Automatic SPIFFE ID assignment, federation, Istio integration #541

@tppalani

Installed SPIRE and SPIRE Agent in EKS using the official Helm chart.
Enabled Istio sidecar injection for the default namespace.
Deployed a sample workload (helloworld-eks.yaml) and confirmed Istio sidecar injection.
Attempted to deploy SPIRE Controller Manager for automatic SPIFFE ID assignment and federation.
Faced challenges finding a ready-to-apply manifest for SPIRE Controller Manager (v0.6.2) and its required resources.
Noted gaps in documentation regarding direct deployment steps for SPIRE Controller Manager in real clusters (not Kind/demo).

These are my running pods in EKS; I have the same kind of setup in a GKE cluster as well.

$ kubectl get pods -n spire
NAME                            READY   STATUS                  RESTARTS   AGE
spire-agent-5g45m               1/1     Running                 0          167m
spire-agent-trvjg               0/1     Running                 0          95m
spire-agent-xzwff               1/1     Running                 0          167m
spire-server-0                  2/2     Running                 0          95m
spire-spiffe-csi-driver-fgtzp   2/2     Running                 0          3h26m
spire-spiffe-csi-driver-kjmsb   2/2     Running                 0          3h26m
spire-spiffe-csi-driver-vr77x   2/2     Running                 0          3h26m

Next Actions:

Need a clear, production-ready manifest or Helm chart for SPIRE Controller Manager.
Need step-by-step instructions for integrating SPIRE Controller Manager with SPIRE, Istio, and ClusterSPIFFEID CRs in EKS.
Need documentation updates to cover real-world deployment (not just demo/Kind environments).

Missing in Documentation:

Direct YAML manifest for SPIRE Controller Manager deployment (with correct image, namespace, RBAC, and service account).
Example ClusterSPIFFEID CR for typical workloads.
Troubleshooting steps for SPIFFE credential injection and validation in Istio-enabled clusters.
