docs: update SPIRE signing demo for Kind and OpenShift #334

Draft
rh-dnagornuks wants to merge 1 commit into kagenti:main from rh-dnagornuks:agentcard-spire-signing-demo-refactor

Conversation

rh-dnagornuks (Contributor) commented May 7, 2026

Summary

  • Update the SPIRE signing demo documentation for both Kind and OpenShift environments
  • Document Helm-based configuration for enabling AgentCard signature verification
  • Add OpenShift-specific setup steps for SCC permissions, namespace labels, and trust bundle configuration
  • Remove the static AgentCard manifest and rely on operator-generated AgentCard resources instead
  • Update demo scripts to use the generated weather-agent-deployment-card
  • Add troubleshooting guidance for image pull limits and building the agentcard-signer image locally/OpenShift

Context

The previous SPIRE signing demo assumed a static AgentCard resource and focused primarily on a generic Kubernetes/SPIRE setup.

This PR updates the demo to align with the current operator behavior where AgentCard resources are generated automatically by the operator. It also improves the onboarding experience for both Kind and OpenShift users by documenting:

  • Recommended Kind setup using setup-kagenti.sh --with-spire
  • Required Helm values for signature verification
  • OpenShift-specific security requirements (SCC, namespace labels, CSI access)
  • Trust bundle ConfigMap differences in OpenShift environments

Tests

  • Test the demo flow on both Kind and OpenShift clusters and verify that the agent card is successfully signed and verified.

Fixes #252

akram (Contributor) commented May 21, 2026

/hold
We are challenging an unexpected behaviour of the spiffe-helper sidecar here before merging that, and will see if the issue is still relevant.

Document Kind/SPIRE setup and Helm-based signature verification configuration, including OpenShift-specific requirements such as SCC permissions, namespace labels, and trust bundle key overrides.

Remove the static AgentCard manifest and rely on the operator-generated AgentCard (weather-agent-deployment-card).

Update demo and teardown scripts, and add troubleshooting guidance for image pull rate limits and building the agentcard-signer image.

Signed-off-by: Daniels Nagornuks <dnagornu@redhat.com>
rh-dnagornuks force-pushed the agentcard-spire-signing-demo-refactor branch from cc683eb to 9058c74 on May 21, 2026 10:05
rh-dnagornuks marked this pull request as draft on May 21, 2026 10:06

Development

Successfully merging this pull request may close these issues.

doc: OpenShift deployment guide for SPIRE signing demos