rgl / spire-vagrant

SPIFFE/SPIRE playground


About

This is a SPIFFE/SPIRE playground.

Usage (Ubuntu 22.04)

Install Vagrant, vagrant-libvirt, an Ubuntu 22.04 base box, and a Windows Server 2022 base box.

Create the swtpm localca:

sudo bash provision-host-swtpm.sh

Start the server (SPIRE server), uagent (Ubuntu agent), and wagent (Windows agent) nodes:

vagrant up --no-destroy-on-error --no-tty

Enter the server node and register the workload entries:

vagrant ssh server
sudo -i

# register example unix workload SPIFFE ID entries (parented to the agents,
# which use a TPM DevID to authenticate to spire-server).
trust_domain="$(hostname --domain)"
for uid in 0 1000; do
    for agent_spiffe_id_path in /vagrant/share/*-spiffe-id.txt; do
        spire-server entry create \
            -parentID "$(cat "$agent_spiffe_id_path")" \
            -spiffeID "spiffe://$trust_domain/user-$uid" \
            -selector "unix:uid:$uid"
    done
done

# register example docker workload SPIFFE ID entries (parented to the same
# TPM DevID-attested agents).
trust_domain="$(hostname --domain)"
for agent_spiffe_id_path in /vagrant/share/*-spiffe-id.txt; do
    spire-server entry create \
        -parentID "$(cat "$agent_spiffe_id_path")" \
        -spiffeID "spiffe://$trust_domain/example-server" \
        -selector 'docker:label:com.docker.compose.project:example-docker-workload' \
        -selector 'docker:label:com.docker.compose.service:server'
    spire-server entry create \
        -parentID "$(cat "$agent_spiffe_id_path")" \
        -spiffeID "spiffe://$trust_domain/example-client" \
        -selector 'docker:label:com.docker.compose.project:example-docker-workload' \
        -selector 'docker:label:com.docker.compose.service:client'
done

# show all
spire-server entry show

# exit the node.
exit
exit

Enter the uagent0 node and fetch a workload SVID for the current user:

vagrant ssh uagent0

# fetch an SVID for the current workload (a unix process running as uid 1000).
install -d -m 700 svid
spire-agent api fetch x509 -write svid
openssl x509 -in svid/svid.0.pem -text -noout
openssl x509 -in svid/bundle.0.pem -text -noout

# fetch an SVID for the current workload (a unix process running as uid 0).
sudo -i
install -d -m 700 svid
spire-agent api fetch x509 -write svid
openssl x509 -in svid/svid.0.pem -text -noout
openssl x509 -in svid/bundle.0.pem -text -noout

# exit the node.
exit
exit

Enter the uagent0 node and run the example docker workload:

vagrant ssh uagent0

# build and run example docker workload.
cd /vagrant/example-docker-workload
docker compose up --build

In another shell, enter the uagent0 node and try the example docker workload:

vagrant ssh uagent0

# query the example docker workload to see the SPIFFE IDs of its server and client.
http localhost:8080

# dump the example server workload certificate.
# NB this will be a certificate for the server SPIFFE ID (e.g.
#    spiffe://spire.test/example-server) URI X509 SAN (Subject
#    Alternative Name). To include a DNS X509 SAN you would have to register
#    the workload with, e.g., -dns example-server.spire.test.
trust_domain="$(hostname --domain)"
openssl s_client -connect localhost:8443 -servername "$trust_domain" </dev/null 2>/dev/null | openssl x509 -noout -text

List this repository's dependencies (and which ones have newer versions):

export GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN'
./renovate.sh

Notes

  • The initial SPIFFE trust bundle must be distributed to the nodes using some out-of-band method.
  • An agent SPIFFE ID can only be known after the devid-provisioning-agent provisions the TPM DevID.
  • A workload can have one or more SPIFFE IDs. For example, the example-docker-workload containers run as uid 0, so besides their docker label entry they also match the unix:uid:0 entry and receive both spiffe://spire.test/user-0 and spiffe://spire.test/example-server (or spiffe://spire.test/example-client). Note that every other root process on that agent node, containerized or not, also matches the unix:uid:0 entry and receives spiffe://spire.test/user-0.
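The following is an added example, not code from this repository or from SPIRE. It is a small Python model of how a SPIRE agent turns the entries registered in the Usage section above into SVIDs for an attested workload, and it reproduces the multi-SVID behaviour described in the last note: an entry applies when its parent ID is the attesting agent's SPIFFE ID and every one of its selectors is among the selectors the agent's workload attestors produced for the process. The agent SPIFFE ID paths, the trust domain spire.test, and the per-workload selector sets are constructed sample data, not values read from a running playground.

```python
"""Model of SPIRE registration-entry matching for the entries in this README.

Added example (not rgl/spire-vagrant or SPIRE code). Matching rule modelled:
an entry yields an SVID for a workload when entry.parent_id == agent SPIFFE ID
and entry.selectors is a subset of the workload's attested selectors.
"""
from dataclasses import dataclass

TRUST_DOMAIN = "spire.test"  # assumed trust domain

# Constructed: agent SPIFFE IDs as they would be read from /vagrant/share/*-spiffe-id.txt.
UAGENT0 = f"spiffe://{TRUST_DOMAIN}/spire/agent/devid/uagent0"  # assumed path
WAGENT0 = f"spiffe://{TRUST_DOMAIN}/spire/agent/devid/wagent0"  # assumed path

PROJECT = "docker:label:com.docker.compose.project:example-docker-workload"


@dataclass(frozen=True)
class Entry:
    parent_id: str
    spiffe_id: str
    selectors: frozenset


def readme_entries(agent_ids):
    """Build the entries the README's two loops create with spire-server entry create."""
    entries = []
    for agent in agent_ids:
        for uid in (0, 1000):
            entries.append(Entry(agent, f"spiffe://{TRUST_DOMAIN}/user-{uid}",
                                 frozenset({f"unix:uid:{uid}"})))
        entries.append(Entry(agent, f"spiffe://{TRUST_DOMAIN}/example-server",
                             frozenset({PROJECT, "docker:label:com.docker.compose.service:server"})))
        entries.append(Entry(agent, f"spiffe://{TRUST_DOMAIN}/example-client",
                             frozenset({PROJECT, "docker:label:com.docker.compose.service:client"})))
    return entries


def svids_for(entries, agent_id, attested_selectors):
    """Sorted SPIFFE IDs a workload with these attested selectors receives from this agent."""
    attested = frozenset(attested_selectors)
    return sorted(e.spiffe_id for e in entries
                  if e.parent_id == agent_id and e.selectors <= attested)


def demo():
    """Resolve SVIDs for several workloads on uagent0; returns results keyed by workload."""
    entries = readme_entries([UAGENT0, WAGENT0])
    # Constructed selector sets, as the unix and docker workload attestors would report them
    # for the host pid of each process (containers run as uid 0 here).
    workloads = {
        "vagrant shell (uid 1000)": {"unix:uid:1000", "unix:gid:1000", "unix:user:vagrant"},
        "root shell (uid 0)": {"unix:uid:0", "unix:gid:0", "unix:user:root"},
        "compose server container": {"unix:uid:0", "unix:gid:0", PROJECT,
                                     "docker:label:com.docker.compose.service:server"},
        "compose client container": {"unix:uid:0", "unix:gid:0", PROJECT,
                                     "docker:label:com.docker.compose.service:client"},
        # Caveat from the notes: any other root process on the node also matches unix:uid:0.
        "unrelated root container": {"unix:uid:0", "unix:gid:0",
                                     "docker:label:com.docker.compose.project:other"},
    }
    results = {name: svids_for(entries, UAGENT0, sel) for name, sel in workloads.items()}
    # Entries are scoped by parent ID: wagent0's entries never apply to uagent0 workloads.
    results["root shell, only wagent0 entries"] = svids_for(
        readme_entries([WAGENT0]), UAGENT0, workloads["root shell (uid 0)"])
    return results


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name}: {ids or '(no SVID)'}")
```

The model shows why a broad selector such as unix:uid:0 is a poor sole identity criterion: it is satisfied by every root process the agent attests, including containers from unrelated compose projects. Adding a second selector to the entry (the README's docker label entries do this) narrows the match, since all selectors of an entry must be present.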
