SPIFFE/SPIRE playground
This is a SPIFFE/SPIRE playground.
Install Vagrant, vagrant-libvirt, Ubuntu 22.04 base box, and Windows Server 2022 base box.
Create the swtpm localca:
# run on the host (as root): creates the swtpm localca.
sudo bash provision-host-swtpm.sh
Start the SPIRE server, the uagent (Ubuntu), and the wagent (Windows) agent nodes:
# start the server, uagent (Ubuntu) and wagent (Windows) nodes.
# --no-destroy-on-error keeps a node whose provisioning failed around so it
# can be inspected instead of being destroyed.
vagrant up --no-destroy-on-error --no-tty
Enter the server node and register the workload entries:
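vagrant ssh server
sudo -i
# register the example workload SPIFFE ID entries.
# each agent publishes its own SPIFFE ID in /vagrant/share/<name>-spiffe-id.txt
# (the agents use a TPM DevID to authenticate in spire-server); that ID is the
# parent of every workload entry registered for that agent.
trust_domain="$(hostname --domain)"
for agent_spiffe_id_path in /vagrant/share/*-spiffe-id.txt; do
  # skip the literal glob pattern when no agent has published its SPIFFE ID
  # yet, instead of registering entries with an empty parent ID.
  [[ -e "$agent_spiffe_id_path" ]] || continue
  # read the parent SPIFFE ID once per agent instead of once per entry.
  agent_spiffe_id="$(<"$agent_spiffe_id_path")"
  # example unix workloads: one entry per unix uid.
  for uid in 0 1000; do
    spire-server entry create \
      -parentID "$agent_spiffe_id" \
      -spiffeID "spiffe://$trust_domain/user-$uid" \
      -selector "unix:uid:$uid"
  done
  # example docker workloads: one entry per docker compose service.
  for service in server client; do
    spire-server entry create \
      -parentID "$agent_spiffe_id" \
      -spiffeID "spiffe://$trust_domain/example-$service" \
      -selector 'docker:label:com.docker.compose.project:example-docker-workload' \
      -selector "docker:label:com.docker.compose.service:$service"
  done
done
# show all
spire-server entry show
# exit the node.
exit
exit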
Enter the uagent0 node and fetch a workload SVID for the current user:
vagrant ssh uagent0
# fetch a SVID for the current workload (a unix process running as uid 1000).
# the directory is created with mode 700 because -write stores the workload's
# private key next to the certificate; only this user should be able to read it.
install -d -m 700 svid
spire-agent api fetch x509 -write svid
openssl x509 -in svid/svid.0.pem -text -noout
# NB openssl x509 prints only the first certificate of a PEM file; if the trust
# bundle holds more than one CA certificate the others are not shown here.
openssl x509 -in svid/bundle.0.pem -text -noout
# fetch a SVID for the current workload (a unix process running as uid 0).
# same steps as above, but as root, which matches the user-0 entry
# (selector unix:uid:0) registered in spire-server.
sudo -i
install -d -m 700 svid
spire-agent api fetch x509 -write svid
openssl x509 -in svid/svid.0.pem -text -noout
openssl x509 -in svid/bundle.0.pem -text -noout
# exit the node.
exit
exit
Enter the uagent0 node and execute an example docker workload:
vagrant ssh uagent0
# build and run example docker workload.
# NB without -d, docker compose up stays in the foreground attached to the
# containers' logs; use another shell for the next steps.
cd /vagrant/example-docker-workload
docker compose up --build
In another shell, enter the uagent0 node and try the example docker workload:
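vagrant ssh uagent0
# use example docker workload to see their SPIFFE IDs.
http localhost:8080
# dump the example server workload certificate.
# NB this will be a certificate for the server SPIFFE ID (e.g.
# spiffe://spire.test/example-server) URI X509 SAN (Subject
# Alternative Name). To include a DNS X509 SAN you would have to register
# the workload with, e.g., -dns example-server.spire.test.
# NB this only dumps the certificate, it does not verify it: no -CAfile or
# -verify_return_error is given and stderr is discarded. To verify it, pass
# -CAfile with the trust bundle fetched by spire-agent (bundle.0.pem).
trust_domain="$(hostname --domain)"
# quoted so an empty or odd domain cannot be split or silently dropped,
# which would leave -servername without its argument.
openssl s_client -connect localhost:8443 -servername "$trust_domain" </dev/null 2>/dev/null \
  | openssl x509 -noout -text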
List this repository's dependencies (and which have newer versions):
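# read the GitHub personal access token from the terminal without echoing it,
# so it does not end up in the shell history as an export TOKEN=... line would.
read -r -s -p 'GitHub personal access token: ' GITHUB_COM_TOKEN && printf '\n'
export GITHUB_COM_TOKEN
./renovate.sh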
spiffe://spire.test/user-0 and spiffe://spire.test/example-server (or spiffe://spire.test/example-client).