README
¶
X.509 SVID Watcher example
This example shows how a service can obtain X.509 SVIDs from the SPIFFE workload API which are automatically rotated before expiration.
The library provides a watcher interface type (workload.X509SVIDWatcher) that must be implemented to get notifications for SVIDs rotation and errors.
Once the watcher is created, the workload.NewX509SVIDClient function is called to make the client.
x509SVIDClient, err := workload.NewX509SVIDClient(watcher{}, workload.WithAddr("unix:///tmp/agent.sock"))
After checking for errors, the client is started with the Start method. It opens a stream to the workload API on a separated go routine.
err = x509SVIDClient.Start()
The watcher will be notified every time an SVID is updated or an error occurs.
Building
Build the svid-watcher example:
go build ./examples/svid-watcher/
Running
This example assumes the following preconditions:
- There are a SPIRE server and agent up and running.
- There is a Unix workload attestor configured.
- The trust domain is
example.org - The agent SPIFFE ID is
spiffe://example.org/host. - There is a
svid-watcheruser in the system.
1. Create the registration entry
Create the registration entry for the svid-watcher workload:
./spire-server entry create -spiffeID spiffe://example.org/svid-watcher \
-parentID spiffe://example.org/host \
-selector unix:user:svid-watcher
2. Start the workload
Start the svid-watcher with the svid-watcher user:
sudo -u svid-watcher ./svid-watcher
The watcher prints the SVID SPIFFE ID every time an SVID is updated.
2019/12/04 15:36:45 SVID updated for spiffeID: "spiffe://example.org/server"
Documentation
¶
There is no documentation for this package.
Source Files