# X.509 SVID Watcher example
This example shows how a service can obtain X.509 SVIDs from the SPIFFE Workload API that are automatically rotated before they expire.

The library provides a watcher interface type (`workload.X509SVIDWatcher`) that must be implemented to receive notifications of SVID rotations and errors.
Once the watcher is created, the `workload.NewX509SVIDClient` function is called to create the client:

```go
x509SVIDClient, err := workload.NewX509SVIDClient(watcher{}, workload.WithAddr("unix:///tmp/agent.sock"))
```
After checking for errors, the client is started with the `Start` method, which opens a stream to the Workload API on a separate goroutine:

```go
err = x509SVIDClient.Start()
```

The watcher is notified every time an SVID is updated or an error occurs.
## Building

Build the svid-watcher example:

```sh
go build ./examples/svid-watcher/
```
## Running

This example assumes the following preconditions:

- There are a SPIRE server and agent up and running.
- There is a Unix workload attestor configured.
- The trust domain is `example.org`.
- The agent SPIFFE ID is `spiffe://example.org/host`.
- There is a `svid-watcher` user in the system.
### 1. Create the registration entry

Create the registration entry for the svid-watcher workload:

```sh
./spire-server entry create -spiffeID spiffe://example.org/svid-watcher \
    -parentID spiffe://example.org/host \
    -selector unix:user:svid-watcher
```
### 2. Start the workload

Start the svid-watcher as the `svid-watcher` user:

```sh
sudo -u svid-watcher ./svid-watcher
```

The watcher prints the SVID SPIFFE ID every time an SVID is updated:

```
2019/12/04 15:36:45 SVID updated for spiffeID: "spiffe://example.org/server"
```