
Serve

warning

This feature is experimental.

Currently, only X509-SVIDs are supported by the serve command, and certificates and bundles are not refreshed: the command terminates when the certificate expires.

Make sure you use spirlctl v0.18.0 or later.

SPIRL Developer Identity allows developers to serve a Workload API locally for development and integration purposes. See fetch for a file-based variant.

Serve SPIFFE Workload API and Envoy SDS

Use spirlctl to serve a local SPIFFE Workload API and Envoy SDS

spirlctl exp dev-id serve --trust-domain my-trust-domain

You can specify custom parameters to control where the socket becomes available and which port is used for the redirect during the authentication challenge.

[...]
--redirect-listener-port 54321 \
--spiffe-endpoint-socket unix:/tmp/spirl/devid/workload.sock

Once the Workload API is running you can, for example, use spirldbg to connect to the socket.

spirldbg svid-x509 --spiffe-endpoint-socket /tmp/spirl/devid/workload.sock

Envoy support

As the serve command also serves the Envoy SDS API, you can connect it to a local Envoy.

  clusters:
    # Cluster pointing at the Unix socket served by spirlctl; used as the SDS source below.
    - name: spirlctl
      connect_timeout: 1s
      http2_protocol_options: {}
      load_assignment:
        cluster_name: spirlctl
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    pipe:
                      path: /tmp/spirl/devid/workload.sock
    # Upstream that is reached over mTLS with the X509-SVID fetched from spirlctl.
    - name: your_resource
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            tls_params:
              tls_maximum_protocol_version: TLSv1_2
            # "default" is the SDS resource name of the X509-SVID (see the table below).
            tls_certificate_sds_secret_configs:
              - name: "default"
                sds_config:
                  api_config_source:
                    api_type: GRPC
                    grpc_services:
                      - envoy_grpc:
                          cluster_name: spirlctl
                    transport_api_version: V3
                  resource_api_version: V3
            combined_validation_context:
              default_validation_context:
                # Replace the placeholder with the SPIFFE ID of the peer you connect to.
                match_subject_alt_names:
                  - exact: "<PEER SPIFFE ID>"
              # "ROOTCA" is the SDS resource name of the X509 bundle (see the table below).
              validation_context_sds_secret_config:
                name: "ROOTCA"
                sds_config:
                  api_config_source:
                    api_type: GRPC
                    grpc_services:
                      - envoy_grpc:
                          cluster_name: spirlctl
                    transport_api_version: V3
                  resource_api_version: V3
info

The SDS resource names are the following:

SPIFFE Resource    SDS Resource Name
X509-SVID          "default"
X509 Bundle        "ROOTCA"

Other SDS resource names are not supported.
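The validation context above makes Envoy perform two checks on a peer's X509-SVID: the certificate must chain to the "ROOTCA" bundle, and its URI SAN must exactly match the configured SPIFFE ID. The following Go program is an added example that is not part of the SPIRL documentation or spirlctl; it reproduces those two checks with the standard library and shows that an expired SVID is rejected, which is why the serve command terminates on expiry. The function names, the SPIFFE ID value and the certificate fixture are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// verifySVID applies the checks the Envoy validation context expresses: the leaf must chain to
// the trust bundle ("ROOTCA") and its single URI SAN must equal peerID ("<PEER SPIFFE ID>").
func verifySVID(leaf *x509.Certificate, bundle *x509.CertPool, peerID string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("bundle validation failed: %w", err) // also fires for an expired SVID
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].String() != peerID {
		return fmt.Errorf("URI SANs %v do not match expected peer %q", leaf.URIs, peerID)
	}
	return nil
}

// newCert generates an Ed25519 key and signs tmpl with parentKey (nil parent: self-signed). Test fixture only.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey, ttl time.Duration) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-48*time.Hour), time.Now().Add(ttl)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueSVID builds a constructed bundle and an X509-SVID for spiffeID valid for ttl; it is not material served by spirlctl.
func issueSVID(spiffeID string, ttl time.Duration) (*x509.Certificate, *x509.CertPool) {
	id, _ := url.Parse(spiffeID) // constructed input, assumed well-formed
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root"},
		IsCA: true, BasicConstraintsValid: true}, nil, nil, 24*time.Hour)
	leaf, _ := newCert(&x509.Certificate{SerialNumber: big.NewInt(2), URIs: []*url.URL{id}}, ca, caKey, ttl)
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	return leaf, bundle
}
```

Calling issueSVID with a negative ttl yields an already-expired SVID, which verifySVID rejects in the same way a stale certificate from the serve command would be rejected by Envoy.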