
See it in Action

To deploy the spiffe-demo-app, you’ll need Helm installed.

Deploy a demo app into the k8s cluster you’ve been using:

helm repo add spiffe-demo https://spirl.github.io/spiffe-demo-app

helm -n spiffe-demo install spiffe-demo spiffe-demo/spiffe-demo-app --create-namespace

Finally, open a tunnel to access the demo app from your browser:

kubectl -n spiffe-demo port-forward svc/spiffe-demo-service 8080:80

You can now access the app by visiting http://localhost:8080. Feel free to play around and view the certificates and JWT tokens being minted and served by Defakto.


Verify SVIDs from the CLI

For a CLI-based verification, deploy a one-shot pod using the spirldbg utility. The pod needs the k8s.spirl.com/spiffe-csi: enabled label so the Defakto admission controller injects the Workload API socket.

svid-checker.yaml
apiVersion: v1
kind: Pod
metadata:
  name: svid-checker
  namespace: spiffe-demo
  labels:
    k8s.spirl.com/spiffe-csi: "enabled"
spec:
  restartPolicy: Never
  containers:
    - name: svid-checker
      image: public.ecr.aws/d1i7q6j7/spirldbg:latest
      command:
        - spirldbg
        - svid-x509
        - --spiffe-endpoint-socket=unix:///spirl-agent-socket/agent.sock

Apply it and read the output:

kubectl apply -f svid-checker.yaml
kubectl -n spiffe-demo wait --for=jsonpath='{.status.phase}'=Succeeded pod/svid-checker
kubectl -n spiffe-demo logs svid-checker

You should see output like:

Successfully received x509 SVID
SPIFFE ID: spiffe://example.com/cluster-1/ns/spiffe-demo/sa/default
Not before: 2026-01-01T00:00:00Z
Not after: 2026-01-02T00:00:00Z
Validity: 24h0m0s
...
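
To turn that log output into a pass/fail smoke test, the following added example (not part of the Defakto documentation) checks that the pod received exactly the expected SPIFFE ID and that the SVID is inside its validity window. The names check_svid and sample_log are hypothetical, the sample log is constructed from the output shown above, and the check assumes timestamps stay in the UTC `YYYY-MM-DDTHH:MM:SSZ` form.

```shell
#!/bin/sh
# Added example (not from the Defakto docs); function names are hypothetical.

# Constructed sample, copied from the log format shown above.
sample_log() {
  cat <<'EOF'
Successfully received x509 SVID
SPIFFE ID: spiffe://example.com/cluster-1/ns/spiffe-demo/sa/default
Not before: 2026-01-01T00:00:00Z
Not after: 2026-01-02T00:00:00Z
Validity: 24h0m0s
EOF
}

# check_svid EXPECTED_ID [NOW]
# Reads svid-checker logs on stdin. Exit codes: 0 ok, 2 unparsable,
# 3 unexpected SPIFFE ID, 4 not yet valid, 5 expired.
# Assumes timestamps are UTC in the YYYY-MM-DDTHH:MM:SSZ form shown above,
# which sorts lexicographically, so no date arithmetic is needed.
check_svid() {
  expected_id=$1
  now=${2:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}
  awk -v want="$expected_id" -v now="$now" '
    /^SPIFFE ID:/  { id = $3 }
    /^Not before:/ { nb = $3 }
    /^Not after:/  { na = $3 }
    END {
      if (id == "" || nb == "" || na == "") {
        print "FAIL: SVID fields missing from output"; exit 2
      }
      # Exact match: a prefix or substring match would accept a sibling identity.
      if (id != want) { print "FAIL: got " id ", expected " want; exit 3 }
      # Appending "" forces string comparison.
      if ((now "") <  (nb "")) { print "FAIL: not valid before " nb; exit 4 }
      if ((now "") >= (na "")) { print "FAIL: expired at " na; exit 5 }
      print "OK: " id " valid until " na
    }'
}

# Offline demo against the constructed sample, with a fixed clock.
sample_log | check_svid \
  "spiffe://example.com/cluster-1/ns/spiffe-demo/sa/default" \
  "2026-01-01T12:00:00Z"

# Against the cluster:
#   kubectl -n spiffe-demo logs svid-checker | check_svid "<expected SPIFFE ID>"
```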

To fetch a JWT-SVID instead, replace svid-x509 with svid-jwt and add --audience <your-audience>.

For other example workloads that request an SVID, see the Defakto Examples Repo.