Serve
warning
This feature is experimental.
Currently, only X509-SVIDs are supported by the serve command, and the served certificates and bundles are not refreshed: the command terminates when the X509-SVID expires.
Make sure spirlctl v0.18.0 or later is used.
Unified Access allows developers to serve a Workload API locally for development and integration purposes. See fetch for a file-based variant.
Serve SPIFFE Workload API and Envoy SDS
Use spirlctl to serve a local SPIFFE Workload API and Envoy SDS endpoint on a Unix domain socket:

```shell
spirlctl exp unified-access serve --trust-domain my-trust-domain \
  --spiffe-endpoint-socket /tmp/workload.sock
```

Once the Workload API is running, you can, for example, use spirldbg to fetch an X509-SVID from the socket:

```shell
spirldbg svid-x509 --spiffe-endpoint-socket /tmp/workload.sock
```
Envoy support
Because the serve command also serves the Envoy SDS API over the same socket, you can point a local Envoy at it. The `spirlctl` cluster below is the SDS source; `your_resource` is the upstream whose TLS certificate and trust bundle Envoy fetches from spirlctl.

```yaml
clusters:
  # SDS source: spirlctl listening on the Workload API socket
  - name: spirlctl
    connect_timeout: 1s
    http2_protocol_options: {}
    load_assignment:
      cluster_name: spirlctl
      endpoints:
        - lb_endpoints:
            - endpoint:
                address:
                  pipe:
                    path: /tmp/workload.sock
  # Upstream secured with the X509-SVID and bundle served by spirlctl
  - name: your_resource
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          tls_params:
            tls_maximum_protocol_version: TLSv1_2
          tls_certificate_sds_secret_configs:
            - name: "default"
              sds_config:
                api_config_source:
                  api_type: GRPC
                  grpc_services:
                    - envoy_grpc:
                        cluster_name: spirlctl
                  transport_api_version: V3
                resource_api_version: V3
          combined_validation_context:
            default_validation_context:
              match_subject_alt_names:
                - exact: "<PEER SPIFFE ID>"
            validation_context_sds_secret_config:
              name: "ROOTCA"
              sds_config:
                api_config_source:
                  api_type: GRPC
                  grpc_services:
                    - envoy_grpc:
                        cluster_name: spirlctl
                  transport_api_version: V3
                resource_api_version: V3
```

Replace `<PEER SPIFFE ID>` with the full SPIFFE ID (the URI SAN) of the upstream's X509-SVID; `exact` means Envoy only accepts a peer presenting precisely that ID.
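The value placed in `exact` above must be a well-formed SPIFFE ID in the trust domain that spirlctl serves (`my-trust-domain` in the command above); a trailing slash, a port, uppercase letters in the trust domain or a `..` segment would either fail Envoy's exact match or never appear in an SVID. The following is an added example, not code from spirlctl, SPIRL or Envoy: a small stdlib-only checker implementing the SPIFFE ID format rules, with an `envoy_exact_match` helper that mirrors the byte-for-byte comparison Envoy performs. All SPIFFE IDs in it are constructed sample values.

```python
"""Validate SPIFFE IDs before putting them in Envoy's `match_subject_alt_names`.

Added example (not part of spirlctl or Envoy). Format rules follow the SPIFFE ID
specification: scheme 'spiffe', trust domain of lowercase letters, digits,
'-', '.', '_'; path segments of letters, digits, '-', '.', '_'; no port,
userinfo, query, fragment, empty, '.' or '..' segments; at most 2048 bytes.
"""
import re
from typing import Tuple

SCHEME = "spiffe://"
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]{1,255}$")
_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_spiffe_id(spiffe_id: str) -> Tuple[str, str]:
    """Return (trust_domain, path) or raise ValueError for an invalid SPIFFE ID.

    The path is returned with its leading '/' and is '' for a trust-domain ID.
    """
    if len(spiffe_id.encode()) > 2048:
        raise ValueError("SPIFFE ID exceeds 2048 bytes")
    if not spiffe_id.startswith(SCHEME):
        raise ValueError("SPIFFE ID must start with 'spiffe://'")
    rest = spiffe_id[len(SCHEME):]
    trust_domain, sep, path = rest.partition("/")
    # The character class excludes ':', '@', '?' and '#', so a port, userinfo,
    # query or fragment in the authority is rejected here.
    if not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError(f"invalid trust domain {trust_domain!r}")
    if not sep:
        return trust_domain, ""
    for segment in path.split("/"):
        # Empty segments cover '//' and a trailing '/'; dot segments are forbidden.
        if segment in ("", ".", ".."):
            raise ValueError("path must not contain empty, '.' or '..' segments")
        if not _SEGMENT_RE.match(segment):
            raise ValueError(f"invalid path segment {segment!r}")
    return trust_domain, "/" + path


def id_in_trust_domain(spiffe_id: str, trust_domain: str) -> bool:
    """True if the ID is valid and belongs to the trust domain spirlctl serves."""
    td, _ = parse_spiffe_id(spiffe_id)
    return td == trust_domain


def envoy_exact_match(presented: str, configured: str) -> bool:
    """Mirror Envoy's `exact` SAN matcher: a plain string comparison.

    Both values are validated first so that a mistyped configured value (for
    example a leftover placeholder) is caught instead of silently never matching.
    """
    parse_spiffe_id(presented)
    parse_spiffe_id(configured)
    return presented == configured


if __name__ == "__main__":
    # Constructed sample IDs; 'my-trust-domain' matches the serve command above.
    peer = "spiffe://my-trust-domain/workload/api"
    print(parse_spiffe_id(peer))
    print(id_in_trust_domain(peer, "my-trust-domain"))
    print(envoy_exact_match(peer, "spiffe://my-trust-domain/workload/api"))
    for bad in ("spiffe://my-trust-domain/workload/api/",
                "spiffe://My-Trust-Domain/workload/api",
                "spiffe://my-trust-domain:443/workload/api"):
        try:
            parse_spiffe_id(bad)
        except ValueError as exc:
            print(f"rejected {bad}: {exc}")
```

Run it against the SPIFFE ID you intend to configure; anything it rejects will not match an SVID issued by spirlctl, and an ID from a different trust domain will not chain to the `ROOTCA` bundle Envoy receives.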
info
The supported SDS resource names are:

SPIFFE Resource | SDS Resource Name
---|---
X509-SVID | `default`
X509 Bundle | `ROOTCA`

Other SDS resource names are not supported.