spiffe / spire-examples Goto Github PK

Examples and documentation showing SPIRE integration with various projects and platforms

License: Apache License 2.0

spire-examples's Introduction

The Secure Production Identity Framework For Everyone (SPIFFE) Project defines a framework and set of standards for identifying and securing communications between application services. At its core, SPIFFE is:

A standard defining how services identify themselves to each other. These are called SPIFFE IDs and are implemented as Uniform Resource Identifiers (URIs).
A standard for encoding SPIFFE IDs in a cryptographically-verifiable document called a SPIFFE Verifiable Identity Document or SVIDs.
An API specification for issuing and/or retrieving SVIDs. This is the Workload API.

The SPIFFE Project has a reference implementation, the SPIRE (the SPIFFE Runtime Environment), that in addition to the above, it:

Performs node and workload attestation.
Implements a signing framework for securely issuing and renewing SVIDs.
Provides an API for registering nodes and workloads, along with their designated SPIFFE IDs.
Provides and manages the rotation of keys and certs for mutual authentication and encryption between workloads.
Simplifies access from identified services to secret stores, databases, services meshes and cloud provider services.
Interoperability and federation to SPIFFE compatible systems across heterogeneous environments and administrative trust boundaries.

SPIFFE is a graduated project of the Cloud Native Computing Foundation (CNCF). If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF.

SPIFFE Standards

Getting Started

spiffe: This repository includes the SPIFFE ID, SVID and Workload API specifications, example code, and tests, as well as project governance, policies, and processes.
spire: This is a reference implementation of SPIFFE and the SPIFFE Workload API that can be run on and across varying hosting environments.
go-spiffe: Golang client libraries.
java-spiffe: Java client libraries

Communications

Slack (Join here).
[email protected] (View or join here).
[email protected] (View or join here).
[email protected] (View or join here).

Contribute

SIGs & Working Groups

Most community activity is organized into Special Interest Groups (SIGs), time-bounded working groups, and our monthly community-wide meetings. SIGs follow these guidelines, although each may operate differently depending on their needs and workflows. Each group's material can be found in the /community directory of this repository.

Name	Lead	Group	Slack Channel	Meetings
SIG-Community	Umair Khan (HPE)	Here	Here	Notes
SIG-Spec	Evan Gilman (VMware)	Here	Here	Notes
SIG-SPIRE	Daniel Feldman (HPE)	Here	Here	Notes

Follow the SPIFFE Project You can find us on Github and Twitter.

SPIFFE SSC

The SPIFFE Steering Committee meets on a regular cadence to review project progress, address maintainer needs, and provide feedback on strategic direction and industry trends. Community members interested in joining this call can find details below.

Calendar: iCal or Browser-based
Meeting Notes: Google Doc
Call Details: Zoom Link

To contact the SSC privately, please send an email to [email protected].

spire-examples's People

Contributors

Stargazers

Watchers

Forkers

marcosy azdagron ajessup maxlambrecht rbkumar88 xjjyzmb sdminonne andres-gc castelloms richardhcl marcosdy mchurichi kunzimariano dfeldman martincapello vijaymateti amartinezfayo devopstoday11 rturner3 lucianozablocki mrsabath ryysud itishree143 jexf nathanawmk ricfeatherstone hiyosi szvincze csjiaxin nordix androidmi thegaragebandofit keeganwitt developer-guy adsk-pset-de-hackathon guilhermocc buddhanepal krishnakv bobo333 tngadaria kongweiguo vishnusomank

spire-examples's Issues

example certs are expired

note the Not After : May 12 19:33:47 2023 GMT below

$ echo '''-----BEGIN CERTIFICATE-----
> MIIBzDCCAVOgAwIBAgIJAJM4DhRH0vmuMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYT
> AlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMTgwNTEzMTkzMzQ3WhcNMjMwNTEyMTkz
> MzQ3WjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0C
> AQYFK4EEACIDYgAEWjB+nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7m
> CBKzfQkrgDguI4j0Z+0/tDH/r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXw
> cCvLs/mcmvPqVK9jo10wWzAdBgNVHQ4EFgQUh6XzV6LwNazA+GTEVOdu07o5yOgw
> DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3Bp
> ZmZlOi8vbG9jYWwwCgYIKoZIzj0EAwQDZwAwZAIwE4Me13qMC9i6Fkx0h26y09QZ
> IbuRqA9puLg9AeeAAyo5tBzRl1YL0KNEp02VKSYJAjBdeJvqjJ9wW55OGj1JQwDF
> D7kWeEB6oMlwPbI/5hEY3azJi16I0uN1JSYTSWGSqWc=
> -----END CERTIFICATE-----''' | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            93:38:0e:14:47:d2:f9:ae
    Signature Algorithm: ecdsa-with-SHA512
        Issuer: C=US, O=SPIFFE
        Validity
            Not Before: May 13 19:33:47 2018 GMT
            Not After : May 12 19:33:47 2023 GMT
        Subject: C=US, O=SPIFFE
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:5a:30:7e:9d:21:92:c4:86:22:ce:76:fc:e3:1b:
                    b9:58:60:d9:8f:cd:27:2f:b5:b5:73:7c:df:e3:c5:
                    a1:cb:49:9a:ed:8e:e6:08:12:b3:7d:09:2b:80:38:
                    2e:23:88:f4:67:ed:3f:b4:31:ff:af:c8:2d:3a:d2:
                    cb:ac:8a:6e:33:05:87:a1:ee:2f:6d:50:45:b5:ed:
                    6f:8f:a5:ed:e9:67:84:f2:55:f0:70:2b:cb:b3:f9:
                    9c:9a:f3:ea:54:af:63
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                87:A5:F3:57:A2:F0:35:AC:C0:F8:64:C4:54:E7:6E:D3:BA:39:C8:E8
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Alternative Name:
                URI:spiffe://local
    Signature Algorithm: ecdsa-with-SHA512
         30:64:02:30:13:83:1e:d7:7a:8c:0b:d8:ba:16:4c:74:87:6e:
         b2:d3:d4:19:21:bb:91:a8:0f:69:b8:b8:3d:01:e7:80:03:2a:
         39:b4:1c:d1:97:56:0b:d0:a3:44:a7:4d:95:29:26:09:02:30:
         5d:78:9b:ea:8c:9f:70:5b:9e:4e:1a:3d:49:43:00:c5:0f:b9:
         16:78:40:7a:a0:c9:70:3d:b2:3f:e6:11:18:dd:ac:c9:8b:5e:
         88:d2:e3:75:25:26:13:49:61:92:a9:67

Authentication for application with sql database without providing credentials

Hi Team,

I am looking for a use case, where I run one application and one sql database, and spire server and two spire agents.

Is it possible that that I connect application with database without giving sql username and password and access data from database ? In simple terms, if I connect sql database from my application can i simply give certificates of spire and not the username & password of sql database?

I need an example for the same.

or spire is all about just to provide identity only ?

Tests are failing due to changes in Travis

Travis CI seems to be giving us a 1-core instance now instead of 2-core, and 2 cores are required to run Minikube so all the Kubernetes tests fail. We should either figure out how to make Travis work, switch to a different build system, or not run Kubernetes tests for this repo.

Add the travis build badge to the README

Wire the Envoy example into travis

The envoy example is not currently exercised by Travis. Make it so