
examples(spiffe-bundle-tdf): go-spiffe v2 TDF interop demo #59

Merged: kanywst merged 1 commit into main from examples/spiffe-bundle-tdf on May 12, 2026

Conversation

kanywst (Member) commented May 12, 2026

Summary

Closes the interop story for GET /v1/spiffe-bundle (the SPIFFE Trust Domain Format endpoint shipped in PR #47). A tiny cmd/consumer Go binary:

  1. HTTP-GETs /v1/spiffe-bundle;
  2. hands the body to spiffebundle.Read(td, body) from github.com/spiffe/go-spiffe/v2/bundle/spiffebundle;
  3. asserts the parsed bundle exposes both X.509 authorities (bundle.X509Authorities()) and JWT authorities (bundle.JWTAuthorities());
  4. surfaces the parsed SequenceNumber and RefreshHint envelope fields.

The point is that what the SDK rejects, a real SPIFFE consumer (SPIRE agent, spiffe-helper, any workload using go-spiffe) would reject too. A regression that breaks the on-the-wire shape now trips the SDK parser end-to-end, not just a hand-rolled decoder.

The omega server is started with --spiffe-bundle-refresh-hint=180s so the parsed RefreshHint is a non-default 3m0s, proving the flag makes it through to the document and the SDK reads it back.

Sample success output:

```text
[consumer] success
[consumer]   trust_domain:    omega.demo
[consumer]   x509 anchors:    1 (subject="CN=Omega Local CA")
[consumer]   jwt authorities: 1 (kids=[BA0vwLDU7Bs])
[consumer]   sequence:        1
[consumer]   refresh_hint:    3m0s
```

Scope layer

Plugin / example. No production code changes — only exercises the public HTTP surface.

Test plan

  • Local `make demo`: `[consumer] success`
  • `markdownlint-cli2 CHANGELOG.md examples/spiffe-bundle-tdf/README.md`: 0 error(s)
  • `go vet ./examples/spiffe-bundle-tdf/cmd/consumer/`: clean
  • CI: added spiffe-bundle-tdf to the existing examples matrix; Go-only setup, no new job needed.

Follow-ups

  • A future PR could migrate the federation pump in internal/server/federation/ to fetch TDF from peers (currently it polls /v1/bundle PEM) and honour the per-peer RefreshHint. That would move docs/conformance-spiffe.md §6 from partial to implemented, but it changes federation behaviour and deserves its own scope.

Summary by CodeRabbit

  • New Features
    • Added a runnable example demonstrating SPIFFE Bundle endpoint integration with the go-spiffe v2 SDK, including consumer validation and end-to-end demo setup.
  • Documentation
    • Added comprehensive README and updated CHANGELOG documenting the new example, including setup instructions, runtime requirements, and validation details.

Review Change Stack

Closes the interop story for `GET /v1/spiffe-bundle` (the SPIFFE
Trust Domain Format endpoint shipped on omega side). The demo runs
the body of the response through the upstream go-spiffe v2 SDK's
`spiffebundle.Read` and asserts the parsed bundle exposes both X.509
authorities and JWT authorities, plus surfaces the SequenceNumber
and RefreshHint envelope fields.

Why this matters: anything the SDK rejects, a real SPIFFE consumer
(SPIRE agent, spiffe-helper, a workload using go-spiffe) would
reject too. A regression that breaks the on-the-wire shape now trips
the SDK parser end-to-end, not just a permissive hand-rolled
decoder.

The omega server is started with --spiffe-bundle-refresh-hint=180s
so the parsed RefreshHint is a non-default `3m0s`, proving the flag
makes it through to the document and the SDK reads it back.

Sample output:

```text
[consumer] success
[consumer]   trust_domain:    omega.demo
[consumer]   x509 anchors:    1 (subject="CN=Omega Local CA")
[consumer]   jwt authorities: 1 (kids=[BA0vwLDU7Bs])
[consumer]   sequence:        1
[consumer]   refresh_hint:    3m0s
```

Added to the CI examples matrix; no new job needed.
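As an added illustration (not code from this PR, from omega, or from go-spiffe), a standard-library-only checker that applies to a TDF document the same shape rules the demo relies on the SDK to enforce, plus a constructed sample document matching the demo's output. ParseTDF, Bundle and SampleTDF are names chosen here, and the sample's x5c value is placeholder base64 rather than a real certificate.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

type Bundle struct { // what a consumer reads back from a trust-domain bundle document
	X509Count   int
	JWTKeyIDs   []string
	Sequence    uint64
	RefreshHint time.Duration
}

// ParseTDF enforces the shape rules a strict SDK parser applies: an x509-svid entry carries exactly one
// x5c certificate, a jwt-svid entry carries a kid, spiffe_refresh_hint is whole seconds, and (the demo's
// own assertion) both kinds are present. Other use values are skipped; x5c contents are not parsed here.
func ParseTDF(body []byte) (*Bundle, error) {
	var doc struct {
		Keys        []struct{ Use, Kid string; X5c []string }
		Sequence    uint64 `json:"spiffe_sequence"`
		RefreshHint int64  `json:"spiffe_refresh_hint"`
	}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	b := &Bundle{Sequence: doc.Sequence, RefreshHint: time.Duration(doc.RefreshHint) * time.Second}
	for i, k := range doc.Keys {
		switch k.Use {
		case "x509-svid":
			if len(k.X5c) != 1 {
				return nil, fmt.Errorf("entry %d: x509-svid needs exactly one x5c cert, got %d", i, len(k.X5c))
			}
			b.X509Count++
		case "jwt-svid":
			if k.Kid == "" {
				return nil, fmt.Errorf("entry %d: jwt-svid without kid", i)
			}
			b.JWTKeyIDs = append(b.JWTKeyIDs, k.Kid)
		}
	}
	if b.X509Count == 0 || len(b.JWTKeyIDs) == 0 {
		return nil, fmt.Errorf("bundle lacks X.509 or JWT authorities")
	}
	return b, nil
}

// SampleTDF is constructed to match the demo (sequence 1, refresh hint 180s, kid BA0vwLDU7Bs); x5c is placeholder base64, not a certificate, and JWK key fields are omitted.
const SampleTDF = `{"spiffe_sequence":1,"spiffe_refresh_hint":180,"keys":[{"use":"x509-svid","x5c":["cGxhY2Vob2xkZXI="]},{"use":"jwt-svid","kid":"BA0vwLDU7Bs"}]}`
```

ParseTDF([]byte(SampleTDF)) yields the same envelope the demo prints (sequence 1, refresh_hint 3m0s, one X.509 anchor, one JWT kid), and a document with two x5c entries, a kid-less jwt-svid key, or only one authority kind is rejected.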
coderabbitai (Bot) commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 808354b and d05c2da.

📒 Files selected for processing (6)
  • .github/workflows/ci.yml
  • CHANGELOG.md
  • examples/spiffe-bundle-tdf/Makefile
  • examples/spiffe-bundle-tdf/README.md
  • examples/spiffe-bundle-tdf/cmd/consumer/main.go
  • examples/spiffe-bundle-tdf/run-demo.sh

Walkthrough

This PR adds a complete, runnable end-to-end demo for Omega's GET /v1/spiffe-bundle endpoint that validates SPIFFE Trust Domain Format (TDF) parsing using the go-spiffe v2 SDK. The demo includes documentation, Makefile orchestration, a Go consumer validator, a Bash orchestration script, and CI integration.

Changes

SPIFFE Bundle TDF Demo

| Layer | File(s) | Summary |
| --- | --- | --- |
| Demo documentation and build infrastructure | examples/spiffe-bundle-tdf/README.md, examples/spiffe-bundle-tdf/Makefile | README describes the interop demo, validation expectations (non-empty X.509 and JWT authorities), execution via make demo, cleanup via make down, runtime requirements (Go, omega, curl), and clarifies scope as an interop check. Makefile provides demo target to run the orchestration script and down target to stop the server and clean temporary directories. |
| Go consumer validation program | examples/spiffe-bundle-tdf/cmd/consumer/main.go | Consumer program fetches /v1/spiffe-bundle from a configurable Omega server, parses using spiffebundle.Read, validates HTTP 200 status and application/json Content-Type, asserts both X.509 and JWT authorities are present, and prints bundle metadata including trust domain, anchor subject, authority counts, and optional sequence/refresh-hint fields. |
| Demo orchestration script | examples/spiffe-bundle-tdf/run-demo.sh | Bash script manages the full end-to-end flow: configures defaults (demo dir, port, trust domain, refresh hint), builds the consumer binary, starts Omega server with flags, waits for /healthz readiness, fetches /v1/spiffe-bundle response, runs the consumer validator, and displays output. Includes error handling, cleanup trap, and retry logic for server startup. |
| Changelog and CI integration | CHANGELOG.md, .github/workflows/ci.yml | CHANGELOG documents the new demo as an end-to-end runnable example for /v1/spiffe-bundle SPIFFE TDF interop testing. CI workflow examples job matrix is extended to include the new demo in the automated test suite. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • 0-draft/omega#37: Both PRs add new example demos and extend the CI workflow examples matrix to include their respective runnable demonstrations.

Poem

🐰 A bundle hops into view,
With SPIFFE TDF so true,
Go-spiffe reads it right,
No glue code in sight—
One demo makes interop new! ✨

Pre-merge checks: ✅ 4 passed | ❌ 1 failed

Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title clearly and specifically summarizes the main change: adding a go-spiffe v2 TDF interop demo example. The title is concise, directly related to the changeset, and accurately reflects the primary objective. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


gemini-code-assist (Bot) left a comment


Code Review

This pull request introduces an end-to-end demo for the SPIFFE Trust Domain Format (TDF) endpoint, including a consumer binary and a shell script to verify interop with the go-spiffe v2 SDK. The review feedback highlights several best practices for shell scripting under 'set -e', specifically regarding command substitution and error handling. I have kept all three review comments as they provide actionable improvements and follow the requested guidelines.

Comment thread: examples/spiffe-bundle-tdf/run-demo.sh

```bash
wait_for_url() {
    local url="$1" log="$2"
    for _ in $(seq 1 50); do
```

medium

Assigning the output of seq to a variable before using it in the loop ensures that if seq fails, the script will exit immediately due to set -e.

Suggested change

```diff
-for _ in $(seq 1 50); do
+iters=$(seq 1 50)
+for _ in $iters; do
```
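Review bot: the suggested `iters=$(seq 1 50)` lands inside wait_for_url(), which already scopes its variables with `local url="$1" log="$2"`, so as written it leaks a global `iters`; if the assignment form is adopted it should be `local iters` on one line and `iters=$(seq 1 50)` on the next, since a combined `local iters=$(seq 1 50)` reports the status of `local` rather than of seq and would defeat the very set -e behaviour the suggestion is after.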
References
  1. In shell scripts using 'set -e', assign command substitutions to a variable before using them as arguments to a command. This ensures that if the subshell fails, the script exits immediately, whereas command substitutions used directly as arguments do not trigger an exit on failure.

kanywst (Member, Author) replied:

See the reply on the L16 comment for the full reasoning. Same answer: rejecting, the abstract rule does not flag a real failure mode here and applying it consistently would be a sweep across every example demo, not a one-off in this PR.

kanywst merged commit e3b5bce into main on May 12, 2026
27 checks passed
kanywst deleted the examples/spiffe-bundle-tdf branch on May 12, 2026 at 18:11