This library is a convenient Go library for working with SPIFFE.
It leverages the SPIFFE Workload API, providing high level functionality that includes:
- Establishing mutually authenticated TLS (mTLS) between workloads powered by SPIFFE.
- Obtaining and validating X509-SVIDs and JWT-SVIDs.
- Federating trust between trust domains using SPIFFE bundles.
- Bundle management.
See the Go Package documentation.
Prerequisites:
- Running SPIRE or another SPIFFE Workload API implementation.
SPIFFE_ENDPOINT_SOCKETenvironment variable set to address of the Workload API (e.g.unix:///tmp/agent.sock). Alternatively the socket address can be provided programatically.
To create an mTLS server:
listener, err := spiffetls.Listen(ctx, "tcp", "127.0.0.1:8443", tlsconfig.AuthorizeAny())To dial an mTLS server:
conn, err := spiffetls.Dial(ctx, "tcp", "127.0.0.1:8443", tlsconfig.AuthorizeAny())The client and server obtain X509-SVIDs and X.509 bundles from the SPIFFE Workload API. The X509-SVIDs are presented by each peer and authenticated against the X.509 bundles. Both sides continue to be updated with X509-SVIDs and X.509 bundles streamed from the Workload API (e.g. secret rotation).
The examples directory contains rich examples for a variety of circumstances.