The SPIFFE Helper is a tool that can be used to retrieve and manage SVIDs on behalf of a workload
MarcosDY add retry connection logic after communication with agent fails (#14)
* add retry connection logic after communication with agent fails
* upgrade spire version
* upgrade go-spiffe version
Latest commit e11122b Oct 8, 2019

SPIFFE Helper

The SPIFFE Helper is a simple utility that fetches X.509 SVID certificates from the SPIFFE Workload API, launches a process that makes use of those certificates, and keeps fetching new certificates before the current ones expire. The launched process is signaled to reload the certificates whenever they are renewed.

Usage

$ spiffe-helper -config <config_file>

<config_file>: file path to the configuration file.

If -config is not specified, the default value helper.conf is assumed.

Configuration

The configuration file is an HCL-formatted file that defines the following settings:

Each entry below gives the configuration key, what it controls, and an example value.

agentAddress: Socket address of the SPIRE Agent. Example: "/tmp/agent.sock"
cmd: Path to the process to launch. Example: "ghostunnel"
cmdArgs: Arguments passed to the launched process. Example: "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
certDir: Directory in which the fetched certificates are stored. This directory must already exist. Example: "certs"
renewSignal: Signal the launched process expects in order to reload the certificates. Example: "SIGUSR1"
svidFileName: File name used to store the X.509 SVID public certificate in PEM format. Example: "svid.pem"
svidKeyFileName: File name used to store the X.509 SVID private key together with the public certificate in PEM format. Example: "svid_key.pem"
svidBundleFileName: File name used to store the X.509 SVID bundle in PEM format. Example: "svid_bundle.pem"

Configuration example

agentAddress = "/tmp/agent.sock"
cmd = "ghostunnel"
cmdArgs = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
certDir = "certs"
renewSignal = "SIGUSR1"
svidFileName = "svid.pem"
svidKeyFileName = "svid_key.pem"
svidBundleFileName = "svid_bundle.pem"
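The configuration keys above and the fetch, write and reload cycle described at the top of this README, shown as an added Go example that is not spiffe-helper's own code: it parses the flat key = "value" form of helper.conf, validates it the way the table requires (certDir must already exist, renewSignal must name a deliverable signal), and writes the three PEM files into certDir atomically, with the private key file readable by its owner only. The accepted signal set, the file modes, the ".tmp" sibling-file naming and the sample PEM contents are this example's assumptions; fetching the SVID from the Workload API (which the real helper does through go-spiffe) and scheduling renewal are left out.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// Config holds the keys documented in the configuration table above.
type Config struct {
	AgentAddress, Cmd, CmdArgs, CertDir, RenewSignal    string
	SVIDFileName, SVIDKeyFileName, SVIDBundleFileName string
}

// renewSignals is the set of names this example accepts for renewSignal
// (an assumption of this example; spiffe-helper itself may accept others).
var renewSignals = map[string]syscall.Signal{
	"SIGHUP": syscall.SIGHUP, "SIGUSR1": syscall.SIGUSR1, "SIGUSR2": syscall.SIGUSR2,
}

// ParseConfig reads the flat `key = "value"` form used by helper.conf.
// Unknown keys and unquoted values are rejected rather than silently ignored.
func ParseConfig(text string) (Config, error) {
	var c Config
	fields := map[string]*string{
		"agentAddress": &c.AgentAddress, "cmd": &c.Cmd, "cmdArgs": &c.CmdArgs,
		"certDir": &c.CertDir, "renewSignal": &c.RenewSignal,
		"svidFileName": &c.SVIDFileName, "svidKeyFileName": &c.SVIDKeyFileName,
		"svidBundleFileName": &c.SVIDBundleFileName,
	}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			return c, fmt.Errorf("malformed line %q", line)
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		dst, known := fields[key]
		if !known {
			return c, fmt.Errorf("unknown key %q", key)
		}
		if len(val) < 2 || val[0] != '"' || val[len(val)-1] != '"' {
			return c, fmt.Errorf("value of %s must be a quoted string", key)
		}
		*dst = val[1 : len(val)-1]
	}
	return c, sc.Err()
}

// Validate enforces what the README states: certDir must already exist and
// renewSignal must be a signal the helper can deliver to the launched process.
func (c Config) Validate() error {
	if c.AgentAddress == "" || c.Cmd == "" || c.CertDir == "" {
		return fmt.Errorf("agentAddress, cmd and certDir are required")
	}
	if _, ok := renewSignals[c.RenewSignal]; !ok {
		return fmt.Errorf("unsupported renewSignal %q", c.RenewSignal)
	}
	if st, err := os.Stat(c.CertDir); err != nil || !st.IsDir() {
		return fmt.Errorf("certDir %q must be an existing directory", c.CertDir)
	}
	return nil
}

// writeAtomic writes a sibling temp file with an explicit mode, then renames it
// into place so the launched process never reads a half-written file.
func writeAtomic(path string, data []byte, mode os.FileMode) error {
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, data, mode); err != nil {
		return err
	}
	if err := os.Chmod(tmp, mode); err != nil { // WriteFile's mode is subject to umask
		return err
	}
	return os.Rename(tmp, path)
}

// WriteSVIDFiles stores the three PEM blobs under certDir. Only the private key
// file is owner-only; the certificate and bundle files carry public data.
func WriteSVIDFiles(c Config, certPEM, keyPEM, bundlePEM []byte) error {
	for _, f := range []struct {
		name string
		data []byte
		mode os.FileMode
	}{{c.SVIDFileName, certPEM, 0o644}, {c.SVIDKeyFileName, keyPEM, 0o600}, {c.SVIDBundleFileName, bundlePEM, 0o644}} {
		if err := writeAtomic(filepath.Join(c.CertDir, f.name), f.data, f.mode); err != nil {
			return err
		}
	}
	return nil
}
```

The rename step matters because the launched process (ghostunnel in the example above) re-reads the files when it receives renewSignal: if the helper signalled while a file was still being written, the process would load a truncated key or certificate. Sending the signal only after all three renames have completed keeps the reload consistent.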