README
¶
go-spiffe (v2)
This library is a convenient Go library for working with SPIFFE.
It leverages the SPIFFE Workload API, providing high level functionality that includes:
- Establishing mutually authenticated TLS (mTLS) between workloads powered by SPIFFE.
- Obtaining and validating X509-SVIDs and JWT-SVIDs.
- Federating trust between trust domains using SPIFFE bundles.
- Bundle management.
Documentation
See the Go Package documentation.
Quick Start
Prerequisites:
- Running SPIRE or another SPIFFE Workload API implementation.
SPIFFE_ENDPOINT_SOCKETenvironment variable set to address of the Workload API (e.g.unix:///tmp/agent.sock). Alternatively the socket address can be provided programatically.
To create an mTLS server:
listener, err := spiffetls.Listen(ctx, "tcp", "127.0.0.1:8443", tlsconfig.AuthorizeAny())
To dial an mTLS server:
conn, err := spiffetls.Dial(ctx, "tcp", "127.0.0.1:8443", tlsconfig.AuthorizeAny())
The client and server obtain X509-SVIDs and X.509 bundles from the SPIFFE Workload API. The X509-SVIDs are presented by each peer and authenticated against the X.509 bundles. Both sides continue to be updated with X509-SVIDs and X.509 bundles streamed from the Workload API (e.g. secret rotation).
Examples
The examples directory contains rich examples for a variety of circumstances.
Directories
¶
| Path | Synopsis |
|---|---|
|
bundle
|
|
|
jwtbundle
Package jwtbundle provides JWT bundle related functionality.
|
Package jwtbundle provides JWT bundle related functionality. |
|
spiffebundle
Package spiffebundle provides SPIFFE bundle related functionality.
|
Package spiffebundle provides SPIFFE bundle related functionality. |
|
x509bundle
Package x509bundle provides X.509 bundle related functionality.
|
Package x509bundle provides X.509 bundle related functionality. |
|
examples
|
|
|
internal
|
|
|
proto
|
|
|
svid
|
|
Click to show internal directories.
Click to hide internal directories.