/spiffe-example

Code for various SPIFFE and SPIRE demos

Primary LanguageJava

SPIFFE examples

This repository contains infrastructure for development and demos as well as automated demos for each SPIRE release

Demonstrations

simple_verification - SVID Verification with Ghostunnel

This demo shows a Ghostunnel connection validating SPIFFE certificates.

rosemary - UNIX Attestation and Ghostunnel Verification

Demonstrates two workloads communicating over mutually authenticated Ghostunnel using SVIDs generated through UNIX attestation by UID.

beatrice - Kubernetes Attestation and Ghostunnel verification

Demonstrates two workloads communicating over mutually authenticated Ghostunnel endpoints using SVIDs automatically provisioned to an attested Kubernetes Pod.

cadfael - AWS Attestation and Envoy Verification

Demonstrates two workloads communicating via mutually authenticated Envoys using SVIDs generated through AWS instance attestation.

drew - Server and Agent Scale and Performance

Demonstrates 100 workloads on 100 servers managed by one spire-server

dupin - nginx with SPIFFE support

Demonstrates the use of the SPIFFE Workload API to automatically get X.509 certificates natively in nginx, with no helper. Connections are accepted or rejected based on allowed SPIFFE IDs.

java-spiffe - java with SPIFFE support

Demonstrates the use of the SPIFFE Workload API to dynamically update the X509 certificates of a custom KeyStore in a Java Security Provider. Connections are established using mTLS validating SPIFFE IDs

java-keystore-tomcat - Tomcat using a SPIFFE based KeyStore

Demonstrates two Tomcats using a SPIFFE based KeyStore and TrustStore that handles SVID certificates that gets from the WorkloadAPI. Connections are established using mTLS validating SPIFFE IDs.

Infrastructure

vagrant_k8s - Local Kubernetes with Vagrant

Creates a Kubernetes master and >=1 node in separate Vagrant VMs.

vagrant_db - Local MariaDB "bare metal" with Vagrant

ec2 - AWS EC2 with Terraform

Provisions a VPC with three EC2 instances with proper IAM instance roles for the aws-resolver plugin.