### PostgreSQL Connection String Example Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md Example of a connection string for configuring the PostgreSQL datastore. ```hcl connection_string = "dbname=postgres user=postgres password=password host=localhost sslmode=disable" ``` -------------------------------- ### Example MySQL Connection String Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md An example of a MySQL connection string with username, password, protocol, address, database name, and a parseTime parameter. ```hcl connection_string = "username:password@tcp(localhost:3306)/dbname?parseTime=true" ``` -------------------------------- ### Start SPIRE Server Source: https://github.com/spiffe/spire/blob/main/doc/SPIRE101.md Starts the SPIRE Server as a background process. Ensure you are in the development shell. ```shell # ./bin/spire-server run & ``` -------------------------------- ### Sample PostgreSQL SQL Datastore Configuration Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md Example HCL configuration for the SQL datastore using PostgreSQL. ```hcl DataStore "sql" { plugin_data { database_type = "postgres" connection_string = "dbname=spire_development user=spire host=127.0.0.1 sslmode=disable" } } ``` -------------------------------- ### Federation Configuration Example Source: https://github.com/spiffe/spire/blob/main/doc/spire_server.md Configure SPIRE Server to expose a bundle endpoint and define federated trust domains. This setup allows for cross-trust domain authentication. ```hcl server { . . . federation { bundle_endpoint { address = "0.0.0.0" port = 8443 refresh_hint = "10m" profile "https_web" { acme { domain_name = "example.org" email = "mail@example.org" } } } federates_with "domain1.test" { bundle_endpoint_url = "https://1.2.3.4:8443" bundle_endpoint_profile "https_web" {} } federates_with "domain2.test" { bundle_endpoint_url = "https://5.6.7.8:8443" bundle_endpoint_profile "https_spiffe" { endpoint_spiffe_id = "spiffe://domain2.test/beserver" } } } } ``` -------------------------------- ### Configure Disk KeyManager Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_keymanager_disk.md Example configuration for the disk KeyManager plugin, specifying the path to the keys file. ```hcl KeyManager "disk" { plugin_data = { keys_path = "/opt/spire/data/server/keys.json" } } ``` -------------------------------- ### Sample SQLite3 SQL Datastore Configuration Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md Example HCL configuration for the SQL datastore using SQLite3. ```hcl DataStore "sql" { plugin_data { database_type = "sqlite3" connection_string = "./.data/datastore.sqlite3" } } ``` -------------------------------- ### Start SPIRE Agent Source: https://github.com/spiffe/spire/blob/main/doc/SPIRE101.md Starts the SPIRE Agent as a background process, using a generated Join Token for attestation. Replace `` with the actual token. ```shell # ./bin/spire-agent run -joinToken & ``` -------------------------------- ### SSHPOP Server Configuration Example Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_sshpop.md Example configuration for the SSHPOP NodeAttestor plugin in a server's configuration file. This includes trusted CAs and paths, with commented-out options for canonical domain and agent path template. ```hcl NodeAttestor "sshpop" { plugin_data { cert_authorities = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEAWPAsKJ/qMYUIBeH7BLMRCE/bkUvMHX+7OZhANk45S"] cert_authorities_path = "./conf/server/dummy_ssh_cert_authority.pub" # Sensibly check the FQDN set in the certificate principals. # canonical_domain = "example.com" # Change the agent's SPIFFE ID format # agent_path_template = "static/{{ index .ValidPrincipals 0 }}" } } ``` -------------------------------- ### Agent x509pop Configuration Example Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_x509pop.md This HCL configuration demonstrates how to set up the x509pop NodeAttestor plugin on the agent. Ensure the private_key_path and certificate_path point to valid files. ```hcl NodeAttestor "x509pop" { plugin_data { private_key_path = "/opt/spire/conf/agent/agent.key.pem" certificate_path = "/opt/spire/conf/agent/agent.crt.pem" } } ``` -------------------------------- ### Get Help for 'spire-server entry' Command Source: https://github.com/spiffe/spire/blob/main/doc/SPIRE101.md Displays help information for the 'entry' sub-command of spire-server. Use the --help flag for details on CLI options. ```shell # ./bin/spire-server entry --help ``` -------------------------------- ### Example Call Counter Metrics Source: https://github.com/spiffe/spire/blob/main/doc/telemetry/telemetry.md Demonstrates the metrics emitted by a successful AttestAgent RPC call, showing the call count and elapsed time with OK status. ```text spire_server.rpc.agent.v1.agent.attest_agent:1|c|#status:OK spire_server.rpc.agent.v1.agent.attest_agent.elapsed_time:1.045773|ms|#status:OK ``` -------------------------------- ### TPM DevID Selector Examples Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_tpm_devid.md Examples of selectors that can be used with the TPM DevID node attestor for fine-grained attestation policies. ```text tpm_devid:subject:cn:example.org ``` ```text tpm_devid:issuer:cn:authority.org ``` ```text tpm_devid:fingerprint:9ba51e2643bea24e91d24bdec3a1aaf8e967b6e5 ``` -------------------------------- ### SSHPOP Agent Configuration Example Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_sshpop.md A sample HCL configuration for the sshpop NodeAttestor plugin on the agent. Ensure the host_key_path and host_cert_path point to valid SSH keys and certificates. ```hcl NodeAttestor "sshpop" { plugin_data { host_cert_path = "./conf/agent/dummy_agent_ssh_key-cert.pub" host_key_path = "./conf/agent/dummy_agent_ssh_key" } } ``` -------------------------------- ### GCP IIT Node Attestor Configuration Example Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_gcp_iit.md A sample HCL configuration for the gcp_iit node attestor plugin, specifying an allow list for project IDs. ```hcl NodeAttestor "gcp_iit" { plugin_data { projectid_allow_list = ["project-123"] } } ``` -------------------------------- ### Create SPIRE Entry with Docker Label Selector Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_docker.md Example of creating a SPIRE entry using a Docker label selector. This attests workloads based on labels applied during container creation (e.g., `docker run --label key=value`). ```shell $ spire-server entry create \ -parentID spiffe://example.org/host \ -spiffeID spiffe://example.org/host/foo \ -selector docker:label:com.example.name:foo ``` -------------------------------- ### Built-in Plugin with Static Configuration Source: https://github.com/spiffe/spire/blob/main/doc/spire_agent.md Example of configuring a built-in plugin using static data directly within the agent configuration. Use this when plugin configuration is simple and does not require external files. ```hcl plugins { SomeType "some_plugin" { plugin_data = { option1 = "foo" option2 = 3 } } } ``` -------------------------------- ### External Plugin with Dynamic Configuration Source: https://github.com/spiffe/spire/blob/main/doc/spire_agent.md Example of configuring an external plugin by sourcing its configuration from a separate file using `plugin_data_file`. This is useful for managing complex or sensitive plugin configurations separately. ```hcl plugins { SomeType "some_plugin" { plugin_cmd = "./path/to/plugin" plugin_checksum = "4e1243bd22c66e76c2ba9eddc1f91394e57f9f83" plugin_data_file = "some_plugin.conf" } } ``` ```hcl option1 = "foo" option2 = 3 ``` -------------------------------- ### Run SPIRE Server Windows Service Source: https://github.com/spiffe/spire/blob/main/doc/spire_server.md Starts the SPIRE Server Windows service. All 'spire-server run' command arguments, such as '-config', must be passed as service arguments. ```bash > sc.exe start spire-server run -config c:\spire\conf\server\server.conf ``` -------------------------------- ### Run SPIRE Agent as a Windows Service Source: https://github.com/spiffe/spire/blob/main/doc/spire_agent.md Command to start the SPIRE Agent Windows service. All necessary arguments for the 'run' command must be provided as service arguments. ```bash > sc.exe start spire-agent run -config c:\spire\conf\agent\agent.conf ``` -------------------------------- ### Create SPIRE Entry with Docker Image ID Selector Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_docker.md Example of creating a SPIRE entry using a Docker image ID selector. The selector uses the REPOSITORY:TAG format, not the IMAGE ID. ```shell $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE prom/prometheus latest 1d3b7f56885b 2 weeks ago 262MB spiffe.io latest 02acdde06edc 2 weeks ago 1.17GB ghcr.io/spiffe/spire-agent 1.9.1 622ce7acc7e8 4 weeks ago 57.9MB ghcr.io/spiffe/spire-server 1.9.1 e3b24c3cd9e1 4 weeks ago 103MB envoyproxy/envoy contrib-v1.29.1 644f45f6626c 7 weeks ago 181MB ``` ```shell $ spire-server entry create \ -parentID spiffe://example.org/host \ -spiffeID spiffe://example.org/host/foo \ -selector docker:image_id:envoyproxy/envoy:contrib-v1.29.1 ``` -------------------------------- ### Create SPIRE Entry with Docker Environment Variable Selector Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_docker.md Example of creating a SPIRE entry using a Docker environment variable selector. This attests workloads based on the value of a specific environment variable within the container. ```shell $ spire-server entry create \ -parentID spiffe://example.org/host \ -spiffeID spiffe://example.org/host/foo \ -selector docker:env:ENVIRONMENT=prod ``` -------------------------------- ### Sample x509pop NodeAttestor Configuration Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_x509pop.md This HCL configuration demonstrates how to set up the x509pop NodeAttestor plugin on the SPIRE server. It specifies the path to the CA bundle for validating agent certificates and includes commented-out examples for customizing the agent's SPIFFE ID format and setting limits on intermediate certificates and RSA key size. ```hcl NodeAttestor "x509pop" { plugin_data { ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem" # Change the agent's SPIFFE ID format # agent_path_template = "/cn/{{ .Subject.CommonName }}" # Optional: Maximum number of intermediate certificates (default: 4) # max_intermediates = 4 # Optional: Maximum RSA key size in bits (default: 8192) # max_rsa_key_size = 8192 } } ``` -------------------------------- ### Vault Upstream Authority Configuration with Client Certificate Auth Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_vault.md This HCL snippet demonstrates how to configure the Vault Upstream Authority plugin for SPIRE. It shows the basic setup with Vault address, PKI mount point, CA certificate path, and client certificate authentication details. It also includes commented-out examples for specifying a role name, using environment variables for key-pair, and using the default mount point. ```hcl UpstreamAuthority "vault" { plugin_data { vault_addr = "https://vault.example.org/" pki_mount_point = "test-pki" ca_cert_path = "/path/to/ca-cert.pem" cert_auth { cert_auth_mount_point = "test-tls-cert-auth" client_cert_path = "/path/to/client-cert.pem" client_key_path = "/path/to/client-key.pem" } // If specify the role to authenticate with // cert_auth { // cert_auth_mount_point = "test-tls-cert-auth" // cert_auth_role_name = "test" // client_cert_path = "/path/to/client-cert.pem" // client_key_path = "/path/to/client-key.pem" // } // If specify the key-pair as an environment variable and use the modified mount point // cert_auth { // cert_auth_mount_point = "test-tls-cert-auth" // } // If specify the key-pair as an environment variable and use the default mount point, set the empty structure. // cert_auth {} } } ``` -------------------------------- ### Configure Git and Build SPIRE Source: https://github.com/spiffe/spire/blob/main/doc/SPIRE101.md Configures Git to trust the temporary Docker container and then builds all SPIRE binaries. Ensure you are in the development shell. ```shell # git config --global --add safe.directory /spire # make build ``` -------------------------------- ### Clone SPIRE Repository Source: https://github.com/spiffe/spire/blob/main/doc/SPIRE101.md Use this command to clone the SPIRE GitHub repository to your local machine. Ensure Git is installed. ```shell git clone https://github.com/spiffe/spire ``` -------------------------------- ### Configure Server Socket Template and Use Instance Source: https://github.com/spiffe/spire/blob/main/doc/multiple_instances.md Sets the environment variable for the server's private API socket template and then uses the `-instance` flag to target a specific server instance for listing agents. ```bash export SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE=/var/run/spire/server/sockets/%i/private/api.sock spire-server agent list -instance b ``` -------------------------------- ### AWS S3 BundlePublisher with IRSA Configuration Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_bundlepublisher_aws_s3.md Example configuration for the aws_s3 BundlePublisher when using IRSA on EKS. Omit access_key_id and secret_access_key as they are automatically handled. ```hcl BundlePublisher "aws_s3" { plugin_data { region = "us-east-1" bucket = "spire-trust-bundle" object_key = "example.org" format = "spiffe" } } ``` -------------------------------- ### Rego Allow Clause for Entry Creation Source: https://github.com/spiffe/spire/blob/main/doc/authorization_policy_engine.md An example of an 'allow' clause that integrates with the `check_entry_create_namespace` rule. This demonstrates how to combine custom checks into the overall authorization policy. ```rego # Any allow check allow = true { check_entry_create_namespace } ``` -------------------------------- ### Examine SVID and Key Source: https://github.com/spiffe/spire/blob/main/doc/SPIRE101.md Optionally write the fetched SVID and key to disk for detailed examination using the -write flag. ```shell ``` -------------------------------- ### Sample Telemetry Configuration Source: https://github.com/spiffe/spire/blob/main/doc/telemetry/telemetry_config.md A sample HCL configuration block demonstrating how to set up various telemetry integrations like Prometheus, DogStatsd, Statsd, and M3. ```hcl telemetry { Prometheus { port = 9988 # optional TLS for prometheus tls { use_spire_svid = true authorized_spiffe_ids = [ "spiffe://example.org/monitoring/prometheus", ] # Alternatively, configure a web certificate directly: # cert_file = "/path/to/cert.pem" # key_file = "/path/to/key.pem" # client_ca_file = "/path/to/ca.pem" # optional CA file for mTLS } } DogStatsd = [ { address = "localhost:8125" }, ] Statsd = [ { address = "localhost:1337" }, { address = "collector.example.org:8125" }, ] M3 = [ { address = "localhost:9000" env = "prod" }, ] InMem {} AllowedLabels = [] BlockedLabels = [] AllowedPrefixes = [] BlockedPrefixes = [] } ``` -------------------------------- ### Windows: Server API and Serving Certificate Configuration Source: https://github.com/spiffe/spire/blob/main/support/oidc-discovery-provider/README.md Configure the OIDC Discovery Provider to use the Server API with a serving certificate on Windows platforms. Provide paths to the certificate and key files, and the Server API named pipe name via experimental configuration. ```hcl log_level = "debug" domains = ["mypublicdomain.test"] serving_cert_file { cert_file_path = "c:\\some\\path\\on\\disk\\to\\cert.pem" key_file_path = "c:\\some\\path\\on\\disk\\to\\key.pem" } server_api { experimental { named_pipe_name = "\\spire-server\\private\\api" } } ``` -------------------------------- ### k8s_psat Agent Configuration Example Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_k8s_psat.md Sample HCL configuration for the k8s_psat NodeAttestor plugin on the agent side. Ensure the 'cluster' value matches the server-side configuration. ```hcl NodeAttestor "k8s_psat" { plugin_data { cluster = "MyCluster" } } ``` -------------------------------- ### Configure EJBCA UpstreamAuthority Plugin Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_ejbca.md Example HCL configuration for the EJBCA UpstreamAuthority plugin. Ensure all required parameters are set, and note that environment variables can override these values. ```hcl UpstreamAuthority "ejbca" { plugin_data { hostname = "ejbca.example.com" ca_cert_path = "/path/to/ca_cert.pem" client_cert_path = "/path/to/client_cert.pem" client_cert_key_path = "/path/to/client_key.pem" ca_name = "Fake-Sub-CA" end_entity_profile_name = "fakeSpireIntermediateCAEEP" certificate_profile_name = "fakeSubCACP" end_entity_name = "cn" account_binding_id = "foo123" } } ``` -------------------------------- ### Configure Agent Socket Template and Use Instance Source: https://github.com/spiffe/spire/blob/main/doc/multiple_instances.md Sets the environment variable for the agent's public socket template and then uses the `-instance` flag to target a specific agent instance for API watch operations. ```bash export SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE=/var/run/spire/agent/sockets/%i/public/spiffe.sock spire-agent -instance a api watch ``` -------------------------------- ### Sample MySQL Datastore Configuration Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md A sample HCL configuration block for the SQL datastore plugin using MySQL. It specifies the database type and a connection string. ```hcl DataStore "sql" { plugin_data { database_type = "mysql" connection_string = "spire:@tcp(127.0.0.1)/spire_development?parseTime=true" } } ``` -------------------------------- ### Example of Tag-Based Image Selector (Not Recommended) Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_k8s.md Avoid using tag-based image selectors for reliable registration due to potential inconsistencies. This format can lead to unpredictable attestation results. ```text k8s:container-image:docker.io/envoyproxy/envoy-alpine:v1.16.0 ``` -------------------------------- ### Create SPIRE Server Windows Service Source: https://github.com/spiffe/spire/blob/main/doc/spire_server.md Creates a Windows service for the SPIRE Server executable. The 'binpath' argument must point to the SPIRE Server binary. ```bash > sc.exe create spire-server binpath=c:\spire\bin\spire-server.exe ``` -------------------------------- ### Create SPIRE Entry with Multiple Docker Label Selectors Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_docker.md Demonstrates composing multiple Docker label selectors for more specific workload attestation. This requires all specified labels to be present on the container. ```shell $ spire-server entry create \ -parentID spiffe://example.org/host \ -spiffeID spiffe://example.org/host/foo \ -selector docker:label:com.example.name:foo -selector docker:label:com.example.cluster:prod ``` -------------------------------- ### Sample GCP Secret Manager Plugin Configuration Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_svidstore_gcp_secretmanager.md This HCL configuration demonstrates how to set up the GCP Secret Manager SVIDStore plugin, including specifying a service account file for authentication. ```hcl SVIDStore "gcp_secretmanager" { plugin_data { service_account_file = "/opt/token" } } ``` -------------------------------- ### Kubernetes Volume Definition for Projected Service Account Token Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_k8s_psat.md Example Kubernetes volume definition to mount the projected service account token. This token is used by the k8s_psat plugin for attestation. ```yaml volumes: - name: spire-agent projected: sources: - serviceAccountToken: path: spire-agent expirationSeconds: 600 audience: spire-server ``` -------------------------------- ### Sample Docker WorkloadAttestor Configuration Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_docker.md A basic configuration for the Docker workload attestor plugin. No specific plugin data is required for basic operation. ```hcl WorkloadAttestor "docker" { plugin_data { } } ``` -------------------------------- ### HashiCorp Vault KeyManager Configuration Source: https://github.com/spiffe/spire/blob/main/doc/plugin_server_keymanager_hashicorp_vault.md Example HCL configuration for the HashiCorp Vault KeyManager plugin. It shows how to specify Vault address, CA certificate path, and client certificate authentication details. ```hcl KeyManager "hashicorp_vault" { plugin_data { vault_addr = "https://vault.example.org/" ca_cert_path = "/path/to/ca-cert.pem" cert_auth { cert_auth_mount_point = "test-tls-cert-auth" client_cert_path = "/path/to/client-cert.pem" client_key_path = "/path/to/client-key.pem" } // If specify the role to authenticate with // cert_auth { // cert_auth_mount_point = "test-tls-cert-auth" // cert_auth_role_name = "test" // client_cert_path = "/path/to/client-cert.pem" // client_key_path = "/path/to/client-key.pem" // } // If specify the key-pair as an environment variable and use the modified mount point // cert_auth { // cert_auth_mount_point = "test-tls-cert-auth" // } // If specify the key-pair as an environment variable and use the default mount point, set the empty structure. // cert_auth {} } } ``` -------------------------------- ### Example Policy Data JSON Source: https://github.com/spiffe/spire/blob/main/doc/authorization_policy_engine.md This JSON structure defines API endpoints that can be referenced within a Rego policy for authorization decisions. It's recommended to pre-compile as much data as possible into this binding for optimization. ```json { "apis": [ { "full_method": "/spire.api.server.svid.v1.SVID/MintJWTSVID" }, { "full_method": "/spire.api.server.bundle.v1.Bundle/GetFederatedBundle"}, { "full_method": "/spire.api.server.svid.v1.SVID/BatchNewX509SVID"} ] } ``` -------------------------------- ### Configure K8s Attestor with Secure Kubelet Port (X509 Auth) Source: https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_k8s.md Use this configuration to connect to the secure kubelet port, verifying the kubelet certificate using a custom CA path, and authenticating with an X509 client certificate and private key. Requires proper certificate management. ```hcl WorkloadAttestor "k8s" { plugin_data { kubelet_ca_path = "/path/to/kubelet-ca.pem" certificate_path = "/path/to/cert.pem" private_key_path = "/path/to/key.pem" } } ```