spiffe / go-spiffe

Golang library for SPIFFE support
Apache License 2.0
149 stars 77 forks

Provide a SPIFFE CLI utility in this repository #23

Open evan2645 opened 5 years ago

evan2645 commented 5 years ago

There is a community need for a generalized SPIFFE CLI utility, with many useful features possible. Among them:

There are likely additional features that would fit well here (SPIFFE bundle fetching? Munging to type-specific bundles? etc.). I would expect this utility to be fetchable/installable via the typical Go workflow, and would also expect it to fully subsume the functionality currently implemented in https://github.com/spiffe/spiffe-helper.

evan2645 commented 4 years ago

There are likely additional features that would fit well here (SPIFFE bundle fetching? Munging to type-specific bundles? etc)

Perhaps:

Maybe some of the functionality from the SPIRE OIDC provider can live here too?

mcpherrinm commented 4 years ago

One case I'd be interested in is supporting processes without native workload support.

I'm thinking the user-interaction might look something like this:

spiffe --spiffe="spiffe://example.org/pickaworkload" exec   -- mysql --ssl-ca=@X509BUNDLE --ssl-cert=@X509SVID --ssl-key=@SVIDKEY

the spiffe tool would write out temp files (ideally, to somewhere like a tmpfs that's relatively secure) and exec the tool with the templated parameters filled in. Lots of bikeshedding to do on the details, and at least in the above case I'd probably want a wrapper shell script (I'd call it spiffe-mysql or something) so folks don't have to type it out.

That would work with tools like curl, mysql, etc -- anything that takes a cert bundle, client cert, and key as files.

Maybe a flag to send a signal to the child on update, too?

mcpherrinm commented 4 years ago

There are a few ways you might want to specify the paths to files:

  1. as command line options, like mysql/curl do, with some syntax like in the comment above
  2. as environment variables, for "12 factor" style applications
  3. to preconfigured paths (for apps with config files that don't want to change)

mcpherrinm commented 4 years ago

You may also want support for different file formats...

e.g., syslog wants an "openssl CA directory". Java & Windows apps often want a .p12 file. Some apps want a pkcs1 vs pkcs8 key. Some want the x509 cert, chain, and key all in the same file (e.g., mongodb).

Our internal not-yet-SPIFFE software supported that set of file format options, and that's given almost complete coverage of the software we've run into.

mcpherrinm commented 4 years ago

Handling rotation:

  1. Might want to signal a process (ideally, a child process)
  2. Might want to run a command (e.g., sv restart /service/foo if you're using runit, or some equivalent systemd command, etc.) to restart a process. Definitely need to use this with care; I wouldn't want to knock out a fleet with a bad restart command.
  3. Ideally apps notice files on disk changing (via inotify) and reload, or do it on some timer, requiring no coordination.

mcpherrinm commented 4 years ago
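The following Go program is an added illustration of the `exec` wrapper sketched in mcpherrinm's earlier comment together with the rotation options listed just above; it is not code from go-spiffe or spiffe-helper. It assumes the three placeholder tokens from that comment (`@X509BUNDLE`, `@X509SVID`, `@SVIDKEY`), the file names `bundle.pem`, `svid.pem` and `svid_key.pem` as the on-disk layout, and a self-signed stand-in (`NewSelfSignedMaterials`) in place of a real Workload API fetch so that it runs offline. Files are written with owner-only permissions into a private temp directory and replaced by write-then-rename, so a child that re-reads them on its own timer or via inotify never sees a partial file; `Rotate` additionally covers the "signal a child process" option.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"time"
)

// Materials is PEM-encoded SVID material as a Workload API client would return it.
type Materials struct {
	Bundle, Cert, Key []byte
}

// placeholders maps the @TOKENs of the proposed CLI syntax to the files they stand for
// (file names are an assumption made for this example).
var placeholders = map[string]string{
	"@X509BUNDLE": "bundle.pem",
	"@X509SVID":   "svid.pem",
	"@SVIDKEY":    "svid_key.pem",
}

// ExpandArgs substitutes each placeholder in argv with the path of its file under dir.
func ExpandArgs(args []string, dir string) []string {
	out := make([]string, len(args))
	for i, a := range args {
		for tok, name := range placeholders {
			a = strings.ReplaceAll(a, tok, filepath.Join(dir, name))
		}
		out[i] = a
	}
	return out
}

// WriteMaterials writes each file with mode 0600 to a temporary name and renames it into
// place, so a reader never observes a half-written file, including at rotation time.
func WriteMaterials(dir string, m Materials) error {
	files := map[string][]byte{"bundle.pem": m.Bundle, "svid.pem": m.Cert, "svid_key.pem": m.Key}
	for name, data := range files {
		tmp := filepath.Join(dir, "."+name+".tmp")
		if err := os.WriteFile(tmp, data, 0o600); err != nil {
			return err
		}
		if err := os.Rename(tmp, filepath.Join(dir, name)); err != nil {
			return err
		}
	}
	return nil
}

// Rotate replaces the on-disk material and then signals the child, if one was given.
// A nil child is the "app watches the files itself" case, which needs no coordination.
func Rotate(dir string, m Materials, child *os.Process, sig os.Signal) error {
	if err := WriteMaterials(dir, m); err != nil {
		return err
	}
	if child == nil {
		return nil
	}
	return child.Signal(sig)
}

// NewSelfSignedMaterials fabricates a throwaway SVID for spiffeID (constructed test data,
// stands in for the Workload API); self-signed, so the leaf doubles as the trust bundle.
func NewSelfSignedMaterials(spiffeID string) (Materials, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return Materials{}, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Materials{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		URIs:         []*url.URL{id},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return Materials{}, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return Materials{}, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return Materials{Bundle: certPEM, Cert: certPEM, Key: keyPEM}, nil
}

func main() {
	args := os.Args[1:]
	for len(args) > 0 && (args[0] == "exec" || args[0] == "--") {
		args = args[1:] // accept "spiffe exec -- CMD ..." as in the proposed syntax
	}
	if len(args) == 0 {
		fmt.Fprintln(os.Stderr, "usage: spiffe exec -- CMD [ARGS using @X509BUNDLE @X509SVID @SVIDKEY]")
		os.Exit(2)
	}
	m, err := NewSelfSignedMaterials("spiffe://example.org/pickaworkload")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	dir, err := os.MkdirTemp("", "spiffe-exec-") // created 0700; ideally under a tmpfs mount
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)
	if err := WriteMaterials(dir, m); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	args = ExpandArgs(args, dir)
	cmd := exec.Command(args[0], args[1:]...) // stay resident so Rotate can signal the child later
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
}
```

The wrapper keeps running as the child's parent (exec.Command rather than replacing itself), which is what makes option 1 from the list possible: a real tool would call Rotate with the refreshed Materials and a signal such as SIGHUP when the Workload API delivers a new SVID, and the restart-command option would slot in at the same point.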

This is basically a description of spiffe-helper, but I think it's helpful to re-state what the goals are for a larger tool.