spiffe / helm-charts

Helm charts for SPIRE and other SPIFFE components.
Apache License 2.0

Workload example to demonstrate functionality of obtaining workload identity #172

Open mrsabath opened 1 year ago

mrsabath commented 1 year ago

It would be very useful to demonstrate how we can start a workload that can obtain its own identity from SPIRE Agent using CSI driver
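One shape such a workload could take, as an added example that is neither from the helm-charts repo nor from this thread: a registration entry via a ClusterSPIFFEID plus a pod that receives the Workload API socket through the spiffe-csi driver. It assumes spire-controller-manager and the CSI driver (driver name `csi.spiffe.io`) are installed, the namespace `demo`, the service account `hello`, the socket file name `spire-agent.sock`, and a hypothetical container image.

```yaml
# Added example; not code from the helm-charts repo or this thread.
# Assumptions: spire-controller-manager reconciles ClusterSPIFFEID, the
# spiffe-csi driver is registered as csi.spiffe.io, namespace "demo",
# service account "hello", socket file "spire-agent.sock".
---
# Registration: pods labelled app=hello in namespace demo get an ID built
# from their namespace and service account (attested by the agent).
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: hello-workload
spec:
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
  podSelector:
    matchLabels:
      app: hello
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: demo
---
apiVersion: v1
kind: Pod
metadata:
  name: hello-workload
  namespace: demo
  labels:
    app: hello
spec:
  serviceAccountName: hello
  containers:
    - name: hello
      image: example.invalid/hello-workload:latest   # hypothetical image
      env:
        # go-spiffe and similar SDKs read the Workload API address here.
        - name: SPIFFE_ENDPOINT_SOCKET
          value: unix:///spiffe-workload-api/spire-agent.sock
      volumeMounts:
        - name: spiffe-workload-api
          mountPath: /spiffe-workload-api
          readOnly: true
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
  volumes:
    # The CSI driver exposes only the agent socket to the pod; no hostPath
    # into the agent's directory, so the pod sees no other agent state.
    - name: spiffe-workload-api
      csi:
        driver: csi.spiffe.io
        readOnly: true
```

The container then only needs a Workload API client (for example go-spiffe's `workloadapi.NewX509Source`) to fetch its X509-SVID and build an mTLS config from it.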

kfox1111 commented 1 year ago

Something that tests both sides too maybe? Like... a server and a client testing each other?

marcofranssen commented 1 year ago

https://github.com/philips-labs/spiffe-vault/blob/main/example/README.md

kfox1111 commented 1 year ago

Something based on this may be easy to implement for the server side: https://spiffe.io/docs/latest/microservices/envoy-x509/readme/

mrsabath commented 1 year ago

Just as a reference, we have a simple example that demonstrates the following flow:

But this is too convoluted an example. We need here something very simple, like a hello-world client that obtains an x509 cert and uses it to establish an mTLS connection to a given server. That's all.

kfox1111 commented 1 year ago

The envoy-x509 example above I think can be made to be: pod1 (curl) -> pod2 (envoy -> basic nginx), with both ends secured by spire. So it might fit the hello-world example pretty well.

kfox1111 commented 1 year ago

We could consider https://github.com/elinesterov/spiffe-demo-app

edwbuck commented 1 year ago

I would prefer that we implement this by providing links in the top-level README.md and that we not actually provide the demonstration directly. The scope of such demonstrations often reaches far beyond the scope of installation.

With this in mind, some popular demonstrations could have an additional web page on how one would configure our Helm assisted deployment to match the demo. If so, we need one Issue per added "adaptation" page.

marcofranssen commented 1 year ago

Just as a reference, we have a simple example that demonstrates the following flow:

  • sidecar gets the x509 cert from SPIRE Agent and uses it to obtain a connection document with a secret password from Vault
  • then it passes it to the main Application that uses this connection document to access mySQL Database
  • web Application demonstrates this access by serving data that can be displayed in the browser.

But this is too convoluted an example. We need here something very simple, like a hello-world client that obtains an x509 cert and uses it to establish an mTLS connection to a given server. That's all.

@mrsabath Sounds very similar to what I did as an example. https://github.com/philips-labs/spiffe-vault

Probably we should just take a list of examples managed by others in our README.md, like edwin is suggesting.

That way people of the community can add to the list without us having to maintain those examples, still giving the community more than just a single example.