Merge pull request #131 from kfox1111/step-ssh-bump2

Bump spiffe-step-ssh version

.github/workflows/pr_build.yaml

@@ -6,11 +6,11 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 env:
-  GO_VERSION: 1.19.4
+  GO_VERSION: 1.24.1
   CHANGE_MINIKUBE_NONE_USER: true
 jobs:
   test-all:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     timeout-minutes: 30
     steps: 
       - name: Checkout
@@ -39,7 +39,7 @@ jobs:
       - run: |
           set -xe
           echo "building: {{github.ref_name}}-$(uname -i)"
-          docker build -t t examples/rpms
+          docker build -t t -f examples/rpms/Dockerfile examples
           docker run -i --rm -v /tmp:/tmp t /bin/bash -c 'cp -a /usr/share/nginx/html/packages /tmp'
       - name: Archive artifacts
         uses: actions/upload-artifact@v4

.github/workflows/release.yaml

@@ -14,10 +14,15 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
-      - run: |
+      - name: build
-          set -xe
+        env:
+          RPM_GPG_KEY: ${{ secrets.RPM_GPG_KEY }}
+        run: |
+          set -e
           echo "building: {{github.ref_name}}-$(uname -i)"
-          docker build -t t examples/rpms
+          printf "%s" "$RPM_GPG_KEY" | base64 -d > /tmp/rpm.priv
+          docker build --secret "id=gpg,src=/tmp/rpm.priv" -t t -f examples/rpms/Dockerfile examples
+          rm -f /tmp/rpm.priv
           docker run -i --rm -v /tmp:/tmp t /bin/bash -c 'cp -a /usr/share/nginx/html/packages /tmp'
       - name: Archive artifacts
         uses: actions/upload-artifact@v4
@@ -30,6 +35,11 @@ jobs:
     runs-on: ubuntu-24.04
     timeout-minutes: 30
     needs: packages
+    permissions:
+      id-token: write
+      contents: write
+      pages: write
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -43,8 +53,42 @@ jobs:
         with:
           name: packages-arm
           path: /tmp/packages
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: build-state-image
+        run: |
+          set -e
+          sudo apt-get update
+          sudo apt-get install -y rsync
+          # Fetch previously released packages
+          mkdir -p /tmp/oldpackages
+          docker run -i --rm -v /tmp:/tmp ghcr.io/spiffe/spire-examples/pages:latest /bin/bash -c 'cp -a /usr/share/nginx/html/RPMS /tmp/oldpackages/ && cp -a /usr/share/nginx/html/DEBS /tmp/oldpackages/'
+          # Copy only packages that don't overwrite a previously released package. This prevents rereleasing a package.
+          sudo rsync --ignore-existing -rv /tmp/packages/ /tmp/oldpackages/
+          sudo mv /tmp/packages /tmp/releasepackages
+          sudo mv /tmp/oldpackages /tmp/packages
+          # Update repos
+          docker build -f examples/rpms/Dockerfile.repos -t ghcr.io/spiffe/spire-examples/pages:latest /tmp/packages
+          sudo rm -rf /tmp/packages
+          mkdir -p /tmp/packages
+          docker run -i --rm -v /tmp:/tmp ghcr.io/spiffe/spire-examples/pages:latest /bin/bash -c 'cp -a /usr/share/nginx/html/RPMS /tmp/packages/ && cp -a /usr/share/nginx/html/DEBS /tmp/packages/'
+          # Save a copy of packages/pages for next release
+          docker push ghcr.io/spiffe/spire-examples/pages:latest
       - name: Release Files
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          gh release upload "${GITHUB_REF#refs/tags/}" /tmp/packages/*/*/*
+          gh release upload "${GITHUB_REF#refs/tags/}" examples/rpms/rpm.pub /tmp/releasepackages/*/*/*.rpm /tmp/releasepackages/*/*/*.deb
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+      - name: Upload Artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: /tmp/packages
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

README.md

@@ -12,30 +12,26 @@ The SPIRE project is growing rapidly, and new features are released often. In or
 
 Examples showing how SPIRE integrates with Envoy.
 
-* [Envoy SDS Integration with SPIRE 1.5.1](examples/envoy) Use SPIRE to deliver and rotate X509-SVIDs for Envoy
+* [Envoy SDS Integration](examples/envoy) Use SPIRE to deliver and rotate X509-SVIDs for Envoy
 
 ## Kubernetes
 
 Examples showing how to deploy SPIRE on Kubernetes. There are several configuration possibilities.
 
-+ [Simple SAT with SPIRE 1.5.1](examples/k8s/simple_sat) - This is a simple configuration using the Kubernetes
++ [Simple PSAT](examples/k8s/simple_psat) - This is a simple configuration using the
-  [service account token (SAT) attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md)
-  that deploys SPIRE server as a StatefulSet and SPIRE agent as a DaemonSet.
-+ [Simple PSAT with SPIRE 1.5.1](examples/k8s/simple_psat) - This is a simple configuration using the
   Kubernetes
-  [projected service account token (PSAT) attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_psat.md)
+  [projected service account token (PSAT) attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md).
-  that otherwise deploys SPIRE as in the **Simple SAT** example.
++ [Postgres](examples/k8s/postgres) - This expands on the **Simple PSAT** configuration by
-+ [Postgres with SPIRE 1.5.1](examples/k8s/postgres) - This expands on the **Simple SAT** configuration by
   moving the SPIRE datastore into a Postgres StatefulSet. The SPIRE server is
   now a stateless Deployment that can be scaled.
-+ [Kustomize with SPIRE 1.5.1](examples/k8s/k7e) - A set of SPIRE examples using [Kustomize](https://kustomize.io/)
++ [Kustomize](examples/k8s/k7e) - A set of SPIRE examples using [Kustomize](https://kustomize.io/)
   as shown at the SPIFFE Community Day in May 2019.
 
 ## EKS
 
 Examples showing how to deploy SPIRE on Amazon EKS.
 
-+ [EKS-based SAT with SPIRE 1.5.1](examples/k8s/eks_sat) - This slightly modifies the **Kubernetes Simple SAT** configuration to
++ [EKS-based SAT](examples/k8s/eks_psat) - This slightly modifies the **Kubernetes Simple PSAT** configuration to
   make it compatible with EKS platform.
 
 ## SystemD

examples/envoy/README.md

@@ -1,4 +1,4 @@
-# Envoy 1.17.0 SDS Example with SPIRE 1.5.1
+# Envoy 1.17.0 SDS Example with SPIRE
 
 [!WARNING]  
 This example is no longer tested regularly. Some assembly may be required. Please let us know if changes are needed.

examples/envoy/docker/echo/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-agent:1.6.1 as spire
+FROM ghcr.io/spiffe/spire-agent:1.11.2 as spire
 
 FROM envoyproxy/envoy:v1.25.1
 RUN mkdir -p /opt/spire/conf/agent

examples/envoy/docker/spire-server/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-server:1.6.1
+FROM ghcr.io/spiffe/spire-server:1.11.2
 
 # Override spire configurations
 COPY conf/spire-server.conf /opt/spire/conf/server/server.conf

examples/envoy/docker/web/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/spiffe/spire-agent:1.6.1 as spire
+FROM ghcr.io/spiffe/spire-agent:1.11.2 as spire
 
 FROM envoyproxy/envoy:v1.25.1
 RUN mkdir -p /opt/spire/conf/agent

examples/k8s/advanced/spire-chart/templates/agent-daemonset.tpl

@@ -23,12 +23,12 @@ spec:
         - name: init
           # This is a small image with wait-for-it, choose whatever image
           # you prefer that waits for a service to be up. This image is built
-          # from https://github.com/lqhl/wait-for-it
+          # from https://github.com/chainguard-images/images/blob/main/images/wait-for-it
-          image: gcr.io/spiffe-io/wait-for-it
+          image: cgr.dev/chainguard/wait-for-it
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
           - name: MY_NODE_NAME

examples/k8s/advanced/spire-chart/templates/server-statefulset.tpl

@@ -21,7 +21,7 @@ spec:
       shareProcessNamespace: true
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           args:
             - -config
             - /run/spire/config/server.conf

examples/k8s/eks_psat/README.md

@@ -1,18 +1,18 @@
-# SPIRE 1.5.1 deployment using SAT node attestor on EKS
+# SPIRE deployment using PSAT node attestor on EKS
 
-This configuration is an example of a SPIRE 1.5.1 deployment for Kubernetes on EKS. This example is based on the [simple SAT](../simple_sat/README.md), with minor modifications to make it work on EKS platform.
+This configuration is an example of a SPIRE deployment for Kubernetes on EKS. This example is based on the [simple PSAT](../simple_psat/README.md), with minor modifications to make it work on EKS platform.
 
-Compare the [simple SAT server](../simple_sat/spire-server.yaml) configuration with
+Compare the [simple PSAT server](../simple_psat/spire-server.yaml) configuration with
-this [EKS SAT server](spire-server.yaml) to see the differences, which
+this [EKS PSAT server](spire-server.yaml) to see the differences, which
 consist of:
 
-+ Node attestation is done using the [SAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md)
++ Node attestation is done using the [PSAT node attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md)
 with kubernetes token review validation enabled.
 + As a consequence of the above, volume and volume mounts for validation key are removed.
 + RBAC authorization policies are set to guarantee access to certain Kubernetes resources.
 
-In the same way, the differences between the [simple SAT agent](../simple_sat/spire-agent.yaml) and [EKS SAT server](spire-agent.yaml) are:
+In the same way, the differences between the [simple PSAT agent](../simple_psat/spire-agent.yaml) and [EKS PSAT server](spire-agent.yaml) are:
-+ Workload attestation is done using the [k8s workload attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_agent_workloadattestor_k8s.md) with the secure port configuration.
++ Workload attestation is done using the [k8s workload attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_k8s.md) with the secure port configuration.
 + RBAC authorization policies are set to guarantee access to certain Kubernetes resources.
 
 Both SPIRE agent and server run in the **spire** namespace, using service accounts of **spire-server** and **spire-agent**.
@@ -42,5 +42,5 @@ The server log shows the attestation result:
 $ kubectl -n spire logs -f spire-server-0
 ```
 ```
-level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_sat" subsystem_name=node_api
+level=info msg="Node attestation request from 192.168.21.111:56628 completed using strategy k8s_psat" subsystem_name=node_api
 ```

examples/k8s/eks_psat/spire-agent.yaml

@@ -52,7 +52,7 @@ data:
     }
 
     plugins {
-      NodeAttestor "k8s_sat" {
+      NodeAttestor "k8s_psat" {
         plugin_data {
           cluster = "demo-cluster"
         }
@@ -125,12 +125,12 @@ spec:
         - name: init
           # This is a small image with wait-for-it, choose whatever image
           # you prefer that waits for a service to be up. This image is built
-          # from https://github.com/lqhl/wait-for-it
+          # from https://github.com/chainguard-images/images/blob/main/images/wait-for-it
-          image: gcr.io/spiffe-io/wait-for-it
+          image: cgr.dev/chainguard/wait-for-it
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
           - name: MY_NODE_NAME
@@ -144,6 +144,8 @@ spec:
             - name: spire-agent-socket
               mountPath: /run/spire/sockets
               readOnly: false
+            - name: spire-token
+              mountPath: /var/run/secrets/tokens
           livenessProbe:
             httpGet:
               path: /live
@@ -166,3 +168,10 @@ spec:
           hostPath:
             path: /run/spire/sockets
             type: DirectoryOrCreate
+        - name: spire-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: spire-agent
+                expirationSeconds: 7200
+                audience: spire-server

examples/k8s/eks_psat/spire-server.yaml

@@ -80,12 +80,11 @@ data:
         }
       }
 
-      NodeAttestor "k8s_sat" {
+      NodeAttestor "k8s_psat" {
         plugin_data {
           clusters = {
             "demo-cluster" = {
               service_account_allow_list = ["spire:spire-agent"]
-              use_token_review_api_validation = true
             }
           }
         }
@@ -152,7 +151,7 @@ spec:
       serviceAccountName: spire-server
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           args: ["-config", "/run/spire/config/server.conf"]
           ports:
             - containerPort: 8081

examples/k8s/k7e/README.md

@@ -4,7 +4,7 @@ This directory contains various examples of deploying and configuring SPIRE to
 Kubernetes using [kustomize](https://kustomize.io) which is part of Kubectl as
 of 1.14.
 
-+ [base_minikube_sat](base_minikube_sat) - A base configuration for SPIRE in
++ [base_minikube_psat](base_minikube_psat) - A base configuration for SPIRE in
   minikube using the SAT attestor. This is also the base configuration from
   which all other configurations in this directory are derived.
 + [community_day_2019_may](community_day_2019_may) - This is the demo from
@@ -28,7 +28,7 @@ by kubectl, you can use the "kustomize" argument to `kubectl` along with the
 directory of the configuration to apply. For example:
 
 ```
-$ kubectl kustomize base_minikube_sat
+$ kubectl kustomize base_minikube_psat
 ```
 
 ## Apply Configuration to Kubernetes
@@ -37,5 +37,5 @@ To apply a kustomize configuration with kubectl, use the "-k" option to the
 "apply" option along with the directory of the configuration to apply:
 
 ```
-$ kubectl apply -k base_minikube_sat
+$ kubectl apply -k base_minikube_psat
 ```

examples/k8s/k7e/base_minikube_psat/config/spire-agent.conf

@@ -9,7 +9,7 @@ agent {
 }
 
 plugins {
-  NodeAttestor "k8s_sat" {
+  NodeAttestor "k8s_psat" {
     plugin_data {
       cluster = "demo-cluster"
     }

examples/k8s/k7e/base_minikube_psat/config/spire-server.conf

@@ -19,11 +19,10 @@ plugins {
     }
   }
 
-  NodeAttestor "k8s_sat" {
+  NodeAttestor "k8s_psat" {
     plugin_data {
       clusters = {
         "demo-cluster" = {
-          service_account_key_file = "/run/k8s-certs/sa.pub"
           service_account_allow_list = ["spire:spire-agent"]
         }
       }

examples/k8s/k7e/base_minikube_psat/spire-agent/spire-agent-deployment.yaml

@@ -23,12 +23,12 @@ spec:
         - name: init
           # This is a small image with wait-for-it, choose whatever image
           # you prefer that waits for a service to be up. This image is built
-          # from https://github.com/lqhl/wait-for-it
+          # from https://github.com/chainguard-images/images/blob/main/images/wait-for-it
-          image: gcr.io/spiffe-io/wait-for-it
+          image: cgr.dev/chainguard/wait-for-it
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           imagePullPolicy: Always
           args: ["-config", "/run/spire/config/spire-agent.conf"]
           env:
@@ -46,6 +46,8 @@ spec:
             - name: spire-agent-socket
               mountPath: /run/spire/sockets
               readOnly: false
+            - name: spire-token
+              mountPath: /var/run/secrets/tokens
           livenessProbe:
             httpGet:
               path: /live
@@ -71,3 +73,10 @@ spec:
           hostPath:
             path: /run/spire/sockets
             type: DirectoryOrCreate
+        - name: spire-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: spire-agent
+                expirationSeconds: 7200
+                audience: spire-server

examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-deployment.yaml

@@ -20,7 +20,7 @@ spec:
       serviceAccountName: spire-server
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           imagePullPolicy: Always
           args: ["-config", "/run/spire/config/spire-server.conf"]
           ports:

examples/k8s/k7e/base_minikube_psat/spire-server/spire-server-role.yaml

@@ -8,3 +8,6 @@ rules:
   resources: ["configmaps"]
   resourceNames: ["spire-bundle"]
   verbs: ["get", "patch"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]

examples/k8s/k7e/community_day_2019_may/README.md

@@ -1,10 +1,10 @@
 # Demo from SPIRE Community Day, May 2019
 
 This example will allow you to recreate the demo from SPIRE Community Day in
-May, 2019. To run this example you'll need:
+May 2019. To run this example you'll need:
 
 + A working minikube.
-+ `kubectl` version 1.14 or later.
++ `kubectl` version 1.20 or later.
 + The [examples/k8s/k7e](/examples/k8s/k7e) directory tree from the SPIRE github
   repository.
 
@@ -24,11 +24,11 @@ $ watch 'set -x; kubectl get pods -n spire; kubectl get pods'
 
 ### Deploy SPIRE
 
-To deploy SPIRE, apply the `base_minikube_sat` configuration from the parent
+To deploy SPIRE, apply the `base_minikube_psat` configuration from the parent
 directory:
 
 ```
-$ kubectl apply -k ../base_minikube_sat
+$ kubectl apply -k ../base_minikube_psat
 ```
 
 Within 30 seconds or so, you should now have pods in "Running" status for both
@@ -102,13 +102,13 @@ registration entries. We'll create two registration entries:
 First, let's create the `node` registration entry:
 
 ```
-$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry create -node -spiffeID spiffe://example.org/cluster -selector k8s_sat:cluster:demo-cluster
+$ kubectl exec -n spire spire-server-0 -- /opt/spire/bin/spire-server entry create -node -spiffeID spiffe://example.org/cluster -selector k8s_psat:cluster:demo-cluster
 
 Entry ID      : 1685a30f-fb14-4242-a86a-568038407ed7
 SPIFFE ID     : spiffe://example.org/cluster
 Parent ID     : spiffe://example.org/spire/server
 TTL           : 3600
-Selector      : k8s_sat:cluster:demo-cluster
+Selector      : k8s_psat:cluster:demo-cluster
 ```
 
 Second, we'll create a registration entry for our client workload:

examples/k8s/k7e/community_day_2019_may/client-deployment.yaml

@@ -16,7 +16,7 @@ spec:
     spec:
       containers:
         - name: client
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           imagePullPolicy: Always
           command: ["/opt/spire/bin/spire-agent"]
           args: ["api", "watch", "-socketPath", "/run/spire/sockets/agent.sock"]

examples/k8s/postgres/README.md

@@ -1,4 +1,4 @@
-# Postgres SPIRE 1.5.1 deployment
+# Postgres SPIRE deployment
 
 This configuration is an example of a SPIRE deployment for Kubernetes using
 Postgres as a datastore for the SPIRE server. This configuration provides
@@ -8,13 +8,13 @@ better resiliency and allows for scaling up the number of SPIRE servers.
   PersistentVolume.
 + The SPIRE [server](spire-server.yaml) runs as a stateless Deployment.
 + The SPIRE agent runs as a DaemonSet - note this configuration is a symlink
-  to the [simple sat example](../simple_sat/spire-agent.yaml).
+  to the [simple psat example](../simple_psat/spire-agent.yaml).
 
 Both SPIRE agent and server, along with postgres, run in the **spire**
 namespace, using service accounts of **spire-database**, **spire-server**, and
 **spire-agent**.
 
-Compare the [simple sat server](../simple_sat/spire-server.yaml) configuration with
+Compare the [simple psat server](../simple_psat/spire-server.yaml) configuration with
 this [postgres backed server](spire-server.yaml) to see the differences, which
 consist of: a Deployment instead of a StatefulSet, a datastore plugin change,
 an InitContainer that waits for postgres to be up, and removal of the
@@ -27,11 +27,11 @@ failures and scalability.
 + **stateless** - To run the SPIRE server stateless (as in this example), the
   `UpstreamAuthority` plugin needs to be used.
 + **stateful** - To run the SPIRE server stateful, the directory specified in
-  `data_dir` must be persistent (such as in the [simple sat example](../simple_sat)
+  `data_dir` must be persistent (such as in the [simple psat example](../simple_psat)
   where a StatefulSet and PersistentVolumeClaim are used.
 
 In this example deployment, the SPIRE server is stateless, using the example
-[dummy upstream authority](https://github.com/spiffe/spire/tree/v1.5.1/conf/server).
+[dummy upstream authority](https://github.com/spiffe/spire/tree/main/conf/server).
 
 One other **important note**: In a production environment it is very important
 to use a highly available Postgres configuration, unlike this configuration

examples/k8s/postgres/spire-agent.yaml

@@ -24,7 +24,7 @@ data:
     }
 
     plugins {
-      NodeAttestor "k8s_sat" {
+      NodeAttestor "k8s_psat" {
         plugin_data {
           cluster = "demo-cluster"
         }
@@ -101,12 +101,12 @@ spec:
         - name: init
           # This is a small image with wait-for-it, choose whatever image
           # you prefer that waits for a service to be up. This image is built
-          # from https://github.com/lqhl/wait-for-it
+          # from https://github.com/chainguard-images/images/blob/main/images/wait-for-it
-          image: gcr.io/spiffe-io/wait-for-it
+          image: cgr.dev/chainguard/wait-for-it
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
           - name: MY_NODE_NAME
@@ -120,6 +120,8 @@ spec:
             - name: spire-agent-socket
               mountPath: /run/spire/sockets
               readOnly: false
+            - name: spire-token
+              mountPath: /var/run/secrets/tokens
           livenessProbe:
             httpGet:
               path: /live
@@ -142,3 +144,10 @@ spec:
           hostPath:
             path: /run/spire/sockets
             type: DirectoryOrCreate
+        - name: spire-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: spire-agent
+                expirationSeconds: 7200
+                audience: spire-server

examples/k8s/postgres/spire-server.yaml

@@ -6,6 +6,36 @@ metadata:
 
 ---
 
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["pods", "nodes"]
+  verbs: ["get"]
+- apiGroups: ["authentication.k8s.io"]
+  resources: ["tokenreviews"]
+  verbs: ["create"]
+
+---
+
+# Binds above cluster role to spire-server service account
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: spire-server-cluster-role-binding
+subjects:
+- kind: ServiceAccount
+  name: spire-server
+  namespace: spire
+roleRef:
+  kind: ClusterRole
+  name: spire-server-cluster-role
+  apiGroup: rbac.authorization.k8s.io
+
+---
+
 apiVersion: v1
 kind: Secret
 metadata:
@@ -46,11 +76,10 @@ data:
         }
       }
 
-      NodeAttestor "k8s_sat" {
+      NodeAttestor "k8s_psat" {
         plugin_data {
           clusters = {
             "demo-cluster" = {
-              service_account_key_file = "/run/k8s-certs/sa.pub"
               service_account_allow_list = ["spire:spire-agent"]
             }
           }
@@ -119,12 +148,12 @@ spec:
         - name: init
           # This is a small image with wait-for-it, choose whatever image
           # you prefer that waits for a service to be up. This image is built
-          # from https://github.com/lqhl/wait-for-it
+          # from https://github.com/chainguard-images/images/blob/main/images/wait-for-it
-          image: gcr.io/spiffe-io/wait-for-it
+          image: cgr.dev/chainguard/wait-for-it
           args: ["-t", "30", "spire-database:5432"]
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           args: ["-config", "/run/spire/config/server.conf"]
           ports:
             - containerPort: 8081

examples/k8s/simple_psat/README.md

@@ -1,6 +1,6 @@
-# Simple SPIRE 1.5.1 deployment using PSAT node attestor
+# Simple SPIRE deployment using PSAT node attestor
 
-This configuration is an example of a simple SPIRE 1.5.1 deployment for Kubernetes that uses [PSAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_psat.md).
+This configuration is an example of a simple SPIRE deployment for Kubernetes that uses [PSAT node attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md).
 
 + The SPIRE [server](spire-server.yaml) runs as a StatefulSet using a
   PersistentVolumeClaim.

examples/k8s/simple_psat/spire-agent.yaml

@@ -129,12 +129,12 @@ spec:
         - name: init
           # This is a small image with wait-for-it, choose whatever image
           # you prefer that waits for a service to be up. This image is built
-          # from https://github.com/lqhl/wait-for-it
+          # from https://github.com/chainguard-images/images/blob/main/images/wait-for-it
-          image: gcr.io/spiffe-io/wait-for-it
+          image: cgr.dev/chainguard/wait-for-it
           args: ["-t", "30", "spire-server:8081"]
       containers:
         - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
+          image: ghcr.io/spiffe/spire-agent:1.11.2
           args: ["-config", "/run/spire/config/agent.conf"]
           env:
           - name: MY_NODE_NAME

examples/k8s/simple_psat/spire-server.yaml

@@ -154,7 +154,7 @@ spec:
       serviceAccountName: spire-server
       containers:
         - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
+          image: ghcr.io/spiffe/spire-server:1.11.2
           args: ["-config", "/run/spire/config/server.conf"]
           ports:
             - containerPort: 8081

examples/k8s/simple_sat/README.md

@@ -1,33 +0,0 @@
-# Simple SPIRE 1.5.1 deployment using SAT node attestor
-
-This configuration is an example of a simple SPIRE v1.5.1 deployment for Kubernetes that uses [SAT node attestor](https://github.com/spiffe/spire/blob/v1.5.1/doc/plugin_server_nodeattestor_k8s_sat.md).
-
-+ The SPIRE [server](spire-server.yaml) runs as a StatefulSet using a
-  PersistentVolumeClaim.
-+ The SPIRE [agent](spire-agent.yaml) runs as a DaemonSet.
-
-Both SPIRE agent and server run in the **spire** namespace, using service
-accounts of **spire-server** and **spire-agent**.
-
-## Usage
-
-### Configuration
-
-+ Set trust_domain and the cluster name for the k8s SAT NodeAttestor.
-+ Modify the path in the *k8s-sa-cert* volume for SPIRE server as appropriate
-  for your deployment - this is the certificate used to verify service accounts
-  in the cluster. This example assumes minikube.
-
-### Deployment
-
-Start the server StatefulSet:
-
-```
-$ kubectl apply -f spire-server.yaml
-```
-
-Start the agent DaemonSet:
-
-```
-$ kubectl apply -f spire-agent.yaml
-```

examples/k8s/simple_sat/kustomization.yaml

@@ -1,8 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: spire
-
-resources:
-- spire-server.yaml
-- spire-agent.yaml

examples/k8s/simple_sat/spire-agent.yaml

@@ -1,144 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: spire-agent
-  namespace: spire
-
----
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: spire-agent
-  namespace: spire
-data:
-  agent.conf: |
-    agent {
-      data_dir = "/run/spire"
-      log_level = "DEBUG"
-      server_address = "spire-server"
-      server_port = "8081"
-      socket_path = "/run/spire/sockets/agent.sock"
-      trust_bundle_path = "/run/spire/config/bootstrap.crt"
-      trust_domain = "example.org"
-    }
-
-    plugins {
-      NodeAttestor "k8s_sat" {
-        plugin_data {
-          cluster = "demo-cluster"
-        }
-      }
-
-      KeyManager "memory" {
-        plugin_data {
-        }
-      }
-
-      WorkloadAttestor "k8s" {
-        plugin_data {
-          # Defaults to the secure kubelet port by default.
-          # Minikube does not have a cert in the cluster CA bundle that
-          # can authenticate the kubelet cert, so skip validation.
-          skip_kubelet_verification = true
-          node_name_env = "MY_NODE_NAME"
-        }
-      }
-
-      WorkloadAttestor "unix" {
-          plugin_data {
-          }
-      }
-    }
-
-    health_checks {
-      listener_enabled = true
-      bind_address = "0.0.0.0"
-      bind_port = "8080"
-      live_path = "/live"
-      ready_path = "/ready"
-    }
-  bootstrap.crt: |
-    -----BEGIN CERTIFICATE-----
-    MIICHzCCAaSgAwIBAgIJAJjG+BUpVpUbMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYT
-    AlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMjMwNjA5MjM0OTQxWhcNMjgwNjA3MjM0
-    OTQxWjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0C
-    AQYFK4EEACIDYgAERWdqmbBWmk7iKDFD7MuI8O2oBrXMpfZPC+Nz3dLRPWu44z3C
-    51MPk9GJDAoNsqpyZ9sHOnL8I+CdkmE41LqK/rigvKgvlrlqWJjf0/FAM/XLARaW
-    rzcpRty42WJgR5Yxo4GtMIGqMB0GA1UdDgQWBBRXKdGnbiP9nul87xm5F30yxRWT
-    VjAfBgNVHSMEGDAWgBRXKdGnbiP9nul87xm5F30yxRWTVjAPBgNVHRMBAf8EBTAD
-    AQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
-    ZTAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYI
-    KoZIzj0EAwQDaQAwZgIxAKHxaBfSjhDJksGXmgJKkcpepPCYfB58hUc3HkxPy3Zf
-    08dfaeAp7UdBCkpU20GSrQIxAJc0FMZs1BSSINku6oYZpsrcCuo7CijAJMLCBLXQ
-    VYYO6xcbDgbZVm5MXu3FWTt+7g==
-    -----END CERTIFICATE-----
-
----
-
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: spire-agent
-  namespace: spire
-  labels:
-    app: spire-agent
-spec:
-  selector:
-    matchLabels:
-      app: spire-agent
-  template:
-    metadata:
-      namespace: spire
-      labels:
-        app: spire-agent
-    spec:
-      hostPID: true
-      hostNetwork: true
-      dnsPolicy: ClusterFirstWithHostNet
-      serviceAccountName: spire-agent
-      initContainers:
-        - name: init
-          # This is a small image with wait-for-it, choose whatever image
-          # you prefer that waits for a service to be up. This image is built
-          # from https://github.com/lqhl/wait-for-it
-          image: gcr.io/spiffe-io/wait-for-it
-          args: ["-t", "30", "spire-server:8081"]
-      containers:
-        - name: spire-agent
-          image: ghcr.io/spiffe/spire-agent:1.6.1
-          args: ["-config", "/run/spire/config/agent.conf"]
-          env:
-          - name: MY_NODE_NAME
-            valueFrom:
-              fieldRef:
-                fieldPath: status.podIP
-          volumeMounts:
-            - name: spire-config
-              mountPath: /run/spire/config
-              readOnly: true
-            - name: spire-agent-socket
-              mountPath: /run/spire/sockets
-              readOnly: false
-          livenessProbe:
-            httpGet:
-              path: /live
-              port: 8080
-            failureThreshold: 2
-            initialDelaySeconds: 15
-            periodSeconds: 60
-            timeoutSeconds: 3
-          readinessProbe:
-            httpGet:
-              path: /ready
-              port: 8080
-            initialDelaySeconds: 5
-            periodSeconds: 5
-      volumes:
-        - name: spire-config
-          configMap:
-            name: spire-agent
-        - name: spire-agent-socket
-          hostPath:
-            path: /run/spire/sockets
-            type: DirectoryOrCreate

examples/k8s/simple_sat/spire-server.yaml

@@ -1,195 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: spire
-
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: spire-server
-  namespace: spire
-
----
-
-apiVersion: v1
-kind: Secret
-metadata:
-  name: spire-server
-  namespace: spire
-type: Opaque
-data:
-  bootstrap.key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JR2tBZ0VCQkRCN2FmUTBzS2xuVWZHZ01rcTRnZVFFdlUwOTV1aHJLZzNkVU1pSkQyVVVKNzBYYjVXTThXWmYKMEp3R2ZXVzVjTStnQndZRks0RUVBQ0toWkFOaUFBUkZaMnFac0ZhYVR1SW9NVVBzeTRqdzdhZ0d0Y3lsOWs4TAo0M1BkMHRFOWE3ampQY0xuVXcrVDBZa01DZzJ5cW5KbjJ3YzZjdndqNEoyU1lUalV1b3IrdUtDOHFDK1d1V3BZCm1OL1Q4VUF6OWNzQkZwYXZOeWxHM0xqWlltQkhsakU9Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K
-
----
-
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: spire-server
-  namespace: spire
-data:
-  server.conf: |
-    server {
-      bind_address = "0.0.0.0"
-      bind_port = "8081"
-      trust_domain = "example.org"
-      data_dir = "/run/spire/data"
-      log_level = "DEBUG"
-      ca_subject = {
-        country = ["US"],
-        organization = ["SPIFFE"],
-        common_name = "",
-      }
-    }
-
-    plugins {
-      DataStore "sql" {
-        plugin_data {
-          database_type = "sqlite3"
-          connection_string = "/run/spire/data/datastore.sqlite3"
-        }
-      }
-
-      NodeAttestor "k8s_sat" {
-        plugin_data {
-          clusters = {
-            "demo-cluster" = {
-              service_account_key_file = "/run/k8s-certs/sa.pub"
-              service_account_allow_list = ["spire:spire-agent"]
-            }
-          }
-        }
-      }
-
-      KeyManager "disk" {
-        plugin_data {
-          keys_path = "/run/spire/data/keys.json"
-        }
-      }
-
-      UpstreamAuthority "disk" {
-        plugin_data {
-          key_file_path = "/run/spire/secrets/bootstrap.key"
-          cert_file_path = "/run/spire/config/bootstrap.crt"
-        }
-      }
-    }
-
-    health_checks {
-      listener_enabled = true
-      bind_address = "0.0.0.0"
-      bind_port = "8080"
-      live_path = "/live"
-      ready_path = "/ready"
-    }
-  bootstrap.crt: |
-    -----BEGIN CERTIFICATE-----
-    MIICHzCCAaSgAwIBAgIJAJjG+BUpVpUbMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYT
-    AlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMjMwNjA5MjM0OTQxWhcNMjgwNjA3MjM0
-    OTQxWjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0C
-    AQYFK4EEACIDYgAERWdqmbBWmk7iKDFD7MuI8O2oBrXMpfZPC+Nz3dLRPWu44z3C
-    51MPk9GJDAoNsqpyZ9sHOnL8I+CdkmE41LqK/rigvKgvlrlqWJjf0/FAM/XLARaW
-    rzcpRty42WJgR5Yxo4GtMIGqMB0GA1UdDgQWBBRXKdGnbiP9nul87xm5F30yxRWT
-    VjAfBgNVHSMEGDAWgBRXKdGnbiP9nul87xm5F30yxRWTVjAPBgNVHRMBAf8EBTAD
-    AQH/MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0
-    ZTAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYI
-    KoZIzj0EAwQDaQAwZgIxAKHxaBfSjhDJksGXmgJKkcpepPCYfB58hUc3HkxPy3Zf
-    08dfaeAp7UdBCkpU20GSrQIxAJc0FMZs1BSSINku6oYZpsrcCuo7CijAJMLCBLXQ
-    VYYO6xcbDgbZVm5MXu3FWTt+7g==
-    -----END CERTIFICATE-----
-
----
-
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: spire-server
-  namespace: spire
-  labels:
-    app: spire-server
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: spire-server
-  serviceName: spire-server
-  template:
-    metadata:
-      namespace: spire
-      labels:
-        app: spire-server
-    spec:
-      serviceAccountName: spire-server
-      containers:
-        - name: spire-server
-          image: ghcr.io/spiffe/spire-server:1.6.1
-          args: ["-config", "/run/spire/config/server.conf"]
-          ports:
-            - containerPort: 8081
-          volumeMounts:
-            - name: spire-config
-              mountPath: /run/spire/config
-              readOnly: true
-            - name: spire-secrets
-              mountPath: /run/spire/secrets
-              readOnly: true
-            - name: spire-data
-              mountPath: /run/spire/data
-              readOnly: false
-            - name: k8s-sa-cert
-              mountPath: /run/k8s-certs/sa.pub
-              readOnly: true
-          livenessProbe:
-            httpGet:
-              path: /live
-              port: 8080
-            failureThreshold: 2
-            initialDelaySeconds: 15
-            periodSeconds: 60
-            timeoutSeconds: 3
-          readinessProbe:
-            httpGet:
-              path: /ready
-              port: 8080
-            initialDelaySeconds: 5
-            periodSeconds: 5
-      volumes:
-        - name: spire-config
-          configMap:
-            name: spire-server
-        - name: spire-secrets
-          secret:
-            secretName: spire-server
-        - name: k8s-sa-cert
-          hostPath:
-            path: /var/lib/minikube/certs/sa.pub
-            type: File
-  volumeClaimTemplates:
-    - metadata:
-        name: spire-data
-        namespace: spire
-      spec:
-        accessModes:
-          - ReadWriteOnce
-        resources:
-          requests:
-            storage: 1Gi
-
----
-
-apiVersion: v1
-kind: Service
-metadata:
-  name: spire-server
-  namespace: spire
-spec:
-  type: NodePort
-  ports:
-    - name: grpc
-      port: 8081
-      targetPort: 8081
-      protocol: TCP
-  selector:
-    app: spire-server

examples/k8s/simple_sat/test.sh

@@ -1,65 +0,0 @@
-#!/bin/bash
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-bold=$(tput bold) || true
-norm=$(tput sgr0) || true
-red=$(tput setaf 1) || true
-green=$(tput setaf 2) || true
-yellow=$(tput setaf 3) || true
-
-fail() {
-	echo "${red}$*${norm}."
-	exit 1
-}
-
-delete-ns() {
-	echo "${bold}Cleaning up...${norm}"
-    kubectl delete --ignore-not-found namespace spire > /dev/null
-}
-
-cleanup() {
-    if [ -z "${GOOD}" ]; then
-        echo "${yellow}Dumping statefulset/spire-server logs...${norm}"
-        kubectl -nspire logs statefulset/spire-server --all-containers
-        echo "${yellow}Dumping daemonset/spire-agent logs...${norm}"
-        kubectl -nspire logs daemonset/spire-agent --all-containers
-    fi
-    delete-ns
-    if [ -n "${GOOD}" ]; then
-        echo "${green}Success.${norm}"
-    else
-        echo "${red}Failed.${norm}"
-    fi
-}
-
-trap cleanup EXIT
-
-echo "${bold}Preparing environment...${norm}"
-delete-ns
-kubectl create namespace spire
-
-echo "${bold}Applying configuration...${norm}"
-kubectl apply -k "${DIR}"
-
-LOGLINE="Agent attestation request completed"
-for ((i=0;i<120;i++)); do
-    if ! kubectl -nspire rollout status statefulset/spire-server; then
-        sleep 1
-        continue
-    fi
-    if ! kubectl -nspire rollout status daemonset/spire-agent; then
-        sleep 1
-        continue
-    fi
-    if ! kubectl -nspire logs statefulset/spire-server -c spire-server | grep -e "$LOGLINE" ; then
-        sleep 1
-        continue
-    fi
-    echo "${bold}Node attested.${norm}"
-    GOOD=1
-    exit 0
-done
-
-echo "${red}Timed out waiting for node to attest.${norm}"
-exit 1

examples/rpms/Dockerfile

@@ -1,16 +1,26 @@
 ARG STEPVER="0.28.2"
+ARG STEPCAVER="0.28.4"
 
 FROM docker.io/library/almalinux:9 AS rpm-builder
 ARG STEPVER
+ARG STEPCAVER
 
 WORKDIR /tmp
 
-COPY *.spec /tmp
+COPY rpms/*.spec /tmp
+ADD rpms/rpm.pub /tmp/rpm.pub
+ADD rpms/rpmmacros /root/.rpmmacros
 
-RUN \
+COPY systemd /tmp/systemd
-  dnf install -y rpmdevtools rpm-build git make && \
+
+RUN --mount=type=secret,id=gpg \
+  mkdir -p /root/rpmbuild/SOURCES && \
+  tar -zcvf /root/rpmbuild/SOURCES/spire-extras-systemd.tar.gz systemd && \
+  dnf install -y which rpmdevtools rpm-build rpm-sign git make && \
   spectool -g -R spire.spec && \
   rpmbuild -ba spire.spec && \
+  spectool -g -R spire-controller-manager.spec && \
+  rpmbuild -ba spire-controller-manager.spec && \
   spectool -g -R spiffe-helper.spec && \
   rpmbuild -ba spiffe-helper.spec && \
   spectool -g -R spiffe-step-ssh.spec && \
@@ -24,14 +34,29 @@ RUN \
   spectool -g -R spire-server-nodeattestor-tpmdirect.spec && \
   rpmbuild -ba spire-server-nodeattestor-tpmdirect.spec && \
   spectool -g -R spire-agent-nodeattestor-tpmdirect.spec && \
-  rpmbuild -ba spire-agent-nodeattestor-tpmdirect.spec
+  rpmbuild -ba spire-agent-nodeattestor-tpmdirect.spec && \
+  spectool -g -R spire-server-attestor-tpm.spec && \
+  rpmbuild -ba spire-server-attestor-tpm.spec && \
+  spectool -g -R spire-credentialcomposer-cel.spec && \
+  rpmbuild -ba spire-credentialcomposer-cel.spec && \
+  spectool -g -R aws-spiffe-workload-helper.spec && \
+  rpmbuild -ba aws-spiffe-workload-helper.spec && \
+  if [ -f /run/secrets/gpg ]; then \
+    gpg --import /run/secrets/gpg && \
+    gpg --import rpm.pub && \
+    rpm --addsign /root/rpmbuild/RPMS/*/*.rpm; \
+  else \
+    true; \
+  fi
 
 RUN \
   dnf localinstall -y https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli-${STEPVER}-1.$(uname -i).rpm && \
+  dnf localinstall -y https://github.com/smallstep/certificates/releases/download/v${STEPCAVER}/step-ca-${STEPCAVER}-1.$(uname -i).rpm && \
   dnf localinstall -y /root/rpmbuild/RPMS/*/*.rpm
 
 FROM docker.io/library/ubuntu:latest AS deb-builder
 ARG STEPVER
+ARG STEPCAVER
 
 COPY --from=rpm-builder /root/rpmbuild/RPMS /root/rpmbuild/RPMS
 
@@ -48,7 +73,9 @@ RUN \
 
 RUN \
   curl -L -o step-cli.deb https://github.com/smallstep/cli/releases/download/v${STEPVER}/step-cli_${STEPVER}-1_$(dpkg --print-architecture).deb && \
+  curl -L -o step-ca.deb https://github.com/smallstep/certificates/releases/download/v${STEPCAVER}/step-ca_${STEPCAVER}-1_$(dpkg --print-architecture).deb && \
   apt-get install -y ./step-cli.deb && \
+  apt-get install -y ./step-ca.deb && \
   apt-get install -y /root/debbuild/*/*.deb
 
 FROM docker.io/library/nginx:latest

examples/rpms/Dockerfile.repos

@@ -0,0 +1,46 @@
+FROM docker.io/library/almalinux:9 AS rpm-builder9
+
+WORKDIR /tmp
+COPY RPMS /tmp/packages/RPMS
+COPY DEBS /tmp/packages/DEBS
+RUN \
+  dnf install -y createrepo_c && \
+  mkdir -p /tmp/packages/RPMS/x86_64/el9 && \
+  mkdir -p /tmp/packages/RPMS/aarch64/el9 && \
+  cd /tmp/packages/RPMS/x86_64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el9/ . && \
+  cd /tmp/packages/RPMS/aarch64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el9/ .
+
+FROM docker.io/library/almalinux:10 AS rpm-builder10
+WORKDIR /tmp
+COPY RPMS /tmp/packages/RPMS
+RUN \
+  dnf install -y createrepo_c && \
+  mkdir -p /tmp/packages/RPMS/x86_64/el10 && \
+  mkdir -p /tmp/packages/RPMS/aarch64/el10 && \
+  cd /tmp/packages/RPMS/x86_64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el10/ . && \
+  cd /tmp/packages/RPMS/aarch64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el10/ .
+
+FROM docker.io/library/almalinux:8 AS rpm-builder8
+WORKDIR /tmp
+COPY RPMS /tmp/packages/RPMS
+RUN \
+  dnf install -y createrepo_c && \
+  mkdir -p /tmp/packages/RPMS/x86_64/el8 && \
+  mkdir -p /tmp/packages/RPMS/aarch64/el8 && \
+  cd /tmp/packages/RPMS/x86_64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/x86_64 -o el8/ . && \
+  cd /tmp/packages/RPMS/aarch64 && \
+  createrepo -u https://spiffe.github.io/spire-examples/RPMS/aarch64 -o el8/ .
+
+FROM docker.io/library/nginx:latest
+RUN rm -rf /usr/share/nginx/html/*
+COPY --from=rpm-builder9 /tmp/packages/RPMS /usr/share/nginx/html/RPMS
+COPY --from=rpm-builder9 /tmp/packages/DEBS /usr/share/nginx/html/DEBS
+COPY --from=rpm-builder10 /tmp/packages/RPMS/x86_64/el10 /usr/share/nginx/html/RPMS/x86_64/el10
+COPY --from=rpm-builder10 /tmp/packages/RPMS/aarch64/el10 /usr/share/nginx/html/RPMS/aarch64/el10
+COPY --from=rpm-builder8 /tmp/packages/RPMS/x86_64/el8 /usr/share/nginx/html/RPMS/x86_64/el8
+COPY --from=rpm-builder8 /tmp/packages/RPMS/aarch64/el8 /usr/share/nginx/html/RPMS/aarch64/el8

examples/rpms/aws-spiffe-workload-helper.spec

@@ -0,0 +1,54 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
+
+Summary:    AWS SPIFFE Workload Helper
+Name:       aws-spiffe-workload-helper
+Version:    0.0.4
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Source0:    https://github.com/spiffe/aws-spiffe-workload-helper/releases/download/v%{version}/aws-spiffe-workload-helper_Linux_%{ARCH}.tar.gz
+
+%global __strip /bin/true
+
+%description
+AWS SPIFFE Workload Helper
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup -c
+
+%build
+
+%install
+mkdir -p "%{buildroot}/usr/bin"
+cp -a aws-spiffe-workload-helper %{buildroot}/usr/bin
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/bin/aws-spiffe-workload-helper
+

examples/rpms/k8s-spiffe-workload-auth-config.spec

@@ -19,9 +19,9 @@
 
 %define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
 
-Summary:    K8s SPIFFE Workload Auth Config
+Summary:    Kubernetes SPIFFE Workload Auth Config
 Name:       k8s-spiffe-workload-auth-config
-Version:    0.0.8
+Version:    0.2.1
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
@@ -29,8 +29,22 @@ URL:        https://spiffe.io
 Source0:    https://github.com/spiffe/k8s-spiffe-workload-auth-config/releases/download/v%{version}/k8s-spiffe-workload-auth-config_Linux_%{ARCH}.tar.gz
 Requires:  spiffe-helper
 
+%global __strip /bin/true
+
 %description
-K8s SPIFFE Workload Auth Config
+Kubernetes SPIFFE Workload Auth Config
+
+%package -n k8s-spiffe-oidc-discovery-provider
+Summary: Kubernetes SPIFFE OIDC Discovery Provider
+Requires: spiffe-helper spiffe-oidc-discovery-provider
+%description -n k8s-spiffe-oidc-discovery-provider
+Kubernetes SPIFFE OIDC Discovery Provider
+
+%package -n k8s-spire-agent
+Summary: Kubernetes SPIRE Agent
+Requires: spiffe-helper
+%description -n k8s-spire-agent
+Kubernetes SPIRE Agent
 
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}
@@ -46,10 +60,15 @@ mkdir -p "%{buildroot}/usr/bin"
 mkdir -p "%{buildroot}/etc/spiffe"
 mkdir -p "%{buildroot}/etc/kubernetes"
 mkdir -p "%{buildroot}/usr/lib/systemd/system"
+mkdir -p "%{buildroot}/usr/libexec/spiffe/k8s-oidc-discovery-provider"
 cp -a k8s-spiffe-workload-auth-config %{buildroot}/usr/bin
-cp -a config/k8s-spiffe-workload-auth-config.env %{buildroot}/etc/spiffe
+cp -a config/k8s-spiffe-workload-auth-config.env %{buildroot}/etc/spiffe/k8s-workload-auth-config.env
 cp -a config/auth-config.yaml %{buildroot}/etc/kubernetes/
+cp -a config/k8s-spiffe-oidc-discovery-provider-helper.conf %{buildroot}/usr/libexec/spiffe/k8s-oidc-discovery-provider/helper.conf
+cp -a config/k8s-spiffe-oidc-discovery-provider.conf %{buildroot}/etc/spiffe/k8s-oidc-discovery-provider.conf
 cp -a systemd/k8s-spiffe-workload-auth-config.service %{buildroot}/usr/lib/systemd/system
+cp -a systemd/k8s-spiffe-oidc-discovery-provider.service %{buildroot}/usr/lib/systemd/system
+cp -a systemd/k8s-spire-agent@.service %{buildroot}/usr/lib/systemd/system
 
 %clean
 rm -rf %{buildroot}
@@ -57,5 +76,13 @@ rm -rf %{buildroot}
 %files
 /usr/bin/k8s-spiffe-workload-auth-config
 /usr/lib/systemd/system/k8s-spiffe-workload-auth-config.service
-%config(noreplace) /etc/spiffe/k8s-spiffe-workload-auth-config.env
+%config(noreplace) /etc/spiffe/k8s-workload-auth-config.env
 %config(noreplace) /etc/kubernetes/auth-config.yaml
+
+%files -n k8s-spiffe-oidc-discovery-provider
+/usr/lib/systemd/system/k8s-spiffe-oidc-discovery-provider.service
+/usr/libexec/spiffe/k8s-oidc-discovery-provider/helper.conf
+%config(noreplace) /etc/spiffe/k8s-oidc-discovery-provider.conf
+
+%files -n k8s-spire-agent
+/usr/lib/systemd/system/k8s-spire-agent@.service

examples/rpms/k8s-spiffe-workload-jwt-exec-auth.spec

@@ -21,13 +21,15 @@
 
 Summary:    K8s SPIFFE Workload JWT Exec Auth Plugin
 Name:       k8s-spiffe-workload-jwt-exec-auth
-Version:    0.0.4
+Version:    0.0.7
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
 Source0:    https://github.com/spiffe/k8s-spiffe-workload-jwt-exec-auth/releases/download/v%{version}/k8s-spiffe-workload-jwt-exec-auth_Linux_%{ARCH}.tar.gz
 
+%global __strip /bin/true
+
 %description
 K8s SPIFFE Workload JWT Exec Auth Plugin
 

examples/rpms/rpm.pub

@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGefjVIBEACpBWcQ51kffvULrryaeZNNnOEBzQdEEwoV85YVzTaugzbIYZlh
+csF8IpBbEKAclVBbnT27HVdop+OtRJ2qMIxnCc+onWNZwnXDacKzzKOzj4cfZVhM
+LecdmPI6vJWJIyF/nnkh5/x+7e7RWAG/+4dxfMKOGQN6ReUFWDpQQxf3XqRYdlV/
+/KE25gFqBmn9aoG2C3KjlT6m2cKWySMEGFRkSBDXiY5OaQ99+AJJ0Qhe4t4lcm2Q
+e5ow7Y7UbmSHf2Kj9DF8heJQNJWqC8SbdWmBzyxQ9cbTnC3xN7vo1PQgfXZ9xEkI
+BZhF4YCen2vbpKuUPRbVXEnOPlehwAAeHLeqm0Au4GIF367rULi6/WR1L1ohFAc/
+/55byXoSJX3tvLK3QE546yC1VzGubt0Mb2lHeYlEuuNF+QKxIjSkHg5qoyk40JvB
+greij5TBcXSGAYNzTwfm5CgxZmmtcoSSGUR/Gcg7wDSc/FDa2hJ4Aczh5Yn6b2h4
+A4dgR7u3tu1z0CVJsPbV70nrjbLK4F/PMiPouyG4STowiCOfz2G+pjsZpqIGENPp
+9xkUUt+T4bu4s+0TulLmcZ/evMsYrGVvqBRAf+joJZM9h6/RSOq9y2QHZCTBC0Kd
+njxISJ3T/AEA7lWKHt1xE8rdhSKoJeBBUTRLRCVCGivY8YdToT0/sbJvGwARAQAB
+tBdTUElSRS1FWEFNUExFUyBQYWNrYWdlc4kCUgQTAQgAPBYhBOCDvv82eL8HHATG
+AdNMNfirI2ZFBQJnn41SAhsDBQsJCAcCAyICAQYVCgkICwIEFgIDAQIeBwIXgAAK
+CRDTTDX4qyNmRUh6D/43aSnn5beKm26L/rHxMV+rwGu4i7lwSY6jNXvaZueuGpBt
+IUiZbD4JFLHO2mCNvq3gbCVlOCT19qBFotQeJBbIXpK0ChMhupXrQQKOSj1qMbIb
+lX5c7LPRb08SmMKXsC2pgy8FvdtZb3VVn94UgU4mP13EWcMAztOXAXd9C+QjhsI4
+rvv+m1CKnL16/wFpy+gdIJK6K4r7O5UVyM+rOhQArswbfLdOGMxspsR7OLzqghJ4
+9IHWHAB+nNsXDgc2yb4OQi80zMf4n5iSuyu4hUTOBwScWamiFyOfvbVKFDwmNUCd
+QlO0wwsh7xflXSpi9nHNrCfKWkt7xyKt49gkz905NNaKZBeBtwR6FZ8rN4dDSSbU
+ybxamRLLD61WuEGGvCFwkUEUtCAPRYKLDaHnJGK7FNHwhfvyL4D4puWOkIeZYmqS
+UbuScNvnRGuYm/ursT6Wh2SkvN/j8oYjf8IP2VUkglbPMeW+gfa1pNrwtg3Ig4Yp
+Y+0JwCW5b4ZubupdReTG0uixWWxsTyasnutC0vIY99nto/A+RY2evlbwdwATMDce
+sdNVPh3IWOsGO1pd83xJyU8aIU+BiVJZ4lgCHIBO1mKmAyjjmWG6XhhqErkcR2A/
+gTwtQe0NuVeA8TYWigQ3gfHXfvVPL/7I45InDuUSHa+Dqa1sldjkEQSEMNMhSbkC
+DQRnn41SARAA1uHjcC8y+45h8HV6OHugHbRYKkVUXfROBUpCyQ6JQw0cj7sSdRXY
+XGW6Gk485v/PCKm2KdGleNCZAi/nrFnUcqO8enu3jU5fb0A/4PbmfTco08LuP6iw
+6dxoSKmALj15sVLw+4rPz3QmdS9op/WimDQ84UTJwCZMUV9knCudhAM4tuVrDfxn
+f8OjstOqkjGCY2jaey2hVKu7lUCBQ1r03kLqvPd99my4B+StcnTFmZTR3bNFUsGz
+dbHJzStj+fa1omu2Lqh8DCfvAyvHnM43v0s0+FMph9hhgK189bMwUX96QfH3/hr1
+07/G8s5PSxaoIQxMNwlIMwFVS683earb0l5DLbWbUFK9/HKrssurwITCbWAPh5z2
+wju0VewGXYgAX6+qr4xLUCB/R058Z9px5p4V/+yBWmQzhFgCaORnU1B3R+tapUcD
+LhC8khM7sHRL40pToOqPCjPg8YiD16sppeZts2ndLbAatSLtFtgHzYH9+C4GWatM
+SYpzmvqNBPYTfq8tVjTWi/R74GgfFHAAguSQyFnG/JhAeVyMWUb0QiYo/ihjjjGZ
+u5DxTkd3MgYuy8XRJ4RY1Mw4U4A2z1zTvn3MS/97d0VheJXdDRBts9RpZa7EGmsA
+KezlkJ001qCZRn46E4V8u4O6PehgcemClvYpCJjWBt95avAgcheZV8EAEQEAAYkC
+NgQYAQgAIBYhBOCDvv82eL8HHATGAdNMNfirI2ZFBQJnn41SAhsMAAoJENNMNfir
+I2ZFVFgP/1wc9HbFGfDY9xXIWlZ+Xp02llgJuv3EEvXRV+bsr7baylGzpnzyT+/x
+/WAxW+RFp6NiSqxg3QX7NKSDuxYwMcwJO0Gek9k5JmUW2m4f0JGjZUuX+EBG8nlr
+YT+ZpObb/pqidbNS0rFR7Nltfs0wM+/a583T/1Iy+7C2DNgP64lProI6ugEVVEhy
+SpqTLrm1mGq3cC6Nrd0pO572QiR7IVmaW0LwzWSscHL2c+wyE1ebutxX3uiopy7U
+swqww40YphYprZXDYF94mnVUrRBVTeytQ7RvS1MFZkkhYP5I3IKMt1nCaDL6IPAu
+alh+CUpQYCjjVPJGBIT+fnLvyiJpHk4xKwVBpN4l4i+rzzWfavEitEQTQPao8h11
+ftwgfkqAwhfVqgQLJXeZcST6OoMI8N8TTX1NPepbQPrmiLv1Trs44KtwpW9X4amu
+neYNfZjfU7Q0WM64yXKKvZAC2hQOXgkyufe6iQ/rNHsXMwq98f/Q7XElCt1OYS4x
+TxwtxbI6AoQm/JxhsI99hA+s/YCWTvwMplqNGDEF9t7DGPv+27qnN4L79miST3lv
+kwXmlnDER7rjJRv7bP5x+80/ZGybyzfMCOluE0SAXQbYoXTYISr430YVI2yQ1/47
+1402Cky2VgHj+fmI1lHqsz/xLESk5gUG4AKTr0HBPd6AOQ7dGW0u
+=mnaT
+-----END PGP PUBLIC KEY BLOCK-----

examples/rpms/rpmmacros

@@ -0,0 +1,3 @@
+%_signature gpg
+%_gpg_name SPIRE-EXAMPLES Packages
+%_gpgbin /usr/bin/gpg

examples/rpms/spiffe-helper.spec

@@ -21,13 +21,14 @@
 
 Summary:    SPIFFE Helper
 Name:       spiffe-helper
-Version:    0.9.0
+Version:    0.10.0
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
-#FIXME grab binaries once they are available
+Source0:    https://github.com/spiffe/spiffe-helper/releases/download/v%{version}/spiffe-helper_v%{version}_Linux-%{ARCH}.tar.gz
-Source0:    https://github.com/spiffe/spiffe-helper/archive/refs/tags/v%{version}.tar.gz
+
+%global __strip /bin/true
 
 %description
 SPIFFE Helper
@@ -40,12 +41,10 @@ SPIFFE Helper
 %setup -c
 
 %build
-cd spiffe-helper-%{version}
-make
 
 %install
 mkdir -p %{buildroot}/usr/bin
-cp spiffe-helper-%{version}/spiffe-helper %{buildroot}/usr/bin
+cp spiffe-helper %{buildroot}/usr/bin
 
 %clean
 rm -rf %{buildroot}

examples/rpms/spiffe-step-ssh.spec

@@ -21,7 +21,7 @@
 
 Summary:    SPIFFE Step SSH
 Name:       spiffe-step-ssh
-Version:    0.0.5
+Version:    0.0.9
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
@@ -30,9 +30,18 @@ Source0:    https://github.com/spiffe/spiffe-step-ssh/archive/refs/tags/v%{versi
 Requires:   step-cli
 Requires:   spiffe-helper
 
+%global __strip /bin/true
+
 %description
 SPIFFE Step SSH
 
+%package -n spiffe-step-ssh-server
+Summary: SPIFFE Step SSH Server
+Requires: step-ca
+Requires: spiffe-helper
+%description -n spiffe-step-ssh-server
+SPIFFE Step SSH Server
+
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}
 
@@ -45,6 +54,7 @@ SPIFFE Step SSH
 %install
 cd spiffe-step-ssh-%{version}
 make install DESTDIR="%{buildroot}"
+make install-server DESTDIR="%{buildroot}"
 
 %clean
 rm -rf %{buildroot}
@@ -55,3 +65,14 @@ rm -rf %{buildroot}
 /usr/lib/systemd/system/spiffe-step-ssh@.service
 /usr/lib/systemd/system/spiffe-step-ssh-cleanup.service
 %config(noreplace) /etc/spiffe/step-ssh
+
+%files -n spiffe-step-ssh-server
+/usr/lib/systemd/system/spiffe-step-ssh-server@.service
+/usr/lib/systemd/system/spiffe-step-ssh-fetchca@.service
+/usr/libexec/spiffe/step-ssh-server/main
+/usr/libexec/spiffe/step-ssh-server/ssh_x5c.tpl
+/usr/libexec/spiffe/step-ssh-server/nginx-fetchca.conf
+/usr/libexec/spiffe/step-ssh-server/helper-fetchca.conf
+/usr/sbin/setup-spiffe-step-ssh-server
+/usr/sbin/spiffe-step-ssh-get-cert-authority
+%config(noreplace) /etc/spiffe/step-ssh-server

examples/rpms/spire-agent-nodeattestor-tpmdirect.spec

@@ -21,16 +21,18 @@
 
 Summary:    SPIRE Agent Node Attestor TPM Direct
 Name:       spire-agent-nodeattestor-tpmdirect
-Version:    1.8.7
+Version:    1.9.0
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
-Source0:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_agent_linux_%{ARCH}_v%{version}.tar.gz
+Source0:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_agent_linux_%{ARCH}_v%{version}.tar.gz
-Source1:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_get_tpm_pubhash_linux_%{ARCH}_v%{version}.tar.gz
+Source1:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_get_tpm_pubhash_linux_%{ARCH}_v%{version}.tar.gz
+
+%global __strip /bin/true
 
 %description
-K8s SPIFFE Workload JWT Exec Auth Plugin
+SPIRE Agent Node Attestor TPM Direct
 
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}

examples/rpms/spire-controller-manager.spec

@@ -0,0 +1,74 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)
+
+Summary:    SPIRE Controller Manager
+Name:       spire-controller-manager
+Version:    0.6.2
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Requires:   spire-common
+#FIXME Switch to binaries once released
+Source0:    https://github.com/spiffe/spire-controller-manager/archive/refs/tags/v%{version}.tar.gz
+Source1:    spire-extras-systemd.tar.gz
+
+%global __strip /bin/true
+
+%description
+SPIRE Controller Manager
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup
+%setup -T -D -a 1
+
+%build
+curl -L -o go.tar.gz https://go.dev/dl/go1.24.2.linux-%{ARCH}.tar.gz
+tar -xvf go.tar.gz
+export PATH=$PATH:$(pwd)/go/bin
+export CGO_ENABLED=0
+go build -o spire-controller-manager cmd/main.go
+
+%install
+mkdir -p %{buildroot}/usr/bin
+cp spire-controller-manager %{buildroot}/usr/bin
+cd systemd
+make install DESTDIR="%{buildroot}"
+rm -f "%{buildroot}/etc/spiffe/default-trust-domain.env"
+rm -f "%{buildroot}/etc/spire/agent/default".*
+rm -f "%{buildroot}/etc/spire/server/default".*
+rm -f "%{buildroot}/usr/lib/systemd/system/spire-agent"*
+rm -f "%{buildroot}/usr/lib/systemd/system/spire-server"*
+rm -f "%{buildroot}/usr/lib/systemd/system/spire.target"
+rm -f "%{buildroot}/usr/libexec/spire/server/start.sh"
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/lib/systemd/system/spire-controller-manager@.service
+/usr/bin/spire-controller-manager
+/usr/libexec/spire/controller-manager/start.sh
+%config(noreplace) /etc/spire/controller-manager/default.conf

examples/rpms/spire-credentialcomposer-cel.spec

@@ -0,0 +1,53 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
+
+Summary:    SPIRE Credential Composer CEL
+Name:       spire-credentialcomposer-cel
+Version:    0.0.2
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Source0:    https://github.com/spiffe/spire-credentialcomposer-cel/releases/download/v%{version}/spire-credentialcomposer-cel_Linux_%{ARCH}.tar.gz
+
+%global __strip /bin/true
+
+%description
+SPIRE Credential Composer CEL
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup -c
+
+%build
+
+%install
+mkdir -p "%{buildroot}/usr/libexec/spire/plugins"
+cp -a spire-credentialcomposer-cel %{buildroot}/usr/libexec/spire/plugins/credentialcomposer-cel
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/libexec/spire/plugins/credentialcomposer-cel

examples/rpms/spire-examples.repo

@@ -0,0 +1,5 @@
+[spire-examples]
+name=spire-examples rpms
+baseurl=https://spiffe.github.io/spire-examples/RPMS/$basearch/el$releasever
+enabled=1
+gpgcheck=0

examples/rpms/spire-ha-agent.spec

@@ -21,7 +21,7 @@
 
 Summary:    SPIRE HA Agent
 Name:       spire-ha-agent
-Version:    0.0.11
+Version:    0.0.13
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
@@ -29,6 +29,8 @@ URL:        https://spiffe.io
 Source0:    https://github.com/spiffe/spire-ha-agent/releases/download/v%{version}/spire-ha-agent_Linux_%{ARCH}.tar.gz
 Source1:    https://github.com/spiffe/spire-ha-agent/releases/download/v%{version}/spire-trust-sync-helper_Linux_%{ARCH}.tar.gz
 
+%global __strip /bin/true
+
 %description
 SPIRE HA Agent
 

examples/rpms/spire-server-attestor-tpm.spec

@@ -0,0 +1,101 @@
+##############################################################################
+#
+# To you, dear reader:
+#
+# If you are a normal user, we recommend not reading further. Its probably not
+# the file your looking for.
+#
+# If you are looking at using this file as a base for your own work, please
+# don't. It is a horrible example. Please look elsewhere.
+#
+# If you are a package maintainer, please read on. We recognize this spec file
+# is blasphemous, a terrible abomination, a crime against nature, and more. We
+# regret needing to produce it, but had to in order to attract enough users to
+# find you. We beseech thee, kind and generous package maintainer, please help
+# us mend our wicked ways by joining us and help us produce proper packaging.
+# You are our only hope.
+#
+##############################################################################
+
+%define ARCH %(echo %{_arch} | sed s/aarch64/arm64/)
+
+Summary:    SPIRE Server Attestor TPM Sign
+Name:       spire-server-attestor-tpm-sign
+Version:    0.0.4
+Release:    1
+Group:      Applications/Internet
+License:    Apache-2.0
+URL:        https://spiffe.io
+Source0:    https://github.com/spiffe/spire-server-attestor-tpm/releases/download/v%{version}/spire-server-attestor-tpm-sign_Linux_%{ARCH}.tar.gz
+Source1:    https://github.com/spiffe/spire-server-attestor-tpm/releases/download/v%{version}/spire-server-attestor-tpm-signer-http_Linux_%{ARCH}.tar.gz
+Source2:    https://github.com/spiffe/spire-server-attestor-tpm/releases/download/v%{version}/spire-server-attestor-tpm-signer-unix_Linux_%{ARCH}.tar.gz
+Source3:    https://github.com/spiffe/spire-server-attestor-tpm/releases/download/v%{version}/spire-server-attestor-tpm-verifier_Linux_%{ARCH}.tar.gz
+
+%global __strip /bin/true
+
+%description
+SPIRE Server Attestor TPM Sign
+
+%package -n spire-server-attestor-tpm-signer-http
+Summary: SPIRE Server Attestor TPM Signer HTTP service
+Requires: spire-server-attestor-tpm-signer-unix
+%description -n spire-server-attestor-tpm-signer-http
+SPIRE Server Attestor TPM Signer HTTP service
+
+%package -n spire-server-attestor-tpm-signer-unix
+Summary: SPIRE Server Attestor TPM Signer Unix service
+%description -n spire-server-attestor-tpm-signer-unix
+SPIRE Server Attestor TPM Signer Unix service
+
+%package -n spire-server-attestor-tpm-verifier
+Summary: SPIRE Server Attestor TPM Verifier service
+%description -n spire-server-attestor-tpm-verifier
+SPIRE Server Attestor TPM Verifier service
+
+%global _missing_build_ids_terminate_build 0
+%global debug_package %{nil}
+
+%prep
+
+%setup -c
+%setup -T -D -a 1
+%setup -T -D -a 2
+%setup -T -D -a 3
+
+%build
+
+%install
+mkdir -p %{buildroot}/usr/bin
+mkdir -p %{buildroot}/usr/lib/systemd/system
+mkdir -p %{buildroot}/etc/spire/server-attestor-tpm
+cp -a spire-server-attestor-tpm-sign %{buildroot}/usr/bin
+cp -a spire-server-attestor-tpm-signer-http %{buildroot}/usr/bin
+cp -a spire-server-attestor-tpm-signer-unix %{buildroot}/usr/bin
+cp -a spire-server-attestor-tpm-verifier %{buildroot}/usr/bin
+cp -a systemd/spire-server-attestor-tpm-signer-http.service %{buildroot}/usr/lib/systemd/system
+cp -a systemd/spire-server-attestor-tpm-signer-unix.service %{buildroot}/usr/lib/systemd/system
+cp -a systemd/spire-server-attestor-tpm-verifier.service %{buildroot}/usr/lib/systemd/system
+cp -a conf/signer-http.conf %{buildroot}/etc/spire/server-attestor-tpm/
+cp -a conf/signer-unix.conf %{buildroot}/etc/spire/server-attestor-tpm/
+cp -a conf/verifier.conf %{buildroot}/etc/spire/server-attestor-tpm/
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/usr/bin/spire-server-attestor-tpm-sign
+
+%files -n spire-server-attestor-tpm-signer-http
+/usr/bin/spire-server-attestor-tpm-signer-http
+/usr/lib/systemd/system/spire-server-attestor-tpm-signer-http.service
+%config(noreplace) /etc/spire/server-attestor-tpm/signer-http.conf
+
+%files -n spire-server-attestor-tpm-signer-unix
+/usr/bin/spire-server-attestor-tpm-signer-unix
+/usr/lib/systemd/system/spire-server-attestor-tpm-signer-unix.service
+%config(noreplace) /etc/spire/server-attestor-tpm/signer-unix.conf
+
+%files -n spire-server-attestor-tpm-verifier
+/usr/bin/spire-server-attestor-tpm-verifier
+/usr/lib/systemd/system/spire-server-attestor-tpm-verifier.service
+%config(noreplace) /etc/spire/server-attestor-tpm/verifier.conf

examples/rpms/spire-server-nodeattestor-tpmdirect.spec

@@ -21,15 +21,17 @@
 
 Summary:    SPIRE Server Node Attestor TPM Direct
 Name:       spire-server-nodeattestor-tpmdirect
-Version:    1.8.7
+Version:    1.9.0
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
-Source0:    https://github.com/boxboat/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_server_linux_%{ARCH}_v%{version}.tar.gz
+Source0:    https://github.com/spiffe/spire-tpm-plugin/releases/download/v%{version}/spire_tpm_plugin_tpm_attestor_server_linux_%{ARCH}_v%{version}.tar.gz
+
+%global __strip /bin/true
 
 %description
-K8s SPIFFE Workload JWT Exec Auth Plugin
+SPIRE Server Node Attestor TPM Direct
 
 %global _missing_build_ids_terminate_build 0
 %global debug_package %{nil}

examples/rpms/spire.spec

@@ -21,13 +21,16 @@
 
 Summary:    SPIRE components
 Name:       spire-common
-Version:    1.11.1
+Version:    1.12.4
 Release:    1
 Group:      Applications/Internet
 License:    Apache-2.0
 URL:        https://spiffe.io
 Source0:    https://github.com/spiffe/spire/releases/download/v%{version}/spire-%{version}-linux-%{ARCH}-musl.tar.gz
 Source1:    https://github.com/spiffe/spire/releases/download/v%{version}/spire-extras-%{version}-linux-%{ARCH}-musl.tar.gz
+Source2:    spire-extras-systemd.tar.gz
+
+%global __strip /bin/true
 
 %description
 SPIRE Common
@@ -79,6 +82,7 @@ SPIFFE OIDC Discovery Provider
 
 %setup -c
 %setup -T -D -a 1
+%setup -T -D -a 2
 
 %build
 
@@ -87,10 +91,11 @@ SPIFFE OIDC Discovery Provider
 mkdir -p "%{buildroot}/bin"
 cp "spire-%{version}"/bin/* "%{buildroot}/bin"
 cp "spire-extras-%{version}"/bin/oidc-discovery-provider "%{buildroot}/bin/spiffe-oidc-discovery-provider"
-git clone https://github.com/spiffe/spire-examples
+cd systemd
-cd spire-examples
-cd examples/systemd
 make install DESTDIR="%{buildroot}"
+rm -f "%{buildroot}/etc/spire/controller-manager/default.conf"
+rm -f "%{buildroot}/usr/lib/systemd/system/spire-controller-manager@.service"
+rm -f "%{buildroot}/usr/libexec/spire/controller-manager/start.sh"
 
 %clean
 rm -rf %{buildroot}
@@ -102,7 +107,9 @@ rm -rf %{buildroot}
 %files -n spire-server
 /usr/lib/systemd/system/spire-server@.service
 /bin/spire-server
+/usr/libexec/spire/server/start.sh
 %config(noreplace) /etc/spire/server/default.conf
+%config(noreplace) /etc/spire/server/default.env
 
 %files -n spire-agent
 /usr/lib/systemd/system/spire-agent@.service

examples/systemd/Makefile

@@ -4,7 +4,13 @@ default:
 
 install:
 	mkdir -p $(DESTDIR)/usr/lib/systemd/system/
+	mkdir -p $(DESTDIR)/usr/libexec/spire/server/
+	mkdir -p $(DESTDIR)/usr/libexec/spire/controller-manager/
+	install scripts/server/start.sh $(DESTDIR)/usr/libexec/spire/server/
+	install scripts/controller-manager/start.sh $(DESTDIR)/usr/libexec/spire/controller-manager/
 	install system/* $(DESTDIR)/usr/lib/systemd/system/
 	([ ! -f $(DESTDIR)/etc/spire/agent/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/agent && install conf/agent/default.conf $(DESTDIR)/etc/spire/agent/default.conf) || true
 	([ ! -f $(DESTDIR)/etc/spire/server/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.conf $(DESTDIR)/etc/spire/server/default.conf) || true
+	([ ! -f $(DESTDIR)/etc/spire/server/default.env ] && mkdir -p $(DESTDIR)/etc/spire/server && install conf/server/default.env $(DESTDIR)/etc/spire/server/default.env) || true
+	([ ! -f $(DESTDIR)/etc/spire/controller-manager/default.conf ] && mkdir -p $(DESTDIR)/etc/spire/controller-manager && install conf/controller-manager/default.conf $(DESTDIR)/etc/spire/controller-manager/default.conf) || true
 	([ ! -f $(DESTDIR)/etc/spiffe/default-trust-domain.env ] && mkdir -p $(DESTDIR)/etc/spiffe && install conf/spiffe/default-trust-domain.env $(DESTDIR)/etc/spiffe/default-trust-domain.env) || true

examples/systemd/conf/controller-manager/default.conf

@@ -0,0 +1,16 @@
+apiVersion: spire.spiffe.io/v1alpha1
+kind: ControllerManagerConfig
+metadata:
+  name: config
+metrics:
+  bindAddress: 0.0.0.0:9123
+health:
+  healthProbeBindAddress: 0.0.0.0:9124
+trustDomain: "${SPIFFE_TRUST_DOMAIN}"
+entryIDPrefix: "scm-${INSTANCE}"
+clusterName: "scm-${INSTANCE}"
+clusterDomain: local
+watchClassless: true
+spireServerSocketPath: "/var/run/spire/server/sockets/${SYSTEMD_INSTANCE}/private/api.sock"
+staticManifestPath: "/etc/spire/server/${SYSTEMD_INSTANCE}/manifests"
+logLevel: info

examples/systemd/conf/server/default.conf

@@ -1,9 +1,9 @@
 server {
-    bind_address = "0.0.0.0"
+    bind_address = "${SPIRE_BIND_ADDRESS}"
-    bind_port = "8081"
+    bind_port = "${SPIRE_BIND_PORT}"
     trust_domain = "${SPIFFE_TRUST_DOMAIN}"
     jwt_issuer = "https://oidc-discovery-provider.${SPIFFE_TRUST_DOMAIN}"
-    log_level = "DEBUG"
+    log_level = "${SPIRE_LOG_LEVEL}"
     ca_ttl = "168h"
     default_x509_svid_ttl = "48h"
 }

examples/systemd/conf/server/default.env

@@ -0,0 +1,3 @@
+SPIRE_BIND_ADDRESS=0.0.0.0
+SPIRE_BIND_PORT=8081
+SPIRE_LOG_LEVEL=DEBUG

examples/systemd/scripts/controller-manager/start.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Set default variables
+export INSTANCE="${INSTANCE:-${SYSTEMD_INSTANCE}}"
+export SCM_CLASSNAME="${SCM_CLASSNAME:-scm-${SYSTEMD_INSTANCE}}"
+export SCM_ENTRYID_PREFIX="${SCM_ENTRYID_PREFIX:-${SCM_CLASSNAME}}"
+export SCM_CLUSTERNAME="${SCM_CLUSTERNAME:-${SCM_CLASSNAME}}"
+
+mkdir -p "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}"
+
+if [ -f "/etc/spire/controller-manager/${SYSTEMD_INSTANCE}.conf" ]; then
+	cp -a "/etc/spire/controller-manager/${SYSTEMD_INSTANCE}.conf" "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config"
+else
+	cp -a /etc/spire/controller-manager/default.conf "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config"
+fi
+
+/bin/spire-controller-manager -config "/var/lib/spire/controller-manager/${SYSTEMD_INSTANCE}/config" -expand-env

examples/systemd/scripts/server/start.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Set default variables
+export INSTANCE="${INSTANCE:-${SYSTEMD_INSTANCE}}"
+
+mkdir -p "/var/lib/spire/server/${SYSTEMD_INSTANCE}" "/run/spire/server/${SYSTEMD_INSTANCE}/private" "/etc/spire/server/${SYSTEMD_INSTANCE}/tpm-direct/certs" "/etc/spire/server/${SYSTEMD_INSTANCE}/tpm-direct/hashes"
+
+if [ -f "/etc/spire/server/${SYSTEMD_INSTANCE}/config" ]; then
+	cp -a "/etc/spire/server/${SYSTEMD_INSTANCE}/config" "/var/lib/spire/server/${SYSTEMD_INSTANCE}/config"
+else
+	if [ -f "/etc/spire/server/${SYSTEMD_INSTANCE}.conf" ]; then
+		cp -a "/etc/spire/server/${SYSTEMD_INSTANCE}.conf" "/var/lib/spire/server/${SYSTEMD_INSTANCE}/config"
+	else
+		cp -a "/etc/spire/server/default.conf" "/var/lib/spire/server/${SYSTEMD_INSTANCE}/config"
+	fi
+fi
+
+/bin/spire-server run -config "/var/lib/spire/server/${SYSTEMD_INSTANCE}/config" -dataDir "/var/lib/spire/server/${SYSTEMD_INSTANCE}" -socketPath "/run/spire/server/sockets/${SYSTEMD_INSTANCE}/private/api.sock" -expandEnv

examples/systemd/system/spire-controller-manager@.service

@@ -0,0 +1,47 @@
+[Unit]
+Description=SPIRE Controller Manager Daemon %i
+PartOf=spire-server.target
+After=network-online.target local-fs.target time-sync.target
+Before=remote-fs-pre.target
+Wants=network-online.target local-fs.target time-sync.target remote-fs-pre.target spire-server.target
+StartLimitIntervalSec=0
+
+[Service]
+WorkingDirectory=/var/lib/spire/controller-manager/%i
+StateDirectory=spire/controller-manager/%i
+RuntimeDirectory=spire/controller-manager/sockets/%i
+RuntimeDirectoryPreserve=true
+ConfigurationDirectory=spire/controller-manager
+EnvironmentFile=-/etc/spiffe/default-trust-domain.env
+EnvironmentFile=-/etc/spiffe/server/default.env
+EnvironmentFile=-/etc/spire/server/%i.env
+EnvironmentFile=-/etc/spire/server/%i/env
+EnvironmentFile=-/etc/spire/controller-manager/%i.env
+EnvironmentFile=-/etc/spire/server/%i/controller-manager.env
+Environment=SYSTEMD_INSTANCE=%i
+ExecStart=/usr/libexec/spire/controller-manager/start.sh
+# https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=false
+# Needed by plugins
+PrivateTmp=false
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadOnlyPaths=/
+Restart=always
+RestartSec=5s
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+TasksMax=infinity
+
+[Install]
+WantedBy=spire-server.target

examples/systemd/system/spire-server@.service

@@ -12,11 +12,11 @@ RuntimeDirectory=spire/server/sockets/%i
 RuntimeDirectoryPreserve=true
 ConfigurationDirectory=spire/server
 EnvironmentFile=-/etc/spiffe/default-trust-domain.env
+EnvironmentFile=-/etc/spire/server/default.env
 EnvironmentFile=-/etc/spire/server/%i.env
-Environment=INSTANCE=%i
+EnvironmentFile=-/etc/spire/server/%i/env
-ExecStart=/bin/spire-server run -config /var/lib/spire/server/%i/config -dataDir /var/lib/spire/server/%i -socketPath /run/spire/server/sockets/%i/private/api.sock -expandEnv
+Environment=SYSTEMD_INSTANCE=%i
-ExecStartPre=mkdir -p /var/lib/spire/server/%i /run/spire/server/%i/private /etc/spire/server/%i/tpm-direct/hashes
+ExecStart=/usr/libexec/spire/server/start.sh
-ExecStartPre=/bin/bash -c "if [ -f /etc/spire/server/%i.conf ]; then cp -a /etc/spire/server/%i.conf /var/lib/spire/server/%i/config; else cp -a /etc/spire/server/default.conf /var/lib/spire/server/%i/config; fi"
 # https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
 LockPersonality=true
 MemoryDenyWriteExecute=true