spire-tutorials/nested-spire/scripts/create-workload-registration-entries.sh

#!/bin/bash

set -e

norm=$(tput sgr0) || true
green=$(tput setaf 2) || true
red=$(tput setaf 1) || true
bold=$(tput bold) || true

timestamp() {
    date -u "+[%Y-%m-%dT%H:%M:%SZ]"
}

log() {
    echo "${bold}$(timestamp) $*${norm}"
}

fingerprint() {
	# calculate the SHA1 digest of the DER bytes of the certificate using the
	# "coreutils" output format (`-r`) to provide uniform output from
	# `openssl sha1` on macOS and linux.
	openssl x509 -in "$1" -outform DER | openssl sha1 -r | awk '{print $1}'
}

check-entry-is-propagated() {
  # Check at most 30 times that the agent has successfully synced down the workload entry.
  # Wait one second between checks.
  log "Checking registration entry is propagated..."
  for ((i=1;i<=30;i++)); do
      if docker-compose logs $1 | grep -qe "$2"; then
          log "${green}Entry is propagated.${nn}"
          return 0
      fi
      sleep 1
  done

  log "${red}timed out waiting for the entry to be progagated to the agent${red}"
  exit 1
}


# Workload for nestedA deployment
log "creating nestedA workload registration entry..."
docker-compose exec -T nestedA-server \
    /opt/spire/bin/spire-server entry create \
    -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint nestedA/agent/agent.crt.pem)" \
    -spiffeID "spiffe://example.org/nestedA/workload" \
    -selector "unix:uid:1001" \
    -ttl 0

check-entry-is-propagated nestedA-agent spiffe://example.org/nestedA/workload


# Workload for nestedB deployment
log "creating nestedB workload registration entry..."
docker-compose exec -T nestedB-server \
    /opt/spire/bin/spire-server entry create \
    -parentID "spiffe://example.org/spire/agent/x509pop/$(fingerprint nestedB/agent/agent.crt.pem)" \
    -spiffeID "spiffe://example.org/nestedB/workload" \
    -selector "unix:uid:1001" \
    -ttl 0

check-entry-is-propagated nestedB-agent spiffe://example.org/nestedB/workload