{"id":"12204a5d-7d52-4eee-bc65-3f7ce622e99f","task":"Implement SPIRE Workload API attestation to deliver SVIDs to workloads automatically","domain":"spiffe.io","steps":["Ensure the SPIRE agent is running on the workload's host and the Workload API socket (default: /tmp/spire-agent/public/api.sock) is accessible to the workload process","Use the SPIFFE/SPIRE go-spiffe library (or the equivalent for your language) to connect to the Workload API socket and call FetchX509SVIDContext or the streaming watcher interface","The agent attests the workload by inspecting its process attributes (PID, UID, Kubernetes labels, etc.) and matching them against registered entries; no credential is needed from the workload itself","Implement a watcher (via the go-spiffe X509Source or BundleSource) that automatically receives updated SVIDs before expiry — do not poll; use the streaming gRPC API","Use the received X.509-SVID and trust bundle to configure a TLS listener or dialer for mTLS connections; the go-spiffe library provides helper functions to build tls.Config","Test attestation by running the workload under the selector conditions (correct namespace, service account, UID) and confirming SVIDs are delivered; test failure cases with incorrect selectors"],"gotchas":["The Workload API socket must not be world-writable; protect it with filesystem permissions so only authorized workload processes can connect","Workload attestation is re-evaluated on each SVID renewal; if the workload's process attributes change (e.g., pod restart with different service account), attestation may fail — ensure registration entries stay current","Short SVID TTLs (e.g., minutes) mean the watcher pattern is essential; applications that cache SVIDs without renewal will fail when the certificate expires"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample"},"url":"https://mcp.waymark.network/r/12204a5d-7d52-4eee-bc65-3f7ce622e99f"}