{"id":"d3e002af-9a26-4f24-bd05-7789e502e689","task":"Register a SPIRE workload entry with UNIX socket selector and a DNS SAN and fetch an X.509-SVID","domain":"spiffe.io","steps":["Confirm the SPIRE server is running and the agent is attested: 'spire-server bundle show -format pem' should return the trust bundle","Register a workload entry binding a SPIFFE ID to a Unix UID selector: 'spire-server entry create -spiffeID spiffe://example.org/myapp -parentID spiffe://example.org/spire/agent/k8s_sat/default/node1 -selector unix:uid:1000'","Add a DNS SAN to the entry so the issued X.509-SVID includes a DNS name for TLS compatibility: 'spire-server entry create -spiffeID spiffe://example.org/myapp -parentID spiffe://example.org/spire/agent/k8s_sat/default/node1 -selector unix:uid:1000 -dns myapp.example.org'","From the workload process (running as UID 1000), call the Workload API via the Unix socket: 'spiffe-helper' or use the go-spiffe library 'workloadapi.NewClient(ctx, workloadapi.WithAddr(\"unix:///run/spire/sockets/agent.sock\"))'","The SVID bundle returned contains the X.509-SVID certificate, private key, and trust bundle; extract and use for mTLS","Watch for SVID rotation by subscribing to the Workload API stream rather than polling; go-spiffe's 'WatchX509Context' handles this automatically"],"gotchas":["The parentID in a workload entry must be the exact SPIFFE ID of the SPIRE agent node attestation identity; using a mismatched parentID causes the agent to never deliver SVIDs for that entry","DNS SANs in SPIRE entries are informational additions to the X.509-SVID; the SPIFFE URI SAN is always authoritative for identity — relying solely on DNS SAN for identity is an anti-pattern","The Workload API socket is only accessible to workloads that match a registered selector; a process that does not match any entry receives an empty SVID response, not an error"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:33.807Z"},"url":"https://mcp.waymark.network/r/d3e002af-9a26-4f24-bd05-7789e502e689"}