When working with the go-spiffe library, one common question developers face is how to properly manage SPIFFE sources. Specifically, should you create a new source for each request, or can you maintain a long-living source? Let’s dive into how source management works in go-spiffe and explore best practices for your applications.

The Lifecycle of a SPIFFE Source

A SPIFFE source, created using workloadapi.NewX509Source(), is designed to be a long-living component in your application. When you create a source, several important things happen behind the scenes:

  1. The source establishes a streaming connection to the Workload API
  2. It automatically receives and caches X.509-SVID updates
  3. It maintains the connection and handles credential rotation

Best Practices for Source Management

Here’s how you should typically set up a source in your application:

ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
defer cancel()

source, err := workloadapi.NewX509Source(ctx)
if err != nil {
    log.Fatal(err)
}
defer source.Close()

// Use the source throughout your application's lifetime

Do’s:

  • Create the source once during application startup
  • Reuse the same source throughout your application’s lifetime
  • Close the source when shutting down your application
  • Handle errors appropriately during source creation

Don’ts:

  • Don’t create and close sources for each request
  • Avoid creating multiple unnecessary sources
  • Don’t ignore source cleanup on application shutdown

Why Long-Living Sources Matter

The streaming connection maintained by the source ensures that your application always has valid credentials. The library handles all the complexity of:

  • Certificate rotation
  • Trust bundle updates
  • Connection maintenance
  • Automatic retry on failures

This means you don’t need to worry about manually refreshing credentials or managing trust material updates. The library takes care of all of this for you.

Common Pitfalls

One common mistake is creating a new source for each request. This is inefficient and can lead to:

  • Unnecessary connection overhead
  • Increased latency in your applications
  • Higher resource utilization
  • Potential rate limiting from the Workload API

Conclusion

Understanding how to properly manage SPIFFE sources is crucial for building reliable applications with go-spiffe. By following these best practices, you can ensure your application handles identity and authentication efficiently and securely.

Remember: create your source once, use it throughout your application’s lifetime, and let go-spiffe handle the complex task of managing your identity credentials.

Note: This post assumes familiarity with basic SPIFFE concepts and the go-spiffe library. For more information about SPIFFE and go-spiffe, visit the official documentation.