To regenerate the agent CSR to use x509 to join the spire server
openssl ecparam -name prime256v1 -param_enc named_curve -genkey -noout -out agent.keyopenssl req -new -nodes -key agent.key -config ./csrconfig.txt -nameopt utf8 -utf8 -out agent.csropenssl ca -config csr-caconfig.txt -cert server.fs.com.crt -keyfile server.fs.com.key -out agent.crt -infiles agent.csrOR
openssl req -x509 -nodes -in agent.csr -days 365 -key server.fs.com.key -config csrconfig.txt -extensions req_ext -nameopt utf8 -utf8 -out agent.crtModify the csrconfig.txt to change any attributes for the CSR generation
the Unix Domain Sockets have inconsistent permissions, the workload API looks to be 777, but the admin apis are not and may need to be modified to 777 once the containers are running
sudo chmod 777 /tmp/spire-agent-private/admin_api.sock
sudo chmod 777 /tmp/spire-server-private/api.sockdocker compose exec -u 501 -T spire-server bin/spire-server agent list -socketPath /run/spire/server/private/api.sockdocker compose exec -u 501 -T spire-server bin/spire-server entry show -socketPath /run/spire/server/private/api.sockdocker compose exec -u 501 -T spire-server bin/spire-server entry create -spiffeID spiffe://server.fs.com/workload/oidc-admin -parentID spiffe://server.fs.com/spire/agent/x509pop/b53cef79ffc236b8015241cfd48401777c7185e7 -selector docker:label:spiffe_id:spiffe://server.fs.com/workload/oidc-admin -admin -dns localhost -dns spire-server -socketPath /run/spire/server/private/api.sockdocker compose exec -u 501 -T spire-server bin/spire-server entry create -spiffeID spiffe://server.fs.com/workload/demo-service -parentID spiffe://server.fs.com/spire/agent/x509pop/b53cef79ffc236b8015241cfd48401777c7185e7 -selector docker:label:spiffe_id:spiffe://server.fs.com/workload/demo-service -dns demo-service -socketPath /run/spire/server/private/api.sockdocker compose exec -u 501 -T spire-server bin/spire-server entry create -spiffeID spiffe://server.fs.com/workload/demo-public -parentID spiffe://server.fs.com/spire/agent/x509pop/b53cef79ffc236b8015241cfd48401777c7185e7 -selector docker:label:spiffe_id:spiffe://server.fs.com/workload/demo-public -dns demo-public -socketPath /run/spire/server/private/api.sockOthers
docker compose exec -u 501 -T spire-server bin/spire-server entry create -spiffeID spiffe://server.fs.com/terminal -selector unix:uid:501 -parentID spiffe://server.fs.com/spire/agent/x509pop/b53cef79ffc236b8015241cfd48401777c7185e7 -socketPath /run/spire/server/private/api.sockdocker compose exec -u 501 -T spire-agent bin/spire-agent api fetch x509 -socketPath /run/spire/agent/public/workload_api.sock -write /run/spire/agent/conf/ca ./bin-macos/spire-server entry create -spiffeID spiffe://server.fs.com/workload/oidc-admin -parentID spiffe://server.fs.com/spire/agent/x509pop/b53cef79ffc236b8015241cfd48401777c7185e7 -selector unix:uid:501 -admin -dns localhost -dns spire-server -socketPath /tmp/spire/server/private/api.sock./bin-macos/spire-server entry create -spiffeID spiffe://server.fs.com/workload/demo-service -parentID spiffe://server.fs.com/spire/agent/x509pop/b53cef79ffc236b8015241cfd48401777c7185e7 -selector unix:uid:501 -dns demo-service -socketPath /tmp/spire/server/private/api.sock./bin-macos/spire-server entry create -spiffeID spiffe://server.fs.com/workload/demo-public -parentID spiffe://server.fs.com/spire/agent/x509pop/b53cef79ffc236b8015241cfd48401777c7185e7 -selector unix:uid:501 -dns demo-public -socketPath /tmp/spire/server/private/api.sock