
Releases: sufield/e5s

SPIFFE ID Management CLI Tool

19 Nov 16:31


e5s v0.2.0 - SPIFFE ID Management CLI Tool

This release introduces the e5s CLI tool for simplified SPIFFE ID management and zero-trust development workflows.

✨ New Features

CLI Commands:

  • spiffe-id - Construct SPIFFE IDs from components
  • discover - Discover SPIFFE IDs from Kubernetes resources
  • validate - Validate e5s configuration files
  • version - Show version information and environment details
  • client - Make mTLS requests for data-plane debugging
  • deploy - Deploy and manage e5s test environments
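The `spiffe-id` and `discover` commands build identities from parts, and the `validate` command checks files that contain them. The rules an ID has to satisfy are the same in both cases, so the following added example (not e5s's own code, written for this page) shows them in plain Go: construction from a trust domain plus path segments, then validation against the SPIFFE ID standard (fixed `spiffe` scheme, lowercase trust domain of at most 255 bytes, no port or userinfo, non-empty path segments that are never `.` or `..`, no query or fragment, 2048-byte cap). The `KubernetesWorkloadID` helper is an assumption: it applies the `/ns/<namespace>/sa/<service-account>` template that SPIRE's Kubernetes integrations use by default, which a cluster may override, and e5s's `discover` may derive IDs differently.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SPIFFEID is a parsed SPIFFE ID of the form spiffe://<trust-domain><path>.
// Path is empty for the trust domain's own ID, otherwise it starts with "/".
type SPIFFEID struct {
	TrustDomain string
	Path        string
}

func (id SPIFFEID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

// Trust domain names are lowercase: letters, digits, ".", "-" and "_".
func trustDomainChar(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}

// Path segments additionally allow uppercase letters.
func pathChar(c byte) bool { return trustDomainChar(c) || (c >= 'A' && c <= 'Z') }

// ParseSPIFFEID validates s against the SPIFFE ID standard. Because "?", "#",
// ":" and "@" are not permitted characters, query strings, fragments, ports
// and userinfo are all rejected by the character checks.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	if len(s) > 2048 {
		return SPIFFEID{}, errors.New("spiffe id exceeds 2048 bytes")
	}
	rest, ok := strings.CutPrefix(s, "spiffe://")
	if !ok {
		return SPIFFEID{}, errors.New(`scheme must be "spiffe"`)
	}
	td, after, hasPath := strings.Cut(rest, "/")
	if td == "" || len(td) > 255 {
		return SPIFFEID{}, errors.New("trust domain must be 1..255 bytes")
	}
	for i := 0; i < len(td); i++ {
		if !trustDomainChar(td[i]) {
			return SPIFFEID{}, fmt.Errorf("invalid trust domain character %q", td[i])
		}
	}
	id := SPIFFEID{TrustDomain: td}
	if !hasPath {
		return id, nil
	}
	// A trailing or doubled slash yields an empty segment and is rejected here.
	for _, seg := range strings.Split(after, "/") {
		switch seg {
		case "":
			return SPIFFEID{}, errors.New("empty path segment (doubled or trailing slash)")
		case ".", "..":
			return SPIFFEID{}, fmt.Errorf("path segment %q is not allowed", seg)
		}
		for i := 0; i < len(seg); i++ {
			if !pathChar(seg[i]) {
				return SPIFFEID{}, fmt.Errorf("invalid path character %q", seg[i])
			}
		}
	}
	id.Path = "/" + after
	return id, nil
}

// NewSPIFFEID joins a trust domain and path segments and validates the result,
// so a bad component fails here instead of producing an ID SPIRE will reject.
func NewSPIFFEID(trustDomain string, segments ...string) (SPIFFEID, error) {
	var b strings.Builder
	b.WriteString("spiffe://")
	b.WriteString(trustDomain)
	for _, s := range segments {
		b.WriteByte('/')
		b.WriteString(s)
	}
	return ParseSPIFFEID(b.String())
}

// KubernetesWorkloadID applies the /ns/<namespace>/sa/<service-account> path
// template. Assumption: clusters may register workloads under another template.
func KubernetesWorkloadID(trustDomain, namespace, serviceAccount string) (SPIFFEID, error) {
	return NewSPIFFEID(trustDomain, "ns", namespace, "sa", serviceAccount)
}

func main() {
	for _, s := range []string{
		"spiffe://example.org/ns/default/sa/api",
		"spiffe://Example.org/api",          // uppercase trust domain
		"spiffe://example.org/api/../admin", // traversal-style segment
		"spiffe://example.org/api/",         // trailing slash
	} {
		id, err := ParseSPIFFEID(s)
		fmt.Printf("%-40s -> %v %v\n", s, id, err)
	}
}
```

Rejecting `.` and `..` segments matters beyond spec compliance: an authorization check that compares path prefixes would otherwise be fooled by an ID such as `spiffe://example.org/api/../admin`.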

Developer Experience:

  • Command registry pattern for extensible CLI
  • TableWriter helper for formatted console output
  • Comprehensive Makefile targets for release automation
  • Version tracking system with COMPATIBILITY.md and scripts/env-versions.sh
  • SUCCESS-PATH.md following Stu McLaren methodology for user journeys

Quality & Security:

  • Comprehensive link checking with lychee
  • Automated security scanning with gosec, govulncheck, and golangci-lint
  • OpenSSF Scorecard improvements (Pinned-Dependencies and Vulnerabilities)

🔄 Changes

  • Refactored CLI code structure with command registry
  • Enhanced API with Serve() function for simplified server usage
  • Enhanced Get() function with automatic logging
  • Updated all documentation with CLI tool usage
  • Cleaned up documentation navigation to single hub pattern
  • Removed external SPIRE documentation cross-references
  • Fixed all broken documentation links (27 fixes)

🐛 Fixes

  • Fixed test-demo directory gosec warning (unhandled w.Write error)
  • Fixed TESTING_PRERELEASE.md expected output to match actual script behavior
  • Fixed relative paths in documentation links
  • Fixed security workflow false positives with govulncheck

🔒 Security

  • All GitHub Actions pinned to commit SHAs (OpenSSF Scorecard 10/10)
  • No known vulnerabilities in dependencies (OpenSSF Scorecard 10/10)
  • Automated vulnerability scanning on every push and PR
  • Daily scheduled security scans at 2 AM UTC

🧪 Compatibility

Tested with:

  • Go 1.25.3
  • go-spiffe SDK v2.6.0
  • Helm v3.18.6
  • minikube v1.37.0
  • Docker v28.5.2
  • kind v0.23.0
  • golangci-lint v1.64.8
  • SPIRE Helm Chart v0.27.0
  • SPIRE Server v1.13.0
  • SPIRE Agent v1.13.0

📦 Installation

# Using Go install
go install github.com/sufield/e5s/cmd/e5s@v0.2.0

# Or build from source
git clone https://github.com/sufield/e5s.git
cd e5s
git checkout v0.2.0
make build

📚 Documentation


Full Changelog: v0.1.0...v0.2.0

v0.1.0

03 Nov 19:18


v0.1.0 - Initial Release

This is the initial production release of e5s, a lightweight Go library for building mutual TLS services with SPIFFE identity verification.

Should you upgrade?

  • If you're building new mTLS services with SPIRE, start here
  • If you're using raw TLS or custom mTLS implementations, consider migrating to benefit from automatic certificate rotation and SPIFFE identity verification

What's the upgrade impact?

  • New projects: Zero impact - just add the dependency and start coding
  • Existing projects: Requires code changes to integrate, but the high-level API minimizes migration effort

Features

High-Level API

  • e5s.Run() - Convention-over-configuration server that blocks until Ctrl+C
  • e5s.Start() - Config-file-driven server with explicit lifecycle management
  • e5s.Client() - Config-file-driven HTTP client with mTLS
  • e5s.Get() and e5s.Post() - Convenience functions for single requests
  • e5s.PeerID() - Extract authenticated peer's SPIFFE ID from requests

Low-Level API

  • pkg/spiffehttp - HTTP server and client with SPIFFE mTLS support
  • pkg/spire - SPIRE Workload API integration
  • Automatic certificate rotation with zero downtime
  • TLS 1.3 enforced as the minimum protocol version (Go's crypto/tls fixes the TLS 1.3 cipher suites itself; all of them are AEAD, and a CipherSuites list only affects TLS 1.2 peers, which the minimum already rejects)

Security

  • Mutual TLS (mTLS) with SPIFFE identity verification
  • Automatic certificate rotation (zero downtime)
  • ReadHeaderTimeout on the HTTP server to mitigate slow-header (Slowloris-style) attacks; note it does not bound a slowly trickled request body, which needs ReadTimeout or per-handler deadlines
  • Comprehensive security scanning (gosec, govulncheck, CodeQL, gitleaks)
  • Fuzzing tests for security-critical code paths
  • All GitHub Actions dependencies pinned to commit SHAs
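The three server-side properties listed here and in the API sections above, extracting the peer's SPIFFE ID from a request (`e5s.PeerID()`), enforcing TLS 1.3 with mandatory client certificates, and setting `ReadHeaderTimeout`, are shown together in the following added example. It is not e5s's code and does not use its API; e5s builds on the go-spiffe SDK, whereas this example uses only the Go standard library to make visible what the library does for you: the SPIFFE ID is read from the leaf certificate's single `spiffe://` URI SAN, the `VerifyPeerCertificate` hook authorizes only listed IDs after the chain has verified against the trust bundle, and the `http.Server` carries header and read timeouts. `SelfSignedSVID` and `RequestWithPeer` are constructed test inputs, not how real SVIDs are obtained (those come from the SPIRE agent via the Workload API).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// PeerIDFromCert returns the SPIFFE ID carried in a leaf certificate. An X509-SVID
// carries exactly one spiffe:// URI SAN; anything else is an error, not a guess.
func PeerIDFromCert(leaf *x509.Certificate) (string, error) {
	var ids []string
	for _, u := range leaf.URIs {
		if u.Scheme == "spiffe" {
			ids = append(ids, u.String())
		}
	}
	if len(ids) != 1 {
		return "", fmt.Errorf("expected exactly one spiffe:// URI SAN, found %d", len(ids))
	}
	return ids[0], nil
}

// PeerID extracts the authenticated client's SPIFFE ID from an mTLS request.
// PeerCertificates[0] is the leaf the handshake verified under RequireAndVerifyClientCert.
func PeerID(r *http.Request) (string, error) {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return "", errors.New("request did not present a client certificate")
	}
	return PeerIDFromCert(r.TLS.PeerCertificates[0])
}

// ServerTLSConfig: TLS 1.3 minimum, a client certificate chaining to the trust
// bundle is mandatory, and the verified leaf must carry an allowed SPIFFE ID.
// Go fixes the TLS 1.3 suites itself, so no CipherSuites list is needed.
func ServerTLSConfig(serverCert tls.Certificate, bundle *x509.CertPool, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    bundle,
		// chains is populated only after the client chain verified against ClientCAs.
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if len(chains) == 0 || len(chains[0]) == 0 {
				return errors.New("no verified client chain")
			}
			id, err := PeerIDFromCert(chains[0][0])
			if err != nil {
				return err
			}
			if !allowed[id] {
				return fmt.Errorf("peer %s is not authorized", id)
			}
			return nil
		},
	}
}

// NewServer sets ReadHeaderTimeout so a client cannot hold a connection open by
// trickling header bytes; ReadTimeout additionally bounds a slow body.
func NewServer(addr string, cfg *tls.Config, h http.Handler) *http.Server {
	return &http.Server{
		Addr: addr, Handler: h, TLSConfig: cfg,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		IdleTimeout:       2 * time.Minute,
	}
}

// SelfSignedSVID mints a throwaway certificate whose URI SAN is the given
// SPIFFE ID. Constructed test input only; real SVIDs come from the SPIRE agent.
func SelfSignedSVID(id string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(id)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "test-svid"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		URIs:         []*url.URL{u},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RequestWithPeer fakes the post-handshake state a handler observes (test helper).
func RequestWithPeer(leaf *x509.Certificate) *http.Request {
	return &http.Request{TLS: &tls.ConnectionState{PeerCertificates: []*x509.Certificate{leaf}}}
}

func main() {
	leaf, err := SelfSignedSVID("spiffe://example.org/ns/default/sa/api")
	if err != nil {
		panic(err)
	}
	fmt.Println(PeerID(RequestWithPeer(leaf)))
}
```

The allow-list check lives in `VerifyPeerCertificate` rather than in the handler so that an unauthorized workload is rejected during the handshake and never reaches application code; `PeerID` is then only for handlers that need the identity for per-request decisions or audit logging.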

Documentation & Distribution

  • Comprehensive API documentation at pkg.go.dev
  • Multi-architecture binaries (Linux/macOS, amd64/arm64)
  • Docker images for examples
  • Kubernetes/Helm deployment support

Known Limitations

  • This is a 0.x.x release, meaning the API may evolve based on user feedback
  • Currently supports HTTP/HTTPS only (no gRPC support yet, though the low-level API can be used to build gRPC support)
  • Requires a SPIRE deployment (not suitable for projects without SPIRE infrastructure)

Documentation

Release Assets

  • Source code archives
  • Pre-built binaries for Linux and macOS (amd64/arm64)
  • Docker images for demo applications
  • SHA256 checksums for verification