spiffe · kfox1111 · Mar 25, 2026 · Mar 25, 2026 · Apr 10, 2026 · Apr 10, 2026
@@ -8,6 +8,8 @@ const (
     	comma separated list of audience values
   -format value
     	deprecated; use -output
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
@@ -18,6 +20,8 @@ const (
     	Time to wait for a response (default 5s)
 `
 	fetchX509Usage = `Usage of fetch x509:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -silent
@@ -32,6 +36,8 @@ const (
 	validateJWTUsage = `Usage of validate jwt:
   -audience string
     	expected audience value
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -11,18 +11,22 @@ import (
 
 type ConfigOS struct {
 	socketPath string
+	instance   string
 }
 
 func (c *ConfigOS) AddOSFlags(flags *flag.FlagSet) {
 	flags.StringVar(&c.socketPath, "socketPath", DefaultSocketPath, "Path to the SPIRE Agent API Unix domain socket")
+	flags.StringVar(&c.instance, "i", "", "Instance name to substitute into socket templates (env SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.")
 }
 
 func (c *ConfigOS) GetAddr() (net.Addr, error) {
-	return util.GetUnixAddrWithAbsPath(c.socketPath)
+	resolved := ResolveSocketPath(c.socketPath, DefaultSocketPath, "SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE", c.instance)
+	return util.GetUnixAddrWithAbsPath(resolved)
 }
 
 func (c *ConfigOS) GetTargetName() (string, error) {
-	addr, err := util.GetUnixAddrWithAbsPath(c.socketPath)
+	resolved := ResolveSocketPath(c.socketPath, DefaultSocketPath, "SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE", c.instance)
+	addr, err := util.GetUnixAddrWithAbsPath(resolved)
 	if err != nil {
 		return "", err
 	}

@@ -0,0 +1,22 @@
+package common
+
+import (
+	"os"
+	"strings"
+)
+
+func ResolveSocketPath(socketPath, defaultPath, templateEnv, instance string) string {
+	tpl := os.Getenv(templateEnv)
+	if tpl != "" && strings.Contains(tpl, "%i") {
+		if instance == "" {
+			instance = "main"
+		}
+		if socketPath == "" || socketPath == defaultPath {
+			return strings.ReplaceAll(tpl, "%i", instance)
+		}
+	}
+	if socketPath == "" {
+		return defaultPath
+	}
+	return socketPath
+}
@@ -14,12 +14,15 @@ import (
 // that complements healthCheckCommand
 type healthCheckCommandOS struct {
 	socketPath string
+	instance   string
 }
 
 func (c *healthCheckCommandOS) addOSFlags(flags *flag.FlagSet) {
 	flags.StringVar(&c.socketPath, "socketPath", common.DefaultSocketPath, "Path to the SPIRE Agent API socket")
+	flags.StringVar(&c.instance, "i", "", "Instance name to substitute into socket templates (env SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.")
 }
 
 func (c *healthCheckCommandOS) getAddr() (net.Addr, error) {
-	return util.GetUnixAddrWithAbsPath(c.socketPath)
+	resolved := common.ResolveSocketPath(c.socketPath, common.DefaultSocketPath, "SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE", c.instance)
+	return util.GetUnixAddrWithAbsPath(resolved)
 }
@@ -11,6 +11,8 @@ import (
 
 var (
 	usage = `Usage of health:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -shallow
     	Perform a less stringent health check
   -socketPath string

@@ -80,6 +80,7 @@ type agentConfig struct {
 	ServerAddress                 string    `hcl:"server_address"`
 	ServerPort                    int       `hcl:"server_port"`
 	SocketPath                    string    `hcl:"socket_path"`
+	Instance                      string    `hcl:"instance"`
 	WorkloadX509SVIDKeyType       string    `hcl:"workload_x509_svid_key_type"`
 	TrustBundleFormat             string    `hcl:"trust_bundle_format"`
 	TrustBundlePath               string    `hcl:"trust_bundle_path"`

@@ -19,18 +19,30 @@ import (
 
 func (c *agentConfig) addOSFlags(flags *flag.FlagSet) {
 	flags.StringVar(&c.SocketPath, "socketPath", "", "Path to bind the SPIRE Agent API socket to")
+	flags.StringVar(&c.Instance, "i", "", "Instance name to substitute into socket templates (env SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE and SPIRE_AGENT_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var(s) are set, defaults to 'main'.")
 }
 
 func (c *agentConfig) setPlatformDefaults() {
 	c.SocketPath = common.DefaultSocketPath
 }
 
 func (c *agentConfig) getAddr() (net.Addr, error) {
-	return util.GetUnixAddrWithAbsPath(c.SocketPath)
+	resolved := common.ResolveSocketPath(c.SocketPath, common.DefaultSocketPath, "SPIRE_AGENT_PUBLIC_SOCKET_TEMPLATE", c.Instance)
+	return util.GetUnixAddrWithAbsPath(resolved)
 }
 
 func (c *agentConfig) getAdminAddr() (net.Addr, error) {
 	socketPathAbs, err := filepath.Abs(c.SocketPath)
+	tpl := os.Getenv("SPIRE_AGENT_PRIVATE_SOCKET_TEMPLATE")
+	if tpl != "" && strings.Contains(tpl, "%i") {
+		if c.Instance == "" {
+			c.Instance = "main"
+		}
+		if c.AdminSocketPath == "" {
+			c.AdminSocketPath = strings.ReplaceAll(tpl, "%i", c.Instance)
+		}
+	}
+
 	if err != nil {
 		return nil, fmt.Errorf("failed to get absolute path for socket_path: %w", err)
 	}

@@ -8,6 +8,8 @@ var (
     	Indicates that the command will not perform any action, but will print the agents that would be purged.
   -expiredFor duration
     	Amount of time that has passed since the agent's SVID has expired. It is used to determine which agents to purge. (default 720h0m0s)
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
@@ -22,6 +24,8 @@ var (
     	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
   -expiresBefore string
     	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -matchSelectorsOn string
     	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
   -output value
@@ -32,6 +36,8 @@ var (
     	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	banUsage = `Usage of agent ban:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
@@ -40,6 +46,8 @@ var (
     	The SPIFFE ID of the agent to ban (agent identity)
 `
 	evictUsage = `Usage of agent evict:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
@@ -56,6 +64,8 @@ var (
     	Filter based on string received, 'true': agents that can reattest, 'false': agents that can't reattest, other value will return all.
   -expiresBefore string
     	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -matchSelectorsOn string
     	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
   -output value
@@ -66,6 +76,8 @@ var (
     	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	showUsage = `Usage of agent show:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -6,6 +6,8 @@ var (
 	setUsage = `Usage of bundle set:
   -format string
     	The format of the bundle data. Either "pem" or "spiffe". (default "pem")
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -id string
     	SPIFFE ID of the trust domain
   -output value
@@ -16,12 +18,16 @@ var (
     	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	countUsage = `Usage of bundle count:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
     	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	deleteUsage = `Usage of bundle delete:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -id string
     	SPIFFE ID of the trust domain
   -mode string
@@ -34,6 +40,8 @@ var (
 	listUsage = `Usage of bundle list:
   -format string
     	The format to list federated bundles (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem")
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -id string
     	SPIFFE ID of the trust domain
   -output value
@@ -44,6 +52,8 @@ var (
 	showUsage = `Usage of bundle show:
   -format string
     	The format to show the bundle (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem")
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -22,6 +22,8 @@ const (
     	SPIFFE ID of a trust domain to federate with. Can be used more than once
   -hint string
     	The entry hint, used to disambiguate entries with the same SPIFFE ID
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -jwtSVIDTTL int
     	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
   -node
@@ -50,6 +52,8 @@ const (
     	SPIFFE ID of a trust domain an entry is federate with. Can be used more than once
   -hint string
     	The Hint of the records to show (optional)
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -matchFederatesWithOn string
     	The match mode used when filtering by federates with. Options: exact, any, superset and subset (default "superset")
   -matchSelectorsOn string
@@ -84,6 +88,8 @@ const (
     	SPIFFE ID of a trust domain to federate with. Can be used more than once
   -hint string
     	The entry hint, used to disambiguate entries with the same SPIFFE ID
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -jwtSVIDTTL int
     	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
   -output value
@@ -106,6 +112,8 @@ const (
     	The Registration Entry ID of the record to delete.
   -file string
     	Path to a file containing a JSON structure for batch deletion (optional). If set to '-', read from stdin.
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
@@ -118,6 +126,8 @@ const (
     	SPIFFE ID of a trust domain an entry is federate with. Can be used more than once
   -hint string
     	The Hint of the records to count (optional)
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -matchFederatesWithOn string
     	The match mode used when filtering by federates with. Options: exact, any, superset and subset (default "superset")
   -matchSelectorsOn string

@@ -12,6 +12,8 @@ const (
     	Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin.
   -endpointSpiffeID string
     	SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile.
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
@@ -24,6 +26,8 @@ const (
     	Path to the trust domain bundle data (optional).
 `
 	deleteUsage = `Usage of federation delete:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -id string
     	SPIFFE ID of the trust domain
   -output value
@@ -32,12 +36,16 @@ const (
     	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	listUsage = `Usage of federation list:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
     	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	refreshUsage = `Usage of federation refresh:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -id string
     	SPIFFE ID of the trust domain
   -output value
@@ -46,6 +54,8 @@ const (
     	Path to the SPIRE Server API socket (default "/tmp/spire-server/private/api.sock")
 `
 	showUsage = `Usage of federation show:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string
@@ -62,6 +72,8 @@ const (
     	Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin.
   -endpointSpiffeID string
     	SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile.
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -4,6 +4,8 @@ package healthcheck
 
 var (
 	healthcheckUsage = `Usage of healthcheck:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -shallow
     	Perform a less stringent health check
   -socketPath string

@@ -6,6 +6,8 @@ var (
 	jwtActivateUsage = `Usage of localauthority jwt activate:
   -authorityID string
     	The authority ID of the JWT authority to activate
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -4,6 +4,8 @@ package jwt_test
 
 var (
 	jwtPrepareUsage = `Usage of localauthority jwt prepare:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -6,6 +6,8 @@ var (
 	jwtRevokeUsage = `Usage of localauthority jwt revoke:
   -authorityID string
     	The authority ID of the JWT authority to revoke
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -4,6 +4,8 @@ package jwt_test
 
 var (
 	jwtShowUsage = `Usage of localauthority jwt show:
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -6,6 +6,8 @@ var (
 	jwtTaintUsage = `Usage of localauthority jwt taint:
   -authorityID string
     	The authority ID of the JWT authority to taint
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string

@@ -6,6 +6,8 @@ var (
 	x509ActivateUsage = `Usage of localauthority x509 activate:
   -authorityID string
     	The authority ID of the X.509 authority to activate
+  -i string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE). If omitted and the env var is set, defaults to 'main'.
   -output value
     	Desired output format (pretty, json); default: pretty.
   -socketPath string