A curated list of SPIFFE and SPIRE resources

Content

• Video
  • SPIFFE and SPIRE Introduction
  • Advanced topics
• Blog posts
• Utils
• SDK
• Examples

Video

SPIFFE and SPIRE Introduction

A great place to start. Introduction to different concepts and integrations

• 10 minutes introduction to SPIFFE and SPIRE

  • February 2020
  • Evan Gilman

• Real World SPIFFE Scenarios and Outcomes

  • Andres Vega & Frederick Kautz
  • May 2022
  • KubeCon EU
  • Introduction
  • From perimeter to identity-based security, how do SPIFE and SPIRE solve these challenges, Who should care about SPIFFE in your organization? SPIFFE and SPIRE 101

• Mithril: Introducing Robust Identities into Istio by integrating with SPIRE

  • March 2022
  • HPE DEV MUNCH and LEARN
  • Introduction, Integrations
  • Challenges to secure hybrid environment, identity-based security, SPIFFE and SPIRE 101, architecture, deployment models, federation, what is service-mesh, what is istio, What is Mithril, Istio + SPIRE Integration, demo

• SPIFFE: In Theory and in Practice

  • Evan Gilman & Andrew Harding, VMware
  • October 2021
  • KubeCon NA

• Introduction to SPIFFE by Kelsey Hightower

  • Kelsey Hightower
  • December 2020

• SPIFFE and SPIRE: Architecture Deep Dive

  • Andrew Harding & Evan Gilman, VMware
  • December 2020

• Five Things You Didn’t Know You Could Do with SPIFFE and SPIRE

  • Andrew Jessup & Andrés Vega
  • November 2019 KubeCon NA
  • History and Federation

• TGI Kubernetes 094: SPIFFE and SPIRE

  • Joe Beda
  • October 2019
  • History of SPIFFE, SPIFFE ID, SVID, etc. SPIRE concepts. Demo with k8s

• Securing Multi-Cloud Cross-Cluster Communication with SPIFFE and SPIRE

  • Evan Gilman, Scytale, Inc.
  • May 2019
  • KubeCon EU
  • Security model, SPIRE Architecture, Node Attestation, Workload attestation, Selectors, Deployment topologies

• Managing Microservices Identity with SPIFFE

  • November 2018
  • East Bay Cloud Native Meetup

• SPIFFE and SPIRE in 6 minutes

  • May 2018
  • KubeCon EU 2018

• SPIFFE Project Intro

  • Andrew Jessup & Emiliano Berenbaum, Scytale, Inc.
  • May 2018
  • KubeCon EU

• Introducing SPIFFE: An Open Standard for Identity in Cloud Native Environments

  • Evan Gilman
  • December 2017
  • KubeCon NA

⬆ back to top

Advanced topics

Deep dive topics into different SPIRE and SPIFFE concepts as well as advanced use-cases and deployment/operation models

• SPIRE: Intro & Deep Dive Into Windows Support

  • Agustín Martínez Fayó & Marcos Yacob
  • May 2022
  • KubeCon EU
  • Deep dive
  • SPIFFE and SPIRe overview, SPIRE on Windows, Windows-specific attestation, Demo

• Multi-Cloud Workload Identity With SPIFFE

  • Jake Sanders & Charlie Egan, Jetstack
  • May 2022
  • KubeCon EU
  • Integrations
  • Workload identity, challenges of single vs multi-cloud architecture, what is SPIFE, what is cert-manager, SPIFFE-connector and its architecture, demo

• Integrating SPIRE with Tekton and Sigstore

  • Priya Wadhwa & Parth Patel
  • March 2022
  • SPIFFE and SPIRE March meetup
  • Integrations
  • What is Tekton, Tekton Chains, Tekton Chains workflow, SALSA Framework, Tekton and SPIRE integration, Architectrure, Demo

• Keyless signing and verification of artifact metadata with Witness and SPIRE

  • Cole Kennedy
  • March 2022
  • SPIFFE and SPIRE March meetup
  • Integrations
  • Attestation-based security model, Whtness and Judge architecture, Integration with SPIRE for keyless signing, Demo

• Bridging the Great Divide: SPIFFE/SPIRE for Cross-Cluster Authentication

  • Andrew Harding, VMware
  • October 2021
  • KubeCon NA
  • The problem of multi-cluster authentication, SPIFFE and SPIRE refresher, SPIRE controller architecture, Demo architecture, demo

• Untangling the Multi-Cloud Identity and Access Problem With SPIFFE Tornjak

  • B Lum & M Sabath
  • October 2021
  • KubeCon NA
  • Workload identity, Multi-cloud access problem, solutions with more problems, solution based on SPIFFE universal identity, Meet Tornjak, architecture, demo

• Deployment Patterns for Operating SPIRE at Scale

  • Evan Gilman
  • March 2021
  • SPIFFE and SPIRE meetup
  • SPIRE Deployment Models
  • Basic SPIRE architecture, Single SPIRE server, SPIRE Servers in HA, Nested SPIRE, Federated SPIRE,

• Securing the software supply chain with in-toto and SPIRE

  • Cole Kennedy
  • March 2021
  • SPIFFE and SPIRE meetup
  • Integrations
  • ZTA, Evidence-based trust, in-toto, using SPIRE for identity verification, demo

• Using SPIFFE Identities in PARSEC – Paul Howard, Hugues de Valon

  • March 2021
  • SPIFFE and SPIRE meetup
  • Integrations
  • What is PARSEC, Parsec architecture, Multitenancy in parsec, Integrating PSIRE and Parsec for authentication of clients, demo

• Sneak Peek Serverless support

  • Agustín Martínez
  • February 2021
  • SPIFFE and SPIRE Meetup
  • Advanced architecture
  • Challenges of supporting serverless identities, architecture

• AWS App Mesh, Mutual TLS, and SPIRE Integration

  • Efe Selcuk
  • February 2021
  • SPIFFE and SPIRE Meetup
  • Integrations
  • Intro to AWS App Mesh, Mutual TLS, SPIRE on AWS: EC2, ECS, Fargate, Challenges with fargate (registration, identity bootstrap). App Mesh and EKS SPIRE integration. AppMesh architecture, Scaling Parameters and perf, Demo

• Service Identity at Scale at Netflix

  • Ian Haken
  • October 2020
  • SPIFFE and SPIRE Meetup
  • Case study
  • Netflix ecosystem, need for identities, attestation, AWS instance metadata, bootstrap of trust, nodes, containers, non-cloud, universal identity, scaling identity platform, Authorization, similarities of Netflix identity system with SPIRE and SPIFFE

• Attestation and identity provisioning to Intel SGX workloads

  • Andrey Brito
  • December 2020
  • Production Identity day
  • Integrations
  • SGX concepts 101, Porting apps to SGX, Integrating SPIFFE and SGX, Threat model, Integration flow.

• Using DevIDs and TPMs for Node Attestation

  • Adriane Cardozo, Marcos Yedro
  • December 2020
  • Production Identity day
  • Integrations
  • DevID and TPM 101, 802.1AR, TPM2 attestation design, Demo

• Fortifying Microservice Security with SPIRE and OPA

  • Ash Nakar
  • December 2020
  • Production Identity day
  • Integrations
  • What is OPA, OPA 101, Demo, Propogatin user identity through JWT SVID

• Using a CRD to better integrate SPIRE and Kubernetes

  • Faisal Memon
  • December 2020
  • Production Identity day
  • Integrations
  • SPIRE and NGINX, SPIRE provides Identities and certificates for Webhooks and API servers certs. CRD for SPIRE and why use CRD. Demo.

• Leveraging Certificate Transparency to Strengthen Auditability in SPIRE

  • Ruide Zhang, Bytedance
  • December 2020
  • Production Identity day
  • Integration
  • Certificate Transparency in SPIRE, Showcase of a certificate with SCT,

• Establishing Trust Across Regulatory Boundaries in Complex, Heterogeneous Infrastructures With SPIRE

  • Jonathan Oddy
  • March 2020
  • SPIFFE and SPIRE Meetup
  • Case study
  • The scale of the company and Infrastructure, Service authentication, challenges, Kafka integration, trust domain federation, benefits using SPIRE, and remaining challenges

• Operationalizing SPIRE at Square

  • Matthew McPherrin
  • March 2020
  • SPIFFE and SPIRE Meetup
  • Case study, Operations
  • Square hybrid multi-cloud architecture, SPIFFE arch overview, Architect for reliability: Datastore, dealing with datastore failures, region failure, spire server failure, spire agent failures, no identity issued, monitoring spire, custom logging with SPIRE, recovering from failures.

• Observability in SPIRE at Scale

  • Andrew Moore
  • March 2020
  • SPIFFE and SPIRE Meetup
  • Advanced topics, Operations
  • Telemetry implementation, Scale at Uber, agent observability, logs vs metrics, server observability, future enhancements

• Securing Communication Between Meshes and Beyond with SPIFFE Federation

  • Evan Gilman & Oliver Liu
  • November 2019
  • KubeCon NA
  • Integrations
  • What is a ServiceMesh, SPIFFE, Identity and service mesh, Hybrid and multi-mesh examples, Different identity authority architectures, SPIFFE Federation as the exchange of trust, Istio and SPIRE federation, Demo,

• Scaling SPIRE for Performance and Availability

  • Tyler Julian, Uber
  • November 2019
  • KubeCon NA
  • Practical design decisions, Operations
  • The concept of the root of trust, What is SPIFFE, SPIRE Architecture, short-lived credentials vs. revocation, Registration challenges, Scaling registration, Per-cluster vs. per-host workload registration, TTL: security vs. Reliability

• Integrating SPIRE with workload schedulers

  • Tyler Dixon, Uber
  • May 2019
  • SPIFFE Community Day
  • Design decisions, Integrations
  • Background, Workload registration strategies, workload lifecycle readiness check, liveness check, and relation to registration and resilience.

• Securing Application Telemetry & Tracing with SPIFFE and Envoy

  • Sabree Blackmon, Docker
  • December 2018
  • KubeCon NA
  • Integrations
  • Importance of different data types, What are telemetry, logging, tracing, and audit data. Simple-secrets case study and demo of integrating with envoy and spire.

⬆ back to top

Blogs

• On-Premise Workload Identity Federation with GCP using SPIFFE and SPIRE

  • How SPIFFE solves interoperability by combining SPIFFE and Google Workload Identity for on-premise workloads that communicate with GCP APIs.

• Use SPIRE as an OIDC provider for Kubernetes apiserver

  • In this article, we will introduce a method to integrate spire with kubernetes. Use spire as an OIDC provider for kubernetes apiserver to authenticate the workload, which can fetch a valid JWT SVID from SPIRE.

• Azure AD workload identity federation with SPIFFE and SPIRE

  • This blog post explores how services relying on SPIFFE can also use this capability to access Azure resources. No secrets are necessary.

• Going secretless and keyless with Spiffe Vault

  • In this blogpost I want to introduce you to a small commandline utility (spiffe-vault) that enables a whole bunch of usecases like secretless deployments, keyless codesigning, keyless encryption.

• SPIFFE/SPIRE CSI Driver

  • Deploying SPIRE with CSI Driver

• Envoy, SPIRE, and OPA

  • Zero Trust with Envoy, SPIRE, and Open Policy Agent (OPA)

• Hardening Istio security with SPIRE

  • Istio and SPIRE integration.

• AWS OIDC Authentication with SPIFFE

  • Easy authentication with automated AWS credentials. Federation with AWS.

• Providing mTLS Identities to Lambdas

  • Securing serverless communication with our data centers.

• Azure AD workload identity federation with SPIFFE and SPIRE

  • SPIFFE federation with Azure Cloud.

• Using mTLS with SPIFFE/SPIRE in AWS App Mesh on Amazon EKS

  • SPIFFE federation with AWS cloud.

• SPIFFE/SPIRE Federation on Kind clusters

  • SPIFFE federation.

• Shepherding your Cloud Native “cattle” with Tornjak

  • Introduction to project Tornjak

⬆ back to top

SDK

• go spiffe

  • This library is a convenient Go library for working with SPIFFE.

• java spiffe

  • Java SPIFFE Library.

• c spiffe

  • C SPIFFE library.

• python spiffe

  • This SPIFFE library provides a Workload API client to fetch X.509 and JWT SVIDs and trust bundles. Important: This library currently doesn't provide any functionality to support TLS connections using SPIFFE certificates.

• rust spire-workload-rs

  • This crate provides a number of useful APIs to help Rust programs use Spire workload API.

• rust-spiffe

  • A utility library to interact with the SPIFFE Workload API to fetch X.509 and JWT SVIDs and Bundles. It also provides types that comply with the SPIFFE standards.

⬆ back to top

Utils

• SPIFFE GCP Proxy

  • This is a simple GOLANG application that provides an Auth proxy for On-Prem workloads that want to use Google Cloud Platform APIs, using SPIFFE and Workload Identity Federation.

• SPIRE HELM Charts

  • https://github.com/philips-labs/helm-charts/tree/main/charts/spire

• spire-oidc-discovery-provider

  • The SPIRE OIDC Discovery Provider is a small helper that provides a minimal implementation of a subset of the OIDC discovery document as related to exposing a JSON Web Key Set (JWKS) for JSON Web Token (JWT) validation.

• spire-controller-manages

  • SPIRE Kubernetes Controller manager which facilitates the registration of workloads and establishment of federation relationships.

• k8s-workload-registrar

  • The SPIRE Kubernetes Workload Registrar implements a Kubernetes ValidatingAdmissionWebhook that facilitates automatic workload registration within Kubernetes.

• SPIFFE CSI Driver

  • A Container Storage Interface driver for Kubernetes that facilitates injection of the SPIFFE Workload API.

• spiffe-aws-assume-role

  • This tool allows using a SPIFFE JWT to authenticate to AWS APIs

• Tornjak

  • The project aims to provide a management plane and capabilities for SPIFFE identities managed by SPIRE. The goals are to provide global visibility, auditability, and configuration and policy management for identities.

• SPIFFE Helper

  • The SPIFFE Helper is a simple utility for fetching X.509 SVID certificates from the SPIFFE Workload API, launch a process that makes use of the certificates and continuously get new certificates before they expire. The launched process is signaled to reload the certificates when is needed.

• cert-manager csi-driver-spiffe

  • csi-driver-spiffe is a Container Storage Interface (CSI) driver plugin for Kubernetes to work along cert-manager. This CSI driver transparently delivers SPIFFE SVIDs in the form of X.509 certificate key pairs to mounting Kubernetes Pods.

• NGINX with SPIFFE support

  • This version of NGINX Open Source interacts with the SPIFFE Workload API to request and use certificates for mTLS.

• Kafka SPIFFE Principal Builder

  • A custom KafkaPrincipalBuilder implementation for Apache Kafka. This class and documentation deal only with SslAuthenticationContext, we do not support any other context at the moment (Kerberos, SASL, Oauth)

• Emissary

  • This is a service that communicates with spire-agent to fetch and validate JWT-SVIDs sent to it over HTTP, usually from envoy using ext_authz.

• SPIFFE Vault

  • Integrates SPIFFE SVID authentication with Hashicorp Vault to retrieve a VAULT_TOKEN. Example usecases
    • Read secrets from Hashicorp Vault Hashicorp Vault without providing a secret to authenticate against Hashicorp Vault. Instead we will be using a SPIFFE SVID to authenticate ourself against Hashicorp Vault.
    • Perform secretless/keyless code signing by utilizing the Hashicorp Vault Transit engine as a software defined HSM. This resolves the issue of having signing keys on a local machine as well resolves the issue of managing secrets to access the signing keys. Again we utilize the SPIFFE SVID to authenticate against Hashicorp Vault.

• Kerberos-Attestor

  • The Kerberos-Attestor is a plugin for the SPIRE server and agent that allows SPIRE to automatically attest nodes that are joined to a domain backed by the Kerberos authentication protocol.

• SPIRE TPM Plugin

  • This repository contains agent and server plugins for SPIRE to allow TPM 2-based node attestation.

• SPIRE Tailscale Plugin

  • This node attestation plugin relies on a Tailscale OIDC id-token feature, which is marked as Work-in-Progress and may not be available for everyone yet.

⬆ back to top

Examples

• Istio Identities with SPIFFE/SPIRE

  • How to replace the identity-issuing mechanism of Istio with that of SPIRE.

• spiffe-user-demo

  • This is a proof of concept project that runs a SPIFFE Workload API service meant to provide user-based SVIDs on developer endpoints, bootstrapped from an SSO login. This demo in particular integrates with OIDC providers to enable user login, but generalizes to any web application SSO.

• Java SPIFFE examples

  • A bunch of java-spiffe use examples

• SPIRE and SGX-SCONE

  • Issuing SPIFFE IDs to SGX Confidential Workloads

• opa-spiffe-oidc

  • This repository contains the code for the OPA-SPIFFE OIDC Demo.

• spire-envoy-kafka

  • Data exchange demo - Kafka integrated with Envoy proxy and SPIRE

⬆ back to top