spire

module
v1.11.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 12, 2024 License: Apache-2.0

README

SPIRE Logo

CII Best Practices Build Status Go Report Card Production Phase

SPIRE (the SPIFFE Runtime Environment) is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms. SPIRE exposes the SPIFFE Workload API, which can attest running software systems and issue SPIFFE IDs and SVIDs to them. This in turn allows two workloads to establish trust between each other, for example by establishing an mTLS connection or by signing and verifying a JWT token. SPIRE can also enable workloads to securely authenticate to a secret store, a database, or a cloud provider service.

SPIRE is a graduated project of the Cloud Native Computing Foundation (CNCF). If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF.

Get SPIRE

Learn about SPIRE

  • Before trying SPIRE, it's a good idea to learn about its architecture and design goals.
  • Once ready to get started, see the Quickstart Guides for Kubernetes, Linux, and MacOS.
  • There are several examples demonstrating SPIRE usage in the spire-examples and spire-tutorials repositories.
  • Check ADOPTERS.md for a list of production SPIRE adopters, a view of the ecosystem, and use cases.
  • See the SPIRE Roadmap for a list of planned features and enhancements.
  • Join the SPIFFE community on Slack. If you have any questions about how SPIRE works, or how to get it up and running, the best places to ask questions are the SPIFFE Slack channels.
  • Download the free book about SPIFFE and SPIRE, "Solving the Bottom Turtle."

Integrate with SPIRE

For supported integration versions, see Supported Integrations.

Contribute to SPIRE

The SPIFFE community maintains the SPIRE project. Information on the various SIGs and relevant standards can be found in https://github.com/spiffe/spiffe.

Further Reading

  • The Scaling SPIRE guide covers design guidelines, recommendations, and deployment models.
  • For an explanation of how SPIRE compares to related systems such as secret stores, identity providers, authorization policy engines and service meshes see comparisons.

Security

Security Assessments

A third party security firm (Cure53) completed a security audit of SPIFFE and SPIRE in February of 2021. Additionally, the CNCF Technical Advisory Group for Security conducted two assessments on SPIFFE and SPIRE in 2018 and 2020. Please find the reports and supporting material, including the threat model exercise results, below.

Reporting Security Vulnerabilities

If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.

Directories

Path Synopsis
cmd
pkg
common/fflag
The fflag package implements a basic singleton pattern for the purpose of providing SPIRE with a system-wide feature flagging facility.
The fflag package implements a basic singleton pattern for the purpose of providing SPIRE with a system-wide feature flagging facility.
common/peertracker
Package peertracker handles attestation security for the SPIFFE Workload API.
Package peertracker handles attestation security for the SPIFFE Workload API.
common/plugin/sshpop
Package sshpop implements ssh proof of possession based node attestation.
Package sshpop implements ssh proof of possession based node attestation.
common/selector
The selector package exports functions useful for manipulating and generating spire selectors
The selector package exports functions useful for manipulating and generating spire selectors
common/tlspolicy
Package tlspolicy provides for configuration and enforcement of policies relating to TLS.
Package tlspolicy provides for configuration and enforcement of policies relating to TLS.
server/bundle/pubmanager
Package pubmanager manages the publishing of the trust bundle to external stores through the configured BundlePublisher plugins.
Package pubmanager manages the publishing of the trust bundle to external stores through the configured BundlePublisher plugins.
nolint // forked code
nolint //forked code
proto
spire Module
support
test
tools module
k8s-test Module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL