A curated list of SPIFFE and SPIRE resources

Content

Video

SPIFFE and SPIRE Introduction

A great place to start. Introduction to different concepts and integrations

⬆ back to top

Advanced topics

Deep dive topics into different SPIRE and SPIFFE concepts as well as advanced use-cases and deployment/operation models

⬆ back to top

Blogs

⬆ back to top

SDK

  • go spiffe

    • A convenient Go library for working with SPIFFE.
  • java spiffe

    • Java SPIFFE Library.
  • c spiffe

    • C SPIFFE library.
  • python spiffe

    • This SPIFFE library provides a Workload API client to fetch X.509 and JWT SVIDs and trust bundles. Important: This library currently doesn't provide any functionality to support TLS connections using SPIFFE certificates.
  • rust spire-workload-rs

    • This crate provides a number of useful APIs to help Rust programs use the SPIRE Workload API.
  • rust-spiffe

    • A utility library to interact with the SPIFFE Workload API to fetch X.509 and JWT SVIDs and Bundles. It also provides types that comply with the SPIFFE standards.

⬆ back to top

Utils

  • SPIFFE GCP Proxy

    • A simple Go application that provides an authentication proxy for on-prem workloads that want to use Google Cloud Platform APIs, using SPIFFE and Workload Identity Federation.
  • SPIRE HELM Charts

  • spire-oidc-discovery-provider

    • The SPIRE OIDC Discovery Provider is a small helper that provides a minimal implementation of a subset of the OIDC discovery document as related to exposing a JSON Web Key Set (JWKS) for JSON Web Token (JWT) validation.
  • spire-controller-manager

    • The SPIRE Kubernetes Controller Manager, which facilitates the registration of workloads and the establishment of federation relationships.
  • k8s-workload-registrar

    • The SPIRE Kubernetes Workload Registrar implements a Kubernetes ValidatingAdmissionWebhook that facilitates automatic workload registration within Kubernetes.
  • SPIFFE CSI Driver

    • A Container Storage Interface driver for Kubernetes that facilitates injection of the SPIFFE Workload API.
  • spiffe-aws-assume-role

    • This tool allows using a SPIFFE JWT to authenticate to AWS APIs.
  • Tornjak

    • The project aims to provide a management plane and capabilities for SPIFFE identities managed by SPIRE. The goals are to provide global visibility, auditability, and configuration and policy management for identities.
  • SPIFFE Helper

    • The SPIFFE Helper is a simple utility that fetches X.509 SVID certificates from the SPIFFE Workload API, launches a process that makes use of the certificates, and continuously fetches new certificates before they expire. The launched process is signaled to reload the certificates when needed.
  • cert-manager csi-driver-spiffe

    • csi-driver-spiffe is a Container Storage Interface (CSI) driver plugin for Kubernetes that works alongside cert-manager. It transparently delivers SPIFFE SVIDs in the form of X.509 certificate and key pairs to the Kubernetes Pods that mount it.
  • NGINX with SPIFFE support

    • This version of NGINX Open Source interacts with the SPIFFE Workload API to request and use certificates for mTLS.
  • Kafka SPIFFE Principal Builder

    • A custom KafkaPrincipalBuilder implementation for Apache Kafka. This class and its documentation deal only with SslAuthenticationContext; no other context (Kerberos, SASL, OAuth) is supported at the moment.
  • Emissary

    • A service that communicates with spire-agent to fetch and validate JWT-SVIDs sent to it over HTTP, usually from Envoy via ext_authz.
  • SPIFFE Vault

    • Integrates SPIFFE SVID authentication with HashiCorp Vault to retrieve a VAULT_TOKEN. Example use cases:
      • Read secrets from HashiCorp Vault without providing a secret to authenticate against Vault; a SPIFFE SVID is used to authenticate instead.
      • Perform secretless/keyless code signing by using the HashiCorp Vault Transit engine as a software-defined HSM. This removes the need to keep signing keys on a local machine and also removes the need to manage secrets that grant access to the signing keys. Again, the SPIFFE SVID is used to authenticate against Vault.
  • Kerberos-Attestor

    • The Kerberos-Attestor is a plugin for the SPIRE server and agent that allows SPIRE to automatically attest nodes that are joined to a domain backed by the Kerberos authentication protocol.
  • SPIRE TPM Plugin

    • This repository contains agent and server plugins for SPIRE to allow TPM 2-based node attestation.
  • SPIRE Tailscale Plugin

    • This node attestation plugin relies on a Tailscale OIDC id-token feature, which is marked as Work-in-Progress and may not be available for everyone yet.

⬆ back to top

Examples

  • Istio Identities with SPIFFE/SPIRE

    • How to replace the identity-issuing mechanism of Istio with that of SPIRE.
  • spiffe-user-demo

    • This is a proof of concept project that runs a SPIFFE Workload API service meant to provide user-based SVIDs on developer endpoints, bootstrapped from an SSO login. This demo in particular integrates with OIDC providers to enable user login, but generalizes to any web application SSO.
  • Java SPIFFE examples

    • A collection of java-spiffe usage examples.
  • SPIRE and SGX-SCONE

    • Issuing SPIFFE IDs to SGX confidential workloads.
  • opa-spiffe-oidc

    • This repository contains the code for the OPA-SPIFFE OIDC Demo.
  • spire-envoy-kafka

    • Data exchange demo: Kafka integrated with Envoy proxy and SPIRE.

⬆ back to top