spire

module

v1.9.4 Latest Latest Go to latest Published: Apr 5, 2024 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/spiffe/spire

Links

Open Source Insights

README ¶

SPIRE Logo

SPIRE (the SPIFFE Runtime Environment) is a toolchain of APIs for establishing trust between software systems across a wide variety of hosting platforms. SPIRE exposes the SPIFFE Workload API, which can attest running software systems and issue SPIFFE IDs and SVIDs to them. This in turn allows two workloads to establish trust between each other, for example by establishing an mTLS connection or by signing and verifying a JWT token. SPIRE can also enable workloads to securely authenticate to a secret store, a database, or a cloud provider service.

Get SPIRE
Learn about SPIRE
Integrate with SPIRE
Contribute to SPIRE
Further Reading
Security

SPIRE is a graduated project of the Cloud Native Computing Foundation (CNCF). If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF.

Get SPIRE

Pre-built releases of SPIRE can be found at https://github.com/spiffe/spire/releases. These releases contain both SPIRE Server and SPIRE Agent binaries.
Container images are published for spire-server, spire-agent, and oidc-discovery-provider.
Alternatively, you can build SPIRE from source.

Learn about SPIRE

Before trying SPIRE, it's a good idea to learn about its architecture and design goals.
Once ready to get started, see the Quickstart Guides for Kubernetes, Linux, and MacOS.
There are several examples demonstrating SPIRE usage in the spire-examples and spire-tutorials repositories.
Check ADOPTERS.md for a list of production SPIRE adopters, a view of the ecosystem, and use cases.
See the SPIRE Roadmap for a list of planned features and enhancements.
Join the SPIFFE community on Slack. If you have any questions about how SPIRE works, or how to get it up and running, the best places to ask questions are the SPIFFE Slack channels.
Download the free book about SPIFFE and SPIRE, "Solving the Bottom Turtle."

Integrate with SPIRE

See Extend SPIRE to learn about the highly extensible SPIRE plugin framework.
Officially maintained client libraries for interacting with the SPIFFE Workload API are available in Go and Java. See SPIFFE Library Usage Examples for a full list of official and community libraries, as well as code samples.
SPIRE provides an implementation of the Envoy Secret Discovery Service (SDS) for use with Envoy Proxy. SDS can be used to transparently install and rotate TLS certificates and trust bundles in Envoy. See Using SPIRE with Envoy for more information.

For supported integration versions, see Supported Integrations.

Contribute to SPIRE

The SPIFFE community maintains the SPIRE project. Information on the various SIGs and relevant standards can be found in https://github.com/spiffe/spiffe.

See CONTRIBUTING to get started.
Use GitHub Issues to request features or file bugs.
See GOVERNANCE for SPIFFE and SPIRE governance policies.

Security

Security Assessments

A third party security firm (Cure53) completed a security audit of SPIFFE and SPIRE in February of 2021. Additionally, the CNCF Technical Advisory Group for Security conducted two assessments on SPIFFE and SPIRE in 2018 and 2020. Please find the reports and supporting material, including the threat model exercise results, below.

Reporting Security Vulnerabilities

If you've found a vulnerability or a potential vulnerability in SPIRE please let us know at security@spiffe.io. We'll send a confirmation email to acknowledge your report, and we'll send an additional email when we've identified the issue positively or negatively.

Directories ¶

Path	Synopsis
cmd
spire-agent
spire-agent/cli
spire-agent/cli/api
spire-agent/cli/common
spire-agent/cli/healthcheck
spire-agent/cli/run
spire-agent/cli/validate
spire-server
spire-server/cli
spire-server/cli/agent
spire-server/cli/bundle
spire-server/cli/common
spire-server/cli/entry
spire-server/cli/federation
spire-server/cli/healthcheck
spire-server/cli/jwt
spire-server/cli/logger
spire-server/cli/run
spire-server/cli/token
spire-server/cli/validate
spire-server/cli/x509
spire-server/util
pkg
agent
agent/api
agent/api/debug/v1
agent/api/delegatedidentity/v1
agent/api/health/v1
agent/api/rpccontext
agent/attestor/node
agent/attestor/workload
agent/catalog
agent/client
agent/common/backoff
agent/common/cgroups
agent/endpoints
agent/endpoints/sdsv3
agent/endpoints/workload
agent/manager
agent/manager/cache
agent/manager/storecache
agent/plugin/keymanager
agent/plugin/keymanager/base
agent/plugin/keymanager/disk
agent/plugin/keymanager/memory
agent/plugin/keymanager/test
agent/plugin/nodeattestor
agent/plugin/nodeattestor/awsiid
agent/plugin/nodeattestor/azuremsi
agent/plugin/nodeattestor/gcpiit
agent/plugin/nodeattestor/jointoken
agent/plugin/nodeattestor/k8spsat
agent/plugin/nodeattestor/k8ssat
agent/plugin/nodeattestor/sshpop
agent/plugin/nodeattestor/test
agent/plugin/nodeattestor/tpmdevid
agent/plugin/nodeattestor/tpmdevid/tpmutil
agent/plugin/nodeattestor/x509pop
agent/plugin/svidstore
agent/plugin/svidstore/awssecretsmanager
agent/plugin/svidstore/gcpsecretmanager
agent/plugin/workloadattestor
agent/plugin/workloadattestor/docker
agent/plugin/workloadattestor/docker/cgroup
agent/plugin/workloadattestor/k8s
agent/plugin/workloadattestor/k8s/sigstore
agent/plugin/workloadattestor/systemd
agent/plugin/workloadattestor/unix
agent/plugin/workloadattestor/windows
agent/storage
agent/svid
agent/svid/store
agent/workloadkey
common/agentpathtemplate
common/api
common/api/middleware
common/api/rpccontext
common/auth
common/bundleutil
common/catalog
common/catalog/testplugin
common/cli
common/cliprinter
common/cliprinter/internal/errorjson
common/cliprinter/internal/errorpretty
common/cliprinter/internal/protojson
common/cliprinter/internal/protopretty
common/cliprinter/internal/structjson
common/cliprinter/internal/structpretty
common/container/process
common/coretypes/bundle
common/coretypes/jwtkey
common/coretypes/x509certificate
common/cryptoutil
common/diskutil
common/entrypoint
common/errorutil
common/fflag The fflag package implements a basic singleton pattern for the purpose of providing SPIRE with a system-wide feature flagging facility.	The fflag package implements a basic singleton pattern for the purpose of providing SPIRE with a system-wide feature flagging facility.
common/health
common/hostservice/metricsservice
common/idutil
common/jwtsvid
common/jwtutil
common/log
common/namedpipe
common/nodeutil
common/peertracker Package peertracker handles attestation security for the SPIFFE Workload API.	Package peertracker handles attestation security for the SPIFFE Workload API.
common/pemutil
common/plugin
common/plugin/aws
common/plugin/azure
common/plugin/gcp
common/plugin/k8s
common/plugin/k8s/apiserver
common/plugin/sshpop Package sshpop implements ssh proof of possession based node attestation.	Package sshpop implements ssh proof of possession based node attestation.
common/plugin/tpmdevid
common/plugin/x509pop
common/profiling
common/protoutil
common/rotationutil
common/sddl
common/selector The selector package exports functions useful for manipulating and generating spire selectors	The selector package exports functions useful for manipulating and generating spire selectors
common/telemetry
common/telemetry/agent
common/telemetry/agent/adminapi
common/telemetry/agent/keymanager
common/telemetry/agent/store
common/telemetry/agent/workloadapi
common/telemetry/common
common/telemetry/server
common/telemetry/server/datastore
common/telemetry/server/keymanager
common/uptime
common/util
common/version
common/x509svid
common/x509util
server
server/api
server/api/agent/v1
server/api/audit
server/api/bundle/v1
server/api/debug/v1
server/api/entry/v1
server/api/health/v1
server/api/limits
server/api/localauthority/v1
server/api/logger/v1
server/api/middleware
server/api/rpccontext
server/api/svid/v1
server/api/trustdomain/v1
server/authorizedentries
server/authpolicy
server/bundle/client
server/bundle/datastore
server/bundle/pubmanager Package pubmanager manages the publishing of the trust bundle to external stores through the configured BundlePublisher plugins.	Package pubmanager manages the publishing of the trust bundle to external stores through the configured BundlePublisher plugins.
server/ca
server/ca/manager
server/ca/rotator
server/cache/dscache
server/cache/entrycache
server/catalog
server/credtemplate
server/credvalidator
server/datastore
server/datastore/sqldriver/awsrds
server/datastore/sqlstore
server/endpoints
server/endpoints/bundle
server/endpoints/bundle/internal/acmetest nolint // forked code	nolint // forked code
server/endpoints/bundle/internal/autocert nolint // forked code	nolint // forked code
server/hostservice/agentstore
server/hostservice/identityprovider
server/plugin/bundlepublisher
server/plugin/bundlepublisher/awss3
server/plugin/credentialcomposer
server/plugin/credentialcomposer/uniqueid
server/plugin/keymanager
server/plugin/keymanager/awskms
server/plugin/keymanager/azurekeyvault
server/plugin/keymanager/base
server/plugin/keymanager/disk
server/plugin/keymanager/gcpkms
server/plugin/keymanager/memory
server/plugin/keymanager/test
server/plugin/nodeattestor
server/plugin/nodeattestor/awsiid
server/plugin/nodeattestor/awsiid/awsrsa1024
server/plugin/nodeattestor/awsiid/awsrsa2048
server/plugin/nodeattestor/azuremsi
server/plugin/nodeattestor/base
server/plugin/nodeattestor/gcpiit
server/plugin/nodeattestor/jointoken
server/plugin/nodeattestor/k8spsat
server/plugin/nodeattestor/k8ssat
server/plugin/nodeattestor/sshpop
server/plugin/nodeattestor/tpmdevid
server/plugin/nodeattestor/x509pop
server/plugin/notifier
server/plugin/notifier/gcsbundle
server/plugin/notifier/k8sbundle
server/plugin/upstreamauthority
server/plugin/upstreamauthority/awspca
server/plugin/upstreamauthority/awssecret
server/plugin/upstreamauthority/certmanager
server/plugin/upstreamauthority/certmanager/internal/v1
server/plugin/upstreamauthority/disk
server/plugin/upstreamauthority/gcpcas
server/plugin/upstreamauthority/spire
server/plugin/upstreamauthority/vault
server/registration
server/svid
proto
private/server/journal
spire/common
spire/common/plugin
spire Module
support
oidc-discovery-provider
test
clock
fakes/fakeagentcatalog
fakes/fakeagentkeymanager
fakes/fakeagentnodeattestor
fakes/fakeagentstore
fakes/fakedatastore
fakes/fakeentryclient
fakes/fakehealthchecker
fakes/fakeidentityprovider
fakes/fakemetrics
fakes/fakenotifier
fakes/fakepluginmetrics
fakes/fakeserverca
fakes/fakeservercatalog
fakes/fakeserverkeymanager
fakes/fakeservernodeattestor
fakes/fakeupstreamauthority
fakes/fakeworkloadapi
fakes/fakeworkloadattestor
fixture
fixture/nodeattestor/x509pop
grpctest
integration/setup/adminclient
integration/setup/debugagent
integration/setup/debugserver
integration/setup/delegatedidentity
integration/setup/downstreamclient
integration/setup/itclient
integration/setup/node-attestation
integration/setup/svidstore/check
integration/setup/svidstore/plugin
integration/setup/x509pop
plugintest
spiretest
testca
testkey
tpmsimulator
util
tools module
k8s-test Module

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL