SPIRE (the SPIFFE Runtime Environment) is a tool-chain for establishing trust between software systems across a wide variety of hosting platforms. Concretely, SPIRE exposes the SPIFFE Workload API, which can attest running software systems and issue SPIFFE IDs and SVIDs to them. This in turn allows two workloads to establish trust between each other, for example by establishing an mTLS connection or by signing and verifying a JWT token. Or for a workload to securely authenticate to a secret store, a database, or a cloud provider service.
SPIRE is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the CNCF announcement.
Get SPIRE
Pre-built releases can be found at https://github.com/spiffe/spire/releases. These releases contain both server and agent binaries plus the officially supported plugins.
Alternatively you can build SPIRE from source.
Getting started
Before trying out SPIRE, we recommend becoming familiar with its architecture and design goals.
Getting Started Guide for Kubernetes
Getting Started Guide for Linux
The SPIRE Server and SPIRE Agent reference guides covers in more detail the specific configuration options and plugins available.
Examples
There are several examples demonstrating SPIRE usage in the spire-examples repository.
Using SPIRE with Envoy
SPIRE provides an implementation of the Envoy
Secret Discovery Service
(SDS). SDS can be used to transparently install and rotate TLS certificates and
trust bundles in Envoy. Please see the SPIRE Agent configuration guide for more information.
Upgrading SPIRE
SPIRE Server supports zero-downtime upgrades when there's more than one SPIRE Server in the cluster. Please see the Managing Upgrades/Downgrades guide for more information on SPIRE version compatibility and supported upgrade paths.
Getting Help
If you have any questions about how SPIRE works, or how to get it up and running, the best place to ask questions is the SPIFFE Slack Organization. Most of the maintainers monitor the #spire channel there, and can help direct you to other channels if need be. Please feel free to drop by any time!
Community
The SPIFFE community, and Scytale in particular, maintain the SPIRE project.
Information on the various SIGs and relevant standards can be found in
https://github.com/spiffe/spiffe.
The SPIFFE and SPIRE governance policies are detailed in
GOVERNANCE.