
Uniform Workload Identity Everywhere - SPIRE Integrations and Extensibility

Offered By: CNCF [Cloud Native Computing Foundation] via YouTube

Tags

Conference Talks Courses
Identity Management Courses
PKI Courses
Envoy Courses
SPIRE Courses

Course Description

Overview

Explore SPIRE integrations and extensibility for uniform workload identity across diverse environments in this conference talk by Ryan Turner from Uber. Discover how SPIRE adapts to support production workload identity in heterogeneous infrastructure and across varied software systems. Learn about the deep integrations available in SPIRE and its plugin-based architecture, which provides the extensibility needed to meet organization-specific infrastructure and tooling requirements. Gain insights into common integration challenges, SPIRE's open-source implementation of the SPIFFE specification, and how that implementation is split across server and agent components. Understand how SPIRE handles node attestation, workload attestation, and key management across different platforms. Explore practical examples of SPIRE integrations, including Envoy mTLS, OIDC Federation, and serverless use cases.

Syllabus

Uniform Workload Identity Everywhere: SPIRE Integrations and Extensibility (Ryan Turner, Uber)

Common Integration Challenges
• Using multiple environments: public and/or private clouds
• Proprietary tooling and infrastructure
• Mix of legacy and cloud-native applications
• Enforcing uniform authentication across all RPCs

• Open-source implementation of the SPIFFE specification
• Control plane for identity distribution/rotation
• Scalable distributed system

• Controlling select functionality and security properties
• Consumption of SPIRE-issued identity
• Downstream integrations
• Simplifying propagation of SVIDs
• Using an SVID as authentication material for external domains

Applies to: Server
• Synchronizes upstream PKI chain/keys with SPIRE
• Handles CSRs for the SPIRE CA
• Optionally accepts SPIRE JWT signing keys
• Available built-in plugins

Applies to: Server, Agent
• Authenticates a node (physical or virtual) in the infrastructure
• Challenge-response protocol
• Defines the bridge of trust between the host identity system and SPIRE
• Built-in plugins

• Selectors can be based on host metadata or be static
• Enables distribution of identities to more finely-grained subsets of hosts
• Alias registration entries matching node selectors can be used to

WorkloadAttestor
Applies to: Agent
• Interrogates a trusted system for attributes of the process
• Matches workload metadata to selectors of identity registrations
• Example authorities: OS kernel, orchestration platform
• Built-in plugins

• Private key generation
• Computes digital signatures of data
• Built-in plugins

• Plugin interfaces defined in proto/spire/agent, server
• Implement the respective plugin interface
• Add an HCL config stanza for the respective component(s) (Server and/or Agent)
• Example for a custom NodeAttestor plugin called mynodeattestor

• Envoy mTLS using X.509 SVIDs
• SPIRE Workload API implements Envoy SDS
• OIDC Federation: authenticate to external services with SVIDs
• Example using a JWT-SVID to invoke AWS APIs

• Agentless mode: enables serverless use cases
• Integration with Apache data projects


Taught by

CNCF [Cloud Native Computing Foundation]

Related Courses

Introducción a SPIFFE y SPIRE - Autenticando servicios nativos de la nube
Ekoparty Security Conference via YouTube
Road to SLSA3 - Non-falsifiable Provenance in Tekton with SPIFFE/SPIRE
Linux Foundation via YouTube
How SPIFFE Helps Istio in Service Mesh Federation
Linux Foundation via YouTube
Trust No System: The Unsettling Reality of Zero Trust
CNCF [Cloud Native Computing Foundation] via YouTube
Growing SPIFFE and SPIRE in 2023 and Beyond - Secure Identity Management Progress
CNCF [Cloud Native Computing Foundation] via YouTube