SPIRE (the SPIFFE Runtime Environment) is a tool-chain for establishing trust between software systems across a wide variety of hosting platforms. Concretely, SPIRE exposes the SPIFFE Workload API, which can attest running software systems and issue SPIFFE IDs and SVIDs to them. This in turn allows two workloads to establish trust between each other, for example by establishing an mTLS connection or by signing and verifying a JWT token. Or for a workload to securely authenticate to a secret store, a database, or a cloud provider service.

• Get SPIRE
• Getting started
• Examples
• Using SPIRE with Envoy
• Upgrading SPIRE
• Getting help
• Community

SPIRE is hosted by the Cloud Native Computing Foundation (CNCF) as a sandbox level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the CNCF announcement.

Pre-built releases can be found at https://github.com/spiffe/spire/releases. These releases contain both server and agent binaries plus the officially supported plugins.

Alternatively you can build SPIRE from source.

Before trying out SPIRE, we recommend becoming familiar with its architecture and design goals.

Getting Started Guide for Kubernetes

Getting Started Guide for Linux

The SPIRE Server and SPIRE Agent reference guides covers in more detail the specific configuration options and plugins available.

There are several examples demonstrating SPIRE usage in the spire-examples repository.

SPIRE provides an implementation of the Envoy Secret Discovery Service (SDS). SDS can be used to transparently install and rotate TLS certificates and trust bundles in Envoy. Please see the SPIRE Agent configuration guide for more information.

SPIRE Server supports zero-downtime upgrades when there's more than one SPIRE Server in the cluster. Please see the Managing Upgrades/Downgrades guide for more information on SPIRE version compatibility and supported upgrade paths.

If you have any questions about how SPIRE works, or how to get it up and running, the best place to ask questions is the SPIFFE Slack Organization. Most of the maintainers monitor the #spire channel there, and can help direct you to other channels if need be. Please feel free to drop by any time!

The SPIFFE community, and Scytale in particular, maintain the SPIRE project. Information on the various SIGs and relevant standards can be found in https://github.com/spiffe/spiffe.

The SPIFFE and SPIRE governance policies are detailed in GOVERNANCE.