SPIRE vs Istio and the future of SPIRE


pas...@wso2.com

Dec 3, 2018, 4:29:02 AM
to [Discussions] Developers & Contributors
Hi All,
If I understand correctly, SPIRE and Istio are both implementations of SPIFFE, but the level at which they implement the standard is different at the moment.
My question is, what is the long-term plan for the SPIRE implementation? Do you intend to provide a standalone production identity framework, or will this merge with Istio at some time?
In case you decide to evolve independently, do you plan to provide integration support for Istio?

Please refer to the links below on my related discussion with the Istio security team.



Thanks.
Pasan W.

Evan Gilman

Dec 3, 2018, 4:31:47 PM
to pas...@wso2.com, dev-dis...@spiffe.io
Hi Pasan

SPIRE is built for production and is a distinctly different project
than Istio or any of its internal components... as such, it will
evolve independently. As for Istio integration, we have some demos
we're preparing for KubeCon in Seattle USA next week which will show
off an integration with Envoy, and is the first step towards an Istio
integration which would displace the native Istio component named
Citadel.

There is nothing I am aware of in SPIRE design that would
fundamentally prevent it from displacing Citadel - a sufficiently
motivated individual could probably get this working with the current
codebase and some glue code. I hope this answers your question.



--
evan

Pasan Wijesinghe

Dec 3, 2018, 10:47:59 PM
to [Discussions] Developers & Contributors, pas...@wso2.com
Thanks a lot for your prompt response, Evan.

We are evaluating the possibility of integrating a SPIRE server into Istio and have identified some key gaps Istio has when compared with SPIRE.

A major point is that SPIRE enables the workload to access the trust bundle, whereas Istio does not allow that. Even if we manage to link SPIRE into Istio, I can't think of a way to provide this feature without breaking Istio's design.
I would very much like to know what you think about this.

Has this idea of integrating SPIRE and Istio been discussed earlier? Can you please share any links you have on this?

Thanks.
Pasan W.