
Module 11: The SPIFFE/SPIRE Ecosystem

Real-world integrations: Vault, Cilium, CI/CD, and enterprise patterns

3 hours. 2 hands-on labs. Free course module.

Learning Objectives

  • Integrate SPIRE with HashiCorp Vault for secret management
  • Connect SPIRE with Cilium for network identity
  • Use SPIFFE identity in CI/CD pipelines
  • Understand enterprise adoption patterns and case studies

Why This Matters

SPIRE does not exist in isolation. In production, it integrates with Vault for secrets, Cilium for networking, CI/CD for pipeline identity, and GitOps for declarative operations. Understanding the ecosystem makes you the engineer who connects all the pieces.

[Architecture diagram: SPIFFE ecosystem integrations. SPIRE (identity provider) at the centre, connected to Vault, Cilium, GitHub Actions, Envoy, Istio, OPA, Terraform and ArgoCD.]
Architecture diagram for Module 11: The SPIFFE/SPIRE Ecosystem.

Lesson Content

SPIRE does not exist in isolation. It integrates with the broader cloud-native ecosystem to provide identity for secrets management, network security, CI/CD pipelines, and GitOps workflows.

SPIRE + HashiCorp Vault

Vault can use SPIFFE identities for authentication. Instead of distributing Vault tokens (another secret to manage), workloads authenticate to Vault using their SVID. Vault verifies the SVID against the SPIRE trust bundle and issues a Vault token with the appropriate policies.

SPIRE + Cilium

Cilium (eBPF-based networking) can use SPIFFE identities for network-level identity enforcement. This combines Kubernetes-native networking with cryptographic workload identity for defense-in-depth.

SPIFFE in CI/CD Pipelines

CI/CD pipelines are workloads too. They need identity to pull from registries, deploy to clusters, and access secrets. SPIFFE gives pipelines cryptographic identity instead of long-lived tokens.

# GitHub Actions with SPIFFE identity:
# 1. GitHub OIDC token identifies the workflow
# 2. SPIRE attests the workflow as a workload
# 3. Pipeline receives an SVID
# 4. Uses SVID to authenticate to production systems

# No long-lived secrets in GitHub!
# Identity is ephemeral and scoped to the specific workflow run

Enterprise Adoption Patterns

  • Bloomberg: Uses SPIRE for workload identity across 100,000+ services
  • Uber: Integrated SPIFFE for inter-service authentication
  • Pinterest: Uses SPIRE for zero-trust networking
  • ByteDance: Deploys SPIRE at massive scale for cloud-native identity

Real-World Use Cases

  • Vault authentication with SPIFFE — eliminating Vault token distribution
  • CI/CD workload identity — GitHub Actions getting SPIFFE SVIDs instead of static secrets
  • Cilium with SPIFFE — combining eBPF networking with cryptographic identity
  • Terraform with SPIFFE — infrastructure provisioning tools authenticating to APIs

Common Mistakes

  • Using static Vault tokens alongside SPIFFE (defeats the purpose)
  • Not securing the OIDC discovery endpoint from which verifiers such as Vault fetch SPIRE's JWT signing keys
  • Attempting to replace all existing auth at once instead of migrating incrementally

Production Alternatives

  • Vault alone: Good for secret storage but creates its own token management problem. SPIFFE + Vault eliminates Vault token distribution.
  • Cloud IAM alone: Works within one cloud but breaks in multi-cloud. SPIFFE provides portable identity.
  • Kubernetes Service Accounts alone: Limited to one cluster, no mTLS, no automatic rotation, no federation.

Career Relevance

The CNCF ecosystem is where the industry is heading. Engineers who understand how SPIFFE connects Vault, Cilium, Envoy, OPA, and CI/CD are uniquely positioned for platform engineering leadership roles.

Hands-On Labs

  1. Vault Authentication with SPIFFE

    Configure Vault to accept SPIFFE identities for authentication.

    • Deploy Vault with the JWT auth method
    • Configure Vault to trust the SPIRE trust bundle
    • Authenticate a workload using its JWT-SVID
    • Retrieve secrets with the SPIFFE-authenticated token

    View lab files on GitHub
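The role-binding step behind the Vault integration above and Lab 1 (issuer, audience, expiry and SPIFFE ID checks that Vault's JWT auth method applies after it has verified the JWT-SVID signature against the keys published by the SPIRE OIDC discovery provider), modelled as an added Python example. This is not SPIRE or Vault code; the role field names mirror Vault's JWT role options, and the issuer, SPIFFE IDs and token are constructed sample values.

```python
import base64
import fnmatch
import json
import time

# Role config using Vault JWT-auth role field names (bound_issuer, bound_audiences,
# bound_claims with bound_claims_type=glob, user_claim, token_policies).
# All values below are constructed for this example.
VAULT_ROLE = {
    "bound_issuer": "https://oidc-discovery.example.internal",
    "bound_audiences": ["vault"],
    "user_claim": "sub",
    "bound_claims": {"sub": "spiffe://example.org/ns/payments/sa/*"},
    "token_policies": ["payments-db-read"],
}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def evaluate_role(token, role, now=None):
    """Apply the role bindings to a JWT-SVID whose signature has already been
    verified against the SPIRE trust bundle (the JWKS step Vault performs first).
    Returns the identity and granted policies, or raises ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != role["bound_issuer"]:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    # An SVID minted for another audience must not be accepted by Vault, even if validly signed.
    if not set(aud) & set(role["bound_audiences"]):
        raise ValueError("audience mismatch: SVID was minted for another service")
    if claims.get("exp", 0) <= now:
        raise ValueError("SVID expired")
    for claim, pattern in role["bound_claims"].items():
        if not fnmatch.fnmatchcase(str(claims.get(claim, "")), pattern):
            raise ValueError("bound claim %s does not match" % claim)
    return {"entity": claims[role["user_claim"]], "policies": list(role["token_policies"])}

def make_svid(sub, aud, exp, iss=VAULT_ROLE["bound_issuer"]):
    """Build a constructed JWT-SVID-shaped token for the example. The signature segment is a
    placeholder; a real JWT-SVID is signed by SPIRE with a key published in the trust bundle."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "typ": "JWT", "kid": "constructed-key-id"}
    return ".".join([enc(header), enc({"sub": sub, "aud": aud, "exp": exp, "iss": iss}), "sig"])
```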

  2. CI/CD Workload Identity

    Give CI/CD pipelines SPIFFE identity instead of static credentials.

    • Configure SPIRE to attest CI/CD runners
    • Issue SVIDs to pipeline workloads
    • Use the SVID to deploy to Kubernetes
    • Remove all static credentials from the pipeline

    View lab files on GitHub

Key Takeaways

  • Vault + SPIFFE eliminates the need to distribute Vault tokens
  • CI/CD pipelines should have cryptographic identity, not static secrets
  • SPIFFE integrates with the entire CNCF ecosystem (Cilium, Envoy, OPA, Istio)
  • Enterprise adoption is real — Bloomberg, Uber, Pinterest use SPIRE at scale
  • The ecosystem is growing — early adopters have a skills advantage