Skip to main content

Module 11: The SPIFFE/SPIRE Ecosystem Slides

Slide walkthrough for Module 11 of Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems: Real-world integrations: Vault, Cilium, CI/CD, and...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. The SPIFFE/SPIRE Ecosystem - Real-world integrations: Vault, Cilium, CI/CD, and enterprise patterns
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - SPIRE does not exist in isolation. In production, it integrates with Vault for secrets, Cilium for networking, CI/CD for
  4. SPIRE + HashiCorp Vault - Lesson section from the full module
  5. SPIRE + Cilium - Lesson section from the full module
  6. SPIFFE in CI/CD Pipelines - Lesson section from the full module
  7. Enterprise Adoption Patterns - Lesson section from the full module
  8. Real-World Use Cases - Vault authentication with SPIFFE — eliminating Vault token distribution, CI/CD workload identity — GitHub Actions getting SPIFFE SVIDs instead of static secrets
  9. Common Mistakes to Avoid - 3 mistakes covered
  10. Hands-On Labs - 2 hands-on labs
  11. Key Takeaways - 5 points to remember

Learning Objectives

  • Integrate SPIRE with HashiCorp Vault for secret management
  • Connect SPIRE with Cilium for network identity
  • Use SPIFFE identity in CI/CD pipelines
  • Understand enterprise adoption patterns and case studies

Why This Module Matters

SPIRE does not exist in isolation. In production, it integrates with Vault for secrets, Cilium for networking, CI/CD for pipeline identity, and GitOps for declarative operations. Understanding the ecosystem makes you the engineer who connects all the pieces.

Common Mistakes

  • Using static Vault tokens alongside SPIFFE (defeats the purpose)
  • Not securing the OIDC discovery endpoint for JWT verification
  • Attempting to replace all existing auth at once instead of migrating incrementally

Key Takeaways

  • Vault + SPIFFE eliminates the need to distribute Vault tokens
  • CI/CD pipelines should have cryptographic identity, not static secrets
  • SPIFFE integrates with the entire CNCF ecosystem (Cilium, Envoy, OPA, Istio)
  • Enterprise adoption is real — Bloomberg, Uber, Pinterest use SPIRE at scale
  • The ecosystem is growing — early adopters have a skills advantage

Hands-On Labs

  1. Vault Authentication with SPIFFE

    Configure Vault to accept SPIFFE identities for authentication.

    • Deploy Vault with the JWT auth method
    • Configure Vault to trust the SPIRE trust bundle
    • Authenticate a workload using its JWT-SVID
    • Retrieve secrets with the SPIFFE-authenticated token

    View lab files on GitHub

  2. CI/CD Workload Identity

    Give CI/CD pipelines SPIFFE identity instead of static credentials.

    • Configure SPIRE to attest CI/CD runners
    • Issue SVIDs to pipeline workloads
    • Use the SVID to deploy to Kubernetes
    • Remove all static credentials from the pipeline

    View lab files on GitHub

Read the full module | Back to course curriculum