This repository contains the service definitions, code-generated stubs, and infrastructure for running and testing SPIRE plugins.
SPIRE supports a rich plugin system. Plugins can be either built in or external to SPIRE. External plugins run as separate processes and use go-plugin under the covers.
SPIRE communicates with plugins over gRPC. As such, the various interfaces are defined via gRPC service definitions.
There are three types of interfaces:

Type | Description |
---|---|
Plugin | The primary plugin interface. A plugin implements only one plugin interface. |
Service | An auxiliary service interface. These are generic facilities consumed by SPIRE. An example is the common Config service. A plugin implements zero or more service interfaces. |
Host Service | A service provided by SPIRE and optionally consumed by plugins. |

Agent plugins:

Plugin | Versions | Description | Template |
---|---|---|---|
KeyManager | v1 | Manages private keys and performs signing operations. | link |
NodeAttestor | v1 | Performs the agent side of the node attestation flow. | link |
SVIDStore | v1 | Stores workload X509-SVIDs to arbitrary destinations. | link |
WorkloadAttestor | v1 | Attests workloads and provides selectors. | link |

Server plugins:

Plugin | Versions | Description | Template |
---|---|---|---|
BundlePublisher | v1 | Publishes a trust bundle to a store. | link |
CredentialComposer | v1 | Allows customization of SVID and CA attributes. | link |
KeyManager | v1 | Manages private keys and performs signing operations. | link |
NodeAttestor | v1 | Performs the server side of the node attestation flow. | link |
Notifier | v1 | Notifies external systems of certain SPIRE events. | link |
UpstreamAuthority | v1 | Plugs SPIRE into an upstream PKI. | link |

Service | Versions | Description |
---|---|---|
Config | v1 | Used by SPIRE to configure the plugin. |

Host Service | Versions | Description |
---|---|---|
Metrics | v1 | Provides metrics facilities. |

Host Service | Versions | Description |
---|---|---|
IdentityProvider | v1 | Provides an identity and bundle information. |
AgentStore | v1 | Provides information about attested agents. |

For guidance in authoring a plugin, see AUTHORING.
To migrate existing pre-SDK plugins, see MIGRATING.
This repository is tagged along with SPIRE releases with the same name, even if there are no changes to the APIs between SPIRE versions. This allows consumers to always pick a tag that matches up with their deployment. Even so, SPIRE maintains API compatibility between SPIRE versions. SPIRE will clearly indicate in the CHANGELOG when APIs are deprecated and, well in advance of any removal, will issue warnings at runtime when they are used.
This repository follows the same governance and contribution guidelines as the SPIRE project.
For specifics on getting started, see CONTRIBUTING.
Please open Issues to request features or file bugs.