From YouTube: SPIRE Project Updates - Agustín Martínez Fayó
A
Well, yes, I am Agustín Martínez Fayó, and I am a SPIRE maintainer, and I've been lucky to be part of the project since the beginning.
A
So we will share some project updates.
A
So, let's start by sharing some numbers to have an idea of how the project has been evolving during the last year. So I will show some numbers since last KubeCon in San Diego.
A
There were more than 230 merged PRs, and all that was done by 36 different contributors. So it's really nice to see a lot of contributions from the community and to see how this is growing and growing over time. This really shows that the project is really healthy.
A
So, well, let's get right into some of the recent accomplishments in the project. So we refactored the SPIRE Server APIs into a set of more resource-oriented APIs.
A
The APIs, which were organized into the Node and Registration APIs, started to show some structural problems in terms of how the APIs were organized.
A
For example, when adding some new functionality, it was difficult to find the right place to add it, maybe simply because it didn't actually fit well in the Node or Registration APIs.
A
So, after a lot of design work and feedback, they were refactored into different APIs depending on the resource, like Agent, Bundle, Entry or SVID, and we also took the opportunity to improve the consistency across the APIs in terms of things like pagination and filtering of fields.
A
So one other thing is that a lot of work has been done to update the SPIRE documentation, adding examples and tutorials for the most used and critical use cases, including Kubernetes OIDC authentication, a lot of different use cases using Envoy, nested SPIRE, federation, and the use of telemetry in SPIRE. So we have now a lot of guides that can help you get started with the most used use cases. So yeah, that is good, and we just heard from Kelsey that he enjoyed looking at the documentation. So, well, back in April we had the SPIRE 0.10 release, where we completed all the work needed to have support for JWT-SVIDs in nested SPIRE topologies.
A
So, regarding the go-spiffe library, we saw that go-spiffe v1 started to show some signs that it needed an update, because it was not as flexible as we wanted.
A
So earlier this year we worked on a refresh of the library, rethinking it from scratch, and we worked on the v2, which provides both low and high level interfaces to handle the common use cases. That includes establishing mutually authenticated TLS between workloads that are powered by SPIFFE.
A
It also makes it easy to obtain and validate both X.509 and JWT-SVIDs as well. It also provides all the resources needed to federate trust between trust domains using SPIFFE bundles, and all the functionality needed to perform things like bundle management, SPIFFE ID handling or SVID verification.
A
So you can do that now with a tiny amount of code. Also, a lot of work has been done in the java-spiffe library to provide, again, new functionality through new interfaces, and all this has been done in a more modular way.
A
So, let's take a look at the recent releases of SPIRE. So the most recent release is 0.11.1. That was released, I think, at the end of September. That included an improvement in the AWS PCA UpstreamAuthority plugin, and also the option to disable rate limiting of node attestation requests, among other improvements and fixes.
A
And in 0.10 we had a bunch of new things and improvements, including the support for JWT-SVIDs in nested SPIRE, introducing the UpstreamAuthority plugin. There were other improvements, like the reduction of database load in certain configurations and the ability of agents to proactively rotate the workloads' SVIDs.
A
Let's talk a little bit about what is keeping us busy now. What are the things that we're spending time on now? So, well, for many reasons we have been kind of deferring 1.0 for some time.
A
So there have been a lot of things to decide and to work on to be able to finally have 1.0, but at this point we are getting closer to that, and we really think that we should be able to have a wonderful release.
A
So there are a lot of proposals being discussed at this moment, which is something great. One of them is a proposal for TPM node attestation. That is based on an approach following a draft specification from the Trusted Computing Group that leverages DevID certificates to authenticate each device.
A
There is also an ongoing effort to add support for AWS KMS to manage signing keys, since this would be the first key management plugin that depends on an external service.
A
So one of the things that is under discussion is the exact behavior on failures, including timeouts and retry strategies. So that is also being discussed now. There is a proposal for updating the SPIRE datastore to have a simple pluggable solution that would be able to support both SQL and key-value stores.
A
So again, a lot of discussion around that. So obviously we're a bit short on time. We have about three minutes left? Three to four? Okay, yeah. So, well, there are many different scenarios where installing SPIRE Agent is not possible, and that obviously is a problem in SPIRE, where the workloads running in those environments can't access the Workload API.
A
So there is a proposal under discussion to address that problem. Right now it's focused on providing support for the different serverless compute services provided by the major cloud providers as the primary use case, but the idea is to come up with a solution, or a set of solutions, for the different scenarios.
A
The goal is to be able to use SPIRE in those environments where you can't install an agent. And then, quickly, we had forced rotation and revocation as a pending roadmap item for a while, but now there is a concrete proposal to scope the work needed to provide a quick, reliable and automated mechanism for recovering from key compromise.
A
So the proposal defines some steps to accomplish that and also introduces some new APIs in order to achieve that process. So that's under active discussion. Now there is a proposal to add Certificate Transparency support in SPIRE through a new plugin type. This is being discussed also. So let's try to go quickly through this. So we already talked about the things that are keeping us busy now, but there are some other things that we have on the horizon, like the implementation of the break-glass mode.
A
It's well known that SPIRE is a critical piece in any production system that relies on SPIRE to provide identities to workloads.
A
So if SPIRE is not able to properly provide new SVIDs or renew existing ones, that will result in service interruptions. So a break-glass mode would be a way to provide a mechanism that allows SPIRE to continue providing identities even in the states where a failure would prevent SPIRE from issuing SVIDs.
A
So there is currently a request-for-comments issue for that, although we haven't actively discussed that yet, so that's something pending. So the health check system in SPIRE can be improved. We recently added the debug endpoints to get information about the agent and the server, but there is room to improve the current way to check the health of SPIRE Server and Agent to make it more reliable and complete.
A
Also, one of the things that we have in the roadmap is to review the error messages that we have, to make sure that they are not only descriptive of the error but also that they help to have a resolution for the condition. We have some work to do in order to productionize Kubernetes deployments to adhere to security best practices, and we also plan to look at how the core exposes service facilities to plugins, and how plugins expose services that SPIRE core can utilize in exchange.
B
Agustín, amazing.
B
Great, Agustín, we're out of time. Thanks for the update; this is a lot. There is certainly a lot of momentum going on for the project. Very excited, fired up to see this. Slides will be made available. I know you had a few extra slides, but we do need to move on to the next section. Is there a place you would like to call out for folks to come check out, perhaps the SPIRE repo, or where can they find this information you've been talking about?