v1.10.4 Latest
SPIFFE Overview Concepts Community Presentations Get Involved
SPIRE About Concepts Use Cases Comparisons Case Studies
Try Quickstart for Linux and MacOS X Quickstart for Kubernetes Quickstart for Docker Compose
Plan Scaling SPIRE Extending
Deploy Getting SPIRE Install Server Install Agent Configuring Registering workloads Working with SVIDs SPIFFE Library Usage Examples SPIRE Agent Configuration Reference SPIRE Server Configuration Reference SPIRE Telemetry Configuration
Maintain Upgrade/Downgrade SPIRE
Helm Charts Hardened About Installation Upgrading Service Selection Recommendations Exposing Services
Identifiers Namespaces
Advanced Federation Local Mirrors
Integrate SPIRE Securing Microservices Using Envoy with SPIRE SPIRE with Envoy and X.509-SVIDs SPIRE with Envoy and JWT-SVIDs Spire with OPA + Envoy + X.509-SVIDs Spire with OPA + Envoy + JWT-SVIDs
SVID Authentication AWS OIDC Authentication Vault Integration Example
SPIRE Architecture Nested SPIRE Example SPIRE Federation Example

Exposing Services

How to expose SPIFFE/SPIRE services outside of Kubernetes

Default

By default no SPIRE services are exposed outside the Kubernetes cluster. The below sections cover how to expose them.

Exposable Services

Production Services

Service Name Section Value Default DNS Name
SPIRE Server spire-server.ingress spire-server.$trustDomain
SPIRE Federation Bundle Endpoint spire-server.federation.ingress spire-server-federation.$trustDomain
SPIFFE OIDC Discovery Provider spiffe-oidc-discovery-provider.ingress oidc-discovery.$trustDomain

Experimental Services

Service Name Value Default DNS Name
Tornjak Frontend tornjak-frontend.ingress tornjak-backend.$trustDomain
Tornjak Backend spire-server.tornjak.ingress tornjak-frontend.$trustDomain

Ingress Controller Support

We have tests for ingress-nginx based Ingress Controllers and the Ingress Controller built into OpenShift.

For ingress-nginx, set global.spire.ingressControllerType=ingress-nginx

For OpenShift, set global.openshift=true

Other Ingress Controllers may work but are untested and unsupported. Set the ingress.annotations values as appropriate for your Ingress Controller. Please consider submitting a PR if you’re able to get another Ingress to work.

Generic Ingress Config

Each Ingress that is enabled by setting ingress.enabled=true will by default create a virtual host with a DNS name like $serviceName.$trustDomain. You can override the host under the services ingress section with key host. If the host value doesn’t have a . in it, $trustDomain will automatically be added.

Example: Overriding the spire-server-federation host to be example-fed.$trustDomain

your-values.yaml snippet:

spire-server:
 federation:
   ingress:
     enabled: true
     host: example-fed

Example: Overriding the spire-server-federation host to be example-fed.my-domain.com

your-values.yaml snippet:

spire-server:
 federation:
   ingress:
     enabled: true
     host: example-fed.my-domain.com

SPIFFE OIDC Discovery Provider

The most likely service you will want to expose outside the Kubernetes Cluster is the the SPIFFE OIDC Discovery Provider.

In order to check the integrity of a JWT, an external service needs information about the server used to sign the JWT. This info can be retrieved from the SPIFFE OIDC Discovery Provider. It will need to be exposed to any other service needing to validate JWT’s.

SPIRE Server

When setting up a Nested SPIRE installation and you have child SPIRE instances in other clusters, you will need to expose the Root SPIRE instance outside the Kubernetes cluster. You can do this like:

your-values.yaml snippet:

spire-server:
  ingress:
    enabled: true

SPIRE Federation Bundle Endpoint

When setting up Federation, you need to expose the bundle endpoint outside the Kubernetes cluster so other SPIRE instances can contact it. It will not work without enabling Federation as well. Please see the Federation documentation of the Helm Chart for all the related options to successfully deploy a Federation.

your-values.yaml snippet:

spire-server:
  federation:
    enabled: true
    ingress:
      enabled: true