GitOps for SPIFFE/SPIRE: Infrastructure-as-Code for Identity Management

Introduction: Identity Management as Code#

In our previous guides, we’ve built sophisticated SPIFFE/SPIRE deployments with multi-cluster federation and advanced security patterns. However, managing these complex identity infrastructures manually becomes unsustainable at enterprise scale. This is where GitOps principles transform identity management from a manual, error-prone process into a declarative, automated, and auditable system.

This comprehensive guide explores how to implement GitOps patterns for SPIFFE/SPIRE, covering everything from basic deployment automation to advanced multi-environment identity governance with full audit trails and compliance reporting.

GitOps Architecture for Identity Infrastructure#

Let’s visualize a complete GitOps workflow for SPIFFE/SPIRE:

1
graph TB
2
    subgraph "GitOps Control Plane"
3
        GIT_REPO[Git Repository<br/>Identity Configurations]
4
        ARGOCD[ArgoCD<br/>Application Controller]
5
        FLUX[Flux<br/>Source Controller]
6
        HELM_REPO[Helm Repository<br/>SPIRE Charts]
7
    end
8

9
    subgraph "Development Workflow"
10
        DEV[Developer]
11
        PR[Pull Request]
12
        CI[CI Pipeline<br/>Validation]
13
        MERGE[Merge to Main]
14

15
        DEV --> PR
16
        PR --> CI
17
        CI --> MERGE
18
    end
19

20
    subgraph "Production Cluster"
21
        SPIRE_SERVER[SPIRE Server]
22
        SPIRE_AGENTS[SPIRE Agents]
23
        WORKLOADS[Application Workloads]
24

25
        SPIRE_SERVER --> SPIRE_AGENTS
26
        SPIRE_AGENTS --> WORKLOADS
27
    end
28

29
    subgraph "Staging Cluster"
30
        STAGING_SPIRE[SPIRE Server Staging]
31
        STAGING_AGENTS[SPIRE Agents Staging]
32
        STAGING_WORKLOADS[Staging Workloads]
33

34
        STAGING_SPIRE --> STAGING_AGENTS
35
        STAGING_AGENTS --> STAGING_WORKLOADS
36
    end
37

38
    subgraph "Development Cluster"
39
        DEV_SPIRE[SPIRE Server Dev]
40
        DEV_AGENTS[SPIRE Agents Dev]
41
        DEV_WORKLOADS[Dev Workloads]
42

43
        DEV_SPIRE --> DEV_AGENTS
44
        DEV_AGENTS --> DEV_WORKLOADS
45
    end
46

47
    subgraph "Configuration Sources"
48
        CLUSTER_SPIFFE_IDS[ClusterSPIFFEID CRDs]
49
        FEDERATION_CONFIG[Federation Configs]
50
        HELM_VALUES[Environment Values]
51
        POLICIES[Security Policies]
52
    end
53

54
    MERGE --> GIT_REPO
55
    GIT_REPO --> ARGOCD
56
    GIT_REPO --> FLUX
57
    HELM_REPO --> ARGOCD
58

59
    ARGOCD --> SPIRE_SERVER
60
    ARGOCD --> STAGING_SPIRE
61
    FLUX --> DEV_SPIRE
62

63
    CLUSTER_SPIFFE_IDS --> GIT_REPO
64
    FEDERATION_CONFIG --> GIT_REPO
65
    HELM_VALUES --> GIT_REPO
66
    POLICIES --> GIT_REPO
67

68
    style GIT_REPO fill:#99ff99
69
    style ARGOCD fill:#ffcc99
70
    style MERGE fill:#ff9999

GitOps Benefits for Identity Management#

Declarative Configuration: All identity policies defined as code
Audit Trail: Complete history of identity changes in Git
Automated Rollback: Quick recovery from identity misconfigurations
Environment Consistency: Identical deployments across dev/staging/prod
Compliance: Automated policy enforcement and reporting
Collaboration: Review process for identity changes

Repository Structure and Organization#

Git Repository Layout#

Let’s establish a comprehensive repository structure for SPIFFE/SPIRE GitOps:

1
spiffe-gitops/
2
├── README.md
3
├── .gitignore
4
├── .github/
5
│   └── workflows/
6
│       ├── validate-spiffe-config.yml
7
│       ├── security-scan.yml
8
│       └── deploy-staging.yml
9
├── environments/
10
│   ├── development/
11
│   │   ├── kustomization.yaml
12
│   │   ├── spire-values.yaml
13
│   │   ├── cluster-spiffe-ids/
14
│   │   └── federation/
15
│   ├── staging/
16
│   │   ├── kustomization.yaml
17
│   │   ├── spire-values.yaml
18
│   │   ├── cluster-spiffe-ids/
19
│   │   └── federation/
20
│   └── production/
21
│       ├── kustomization.yaml
22
│       ├── spire-values.yaml
23
│       ├── cluster-spiffe-ids/
24
│       └── federation/
25
├── base/
26
│   ├── spire-server/
27
│   │   ├── kustomization.yaml
28
│   │   ├── namespace.yaml
29
│   │   ├── configmap.yaml
30
│   │   ├── statefulset.yaml
31
│   │   └── service.yaml
32
│   ├── spire-agent/
33
│   │   ├── kustomization.yaml
34
│   │   ├── daemonset.yaml
35
│   │   ├── configmap.yaml
36
│   │   └── rbac.yaml
37
│   └── common/
38
│       ├── crds/
39
│       ├── rbac/
40
│       └── policies/
41
├── charts/
42
│   ├── spire-custom/
43
│   │   ├── Chart.yaml
44
│   │   ├── values.yaml
45
│   │   └── templates/
46
│   └── spiffe-helper/
47
├── applications/
48
│   ├── argocd/
49
│   │   ├── app-of-apps.yaml
50
│   │   ├── spire-dev.yaml
51
│   │   ├── spire-staging.yaml
52
│   │   └── spire-production.yaml
53
│   └── flux/
54
│       ├── clusters/
55
│       ├── sources/
56
│       └── kustomizations/
57
├── policies/
58
│   ├── opa/
59
│   │   ├── spiffe-policies.rego
60
│   │   └── federation-policies.rego
61
│   ├── kustomize/
62
│   └── helm/
63
├── scripts/
64
│   ├── validate-spiffe-ids.sh
65
│   ├── generate-trust-bundle.sh
66
│   └── migration/
67
└── docs/
68
    ├── deployment-guide.md
69
    ├── troubleshooting.md
70
    └── runbooks/

ArgoCD Configuration for SPIFFE/SPIRE#

App-of-Apps Pattern#

1
apiVersion: argoproj.io/v1alpha1
2
kind: Application
3
metadata:
4
  name: spiffe-suite
5
  namespace: argocd
6
  finalizers:
7
    - resources-finalizer.argocd.argoproj.io
8
spec:
9
  project: default
10
  source:
11
    repoURL: https://github.com/company/spiffe-gitops
12
    targetRevision: main
13
    path: applications/argocd
14
  destination:
15
    server: https://kubernetes.default.svc
16
    namespace: argocd
17
  syncPolicy:
18
    automated:
19
      prune: true
20
      selfHeal: true
21
      allowEmpty: false
22
    syncOptions:
23
      - CreateNamespace=true
24
      - PrunePropagationPolicy=foreground
25
      - PruneLast=true
26
    retry:
27
      limit: 5
28
      backoff:
29
        duration: 5s
30
        factor: 2
31
        maxDuration: 3m
32
---
33
# SPIRE Development Environment
34
apiVersion: argoproj.io/v1alpha1
35
kind: Application
36
metadata:
37
  name: spire-development
38
  namespace: argocd
39
spec:
40
  project: spiffe-project
41
  source:
42
    repoURL: https://github.com/company/spiffe-gitops
43
    targetRevision: main
44
    path: environments/development
45
  destination:
46
    server: https://dev-cluster.company.com
47
    namespace: spire-system
48
  syncPolicy:
49
    automated:
50
      prune: true
51
      selfHeal: true
52
    syncOptions:
53
      - CreateNamespace=true
54
      - ServerSideApply=true
55
      - ApplyOutOfSyncOnly=true
56
    managedNamespaceMetadata:
57
      labels:
58
        environment: development
59
        managed-by: argocd
60
        spire-managed: "true"
61
  revisionHistoryLimit: 10
62
  ignoreDifferences:
63
    - group: apps
64
      kind: Deployment
65
      jsonPointers:
66
        - /spec/replicas
67
    - group: ""
68
      kind: ConfigMap
69
      name: spire-server-config
70
      jsonPointers:
71
        - /data/server.conf
72
---
73
# SPIRE Staging Environment
74
apiVersion: argoproj.io/v1alpha1
75
kind: Application
76
metadata:
77
  name: spire-staging
78
  namespace: argocd
79
  annotations:
80
    argocd.argoproj.io/sync-wave: "1"
81
spec:
82
  project: spiffe-project
83
  source:
84
    repoURL: https://github.com/company/spiffe-gitops
85
    targetRevision: main
86
    path: environments/staging
87
  destination:
88
    server: https://staging-cluster.company.com
89
    namespace: spire-system
90
  syncPolicy:
91
    # Manual sync for staging (requires approval)
92
    automated:
93
      prune: false
94
      selfHeal: false
95
    syncOptions:
96
      - CreateNamespace=true
97
      - ServerSideApply=true
98
      - RespectIgnoreDifferences=true
99
      # Require approval for staging changes
100
      - SkipDryRunOnMissingResource=true
101
  revisionHistoryLimit: 20
102
  # Pre-sync hooks for validation
103
  operation:
104
    sync:
105
      preSyncHooks:
106
        - name: validate-staging-config
107
          image: company/spire-validator:v1.0.0
108
          command: ["/bin/sh"]
109
          args:
110
            - -c
111
            - |
112
              echo "Validating SPIRE configuration for staging..."
113
              /opt/spire-validator/validate-config.sh /config/
114
              echo "Validation complete"
115
          volumes:
116
            - name: config
117
              configMap:
118
                name: spire-server-config
119
---
120
# SPIRE Production Environment
121
apiVersion: argoproj.io/v1alpha1
122
kind: Application
123
metadata:
124
  name: spire-production
125
  namespace: argocd
126
  annotations:
127
    argocd.argoproj.io/sync-wave: "2"
128
    notifications.argoproj.io/subscribe.on-sync-failed.slack: spire-alerts
129
    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: spire-deployments
130
spec:
131
  project: spiffe-project
132
  source:
133
    repoURL: https://github.com/company/spiffe-gitops
134
    targetRevision: main
135
    path: environments/production
136
  destination:
137
    server: https://prod-cluster.company.com
138
    namespace: spire-system
139
  syncPolicy:
140
    # Manual sync only for production
141
    automated: {}
142
    syncOptions:
143
      - CreateNamespace=true
144
      - ServerSideApply=true
145
      - PrunePropagationPolicy=background
146
      - Replace=false
147
  # Enhanced validation for production
148
  operation:
149
    sync:
150
      preSyncHooks:
151
        - name: backup-current-config
152
          image: company/spire-backup:v1.0.0
153
          command: ["/scripts/backup-spire-config.sh"]
154
        - name: validate-production-config
155
          image: company/spire-validator:v1.0.0
156
          command: ["/scripts/validate-production.sh"]
157
        - name: security-scan
158
          image: company/security-scanner:v1.0.0
159
          command: ["/scripts/scan-spire-config.sh"]
160
      postSyncHooks:
161
        - name: health-check
162
          image: company/spire-health-checker:v1.0.0
163
          command: ["/scripts/verify-deployment.sh"]
164
        - name: notify-success
165
          image: curlimages/curl:latest
166
          command: ["/bin/sh"]
167
          args:
168
            - -c
169
            - |
170
              curl -X POST https://hooks.slack.com/services/xxx/yyy/zzz \
171
                -H 'Content-type: application/json' \
172
                --data '{"text":"SPIRE production deployment successful"}'
173
  revisionHistoryLimit: 50

ArgoCD Project Configuration#

1
apiVersion: argoproj.io/v1alpha1
2
kind: AppProject
3
metadata:
4
  name: spiffe-project
5
  namespace: argocd
6
spec:
7
  description: "SPIFFE/SPIRE Identity Infrastructure Project"
8

9
  # Source repositories
10
  sourceRepos:
11
    - https://github.com/company/spiffe-gitops
12
    - https://spiffe.github.io/helm-charts-hardened
13

14
  # Destination clusters and namespaces
15
  destinations:
16
    - namespace: spire-system
17
      server: https://dev-cluster.company.com
18
    - namespace: spire-system
19
      server: https://staging-cluster.company.com
20
    - namespace: spire-system
21
      server: https://prod-cluster.company.com
22
    - namespace: "spire-*"
23
      server: "*"
24

25
  # Cluster resource whitelist
26
  clusterResourceWhitelist:
27
    - group: ""
28
      kind: Namespace
29
    - group: "rbac.authorization.k8s.io"
30
      kind: ClusterRole
31
    - group: "rbac.authorization.k8s.io"
32
      kind: ClusterRoleBinding
33
    - group: "apiextensions.k8s.io"
34
      kind: CustomResourceDefinition
35
    - group: "spire.spiffe.io"
36
      kind: ClusterSPIFFEID
37
    - group: "spire.spiffe.io"
38
      kind: ClusterFederatedTrustDomain
39

40
  # Namespace resource whitelist
41
  namespaceResourceWhitelist:
42
    - group: ""
43
      kind: ConfigMap
44
    - group: ""
45
      kind: Secret
46
    - group: ""
47
      kind: Service
48
    - group: ""
49
      kind: ServiceAccount
50
    - group: "apps"
51
      kind: Deployment
52
    - group: "apps"
53
      kind: StatefulSet
54
    - group: "apps"
55
      kind: DaemonSet
56
    - group: "monitoring.coreos.com"
57
      kind: ServiceMonitor
58
    - group: "networking.k8s.io"
59
      kind: NetworkPolicy
60

61
  # RBAC policies
62
  roles:
63
    - name: spire-admin
64
      description: "Full access to SPIRE resources"
65
      policies:
66
        - p, proj:spiffe-project:spire-admin, applications, *, spiffe-project/*, allow
67
        - p, proj:spiffe-project:spire-admin, repositories, *, *, allow
68
        - p, proj:spiffe-project:spire-admin, certificates, *, *, allow
69
      groups:
70
        - company:spire-administrators
71

72
    - name: spire-operator
73
      description: "Operational access to SPIRE resources"
74
      policies:
75
        - p, proj:spiffe-project:spire-operator, applications, get, spiffe-project/*, allow
76
        - p, proj:spiffe-project:spire-operator, applications, sync, spiffe-project/spire-development, allow
77
        - p, proj:spiffe-project:spire-operator, applications, sync, spiffe-project/spire-staging, allow
78
      groups:
79
        - company:platform-engineers
80

81
    - name: spire-viewer
82
      description: "Read-only access to SPIRE resources"
83
      policies:
84
        - p, proj:spiffe-project:spire-viewer, applications, get, spiffe-project/*, allow
85
        - p, proj:spiffe-project:spire-viewer, repositories, get, *, allow
86
      groups:
87
        - company:developers
88

89
  # Sync windows for production deployments
90
  syncWindows:
91
    - kind: allow
92
      schedule: "0 2 * * 1-5" # Weekdays 2 AM
93
      duration: 2h
94
      applications:
95
        - spire-production
96
      manualSync: true
97

98
    - kind: deny
99
      schedule: "0 16 * * 5" # Friday 4 PM
100
      duration: 64h # Block weekend deployments
101
      applications:
102
        - spire-production

Flux Configuration for SPIFFE/SPIRE#

Flux Sources and Kustomizations#

1
apiVersion: source.toolkit.fluxcd.io/v1beta1
2
kind: GitRepository
3
metadata:
4
  name: spiffe-gitops
5
  namespace: flux-system
6
spec:
7
  interval: 1m
8
  url: https://github.com/company/spiffe-gitops
9
  ref:
10
    branch: main
11
  secretRef:
12
    name: flux-system
13
  verify:
14
    mode: head
15
    secretRef:
16
      name: flux-gpg-keys
17
---
18
# Helm repository for SPIRE charts
19
apiVersion: source.toolkit.fluxcd.io/v1beta1
20
kind: HelmRepository
21
metadata:
22
  name: spiffe-helm
23
  namespace: flux-system
24
spec:
25
  interval: 10m
26
  url: https://spiffe.github.io/helm-charts-hardened
27
---
28
# OCI repository for custom charts
29
apiVersion: source.toolkit.fluxcd.io/v1beta1
30
kind: OCIRepository
31
metadata:
32
  name: spiffe-oci
33
  namespace: flux-system
34
spec:
35
  interval: 5m
36
  url: oci://registry.company.com/spiffe-charts
37
  ref:
38
    tag: latest
39
  secretRef:
40
    name: oci-registry-auth
41
---
42
# Development environment kustomization
43
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
44
kind: Kustomization
45
metadata:
46
  name: spire-development
47
  namespace: flux-system
48
spec:
49
  interval: 2m
50
  sourceRef:
51
    kind: GitRepository
52
    name: spiffe-gitops
53
  path: "./environments/development"
54
  prune: true
55
  validation: client
56
  healthChecks:
57
    - apiVersion: apps/v1
58
      kind: StatefulSet
59
      name: spire-server
60
      namespace: spire-system
61
    - apiVersion: apps/v1
62
      kind: DaemonSet
63
      name: spire-agent
64
      namespace: spire-system
65
  timeout: 10m
66
  postBuild:
67
    substitute:
68
      CLUSTER_NAME: "development"
69
      TRUST_DOMAIN: "dev.company.com"
70
      ENVIRONMENT: "development"
71
    substituteFrom:
72
      - kind: ConfigMap
73
        name: cluster-config
74
        optional: true
75
      - kind: Secret
76
        name: spire-secrets
77
        optional: false
78
---
79
# Staging environment with dependency on development
80
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
81
kind: Kustomization
82
metadata:
83
  name: spire-staging
84
  namespace: flux-system
85
spec:
86
  interval: 5m
87
  sourceRef:
88
    kind: GitRepository
89
    name: spiffe-gitops
90
  path: "./environments/staging"
91
  prune: true
92
  validation: server
93
  dependsOn:
94
    - name: spire-development
95
    - name: spire-crds
96
  healthChecks:
97
    - apiVersion: apps/v1
98
      kind: StatefulSet
99
      name: spire-server
100
      namespace: spire-system
101
    - apiVersion: apps/v1
102
      kind: DaemonSet
103
      name: spire-agent
104
      namespace: spire-system
105
  timeout: 15m
106
  postBuild:
107
    substitute:
108
      CLUSTER_NAME: "staging"
109
      TRUST_DOMAIN: "staging.company.com"
110
      ENVIRONMENT: "staging"
111
  # Notification for staging deployments
112
  webhooks:
113
    - name: staging-webhook
114
      url: https://hooks.slack.com/services/xxx/yyy/zzz
115
      headers:
116
        Content-Type: application/json
117
      template: |
118
        {
119
          "text": "SPIRE staging deployment {{ .Status }}: {{ .Revision }}"
120
        }
121
---
122
# Production environment with strict controls
123
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
124
kind: Kustomization
125
metadata:
126
  name: spire-production
127
  namespace: flux-system
128
spec:
129
  interval: 10m
130
  sourceRef:
131
    kind: GitRepository
132
    name: spiffe-gitops
133
  path: "./environments/production"
134
  prune: false # Manual pruning for production
135
  validation: server
136
  dependsOn:
137
    - name: spire-staging
138
    - name: spire-crds
139
    - name: production-prerequisites
140
  healthChecks:
141
    - apiVersion: apps/v1
142
      kind: StatefulSet
143
      name: spire-server
144
      namespace: spire-system
145
    - apiVersion: apps/v1
146
      kind: DaemonSet
147
      name: spire-agent
148
      namespace: spire-system
149
    - apiVersion: spire.spiffe.io/v1alpha1
150
      kind: ClusterSPIFFEID
151
      name: production-workloads
152
      namespace: spire-system
153
  timeout: 30m
154
  # Manual approval required for production
155
  suspend: true
156
  postBuild:
157
    substitute:
158
      CLUSTER_NAME: "production"
159
      TRUST_DOMAIN: "prod.company.com"
160
      ENVIRONMENT: "production"
161
      SECURITY_LEVEL: "high"
162
    substituteFrom:
163
      - kind: Secret
164
        name: production-secrets
165
---
166
# CRDs must be applied first
167
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
168
kind: Kustomization
169
metadata:
170
  name: spire-crds
171
  namespace: flux-system
172
spec:
173
  interval: 24h
174
  sourceRef:
175
    kind: GitRepository
176
    name: spiffe-gitops
177
  path: "./base/common/crds"
178
  prune: false # Never prune CRDs automatically
179
  validation: client
180
  timeout: 5m

Environment-Specific Configurations#

Development Environment#

1
apiVersion: kustomize.config.k8s.io/v1beta1
2
kind: Kustomization
3

4
resources:
5
  - ../../base/spire-server
6
  - ../../base/spire-agent
7
  - ../../base/common/rbac
8
  - cluster-spiffe-ids
9
  - namespace.yaml
10

11
# Development-specific patches
12
patchesStrategicMerge:
13
  - spire-server-dev-patch.yaml
14
  - spire-agent-dev-patch.yaml
15

16
# Development-specific images
17
images:
18
  - name: ghcr.io/spiffe/spire-server
19
    newTag: 1.8.2
20
  - name: ghcr.io/spiffe/spire-agent
21
    newTag: 1.8.2
22

23
# Development-specific config
24
configMapGenerator:
25
  - name: spire-server-config
26
    files:
27
      - server.conf=configs/server-dev.conf
28
    options:
29
      disableNameSuffixHash: true
30

31
  - name: cluster-config
32
    literals:
33
      - CLUSTER_NAME=development
34
      - TRUST_DOMAIN=dev.company.com
35
      - ENVIRONMENT=development
36
      - LOG_LEVEL=DEBUG
37
      - ENABLE_FEDERATION=false
38

39
secretGenerator:
40
  - name: spire-secrets
41
    files:
42
      - ca.crt=secrets/dev-ca.crt
43
      - ca.key=secrets/dev-ca.key
44
    options:
45
      disableNameSuffixHash: true
46

47
# Development namespace configuration
48
namespace: spire-system
49

50
# Labels for all resources
51
commonLabels:
52
  environment: development
53
  managed-by: flux
54
  app.kubernetes.io/part-of: spire
55

56
# Annotations for all resources
57
commonAnnotations:
58
  config.kubernetes.io/origin: |
59
    configuredIn: environments/development/kustomization.yaml
60
    configuredBy:
61
      apiVersion: kustomize.config.k8s.io/v1beta1
62
      kind: Kustomization

1
apiVersion: apps/v1
2
kind: StatefulSet
3
metadata:
4
  name: spire-server
5
spec:
6
  replicas: 1 # Single replica for development
7
  template:
8
    spec:
9
      containers:
10
        - name: spire-server
11
          env:
12
            - name: LOG_LEVEL
13
              value: "DEBUG"
14
            - name: ENABLE_PROFILING
15
              value: "true"
16
          resources:
17
            requests:
18
              memory: "256Mi"
19
              cpu: "100m"
20
            limits:
21
              memory: "1Gi"
22
              cpu: "500m"
23
          # Development-specific health check
24
          livenessProbe:
25
            initialDelaySeconds: 15
26
            periodSeconds: 30
27
          readinessProbe:
28
            initialDelaySeconds: 10
29
            periodSeconds: 15

Staging Environment#

1
apiVersion: kustomize.config.k8s.io/v1beta1
2
kind: Kustomization
3

4
resources:
5
  - ../../base/spire-server
6
  - ../../base/spire-agent
7
  - ../../base/common/rbac
8
  - ../../base/common/policies
9
  - cluster-spiffe-ids
10
  - federation
11
  - monitoring.yaml
12
  - namespace.yaml
13

14
# Staging-specific patches
15
patchesStrategicMerge:
16
  - spire-server-staging-patch.yaml
17
  - spire-agent-staging-patch.yaml
18

19
# JSON patches for fine-grained control
20
patchesJson6902:
21
  - target:
22
      group: apps
23
      version: v1
24
      kind: StatefulSet
25
      name: spire-server
26
    patch: |-
27
      - op: replace
28
        path: /spec/replicas
29
        value: 2
30
      - op: add
31
        path: /spec/template/spec/containers/0/env/-
32
        value:
33
          name: FEDERATION_ENABLED
34
          value: "true"
35

36
images:
37
  - name: ghcr.io/spiffe/spire-server
38
    newTag: 1.8.2
39
  - name: ghcr.io/spiffe/spire-agent
40
    newTag: 1.8.2
41

42
configMapGenerator:
43
  - name: spire-server-config
44
    files:
45
      - server.conf=configs/server-staging.conf
46
    options:
47
      disableNameSuffixHash: true
48

49
  - name: cluster-config
50
    literals:
51
      - CLUSTER_NAME=staging
52
      - TRUST_DOMAIN=staging.company.com
53
      - ENVIRONMENT=staging
54
      - LOG_LEVEL=INFO
55
      - ENABLE_FEDERATION=true
56
      - FEDERATION_ENDPOINT=https://spire-bundle.staging.company.com:8443
57

58
namespace: spire-system
59

60
commonLabels:
61
  environment: staging
62
  managed-by: flux
63
  app.kubernetes.io/part-of: spire
64

65
# Staging-specific annotations
66
commonAnnotations:
67
  config.kubernetes.io/origin: |
68
    configuredIn: environments/staging/kustomization.yaml
69
  notifications.flux.weave.works/webhook: staging-webhook

Production Environment#

1
apiVersion: kustomize.config.k8s.io/v1beta1
2
kind: Kustomization
3

4
resources:
5
  - ../../base/spire-server
6
  - ../../base/spire-agent
7
  - ../../base/common/rbac
8
  - ../../base/common/policies
9
  - cluster-spiffe-ids
10
  - federation
11
  - monitoring.yaml
12
  - security-policies.yaml
13
  - network-policies.yaml
14
  - backup-config.yaml
15
  - namespace.yaml
16

17
# Production-specific patches
18
patchesStrategicMerge:
19
  - spire-server-prod-patch.yaml
20
  - spire-agent-prod-patch.yaml
21

22
# Production hardening patches
23
patchesJson6902:
24
  - target:
25
      group: apps
26
      version: v1
27
      kind: StatefulSet
28
      name: spire-server
29
    patch: |-
30
      - op: replace
31
        path: /spec/replicas
32
        value: 3
33
      - op: add
34
        path: /spec/template/spec/securityContext
35
        value:
36
          runAsNonRoot: true
37
          runAsUser: 1000
38
          fsGroup: 1000
39
          seccompProfile:
40
            type: RuntimeDefault
41
      - op: add
42
        path: /spec/template/spec/containers/0/securityContext
43
        value:
44
          allowPrivilegeEscalation: false
45
          readOnlyRootFilesystem: true
46
          capabilities:
47
            drop:
48
            - ALL
49

50
images:
51
  - name: ghcr.io/spiffe/spire-server
52
    newTag: 1.8.2
53
    digest: sha256:abcd1234... # Pin to specific digest for production
54
  - name: ghcr.io/spiffe/spire-agent
55
    newTag: 1.8.2
56
    digest: sha256:efgh5678...
57

58
configMapGenerator:
59
  - name: spire-server-config
60
    files:
61
      - server.conf=configs/server-prod.conf
62
    options:
63
      disableNameSuffixHash: true
64

65
  - name: cluster-config
66
    literals:
67
      - CLUSTER_NAME=production
68
      - TRUST_DOMAIN=prod.company.com
69
      - ENVIRONMENT=production
70
      - LOG_LEVEL=WARN
71
      - ENABLE_FEDERATION=true
72
      - ENABLE_AUDIT_LOGGING=true
73
      - FEDERATION_ENDPOINT=https://spire-bundle.prod.company.com:8443
74

75
namespace: spire-system
76

77
commonLabels:
78
  environment: production
79
  managed-by: flux
80
  app.kubernetes.io/part-of: spire
81
  security.policy/enforce: strict
82

83
commonAnnotations:
84
  config.kubernetes.io/origin: |
85
    configuredIn: environments/production/kustomization.yaml
86
  security.policy/version: "v1.0.0"
87
  backup.policy/enabled: "true"

Workload Identity Management as Code#

ClusterSPIFFEID Templates#

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: web-services
5
  labels:
6
    environment: production
7
    service-tier: web
8
    managed-by: gitops
9
spec:
10
  # Dynamic SPIFFE ID generation
11
  spiffeIDTemplate: |
12
    {{- $env := .PodMeta.Labels.environment | default "unknown" -}}
13
    {{- $service := required "service label required" .PodMeta.Labels.service -}}
14
    {{- $version := .PodMeta.Labels.version | default "v1" -}}
15
    spiffe://{{ .TrustDomain }}/{{ $env }}/web/{{ $service }}/{{ $version }}
16

17
  # Production web service selector
18
  podSelector:
19
    matchLabels:
20
      tier: web
21
      environment: production
22
    matchExpressions:
23
      - key: service
24
        operator: Exists
25
      - key: security-scan
26
        operator: In
27
        values: ["passed", "approved"]
28

29
  namespaceSelector:
30
    matchLabels:
31
      environment: production
32
      tier: web
33
    matchExpressions:
34
      - key: name
35
        operator: NotIn
36
        values: ["kube-system", "kube-public"]
37

38
  workloadSelectorTemplates:
39
    - "k8s:ns:{{ .PodMeta.Namespace }}"
40
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
41
    - "k8s:service:{{ .PodMeta.Labels.service }}"
42
    - "k8s:version:{{ .PodMeta.Labels.version }}"
43
    - "k8s:deployment:{{ .PodMeta.OwnerReferences[0].Name }}"
44

45
  dnsNameTemplates:
46
    - "{{ .PodMeta.Labels.service }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
47
    - "{{ .PodMeta.Labels.service }}.prod.company.com"
48

49
  # Production settings
50
  ttl: 3600
51
  jwtSvidTTL: 300
52

53
  # Federation for cross-cluster communication
54
  federatesWith:
55
    - "staging.company.com"
56
    - "partner.trusted-vendor.com"
57
---
58
# Database services with enhanced security
59
apiVersion: spire.spiffe.io/v1alpha1
60
kind: ClusterSPIFFEID
61
metadata:
62
  name: database-services
63
  labels:
64
    environment: production
65
    service-tier: data
66
    security-level: high
67
spec:
68
  spiffeIDTemplate: |
69
    {{- $db := required "database label required" .PodMeta.Labels.database -}}
70
    {{- $role := .PodMeta.Labels.role | default "replica" -}}
71
    spiffe://{{ .TrustDomain }}/data/{{ $db }}/{{ $role }}
72

73
  podSelector:
74
    matchLabels:
75
      tier: data
76
      environment: production
77
    matchExpressions:
78
      - key: database
79
        operator: Exists
80
      - key: backup-enabled
81
        operator: In
82
        values: ["true"]
83

84
  namespaceSelector:
85
    matchLabels:
86
      environment: production
87
      tier: data
88

89
  workloadSelectorTemplates:
90
    - "k8s:ns:{{ .PodMeta.Namespace }}"
91
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
92
    - "k8s:database:{{ .PodMeta.Labels.database }}"
93
    - "k8s:role:{{ .PodMeta.Labels.role }}"
94
    - "k8s:statefulset:{{ .PodMeta.OwnerReferences[0].Name }}"
95

96
  # Longer TTL for stable database connections
97
  ttl: 7200
98

99
  # Admin access for primary database instances
100
  admin: |
101
    {{- if eq (.PodMeta.Labels.role | default "replica") "primary" -}}
102
    true
103
    {{- else -}}
104
    false
105
    {{- end -}}
106

107
  # No federation for database services (internal only)
108
  federatesWith: []
109
---
110
# API Gateway services
111
apiVersion: spire.spiffe.io/v1alpha1
112
kind: ClusterSPIFFEID
113
metadata:
114
  name: api-gateway-services
115
  labels:
116
    environment: production
117
    service-tier: gateway
118
spec:
119
  spiffeIDTemplate: |
120
    {{- $gateway := .PodMeta.Labels.gateway-type | default "api" -}}
121
    {{- $region := .PodMeta.Labels.region | default "us-east-1" -}}
122
    spiffe://{{ .TrustDomain }}/gateway/{{ $gateway }}/{{ $region }}
123

124
  podSelector:
125
    matchLabels:
126
      tier: gateway
127
      environment: production
128

129
  workloadSelectorTemplates:
130
    - "k8s:ns:{{ .PodMeta.Namespace }}"
131
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
132
    - "k8s:gateway-type:{{ .PodMeta.Labels.gateway-type }}"
133
    - "k8s:region:{{ .PodMeta.Labels.region }}"
134

135
  dnsNameTemplates:
136
    - "*.api.prod.company.com"
137
    - "gateway.{{ .PodMeta.Namespace }}.svc.cluster.local"
138

139
  ttl: 3600
140

141
  # Gateway can communicate with all federated domains
142
  federatesWith:
143
    - "staging.company.com"
144
    - "partner.trusted-vendor.com"
145
    - "aws.company.com"
146
    - "gcp.company.com"

CI/CD Pipeline Integration#

GitHub Actions Workflow#

1
name: Validate SPIFFE Configuration
2
on:
3
  pull_request:
4
    paths:
5
      - "environments/**"
6
      - "base/**"
7
      - "charts/**"
8
  push:
9
    branches:
10
      - main
11

12
jobs:
13
  validate-syntax:
14
    runs-on: ubuntu-latest
15
    steps:
16
      - uses: actions/checkout@v4
17

18
      - name: Setup tools
19
        run: |
20
          # Install kubectl
21
          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
22
          chmod +x kubectl && sudo mv kubectl /usr/local/bin/
23

24
          # Install kustomize
25
          curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
26
          sudo mv kustomize /usr/local/bin/
27

28
          # Install SPIRE CLI for validation
29
          curl -L https://github.com/spiffe/spire/releases/download/v1.8.2/spire-1.8.2-linux-x86_64-glibc.tar.gz | tar xz
30
          sudo mv spire-1.8.2/bin/* /usr/local/bin/
31

32
          # Install OPA for policy validation
33
          curl -L -o opa https://openpolicyagent.org/downloads/v0.57.0/opa_linux_amd64_static
34
          chmod +x opa && sudo mv opa /usr/local/bin/
35

36
      - name: Validate Kubernetes manifests
37
        run: |
38
          echo "Validating Kubernetes syntax..."
39
          for env in development staging production; do
40
            echo "Validating $env environment..."
41
            kustomize build environments/$env > /tmp/$env-manifests.yaml
42
            kubectl apply --dry-run=client -f /tmp/$env-manifests.yaml
43
          done
44

45
      - name: Validate SPIFFE ID templates
46
        run: |
47
          echo "Validating SPIFFE ID templates..."
48
          ./scripts/validate-spiffe-ids.sh
49

50
      - name: Validate security policies
51
        run: |
52
          echo "Validating OPA policies..."
53
          for policy in policies/opa/*.rego; do
54
            opa fmt --diff $policy
55
            opa test $policy
56
          done
57

58
      - name: Check for secrets in manifests
59
        run: |
60
          echo "Scanning for secrets..."
61
          if grep -r "password\|secret\|key" environments/ --include="*.yaml" | grep -v "secretRef\|secretName"; then
62
            echo "ERROR: Found potential secrets in manifests"
63
            exit 1
64
          fi
65

66
      - name: Validate Helm charts
67
        run: |
68
          echo "Validating Helm charts..."
69
          for chart in charts/*/; do
70
            helm lint $chart
71
            helm template test $chart --dry-run
72
          done
73

74
  security-scan:
75
    runs-on: ubuntu-latest
76
    steps:
77
      - uses: actions/checkout@v4
78

79
      - name: Run Checkov security scan
80
        uses: bridgecrewio/checkov-action@master
81
        with:
82
          directory: .
83
          framework: kubernetes
84
          output_format: sarif
85
          output_file_path: results.sarif
86

87
      - name: Upload scan results
88
        uses: github/codeql-action/upload-sarif@v2
89
        with:
90
          sarif_file: results.sarif
91

92
  test-deployment:
93
    runs-on: ubuntu-latest
94
    needs: [validate-syntax, security-scan]
95
    steps:
96
      - uses: actions/checkout@v4
97

98
      - name: Setup kind cluster
99
        uses: helm/kind-action@v1.8.0
100
        with:
101
          cluster_name: spire-test
102

103
      - name: Deploy SPIRE to test cluster
104
        run: |
105
          # Install SPIRE CRDs
106
          kubectl apply -f base/common/crds/
107

108
          # Deploy development configuration
109
          kustomize build environments/development | kubectl apply -f -
110

111
          # Wait for deployment
112
          kubectl wait --for=condition=ready pod -l app=spire-server -n spire-system --timeout=300s
113
          kubectl wait --for=condition=ready pod -l app=spire-agent -n spire-system --timeout=300s
114

115
      - name: Run integration tests
116
        run: |
117
          ./scripts/integration-tests.sh

Validation Scripts#

1
#!/bin/bash
2
set -e
3

4
echo "Validating SPIFFE ID templates..."
5

6
# Find all ClusterSPIFFEID resources
7
find environments/ -name "*.yaml" -exec grep -l "kind: ClusterSPIFFEID" {} \; | while read -r file; do
8
    echo "Validating $file..."
9

10
    # Extract SPIFFE ID templates
11
    yq eval '.spec.spiffeIDTemplate // empty' "$file" | while IFS= read -r template; do
12
        if [[ -n "$template" ]]; then
13
            # Validate template syntax
14
            if ! echo "$template" | grep -q "spiffe://"; then
15
                echo "ERROR: Invalid SPIFFE ID template in $file: $template"
16
                exit 1
17
            fi
18

19
            # Check for required trust domain placeholder
20
            if ! echo "$template" | grep -q "{{ .TrustDomain }}"; then
21
                echo "ERROR: SPIFFE ID template missing TrustDomain placeholder in $file"
22
                exit 1
23
            fi
24

25
            # Validate Go template syntax
26
            if ! echo "$template" | go-template-validator; then
27
                echo "ERROR: Invalid Go template syntax in $file: $template"
28
                exit 1
29
            fi
30

31
            echo "✓ Valid SPIFFE ID template: $template"
32
        fi
33
    done
34
done
35

36
echo "✓ All SPIFFE ID templates are valid"
37

38
# Validate workload selectors
39
echo "Validating workload selectors..."
40

41
find environments/ -name "*.yaml" -exec grep -l "workloadSelectorTemplates" {} \; | while read -r file; do
42
    echo "Validating selectors in $file..."
43

44
    yq eval '.spec.workloadSelectorTemplates[]? // empty' "$file" | while IFS= read -r selector; do
45
        if [[ -n "$selector" ]]; then
46
            # Validate selector format
47
            if ! echo "$selector" | grep -q "k8s:"; then
48
                echo "ERROR: Invalid workload selector format in $file: $selector"
49
                exit 1
50
            fi
51

52
            echo "✓ Valid workload selector: $selector"
53
        fi
54
    done
55
done
56

57
echo "✓ All workload selectors are valid"

Policy as Code with OPA#

SPIFFE Policy Framework#

1
package spiffe.policies
2

3
import future.keywords.contains
4
import future.keywords.if
5

6
# Default deny all SPIFFE ID creation
7
default allow_spiffeid_creation = false
8

9
# Allow SPIFFE ID creation for valid requests
10
allow_spiffeid_creation {
11
    input.kind == "ClusterSPIFFEID"
12
    valid_spiffe_id_format
13
    valid_trust_domain
14
    valid_selectors
15
    environment_specific_rules
16
}
17

18
# Validate SPIFFE ID format
19
valid_spiffe_id_format {
20
    spiffe_id := input.spec.spiffeIDTemplate
21
    startswith(spiffe_id, "spiffe://")
22
    contains(spiffe_id, "{{ .TrustDomain }}")
23
}
24

25
# Validate trust domain
26
valid_trust_domain {
27
    spiffe_id := input.spec.spiffeIDTemplate
28

29
    # Extract trust domain pattern
30
    trust_domain_pattern := regex.split(`\{\{\s*\.TrustDomain\s*\}\}`, spiffe_id)[1]
31

32
    # Validate against allowed patterns
33
    allowed_trust_domain_patterns[trust_domain_pattern]
34
}
35

36
allowed_trust_domain_patterns := {
37
    "/prod/",
38
    "/staging/",
39
    "/dev/",
40
    "/test/"
41
}
42

43
# Validate workload selectors
44
valid_selectors {
45
    selectors := input.spec.workloadSelectorTemplates
46

47
    # Must have namespace selector
48
    namespace_selector_present(selectors)
49

50
    # Must have service account selector
51
    service_account_selector_present(selectors)
52

53
    # No prohibited selectors
54
    no_prohibited_selectors(selectors)
55
}
56

57
namespace_selector_present(selectors) {
58
    some selector in selectors
59
    startswith(selector, "k8s:ns:")
60
}
61

62
service_account_selector_present(selectors) {
63
    some selector in selectors
64
    startswith(selector, "k8s:sa:")
65
}
66

67
no_prohibited_selectors(selectors) {
68
    prohibited := {"k8s:node-name:", "k8s:pod-uid:"}
69
    not any_prohibited_selector(selectors, prohibited)
70
}
71

72
any_prohibited_selector(selectors, prohibited) {
73
    some selector in selectors
74
    some prohibited_prefix in prohibited
75
    startswith(selector, prohibited_prefix)
76
}
77

78
# Environment-specific rules
79
environment_specific_rules {
80
    input.metadata.labels.environment == "production"
81
    production_rules
82
}
83

84
environment_specific_rules {
85
    input.metadata.labels.environment == "staging"
86
    staging_rules
87
}
88

89
environment_specific_rules {
90
    input.metadata.labels.environment == "development"
91
    development_rules
92
}
93

94
# Production environment rules
95
production_rules {
96
    # Must have security scan passed
97
    input.metadata.labels["security-scan"] == "passed"
98

99
    # TTL must not exceed 24 hours
100
    input.spec.ttl <= 86400
101

102
    # Must specify admin flag explicitly
103
    "admin" in object.keys(input.spec)
104

105
    # Federation must be explicitly controlled
106
    federation_controlled
107
}
108

109
federation_controlled {
110
    federates_with := input.spec.federatesWith
111
    allowed_federation_domains := {
112
        "staging.company.com",
113
        "partner.trusted-vendor.com"
114
    }
115

116
    # All federation domains must be in allowed list
117
    every domain in federates_with {
118
        domain in allowed_federation_domains
119
    }
120
}
121

122
# Staging environment rules
123
staging_rules {
124
    # TTL must not exceed 12 hours
125
    input.spec.ttl <= 43200
126

127
    # No admin privileges in staging
128
    not input.spec.admin
129
}
130

131
# Development environment rules
132
development_rules {
133
    # TTL must not exceed 4 hours
134
    input.spec.ttl <= 14400
135

136
    # No federation in development
137
    count(input.spec.federatesWith) == 0
138

139
    # No admin privileges in development
140
    not input.spec.admin
141
}
142

143
# Validate federation policies
144
default allow_federation = false
145

146
allow_federation {
147
    input.kind == "ClusterFederatedTrustDomain"
148
    valid_federation_domain
149
    valid_bundle_endpoint
150
    environment_allows_federation
151
}
152

153
valid_federation_domain {
154
    domain := input.spec.trustDomain
155

156
    # Must be in allowed domains list
157
    allowed_federation_domains[domain]
158
}
159

160
allowed_federation_domains := {
161
    "staging.company.com",
162
    "partner.trusted-vendor.com",
163
    "aws.company.com",
164
    "gcp.company.com"
165
}
166

167
valid_bundle_endpoint {
168
    endpoint := input.spec.bundleEndpointURL
169

170
    # Must use HTTPS
171
    startswith(endpoint, "https://")
172

173
    # Must use standard port
174
    contains(endpoint, ":8443")
175
}
176

177
environment_allows_federation {
178
    input.metadata.labels.environment == "production"
179
}
180

181
environment_allows_federation {
182
    input.metadata.labels.environment == "staging"
183
}

Monitoring and Alerting for GitOps#

GitOps Monitoring Dashboard#

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: spire-gitops-dashboard
5
  namespace: monitoring
6
data:
7
  dashboard.json: |
8
    {
9
      "dashboard": {
10
        "title": "SPIRE GitOps Operations",
11
        "panels": [
12
          {
13
            "title": "ArgoCD Application Health",
14
            "type": "stat",
15
            "targets": [
16
              {
17
                "expr": "sum(argocd_app_health_status{project=\"spiffe-project\"}) by (health_status)",
18
                "legendFormat": "{{ health_status }}"
19
              }
20
            ]
21
          },
22
          {
23
            "title": "Deployment Frequency",
24
            "type": "graph",
25
            "targets": [
26
              {
27
                "expr": "increase(argocd_app_sync_total{project=\"spiffe-project\"}[1h])",
28
                "legendFormat": "{{ name }}"
29
              }
30
            ]
31
          },
32
          {
33
            "title": "Configuration Drift",
34
            "type": "table",
35
            "targets": [
36
              {
37
                "expr": "argocd_app_sync_status{project=\"spiffe-project\"} != 1",
38
                "legendFormat": "{{ name }}"
39
              }
40
            ]
41
          },
42
          {
43
            "title": "ClusterSPIFFEID Resources",
44
            "type": "stat",
45
            "targets": [
46
              {
47
                "expr": "count(kube_customresource{customresource_kind=\"ClusterSPIFFEID\"})"
48
              }
49
            ]
50
          }
51
        ]
52
      }
53
    }
54
---
55
# AlertManager rules for GitOps
56
apiVersion: monitoring.coreos.com/v1
57
kind: PrometheusRule
58
metadata:
59
  name: spire-gitops-alerts
60
  namespace: monitoring
61
spec:
62
  groups:
63
    - name: spire.gitops
64
      rules:
65
        - alert: SPIREGitOpsApplicationOutOfSync
66
          expr: |
67
            argocd_app_sync_status{project="spiffe-project"} != 1
68
          for: 10m
69
          labels:
70
            severity: warning
71
          annotations:
72
            summary: "SPIRE application out of sync"
73
            description: "ArgoCD application {{ $labels.name }} has been out of sync for more than 10 minutes"
74

75
        - alert: SPIREGitOpsApplicationUnhealthy
76
          expr: |
77
            argocd_app_health_status{project="spiffe-project",health_status!="Healthy"} == 1
78
          for: 5m
79
          labels:
80
            severity: critical
81
          annotations:
82
            summary: "SPIRE application unhealthy"
83
            description: "ArgoCD application {{ $labels.name }} is in {{ $labels.health_status }} state"
84

85
        - alert: SPIREGitOpsSyncFailure
86
          expr: |
87
            increase(argocd_app_sync_total{project="spiffe-project",phase="Failed"}[5m]) > 0
88
          for: 2m
89
          labels:
90
            severity: critical
91
          annotations:
92
            summary: "SPIRE GitOps sync failure"
93
            description: "ArgoCD application {{ $labels.name }} sync failed"
94

95
        - alert: SPIREConfigurationDrift
96
          expr: |
97
            time() - argocd_app_sync_timestamp{project="spiffe-project"} > 7200
98
          for: 1h
99
          labels:
100
            severity: warning
101
          annotations:
102
            summary: "SPIRE configuration drift detected"
103
            description: "SPIRE application {{ $labels.name }} hasn't synced in over 2 hours"

Conclusion#

Implementing GitOps for SPIFFE/SPIRE transforms identity management from manual operations to a scalable, auditable, and automated system. This approach provides:

✅ Declarative Identity Configuration: All identity policies defined as code in Git
✅ Environment Consistency: Identical processes across development, staging, and production
✅ Automated Compliance: Policy enforcement through code reviews and automated validation
✅ Complete Audit Trail: Every identity change tracked in Git history
✅ Disaster Recovery: Quick restoration from Git state
✅ Collaborative Security: Team-based review process for identity changes

The patterns and examples in this guide establish a foundation for enterprise-grade identity operations that can scale from small teams to large organizations while maintaining security, compliance, and operational excellence.

In our final post of this series, we’ll explore edge computing scenarios with SPIFFE/SPIRE, showing how to extend zero-trust identity to IoT devices and edge locations.

Additional Resources#

Ready to implement GitOps for your SPIFFE/SPIRE infrastructure? The GitOps community provides extensive guidance for implementing infrastructure-as-code practices at scale.