SPIRE now works on Windows!

At its heart, the SPIRE project aims to solve the problem of securely issuing workload identities at scale, regardless of where the workload is running. It does this with a scalable, plug-in based architecture that lets SPIRE grow to meet the needs of different platforms, cloud providers, and so on. Until now, SPIRE could only be deployed on Linux platforms. That is now a thing of the past with the new beta Windows support in SPIRE 1.3.0!

What type of support is provided?

Over the years, SPIRE, a production-ready implementation of the SPIFFE standards, has gained a high degree of maturity on Linux platforms. We have learned a lot about how to deploy, run, and integrate SPIRE in a variety of Linux environments.

Windows support is being introduced gradually as an experimental feature. We anticipate that, as our operational experience with Windows evolves, changes that affect the user experience or functionality will need to be introduced. We will work hard to fill in the gaps and stabilize Windows support over the next several SPIRE releases.

Version 1.3.0 adds support for running both SPIRE Server and SPIRE Agent on Windows. Existing plug-ins have been adapted to run under Windows where possible. In addition, a new Windows workload attestor (similar to the existing Unix workload attestor) has been added to provide Windows-specific selectors for Windows workloads.

What is the difference?

One of the guiding principles of the SPIRE project is to strive for ease of use and intuitive configuration. With that in mind, running SPIRE on Windows is a lot like running it on Linux. Configuration differences are limited to areas where platform-specific features are used (e.g. Unix domain sockets versus named pipes).

The work ahead of us

Supporting SPIRE on an additional operating system is not an easy task. As we have indicated, SPIRE has been growing in maturity and stability on Linux platforms over several years. We know we will need to work across many releases to reach a level of feature parity with what we have today on Linux platforms. We have a lot of work ahead of us in multiple dimensions:

  • The SPIFFE Workload Endpoint standard does not yet support exposing the Workload API as a named pipe endpoint. We will work closely with the SPIFFE specification SIG to update the specification and standardize the way SPIFFE implementers (such as SPIRE) can use named pipes to serve and consume the Workload API.
  • The K8s workload attestor plug-in is not yet supported on Windows, because of differences in the support for key K8s features that we rely on to attest K8s-based workloads. We are actively looking for alternative ways to attest Windows workloads running in K8s.
  • While the go-spiffe library has been updated to support using named pipes with the Workload API, the other language libraries have not. This is partly because the C/C++ gRPC library has no support for a named pipe transport. We have work to do to provide this support, which may include collaborating with others in the ecosystem to develop and upstream the needed changes to libraries like gRPC.

We want to hear from you

Although Windows support is very new, we have collaborated with interested community members to design and validate the existing set of features. SPIRE is already running in test environments, with plans to deploy to thousands of Windows hosts. This early adoption has been, and will continue to be, an integral part of stabilizing our Windows support. We are very eager to learn from the community and early adopters how we can better provide secure service identity for workloads that run in Windows environments.

If you have requests or anything to say about this new support, we want to hear it! Please feel free to open an issue in the GitHub repository to request a feature or report a bug. You can also join the awesome SPIFFE community on Slack: https://slack.spiffe.io/. We will be happy to answer your questions and discuss your requests. Finally, if you want to stay up to date with all the news about the project, join the SPIFFE Announce mailing group, a low-frequency list of project announcements: https://groups.google.com/a/spiffe.io/g/announce.
