
Issuing SVIDs to CI/CD Jobs

SPIRL can issue SVIDs to CI/CD jobs whose SPIFFE IDs carry attributes of the job, such as its repository, branch name or workflow name. A CI/CD job that needs an SVID connects to the spirl-agent and presents a JWT issued by the CI/CD controller that describes the job. The agent validates the token and returns an SVID whose SPIFFE ID is built from claims in that token.


Configuring a CI/CD Profile

For each issuer in your CI/CD system, create a CI/CD Profile on SPIRL. The profile records the JWT issuer and, optionally, the URL from which to fetch the JWKS when the keys are not discoverable at the standard location (the OpenID discovery document at <issuer>/.well-known/openid-configuration).

spirlctl ci-cd profile create jenkins-profile --issuer https://my-jenkins.example.com

To use a CI/CD Profile, link it to a cluster. Once linked, the agents in that cluster accept JWT tokens from the profile's issuer, and the claims in those tokens become available to the cluster's SPIFFE ID path template.

spirlctl ci-cd profile link create CLUSTER_NAME PROFILE_NAME --trust-domain TRUST_DOMAIN_NAME

Customizing SPIFFE IDs for CI/CD

Any claim in the JWT issued by your CI/CD controller can be used in the SPIFFE ID. When registering a cluster, reference a claim in the path template as {{jwt.claim.<claim-name>}}; the claim's value is substituted into the SPIFFE ID path. Choose claims that pin the identity you intend to grant: a template keyed only on the repository gives every branch and pull request of that repository the same SPIFFE ID, so include the branch or workflow claim when those should be distinguished.

spirlctl cluster register prod-cluster --trust-domain example.com \
--platform k8s --path-template /{{cluster.name}}/repo/{{jwt.claim.repo}}
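Before committing to a path template, it helps to see which claims the issuer actually puts in its tokens and what SPIFFE ID a given template would yield. The following Python is an added example, not part of SPIRL's documentation or tooling: it decodes a CI/CD token locally (without verifying it, which remains the agent's job), checks that its iss matches the profile issuer, and renders {{cluster.name}} and {{jwt.claim.<name>}} placeholders the way the template above describes, rejecting missing claims and values that would not form a valid SPIFFE ID path. The sample claims and the unsigned token are constructed for the demo; how SPIRL itself escapes claim values is not reproduced here.

```python
import base64
import json
import re
import time

# Matches {{cluster.name}} and {{jwt.claim.<name>}} placeholders as used in
# spirlctl cluster register --path-template.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.-]+)\s*\}\}")
# Characters the SPIFFE ID standard allows inside one path segment.
SEGMENT_CHARS = re.compile(r"^[A-Za-z0-9._-]+$")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT *without* verifying it.

    Signature verification against the profile's JWKS is the agent's job;
    this only shows which claim names the CI/CD issuer provides.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_for_profile(claims: dict, profile_issuer: str, now=None) -> None:
    """Fail fast if the token could not match the linked CI/CD profile."""
    if claims.get("iss") != profile_issuer:
        raise ValueError(f"iss {claims.get('iss')!r} != profile issuer {profile_issuer!r}")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token is expired")


def validate_spiffe_path(path: str) -> None:
    """Apply the SPIFFE ID path rules: '/'-separated, no empty segments,
    no '.' or '..', only [A-Za-z0-9._-] within a segment. A claim value that
    contains '/' passes here but yields extra path segments, which is usually
    not what a single placeholder was meant to produce."""
    if not path.startswith("/"):
        raise ValueError("path must start with '/'")
    for seg in path[1:].split("/"):
        if seg in ("", ".", ".."):
            raise ValueError(f"invalid path segment {seg!r}")
        if not SEGMENT_CHARS.match(seg):
            raise ValueError(f"segment {seg!r} has characters outside [A-Za-z0-9._-]")


def preview_spiffe_id(trust_domain: str, cluster_name: str,
                      path_template: str, claims: dict) -> str:
    """Render the path template locally to preview the SPIFFE ID a job would get.

    Mirrors the two placeholder kinds the documentation describes; any escaping
    SPIRL applies to claim values is an unknown and is not reproduced.
    """
    def substitute(m) -> str:
        name = m.group(1)
        if name == "cluster.name":
            return cluster_name
        if name.startswith("jwt.claim."):
            key = name[len("jwt.claim."):]
            if key not in claims:
                raise KeyError(f"token has no claim {key!r}; available: {sorted(claims)}")
            value = claims[key]
            if not isinstance(value, str):
                raise TypeError(f"claim {key!r} is {type(value).__name__}, not a string")
            return value
        raise ValueError(f"unsupported placeholder {name!r}")

    path = PLACEHOLDER.sub(substitute, path_template)
    validate_spiffe_path(path)
    return f"spiffe://{trust_domain}{path}"


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED token for offline inspection only."""
    def b64(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed sample claims; not what any particular Jenkins plugin emits.
SAMPLE_CLAIMS = {
    "iss": "https://my-jenkins.example.com",
    "sub": "job/payments-service/main",
    "aud": "spirl",
    "exp": 4102444800,  # far future, keeps the sample valid
    "repo": "payments-service",
    "branch": "main",
    "workflow": "build-and-push",
}

if __name__ == "__main__":
    token = make_unsigned_sample_token(SAMPLE_CLAIMS)
    claims = decode_jwt_claims(token)
    check_token_for_profile(claims, "https://my-jenkins.example.com")
    print(preview_spiffe_id("example.com", "prod-cluster",
                            "/{{cluster.name}}/repo/{{jwt.claim.repo}}", claims))
    # -> spiffe://example.com/prod-cluster/repo/payments-service
```

Run it against a real token captured from a job (a token from a personal sandbox, never one from a production job) to list the claims available and confirm the issuer string matches the profile exactly, scheme and trailing slash included. Note that a claim such as sub above already contains slashes and would expand into several path segments if placed in a template.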

Requesting an SVID from a CI/CD Job

When a CI/CD job requests an SVID, it must present the JWT from the CI/CD issuer to the agent. Pass the token as gRPC metadata on the call, under the key "identity-exchange-token".

Alternatively, spirldbg can request the SVID with the token by passing it in the --identity-exchange-token flag:

spirldbg svid-jwt --filename /tmp/jwt-svid --audience https://example.com --identity-exchange-token ${IDTOKEN}
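For a job that talks to the agent directly instead of through spirldbg, here is the gRPC exchange as an added example, not SPIRL's own code. It assumes the spirl-agent serves the standard SPIFFE Workload API on a Unix socket (the path /run/spirl/agent.sock is a placeholder) and encodes the FetchJWTSVID request and response by hand so the exact wire messages are visible and nothing beyond grpcio is needed; with stubs generated from workload.proto you would use those instead. Note the first metadata entry: the Workload API requires workload.spiffe.io: true on every call in addition to the identity-exchange-token the page describes.

```python
from typing import Iterator, List, Tuple

# SPIFFE Workload API method for JWT-SVIDs (workload.proto declares no package).
FETCH_JWT_SVID = "/SpiffeWorkloadAPI/FetchJWTSVID"
# Required by the Workload API specification on every call.
WORKLOAD_API_HEADER = ("workload.spiffe.io", "true")
# Key under which the agent expects the CI/CD issuer's token.
IDENTITY_EXCHANGE_HEADER = "identity-exchange-token"


def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    result = shift = 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def _field(number: int, data: bytes) -> bytes:
    """Encode one length-delimited (wire type 2) protobuf field."""
    return _varint((number << 3) | 2) + _varint(len(data)) + data


def _fields(buf: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (field_number, payload) for the length-delimited fields in buf."""
    pos = 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 2:
            length, pos = _read_varint(buf, pos)
            yield number, buf[pos:pos + length]
            pos += length
        elif wire_type == 0:  # varint field we do not use; skip it
            _, pos = _read_varint(buf, pos)
        else:
            raise ValueError(f"unexpected wire type {wire_type}")


def encode_jwt_svid_request(audience: List[str], spiffe_id: str = "") -> bytes:
    """JWTSVIDRequest { repeated string audience = 1; string spiffe_id = 2; }"""
    if not audience:
        raise ValueError("at least one audience is required")
    body = b"".join(_field(1, a.encode()) for a in audience)
    if spiffe_id:
        body += _field(2, spiffe_id.encode())
    return body


def decode_jwt_svid_response(buf: bytes) -> List[dict]:
    """JWTSVIDResponse { repeated JWTSVID svids = 1; }
    JWTSVID { string spiffe_id = 1; string svid = 2; string hint = 3; }"""
    names = {1: "spiffe_id", 2: "svid", 3: "hint"}
    svids = []
    for number, payload in _fields(buf):
        if number == 1:
            svids.append({names[n]: p.decode() for n, p in _fields(payload) if n in names})
    return svids


def encode_jwt_svid_response(svids: List[dict]) -> bytes:
    """Inverse of decode_jwt_svid_response; builds a constructed agent reply for tests."""
    return b"".join(
        _field(1, _field(1, s["spiffe_id"].encode()) + _field(2, s["svid"].encode()))
        for s in svids)


def workload_api_metadata(identity_exchange_token: str) -> Tuple[Tuple[str, str], ...]:
    """gRPC metadata for a CI/CD job: the mandatory Workload API header plus the
    CI/CD issuer's JWT under the key the agent looks for."""
    if identity_exchange_token.count(".") != 2:
        raise ValueError("identity exchange token is not a compact JWT")
    return (WORKLOAD_API_HEADER, (IDENTITY_EXCHANGE_HEADER, identity_exchange_token))


def fetch_jwt_svid(identity_exchange_token: str, audience: List[str],
                   socket_path: str = "/run/spirl/agent.sock") -> List[dict]:
    """Call FetchJWTSVID on the agent's Unix socket (path is an assumption)."""
    import grpc  # grpcio; imported here so the wire helpers above work without it

    with grpc.insecure_channel(f"unix:{socket_path}") as channel:
        call = channel.unary_unary(
            FETCH_JWT_SVID,
            request_serializer=lambda raw: raw,      # we already hold wire bytes
            response_deserializer=lambda raw: raw,
        )
        reply = call(encode_jwt_svid_request(audience),
                     metadata=workload_api_metadata(identity_exchange_token))
    return decode_jwt_svid_response(reply)
```

In a job you would call fetch_jwt_svid(os.environ["IDTOKEN"], ["https://example.com"]) and hand the returned svid string to whatever the job authenticates to; the agent replies with a gRPC error rather than an SVID when the token's issuer does not match a profile linked to the cluster or when a claim referenced by the template is absent.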