Due to there being several components that need to be built as well as dependencies on continuing effort, the work can be broken down into milestones.
The nature of the design specification of milestones is based on two main ideas:
- The scope of capabilities/goals that can be achieved
- The dependencies required based on on-going and planned work in the community
Here are a set of milestones. It is defined in an order but does not have to strictly follow it apart from Milestones A and B to lay the foundations of other milestones.
List of milestones
- Milestone A: Global Visibility
- Milestone B: Global Visibility + Authentication
- Milestone C: Policy management
- Milestone D: Improve Policy definitions and UX
- Milestone E: Auditability
- Milestone F: Advanced Authentication
- Milestone G: Enhancing SPIRE API
Status: Completed
Very simple global visibility and management of SPIRE APIs with simple authentication.
Feature dependencies: None
- Agent
- APIS: Implement only SPIRE server APIs
- No Authentication
- No Authorization
- Manager
- Global Visibility
- Add tornjak agent (backend call instead, not addition to UI)
- SPIRE API actions on servers
- No server info + custom tornjak APIs
- No Identity policy management
- No Auditability of idetntites
- No Management of SPIRE identity Configurations
- Global Visibility
Status: Completed
Add ability to obtain server info and some custom tornjak APIs with simple authentication
Feature dependencies: None
In addition to above:
- Agent
- APIS: Implement some custom tornjak APIs
- Authentication via simple certificate auth from configured root CA on agent
Status: In Progress
Provide authorization capabilities and policy management. Showcase the ability to use the workload registrar usecase with a stricter threat model enforced by policy.
Feature dependencies: Authorization and policy management (Issue #1975)
In addition to above:
- Agent
- Authorization through SPIRE configuration
- Manager
- Provide an interface to the policy engines used by the SPIRE deployments
- Actions
- Add policy engine
- Provide address
- Choose authentication method - User or Certificate [pending auth issue #TBD]
- CRUD on policies
- No Visibility and consumability of policies
- No Provide templates for more complex policies to be created
Status: Not Started
Provide better UX around policy management and provide the ability to create more sophisticated identity policy.
Feature dependencies: Authorization and policy management (Issue #1975)
In addition to above:
- Manager
- Visibility and consumability of policies
- Provide templates for more complex policies to be created
Status: Not Started
Feature Dependencies: Advanced Logging entries and infrastructure for SPIRE (Issue TBD)
- Manager
- Auditability of Identities and use for operations/forensics
Status: Not Started
Feature dependencies: More Admin Authentication mechanisms for SPIRE server (Issue #2099)
Other missing features:
- Agent
- More sophisticated authentication mechanisms + move authentication mechanisms to use SPIRE native (Dependencies: More authentication options for SPIRE)
Status: Not Started
Feature dependencies: Augment SPIRE API (Issue TBD)
Other missing features:
- Manager
- Management of SPIRE Identity configurations (Dependencies: SPIRE API boundary decisions)