
We’re excited to announce the release of Kuma 2.12.

Notable features

In Kuma 2.12.x we’ve focused on two main areas:

  • SPIFFE/SPIRE support (MeshIdentity and MeshTrust)
  • Consistent resource identifiers (xDS names)

Feel free to check our release notes for the full list of changes.

SPIFFE / SPIRE support and MeshIdentity

MeshIdentity defines how workloads in a mesh obtain their cryptographic identity. It separates the responsibility of issuing identities from establishing trust, enabling Kuma to adopt SPIFFE-compliant practices while remaining flexible and easy to use.

With MeshIdentity, you can:

  • Enable secure mTLS between services, using trusted certificate authorities.
  • Assign different identity providers to subsets of workloads, allowing more granular control and progressive migration.

MeshIdentity on its own lets Kuma follow SPIFFE-compliant practices. We also worked on integrating with a SPIRE agent running on your Kubernetes nodes, so that workloads obtain their SPIFFE Verifiable Identity Documents (SVIDs) from SPIRE. Each workload’s SPIFFE ID is spiffe://<trustDomain><path>, assembled from the spiffeID section; the path is a per-workload template whose ns and sa segments are filled from the pod’s namespace and service account:

apiVersion: kuma.io/v1alpha1
kind: MeshIdentity
metadata:
  name: identity-spire
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  spiffeID:
    trustDomain: default.us-east.mesh.local
    path: "/ns//sa/"
  provider:
    type: Spire
    spire: {}

When SPIRE is in use, SPIRE is the trust authority for the mesh. For users who have not rolled out SPIRE in their organisation, we’ve also introduced MeshTrust.

MeshTrust lets you validate a workload identity back to a trust authority that you control. Currently this is only supported in Kubernetes environments; cross-zone identity is planned for the next release of Kuma.
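To make the two identity steps above concrete (minting a SPIFFE ID from the trustDomain and the ns/sa path for a workload, and then checking a peer’s identity against the trust domains the mesh trusts, which is the job MeshTrust or SPIRE performs), here is an added example in Go using only the standard library. It is not Kuma’s code: the Workload type, the trustedDomains map standing in for a trust authority, and the assumption that the ns/sa template is filled from namespace and service account are all this example’s own. The validation rules (spiffe:// scheme, lowercase trust domain, no empty, “.” or “..” path segments, 2048-byte limit) follow the SPIFFE-ID specification.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// maxSpiffeIDLen is the total-length limit from the SPIFFE-ID specification.
const maxSpiffeIDLen = 2048

// Workload holds the Kubernetes attributes that fill the ns/sa path segments.
// Constructed for this example; it is not a Kuma type.
type Workload struct {
	Namespace      string
	ServiceAccount string
}

// BuildSpiffeID mints spiffe://<trustDomain>/ns/<namespace>/sa/<serviceAccount>
// and refuses to issue an ID that does not validate (assumption: this mirrors
// how a "/ns/.../sa/..." path template is expanded per workload).
func BuildSpiffeID(trustDomain string, w Workload) (string, error) {
	id := fmt.Sprintf("spiffe://%s/ns/%s/sa/%s", trustDomain, w.Namespace, w.ServiceAccount)
	if err := ValidateSpiffeID(id); err != nil {
		return "", fmt.Errorf("refusing to issue %q: %w", id, err)
	}
	return id, nil
}

// Trust domains allow lowercase letters, digits, '.', '-' and '_'; path
// segments additionally allow uppercase letters.
func trustDomainChar(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}
func pathChar(c byte) bool { return trustDomainChar(c) || (c >= 'A' && c <= 'Z') }

// ParseSpiffeID splits an ID into trust domain and path, rejecting empty
// segments (an unexpanded template or trailing slash) and "."/".." segments.
func ParseSpiffeID(id string) (trustDomain, path string, err error) {
	const scheme = "spiffe://"
	if len(id) > maxSpiffeIDLen {
		return "", "", errors.New("SPIFFE ID exceeds 2048 bytes")
	}
	if !strings.HasPrefix(id, scheme) {
		return "", "", errors.New("SPIFFE ID must start with spiffe://")
	}
	rest := id[len(scheme):]
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		trustDomain, path = rest[:i], rest[i:]
	} else {
		trustDomain = rest // an ID with no path names the trust domain itself
	}
	if trustDomain == "" {
		return "", "", errors.New("empty trust domain")
	}
	for i := 0; i < len(trustDomain); i++ {
		if !trustDomainChar(trustDomain[i]) {
			return "", "", fmt.Errorf("bad character %q in trust domain", trustDomain[i])
		}
	}
	if path != "" {
		for _, seg := range strings.Split(path[1:], "/") {
			if seg == "" {
				return "", "", errors.New("empty path segment")
			}
			if seg == "." || seg == ".." {
				return "", "", fmt.Errorf("relative path segment %q not allowed", seg)
			}
			for i := 0; i < len(seg); i++ {
				if !pathChar(seg[i]) {
					return "", "", fmt.Errorf("bad character %q in path segment %q", seg[i], seg)
				}
			}
		}
	}
	return trustDomain, path, nil
}

// ValidateSpiffeID reports whether id is well-formed.
func ValidateSpiffeID(id string) error { _, _, err := ParseSpiffeID(id); return err }

// PeerAllowed is the check a trust authority applies to a peer's SVID identity:
// the ID must parse and its trust domain must be one the mesh trusts. It runs
// before any authorization policy, so a foreign domain never reaches policy.
func PeerAllowed(peerID string, trustedDomains map[string]bool) (bool, string) {
	td, _, err := ParseSpiffeID(peerID)
	if err != nil {
		return false, "malformed SPIFFE ID: " + err.Error()
	}
	if !trustedDomains[td] {
		return false, "untrusted trust domain " + td
	}
	return true, "ok"
}

func main() {
	const td = "default.us-east.mesh.local" // trust domain from the MeshIdentity above
	trusted := map[string]bool{td: true}
	id, err := BuildSpiffeID(td, Workload{Namespace: "backend", ServiceAccount: "orders"})
	fmt.Println(id, err)
	_, err = BuildSpiffeID(td, Workload{Namespace: "backend"}) // missing service account
	fmt.Println("empty sa:", err)
	for _, peer := range []string{id, "spiffe://other-zone.mesh.local/ns/backend/sa/orders"} {
		ok, why := PeerAllowed(peer, trusted)
		fmt.Printf("%s allowed=%v (%s)\n", peer, ok, why)
	}
}
```

The second BuildSpiffeID call shows the failure mode worth guarding: a pod without a service account would otherwise receive an ID with an empty segment, which is exactly what the SPIFFE rules forbid, so the issuer refuses rather than minting an ambiguous identity.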

Find out more about MeshIdentity and MeshTrust in the Kuma documentation.

Consistent resource identifiers

To help you consume, aggregate, and draw value from service-to-service metrics, and to define Services and their identities, we took on the rather large effort of introducing a consistent naming convention for mesh resources.

This has a number of benefits, including being able to inspect individual resources through the Inspect API and to browse resources in Mesh Manager.

Upgrading

We strongly suggest upgrading to Kuma 2.12.0. Upgrading is easy through kumactl or Helm.

Be sure to carefully read the upgrade guide and the version specific upgrade notes before upgrading Kuma.

Join the community

Join us on our community channels, including official Slack chat, to learn more about Kuma. The community channels are useful for getting up and running with Kuma, as well as for learning how to contribute to and discuss the project roadmap. Kuma is a CNCF Sandbox project: neutral, open and inclusive.

The community call is hosted on the second Wednesday of every month at 8:30 AM PDT. And don’t forget to follow Kuma on Twitter and star it on GitHub!

Get Community Updates

Sign up for our Kuma community newsletter to get the most recent updates and product announcements.