Careful!

You are browsing documentation for the next version of Kuma. Use this version at your own risk.

MeshIdentity

This resource is experimental. It works only on Kubernetes and requires MeshServices to be enabled.

MeshIdentity is a resource that defines how workloads in a mesh obtain their cryptographic identity. It separates the responsibility of issuing identities from establishing trust, enabling Kuma to adopt SPIFFE compliant practices while remaining flexible and easy to use.

With MeshIdentity, you can:

Enable secure mTLS between services using trusted certificate authorities
Switch identity providers without downtime, for example when migrating from built-in certificates to SPIRE
Assign different identity providers to subsets of workloads, allowing more granular control

This resource is namespaced (system-namespace only) and controls how data plane proxies receive identity certificates.

Spec fields

Selector

The selector field controls which data plane proxies a MeshIdentity applies to. It uses Kubernetes-style label selectors on data plane proxy tags.

When multiple MeshIdentity resources apply to the same data plane proxy, the one with the most specific selector (greatest number of matching labels) takes precedence. If two policies have selectors with the same number of labels, Kuma compares their names lexicographically—the policy whose name comes first alphabetically takes precedence.

Type: Selector Required: No Default: Empty selector (applies to nothing)

Data plane

Specifies the label selector for matching data plane proxies.

Type: LabelSelector Required: No

SPIFFE ID

The spiffeID field defines how SPIFFE IDs are constructed for selected data plane proxies. By default, Kuma generates a SPIFFE ID based on the mesh and zone. With spiffeID, you can customize the trustDomain and path template.

Type: SpiffeID Required: No

Trust domain

Template for constructing the SPIFFE ID trust domain. The trust domain is the root of a SPIFFE identity namespace and identifies the trust boundary within which identities are valid.

Supported variables:

.Mesh - The mesh name
.Zone - The zone name
{{ label "label-name" }} - Any label from the data plane proxy resource

Type: string Required: No Default: "{{ .Mesh }}.{{ .Zone }}.mesh.local"

Path

Template for constructing the SPIFFE ID path component. The path provides additional specificity to identify a workload within a trust domain.

Supported variables:

.Namespace - The Kubernetes namespace
.ServiceAccount - The Kubernetes service account
.Workload - The workload identifier
{{ label "label-name" }} - Any label from the data plane proxy resource

When using .Workload in the path template, data plane proxies selected by this MeshIdentity must have the workload identifier. This can be provided either:

Via a data plane proxy token generated with the --workload parameter
Directly on the data plane proxy resource via the kuma.io/workload label

Connections from data plane proxies lacking the required workload identifier will be rejected.

Type: string Required: No Default: "/ns/{{ .Namespace }}/sa/{{ .ServiceAccount }}"

Provider

The provider field defines how identity certificates are issued. This field is required and must specify one of the supported provider types.

Type: Provider Required: Yes

Type

Specifies the type of certificate provider.

Type: string (enum: Bundled, Spire) Required: Yes

Bundled

Configuration for certificates generated by Kuma’s control plane, either automatically generated or supplied by the user. Required when type is Bundled.

Type: Bundled Required: When type=Bundled

Mesh trust creation

Defines whether a MeshTrust resource should be automatically created from this MeshIdentity. When Enabled, the control plane automatically generates a MeshTrust resource with the same name as this MeshIdentity.

Type: string (enum: Enabled, Disabled) Required: No Default: Enabled

Insecure allow self-signed

Allows the use of self-signed certificates. This should only be enabled in development environments or when you understand the security implications.

Type: boolean Required: No Default: false

Auto-generate

Configuration for automatic CA generation by the control plane.

Type: Autogenerate Required: No

Enabled

When true, the control plane automatically generates a self-signed CA and stores it. This is useful for testing and development.

Type: boolean Required: No Default: false

Certificate authority

Configuration for user-provided certificate authority. Use this to specify a custom CA instead of automatic generation.

Type: CA Required: No

Certificate

Data source containing the CA certificate. The control plane resolves this data source at runtime. Supported data source types include File, Secret (Kubernetes), and Inline.

Type: SecureDataSource Required: When ca is specified

Private key

Data source containing the CA private key. The control plane resolves this data source at runtime. Supported data source types include File, Secret (Kubernetes), and Inline.

Type: SecureDataSource Required: When ca is specified

Certificate parameters

Parameters for certificate generation.

Type: CertificateParameters Required: No

Expiry

Duration for which generated certificates are valid.

Type: Duration Required: No Default: 24h

SPIRE

Configuration for SPIRE-based certificate delivery. Required when type is Spire. To enable SPIRE socket injection, either:

Set KUMA_RUNTIME_KUBERNETES_INJECTOR_SPIRE_ENABLED environment variable on the control plane globally
Enable it per pod by adding the k8s.kuma.io/spire-support label

Type: Spire Required: When type=Spire

Agent

Configuration for the SPIRE agent.

Type: SpireAgent Required: No

Timeout

Connection timeout to the socket exposed by the SPIRE agent.

Type: Duration Required: No Default: 1s

Examples

Basic MeshIdentity with automatic generation

Kubernetes
Universal

apiVersion: kuma.io/v1alpha1
kind: MeshIdentity
metadata:
  name: identity
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  provider:
    type: Bundled
    bundled:
      meshTrustCreation: Enabled
      insecureAllowSelfSigned: true
      autogenerate:
        enabled: true

type: MeshIdentity
name: identity
mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  provider:
    type: Bundled
    bundled:
      meshTrustCreation: Enabled
      insecureAllowSelfSigned: true
      autogenerate:
        enabled: true

apiVersion: kuma.io/v1alpha1
kind: MeshIdentity
metadata:
  name: identity
  namespace: {{site.mesh_namespace}}
  labels:
    kuma.io/mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  spiffeID:
    trustDomain: "{{ .Mesh }}.{{ .Zone }}.mesh.local"
    path: "/ns/{{ .Namespace }}/sa/{{ .ServiceAccount }}"
  provider:
    type: Bundled
    bundled:
      meshTrustCreation: Enabled
      insecureAllowSelfSigned: true
      certificateParameters:
        expiry: 24h
      autogenerate:
        enabled: true

type: MeshIdentity
name: identity
mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  spiffeID:
    trustDomain: "{{ .Mesh }}.{{ .Zone }}.mesh.local"
    path: "/ns/{{ .Namespace }}/sa/{{ .ServiceAccount }}"
  provider:
    type: Bundled
    bundled:
      meshTrustCreation: Enabled
      insecureAllowSelfSigned: true
      certificateParameters:
        expiry: 24h
      autogenerate:
        enabled: true

MeshIdentity with user-provided certificate authority

Kubernetes
Universal

apiVersion: kuma.io/v1alpha1
kind: MeshIdentity
metadata:
  name: identity
  namespace: kuma-system
  labels:
    kuma.io/mesh: default
spec:
  selector:
    dataplane:
      matchLabels:
        app: my-app
  provider:
    type: Bundled
    bundled:
      meshTrustCreation: Enabled
      insecureAllowSelfSigned: true
      ca:
        certificate:
          type: File
          file:
            path: /ca.crt
        privateKey:
          type: File
          file:
            path: /ca.key

type: MeshIdentity
name: identity
mesh: default
spec:
  selector:
    dataplane:
      matchLabels:
        app: my-app
  provider:
    type: Bundled
    bundled:
      meshTrustCreation: Enabled
      insecureAllowSelfSigned: true
      ca:
        certificate:
          type: File
          file:
            path: /ca.crt
        privateKey:
          type: File
          file:
            path: /ca.key

MeshIdentity with SPIRE provider

Kubernetes
Universal

apiVersion: kuma.io/v1alpha1
kind: MeshIdentity
metadata:
  name: identity-spire
  namespace: {{site.mesh_namespace}}
  labels:
    kuma.io/mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  spiffeID:
    trustDomain: default.us-east.mesh.local
    path: "/ns/{{ .Namespace }}/sa/{{ .ServiceAccount }}"
  provider:
    type: Spire
    spire:
      agent:
        timeout: 2s

type: MeshIdentity
name: identity-spire
mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  spiffeID:
    trustDomain: default.us-east.mesh.local
    path: "/ns/{{ .Namespace }}/sa/{{ .ServiceAccount }}"
  provider:
    type: Spire
    spire:
      agent:
        timeout: 2s

MeshIdentity with workload label

Kubernetes
Universal

apiVersion: kuma.io/v1alpha1
kind: MeshIdentity
metadata:
  name: identity-workload
  namespace: {{site.mesh_namespace}}
  labels:
    kuma.io/mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  spiffeID:
    trustDomain: "{{ .Mesh }}.{{ .Zone }}.mesh.local"
    path: "/workload/{{ .Workload }}"
  provider:
    type: Bundled
    bundled:
      meshTrustCreation: Enabled
      insecureAllowSelfSigned: true
      autogenerate:
        enabled: true

type: MeshIdentity
name: identity-workload
mesh: default
spec:
  selector:
    dataplane:
      matchLabels: {}
  spiffeID:
    trustDomain: "{{ .Mesh }}.{{ .Zone }}.mesh.local"
    path: "/workload/{{ .Workload }}"
  provider:
    type: Bundled
    bundled:
      meshTrustCreation: Enabled
      insecureAllowSelfSigned: true
      autogenerate:
        enabled: true

All options

Kind is a string value representing the REST resource this object represents. Servers may infer this...

Spec is the specification of the Kuma MeshIdentity resource.

Type specifies the type of certificate provider.

Values: Bundled | Spire

Spire indicates that SPIRE is used for certificate delivery.

Spire agent configuration

Connection timeout to the socket exposed by Spire agent Default 1 second.

Bundled provides information about certificates that are generated by the control plane, either auto...

CA has configuration related to the CA

PrivateKey allows the user to specify a custom private key.

Values: File | Secret | EnvVar | InsecureInline

Values: Secret

Certificate allows the user to specify a custom certificate.

Values: File | Secret | EnvVar | InsecureInline

Values: Secret

Autogenerate configures the control plane to use self-signed certificates.

MeshTrustCreation defines whether a MeshTrust resource should be automatically created from an exist...

Values: Enabled | Disabled

CertificateParameters allows users to define certificate generation parameters.

InsecureAllowSelfSigned allows users to enable the use of self-signed certificates.

Status is the current status of the Kuma MeshIdentity resource.

Conditions is an array of hostname generator conditions.

type of condition in CamelCase or in foo.example.com/CamelCase.

reason contains a programmatic identifier indicating the reason for the condition's last transition....

status of the condition, one of True, False, Unknown.

Values: True | False | Unknown

message is a human readable message indicating details about the transition. This may be an empty st...

APIVersion defines the versioned schema of this representation of an object. Servers should convert ...