Andrea Cosentino created CAMEL-23305:
----------------------------------------
Summary: Add camel-spiffe component for SPIFFE workload identity (mTLS and JWT-SVID)
Key: CAMEL-23305
URL: https://issues.apache.org/jira/browse/CAMEL-23305
Project: Camel
Issue Type: Wish
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
Add a new camel-spiffe module that integrates with the
[SPIFFE|https://spiffe.io/] (Secure Production Identity Framework for Everyone)
Workload API to provide workload identity for Camel routes.
SPIFFE provides cryptographic identity to workloads via SVIDs (SPIFFE
Verifiable Identity Documents) in two forms:
- *X.509-SVID*: X.509 certificates with SPIFFE IDs as SANs, used for mutual TLS
- *JWT-SVID*: JWT tokens encoding the SPIFFE ID, used as bearer tokens
h3. Proposed scope
1. *SSLContextParameters backed by SPIFFE Workload API* — Provide an
{{SSLContextParameters}} implementation that sources certificates and trust
bundles from the SPIFFE Workload API (via SPIRE) with automatic rotation. This
enables zero-trust mTLS for any TLS-capable Camel component (HTTP, gRPC, Kafka,
Netty, etc.) without per-component changes.
2. *JWT-SVID processor/policy* — A processor that fetches JWT-SVIDs from the
Workload API and sets them as Authorization headers, plus a validation policy
for the receiving end.
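As an added illustration of item 2 (not code from this proposal or from camel-spiffe): a sending-side Camel {{Processor}} that fetches a JWT-SVID and sets it as a bearer {{Authorization}} header, and a receiving-side processor that validates the token and allow-lists the caller's SPIFFE ID. It assumes the java-spiffe API names ({{JwtSource.fetchJwtSvid}}, {{JwtSvid.parseAndValidate}}) and Camel's {{Processor}} interface; the class names, the {{CamelSpiffeId}} header and the SPIFFE IDs are hypothetical.

```java
import java.util.Set;
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import io.spiffe.bundle.BundleSource;
import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.svid.jwtsvid.JwtSvid;
import io.spiffe.workloadapi.JwtSource;

// Sending side: fetch a JWT-SVID for the peer's audience and send it as a bearer token.
class JwtSvidBearerProcessor implements Processor {
    private final JwtSource jwtSource; // Workload API client (assumed java-spiffe API)
    private final String audience;     // the receiving workload's SPIFFE ID, e.g. spiffe://example.org/orders

    JwtSvidBearerProcessor(JwtSource jwtSource, String audience) {
        this.jwtSource = jwtSource;
        this.audience = audience;
    }

    @Override
    public void process(Exchange exchange) throws Exception {
        // The Workload API mints a short-lived token per call, so rotation needs no extra code here.
        JwtSvid svid = jwtSource.fetchJwtSvid(audience);
        exchange.getMessage().setHeader("Authorization", "Bearer " + svid.getToken());
    }
}

// Receiving side: verify signature, expiry and audience against the trust bundle, then allow-list the caller.
class JwtSvidValidationProcessor implements Processor {
    private final BundleSource<JwtBundle> bundles;  // a JwtSource also implements this interface
    private final String ownSpiffeId;               // tokens must name this workload as audience
    private final Set<String> allowedCallers;       // SPIFFE IDs permitted to call this route

    JwtSvidValidationProcessor(BundleSource<JwtBundle> bundles, String ownSpiffeId, Set<String> allowedCallers) {
        this.bundles = bundles;
        this.ownSpiffeId = ownSpiffeId;
        this.allowedCallers = allowedCallers;
    }

    @Override
    public void process(Exchange exchange) throws Exception {
        String auth = exchange.getMessage().getHeader("Authorization", String.class);
        if (auth == null || !auth.startsWith("Bearer ")) {
            throw new SecurityException("missing JWT-SVID bearer token");
        }
        // Rejects bad signatures, expired tokens and wrong audiences; no claim is trusted before this point.
        JwtSvid svid = JwtSvid.parseAndValidate(auth.substring("Bearer ".length()), bundles, Set.of(ownSpiffeId));
        String caller = svid.getSpiffeId().toString();
        if (!allowedCallers.contains(caller)) {
            throw new SecurityException("SPIFFE ID not allowed: " + caller);
        }
        exchange.getMessage().setHeader("CamelSpiffeId", caller); // hypothetical header for downstream authorization
    }
}
```

Both processors take the client obtained from {{DefaultJwtSource.newSource()}}, which reads the Workload API socket from the standard {{SPIFFE_ENDPOINT_SOCKET}} environment variable; the allow-list step is what stops any valid SVID in the trust domain from reaching the route.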
h3. Motivation
SPIFFE adoption is growing due to zero-trust security requirements. Having
native support in Camel would allow workload-to-workload authentication without
manual certificate management. This is complementary to (not a replacement for)
OAuth2/OIDC via Keycloak — SPIFFE handles machine identity while Keycloak
handles user identity.
h3. Dependencies
The [java-spiffe|https://github.com/spiffe/java-spiffe] library
({{io.spiffe:java-spiffe-core}}) is Apache-2.0 licensed and provides the
Workload API client.
Note: The SPIFFE spec is still being finalized. The Keycloak team is also
tracking this. This issue tracks the Camel-side integration.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)