[ 
https://issues.apache.org/jira/browse/CAMEL-23305?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andrea Cosentino updated CAMEL-23305:
-------------------------------------
    Fix Version/s: 4.x

> Add camel-spiffe component for SPIFFE workload identity (mTLS and JWT-SVID)
> ---------------------------------------------------------------------------
>
>                 Key: CAMEL-23305
>                 URL: https://issues.apache.org/jira/browse/CAMEL-23305
>             Project: Camel
>          Issue Type: Wish
>            Reporter: Andrea Cosentino
>            Assignee: Andrea Cosentino
>            Priority: Major
>             Fix For: 4.x
>
>
> Add a new camel-spiffe module that integrates with the 
> [SPIFFE|https://spiffe.io/] (Secure Production Identity Framework for 
> Everyone) Workload API to provide workload identity for Camel routes.
> SPIFFE provides cryptographic identity to workloads via SVIDs (SPIFFE 
> Verifiable Identity Documents) in two forms:
> - *X.509-SVID*: X.509 certificates with SPIFFE IDs as SANs, used for mutual 
> TLS
> - *JWT-SVID*: JWT tokens encoding the SPIFFE ID, used as bearer tokens
> h3. Proposed scope
> 1. *SSLContextParameters backed by SPIFFE Workload API* — Provide an 
> {{SSLContextParameters}} implementation that sources certificates and trust 
> bundles from the SPIFFE Workload API (via SPIRE) with automatic rotation. 
> This enables zero-trust mTLS for any TLS-capable Camel component (HTTP, gRPC, 
> Kafka, Netty, etc.) without per-component changes.
> 2. *JWT-SVID processor/policy* — A processor that fetches JWT-SVIDs from the 
> Workload API and sets them as Authorization headers, plus a validation policy 
> for the receiving end.
> h3. Motivation
> SPIFFE adoption is growing due to zero-trust security requirements. Having 
> native support in Camel would allow workload-to-workload authentication 
> without manual certificate management. This is complementary to (not a 
> replacement for) OAuth2/OIDC via Keycloak — SPIFFE handles machine identity 
> while Keycloak handles user identity.
> h3. Dependencies
> The [java-spiffe|https://github.com/spiffe/java-spiffe] library 
> ({{io.spiffe:java-spiffe-core}}) is Apache-2.0 licensed and provides the 
> Workload API client.
> Note: The SPIFFE spec is still being finalized. The Keycloak team is also 
> tracking this. This issue tracks the Camel-side integration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
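The two scope items above, sketched as an added example that is not part of this issue, of Camel, or of the java-spiffe library. It assumes `java-spiffe-core` and `java-spiffe-provider` on the classpath and a SPIRE agent socket reachable through `SPIFFE_ENDPOINT_SOCKET`; the java-spiffe class and method names (`DefaultX509Source`, `DefaultJwtSource`, `SpiffeSslContextFactory`, `JwtSvid.parseAndValidate`) are taken from that library's public API and should be checked against the version you build with. The package name, the `CamelSpiffeId` header and the route URIs are illustrative choices, not Camel conventions.

```java
// Added sketch (not Camel or java-spiffe code). Assumes java-spiffe-core and
// java-spiffe-provider on the classpath and SPIFFE_ENDPOINT_SOCKET pointing at
// a SPIRE agent. Verify the java-spiffe class names against your version.
package org.example.spiffe; // hypothetical package

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Set;
import java.util.function.Supplier;
import javax.net.ssl.SSLContext;

import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.support.jsse.SSLContextParameters;

import io.spiffe.bundle.BundleSource;
import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.provider.SpiffeSslContextFactory;
import io.spiffe.provider.SpiffeSslContextFactory.SslContextOptions;
import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.svid.jwtsvid.JwtSvid;
import io.spiffe.workloadapi.DefaultJwtSource;
import io.spiffe.workloadapi.DefaultX509Source;
import io.spiffe.workloadapi.JwtSource;
import io.spiffe.workloadapi.X509Source;

public class SpiffeCamelSketch {

    /** Scope item 1: SSLContextParameters whose SSLContext is built from a live X509Source. */
    public static class SpiffeSslContextParameters extends SSLContextParameters {
        private final X509Source x509Source;
        private final Supplier<Set<SpiffeId>> acceptedPeers;

        public SpiffeSslContextParameters(X509Source x509Source, Supplier<Set<SpiffeId>> acceptedPeers) {
            this.x509Source = x509Source;
            this.acceptedPeers = acceptedPeers;
        }

        @Override
        public SSLContext createSSLContext(CamelContext camelContext) throws GeneralSecurityException, IOException {
            // The key and trust managers hold the X509Source itself, so X.509-SVID and bundle
            // rotation streamed by the Workload API applies to later handshakes; the SSLContext
            // is never rebuilt. acceptedSpiffeIdsSupplier is the peer allow-list checked per handshake.
            SslContextOptions options = SslContextOptions.builder()
                    .x509Source(x509Source)
                    .acceptedSpiffeIdsSupplier(acceptedPeers)
                    .build();
            return SpiffeSslContextFactory.getSslContext(options);
        }
    }

    /** Scope item 2, caller side: fetch a JWT-SVID for one audience and send it as a bearer token. */
    public static class JwtSvidBearerProcessor implements Processor {
        private final JwtSource jwtSource;
        private final String audience;

        public JwtSvidBearerProcessor(JwtSource jwtSource, String audience) {
            this.jwtSource = jwtSource;
            this.audience = audience;
        }

        @Override
        public void process(Exchange exchange) throws Exception {
            // JWT-SVIDs are short-lived and audience-bound: fetch per exchange rather than caching,
            // and scope the audience to the callee so a leaked token cannot be replayed elsewhere.
            JwtSvid svid = jwtSource.fetchJwtSvid(audience);
            exchange.getMessage().setHeader("Authorization", "Bearer " + svid.getToken());
        }
    }

    /** Scope item 2, callee side: validate signature, expiry and audience, then authorize the caller. */
    public static class JwtSvidValidationProcessor implements Processor {
        private final BundleSource<JwtBundle> bundles;   // a JwtSource is also a BundleSource<JwtBundle>
        private final Set<String> expectedAudience;
        private final Set<SpiffeId> allowedCallers;

        public JwtSvidValidationProcessor(BundleSource<JwtBundle> bundles, Set<String> expectedAudience,
                                          Set<SpiffeId> allowedCallers) {
            this.bundles = bundles;
            this.expectedAudience = expectedAudience;
            this.allowedCallers = allowedCallers;
        }

        @Override
        public void process(Exchange exchange) throws Exception {
            String header = exchange.getMessage().getHeader("Authorization", String.class);
            if (header == null || !header.startsWith("Bearer ")) {
                throw new SecurityException("missing bearer token");
            }
            // Verifies the signature against the trust domain's JWT bundle, checks exp and aud.
            JwtSvid svid = JwtSvid.parseAndValidate(header.substring("Bearer ".length()), bundles, expectedAudience);
            if (!allowedCallers.contains(svid.getSpiffeId())) {
                throw new SecurityException("caller not allowed: " + svid.getSpiffeId());
            }
            exchange.getMessage().setHeader("CamelSpiffeId", svid.getSpiffeId().toString()); // hypothetical header
        }
    }

    public static void main(String[] args) throws Exception {
        X509Source x509 = DefaultX509Source.newSource(); // streams X.509-SVID and bundle updates from the agent
        JwtSource jwt = DefaultJwtSource.newSource();    // fetches JWT-SVIDs and JWT bundles on demand
        SpiffeId orders = SpiffeId.parse("spiffe://example.org/orders");   // illustrative IDs
        SpiffeId gateway = SpiffeId.parse("spiffe://example.org/gateway");

        CamelContext ctx = new DefaultCamelContext();
        ctx.getRegistry().bind("spiffeSsl", new SpiffeSslContextParameters(x509, () -> Set.of(orders, gateway)));
        ctx.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // Caller: mTLS through #spiffeSsl plus a JWT-SVID scoped to the orders service.
                from("timer:tick?period=5000")
                    .process(new JwtSvidBearerProcessor(jwt, orders.toString()))
                    .to("https://orders.internal:8443/api?sslContextParameters=#spiffeSsl");
                // Callee: terminates mTLS with the same parameters, then validates the bearer token.
                from("jetty:https://0.0.0.0:8443/api?sslContextParameters=#spiffeSsl")
                    .process(new JwtSvidValidationProcessor(jwt, Set.of(orders.toString()), Set.of(gateway)))
                    .setBody(constant("ok"));
            }
        });
        ctx.start();
    }
}
```

Two points worth keeping in mind when the real component is written: the mTLS layer already authenticates the peer's SPIFFE ID during the handshake, so the JWT-SVID path is for hops where TLS is terminated elsewhere (a proxy or gateway) rather than a second factor on the same connection; and `parseAndValidate` only proves the token was issued by the trust domain for the stated audience, so the allow-list check on `getSpiffeId()` is where authorization actually happens.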