From 8cedf42c4328361f889a8552b977db792e615a12 Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Wed, 22 Apr 2026 16:58:02 -0700 Subject: [PATCH 1/2] Add spiffe support proposal Signed-off-by: Kevin Fox --- proposals/0000-spiffe-support.md | 51 ++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 proposals/0000-spiffe-support.md diff --git a/proposals/0000-spiffe-support.md b/proposals/0000-spiffe-support.md new file mode 100644 index 0000000..e4d0031 --- /dev/null +++ b/proposals/0000-spiffe-support.md 
@@ -0,0 +1,51 @@ +## SPIFFE Support + +* **Owners:** + * `kfox1111` + +* **Implementation Status:** `Partially implemented` + +* **Related Issues and PRs:** + * https://github.com/prometheus/exporter-toolkit/issues/259 + * https://github.com/prometheus/exporter-toolkit/pull/387 + +> TL;DR: Flip a switch and exporters can mTLS with SPIFFE based identities + +## Why + +TLS is hard and manual. mTLS is even harder. + +SPIFFE and its corresponding reference implementation SPIRE makets it very easy to get fresh certificates in a fully automatic way. +Connections between prometheus and exporters can be two way validated and encrypted. + +### Pitfalls of the current solution + +The main issue right now is the go-spiffe library pulls in otel and that pulls in a lot of dependencies. They compile out, but it looks bad. + +## Goals + +Support easy configuration of prometheus and exporters + +### Audience + +If not clear, the target audience that this change relates to. + +## Non-Goals + +* Move old designs to the new format. +* Not doing X,Y,Z. + +## How + +We add SPIFFE support to the exporter-toolkit and prometheus scrape configuration + +## Alternatives + +Today you can wrap every exporter in a SPIFFE supporting proxy and put a proxy inbetween prometheus and the exporter too. It's painful. The idea is security should be easy. + +## Action Plan + +The tasks to do in order to migrate to the new idea. + +* [ ] Implement support in the exporter-toolkit +* [ ] Implement support in prometheus From 9bdb4640eca44165e92cf60f6b7f83de8477c3be Mon Sep 17 00:00:00 2001 From: Kevin Fox Date: Wed, 22 Apr 2026 16:59:17 -0700 Subject: [PATCH 2/2] Update number Signed-off-by: Kevin Fox --- proposals/{0000-spiffe-support.md => 0080-spiffe-support.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename proposals/{0000-spiffe-support.md => 0080-spiffe-support.md} (100%) 
diff --git a/proposals/0000-spiffe-support.md b/proposals/0080-spiffe-support.md similarity index 100% rename from proposals/0000-spiffe-support.md rename to proposals/0080-spiffe-support.md
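Review bot: The `## How` section of the new `proposals/0000-spiffe-support.md` is one sentence ("We add SPIFFE support to the exporter-toolkit and prometheus scrape configuration") and never says how either side decides which peer SPIFFE ID to accept. Verifying an X.509-SVID against the trust bundle only authenticates the peer, so without a stated authorization rule any workload issued an SVID in that trust domain would be accepted as a scraper or as a target. Suggest spelling out the configuration surface on both sides: the Workload API socket, the trust domain, the SPIFFE IDs an exporter allows to scrape it, the ID Prometheus expects from each target, and the behaviour when the Workload API is unavailable. The dependency concern under "Pitfalls of the current solution" ("They compile out, but it looks bad") would also be stronger with the planned mitigation stated. Separately, `### Audience`, `## Non-Goals` ("Not doing X,Y,Z.") and the first line of `## Action Plan` still carry template placeholder text, `## Goals` has a single unmeasurable item, and "makets" and "inbetween" are typos.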