Founder direction 2026-05-03: with 100% Cilium mesh enforcement +
Envoy where required, bp-spire is redundant for the minimal Sovereign
MVP.
Reasoning:
- Cilium 1.13+ has built-in mutual auth using SPIFFE, but it ships
with its own embedded SPIRE server managed by the Cilium operator.
External bp-spire is not needed for east-west mTLS.
- Our ESO→OpenBao auth uses the K8s ServiceAccount auth method
(TokenReview against kube-apiserver), not JWT-SVID.
- WireGuard transparent encryption (already enabled in cilium values)
encrypts every pod-to-pod connection at the kernel transport layer.
- Cross-Sovereign federation and per-workload-fingerprint attestation
are not blocking handover; they can be re-introduced as an opt-in
blueprint when needed.
Changes:
- Delete clusters/_template/bootstrap-kit/06-spire.yaml
- Remove bp-spire from kustomization.yaml + expected-bootstrap-deps.yaml
- Remove bp-spire dependsOn from 07-nats-jetstream.yaml + 08-openbao.yaml
- bp-cilium 1.1.4: add encryption.nodeEncryption=true so node-to-node
  traffic (not just pod-to-pod) is also WireGuard-encrypted; document
  in a values.yaml comment that WireGuard is the canonical east-west
  mTLS layer.
Removes 4 pods (spire-server, spire-agent, spire-spiffe-csi-driver,
spire-spiffe-oidc-discovery-provider) from every Sovereign and the
recurring CSI mount race that was getting stuck on otech43.
Co-authored-by: hatiyildiz <hatiyildiz@openova.io>
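For reference, the Cilium settings this message relies on, written out as an added illustration rather than the project's own values.yaml or any file from this commit: the encryption block enables WireGuard with the nodeEncryption flag the message adds, the authentication block turns on Cilium's embedded SPIRE-backed mutual auth (the reason an external bp-spire is not needed), and a CiliumNetworkPolicy shows how a workload pair opts into that mutual auth. The policy name, the `app: openbao` / `app: nats` labels and the namespace are assumptions; the Helm keys are Cilium's documented ones.

```yaml
# Added illustration, not the bp-cilium chart's values.yaml.
# Helm values for Cilium (cilium/cilium chart):
encryption:
  enabled: true
  type: wireguard          # kernel WireGuard, pod-to-pod
  nodeEncryption: true     # also encrypt node-to-node traffic (the change described above)
authentication:
  enabled: true
  mutual:
    spire:
      enabled: true        # use SPIFFE identities for mutual auth
      install:
        enabled: true      # Cilium operator manages its own embedded SPIRE server
---
# Mutual auth is applied per policy: a CiliumNetworkPolicy with
# authentication.mode "required" makes Cilium verify the peer's SPIFFE
# identity (issued by the embedded SPIRE) before allowing the flow.
# Names, labels and namespace below are assumptions for the example.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: nats-from-openbao-mutual-auth   # assumed name
  namespace: sovereign-system            # assumed namespace
spec:
  endpointSelector:
    matchLabels:
      app: nats                          # assumed label on the NATS JetStream pods
  ingress:
    - fromEndpoints:
        - matchLabels:
            app: openbao                 # assumed label on the OpenBao pods
      toPorts:
        - ports:
            - port: "4222"
              protocol: TCP
      authentication:
        mode: "required"
```

After rolling the values out, a recent cilium-cli reports the WireGuard state and peer count per node with `cilium encryption status`; a node showing `Encryption: Disabled` there means the agent did not pick up the new values.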