SPIFFE
Older official SPIFFE/SPIRE walkthrough:
https://blog.envoyproxy.io/securing-the-service-mesh-with-spire-0-3-abb45cd79810
Workload
A workload is a single piece of software, deployed with a particular configuration for a single purpose; it may comprise multiple running instances of software, all of which perform the same task. The term “workload” may encompass a range of different definitions of a software system, including:
- A web server running a Python web application, running on a cluster of virtual machines with a load-balancer in front of it.
- An instance of a MySQL database.
- A worker program processing items on a queue.
- A collection of independently deployed systems that work together, such as a web application that uses a database service. The web application and database could also individually be considered workloads.
SPIFFE ID
A SPIFFE ID is a string that uniquely and specifically identifies a workload. SPIFFE IDs may also be assigned to intermediate systems that a workload runs on (such as a group of virtual machines). For example, spiffe://acme.com/billing/payments is a valid SPIFFE ID.
A SPIFFE ID is a Uniform Resource Identifier (URI) of the following form: spiffe://*trust domain*/*workload identifier*
The workload identifier uniquely identifies a specific workload within a trust domain.
The SPIFFE specification describes in detail the format and use of SPIFFE IDs.
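The format rules just described are easy to get subtly wrong (upper-case trust domains, "." or ".." path segments, trailing slashes), and an identity system that accepts a malformed ID will later mismatch it against policy. The parser below is an added example written for these notes, not code from the SPIFFE project or the go-spiffe library; it applies the checks stated in the SPIFFE-ID specification and exposes the trust-domain membership test that the SVID rules rely on.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SPIFFEID is the parsed form of spiffe://<trust domain><workload path>.
// Added example code; the rules follow the SPIFFE-ID specification but this
// is not the official go-spiffe implementation.
type SPIFFEID struct {
	TrustDomain string
	Path        string // begins with "/", or is empty for a trust-domain-only ID
}

const maxTrustDomainLen = 255 // byte limits stated in the SPIFFE-ID spec
const maxIDLen = 2048

func isTrustDomainByte(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}

func isPathByte(c byte) bool {
	return isTrustDomainByte(c) || (c >= 'A' && c <= 'Z')
}

// ParseSPIFFEID rejects anything that is not a well-formed SPIFFE ID: wrong
// scheme, empty or upper-case trust domain, empty or "." / ".." path segments,
// trailing slashes, query strings, fragments and non-ASCII bytes.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	const scheme = "spiffe://"
	if len(s) > maxIDLen {
		return SPIFFEID{}, errors.New("spiffe id exceeds 2048 bytes")
	}
	if !strings.HasPrefix(s, scheme) {
		return SPIFFEID{}, errors.New("spiffe id must start with spiffe://")
	}
	rest := s[len(scheme):]
	td, path := rest, ""
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		td, path = rest[:i], rest[i:]
	}
	if td == "" {
		return SPIFFEID{}, errors.New("trust domain is empty")
	}
	if len(td) > maxTrustDomainLen {
		return SPIFFEID{}, errors.New("trust domain exceeds 255 bytes")
	}
	for i := 0; i < len(td); i++ {
		if !isTrustDomainByte(td[i]) {
			return SPIFFEID{}, fmt.Errorf("trust domain contains invalid byte %q", td[i])
		}
	}
	if path != "" {
		// path[1:] drops the leading slash; every remaining segment must be non-empty
		for _, seg := range strings.Split(path[1:], "/") {
			if seg == "" {
				return SPIFFEID{}, errors.New("path has an empty segment (trailing or doubled slash)")
			}
			if seg == "." || seg == ".." {
				return SPIFFEID{}, errors.New("path segments . and .. are not allowed")
			}
			for i := 0; i < len(seg); i++ {
				if !isPathByte(seg[i]) {
					return SPIFFEID{}, fmt.Errorf("path contains invalid byte %q", seg[i])
				}
			}
		}
	}
	return SPIFFEID{TrustDomain: td, Path: path}, nil
}

// MemberOf reports whether the ID was issued in the given trust domain; an
// SVID carrying this ID is only meaningful against that domain's root keys.
func (id SPIFFEID) MemberOf(trustDomain string) bool { return id.TrustDomain == trustDomain }

func (id SPIFFEID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

func main() {
	for _, s := range []string{
		"spiffe://acme.com/billing/payments",
		"spiffe://acme.com",
		"spiffe://acme.com/billing/../payments", // ".." segment: rejected
		"spiffe://Acme.com/billing",             // upper-case trust domain: rejected
	} {
		id, err := ParseSPIFFEID(s)
		fmt.Printf("%-40s -> %v %v\n", s, id, err)
	}
}
```

The "acme.com" inputs are the page's own example; the rejected variants are constructed to show which malformed forms the spec rules out.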
Trust Domain
The trust domain corresponds to the trust root of a system. A trust domain could represent an individual, organization, environment or department running their own independent SPIFFE infrastructure. All workloads identified in the same trust domain are issued identity documents that can be verified against the root keys of the trust domain.
It is generally advised to keep workloads that are in either different physical locations (such as different data centers or cloud regions) or environments where different security practices are applied (such as a staging or lab environment compared to a production environment) in distinct trust domains.
SPIFFE Verifiable Identity Document (SVID)
An SVID is the document with which a workload proves its identity to a resource or caller. An SVID is considered valid if it has been signed by an authority within the SPIFFE ID’s trust domain.
An SVID contains a single SPIFFE ID, which represents the identity of the service presenting it. It encodes the SPIFFE ID in a cryptographically verifiable document, in one of two currently supported formats: an X.509 certificate or a JWT.
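An X.509 SVID carries the SPIFFE ID as a URI subject alternative name, and the two rules above (signed by an authority in the SPIFFE ID's trust domain; exactly one SPIFFE ID) are what a verifier must check before trusting it. The code below is an added example, not SPIRE or go-spiffe code: it mints a throwaway CA and SVID for a constructed trust domain using only the Go standard library (in a real deployment both come from the Workload API), then verifies the SVID against that trust domain's roots and shows that the same SVID is rejected when checked against another trust domain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issueTestSVID builds a throwaway CA for trustDomain and an X.509 SVID for
// spiffeID signed by it. Constructed test material only: production SVIDs and
// trust bundles are obtained from SPIRE, never minted by the workload.
func issueTestSVID(trustDomain, spiffeID string) (*x509.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "test CA for " + trustDomain},
		URIs:                  []*url.URL{{Scheme: "spiffe", Host: trustDomain}},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "test SVID"},
		URIs:         []*url.URL{id}, // the SPIFFE ID lives in the URI SAN
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(time.Hour), // SVIDs are short-lived and rotated
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

// VerifyX509SVID checks that the SVID chains to the given trust domain's roots
// and that the single SPIFFE ID it carries belongs to that trust domain.
// It returns the verified SPIFFE ID.
func VerifyX509SVID(leaf *x509.Certificate, roots *x509.CertPool, trustDomain string) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("svid does not chain to roots of %q: %w", trustDomain, err)
	}
	if leaf.IsCA {
		return "", errors.New("an SVID must not be a CA certificate")
	}
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("svid must carry exactly one URI SAN, found %d", len(leaf.URIs))
	}
	id := leaf.URIs[0]
	if id.Scheme != "spiffe" {
		return "", fmt.Errorf("URI SAN %q is not a SPIFFE ID", id)
	}
	if id.Host != trustDomain { // signed by our roots but claims another domain
		return "", fmt.Errorf("SPIFFE ID %q is not in trust domain %q", id, trustDomain)
	}
	return id.String(), nil
}

func main() {
	leaf, acmeRoots, err := issueTestSVID("acme.com", "spiffe://acme.com/billing/payments")
	if err != nil {
		panic(err)
	}
	fmt.Println(VerifyX509SVID(leaf, acmeRoots, "acme.com"))
	_, otherRoots, _ := issueTestSVID("other.example", "spiffe://other.example/x")
	fmt.Println(VerifyX509SVID(leaf, otherRoots, "other.example")) // rejected: wrong roots
}
```

Note that the verifier passes the expected trust domain explicitly: the bundle a workload holds is the bundle *for* a trust domain, so a certificate that validates against it but names a different trust domain in its SPIFFE ID is still rejected, which is what keeps the federation boundary described above from being crossed by a mis-issued certificate.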