mTLS is a much-needed baseline for Zero Trust as a whole. However, its PKI setup requires heavy operational investment and resources from agencies, including management of the key lifecycle from provisioning to renewal to revocation. If any of these stages is not handled in time, the impact ripples through to the web services and, in the worst case, may bring the business down.
The emergence of SPIFFE, which issues X.509 SVIDs, also means that the whole setup needs some form of "transformation" into a service-mesh, sidecar-driven setup (towards a Kubernetes architecture). The challenge is whether there is an optimal (and still secure) translation from an existing PKI to SPIFFE, or an alternative that achieves a reasonable level of identity-based attestation.
- Walkthrough video
- Overview: we demo a full transition from legacy PKI to mTLS with SPIFFE
- Stage 0: Microservices in Docker with TLS from a local Certificate Authority spireplash/pki/README.md
- Stage 1: Migrating to Kubernetes spireplash/k8s/README.md
- Stage 2: Adopting the Envoy sidecar architecture and using X.509 SVIDs issued by SPIFFE for mTLS spireplash/envoy/README.md
- Optimization consideration:
  - Using Ansible and shell scripting to automate the transition
- Security consideration:
  - No hard-coded passwords required during the whole process
  - Manage file permissions to avoid running commands as the sudo user
  - Use of a Kubernetes Secret for TLS during the Stage 1 transition

- Serve the Tornjak GUI for SPIRE over HTTPS
- Set up Kubespray for multi-cluster deployment
- Configure RBAC authorization
- SPIFFE use case for the Unix and Docker workload attestors
- Combine the Unix, Docker and Kubernetes workload attestors by using a centralized SPIRE Server
- Use an UpstreamAuthority plugin to integrate with existing PKI infrastructure
- Manage the PKI certificate and key lifecycle
- MERN stack transition use case

- Tran Nguyen Bao Long @TNBL265
- Ivan Feng @IvanFengJK
- Ryan Toh @Rye123