1 of 25

SPIRE FEDERATION:  GALADRIEL

Maxi Churichi - Argentina - HPE

Juliano Fantozzi - Brazil - HPE

  • 1

2 of 25

THE TALK

  • The WHAT:
    • SPIRE Federation
  • The HOW 
    • How does SPIRE Federation work?
  • The WHY
    • Current limitations
    • How is Federation being approached?
  • The proposed new HOW
    • GALADRIEL
    • DEMO
  • The NEXT
    • What's next?


3 of 25

THE WHAT: SPIRE FEDERATION


4 of 25

SPIFFE – SPIRE FEDERATION

Allows secure communications between services that are in different trust domains


[Diagram: SPIRE Server A and SPIRE Server B, each with its own SPIRE Agent and Workload (Workload A, Workload B); the two servers are linked by Federation (servers constantly exchange trust bundles)]

5 of 25

CURRENT SPIRE FEDERATION

  • Manual configuration
  • Federation API


[Diagram labels: Exposing the trust bundle via endpoint; Defining relationships]

6 of 25

HOW DOES CURRENT SPIRE FEDERATION WORK?


[Diagram: SPIRE A and SPIRE B; on each server the steps are 1. Endpoint configuration, 2. Federation configuration, 3. Trust bundle setting; in step 4 the servers exchange Trust Bundle A and Trust Bundle B]
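The three configuration steps above correspond to concrete sections of a SPIRE server configuration. The following server.conf fragment is an added example, not taken from the slides or from the Galadriel project; the trust domains a.org and b.org, the host name and the port are constructed values, and the plugins section every SPIRE server also needs is left out.

```hcl
# Constructed example: trust domain a.org federating with b.org (not from the slides).
server {
    bind_address = "0.0.0.0"
    bind_port    = "8081"
    trust_domain = "a.org"
    data_dir     = "/opt/spire/data/server"
    log_level    = "INFO"

    federation {
        # Step 1, endpoint configuration: serve this server's own trust bundle.
        # This is the port that every federated SPIRE server has to expose.
        bundle_endpoint {
            address = "0.0.0.0"
            port    = 8443
        }

        # Step 2, federation configuration: the relationship with the peer.
        federates_with "b.org" {
            bundle_endpoint_url = "https://spire-server.b.org:8443"
            # With the https_spiffe profile the peer endpoint authenticates with
            # a b.org X509-SVID, so b.org's bundle must already be present locally
            # before the first fetch can be verified (that is step 3).
            bundle_endpoint_profile "https_spiffe" {
                endpoint_spiffe_id = "spiffe://b.org/spire/server"
            }
        }
    }
}
```

Step 3, trust bundle setting, is the manual bootstrap: export the peer's bundle on the b.org server with `spire-server bundle show -format spiffe`, copy it out of band, and load it on the a.org server with `spire-server bundle set -format spiffe -id spiffe://b.org -path <file>`; the mirror-image steps are repeated on b.org. From then on step 4, the periodic bundle refresh, runs without operator involvement. A workload only receives the federated bundle if its registration entry names the peer trust domain (`spire-server entry create ... -federatesWith spiffe://b.org`).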

7 of 25

THE WHY: CURRENT LIMITATIONS


8 of 25

FEDERATION TODAY


[Diagram: three SPIRE servers federated directly with each other]

  • Federation requires both servers to expose a port for accessing bundles
  • Scalability
  • There is no central way to audit all the federation relationships inside an organization

9 of 25

SOME OF THE CURRENT FEDERATION APPROACHES

  • Direct peer to peer
    • Either HTTPS or HTTPS+SPIFFE supported
  • Sharing via an object store (S3 bucket, Vault, etc.)
  • Via a VPN or tunnel
  • SPIRE Controller Manager

10 of 25

GALADRIEL – A SPIRE FEDERATION ALTERNATIVE


11 of 25

FEDERATION WITH GALADRIEL


[Diagram: two SPIRE servers, each connected to GALADRIEL rather than to each other]

Galadriel is a central point that collects trust bundles and shares them with SPIRE servers

12 of 25

FEDERATION WITH GALADRIEL


[Diagram: the same layout with a third SPIRE server added; each SPIRE server connects only to GALADRIEL, which collects the trust bundles and shares them with the SPIRE servers]

13 of 25

GALADRIEL

WHAT IT IS

  • Alternative approach to federation
  • Multi-tenant
  • Federation at scale

WHAT IT IS NOT

  • A replacement of current SPIRE federation
  • A SPIRE plugin

14 of 25

DESIGN CONSIDERATIONS


  • Galadriel Server synchronizes all connected Harvesters
  • Galadriel Harvesters run alongside their SPIRE server
  • Easy to deploy and manage

[Diagram: SPIRE SERVER with a HARVESTER beside it, the HARVESTER connected to the GALADRIEL SERVER]

15 of 25

SECURITY CONSIDERATIONS

  • Never concatenate bundles
  • Federation relationships are kept secure in the database
  • No sensitive material being sent over the network
  • End-to-end signature verification of bundles
  • Multitenancy
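"Never concatenate bundles" is the consideration that is easiest to get wrong when a component starts handling bundles for many trust domains at once. The Go program below is an added example written for this page; it is not Galadriel or SPIRE code and it does not use the SPIRE libraries. It builds two constructed trust domains, a.org and b.org, each with a throwaway self-signed CA, and compares a bundle store that keeps one root pool per trust domain with a single pool into which both bundles were concatenated. The SPIFFE IDs, CA names and validity periods are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// BundleStore keeps one root pool per trust domain; bundles sit side by side
// and are never merged into a single pool.
type BundleStore map[string]*x509.CertPool

// VerifySVID validates an X509-SVID only against the bundle of the trust domain
// named in its SPIFFE ID, and only if that is the trust domain the caller expects.
func (s BundleStore) VerifySVID(svid *x509.Certificate, expectedTD string) error {
	if len(svid.URIs) != 1 {
		return fmt.Errorf("an X509-SVID must carry exactly one URI SAN, got %d", len(svid.URIs))
	}
	td := svid.URIs[0].Host // spiffe://<trust domain>/<path>
	if td != expectedTD {
		return fmt.Errorf("SVID is from trust domain %q, expected %q", td, expectedTD)
	}
	roots, ok := s[td]
	if !ok {
		return fmt.Errorf("no trust bundle for trust domain %q", td)
	}
	return verifyChain(svid, roots)
}

// verifyChain is the raw chain check; on its own it has no notion of trust domains.
func verifyChain(svid *x509.Certificate, roots *x509.CertPool) error {
	_, err := svid.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// signer is a constructed self-signed CA standing in for one SPIRE server's signing authority.
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newCA(cn string) *signer {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &signer{cert: cert, key: key}
}

// issueSVID signs a leaf certificate whose single URI SAN is the given SPIFFE ID.
func (s *signer) issueSVID(spiffeID string) *x509.Certificate {
	id, err := url.Parse(spiffeID)
	check(err)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), URIs: []*url.URL{id},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, s.cert, &key.PublicKey, s.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// Result records what each strategy decided for the constructed scenario.
type Result struct {
	GenuineAccepted         bool // a.org SVID signed by a.org's CA, per-trust-domain check
	CrossSignedRejected     bool // a.org SPIFFE ID signed by b.org's CA, per-trust-domain check
	CrossSignedPassesMerged bool // the same cross-signed SVID against the concatenated pool
}

// Scenario builds the two constructed trust domains and runs both strategies.
func Scenario() Result {
	caA, caB := newCA("a.org CA"), newCA("b.org CA")
	genuine := caA.issueSVID("spiffe://a.org/workload")
	crossSigned := caB.issueSVID("spiffe://a.org/workload") // b.org's CA vouching for an a.org identity
	poolA, poolB, merged := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(caA.cert)
	poolB.AddCert(caB.cert)
	merged.AddCert(caA.cert)
	merged.AddCert(caB.cert) // the "concatenated bundles" anti-pattern
	store := BundleStore{"a.org": poolA, "b.org": poolB}
	return Result{
		GenuineAccepted:         store.VerifySVID(genuine, "a.org") == nil,
		CrossSignedRejected:     store.VerifySVID(crossSigned, "a.org") != nil,
		CrossSignedPassesMerged: verifyChain(crossSigned, merged) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The per-trust-domain store rejects the cross-signed SVID because b.org's CA is simply not in a.org's bundle, while the concatenated pool accepts it: once bundles are merged, any federated CA can vouch for identities in any trust domain, which is exactly the failure a central bundle distributor has to avoid.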

16 of 25

DEMO MAP

[Diagram: SPIRE A and SPIRE B, each with a Galadriel Harvester attached over UDS; both Harvesters talk REST to the Galadriel Server, which stores Members and Relationships; each SPIRE server has a SPIRE Agent, one serving the Greeter Server and the other the Greeter Client]
17 of 25 to 23 of 25

DEMO MAP

[Slides 17 to 23 repeat the slide 16 diagram, adding the demo flow step numbers one at a time: 1, 2, 3, 4, 5, 6+7]

DEMO TIME!
24 of 25

NEXT STEPS

  • Working on an MVP for first half of 2023
  • Finalize end-to-end verification design


25 of 25

SUPPORTING DOCS
