Maximiliano Churichi, HPE
Max Lambrecht, HPE
SPIFFE and SPIRE contribute to strong identification and attestation of workloads in cloud native environments. SPIRE provides functionality to federate with other entities following SPIFFE federation specifications, and it allows for the creation of multiple federation entries. However, some limitations do exist.
First, SPIRE federation options require the setup of a secure, public endpoint to serve the federation data. For some use cases, such exposure is not feasible due to security and scalability concerns. Second, the more SPIFFE trust domains are federated, the more complex the configuration and maintenance of federation entries. Administration of federation is tedious as multiple steps are needed to define a two-way federation on each SPIRE server. Third, current tools do not provide the means to audit and manage life cycles of relationships.
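To make the second limitation concrete, the following is an added illustration (not part of the talk abstract or of the Galadriel project) of what a two-way SPIRE federation between two trust domains looks like today. It uses the standard SPIRE server configuration blocks (`federation`, `bundle_endpoint`, `federates_with`) and the `https_spiffe` bundle endpoint profile; the trust domain names, addresses and port are placeholders chosen for the example. The same block has to be mirrored on the other server with the roles swapped, and the bootstrap and registration commands in the comments must be repeated on each side, which is the per-pair administrative cost the abstract refers to.

```hcl
# server.conf on the SPIRE server for trust domain "alpha.example" (placeholder name)
server {
  trust_domain = "alpha.example"

  federation {
    # Each federated server must expose its own bundle endpoint publicly.
    # (placeholder address/port; this is the public endpoint the abstract mentions)
    bundle_endpoint {
      address = "0.0.0.0"
      port    = 8443
    }

    # One federates_with block per remote trust domain; with N peers this
    # block is repeated N times on every server.
    federates_with "beta.example" {
      bundle_endpoint_url = "https://beta-spire.example:8443"   # placeholder URL
      bundle_endpoint_profile "https_spiffe" {
        # The remote server's SPIFFE ID, used to authenticate its endpoint
        # once the initial bundle has been bootstrapped out of band.
        endpoint_spiffe_id = "spiffe://beta.example/spire/server"
      }
    }
  }
}

# Steps that still have to be performed manually on THIS server for the
# relationship to work (and again, mirrored, on the beta.example server):
#
#   1. Obtain beta.example's current bundle out of band and bootstrap it:
#        spire-server bundle set -format spiffe -id spiffe://beta.example -path beta-bundle.json
#
#   2. Mark every workload that should trust beta.example with -federatesWith
#      when creating its registration entry, e.g.:
#        spire-server entry create -parentID spiffe://alpha.example/agent \
#          -spiffeID spiffe://alpha.example/app -selector unix:uid:1000 \
#          -federatesWith spiffe://beta.example
#
# Nothing here records when the relationship was created, by whom, or when
# it should be reviewed or revoked, which is the audit/lifecycle gap the
# abstract lists as the third limitation.
```

With the roles swapped, `beta.example` needs the mirror image of this configuration plus its own bundle bootstrap and registration entries, so each additional trust domain adds configuration and manual steps on every server that federates with it.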
This talk will introduce Galadriel, an alternative approach that facilitates SPIRE federation of multiple trust domains via a central exchange hub. The talk will describe Galadriel's architecture and present the benefits, limitations, and potential evolution of such an alternative.