Multi-Cluster SPIFFE Federation: Building Cross-Cloud Zero-Trust Architecture

Introduction: Beyond Single-Cluster Identity#

In our previous guides, we’ve built robust SPIFFE/SPIRE deployments within single Kubernetes clusters. However, modern enterprises operate across multiple clusters, regions, and cloud providers. This creates the challenge of establishing trust relationships between workloads that span organizational boundaries while maintaining the cryptographic guarantees that make SPIFFE/SPIRE so powerful.

This comprehensive guide explores SPIFFE federation—the mechanism that enables secure, verifiable communication between workloads across different trust domains without compromising on zero-trust principles or requiring complex credential management.

Understanding SPIFFE Federation Architecture#

Let’s visualize a multi-cluster federated SPIFFE deployment:

1
graph TB
2
    subgraph "Trust Domain: aws.company.com"
3
        subgraph "AWS Production Cluster"
4
            AWS_SPIRE_SERVER[SPIRE Server AWS]
5
            AWS_SPIRE_AGENT1[SPIRE Agent]
6
            AWS_WL1[Frontend Service]
7
            AWS_WL2[Auth Service]
8

9
            AWS_SPIRE_SERVER --> AWS_SPIRE_AGENT1
10
            AWS_SPIRE_AGENT1 --> AWS_WL1
11
            AWS_SPIRE_AGENT1 --> AWS_WL2
12
        end
13

14
        AWS_BUNDLE_EP[Bundle Endpoint<br/>8443]
15
        AWS_SPIRE_SERVER --> AWS_BUNDLE_EP
16
    end
17

18
    subgraph "Trust Domain: gcp.company.com"
19
        subgraph "GCP Data Cluster"
20
            GCP_SPIRE_SERVER[SPIRE Server GCP]
21
            GCP_SPIRE_AGENT1[SPIRE Agent]
22
            GCP_WL1[Data Service]
23
            GCP_WL2[ML Pipeline]
24

25
            GCP_SPIRE_SERVER --> GCP_SPIRE_AGENT1
26
            GCP_SPIRE_AGENT1 --> GCP_WL1
27
            GCP_SPIRE_AGENT1 --> GCP_WL2
28
        end
29

30
        GCP_BUNDLE_EP[Bundle Endpoint<br/>8443]
31
        GCP_SPIRE_SERVER --> GCP_BUNDLE_EP
32
    end
33

34
    subgraph "Trust Domain: onprem.company.com"
35
        subgraph "On-Premises Edge Cluster"
36
            ONPREM_SPIRE_SERVER[SPIRE Server OnPrem]
37
            ONPREM_SPIRE_AGENT1[SPIRE Agent]
38
            ONPREM_WL1[Legacy System]
39
            ONPREM_WL2[Edge Gateway]
40

41
            ONPREM_SPIRE_SERVER --> ONPREM_SPIRE_AGENT1
42
            ONPREM_SPIRE_AGENT1 --> ONPREM_WL1
43
            ONPREM_SPIRE_AGENT1 --> ONPREM_WL2
44
        end
45

46
        ONPREM_BUNDLE_EP[Bundle Endpoint<br/>8443]
47
        ONPREM_SPIRE_SERVER --> ONPREM_BUNDLE_EP
48
    end
49

50
    subgraph "Federation Relationships"
51
        AWS_BUNDLE_EP -.->|Trust Bundle Exchange| GCP_BUNDLE_EP
52
        GCP_BUNDLE_EP -.->|Trust Bundle Exchange| ONPREM_BUNDLE_EP
53
        ONPREM_BUNDLE_EP -.->|Trust Bundle Exchange| AWS_BUNDLE_EP
54
    end
55

56
    subgraph "Cross-Cluster Communication"
57
        AWS_WL1 -.->|mTLS with Federated SVID| GCP_WL1
58
        GCP_WL2 -.->|mTLS with Federated SVID| ONPREM_WL2
59
        ONPREM_WL1 -.->|mTLS with Federated SVID| AWS_WL2
60
    end
61

62
    style AWS_SPIRE_SERVER fill:#ff9999
63
    style GCP_SPIRE_SERVER fill:#99ff99
64
    style ONPREM_SPIRE_SERVER fill:#9999ff
65
    style AWS_BUNDLE_EP fill:#ffcccc
66
    style GCP_BUNDLE_EP fill:#ccffcc
67
    style ONPREM_BUNDLE_EP fill:#ccccff

Federation Benefits#

Cross-Cloud Zero Trust: Workloads authenticate across cloud boundaries without VPNs or complex networking
Cryptographic Trust: Federation relationships are based on cryptographic verification, not network controls
Scalable Identity: Central identity management across distributed infrastructure
Regulatory Compliance: Meet data residency requirements while maintaining unified security
Disaster Recovery: Seamless failover between federated clusters

Federation Concepts and Components#

Trust Domains#

Each SPIRE deployment operates within a trust domain - a boundary within which SPIRE has authority to mint and validate identities:

1
# Trust domain examples
2
spiffe://aws.company.com          # AWS production environment
3
spiffe://gcp.company.com          # GCP data processing environment
4
spiffe://onprem.company.com       # On-premises legacy systems
5
spiffe://edge.company.com         # Edge computing nodes
6
spiffe://partner.example.com      # External partner systems

Trust Bundles#

A trust bundle contains the public keys (root CAs) that a trust domain uses to validate SVIDs. During federation, trust domains exchange their bundles to establish mutual trust.

Bundle Endpoints#

Each SPIRE Server exposes a bundle endpoint that allows other trust domains to retrieve its current trust bundle. This enables automatic trust bundle updates when certificates rotate.

Setting Up Multi-Cluster Federation#

Step 1: Configure Trust Domain Infrastructure#

Let’s set up three clusters representing a typical enterprise scenario:

1
# aws-cluster-config.yaml - AWS Production Cluster
2
apiVersion: v1
3
kind: ConfigMap
4
metadata:
5
  name: spire-server-aws-config
6
  namespace: spire-system
7
data:
8
  server.conf: |
9
    server {
10
      bind_address = "0.0.0.0"
11
      bind_port = "8081"
12
      socket_path = "/tmp/spire-server/private/api.sock"
13
      trust_domain = "aws.company.com"
14
      data_dir = "/run/spire/data"
15
      log_level = "INFO"
16

17
      # Federation configuration
18
      federation {
19
        # Bundle endpoint configuration
20
        bundle_endpoint {
21
          address = "0.0.0.0"
22
          port = 8443
23

24
          # ACL for bundle access
25
          acme {
26
            tos_accepted = true
27
            cache_dir = "/tmp/spire-server/private/acme"
28
            directory_url = "https://acme-v02.api.letsencrypt.org/directory"
29
          }
30
        }
31

32
        # Federated trust domains
33
        federates_with {
34
          "gcp.company.com" {
35
            bundle_endpoint_url = "https://spire-bundle.gcp.company.com:8443"
36
            bundle_endpoint_profile {
37
              endpoint_spiffe_id = "spiffe://gcp.company.com/spire/server"
38

39
              # Authentication method
40
              type = "https_spiffe"
41

42
              # Custom CA for verification (optional)
43
              # tls_ca_cert_path = "/etc/ssl/certs/gcp-ca.pem"
44
            }
45
          }
46

47
          "onprem.company.com" {
48
            bundle_endpoint_url = "https://spire-bundle.onprem.company.com:8443"
49
            bundle_endpoint_profile {
50
              type = "https_web"
51

52
              # Web PKI verification
53
              # tls_ca_cert_path = "/etc/ssl/certs/ca-certificates.crt"
54
            }
55
          }
56

57
          # Partner trust domain with restricted access
58
          "partner.example.com" {
59
            bundle_endpoint_url = "https://spire-bundle.partner.example.com:8443"
60
            bundle_endpoint_profile {
61
              type = "https_spiffe"
62
              endpoint_spiffe_id = "spiffe://partner.example.com/spire/server"
63
            }
64

65
            # Refresh interval for partner bundles
66
            refresh_hint = "3600s"
67
          }
68
        }
69
      }
70

71
      # CA configuration for federation
72
      ca_subject = {
73
        country = ["US"],
74
        organization = ["Company Corp"],
75
        organizational_unit = ["AWS Production"],
76
        common_name = "SPIRE Server CA - AWS",
77
      }
78

79
      # JWT issuer for cross-domain authentication
80
      jwt_issuer = "https://oidc.aws.company.com"
81
    }
82

83
    plugins {
84
      NodeAttestor "aws_iid" {
85
        plugin_data {
86
          access_key_id = "${AWS_ACCESS_KEY_ID}"
87
          secret_access_key = "${AWS_SECRET_ACCESS_KEY}"
88
          account_ids_for_verification = ["123456789012"]
89
          instance_tag_requirements = {
90
            "Environment" = ["production"]
91
            "TrustDomain" = ["aws.company.com"]
92
          }
93
        }
94
      }
95

96
      WorkloadAttestor "k8s" {
97
        plugin_data {
98
          skip_kubelet_verification = false
99
          kubelet_secure_port = 10250
100
        }
101
      }
102

103
      DataStore "sql" {
104
        plugin_data {
105
          database_type = "postgres"
106
          connection_string = "host=postgres-aws.data.svc.cluster.local dbname=spire user=spire sslmode=require"
107
        }
108
      }
109

110
      KeyManager "aws_kms" {
111
        plugin_data {
112
          key_id = "arn:aws:kms:us-east-1:123456789012:key/aws-spire-key"
113
          region = "us-east-1"
114
        }
115
      }
116

117
      UpstreamAuthority "aws_pca" {
118
        plugin_data {
119
          certificate_authority_arn = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/aws-spire-ca"
120
          region = "us-east-1"
121
          validity_period_hours = 8760
122
        }
123
      }
124

125
      # Bundle endpoint notifier
126
      Notifier "k8sbundle" {
127
        plugin_data {
128
          webhook_label = "spiffe.io/webhook"
129
          config_map = "spire-bundle"
130
          config_map_key = "bundle.crt"
131
          namespace = "spire-system"
132
        }
133
      }
134
    }
135
---
136
# gcp-cluster-config.yaml - GCP Data Cluster
137
apiVersion: v1
138
kind: ConfigMap
139
metadata:
140
  name: spire-server-gcp-config
141
  namespace: spire-system
142
data:
143
  server.conf: |
144
    server {
145
      bind_address = "0.0.0.0"
146
      bind_port = "8081"
147
      socket_path = "/tmp/spire-server/private/api.sock"
148
      trust_domain = "gcp.company.com"
149
      data_dir = "/run/spire/data"
150
      log_level = "INFO"
151

152
      federation {
153
        bundle_endpoint {
154
          address = "0.0.0.0"
155
          port = 8443
156

157
          # GCP-specific TLS configuration
158
          tls {
159
            cert_chain_path = "/etc/ssl/spire/bundle-endpoint.crt"
160
            private_key_path = "/etc/ssl/spire/bundle-endpoint.key"
161
            ca_cert_path = "/etc/ssl/spire/ca.crt"
162
          }
163
        }
164

165
        federates_with {
166
          "aws.company.com" {
167
            bundle_endpoint_url = "https://spire-bundle.aws.company.com:8443"
168
            bundle_endpoint_profile {
169
              type = "https_spiffe"
170
              endpoint_spiffe_id = "spiffe://aws.company.com/spire/server"
171
            }
172
          }
173

174
          "onprem.company.com" {
175
            bundle_endpoint_url = "https://spire-bundle.onprem.company.com:8443"
176
            bundle_endpoint_profile {
177
              type = "https_web"
178
            }
179
          }
180
        }
181
      }
182

183
      ca_subject = {
184
        country = ["US"],
185
        organization = ["Company Corp"],
186
        organizational_unit = ["GCP Data Processing"],
187
        common_name = "SPIRE Server CA - GCP",
188
      }
189

190
      jwt_issuer = "https://oidc.gcp.company.com"
191
    }
192

193
    plugins {
194
      NodeAttestor "gcp_iit" {
195
        plugin_data {
196
          projectid_whitelist = ["company-gcp-data"]
197
          service_account_whitelist = [
198
            "spire-agent@company-gcp-data.iam.gserviceaccount.com"
199
          ]
200
          zone_whitelist = ["us-central1-a", "us-central1-b"]
201
        }
202
      }
203

204
      WorkloadAttestor "k8s" {
205
        plugin_data {
206
          skip_kubelet_verification = false
207
          kubelet_secure_port = 10250
208
        }
209
      }
210

211
      DataStore "sql" {
212
        plugin_data {
213
          database_type = "postgres"
214
          connection_string = "host=postgres-gcp.data.svc.cluster.local dbname=spire user=spire sslmode=require"
215
        }
216
      }
217

218
      KeyManager "gcp_kms" {
219
        plugin_data {
220
          key_name = "projects/company-gcp-data/locations/us-central1/keyRings/spire/cryptoKeys/spire-server"
221
        }
222
      }
223

224
      UpstreamAuthority "gcp_cas" {
225
        plugin_data {
226
          ca_name = "projects/company-gcp-data/locations/us-central1/certificateAuthorities/spire-ca"
227
          validity_period_hours = 8760
228
        }
229
      }
230
    }
231
---
232
# onprem-cluster-config.yaml - On-Premises Edge Cluster
233
apiVersion: v1
234
kind: ConfigMap
235
metadata:
236
  name: spire-server-onprem-config
237
  namespace: spire-system
238
data:
239
  server.conf: |
240
    server {
241
      bind_address = "0.0.0.0"
242
      bind_port = "8081"
243
      socket_path = "/tmp/spire-server/private/api.sock"
244
      trust_domain = "onprem.company.com"
245
      data_dir = "/run/spire/data"
246
      log_level = "INFO"
247

248
      federation {
249
        bundle_endpoint {
250
          address = "0.0.0.0"
251
          port = 8443
252

253
          # On-premises certificate management
254
          tls {
255
            cert_chain_path = "/etc/ssl/spire/server.crt"
256
            private_key_path = "/etc/ssl/spire/server.key"
257
            ca_cert_path = "/etc/ssl/spire/ca.crt"
258
          }
259

260
          # Access control for on-premises
261
          acl {
262
            authorized_keys = [
263
              "/etc/ssl/spire/federation-client.pub"
264
            ]
265
          }
266
        }
267

268
        federates_with {
269
          "aws.company.com" {
270
            bundle_endpoint_url = "https://spire-bundle.aws.company.com:8443"
271
            bundle_endpoint_profile {
272
              type = "https_spiffe"
273
              endpoint_spiffe_id = "spiffe://aws.company.com/spire/server"
274
            }
275
          }
276

277
          "gcp.company.com" {
278
            bundle_endpoint_url = "https://spire-bundle.gcp.company.com:8443"
279
            bundle_endpoint_profile {
280
              type = "https_spiffe"
281
              endpoint_spiffe_id = "spiffe://gcp.company.com/spire/server"
282
            }
283
          }
284
        }
285
      }
286

287
      ca_subject = {
288
        country = ["US"],
289
        organization = ["Company Corp"],
290
        organizational_unit = ["On-Premises Operations"],
291
        common_name = "SPIRE Server CA - OnPrem",
292
      }
293

294
      jwt_issuer = "https://oidc.onprem.company.com"
295
    }
296

297
    plugins {
298
      NodeAttestor "join_token" {
299
        plugin_data = {}
300
      }
301

302
      WorkloadAttestor "k8s" {
303
        plugin_data {
304
          skip_kubelet_verification = false
305
          kubelet_secure_port = 10250
306
        }
307
      }
308

309
      WorkloadAttestor "unix" {
310
        plugin_data {
311
          discover_workload_path = true
312
        }
313
      }
314

315
      DataStore "sql" {
316
        plugin_data {
317
          database_type = "postgres"
318
          connection_string = "host=postgres-onprem.data.svc.cluster.local dbname=spire user=spire sslmode=require"
319
        }
320
      }
321

322
      KeyManager "disk" {
323
        plugin_data {
324
          keys_path = "/run/spire/data/keys.json"
325
        }
326
      }
327

328
      UpstreamAuthority "disk" {
329
        plugin_data {
330
          cert_file_path = "/run/spire/ca/ca.crt"
331
          key_file_path = "/run/spire/ca/ca.key"
332
        }
333
      }
334
    }

Step 2: Configure Workload Registration for Federation#

Create ClusterSPIFFEID resources that enable cross-cluster communication:

1
# AWS Frontend Service - can communicate with GCP data services
2
apiVersion: spire.spiffe.io/v1alpha1
3
kind: ClusterSPIFFEID
4
metadata:
5
  name: aws-frontend-service
6
  namespace: spire-system
7
spec:
8
  spiffeIDTemplate: "spiffe://aws.company.com/ns/{{ .PodMeta.Namespace }}/service/{{ .PodMeta.Labels.service }}"
9

10
  podSelector:
11
    matchLabels:
12
      component: frontend
13

14
  namespaceSelector:
15
    matchNames:
16
      - "production"
17
      - "staging"
18

19
  workloadSelectorTemplates:
20
    - "k8s:ns:{{ .PodMeta.Namespace }}"
21
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
22
    - "k8s:service:{{ .PodMeta.Labels.service }}"
23

24
  # Enable federation with GCP and on-premises
25
  federatesWith:
26
    - "gcp.company.com"
27
    - "onprem.company.com"
28

29
  dnsNameTemplates:
30
    - "{{ .PodMeta.Labels.service }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
31
    - "frontend.aws.company.com"
32

33
  ttl: 3600
34
---
35
# GCP Data Service - can receive requests from AWS and send to on-premises
36
apiVersion: spire.spiffe.io/v1alpha1
37
kind: ClusterSPIFFEID
38
metadata:
39
  name: gcp-data-service
40
  namespace: spire-system
41
spec:
42
  spiffeIDTemplate: "spiffe://gcp.company.com/ns/{{ .PodMeta.Namespace }}/service/{{ .PodMeta.Labels.service }}/version/{{ .PodMeta.Labels.version }}"
43

44
  podSelector:
45
    matchLabels:
46
      component: data-processing
47

48
  workloadSelectorTemplates:
49
    - "k8s:ns:{{ .PodMeta.Namespace }}"
50
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
51
    - "k8s:service:{{ .PodMeta.Labels.service }}"
52
    - "k8s:version:{{ .PodMeta.Labels.version }}"
53

54
  # Federation with AWS (to receive requests) and on-premises (to access legacy data)
55
  federatesWith:
56
    - "aws.company.com"
57
    - "onprem.company.com"
58

59
  dnsNameTemplates:
60
    - "{{ .PodMeta.Labels.service }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
61
    - "data.gcp.company.com"
62

63
  ttl: 3600
64
---
65
# On-Premises Legacy System - bridge to cloud services
66
apiVersion: spire.spiffe.io/v1alpha1
67
kind: ClusterSPIFFEID
68
metadata:
69
  name: onprem-legacy-bridge
70
  namespace: spire-system
71
spec:
72
  spiffeIDTemplate: "spiffe://onprem.company.com/datacenter/{{ .PodMeta.Labels.datacenter }}/system/{{ .PodMeta.Labels.system }}"
73

74
  podSelector:
75
    matchLabels:
76
      component: legacy-bridge
77

78
  workloadSelectorTemplates:
79
    - "k8s:ns:{{ .PodMeta.Namespace }}"
80
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
81
    - "k8s:datacenter:{{ .PodMeta.Labels.datacenter }}"
82
    - "k8s:system:{{ .PodMeta.Labels.system }}"
83

84
  # Can communicate with cloud services
85
  federatesWith:
86
    - "aws.company.com"
87
    - "gcp.company.com"
88

89
  dnsNameTemplates:
90
    - "{{ .PodMeta.Labels.system }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
91
    - "legacy.onprem.company.com"
92

93
  ttl: 7200 # Longer TTL for stable legacy systems
94
---
95
# Cross-domain API Gateway
96
apiVersion: spire.spiffe.io/v1alpha1
97
kind: ClusterSPIFFEID
98
metadata:
99
  name: cross-domain-gateway
100
  namespace: spire-system
101
spec:
102
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/gateway/{{ .PodMeta.Labels.gateway-type }}/{{ .PodMeta.Labels.region }}"
103

104
  podSelector:
105
    matchLabels:
106
      component: api-gateway
107

108
  workloadSelectorTemplates:
109
    - "k8s:ns:{{ .PodMeta.Namespace }}"
110
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
111
    - "k8s:gateway-type:{{ .PodMeta.Labels.gateway-type }}"
112
    - "k8s:region:{{ .PodMeta.Labels.region }}"
113

114
  # Gateway can communicate across all domains
115
  federatesWith:
116
    - "aws.company.com"
117
    - "gcp.company.com"
118
    - "onprem.company.com"
119
    - "partner.example.com"
120

121
  dnsNameTemplates:
122
    - "api-gateway.{{ .PodMeta.Namespace }}.svc.cluster.local"
123
    - 'api.{{ .TrustDomain | replace "://" "." }}'
124

125
  ttl: 3600

Step 3: Deploy Cross-Cluster Application Example#

Let’s deploy a distributed application that spans multiple clusters:

1
# aws-frontend-deployment.yaml - Deployed in AWS cluster
2
apiVersion: v1
3
kind: Namespace
4
metadata:
5
  name: distributed-app
6
  labels:
7
    federation: enabled
8
---
9
apiVersion: v1
10
kind: ServiceAccount
11
metadata:
12
  name: frontend-service
13
  namespace: distributed-app
14
---
15
apiVersion: apps/v1
16
kind: Deployment
17
metadata:
18
  name: frontend
19
  namespace: distributed-app
20
spec:
21
  replicas: 3
22
  selector:
23
    matchLabels:
24
      app: frontend
25
      service: frontend
26
  template:
27
    metadata:
28
      labels:
29
        app: frontend
30
        service: frontend
31
        component: frontend
32
        version: v1
33
    spec:
34
      serviceAccountName: frontend-service
35
      containers:
36
        - name: frontend
37
          image: company/frontend:v1.2.3
38
          ports:
39
            - containerPort: 8080
40
          env:
41
            # SPIFFE configuration
42
            - name: SPIFFE_ENDPOINT_SOCKET
43
              value: "unix:///run/spire/sockets/agent.sock"
44
            - name: TRUST_DOMAIN
45
              value: "aws.company.com"
46
            # Service endpoints in other clusters
47
            - name: DATA_SERVICE_URL
48
              value: "https://data.gcp.company.com:8443"
49
            - name: LEGACY_SERVICE_URL
50
              value: "https://legacy.onprem.company.com:8443"
51
          volumeMounts:
52
            - name: spire-agent-socket
53
              mountPath: /run/spire/sockets
54
              readOnly: true
55
      volumes:
56
        - name: spire-agent-socket
57
          hostPath:
58
            path: /run/spire/sockets
59
            type: DirectoryOrCreate
60
---
61
apiVersion: v1
62
kind: Service
63
metadata:
64
  name: frontend
65
  namespace: distributed-app
66
spec:
67
  selector:
68
    app: frontend
69
  ports:
70
    - port: 8080
71
      targetPort: 8080
72
      name: http
73
  type: LoadBalancer

1
# gcp-data-service-deployment.yaml - Deployed in GCP cluster
2
apiVersion: v1
3
kind: Namespace
4
metadata:
5
  name: distributed-app
6
  labels:
7
    federation: enabled
8
---
9
apiVersion: v1
10
kind: ServiceAccount
11
metadata:
12
  name: data-service
13
  namespace: distributed-app
14
---
15
apiVersion: apps/v1
16
kind: Deployment
17
metadata:
18
  name: data-service
19
  namespace: distributed-app
20
spec:
21
  replicas: 2
22
  selector:
23
    matchLabels:
24
      app: data-service
25
      service: data-processing
26
  template:
27
    metadata:
28
      labels:
29
        app: data-service
30
        service: data-processing
31
        component: data-processing
32
        version: v2
33
    spec:
34
      serviceAccountName: data-service
35
      containers:
36
        - name: data-service
37
          image: company/data-service:v2.1.0
38
          ports:
39
            - containerPort: 8443
40
          env:
41
            - name: SPIFFE_ENDPOINT_SOCKET
42
              value: "unix:///run/spire/sockets/agent.sock"
43
            - name: TRUST_DOMAIN
44
              value: "gcp.company.com"
45
            # Allowed client trust domains
46
            - name: ALLOWED_CLIENT_TRUST_DOMAINS
47
              value: "aws.company.com,onprem.company.com"
48
            # Legacy system endpoint
49
            - name: LEGACY_DB_URL
50
              value: "https://database.onprem.company.com:5432"
51
          volumeMounts:
52
            - name: spire-agent-socket
53
              mountPath: /run/spire/sockets
54
              readOnly: true
55
      volumes:
56
        - name: spire-agent-socket
57
          hostPath:
58
            path: /run/spire/sockets
59
            type: DirectoryOrCreate
60
---
61
apiVersion: v1
62
kind: Service
63
metadata:
64
  name: data-service
65
  namespace: distributed-app
66
spec:
67
  selector:
68
    app: data-service
69
  ports:
70
    - port: 8443
71
      targetPort: 8443
72
      name: https

1
# onprem-legacy-bridge-deployment.yaml - Deployed in on-premises cluster
2
apiVersion: v1
3
kind: Namespace
4
metadata:
5
  name: distributed-app
6
  labels:
7
    federation: enabled
8
---
9
apiVersion: v1
10
kind: ServiceAccount
11
metadata:
12
  name: legacy-bridge
13
  namespace: distributed-app
14
---
15
apiVersion: apps/v1
16
kind: Deployment
17
metadata:
18
  name: legacy-bridge
19
  namespace: distributed-app
20
spec:
21
  replicas: 1
22
  selector:
23
    matchLabels:
24
      app: legacy-bridge
25
      system: mainframe-bridge
26
  template:
27
    metadata:
28
      labels:
29
        app: legacy-bridge
30
        system: mainframe-bridge
31
        component: legacy-bridge
32
        datacenter: primary
33
    spec:
34
      serviceAccountName: legacy-bridge
35
      containers:
36
        - name: legacy-bridge
37
          image: company/legacy-bridge:v1.0.5
38
          ports:
39
            - containerPort: 8443
40
            - containerPort: 5432 # Database proxy port
41
          env:
42
            - name: SPIFFE_ENDPOINT_SOCKET
43
              value: "unix:///run/spire/sockets/agent.sock"
44
            - name: TRUST_DOMAIN
45
              value: "onprem.company.com"
46
            # Cloud service endpoints that can access this bridge
47
            - name: ALLOWED_CLIENT_TRUST_DOMAINS
48
              value: "aws.company.com,gcp.company.com"
49
            # Legacy system configuration
50
            - name: MAINFRAME_HOST
51
              value: "mainframe.internal.company.com"
52
            - name: DATABASE_HOST
53
              value: "db-cluster.internal.company.com"
54
          volumeMounts:
55
            - name: spire-agent-socket
56
              mountPath: /run/spire/sockets
57
              readOnly: true
58
            # Mount legacy certificates for backward compatibility
59
            - name: legacy-certs
60
              mountPath: /etc/ssl/legacy
61
              readOnly: true
62
      volumes:
63
        - name: spire-agent-socket
64
          hostPath:
65
            path: /run/spire/sockets
66
            type: DirectoryOrCreate
67
        - name: legacy-certs
68
          secret:
69
            secretName: legacy-system-certs
70
---
71
apiVersion: v1
72
kind: Service
73
metadata:
74
  name: legacy-bridge
75
  namespace: distributed-app
76
spec:
77
  selector:
78
    app: legacy-bridge
79
  ports:
80
    - port: 8443
81
      targetPort: 8443
82
      name: https
83
    - port: 5432
84
      targetPort: 5432
85
      name: database

Step 4: Implement Cross-Cluster mTLS Communication#

Here’s how applications use federated SPIFFE identities for cross-cluster communication:

1
// frontend-service.go - AWS Frontend Service
2
package main
3

4
import (
5
    "context"
6
    "crypto/tls"
7
    "fmt"
8
    "io"
9
    "net/http"
10
    "time"
11

12
    "github.com/spiffe/go-spiffe/v2/spiffeid"
13
    "github.com/spiffe/go-spiffe/v2/spiffetls"
14
    "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
15
    "github.com/spiffe/go-spiffe/v2/workloadapi"
16
)
17

18
func main() {
19
    ctx := context.Background()
20

21
    // Create Workload API client
22
    client, err := workloadapi.New(ctx, workloadapi.WithAddr("unix:///run/spire/sockets/agent.sock"))
23
    if err != nil {
24
        panic(fmt.Sprintf("Failed to create workload API client: %v", err))
25
    }
26
    defer client.Close()
27

28
    // Set up HTTP server for incoming requests
29
    go startHTTPServer(client)
30

31
    // Example: Call GCP data service
32
    callGCPDataService(client)
33

34
    // Example: Call on-premises legacy service
35
    callOnPremLegacyService(client)
36

37
    select {} // Keep running
38
}
39

40
func startHTTPServer(client *workloadapi.Client) {
41
    // Create TLS config that accepts requests from any federated trust domain
42
    tlsConfig := tlsconfig.MTLSServerConfig(client, client, tlsconfig.AuthorizeAny())
43

44
    server := &http.Server{
45
        Addr:      ":8080",
46
        TLSConfig: tlsConfig,
47
        Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
48
            // Extract client identity from certificate
49
            if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
50
                clientID, err := spiffeid.FromURI(r.TLS.PeerCertificates[0].URIs[0])
51
                if err == nil {
52
                    fmt.Printf("Request from: %s\n", clientID)
53

54
                    // Make decisions based on client trust domain
55
                    switch clientID.TrustDomain().String() {
56
                    case "gcp.company.com":
57
                        w.Header().Set("Content-Type", "application/json")
58
                        fmt.Fprintf(w, `{"message": "Hello from AWS frontend", "client": "%s"}`, clientID)
59
                    case "onprem.company.com":
60
                        w.Header().Set("Content-Type", "application/json")
61
                        fmt.Fprintf(w, `{"message": "Legacy system acknowledged", "client": "%s"}`, clientID)
62
                    default:
63
                        http.Error(w, "Unauthorized trust domain", http.StatusForbidden)
64
                    }
65
                    return
66
                }
67
            }
68
            http.Error(w, "No valid client certificate", http.StatusUnauthorized)
69
        }),
70
    }
71

72
    fmt.Println("Frontend server starting on :8080...")
73
    if err := server.ListenAndServeTLS("", ""); err != nil {
74
        panic(fmt.Sprintf("Server failed: %v", err))
75
    }
76
}
77

78
func callGCPDataService(client *workloadapi.Client) {
79
    // Create TLS config for calling GCP data service
80
    gcpDataID := spiffeid.Must("gcp.company.com", "ns", "distributed-app", "service", "data-processing")
81
    tlsConfig := tlsconfig.MTLSClientConfig(client, client, tlsconfig.AuthorizeID(gcpDataID))
82

83
    httpClient := &http.Client{
84
        Transport: &http.Transport{
85
            TLSClientConfig: tlsConfig,
86
        },
87
        Timeout: 30 * time.Second,
88
    }
89

90
    // Make authenticated request to GCP data service
91
    resp, err := httpClient.Get("https://data.gcp.company.com:8443/api/process-data")
92
    if err != nil {
93
        fmt.Printf("Failed to call GCP data service: %v\n", err)
94
        return
95
    }
96
    defer resp.Body.Close()
97

98
    body, _ := io.ReadAll(resp.Body)
99
    fmt.Printf("GCP Data Service Response: %s\n", body)
100
}
101

102
func callOnPremLegacyService(client *workloadapi.Client) {
103
    // Create TLS config for calling on-premises legacy bridge
104
    onPremID := spiffeid.Must("onprem.company.com", "datacenter", "primary", "system", "mainframe-bridge")
105
    tlsConfig := tlsconfig.MTLSClientConfig(client, client, tlsconfig.AuthorizeID(onPremID))
106

107
    httpClient := &http.Client{
108
        Transport: &http.Transport{
109
            TLSClientConfig: tlsConfig,
110
        },
111
        Timeout: 60 * time.Second, // Longer timeout for legacy systems
112
    }
113

114
    // Make authenticated request to on-premises legacy bridge
115
    resp, err := httpClient.Get("https://legacy.onprem.company.com:8443/api/legacy-data")
116
    if err != nil {
117
        fmt.Printf("Failed to call on-premises legacy service: %v\n", err)
118
        return
119
    }
120
    defer resp.Body.Close()
121

122
    body, _ := io.ReadAll(resp.Body)
123
    fmt.Printf("On-Premises Legacy Service Response: %s\n", body)
124
}

1
// data-service.go - GCP Data Service
2
package main
3

4
import (
5
    "context"
6
    "database/sql"
7
    "encoding/json"
8
    "fmt"
9
    "net/http"
10
    "strings"
11
    "time"
12

13
    "github.com/spiffe/go-spiffe/v2/spiffeid"
14
    "github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
15
    "github.com/spiffe/go-spiffe/v2/workloadapi"
16
    _ "github.com/lib/pq"
17
)
18

19
type DataService struct {
20
    client   *workloadapi.Client
21
    database *sql.DB
22
}
23

24
func main() {
25
    ctx := context.Background()
26

27
    // Create Workload API client
28
    client, err := workloadapi.New(ctx, workloadapi.WithAddr("unix:///run/spire/sockets/agent.sock"))
29
    if err != nil {
30
        panic(fmt.Sprintf("Failed to create workload API client: %v", err))
31
    }
32
    defer client.Close()
33

34
    // Connect to database (simulated)
35
    db, err := sql.Open("postgres", "host=db-cluster.data.svc.cluster.local dbname=analytics user=dataservice sslmode=require")
36
    if err != nil {
37
        panic(fmt.Sprintf("Failed to connect to database: %v", err))
38
    }
39
    defer db.Close()
40

41
    service := &DataService{
42
        client:   client,
43
        database: db,
44
    }
45

46
    service.startServer()
47
}
48

49
func (ds *DataService) startServer() {
50
    // Create TLS config that accepts federated clients
51
    allowedClients := []spiffeid.ID{
52
        spiffeid.Must("aws.company.com", "ns", "distributed-app", "service", "frontend"),
53
        spiffeid.Must("onprem.company.com", "datacenter", "primary", "system", "mainframe-bridge"),
54
    }
55

56
    tlsConfig := tlsconfig.MTLSServerConfig(ds.client, ds.client, tlsconfig.AuthorizeOneOf(allowedClients...))
57

58
    mux := http.NewServeMux()
59
    mux.HandleFunc("/api/process-data", ds.processDataHandler)
60
    mux.HandleFunc("/api/health", ds.healthHandler)
61

62
    server := &http.Server{
63
        Addr:      ":8443",
64
        TLSConfig: tlsConfig,
65
        Handler:   mux,
66
    }
67

68
    fmt.Println("GCP Data Service starting on :8443...")
69
    if err := server.ListenAndServeTLS("", ""); err != nil {
70
        panic(fmt.Sprintf("Server failed: %v", err))
71
    }
72
}
73

74
func (ds *DataService) processDataHandler(w http.ResponseWriter, r *http.Request) {
75
    // Extract and validate client identity
76
    clientID, err := ds.getClientIdentity(r)
77
    if err != nil {
78
        http.Error(w, "Invalid client identity", http.StatusUnauthorized)
79
        return
80
    }
81

82
    fmt.Printf("Processing data request from: %s\n", clientID)
83

84
    // Different processing based on client trust domain
85
    var response map[string]interface{}
86

87
    switch clientID.TrustDomain().String() {
88
    case "aws.company.com":
89
        // AWS frontend gets aggregated data
90
        response = map[string]interface{}{
91
            "type":      "aggregated",
92
            "data":      ds.getAggregatedData(),
93
            "source":    "gcp.company.com",
94
            "client":    clientID.String(),
95
            "timestamp": time.Now().Unix(),
96
        }
97

98
    case "onprem.company.com":
99
        // On-premises gets raw data for legacy processing
100
        response = map[string]interface{}{
101
            "type":      "raw",
102
            "data":      ds.getRawDataForLegacy(),
103
            "source":    "gcp.company.com",
104
            "client":    clientID.String(),
105
            "timestamp": time.Now().Unix(),
106
        }
107

108
    default:
109
        http.Error(w, "Unauthorized trust domain", http.StatusForbidden)
110
        return
111
    }
112

113
    w.Header().Set("Content-Type", "application/json")
114
    json.NewEncoder(w).Encode(response)
115
}
116

117
func (ds *DataService) healthHandler(w http.ResponseWriter, r *http.Request) {
118
    w.Header().Set("Content-Type", "application/json")
119
    json.NewEncoder(w).Encode(map[string]string{
120
        "status":       "healthy",
121
        "trust_domain": "gcp.company.com",
122
        "service":      "data-processing",
123
    })
124
}
125

126
func (ds *DataService) getClientIdentity(r *http.Request) (spiffeid.ID, error) {
127
    if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
128
        return spiffeid.ID{}, fmt.Errorf("no client certificate")
129
    }
130

131
    return spiffeid.FromURI(r.TLS.PeerCertificates[0].URIs[0])
132
}
133

134
func (ds *DataService) getAggregatedData() interface{} {
135
    // Simulate aggregated data processing
136
    return map[string]interface{}{
137
        "total_records": 15420,
138
        "categories":    []string{"analytics", "ml-training", "reporting"},
139
        "processed_at":  time.Now().Format(time.RFC3339),
140
    }
141
}
142

143
func (ds *DataService) getRawDataForLegacy() interface{} {
144
    // Simulate raw data for legacy systems
145
    return map[string]interface{}{
146
        "records": []map[string]interface{}{
147
            {"id": 1, "value": "legacy-compatible-data-1"},
148
            {"id": 2, "value": "legacy-compatible-data-2"},
149
        },
150
        "format": "legacy-v1",
151
    }
152
}

Advanced Federation Patterns#

Hierarchical Trust Relationships#

Configure hierarchical trust where some domains trust others transitively:

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: spire-server-hierarchical-config
5
  namespace: spire-system
6
data:
7
  server.conf: |
8
    server {
9
      bind_address = "0.0.0.0"
10
      bind_port = "8081"
11
      trust_domain = "root.company.com"
12

13
      # Root trust domain configuration
14
      federation {
15
        bundle_endpoint {
16
          address = "0.0.0.0"
17
          port = 8443
18
        }
19

20
        # Direct trust relationships
21
        federates_with {
22
          # Production environments
23
          "aws.prod.company.com" {
24
            bundle_endpoint_url = "https://spire-bundle.aws.prod.company.com:8443"
25
            bundle_endpoint_profile {
26
              type = "https_spiffe"
27
              endpoint_spiffe_id = "spiffe://aws.prod.company.com/spire/server"
28
            }
29
            trust_level = "high"
30
          }
31

32
          "gcp.prod.company.com" {
33
            bundle_endpoint_url = "https://spire-bundle.gcp.prod.company.com:8443"
34
            bundle_endpoint_profile {
35
              type = "https_spiffe"
36
              endpoint_spiffe_id = "spiffe://gcp.prod.company.com/spire/server"
37
            }
38
            trust_level = "high"
39
          }
40

41
          # Staging environments (lower trust)
42
          "staging.company.com" {
43
            bundle_endpoint_url = "https://spire-bundle.staging.company.com:8443"
44
            bundle_endpoint_profile {
45
              type = "https_web"
46
            }
47
            trust_level = "medium"
48
            refresh_hint = "1800s"  # More frequent refresh for staging
49
          }
50

51
          # Partner environments (restricted trust)
52
          "partner.example.com" {
53
            bundle_endpoint_url = "https://spire-bundle.partner.example.com:8443"
54
            bundle_endpoint_profile {
55
              type = "https_spiffe"
56
              endpoint_spiffe_id = "spiffe://partner.example.com/spire/server"
57
            }
58
            trust_level = "limited"
59
            refresh_hint = "3600s"
60

61
            # Additional validation for partner domains
62
            additional_validation {
63
              required_san = ["spire-server.partner.example.com"]
64
              certificate_transparency = true
65
            }
66
          }
67
        }
68

69
        # Transitive trust policies
70
        transitive_trust {
71
          # Allow production environments to trust each other transitively
72
          allow_transitive = ["aws.prod.company.com", "gcp.prod.company.com"]
73

74
          # Block transitive trust for external partners
75
          block_transitive = ["partner.example.com"]
76

77
          # Maximum trust chain length
78
          max_chain_length = 3
79
        }
80
      }
81
    }

Conditional Federation#

Implement time-based and condition-based federation:

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: spire-server-conditional-config
5
  namespace: spire-system
6
data:
7
  server.conf: |
8
    server {
9
      bind_address = "0.0.0.0"
10
      bind_port = "8081"
11
      trust_domain = "conditional.company.com"
12

13
      federation {
14
        bundle_endpoint {
15
          address = "0.0.0.0"
16
          port = 8443
17
        }
18

19
        federates_with {
20
          # Business hours federation
21
          "partner.business.com" {
22
            bundle_endpoint_url = "https://spire-bundle.partner.business.com:8443"
23
            bundle_endpoint_profile {
24
              type = "https_spiffe"
25
              endpoint_spiffe_id = "spiffe://partner.business.com/spire/server"
26
            }
27

28
            # Time-based access control
29
            time_restrictions {
30
              allowed_hours = ["09:00-17:00"]
31
              timezone = "America/New_York"
32
              allowed_days = ["MON", "TUE", "WED", "THU", "FRI"]
33
            }
34

35
            # IP-based restrictions for additional security
36
            ip_restrictions {
37
              allowed_cidrs = ["203.0.113.0/24", "198.51.100.0/24"]
38
            }
39
          }
40

41
          # Emergency access federation
42
          "emergency.company.com" {
43
            bundle_endpoint_url = "https://spire-bundle.emergency.company.com:8443"
44
            bundle_endpoint_profile {
45
              type = "https_spiffe"
46
              endpoint_spiffe_id = "spiffe://emergency.company.com/spire/server"
47
            }
48

49
            # Emergency conditions
50
            emergency_access {
51
              # Only activate during incidents
52
              activation_conditions = ["incident_declared", "security_breach"]
53

54
              # Automatic deactivation
55
              max_duration = "4h"
56

57
              # Approval workflow
58
              requires_approval = true
59
              approvers = ["security-team", "incident-commander"]
60
            }
61
          }
62

63
          # Geographic federation
64
          "eu.company.com" {
65
            bundle_endpoint_url = "https://spire-bundle.eu.company.com:8443"
66
            bundle_endpoint_profile {
67
              type = "https_spiffe"
68
              endpoint_spiffe_id = "spiffe://eu.company.com/spire/server"
69
            }
70

71
            # Geographic restrictions for GDPR compliance
72
            geographic_restrictions {
73
              allowed_regions = ["eu-west-1", "eu-central-1"]
74
              data_residency_required = true
75
            }
76
          }
77
        }
78
      }
79
    }

Monitoring and Observability for Federation#

Set up comprehensive monitoring for federated environments:

1
apiVersion: monitoring.coreos.com/v1
2
kind: ServiceMonitor
3
metadata:
4
  name: spire-federation-monitoring
5
  namespace: monitoring
6
spec:
7
  selector:
8
    matchLabels:
9
      app: spire-server
10
      federation: enabled
11
  endpoints:
12
    - port: metrics
13
      interval: 30s
14
      path: /metrics
15
      relabelings:
16
        - sourceLabels: [__name__]
17
          regex: "spire_server_federation_.*|spire_server_bundle_.*"
18
          action: keep
19
---
20
# Federation-specific alerts
21
apiVersion: monitoring.coreos.com/v1
22
kind: PrometheusRule
23
metadata:
24
  name: spire-federation-alerts
25
  namespace: monitoring
26
spec:
27
  groups:
28
    - name: spire.federation
29
      rules:
30
        - alert: SPIREFederationBundleExpiry
31
          expr: |
32
            (spire_server_bundle_expiry_timestamp_seconds - time()) / 86400 < 7
33
          for: 1h
34
          labels:
35
            severity: warning
36
          annotations:
37
            summary: "SPIRE federation bundle expiring soon"
38
            description: "Bundle for trust domain {{ $labels.trust_domain }} expires in less than 7 days"
39

40
        - alert: SPIREFederationEndpointDown
41
          expr: |
42
            up{job="spire-federation-endpoints"} == 0
43
          for: 5m
44
          labels:
45
            severity: critical
46
          annotations:
47
            summary: "SPIRE federation endpoint down"
48
            description: "Federation endpoint {{ $labels.instance }} is unreachable"
49

50
        - alert: SPIREFederationTrustBundleUpdateFailed
51
          expr: |
52
            increase(spire_server_federation_bundle_update_errors_total[5m]) > 0
53
          for: 2m
54
          labels:
55
            severity: warning
56
          annotations:
57
            summary: "SPIRE federation bundle update failed"
58
            description: "Failed to update trust bundle from {{ $labels.trust_domain }}"
59

60
        - alert: SPIRECrossDomainAuthenticationFailures
61
          expr: |
62
            rate(spire_server_federation_authentication_failures_total[5m]) > 0.1
63
          for: 3m
64
          labels:
65
            severity: warning
66
          annotations:
67
            summary: "High rate of cross-domain authentication failures"
68
            description: "{{ $value }} authentication failures per second between trust domains"
69

70
        - alert: SPIREFederationLatencyHigh
71
          expr: |
72
            histogram_quantile(0.99, rate(spire_server_federation_request_duration_seconds_bucket[5m])) > 10
73
          for: 5m
74
          labels:
75
            severity: warning
76
          annotations:
77
            summary: "High federation request latency"
78
            description: "99th percentile federation request latency is {{ $value }}s"
79
---
80
# Grafana dashboard for federation
81
apiVersion: v1
82
kind: ConfigMap
83
metadata:
84
  name: spire-federation-dashboard
85
  namespace: monitoring
86
data:
87
  dashboard.json: |
88
    {
89
      "dashboard": {
90
        "title": "SPIRE Federation Overview",
91
        "panels": [
92
          {
93
            "title": "Active Federation Relationships",
94
            "type": "stat",
95
            "targets": [
96
              {
97
                "expr": "count(spire_server_federation_relationship_active)",
98
                "legendFormat": "Active Federations"
99
              }
100
            ]
101
          },
102
          {
103
            "title": "Cross-Domain Request Rate",
104
            "type": "graph",
105
            "targets": [
106
              {
107
                "expr": "sum(rate(spire_server_federation_requests_total[5m])) by (source_trust_domain, target_trust_domain)",
108
                "legendFormat": "{{ source_trust_domain }} -> {{ target_trust_domain }}"
109
              }
110
            ]
111
          },
112
          {
113
            "title": "Trust Bundle Health",
114
            "type": "table",
115
            "targets": [
116
              {
117
                "expr": "spire_server_bundle_expiry_timestamp_seconds",
118
                "legendFormat": "Bundle Expiry"
119
              }
120
            ]
121
          },
122
          {
123
            "title": "Federation Errors",
124
            "type": "graph",
125
            "targets": [
126
              {
127
                "expr": "sum(rate(spire_server_federation_errors_total[5m])) by (trust_domain, error_type)",
128
                "legendFormat": "{{ trust_domain }} - {{ error_type }}"
129
              }
130
            ]
131
          }
132
        ]
133
      }
134
    }

Security Considerations and Best Practices#

Trust Domain Segmentation#

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: trust-domain-security-policy
5
  namespace: spire-system
6
data:
7
  security-policy.rego: |
8
    package spire.federation.security
9

10
    import future.keywords.contains
11
    import future.keywords.if
12

13
    # Default deny all cross-domain access
14
    default allow_federation = false
15

16
    # Production trust domains
17
    production_domains := {
18
        "aws.prod.company.com",
19
        "gcp.prod.company.com",
20
        "onprem.prod.company.com"
21
    }
22

23
    # Staging trust domains
24
    staging_domains := {
25
        "aws.staging.company.com",
26
        "gcp.staging.company.com"
27
    }
28

29
    # Partner trust domains
30
    partner_domains := {
31
        "partner.example.com",
32
        "vendor.supplier.com"
33
    }
34

35
    # Allow federation within production environments
36
    allow_federation {
37
        input.source_trust_domain in production_domains
38
        input.target_trust_domain in production_domains
39
        production_security_checks
40
    }
41

42
    # Allow limited staging to production access
43
    allow_federation {
44
        input.source_trust_domain in staging_domains
45
        input.target_trust_domain in production_domains
46
        staging_to_production_checks
47
    }
48

49
    # Partner access with strict controls
50
    allow_federation {
51
        input.source_trust_domain in partner_domains
52
        input.target_trust_domain in production_domains
53
        partner_access_checks
54
        business_hours_check
55
    }
56

57
    production_security_checks {
58
        # Require strong attestation
59
        input.attestation_strength == "high"
60

61
        # Require recent certificate
62
        time.now_ns() - input.certificate_issued_time < (24 * 60 * 60 * 1000000000)  # 24 hours
63

64
        # Verify certificate chain
65
        input.certificate_chain_valid == true
66
    }
67

68
    staging_to_production_checks {
69
        # More restrictive for staging access
70
        input.attestation_strength == "high"
71
        input.purpose in ["testing", "development", "ci-cd"]
72

73
        # Time-based restrictions
74
        business_hours_check
75
    }
76

77
    partner_access_checks {
78
        # Very strict for partners
79
        input.attestation_strength == "high"
80
        input.partner_approval == true
81

82
        # Specific service restrictions
83
        input.target_service in allowed_partner_services
84

85
        # IP whitelist
86
        input.source_ip in partner_allowed_ips
87
    }
88

89
    business_hours_check {
90
        hour := time.now_ns() / 1000000000 / 3600 % 24
91
        hour >= 9
92
        hour <= 17
93
    }
94

95
    allowed_partner_services := [
96
        "api-gateway",
97
        "webhook-receiver",
98
        "data-export"
99
    ]
100

101
    partner_allowed_ips := [
102
        "203.0.113.0/24",
103
        "198.51.100.0/24"
104
    ]

Certificate Rotation in Federated Environments#

1
apiVersion: batch/v1
2
kind: CronJob
3
metadata:
4
  name: federation-cert-rotation
5
  namespace: spire-system
6
spec:
7
  schedule: "0 2 * * *" # Daily at 2 AM
8
  jobTemplate:
9
    spec:
10
      template:
11
        spec:
12
          serviceAccountName: spire-server
13
          containers:
14
            - name: cert-rotator
15
              image: company/spire-cert-rotator:v1.0.0
16
              env:
17
                - name: TRUST_DOMAIN
18
                  value: "aws.company.com"
19
                - name: FEDERATED_DOMAINS
20
                  value: "gcp.company.com,onprem.company.com,partner.example.com"
21
                - name: ROTATION_THRESHOLD_DAYS
22
                  value: "30"
23
              command:
24
                - /bin/sh
25
                - -c
26
                - |
27
                  # Check certificate expiry across all federated domains
28
                  for domain in $(echo $FEDERATED_DOMAINS | tr ',' ' '); do
29
                    echo "Checking federation with $domain..."
30

31
                    # Get current bundle
32
                    kubectl exec spire-server-0 -c spire-server -- \
33
                      /opt/spire/bin/spire-server bundle show \
34
                      -format spiffe -socketPath /tmp/spire-server/private/api.sock \
35
                      -trustDomain $domain > /tmp/${domain}-bundle.pem
36

37
                    # Check expiry
38
                    expiry=$(openssl x509 -in /tmp/${domain}-bundle.pem -noout -enddate | cut -d= -f2)
39
                    expiry_epoch=$(date -d "$expiry" +%s)
40
                    current_epoch=$(date +%s)
41
                    days_until_expiry=$(( (expiry_epoch - current_epoch) / 86400 ))
42

43
                    if [ $days_until_expiry -lt $ROTATION_THRESHOLD_DAYS ]; then
44
                      echo "Certificate for $domain expires in $days_until_expiry days, triggering rotation..."
45

46
                      # Trigger bundle refresh
47
                      kubectl exec spire-server-0 -c spire-server -- \
48
                        /opt/spire/bin/spire-server bundle refresh \
49
                        -trustDomain $domain -socketPath /tmp/spire-server/private/api.sock
50

51
                      # Notify monitoring
52
                      curl -X POST http://alertmanager.monitoring.svc.cluster.local:9093/api/v1/alerts \
53
                        -H "Content-Type: application/json" \
54
                        -d "[{
55
                          \"labels\": {
56
                            \"alertname\": \"SPIREFederationCertRotation\",
57
                            \"trust_domain\": \"$domain\",
58
                            \"severity\": \"info\"
59
                          },
60
                          \"annotations\": {
61
                            \"summary\": \"Federation certificate rotated for $domain\"
62
                          }
63
                        }]"
64
                    else
65
                      echo "Certificate for $domain is valid for $days_until_expiry more days"
66
                    fi
67
                  done
68
          restartPolicy: OnFailure

Troubleshooting Federation Issues#

Common Federation Problems and Solutions#

1
# Federation troubleshooting commands
2

3
# 1. Check federation status
4
kubectl exec -n spire-system spire-server-0 -c spire-server -- \
5
  /opt/spire/bin/spire-server federation list
6

7
# 2. Verify bundle endpoint connectivity
8
kubectl exec -n spire-system spire-server-0 -c spire-server -- \
9
  curl -v https://spire-bundle.gcp.company.com:8443
10

11
# 3. Check trust bundle content
12
kubectl exec -n spire-system spire-server-0 -c spire-server -- \
13
  /opt/spire/bin/spire-server bundle show -format spiffe -trustDomain gcp.company.com
14

15
# 4. Test cross-domain SVID validation
16
kubectl exec -n spire-system spire-server-0 -c spire-server -- \
17
  /opt/spire/bin/spire-server validate-jwt-svid \
18
  -audience spiffe://aws.company.com/frontend \
19
  -svid-file /tmp/test-svid.jwt
20

21
# 5. Check federation logs
22
kubectl logs -n spire-system spire-server-0 -c spire-server | grep -i federation
23

24
# 6. Verify network connectivity between clusters
25
kubectl run federation-test --rm -i --tty --image=curlimages/curl -- \
26
  curl -v https://spire-bundle.gcp.company.com:8443
27

28
# 7. Check DNS resolution
29
kubectl run dns-test --rm -i --tty --image=busybox -- \
30
  nslookup spire-bundle.gcp.company.com
31

32
# 8. Test certificate chain validation
33
openssl s_client -connect spire-bundle.gcp.company.com:8443 -servername spire-bundle.gcp.company.com
34

35
# 9. Verify SPIFFE ID in cross-domain communication
36
kubectl exec -n distributed-app frontend-xxx -- \
37
  openssl s_client -connect data.gcp.company.com:8443 -servername data.gcp.company.com -showcerts

Conclusion#

Multi-cluster SPIFFE federation transforms isolated identity silos into a unified, enterprise-scale zero-trust architecture. By implementing federation, organizations can:

✅ Enable Seamless Cross-Cloud Communication: Workloads authenticate across any infrastructure boundary
✅ Maintain Cryptographic Trust: Federation relationships are based on verifiable certificates, not network controls
✅ Scale Identity Management: Central policies with distributed enforcement across all environments
✅ Meet Compliance Requirements: Satisfy data residency and regulatory requirements while maintaining security
✅ Simplify Operations: Reduce VPN complexity and eliminate credential sprawl across environments

The patterns and examples in this guide provide a foundation for building production-grade federated identity systems that can scale from small multi-cluster deployments to global enterprise architectures spanning clouds, edge locations, and partner organizations.

In our next post, we’ll explore GitOps patterns for managing SPIFFE/SPIRE configurations, showing how to implement infrastructure-as-code practices for identity management at scale.

Additional Resources#

Building a federated SPIFFE architecture for your organization? The SPIFFE community provides extensive support for enterprise federation deployments and complex multi-cloud scenarios.