
Spiffe Integration

SPIFFE (Secure Production Identity Framework For Everyone) provides a secure identity, in the form of a specially crafted X.509 certificate, to every workload in an environment.

Traefik Hub API Gateway can connect to the SPIFFE Workload API to obtain an X509-SVID, which it uses to secure connections to SPIFFE-enabled backends.

Configuration Example

```yaml
# Default Servers Transport
serversTransport:
  spiffe:
    ids:
      - spiffe://trust-domain/id1
      - spiffe://trust-domain/id2
    trustDomain: "spiffe://trust-domain"

spiffe:
  workloadAPIAddr: localhost
```

Configuration Options

| Field | Description | Default | Required |
|-------|-------------|---------|----------|
| workloadAPIAddr | Address of the SPIFFE Workload API. | | True |

Backends Connection

Enabling SPIFFE does not imply that backend connections are going to use it automatically.

Each ServersTransport that is meant to be secured with SPIFFE must explicitly enable it.

The configuration can be done globally using the default ServersTransport.

A dedicated SPIFFE configuration can be applied to a Service using a specific ServersTransport. To apply such a configuration, you must refer to the ServersTransport in the Service:
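As an added example (not taken from the page or from the Traefik project), a dynamic configuration for the file provider that defines a dedicated SPIFFE-enabled ServersTransport and a Service that opts in by referencing it; the transport and service names, the backend URL and the backend SPIFFE ID are assumptions. The static `spiffe.workloadAPIAddr` setting shown above must still be present for any of this to take effect.

```yaml
# Dynamic configuration (file provider). The names, the backend URL and the
# SPIFFE ID are placeholders chosen for this example.
http:
  serversTransports:
    backend-spiffe:
      spiffe:
        # Allowlist of backend SPIFFE IDs this transport accepts. A backend
        # whose X509-SVID carries a different ID is rejected at TLS setup,
        # so keep this list to exactly the workloads this service should reach.
        ids:
          - spiffe://trust-domain/orders-backend

  services:
    orders:
      loadBalancer:
        # Opt this service in: without this reference it keeps using the
        # default ServersTransport and SPIFFE is not applied.
        serversTransport: backend-spiffe
        servers:
          - url: "https://orders.internal:8443"

  routers:
    orders:
      rule: "PathPrefix(`/orders`)"
      service: orders
```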

SPIFFE can cause Traefik Hub API Gateway to stall

When using SPIFFE, Traefik Hub API Gateway will wait for the first SVID to be delivered before starting. If it hangs while waiting for SPIFFE SVID delivery, please double-check that it is correctly registered as a workload in your SPIFFE infrastructure.