
Secure service-to-service communication with SPIFFE for Apps

Available on devices using IE Runtime version 1.22.0 and later (Release Notes).

Overview

This document provides guidance on using SPIFFE to enable secure service-to-service communication for your application(s). Your application services can be registered with the SPIRE agent. An X.509-SVID can then be fetched through the SPIFFE Workload API and used as the certificate for establishing secure communication with other registered services via mutual TLS (mTLS).

Step-by-Step Procedure

1. Use the device internal proxy-redirect network

Each container that is part of the proxy-redirect network will receive a SPIFFE ID as an environment variable.

Example docker-compose snippet:

version: '2.4'

services:
  my-service:
    image: my-image:0.0.1
    container_name: my-image
    mem_limit: 512mb
    mem_reservation: 256mb
    networks:
      - edge-network

networks:
  edge-network:
    external: true
    name: proxy-redirect

2. Fetch X.509-SVIDs (SPIFFE Verifiable Identity Document)

To fetch the X.509-SVID, your service must communicate with the SPIRE agent. This can be achieved using the SPIFFE Workload API, which is accessible through the socket mounted at /var/run/edgedevice/edgeapiagent.sock.

There are libraries available to help you fetch X.509-SVIDs and interact with the SPIFFE Workload API.

The X.509-SVIDs will contain the service name as the SAN, which can be used to establish mTLS connections based on DNS. The DNS names will always follow the format <service-name>.proxy-redirect.

  • <service-name> refers to the name of the service in the docker-compose.yaml.
  • proxy-redirect defines the network for service-to-service communication.

3. Establish mTLS connection

Use the DNS name of the service you want to connect to and implement mTLS in both services.
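The following Go program is an added example and not part of this page or of the IE Runtime; it uses only the standard library to show the mTLS side of step 3: both services present their SVID, verify the peer against the SPIRE trust bundle only (never the system roots), and additionally require the peer's leaf certificate to carry the <service-name>.proxy-redirect SAN from step 2. It assumes the SVID and bundle have already been fetched over the Workload API socket (a library such as go-spiffe does that); the function names are hypothetical, and newIdentity is a constructed self-signed stand-in so the code runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// peerName derives the DNS SAN that a service on the proxy-redirect network carries in its SVID.
func peerName(service string) string { return service + ".proxy-redirect" }

// verifyPeer runs after Go has validated the chain against the bundle (RootCAs / ClientCAs) and
// adds the rule from step 2: the peer's leaf must carry the <service-name>.proxy-redirect SAN.
func verifyPeer(verifiedChains [][]*x509.Certificate, service string) error {
	if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
		return errors.New("peer certificate was not verified against the trust bundle")
	}
	return verifiedChains[0][0].VerifyHostname(peerName(service)) // the leaf is first in the chain
}

// mtlsConfig wires the SVID and bundle into a tls.Config for either side: both peers present a
// certificate and both verify it against the bundle only, never the system roots. The expected
// peer is fixed here for simplicity; a server with several callers would choose it per connection.
func mtlsConfig(svid tls.Certificate, bundle *x509.CertPool, peer string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{svid}, RootCAs: bundle, ClientCAs: bundle,
		ClientAuth: tls.RequireAndVerifyClientCert, ServerName: peerName(peer), MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			return verifyPeer(chains, peer)
		},
	}
}

// newIdentity is a constructed fixture: a self-signed stand-in for an SVID plus a bundle that trusts
// it. Real SVIDs are issued by the SPIRE agent over the Workload API and are never self-signed.
func newIdentity(service string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: service},
		DNSNames: []string{peerName(service)}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	bundle := x509.NewCertPool()
	bundle.AddCert(cert)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, bundle
}
```

Pass the returned config to tls.Listen on the serving side and to tls.Dial (with the peer's <service-name>.proxy-redirect address) on the calling side; a peer whose SVID names a different service fails the handshake even though it chains to the same bundle.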