What's Up In Workload Identity - October 2024
SPIFFE? WIMSE? All that and more inside the October edition of What's Up in Workload Identity.
Hey!
Welcome to the third edition of What’s Up in Workload Identity, a monthly review of the world of Workload Identity (SPIFFE, WIMSE and much more…)
It’s a world that’s moving fast - and it’s hard to keep up 🚀
You can expect to see each edition covering:
News: significant events in the Workload Identity space
Content: awesome blog posts and talks that have been published
Releases: the latest and greatest changes to Workload Identity tooling
Coming Up: the events and talks you won’t want to miss
Who am I? I’m Noah. I’ve been working in the Workload Identity space for the past few years. I currently work at Teleport, leading the development of our Workload Identity product. That being said, this newsletter is in a personal capacity and I’m keen to keep it unbiased! You can find out more about me on my website.
News
The latest news from the Workload Identity space
Latest updates on WIMSE drafts
Ahead of the IETF 121 meeting in Dublin next week, the WIMSE WG have published new versions of two of their existing internet drafts.
The Workload Identity in a Multi System Environment (WIMSE) Architecture draft has entered its third (or if you, like the IETF, prefer to count from zero - 02nd) iteration. This document focusses on Workload Identity at a higher level, setting out various fundamental terminology and concepts.
The latest iteration brings significantly more clarity to several key concepts, such as that of trust domains and workload identifiers. If you’re familiar with the space, you won’t be surprised to see the definitions largely encompassing and being compatible with the definitions made by SPIFFE, with the WIMSE draft directly calling out SPIFFE IDs as an example of a compatible workload identifier.
It’s also encouraging to see the Workload Identity Token (WIT), which was first introduced in the Service to Service Authentication draft, being deemed notable enough to be mentioned and referred to within the Architecture draft.
Speaking of Service to Service Authentication, this draft has also received a round of changes as part of a second (uh, 01st) iteration. This document focusses more specifically on techniques and protocols for authenticating workload identity within the context of service to service communication.
Amongst the changes to this draft is the addition of a new claim to the proposed Workload Proof Token (WPT). The WPT is created by a workload as part of service to service authentication flows to prove its possession of a key pair that is contained within the Workload Identity Token (WIT) that contains claims that describe the workload’s identity. The new claim, “wth”, will contain a SHA256 hash of a WIT that the WPT has been produced for. This creates a more specific binding between the two, particularly in cases where the WIT may have been extended with additional attributes of the workload identity.
The draft now also includes a temporary comparison as part of the ongoing discussion on which authentication flow become the draft’s recommendation. Today, the draft describes two options: a flow based on OAuth DPoP using the WPT and a flow based on RFC9421 HTTP message signatures. If you’re using HTTP for service to service communication, it’s definitely worth diving into this discussion, there’s some really interesting trade-offs between the two options. I’m looking forward to reading up on this discussion as the working group tries to reach consensus.
You can check out the changes included in the latest revisions over on the IETF Datatracker:
Content
The best of recent blogs, webinars and talks on Workload Identity
Fortifying gRPC Microservices: Beyond JWT with mTLS and SPIFFE
By Mehrdad Afshari (Signeen, Inc.) at gRPConf 2024
Federating Secrets Across Clusters Using SPIFFE, SPIRE, and VMware Secrets Manager
By Volkan Özçelik
CNL: Secure workload identities with SPIFFE, cert-manager, trust-manager
By Mattias Gees (Venafi) on CNCF’s Cloud Native Live
Releases
Highlights from recent releases to Workload Identity tools
SPIRE - 1.11.0 - October 24th
Introduces the “forced rotation and revocation” functionality which allows administrators to manually rotate certificate authorities and JWT key pairs within SPIRE. It’s well worth learning more about this functionality if you’re operating SPIRE in production and need to prepare for how to respond to exfiltration of CA private key material.
This release also includes a number of bug fixes and optimisations.
VMWare Secrets Manager - 0.28.0 - October 16th
Introduced an interesting proof of concept feature to support sharing secrets between clusters, and, support for PostgreSQL as a backing store.
Teleport Workload Identity - 16.4.3 - October 16th
Introduced support for issuing JWT-SVIDs to workloads. This includes compatibility with OIDC for OIDC-based federation and authentication to third-party APIs such as cloud providers.
Coming Up…
What’s happening soon in the world of Workload Identity
KubeCon North America
November 12th to the 15th - Salt Lake City, Utah
Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/
You also won’t want to miss the “Workload Identity Day 0” event being hosted by Venafi at their HQ. The schedule is jam-packed with talks on SPIFFE, SPIRE and the workload identity space as a whole. You can find out more about that at https://venafi.com/events/workload-identity-day-zero/
KubeCon India
December 11th to the 12th - Delhi
Find out more at https://events.linuxfoundation.org/kubecon-cloudnativecon-india/
That’s all for this month’s edition of What’s Up in Workload Identity. If you’ve found this interesting, please subscribe and share!
Got something you’d love to see in the next edition? I’m particularly keen to start including some short editorial pieces within WUIWI. Please get in touch at wuiwi@noahstride.co.uk