I Secure Production Identity Framework For Everyone


In chapter 6, we detailed the challenges in key management, including key provisioning, trust bootstrapping, certificate revocation, key rotation, and key usage monitoring. In a typical microservices deployment, each microservice is provisioned with a key pair. In chapter 6 you did that by manually copying Java keystore files to the Order Processing and Inventory microservices. Doing things manually won’t work in a microservices deployment, however—everything must be automated.

Ideally, the keys should be generated and provisioned to the microservices during the continuous integration/continuous delivery (CI/CD) pipeline. Once keys are provisioned to all the nodes/microservices, the next challenge is to bootstrap trust between nodes. Why would a node trust a request initiated from another node? That’s the trust bootstrap problem we need to solve. And just as keys must be provisioned to each microservice, the provisioned keys must be rotated before they expire. In this appendix, we discuss how SPIFFE (Secure Production Identity Framework For Everyone) helps address the key provisioning, trust bootstrapping, and key rotation problems.

I.1 What is SPIFFE?

I.2 How SPIFFE/SPIRE works
