Process, Architecture, and Prerequisites

SPIRL Trust Domain Servers can be integrated with Venafi Firefly so that workload identities are issued by your existing PKI infrastructure.

Prerequisites

  1. Kubernetes cluster
  2. Venafi Firefly Account

Architecture

SPIRL Trust Domain Servers are deployed in a Kubernetes cluster.

SPIRL Trust Domain Servers are deployed via a Helm chart. SPIRL Trust Domain Server Pods are deployed as Kubernetes ReplicaSets. Each Pod contains a SPIRL Trust Domain Server container and a Venafi Firefly container. The Venafi Firefly container integrates the SPIRL Trust Domain Server with your PKI infrastructure.

Venafi Firefly is exposed to the SPIRL Trust Domain Server container over a Unix domain socket on a shared temporary volume mounted into both containers, as represented in the diagram below.

High-level procedure overview

  1. Configure Venafi Firefly
  2. Register the SPIFFE trust domain with the SPIRL Control Plane
  3. Deploy the SPIRL Trust Domain Server via the Helm chart
  4. Verify that the SPIRL Trust Domain Server is connected to the SPIRL Control Plane
  5. Verify that Venafi Firefly is connected to the Venafi Control Plane
  6. Register your first cluster with your self-hosted SPIRL Trust Domain Server
  7. Configure and deploy SPIRL SPIFFE Workload API Agents in your cluster
  8. Verify that the SPIRL SPIFFE Workload API Agents are connected to the SPIRL Trust Domain Server