This feature is in private preview and is not publicly available.
Downtime Protection
Defakto supports an optional component, the SPIRL Reflector, that mitigates the effect of temporary network outages. This guide explains how to set up Downtime Protection by installing the SPIRL Reflector as part of your deployment.
Overview
The SPIRL Reflector is an optional resiliency component that enhances the Defakto workload identity platform by reducing dependency on the Trust Domain Server for existing workload scaling operations. The Reflector operates as an intelligent caching proxy that sits between Defakto Agents and the Trust Domain Server, enabling continued credential issuance for existing workloads even when the Trust Domain Server becomes unavailable.
The Reflector intercepts credential requests from Agents and either forwards them to the Trust Domain Server (normal path) or serves cached credentials when the Trust Domain Server is unreachable (resilient path).
This design maintains a robust security model while providing steady-state resiliency: existing workloads can scale out even during Trust Domain Server outages. New workload clusters still require Trust Domain Server connectivity for initial credential bootstrapping.
See the pages below for more information about installing or using the Reflector.
Install Downtime Protection
Deploy the credential caching proxy.
Monitoring SPIRL Reflector
Monitor Reflector health and performance.
Configuration Reference
Helm values and runtime settings.