Replies: 1 comment 1 reply
-
|
Hi, @lusains. It's a really interesting solution, I'm personally interested in it. Your goal is for the APISIX implementation to be a SPIFFE Workload API client that accepts certificates from the SPIFFE network that are used to authenticate the client's connection and provide the TLS service, and automatically uses them for the mTLS security layer on the service proxy, right? I am checking its feasibility. |
Beta Was this translation helpful? Give feedback.
-
|
APISIX acts as a client and communicates with the SPIRE agent via the mounted Unix Domain Socket (UDS) to fetch the SVID. This functionality has already been implemented in Traefik and Envoy. We aim to extend this capability to APISIX, achieving a closed-loop north-south mTLS setup. SPIFFE as the identity framework in Access Control Lists (ACLs) for secrets management, mutual TLS for service-to-service communication, and even for implementing general authorization policies. |
Beta Was this translation helpful? Give feedback.
-
As the requirements for zero trust become higher and higher, mtls based on the spiffee protocol is also being promoted. Is there any support plan?
Beta Was this translation helpful? Give feedback.
All reactions