
Module 9: Advanced SPIRE Architectures Slides

Slide walkthrough for Module 9 of Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems: Production-grade deployments: HA, federation, and...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Advanced SPIRE Architectures - Production-grade deployments: HA, federation, and multi-cluster
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - Single-server SPIRE works for demos. Production requires high availability, multi-cluster federation, and disaster recovery
  4. High Availability SPIRE - Lesson section from the full module
  5. Nested SPIRE - Lesson section from the full module
  6. SPIFFE Federation - Lesson section from the full module
  7. Multi-Cloud Architectures - Lesson section from the full module
  8. Migration Strategy: Adopting SPIFFE Incrementally - Lesson section from the full module
  9. Incident Thinking: What Happens If... - Lesson section from the full module
  10. Real-World Use Cases - Multi-cluster Kubernetes with unified trust, Multi-cloud deployments (AWS + GCP) sharing workload identity
  11. Common Mistakes to Avoid - 4 mistakes covered
  12. Security Risks to Watch - 3 risks covered
  13. Hands-On Labs - 2 hands-on labs
  14. Key Takeaways - 5 points to remember

Learning Objectives

  • Design high-availability SPIRE deployments
  • Configure nested SPIRE for hierarchical trust
  • Implement SPIFFE federation across trust domains
  • Plan multi-cluster and multi-cloud architectures

Why This Module Matters

Single-server SPIRE works for demos. Production requires high availability, multi-cluster federation, and disaster recovery. This module teaches you the architecture patterns that organizations with thousands of services deploy.

Common Mistakes

  • Running SPIRE Server with SQLite in production (no HA support)
  • Not planning federation before deploying to multiple clusters
  • Using different trust domains for dev/staging/prod when they need to communicate
  • Not testing failover before you need it in an actual outage

Key Takeaways

  • Production SPIRE requires HA with shared database (PostgreSQL/MySQL)
  • Nested SPIRE enables hierarchical trust for multi-team organizations
  • Federation allows cross-trust-domain authentication via bundle exchange
  • Multi-cloud works because attestation is plugin-based, not cloud-specific
  • Plan trust domain boundaries early — they are hard to change later

Hands-On Labs

  1. Deploying SPIRE in HA Mode

    Deploy a 3-replica SPIRE Server with PostgreSQL.

    • Deploy PostgreSQL for SPIRE datastore
    • Deploy 3 SPIRE Server replicas
    • Verify leader election and failover
    • Simulate a server failure and observe recovery


  2. Configuring SPIFFE Federation

    Federate two SPIRE deployments for cross-cluster trust.

    • Deploy two separate SPIRE instances (two Kind clusters)
    • Exchange trust bundles between the instances
    • Register federated workload entries
    • Verify cross-cluster mTLS communication

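The two labs above meet in one SPIRE Server configuration: a shared PostgreSQL datastore for the HA replicas (lab 1) and a federation block that serves this trust domain's bundle and fetches the peer's (lab 2). The server.conf below is an added illustration, not the course's lab files; the trust domain names, hostnames, cluster name and database credential are placeholders.

```hcl
# Added example server.conf: HA datastore plus SPIFFE federation.
# Placeholders (not from the course): trust domains cluster-a.example and
# cluster-b.example, hosts postgres.spire.svc / spire-server.cluster-b.example,
# the cluster name "cluster-a" and <DB_PASSWORD>.
server {
    bind_address = "0.0.0.0"
    bind_port    = "8081"
    trust_domain = "cluster-a.example"
    data_dir     = "/run/spire/data"
    log_level    = "INFO"

    federation {
        # Expose this trust domain's bundle so cluster-b can refresh it.
        bundle_endpoint {
            address = "0.0.0.0"
            port    = 8443
        }
        # Fetch cluster-b's bundle; the https_spiffe profile authenticates the
        # peer with its own SPIFFE ID, so the FIRST bundle must be seeded out of
        # band (the "exchange trust bundles" lab step), e.g. on cluster-b:
        #   spire-server bundle show -format spiffe > b.json
        # and here:
        #   spire-server bundle set -format spiffe \
        #     -id spiffe://cluster-b.example -path b.json
        federates_with "cluster-b.example" {
            bundle_endpoint_url = "https://spire-server.cluster-b.example:8443"
            bundle_endpoint_profile "https_spiffe" {
                endpoint_spiffe_id = "spiffe://cluster-b.example/spire/server"
            }
        }
    }
}

plugins {
    # Common mistake: database_type = "sqlite3" is a local file, so replicas
    # cannot share it and there is no HA. All replicas must point at one DB.
    DataStore "sql" {
        plugin_data {
            database_type     = "postgres"
            connection_string = "dbname=spire user=spire password=<DB_PASSWORD> host=postgres.spire.svc port=5432 sslmode=verify-full"
        }
    }
    # Each replica keeps its own CA key; the shared datastore holds the bundle.
    KeyManager "disk" {
        plugin_data { keys_path = "/run/spire/data/keys.json" }
    }
    NodeAttestor "k8s_psat" {
        plugin_data {
            clusters = {
                "cluster-a" = { service_account_allow_list = ["spire:spire-agent"] }
            }
        }
    }
}
```

A workload entry that may talk to cluster-b is registered with `-federatesWith spiffe://cluster-b.example` on `spire-server entry create`, which makes the peer bundle available to that workload's SVID for the cross-cluster mTLS check in the last lab step.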
