Skip to main content

Module 8: SPIRE Integrations and Service Mesh Slides

Slide walkthrough for Module 8 of Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems: Connect SPIRE with Envoy, Istio, and the cloud-native...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. SPIRE Integrations and Service Mesh - Connect SPIRE with Envoy, Istio, and the cloud-native ecosystem
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - SPIRE in isolation is useful. SPIRE integrated with Envoy, Istio, and OPA is transformational. This module shows you how
  4. SPIRE with Envoy - Lesson section from the full module
  5. SPIRE with Istio - Lesson section from the full module
  6. OIDC Discovery with SPIRE - Lesson section from the full module
  7. SPIFFE ID Naming Schemas - Lesson section from the full module
  8. Real-World Use Cases - Envoy SDS — automatic mTLS certificate delivery without restarts, Istio with SPIRE CA — stronger attestation than Istio default
  9. Common Mistakes to Avoid - 4 mistakes covered
  10. Production Notes - 3 practical notes
  11. Hands-On Labs - 3 hands-on labs
  12. Key Takeaways - 5 points to remember

Learning Objectives

  • Integrate SPIRE with Envoy as the identity provider
  • Use SPIRE with Istio and Linkerd service meshes
  • Configure OIDC discovery for JWT authentication
  • Design SPIFFE ID naming schemas for production

Why This Module Matters

SPIRE in isolation is useful. SPIRE integrated with Envoy, Istio, and OPA is transformational. This module shows you how workload identity plugs into the broader cloud-native ecosystem — turning separate tools into a unified zero trust platform.

Production Notes

  • Envoy SDS integration means zero-downtime certificate rotation. Envoy watches the SPIRE socket and reloads certificates automatically.
  • When replacing Istio CA with SPIRE, perform a gradual rollout — run both CAs during migration, then cut over.
  • OIDC discovery must be accessible from wherever JWT verification happens (API gateways, cloud provider IAM).

Common Mistakes

  • Configuring Envoy SDS with the wrong socket path
  • Not testing OIDC discovery endpoint accessibility from external consumers
  • Using Istio CA and SPIRE CA simultaneously without understanding precedence
  • Designing SPIFFE ID paths that do not support your service mesh routing needs

Key Takeaways

  • Envoy SDS integration gives automatic mTLS with zero restarts
  • SPIRE can replace Istio CA for stronger attestation and federation
  • OIDC discovery enables external systems to verify SPIFFE JWTs
  • SPIFFE ID naming schemas should be documented and hierarchical
  • The combination of SPIRE + Envoy + OPA provides complete zero trust

Hands-On Labs

  1. SPIRE with Envoy mTLS

    Configure Envoy to use SPIRE for automatic mTLS.

    • Deploy Envoy sidecars alongside application pods
    • Configure Envoy SDS to use the SPIRE Workload API
    • Verify mTLS between Envoy sidecars
    • Observe certificate rotation in Envoy admin interface

    View lab files on GitHub

  2. SPIRE + OPA Authorization

    Combine SPIRE identity with OPA policy enforcement via Envoy.

    • Deploy OPA alongside Envoy
    • Write Rego policies that reference SPIFFE IDs
    • Configure Envoy ext_authz filter
    • Test that only authorized services can access protected endpoints

    View lab files on GitHub

  3. OIDC Discovery with SPIRE

    Configure SPIRE as an OIDC provider for JWT verification.

    • Enable OIDC discovery on SPIRE Server
    • Fetch the OIDC discovery document
    • Verify a JWT-SVID using the OIDC public keys
    • Integrate with an API gateway that supports OIDC

    View lab files on GitHub

Read the full module | Back to course curriculum