
Envoy SDS (Secret Discovery Service)

Envoy SDS (Secret Discovery Service) is an API that allows Envoy proxies to dynamically fetch secrets, such as TLS certificates and private keys, from a remote management server^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]. Because secrets are delivered on demand over the SDS channel and can be replaced as they rotate without restarting the proxy, SDS removes the need to mount long-lived key material into the proxy's filesystem.

Integration with SPIRE

A primary use case for the SDS API is integrating external Certificate Authorities (CAs), such as SPIRE (the SPIFFE Runtime Environment), into the service mesh^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]. By leveraging SDS, Envoy can obtain workload identities issued by SPIRE rather than a default mesh CA^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md].

This integration is typically facilitated by the istio-agent, which runs alongside Envoy in the sidecar. In standard deployments, the agent can be configured to act as an SDS server that watches xDS resources (Envoy's family of discovery services, of which SDS is one) and retrieves the necessary secrets on the proxy's behalf^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md].

Workflow

When utilizing SDS with systems like SPIRE, the workflow generally involves:

  1. Deployment: Deploying the CA infrastructure (e.g., SPIRE) and ensuring the mechanism that injects SPIRE's Workload API socket into workload Pods is in place prior to installing the service mesh, since the agent cannot obtain identities without it^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md].
  2. Configuration: Applying custom resource configurations (like istio-spire-config.yaml) that instruct the Istio control plane to use the SDS API for secret discovery^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md].
  3. Verification: Operators can verify the integration by inspecting the dynamic active secrets of a Pod using tools like istioctl proxy-config secret to confirm that the certificate issuer matches the external system (e.g., O = SPIRE)^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md].
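A concrete version of the verification step, as an added example in Go (the language Istio and SPIRE are written in); it is not code from the page's source or from either project. It builds a constructed in-memory stand-in for the SPIRE CA so it runs offline, then applies the checks an operator should make on the active secret reported by istioctl proxy-config secret: the leaf must chain to the trust bundle and be valid now, its issuer must be O = SPIRE rather than the default mesh CA, and it must be a well-formed X.509-SVID (not a CA, usable for both sides of mTLS, exactly one spiffe:// URI SAN in the expected trust domain). The trust domain cluster.local (Istio's default), the SPIFFE ID path ns/default/sa/httpbin and the TestPKI helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// TestPKI is a constructed in-memory stand-in for a SPIRE server (not SPIRE or Istio code).
type TestPKI struct {
	Bundle *x509.CertPool // the CA cert, as Envoy receives it in the validation-context secret
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
// mint generates a P-256 key for tmpl and signs it with signKey (nil: self-signed).
func mint(tmpl, parent *x509.Certificate, signKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if signKey == nil {
		signKey = key
	}
	tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	must(err)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewTestPKI creates a CA whose subject O=<org> becomes the issuer O of every SVID it signs.
func NewTestPKI(org, trustDomain string) *TestPKI {
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{Organization: []string{org}, CommonName: trustDomain},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, key := mint(tmpl, tmpl, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &TestPKI{Bundle: pool, caCert: ca, caKey: key}
}

// IssueSVID mints a one-hour workload cert; an empty spiffeID yields a leaf with no URI SAN.
func (p *TestPKI) IssueSVID(spiffeID string) *x509.Certificate {
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: "workload"},
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if spiffeID != "" {
		u, err := url.Parse(spiffeID)
		must(err)
		tmpl.URIs = []*url.URL{u}
	}
	leaf, _ := mint(tmpl, p.caCert, p.caKey)
	return leaf
}

// VerifyWorkloadCert applies the step-3 checks: chain to the bundle at `now` with both the
// serverAuth and clientAuth EKUs (Verify runs once per EKU because one call accepts either),
// issuer O=<issuerOrg>, and a valid X.509-SVID: non-CA, one spiffe:// URI SAN in trustDomain.
func VerifyWorkloadCert(leaf *x509.Certificate, bundle *x509.CertPool, issuerOrg, trustDomain string, now time.Time) (string, error) {
	for _, eku := range []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} {
		opts := x509.VerifyOptions{Roots: bundle, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{eku}}
		if _, err := leaf.Verify(opts); err != nil {
			return "", fmt.Errorf("chain/EKU check failed: %w", err)
		}
	}
	if o := leaf.Issuer.Organization; len(o) != 1 || o[0] != issuerOrg {
		return "", fmt.Errorf("issuer O=%v, want %q (still on the default mesh CA?)", o, issuerOrg)
	}
	if leaf.IsCA || len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
		return "", fmt.Errorf("not an SVID for trust domain %q: IsCA=%v URIs=%v", trustDomain, leaf.IsCA, leaf.URIs)
	}
	return leaf.URIs[0].String(), nil
}

func main() {
	spire := NewTestPKI("SPIRE", "cluster.local")
	svid := spire.IssueSVID("spiffe://cluster.local/ns/default/sa/httpbin")
	fmt.Println(VerifyWorkloadCert(svid, spire.Bundle, "SPIRE", "cluster.local", time.Now()))
}
```

To check a real Pod, parse the certificate from the istioctl proxy-config secret output with x509.ParseCertificate and pass the SPIRE trust bundle as the pool; a leaf that still chains only to the mesh CA, or that carries a SPIFFE ID outside the cluster's trust domain, is rejected before the issuer string is even compared.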

Sources

^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]