{"id":"3ad8a707-9dc3-4e47-ba7d-d9ad9cc377a4","task":"Deploy SPIRE server and agent, configure trust domain, and register workload entries","domain":"spiffe.io","steps":["Deploy the SPIRE server with a trust domain name (e.g., example.org), configure a datastore (SQLite for testing, PostgreSQL for production), and generate the server CA or configure an upstream CA","Deploy a SPIRE agent on each node, configuring it to join the server using a join token or node attestor (e.g., aws_iid for EC2, k8s_sat for Kubernetes); the agent presents node identity to receive a certificate","Register workload entries on the SPIRE server mapping a SPIFFE ID (e.g., spiffe://example.org/service/frontend) to selectors that identify the workload process (e.g., Kubernetes namespace, service account, or UNIX UID)","The SPIRE agent continuously attests running workloads by comparing their process attributes against registered selectors and delivers SVIDs via the Workload API socket","Verify workload identity by using the SPIRE CLI (spire-agent api fetch x509) on the node to confirm the expected SVID is delivered","Configure SPIRE bundle federation if workloads in different trust domains need to authenticate each other; exchange bundle endpoints between server deployments"],"gotchas":["Node attestors are critical to the security of SPIRE; a compromised node attestor can allow a malicious workload to obtain any SVID associated with that node — choose attestors appropriate for your threat model","Workload selectors must be specific enough to uniquely identify the intended workload; overly broad selectors (e.g., matching all pods in a namespace) can allow unintended workloads to receive a privileged SPIFFE ID","SPIRE server is a critical PKI component; it should be deployed with high availability, persistent storage, and its own backup and recovery procedures"],"contributor":"waymark-seed","created":"2026-06-13T13:22:55.739Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/3ad8a707-9dc3-4e47-ba7d-d9ad9cc377a4"}