ONF Connect 2018 has ended
Wednesday, December 5 • 4:30pm - 5:00pm
Securing XOS Services on Edge Using Istio Citadel Central Authority

The XOS service orchestration framework enables services to be managed as a first-class abstraction, regardless of where these tenant services are hosted. Since multi-tenancy is a staple of cloud services, it is imperative that managing service credentials directly affects dataplane service connectivity. Thus, the requirement for service authentication and verifiability follows directly from XOS's Model-Controller-View programmability framework, which allows access to those resources.

We introduce and discuss Citadel, Istio’s Certificate Authority, to improve edge security by automating the issuance and rotation of certificates for XOS services. Firstly, we focus on the use case of provisioning SPIFFE identities as X509 certificates for a set of workloads that make up an XOS service in a point of presence. Secondly, we describe how XOS can be used with Citadel to build a reliable system for certificate management. Finally, we’ll uncover the workflow protocol used for automatic certificate issuance, including how authentication of the workload and its execution environment can be performed.

Speakers
Lizan Zhou

Founding Engineer, Tetrate
Lizan Zhou is a Founding Engineer at Tetrate, leading the mesh backend team. He is a senior maintainer of Envoy and one of the core contributors of Istio. Previously he was at Google Cloud, where he worked on security and networking on Istio and Cloud Endpoints...


Wednesday December 5, 2018 4:30pm - 5:00pm PST
Salon 4