Trust Domain Federation

Trust domain federation enables workloads in separate Riptides deployments to authenticate to each other across trust boundaries. Each Riptides deployment operates its own trust domain with its own CA. Federation is the mechanism by which two trust domains can validate each other’s SVIDs without merging into a single deployment.

A trust bundle contains the signing CA certificates for a trust domain. The control plane distributes the local trust bundle to all daemons. When a workload receives a connection from a remote workload, the kernel module validates the remote SVID against the trust bundle for that domain.

To accept connections from a foreign trust domain, that domain’s trust bundle must be loaded into the local control plane and distributed to daemons.

Multiple Riptides deployments, each operating their own trust domain, can federate by exchanging trust bundles. This enables:

  • Multi-cluster communication — Workloads in different Kubernetes clusters (each with its own trust domain) can authenticate to each other via mTLS using their respective SPIFFE IDs.
  • Multi-cloud communication — Workloads running in different cloud providers, managed by separate control planes, can establish trusted connections.
  • Partner and third-party access — Organizations can share trust bundles with partners, allowing cross-organization workload authentication without sharing credentials.

Federation works as follows:

  1. Each control plane publishes its trust bundle (the signing CA certificates for its trust domain).
  2. Administrators configure each control plane to trust the other domain’s bundle.
  3. The control planes distribute the foreign trust bundles to their daemons.
  4. The kernel module loads all trust bundles and can verify SVIDs from any trusted domain.

When a workload in example.com connects to a workload in partner.com, the kernel modules on both sides verify the remote SVID against the appropriate trust bundle. Ingress and egress policies can reference SPIFFE IDs from foreign trust domains in their allowedSPIFFEIDs lists.

```yaml
apiVersion: core.riptides.io/v1alpha1
kind: TrustBundle
metadata:
  name: partner-trust
  namespace: riptides-system
spec:
  trustDomain: "partner.com"
  bundle: |
    -----BEGIN CERTIFICATE-----
    <root-ca-certificate>
    -----END CERTIFICATE-----
```

With this trust bundle loaded, workloads in the local trust domain can verify and accept connections from workloads presenting SVIDs issued by partner.com.