π What is Dapr Service Invocation?
Dapr (Distributed Application Runtime) provides a service invocation API that allows microservices to call each other over HTTP or gRPC, abstracting away service discovery, retries, and load balancing.
π§© Key Concepts:
- Each app is identified by an App ID (e.g.,
order-service
,payment-service
). - Apps call each other using Dapr sidecars:
For example:
POST http://localhost:3500/v1.0/invoke/payment-service/method/charge
-
Dapr handles:
- Service discovery
- Retries and timeouts
- Observability (tracing, metrics)
- Security (when mTLS is enabled)
π How SPIFFE Helps
SPIFFE (Secure Production Identity Framework for Everyone) and SPIRE (its runtime) provide zero-trust identity to workloads via SPIFFE IDs (like spiffe://example.org/ns/default/sa/order-service
).
When integrated with Dapr, SPIFFE enhances service invocation security by enabling:
β Strong Workload Identity
- SPIRE issues short-lived X.509 certificates to workloads based on their identity (namespace, service account, etc.).
- These are used in mutual TLS (mTLS) connections.
β Authentication
- Every Dapr sidecar uses mTLS for communication.
- With SPIFFE, the Dapr sidecar can validate exactly which workload is calling, not just a hostname or IP, but a verified identity.
β Authorization
- Combined with Daprβs Invoke Allowlist, you can restrict which SPIFFE identities (or App IDs) are allowed to call specific services.
- This adds fine-grained control over inter-service communication.
π§ Summary
Feature | Dapr Alone | With SPIFFE Integration |
---|---|---|
Service Invocation | By App ID over HTTP/gRPC via sidecars | Same, but with stronger identity guarantees |
Identity Verification | Via Dapr-managed mTLS | Via SPIFFE-issued certificates and SPIFFE IDs |
Access Control | Allowlist by App ID | Allowlist tied to cryptographically verified IDs |
Security Posture | Good | Strong (zero-trust, workload-authenticated) |
Top comments (0)