Zero Trust at Shopify Scale: Automating MTLS Across Thousands of Services

中文 English 日本語
Mutual TLSinternal service authenticationattested identitiesACLautomating MTLSCNCF

Introduction

In the era of distributed systems and cloud-native architectures, ensuring secure communication between services at scale is critical. Shopify’s implementation of Mutual TLS (MTLS) exemplifies how Zero Trust principles can be operationalized to enforce attested identities, ACL (Access Control List) policies, and internal service authentication. This article explores Shopify’s approach to automating MTLS, leveraging CNCF tools like Spire and Cert Manager, while addressing challenges in certificate management, identity verification, and scalability.

Core Concepts and Architecture

Mutual TLS (MTLS) and Zero Trust

Zero Trust operates on the principle of Never Trust, Always Verify, ensuring every request—regardless of origin—is authenticated and authorized. MTLS extends this by requiring both client and server to present and validate certificates, establishing end-to-end encrypted communication. At Shopify, MTLS is used to authenticate internal services, ensuring only attested identities can access specific endpoints.

Spiffy ID and X.509 Certificates

Shopify employs Spiffy IDs (URI-based identifiers like spiffy://shopify.com/service-account/project) to represent service identities. These are derived from X.509 certificates, which include unique attributes such as Subject Name and Serial Number. The Spiffy ID format avoids special characters like @, enabling seamless integration with Kafka and Kubernetes.

CNCF Tools and Integration

  • Spire (a CNCF project) manages identity lifecycle by acting as a node agent, dynamically issuing and revoking certificates.
  • Google Certificate Authority Service (CAS) generates certificates, which are then mapped to Spiffy IDs via Identity Reflection.
  • Cert Manager automates certificate issuance and renewal in Kubernetes environments, supporting Google CA integration.

Key Features and Implementation

Automating MTLS at Scale

Shopify’s MTLS automation addresses three critical areas:

  1. Certificate Management:

    • A three-tier PKI structure (Root CA, Intermediate CA, Leaf Certificates) ensures secure certificate chains.
    • Automated rotation policies (Root CA every 3 years, Intermediate CA every 3 months) are enforced with secret management via Google Secret Manager and Kubernetes Secrets.

  2. Identity Verification:

    • Spiffy IDs are injected into Kubernetes Secrets and validated against ACL policies.
    • Kafka requires custom SAN URI parsing to align with its DN-based ACL system.

  3. Deployment and Observability:

    • Argo CD Sync Waves manage deployment order, ensuring certificates are ready before service startup.
    • Prometheus and Grafana monitor certificate lifecycles, while StatsD tracks job success/failure metrics.

Service Authentication and ACL Enforcement

  • Service Mesh vs. Cloud Provider Solutions:

    • Service Mesh (e.g., Istio) offers automatic certificate rotation but introduces overhead for large-scale deployments.
    • Google ALB and Ingress Engine X provide MTLS support but require custom SAN URI parsing for client certificate validation.

  • Access Control:

    • ACL policies restrict access to endpoints (e.g., /internal/Z), ensuring only services with valid Spiffy IDs can interact.
    • Workload Identity Federation and Google Workload Identity enable seamless IAM-based authentication for services.

Challenges and Solutions

Scalability and Complexity

  • Certificate Overlap: Overlapping certificate lifecycles and permissions risk security gaps. Shopify mitigates this with automated rotation and strict ACL enforcement.
  • Kafka Integration: Custom principle builder logic resolves SAN URI parsing issues, aligning with Kafka’s DN-based ACL requirements.
  • Deployment Coordination: Sync Waves prevent certificate desynchronization, ensuring services start only after certificates are available.

Operational Overhead

  • Manual Certificate Management: Shopify replaces manual processes with Cert Manager and Google CAS, reducing human error.
  • Monitoring and Alerting: Prometheus Push Gateway and Grafana provide real-time visibility into certificate expiration, job failures, and MTLS handshake success rates.

Conclusion

Shopify’s implementation of Mutual TLS at scale demonstrates how Zero Trust can be operationalized through attested identities, automated certificate management, and CNCF tools. By leveraging Spiffy IDs, Spire, and Cert Manager, Shopify ensures secure, scalable, and observable service communication. Key takeaways include:

  • Automate certificate lifecycle to reduce operational overhead.
  • Use Spiffy IDs for consistent identity representation across services.
  • Integrate observability tools to monitor MTLS health and detect anomalies.

This approach provides a blueprint for organizations seeking to enforce Zero Trust in large-scale distributed systems.

推薦閱讀

Scaling TLS with Self-Service and Multi-Tenant Certificates in KubernetesBeyond the Ephemeral: Mastering Serverless Metrics at Scale With ShopifyUnlocking Customer-Centric Observability with Open Telemetry and Cloud-Native TechnologiesSmooth Scaling with OpAMP Supervisor: Managing OpenTelemetry Collectors at ScaleA Project Maintainers Guide To TAG Security: Open FGA Project's PracticeFrom Chaos to Control: Migrating Access Control with Open FGA