Add service for spire sever-workload and ghostunnel arg descrption

Author: tossmilestone

docs/en/security/workload_security/spire.mdx

@@ -162,6 +162,23 @@ metadata:
   name: server-sa
   namespace: example
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: server-workload
+spec:
+  internalTrafficPolicy: Cluster
+  ports:
+    - appProtocol: tcp
+      name: web
+      port: 8443
+      protocol: TCP
+      targetPort: 8443
+  selector:
+    app: server-workload
+  sessionAffinity: None
+  type: ClusterIP
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -216,6 +233,8 @@ spec:
           name: spiffe-socket
 ```
 
+* The `--allow-uri` flag in the `ghostunnel` configuration specifies the SPIFFE ID of the client workload that is allowed to connect to the server. In this example, only the client workload with the SPIFFE ID `spiffe://example.org/ns/example/sa/client-sa` is allowed to connect to the server.
+
 Apply with: `kubectl apply -f server-workload.yaml`
 
 #### Deploy Client Workload
@@ -271,6 +290,8 @@ spec:
           name: spiffe-socket
 ```
 
+* The `--verify-uri` flag in the `ghostunnel` configuration specifies the SPIFFE ID of the server workload that the client workload is allowed to connect to. In this example, only the server workload with the SPIFFE ID `spiffe://example.org/ns/example/sa/server-sa` is allowed to connect to the client workload.
+
 Apply with: `kubectl apply -f client-workload.yaml`
 
 ### Verification