spire-tailscale-plugin

v0.2.0
Published: Apr 29, 2022 License: Apache-2.0

README

SPIRE Tailscale Plugin

⚠ This node attestation plugin relies on the Tailscale OIDC id-token feature, which is marked as work-in-progress and may not be available to everyone yet.

This repository contains agent and server plugins for SPIRE to allow Tailscale node attestation.

Quick Start

Before starting, set up a running SPIRE deployment and add the following configuration to the agent and the server. The agents should run on Tailscale nodes with Tailscale version >= 1.24.0.

Agent Configuration

NodeAttestor "tailscale" {
  plugin_cmd = "/path/to/plugin_cmd"
  plugin_checksum = "sha256 of the plugin binary"
  plugin_data {
    domain_allow_list = [ "example.com" ]
  }
}

Server Configuration

NodeAttestor "tailscale" {
  plugin_cmd = "/path/to/plugin_cmd"
  plugin_checksum = "sha256 of the plugin binary"
  plugin_data {
  }
}

How it Works

This plugin automatically attests nodes using the Tailscale OIDC token (a Tailscale feature that is still a work in progress) and operates as follows:

  1. The agent fetches a Tailscale OIDC token from the local tailscaled daemon.
  2. The agent sends the token to the server.
  3. The server validates the token.
  4. The server creates a SPIFFE ID of the form spiffe://<trust_domain>/spire/agent/tailscale/<hostname>.
  5. All done!
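The server-side half of the flow (steps 3 and 4), written as an added example rather than the plugin's own code: it takes the claims of a token whose signature has already been verified against Tailscale's OIDC issuer, rejects expired tokens and nodes outside a domain_allow_list like the one in the configuration above, and mints the SPIFFE ID in the stated form. The claim field names, the `AttestNode` function and the sample values are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// TailscaleClaims holds what this example expects from an already
// signature-verified Tailscale OIDC id-token. The field names are an
// assumption for illustration, not the plugin's own types.
type TailscaleClaims struct {
	Hostname string    // the node's Tailscale hostname
	Domain   string    // the tailnet domain the node belongs to
	Expiry   time.Time // the token's "exp"
}

// A SPIFFE path segment may only contain letters, digits, '.', '-' and '_',
// so a hostname that would smuggle '/' or '..' into the ID is rejected.
var segmentRe = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// AttestNode rejects stale tokens and nodes outside the allow list, then
// returns spiffe://<trust_domain>/spire/agent/tailscale/<hostname>.
func AttestNode(trustDomain string, allow []string, c TailscaleClaims, now time.Time) (string, error) {
	if !now.Before(c.Expiry) {
		return "", errors.New("token expired")
	}
	allowed := false
	for _, d := range allow {
		if strings.EqualFold(d, c.Domain) {
			allowed = true
			break
		}
	}
	if !allowed {
		return "", fmt.Errorf("domain %q not in allow list", c.Domain)
	}
	if c.Hostname == "" || c.Hostname == "." || c.Hostname == ".." || !segmentRe.MatchString(c.Hostname) {
		return "", fmt.Errorf("invalid hostname %q for SPIFFE path", c.Hostname)
	}
	return fmt.Sprintf("spiffe://%s/spire/agent/tailscale/%s", trustDomain, c.Hostname), nil
}

func main() {
	// Constructed sample claims; a real token would come from tailscaled.
	c := TailscaleClaims{Hostname: "laptop-1", Domain: "example.com", Expiry: time.Now().Add(time.Minute)}
	fmt.Println(AttestNode("example.org", []string{"example.com"}, c, time.Now()))
}
```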
