# SPIRE Tailscale Plugin

This repository contains an agent plugin and a server plugin for SPIRE that allow Tailscale node attestation.

## Quick Start

Before starting, have a running SPIRE deployment and add the following configuration to the agent and the server.
Both the server and the agents must be running on a Tailscale node.
### Agent Configuration

```hcl
NodeAttestor "tailscale" {
    plugin_cmd = "/path/to/plugin_cmd"
    plugin_checksum = "sha256 of the plugin binary"
    plugin_data {
    }
}
```
### Server Configuration

```hcl
NodeAttestor "tailscale" {
    plugin_cmd = "/path/to/plugin_cmd"
    plugin_checksum = "sha256 of the plugin binary"
    plugin_data {
    }
}
```
## How it Works

The plugin uses the Tailscale node public key as the method of attestation and is inspired by the client verification performed in custom DERP servers.
The plugin operates as follows:

- The agent fetches the Tailscale node key from the local `tailscaled` daemon.
- The agent sends the key to the server.
- The server inspects the key and checks that it is a valid key in its Tailscale network.
- The server creates a SPIFFE ID in the form `spiffe://<trust_domain>/spire/agent/ts/<hostname>`.
- All done!
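The flow above, modelled end to end as an added example. This is not the plugin's own code: it uses only the Go standard library, stands in for the `tailscaled` query with a node key passed in as a string, and stands in for the server's view of its tailnet with a constructed map from node key to hostname. The `nodekey:` + 64-hex-character text form is the one Tailscale uses for node public keys; the payload struct, the peer map and the hostname check are assumptions made for the example.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// nodeKeyPrefix is the text prefix Tailscale uses for node public keys:
// "nodekey:" followed by 64 hex characters (a 32-byte key).
const nodeKeyPrefix = "nodekey:"

// Constructed sample keys for the example tailnet (not real Tailscale keys).
const (
	ExampleNodeKeyA = nodeKeyPrefix + "1111111111111111111111111111111111111111111111111111111111111111"
	ExampleNodeKeyB = nodeKeyPrefix + "2222222222222222222222222222222222222222222222222222222222222222"
)

// ParseNodeKey validates the textual form of a node public key and returns
// the raw 32 bytes, so a malformed attestation payload is rejected up front.
func ParseNodeKey(s string) ([32]byte, error) {
	var k [32]byte
	if !strings.HasPrefix(s, nodeKeyPrefix) {
		return k, errors.New("node key: missing nodekey: prefix")
	}
	raw, err := hex.DecodeString(strings.TrimPrefix(s, nodeKeyPrefix))
	if err != nil || len(raw) != len(k) {
		return k, errors.New("node key: expected 64 hex characters")
	}
	copy(k[:], raw)
	return k, nil
}

// AttestationPayload is what the agent sends to the server: only the node key.
// (Assumed shape for this example; the plugin's wire format may differ.)
type AttestationPayload struct {
	NodeKey string
}

// AgentPayload builds the payload from the node key the agent obtained from
// its local tailscaled (passed in here instead of queried from the daemon).
func AgentPayload(selfNodeKey string) (AttestationPayload, error) {
	if _, err := ParseNodeKey(selfNodeKey); err != nil {
		return AttestationPayload{}, err
	}
	return AttestationPayload{NodeKey: selfNodeKey}, nil
}

// Server holds the server's own view of its tailnet: node key -> hostname.
type Server struct {
	TrustDomain string
	Peers       map[[32]byte]string
}

// validPathSegment restricts the hostname to characters SPIFFE allows in a
// path segment, so a peer name can never smuggle "/" or ".." into the ID.
func validPathSegment(s string) bool {
	if s == "" || s == "." || s == ".." {
		return false
	}
	for _, r := range s {
		ok := r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '-' || r == '_' || r == '.'
		if !ok {
			return false
		}
	}
	return true
}

// Attest checks the presented key against the server's tailnet view and, for
// a known peer, returns the SPIFFE ID. The hostname is taken from the
// server's peer list, never from anything the agent claims about itself.
func (s *Server) Attest(p AttestationPayload) (string, error) {
	k, err := ParseNodeKey(p.NodeKey)
	if err != nil {
		return "", err
	}
	host, ok := s.Peers[k]
	if !ok {
		return "", errors.New("node key is not a member of this tailnet")
	}
	if !validPathSegment(host) {
		return "", fmt.Errorf("peer hostname %q is not a valid SPIFFE path segment", host)
	}
	return fmt.Sprintf("spiffe://%s/spire/agent/ts/%s", s.TrustDomain, host), nil
}

// NewExampleServer returns a server whose tailnet view is constructed inline.
func NewExampleServer() *Server {
	s := &Server{TrustDomain: "example.org", Peers: map[[32]byte]string{}}
	for key, host := range map[string]string{ExampleNodeKeyA: "web-1", ExampleNodeKeyB: "db-1"} {
		k, _ := ParseNodeKey(key) // constants above are well-formed
		s.Peers[k] = host
	}
	return s
}

func main() {
	srv := NewExampleServer()
	payload, _ := AgentPayload(ExampleNodeKeyA)
	id, err := srv.Attest(payload)
	fmt.Println(id, err) // spiffe://example.org/spire/agent/ts/web-1 <nil>
	_, err = srv.Attest(AttestationPayload{NodeKey: nodeKeyPrefix + strings.Repeat("ff", 32)})
	fmt.Println(err) // node key is not a member of this tailnet
}
```

The point worth keeping from the model is where each input comes from: the key is the only thing the agent supplies, membership is decided against the server's own view of the tailnet, and the hostname that ends up in the SPIFFE ID is the server's name for that peer.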