|
1 | 1 | # SPIRE Tailscale Plugin |
2 | 2 |
|
3 | | -> :warning: this project is still WIP and experimental (see [#1](https://github.com/jsiebens/spire-tailscale-plugin/issues/1)) |
| 3 | +> :warning: this node attestation plugin relies on a Tailscale OIDC id-token feature, which is marked as Work-in-Progress and may not be available for everyone yet. |
4 | 4 | |
5 | 5 | This repository contains agent and server plugins for [SPIRE](https://github.com/spiffe/spire) to allow [Tailscale](https://tailscale.com) node attestation. |
6 | 6 |
|
7 | 7 | ## Quick Start |
8 | 8 |
|
9 | 9 | Before starting, create a running SPIRE deployment and add the following configuration to the agent and server. |
10 | | -Both server and agents should be running on a Tailscale node. |
| 10 | +The agents should be running on a Tailscale node, with version __>= 1.24.0__. |
11 | 11 |
|
12 | 12 | ### Agent Configuration |
13 | 13 |
|
14 | 14 | ```hcl |
15 | 15 | NodeAttestor "tailscale" { |
16 | | - plugin_cmd = "/path/to/plugin_cmd" |
17 | | - plugin_checksum = "sha256 of the plugin binary" |
18 | | - plugin_data { |
19 | | - } |
| 16 | + plugin_cmd = "/path/to/plugin_cmd" |
| 17 | + plugin_checksum = "sha256 of the plugin binary" |
| 18 | + plugin_data { |
| 19 | + domain_allow_list = [ "example.com" ] |
| 20 | + } |
20 | 21 | } |
21 | 22 | ``` |
22 | 23 |
|
23 | 24 | ### Server Configuration |
24 | 25 |
|
25 | 26 | ```hcl |
26 | 27 | NodeAttestor "tailscale" { |
27 | | - plugin_cmd = "/path/to/plugin_cmd" |
28 | | - plugin_checksum = "sha256 of the plugin binary" |
29 | | - plugin_data { |
30 | | - } |
| 28 | + plugin_cmd = "/path/to/plugin_cmd" |
| 29 | + plugin_checksum = "sha256 of the plugin binary" |
| 30 | + plugin_data { |
| 31 | + } |
31 | 32 | } |
32 | 33 | ``` |
33 | 34 |
|
34 | 35 | ## How it Works |
35 | 36 |
|
36 | | -The plugin uses the Tailscale Node public keys as the method of attestation and is inspired on the [client verification](https://tailscale.com/kb/1118/custom-derp-servers/?q=derp#optional-restricting-client-access-to-your-derp-node) in custom DERP servers. |
| 37 | +This plugin automatically attests instances using the Tailscale OIDC Token. (a Tailscale feature still in WIP) |
37 | 38 | The plugin operates as follows: |
38 | 39 |
|
39 | | -1. Agent fetches the Tailscale Node key from the local `tailscaled` agent |
40 | | -1. Agent sends the key to the server |
41 | | -1. Server inspects the key and checks if it is a valid key in its Tailscale network. |
42 | | -1. Server creates a SPIFFE ID in the form of `spiffe://<trust_domain>/spire/agent/ts/<hostname>` |
| 40 | +1. Agent fetches a Tailscale OIDC token from the local `tailscaled` agent |
| 41 | +1. Agent sends the token to the server |
| 42 | +1. Server validates the token. |
| 43 | +1. Server creates a SPIFFE ID in the form of `spiffe://<trust_domain>/spire/agent/tailscale/<hostname>` |
43 | 44 | 1. All done! |
0 commit comments