update README
jsiebens committed Apr 26, 2022
1 parent 8686d0f commit b6ff994
Showing 1 changed file with 41 additions and 0 deletions.
41 changes: 41 additions & 0 deletions README.md
@@ -0,0 +1,41 @@
# SPIRE Tailscale Plugin

This repository contains agent and server plugins for [SPIRE](https://github.com/spiffe/spire) to allow [Tailscale](https://tailscale.com) node attestation.

## Quick Start

Before starting, create a running SPIRE deployment and add the following configuration to the agent and server.
Both server and agents should be running on a Tailscale node.

### Agent Configuration

```hcl
NodeAttestor "tailscale" {
plugin_cmd = "/path/to/plugin_cmd"
plugin_checksum = "sha256 of the plugin binary"
plugin_data {
}
}
```

### Server Configuration

```hcl
NodeAttestor "tailscale" {
plugin_cmd = "/path/to/plugin_cmd"
plugin_checksum = "sha256 of the plugin binary"
plugin_data {
}
}
```

## How it Works

The plugin uses the Tailscale Node public keys as the method of attestation and is inspired on the [client verification](https://tailscale.com/kb/1118/custom-derp-servers/?q=derp#optional-restricting-client-access-to-your-derp-node) in custom DERP servers.
The plugin operates as follows:

1. Agent fetches the Tailscale Node key from the local `tailscaled` agent
1. Agent sends the key to the server
1. Server inspects the key and checks if it is a valid key in its Tailscale network.
1. Server creates a SPIFFE ID in the form of `spiffe://<trust_domain>/spire/agent/ts/<hostname>`
1. All done!
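
Review bot: The "How it Works" list (steps 2 to 4) does not say how the server binds the presented node key to the agent that sent it. As written, the agent sends a Tailscale node public key and the server checks that it is "a valid key in its Tailscale network"; a public key is not a secret, so the README should state what else the server verifies (for example, that the connection originates from the node owning that key) or say plainly that nothing else is verified. Step 4 should also say where `<hostname>` comes from and what happens when two nodes share a hostname, since it becomes the agent's SPIFFE ID. Smaller points: the empty `plugin_data` blocks should note whether any settings exist, the agent and server sections use the same `/path/to/plugin_cmd` placeholder without saying which binary each one refers to, and "inspired on" should read "inspired by".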
