-
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
41 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
# SPIRE Tailscale Plugin | ||
|
||
This repository contains agent and server plugins for [SPIRE](https://github.com/spiffe/spire) to allow [Tailscale](https://tailscale.com) node attestation. | ||
|
||
## Quick Start | ||
|
||
Before starting, create a running SPIRE deployment and add the following configuration to the agent and server. | ||
Both server and agents should be running on a Tailscale node. | ||
|
||
### Agent Configuration | ||
|
||
```hcl | ||
NodeAttestor "tailscale" { | ||
plugin_cmd = "/path/to/plugin_cmd" | ||
plugin_checksum = "sha256 of the plugin binary" | ||
plugin_data { | ||
} | ||
} | ||
``` | ||
|
||
### Server Configuration | ||
|
||
```hcl | ||
NodeAttestor "tailscale" { | ||
plugin_cmd = "/path/to/plugin_cmd" | ||
plugin_checksum = "sha256 of the plugin binary" | ||
plugin_data { | ||
} | ||
} | ||
``` | ||
|
||
## How it Works | ||
|
||
The plugin uses the Tailscale Node public keys as the method of attestation and is inspired on the [client verification](https://tailscale.com/kb/1118/custom-derp-servers/?q=derp#optional-restricting-client-access-to-your-derp-node) in custom DERP servers. | ||
The plugin operates as follows: | ||
|
||
1. Agent fetches the Tailscale Node key from the local `tailscaled` agent | ||
1. Agent sends the key to the server | ||
1. Server inspects the key and checks if it is a valid key in its Tailscale network. | ||
1. Server creates a SPIFFE ID in the form of `spiffe://<trust_domain>/spire/agent/ts/<hostname>` | ||
1. All done! |