diff --git a/README.md b/README.md new file mode 100644 index 0000000..4eaa198 --- /dev/null +++ b/README.md @@ -0,0 +1,41 @@ +# SPIRE Tailscale Plugin + +This repository contains agent and server plugins for [SPIRE](https://github.com/spiffe/spire) to allow [Tailscale](https://tailscale.com) node attestation. + +## Quick Start + +Before starting, create a running SPIRE deployment and add the following configuration to the agent and server. +Both server and agents should be running on a Tailscale node. + +### Agent Configuration + +```hcl +NodeAttestor "tailscale" { + plugin_cmd = "/path/to/plugin_cmd" + plugin_checksum = "sha256 of the plugin binary" + plugin_data { + } +} +``` + +### Server Configuration + +```hcl +NodeAttestor "tailscale" { + plugin_cmd = "/path/to/plugin_cmd" + plugin_checksum = "sha256 of the plugin binary" + plugin_data { + } +} +``` + +## How it Works + +The plugin uses the Tailscale Node public keys as the method of attestation and is inspired on the [client verification](https://tailscale.com/kb/1118/custom-derp-servers/?q=derp#optional-restricting-client-access-to-your-derp-node) in custom DERP servers. +The plugin operates as follows: + +1. Agent fetches the Tailscale Node key from the local `tailscaled` agent +1. Agent sends the key to the server +1. Server inspects the key and checks if it is a valid key in its Tailscale network. +1. Server creates a SPIFFE ID in the form of `spiffe:///spire/agent/ts/` +1. All done! \ No newline at end of file