Provides agent and server plugins for SPIRE to allow Tailscale node attestation.

Overview

SPIRE Tailscale Plugin

⚠️ This node attestation plugin relies on the Tailscale OIDC ID token feature, which is marked as work in progress and may not be available to everyone yet.

This repository contains agent and server plugins for SPIRE to allow Tailscale node attestation.

Quick Start

Before starting, set up a running SPIRE deployment and add the following configuration to the agent and server. Each agent must run on a Tailscale node with Tailscale version >= 1.24.0.

Agent Configuration

NodeAttestor "tailscale" {
  plugin_cmd = "/path/to/plugin_cmd"
  plugin_checksum = "sha256 of the plugin binary"
  plugin_data {
    domain_allow_list = [ "example.com" ]
  }
}

Server Configuration

NodeAttestor "tailscale" {
  plugin_cmd = "/path/to/plugin_cmd"
  plugin_checksum = "sha256 of the plugin binary"
  plugin_data {
  }
}

How it Works

This plugin automatically attests nodes using the Tailscale OIDC token (a Tailscale feature that is still a work in progress) and operates as follows:

  1. The agent fetches a Tailscale OIDC token from the local tailscaled daemon.
  2. The agent sends the token to the server.
  3. The server validates the token.
  4. The server creates a SPIFFE ID in the form spiffe://<trust_domain>/spire/agent/tailscale/<hostname>.
  5. All done!
Comments
  • Does the agent need to prove possession of the tailscale key?

    Really cool plugin! Thank you for sharing it 🤗

    From the readme and a brief look at the code, it seems that the agent sends a public key and the server looks it up to verify its presence in Tailscale... however, a public key is also public information and not expected to be private. It seems like the server should issue a challenge, and the agent should solve/sign this challenge in order to prove possession of the private key (example here)? Tailscale may not allow for this kind of key usage...

    Another (way more involved) option could be to send a tailscale handshake over the node attestation exchange, and let the server either terminate or observe it.

    opened by evan2645 3
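Steps 1-4 of How it Works above, reworked as an added example (not the plugin's own code) with the proof-of-possession step raised in the comment above standing in for OIDC token validation: the server issues a nonce, the agent signs it with the node key, and the server verifies the answer against the key it looked up for the claimed hostname, enforces a domain allow list in the spirit of the domain_allow_list setting, and mints the SPIFFE ID in the form the README gives. The nodeDirectory map, the ed25519 keys and the single allow-domain parameter are constructed assumptions; Tailscale's real key format and lookup API are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-in for the server's tailnet lookup (hostname -> node public key).
type nodeDirectory map[string]ed25519.PublicKey

// Server: a fresh random nonce per attestation, so a replayed signature or a merely copied public key cannot pass.
func newChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Agent: prove possession of the node's private key by signing the server's nonce.
func answerChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Server: verify the answer with the looked-up key, require the hostname to be in (or under)
// allowDomain, then mint spiffe://<trust_domain>/spire/agent/tailscale/<hostname>.
func attest(dir nodeDirectory, allowDomain, trustDomain, hostname string, nonce, sig []byte) (string, error) {
	pub, ok := dir[hostname]
	if !ok {
		return "", errors.New("hostname not present in tailnet")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return "", errors.New("no proof of key possession: bad challenge signature")
	}
	if hostname != allowDomain && !strings.HasSuffix(hostname, "."+allowDomain) {
		return "", errors.New("hostname not covered by domain allow list")
	}
	return fmt.Sprintf("spiffe://%s/spire/agent/tailscale/%s", trustDomain, hostname), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample node key
	nonce, _ := newChallenge()
	fmt.Println(attest(nodeDirectory{"node1.example.com": pub}, "example.com", "example.org", "node1.example.com", nonce, answerChallenge(priv, nonce)))
}
```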
Owner
Johan Siebens