
Support Spire as a TrustSource

Open dennisgove opened this issue 5 years ago • 2 comments

The plugin is designed to support multiple sources of trust used to verify SVIDs but currently the only implemented one is TrustFileSource.

Purpose: Track the implementation of a TrustSpireSource.

Goal

The goal of this is to support Spire as a live source of trust for the plugin. The final implementation should be able to connect to one or more instances of Spire (via local agents or otherwise) in order to receive from Spire the known trust CAs that SVIDs can be verified against.

dennisgove, Oct 25 '19 18:10

Nice!

One way to do this might be to connect to the SPIRE server bundle endpoint... It will require that the plugin know how to authenticate the endpoint's server certificate, though.

Another way to do it could be using the workload api, exposed by a local agent... In this case, vault would be the workload, and you could provide it with bundles from multiple trust domains via federation.

evan2645, Oct 25 '19 19:10

Regarding connecting to the workload api, there's saved code in this note doing just that. I'd put it together just as a sanity check and it works as expected.

dennisgove, Oct 25 '19 19:10
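As an added example, not code from the vault-auth-spire plugin, here is the plugin-side half of the Workload API approach discussed above: once bundles for one or more trust domains have been received (federation delivers one per domain), an SVID is verified against the bundle of the trust domain named in its own spiffe:// URI SAN, never against a default pool. The Bundles type, VerifySVID and the newCert helper are hypothetical names, and the certificates are constructed in-process rather than issued by SPIRE.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Bundles maps a trust domain to its CA pool, the shape in which a federated
// Workload API response supplies them; a live TrustSpireSource would refresh it.
type Bundles map[string]*x509.CertPool

// VerifySVID validates an X.509-SVID against the bundle of the trust domain
// named in its spiffe:// URI SAN and returns the SPIFFE ID on success.
func VerifySVID(b Bundles, svid *x509.Certificate) (string, error) {
	if len(svid.URIs) != 1 || svid.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("certificate lacks a single spiffe:// URI SAN")
	}
	id := svid.URIs[0]
	roots, ok := b[id.Host] // the trust domain is the URI host
	if !ok {
		// Refuse rather than verify with Roots == nil, which would mean the system CAs.
		return "", fmt.Errorf("no trust bundle for domain %q", id.Host)
	}
	// ExtKeyUsageAny: SVIDs may carry serverAuth, clientAuth, or no EKU at all.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := svid.Verify(opts); err != nil {
		return "", err
	}
	return id.String(), nil
}

// newCert builds constructed test data: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. Not a SPIRE-issued SVID.
func newCert(uris []*url.URL, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: uris,
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = tmpl, key // self-signed
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Fetching the bundles from the agent socket is the Workload API client's job; this block only covers what the plugin does once it holds them.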