go-spiffe icon indicating copy to clipboard operation
go-spiffe copied to clipboard
verified publisher icon spiffe

Provide a SPIFFE CLI utility in this repository

Open evan2645 opened this issue 6 years ago • 6 comments

There is a community need for a generalized SPIFFE CLI utility, with many useful features possible. Among them:

  • Parsing SVIDs and displaying their contents (a-la openssl -text)
  • Validating SVIDS (possibly with or without the workload api present?)
  • Fetching SVIDs from the Workload API
  • Supervising an application, writing SVIDs to disk, signaling as necessary

There are likely additional features that would fit well here (SPIFFE bundle fetching? Munging to type-specific bundles? etc). I would expect this utility to be fetchable/installable via typical go workflow, and would also expect it to fully subsume the functionality currently implemented in https://github.com/spiffe/spiffe-helper

evan2645 avatar Sep 19 '19 17:09 evan2645

There are likely additional features that would fit well here (SPIFFE bundle fetching? Munging to type-specific bundles? etc)

Perhaps:

  • Fetch a SPIFFE bundle from a SPIFFE federation API
  • Serve a SPIFFE bundle from disk-based files or from the workload API
  • Munge SPIFFE bundles into SVID-specific types as mentioned above (e.g. SPIFFE bundle to JWKS w/ only JWT-SVID keys, or into PEM-formatted CA certificates

Maybe some of the functionality from the SPIRE OIDC provider can live here too?

evan2645 avatar Dec 16 '19 23:12 evan2645

One case I'd be interested in is supporting processes without native workload support.

I'm thinking the user-interaction might look something like this:

spiffe --spiffe="spiffe://example.org/pickaworkload" exec   -- mysql --ssl-ca=@X509BUNDLE --ssl-cert=@X509SVID --ssl-key=@SVIDKEY

the spiffe tool would write out temp files (ideally, to somewhere like a tmpfs that's relatively secure) and exec the tool with the templated parameters filled in. Lots of bikeshedding to do on the details, and at least in the above case I'd probably want a wrapper shell script (I'd call it spiffe-mysql or something) so folks don't have to type it out.

That would work with tools like curl, mysql, etc -- anything that takes a cert bundle, client cert, and key as files.

Maybe a flag to send a signal to the child on update, too?

mcpherrinm avatar Dec 16 '19 23:12 mcpherrinm

There's a few ways you might want to specify the paths to files:

  1. as command line options, like mysql/curl do, with some syntax like in the comment above
  2. as environment variables, for a "12 factor" style applications
  3. to preconfigured paths (for apps with config files that don't want to change)

mcpherrinm avatar Dec 17 '19 00:12 mcpherrinm

You may also want support for different file formats...

eg, syslog wants an "openssl CA directory". Java & windows apps often want a .p12 file Some apps want a pkcs1 vs pkcs8 key. Some want the x509 cert, chain, and key all in the same file (eg, mongodb)

our internal not-yet-spiffe software supported that set of file format options & that's given almost complete coverage of software we've run into.

mcpherrinm avatar Dec 17 '19 00:12 mcpherrinm

Handling rotation:

  1. Might want to signal a process (ideally, a child process)
  2. Might want to run a command (eg, sv restart /service/foo if you're using runit, or some equivalent systemd command, etc) to restart a process. Definitely need to use this with care; I wouldn't want to knock out a fleet with a bad restart command.
  3. Ideally apps notice files on disk changing (via inotify) and reload, or do it on some timer, requiring no coordination.

mcpherrinm avatar Dec 17 '19 02:12 mcpherrinm

This is basically a description of spiffe-helper, but I think it's helpful to re-state what the goals are for a larger tool.

mcpherrinm avatar Dec 17 '19 02:12 mcpherrinm