Open dennisgove opened 5 years ago
Nice!
One way to do this might be to connect to the SPIRE server bundle endpoint... It will require that the plugin know how to authenticate the endpoint's server certificate, though.
Another way to do it could be using the workload api, exposed by a local agent... In this case, vault would be the workload, and you could provide it with bundles from multiple trust domains via federation.
Regarding connecting to the workload api, there's saved code in this note doing just that. I'd put it together just as a sanity check and it works as expected.
The plugin is designed to support multiple sources of trust used to verify SVIDs but currently the only implemented one is TrustFileSource.
Purpose: Track the implementation of a TrustSpireSource.

Goal
The goal of this is to support Spire as a live source of trust for the plugin. The final implementation should be able to connect to one or more instances of Spire (via local agents or otherwise) in order to receive from Spire the known trust CAs that SVIDs can be verified against.
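What a Spire-backed trust source has to get right, as an added sketch in Go (the plugin's language) that is not code from this issue, its author or the plugin: bundles are keyed by trust domain, an SVID is verified only against the bundle of the trust domain named in its own SPIFFE ID (so a federated domain's CA can never vouch for an identity in Vault's domain), and a rotation replaces the whole bundle set. The names TrustSource, SpireTrustSource, mint and the trust domains example.org and partner.test are assumptions for the example; the CAs and SVIDs are minted locally as stand-ins for what a SPIRE server issues. Fetching the bundle set from the Workload API (for instance with go-spiffe's workloadapi package, which returns the local and federated X.509 bundles) is assumed and not shown; Update is fed the constructed CAs directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"sync"
	"time"
)

// TrustSource: anything that returns the CA certificates (X.509 bundle) of one trust domain.
type TrustSource interface {
	BundleFor(trustDomain string) (*x509.CertPool, bool)
}

// SpireTrustSource keeps the latest bundle set keyed by trust domain. A real plugin would
// fill it from the Workload API (local plus federated bundles); here Update gets minted CAs.
type SpireTrustSource struct {
	mu      sync.RWMutex
	bundles map[string][]*x509.Certificate
}

// Update swaps in a complete snapshot, as a rotation pushed by the agent would.
func (s *SpireTrustSource) Update(set map[string][]*x509.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.bundles = set
}

func (s *SpireTrustSource) BundleFor(td string) (*x509.CertPool, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if len(s.bundles[td]) == 0 {
		return nil, false
	}
	pool := x509.NewCertPool()
	for _, c := range s.bundles[td] {
		pool.AddCert(c)
	}
	return pool, true
}

// VerifySVID takes the SPIFFE ID from the leaf's URI SAN and verifies the chain against
// the bundle of that ID's trust domain only; bundles of other domains are never consulted.
func VerifySVID(src TrustSource, leaf *x509.Certificate, now time.Time) (string, error) {
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("leaf must carry exactly one spiffe:// URI SAN")
	}
	id := leaf.URIs[0]
	roots, ok := src.BundleFor(id.Host)
	if !ok {
		return "", fmt.Errorf("no bundle for trust domain %q", id.Host)
	}
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", err
	}
	return id.String(), nil
}

// mint issues throwaway test certificates standing in for a SPIRE server: a self-signed
// CA when parent is nil, otherwise an X509-SVID signed by parent with spiffeID as URI SAN.
func mint(spiffeID string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	u, _ := url.Parse(spiffeID)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: spiffeID}, URIs: []*url.URL{u},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	src := &SpireTrustSource{}
	caA, keyA := mint("spiffe://example.org", nil, nil)  // Vault's own trust domain (made-up name)
	caB, keyB := mint("spiffe://partner.test", nil, nil) // a federated trust domain (made-up name)
	src.Update(map[string][]*x509.Certificate{"example.org": {caA}, "partner.test": {caB}})
	now := time.Now()
	local, _ := mint("spiffe://example.org/vault", caA, keyA)
	fed, _ := mint("spiffe://partner.test/api", caB, keyB)
	forged, _ := mint("spiffe://example.org/admin", caB, keyB) // partner's CA claiming an example.org ID
	fmt.Println(VerifySVID(src, local, now))  // spiffe://example.org/vault <nil>
	fmt.Println(VerifySVID(src, fed, now))    // spiffe://partner.test/api <nil>
	fmt.Println(VerifySVID(src, forged, now)) // "" and an unknown-authority error
	caA2, _ := mint("spiffe://example.org", nil, nil) // rotation: caA leaves the bundle
	src.Update(map[string][]*x509.Certificate{"example.org": {caA2}, "partner.test": {caB}})
	fmt.Println(VerifySVID(src, local, now)) // "" and an unknown-authority error
}
```

The trust-domain lookup keyed by the SVID's own URI SAN is the part worth keeping whatever the transport ends up being: with federation, Vault will hold several bundles at once, and verifying against the union of them would let any federated CA issue identities in Vault's domain. Swapping the whole set on Update also means an agent-delivered rotation removes retired CAs from all later verifications without a separate revocation step.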