gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Machine ID: SPIFFE SVID Join Method #36639

Open strideynet opened 7 months ago

strideynet commented 7 months ago

Whilst we investigate Teleport acting as a SPIFFE provider, we should also support Teleport acting as a consumer of SPIFFE SVIDs. This will allow tbot instances running in a SPIFFE enabled environment to join the Teleport cluster using the readily available SVID.

An initial implementation should leverage JWT SVIDs - this will be similar to how we handle join methods such as github today. The JWT can be validated by checking the signature against the published Trust Domain CA. We should require that the JWT include an audience that identifies the Teleport cluster being joined.

Supporting x509 SVIDs may be more challenging as today the join RPCs do not support client certificate authentication.

WIP Join Token spec:

```yaml
kind: token
version: v2
metadata:
  name: spiffe-demo
spec:
  roles: [Bot]
  join_method: spiffe-svid
  bot_name: my-bot
  spiffe:
    issuer_url: https://my-spire-server.example.com
    allow:
      - # spiffe_id restricts joins to SVIDs with a specific SPIFFE ID
        #
        # This field supports glob-style matching:
        # - Use '*' to match zero or more characters.
        # - Use '?' to match any single character.
        spiffe_id: spiffe://acme.com/billing/*/foo
```

strideynet commented 7 months ago

This needs fleshing out a little bit more - need to see if the SPIFFE spec states a few more rules around the issuer of JWTs and the discovery URL or if this just follows the OIDC discovery spec.

strideynet commented 7 months ago

SPIFFE OIDC Discovery docs: https://github.com/spiffe/spire/blob/main/support/oidc-discovery-provider/README.md

strideynet commented 2 months ago

Imho we should make this dependent on https://github.com/gravitational/teleport/issues/38927 so we have a shared mechanism for federation, rather than re-implementing it for joining.

We'd drop the issuer_url and instead leverage the trusted spiffe federations of the Teleport cluster.

```yaml
kind: token
version: v2
metadata:
  name: spiffe-demo
spec:
  roles: [Bot]
  join_method: spiffe-svid
  bot_name: my-bot
  spiffe:
    allow:
      - # spiffe_id restricts joins to SVIDs with a specific SPIFFE ID
        #
        # This field supports glob-style matching:
        # - Use '*' to match zero or more characters.
        # - Use '?' to match any single character.
        spiffe_id: spiffe://acme.com/billing/*/foo
```