Open strideynet opened 7 months ago
Whilst we investigate Teleport acting as a SPIFFE provider, we should also support Teleport acting as a consumer of SPIFFE SVIDs. This will allow `tbot` instances running in a SPIFFE enabled environment to join the Teleport cluster using the readily available SVID.

An initial implementation should leverage JWT SVIDs - this will be similar to how we handle join methods such as `github` today. The JWT can be validated by checking the signature against the published Trust Domain CA. We should require that the JWT include an audience that identifies the Teleport cluster being joined.

Supporting x509 SVIDs may be more challenging as today the join RPCs do not support client certificate authentication.

WIP Join Token spec:

```yaml
kind: token
version: v2
metadata:
  name: spiffe-demo
spec:
  roles: [Bot]
  join_method: spiffe-svid
  bot_name: my-bot
  spiffe:
    allow:
      - # spiffe_id restricts joins to SVIDs with a specific SPIFFE ID
        #
        # This field supports glob-style matching:
        # - Use '*' to match zero or more characters.
        # - Use '?' to match any single character.
        spiffe_id: spiffe://acme.com/billing/*/foo
```

This needs fleshing out a little bit more - need to see if the SPIFFE spec states a few more rules around the issuer of JWTs and the discovery URL or if this just follows the OIDC discovery spec.

SPIFFE OIDC Discovery docs: https://github.com/spiffe/spire/blob/main/support/oidc-discovery-provider/README.md

Imho we should make this dependent on https://github.com/gravitational/teleport/issues/38927 so we have a shared mechanism for federation, rather than re-implementing it for joining.

We'd drop the issuer_url and instead leverage the trusted spiffe federations of the Teleport cluster.