gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Machine ID: Support for Envoy SDS for Workload Identity #38666

Closed strideynet closed 3 weeks ago

strideynet commented 6 months ago

What would you like Teleport to do?

Support distributing workload identity certificates to an Envoy proxy.

What problem does this solve?

Integrating Teleport Workload Identity with service meshes.

If a workaround exists, please include it.

strideynet commented 6 months ago

Lots of research needs to be done here!

strideynet commented 6 months ago

https://istio.io/latest/docs/ops/integrations/spire/
https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret
https://github.com/envoyproxy/envoy/blob/a2673f749bb7a3f68f357e006e49b2143cc98b8f/api/envoy/service/secret/v3/sds.proto
https://spiffe.io/docs/latest/microservices/envoy/

strideynet commented 6 months ago

Seems like we can offer this over the same gRPC listener as the workload API. We'll need to look into Workload Attestation to really neaten this up at some point; otherwise you'll need to run a tbot sidecar for each Envoy sidecar.
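As an added example (not Teleport project code and not a design proposed in this issue), this is the Envoy-side configuration that the comment above implies: Envoy pulls its X.509 SVID and trust bundle over SDS from a gRPC server listening on a Unix socket, exactly as the SPIFFE Envoy integration linked earlier does. The cluster name, socket path, SPIFFE IDs and upstream host are assumptions; whether tbot will serve SDS on its Workload API socket is what this issue asks for.

```yaml
# Added illustration, not Teleport's code. Socket path, names and hosts are assumed.
static_resources:
  clusters:
  # SDS source: Envoy's secret-discovery client talks gRPC to the (assumed) tbot socket.
  - name: workload_identity_sds
    type: STATIC
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}   # SDS is gRPC, so the cluster must speak HTTP/2
    load_assignment:
      cluster_name: workload_identity_sds
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              pipe: { path: /run/tbot/workload.sock }   # assumed sidecar socket path
  # Upstream reached over mTLS using the SVID and trust bundle fetched above.
  - name: backend
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.example.internal, port_value: 8443 }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        common_tls_context:
          # Client certificate (the workload's SVID) is delivered and rotated via SDS.
          tls_certificate_sds_secret_configs:
          - name: "spiffe://example.org/service"   # assumed SPIFFE ID of this workload
            sds_config:
              resource_api_version: V3
              api_config_source:
                api_type: GRPC
                transport_api_version: V3
                grpc_services: [{ envoy_grpc: { cluster_name: workload_identity_sds } }]
          # Trust bundle used to verify the peer also comes from the same SDS server.
          validation_context_sds_secret_config:
            name: "spiffe://example.org"   # assumed trust-domain bundle secret name
            sds_config: { resource_api_version: V3, api_config_source: { api_type: GRPC, transport_api_version: V3, grpc_services: [{ envoy_grpc: { cluster_name: workload_identity_sds } }] } }
```

Because both the certificate and the validation context are SDS-backed, rotation happens without an Envoy restart; restricting the socket's filesystem permissions to the Envoy user is what stops other processes on the host from obtaining the same identity, which is the attestation gap the comment refers to.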