hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

SPIFFE/Spire compatible TLS + x509/JWT-SVID termination #11974

Open blaggacao opened 2 years ago

blaggacao commented 2 years ago

Feature Description

  1. Consul terminates TLS connections via spiffe/go-sdk, which in turn provisions and atomically cycles cryptographic material on crypto/tls.Config.

  2. Consul further uses spiffe/go-sdk to validate JWT- or x509-SVIDs against a configurable set of workload identities (SPIFFE-IDs). (JWT-SVID can easily cross the L7 boundary, while x509-SVID can double up for mTLS)

  3. Consul accepts JWT-SVIDs (bearer tokens) directly as ACL tokens (to avoid the bothersome login step).

Use Case(s)

Zero trust environments governed by SPIFFE/spire.

/cc @manveru

X-ref:
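
The x509-SVID validation step described in item 2, as an added example that is not Consul's or the SPIFFE SDK's code: a plain `crypto/tls` `VerifyPeerCertificate` hook (standard library only, standing in for the go-spiffe authorizer) that extracts the SPIFFE ID from the peer's URI SAN and checks it against a configured set of workload identities. The SPIFFE IDs, the allowed set and the self-signed test leaf are constructed for the example; `makeLeaf` is a hypothetical helper that replaces a real SPIRE-issued SVID.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeIDFromCert extracts the SPIFFE ID from an X509-SVID leaf, which must carry
// exactly one URI SAN using the spiffe scheme; anything else is not a valid SVID.
func spiffeIDFromCert(cert *x509.Certificate) (string, error) {
	if len(cert.URIs) != 1 || cert.URIs[0].Scheme != "spiffe" || cert.URIs[0].Host == "" {
		return "", fmt.Errorf("leaf does not carry exactly one spiffe:// URI SAN")
	}
	return cert.URIs[0].String(), nil
}

// AuthorizeSPIFFE returns a tls.Config.VerifyPeerCertificate hook that admits a peer
// only if its chain-verified leaf carries an allowed SPIFFE ID. crypto/tls validates the
// chain against the trust bundle first and passes no chains when no peer cert was verified.
func AuthorizeSPIFFE(allowed map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if len(chains) == 0 || len(chains[0]) == 0 {
			return fmt.Errorf("no verified certificate chain presented")
		}
		id, err := spiffeIDFromCert(chains[0][0])
		if err != nil {
			return err
		}
		if !allowed[id] {
			return fmt.Errorf("workload %q is not in the allowed set", id)
		}
		return nil
	}
}

// makeLeaf builds a constructed, self-signed leaf carrying the given URI SANs so the
// hook can be exercised offline; it stands in for an SVID issued by SPIRE.
func makeLeaf(uris ...string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	for _, s := range uris {
		u, _ := url.Parse(s)
		tmpl.URIs = append(tmpl.URIs, u)
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```

In a real deployment the hook is installed on a `tls.Config` whose `RootCAs`/`ClientCAs` hold the SPIRE trust bundle, so chain validation and identity authorization stay separate steps.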

blaggacao commented 2 years ago

I suggest we consolidate discussion on https://github.com/hashicorp/nomad/issues/11806 pars-pro-toto.