search

nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0
15.26k stars 1.37k forks source link

Support direct integration with Spire Workload API #1928

Open f5yacobucci opened 3 years ago

f5yacobucci commented 3 years ago

Feature Request

SPIFFE/Spire Agents support a workload API using Unix domain sockets - the workload API is responsible for workload attestation as well as SVID and cryptographic data updates.

In the following diagram, NATS runs as a workload and client to the spire agent. Agent is responsible for delivering SVID and certificates to the workload.

------    ---------------    ---------------
| WL | -> | WL  | Agent | -> | Kernel      |
------    | API |       |    | Attestation |
          ---------------    ---------------

Use Case:

As a user of both SPIFFE/Spire and NATS I would like convenient PKI, attestation, identity, encryption, and mTLS authentication services. Many of my services directly integrate with my running Spire Agents and I would like NATS to participate in the same trust domain, share identification information, and encrypt traffic via mTLS while honoring certificate rotations and revocations.

Proposed Change:

The nats-server-config-reloader or other subsystem can integrate existing spiffe agent clients. Direct communication with Spire will allow for immediate and consistent updates with other Spire aware workloads throughout the system. Cutting down on potential TLS errors and security problems.

Who Benefits From The Change(s)?

Any organization using both SPIFFE/Spire for identity and SSL key management, NATS messaging, and zero-trust principles.

Alternative Approaches

An alternative outside of Spire integration would require the adoption of another identity and key provider. For some organizations the commitment to Spire is too deep.

At a very high-level a couple Spire options exist:

  1. Sidecar pattern (this is independent of NATS work). A sidecar can be deployed acting as the registered NATS workload. The sidecar acts as the workload client and reconfigures NATS identity information when triggered over the unix socket. My organization has successfully employed this pattern for other systems.
  2. Integrate the Spire Agent client and directly communicate with Spire, receiving and reloading identity information without a sidecar.
  3. The Spire team is currently working on another method specifically for serverless workloads. This method will write identity information to disk for the workload to watch and reload. In combination with the nats-server-config-reloader this method may be preferred to limit dependencies and code changes; however, it is being designed for serverless implementations in mind, and has yet to be released. See here. Issue #2077.
SuperCoolAlan commented 1 year ago

Following, would dig this integration.

3goats commented 1 month ago

This would be great.