SPIFFE/Spire Agents support a workload API using Unix domain sockets - the workload API is responsible for workload attestation as well as SVID and cryptographic data updates.
In the following diagram, NATS runs as a workload and client to the spire agent. Agent is responsible for delivering SVID and certificates to the workload.
As a user of both SPIFFE/Spire and NATS I would like convenient PKI, attestation, identity, encryption, and mTLS authentication services. Many of my services directly integrate with my running Spire Agents and I would like NATS to participate in the same trust domain, share identification information, and encrypt traffic via mTLS while honoring certificate rotations and revocations.
Proposed Change:
The nats-server-config-reloader or other subsystem can integrate existing spiffe agent clients. Direct communication with Spire will allow for immediate and consistent updates with other Spire aware workloads throughout the system. Cutting down on potential TLS errors and security problems.
Who Benefits From The Change(s)?
Any organization using both SPIFFE/Spire for identity and SSL key management, NATS messaging, and zero-trust principles.
Alternative Approaches
An alternative outside of Spire integration would require the adoption of another identity and key provider. For some organizations the commitment to Spire is too deep.
At a very high-level a couple Spire options exist:
Sidecar pattern (this is independent of NATS work). A sidecar can be deployed acting as the registered NATS workload. The sidecar acts as the workload client and reconfigures NATS identity information when triggered over the unix socket. My organization has successfully employed this pattern for other systems.
Integrate the Spire Agent client and directly communicate with Spire, receiving and reloading identity information without a sidecar.
The Spire team is currently working on another method specifically for serverless workloads. This method will write identity information to disk for the workload to watch and reload. In combination with the nats-server-config-reloader this method may be preferred to limit dependencies and code changes; however, it is being designed for serverless implementations in mind, and has yet to be released. See here. Issue #2077.
Feature Request
SPIFFE/Spire Agents support a workload API using Unix domain sockets - the workload API is responsible for workload attestation as well as SVID and cryptographic data updates.
In the following diagram, NATS runs as a workload and client to the spire agent. Agent is responsible for delivering SVID and certificates to the workload.
Use Case:
As a user of both SPIFFE/Spire and NATS I would like convenient PKI, attestation, identity, encryption, and mTLS authentication services. Many of my services directly integrate with my running Spire Agents and I would like NATS to participate in the same trust domain, share identification information, and encrypt traffic via mTLS while honoring certificate rotations and revocations.
Proposed Change:
The
nats-server-config-reloader
or other subsystem can integrate existing spiffe agent clients. Direct communication with Spire will allow for immediate and consistent updates with other Spire aware workloads throughout the system. Cutting down on potential TLS errors and security problems.Who Benefits From The Change(s)?
Any organization using both SPIFFE/Spire for identity and SSL key management, NATS messaging, and zero-trust principles.
Alternative Approaches
An alternative outside of Spire integration would require the adoption of another identity and key provider. For some organizations the commitment to Spire is too deep.
At a very high-level a couple Spire options exist:
nats-server-config-reloader
this method may be preferred to limit dependencies and code changes; however, it is being designed for serverless implementations in mind, and has yet to be released. See here. Issue #2077.