spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

Can spire-agent support using a proxy to invoke spire-server? #5237

Closed penghuazhou closed 3 weeks ago

penghuazhou commented 2 months ago

In some cases, we should use an HTTP tunnel so that spire-agent can invoke spire-server.

amartinezfayo commented 2 months ago

Thank you @penghuazhou for opening this issue. It seems that SPIRE Agent in your environment needs to traverse a proxy in order to reach the server. It must be considered that mTLS connections must be established between the agent and server. Could you elaborate a little more about all the different components that are in your scenario and why you need a proxy? Thanks!

penghuazhou commented 2 months ago

@amartinezfayo For example, the networks of data centers in the United States and Africa must be connected, and access needs to go through an SDN agent.

amartinezfayo commented 1 month ago

I'm not sure if I'm understanding correctly: what you would like to achieve is obtaining X509-SVIDs from Ghostunnel to be used in an SDN agent? But the problem is that Ghostunnel doesn't have a Workload API endpoint available to get the X509-SVID because for that you need a SPIRE Agent running, which is not able to connect to the SPIRE Server that is in the other data center?

penghuazhou commented 1 month ago

@amartinezfayo We only want spire-agent to invoke spire-server through the SDN agent. spire-agent and spire-server are in different countries; if we use the SDN, the network will work well.

amartinezfayo commented 1 month ago

How does TLS termination work with the SDN agent? The important thing to consider here is that mTLS connections must be established between the agent and server.

amartinezfayo commented 1 month ago

I think that having a diagram of how that SDN agent interacts with SPIRE would help.
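The open question in the thread is whether a tunnel can carry the agent-to-server connection without breaking mTLS. The following is an added example, written for this page; it is not SPIRE code and not from any participant. It runs an HTTP CONNECT tunnel (standing in for the SDN agent or HTTP tunnel of the thread) between an agent-like HTTPS client and a server that requires a client certificate, and checks that each side still verifies the other's identity end to end. The self-signed certificates, the names spire-server.example and spire-agent.example, and the /whoami path are assumptions for the demo; SPIRE uses its own trust bundle and SVIDs, and whether SPIRE Agent honors a proxy setting is not established in this thread.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned returns a throwaway self-signed certificate for name and a pool that trusts it (stand-in for a SPIRE bundle).
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// serveConnect answers one HTTP CONNECT on c and then relays raw bytes both ways. This is the
// tunnel role of the thread's "SDN agent": it never terminates TLS, so it only sees TLS records.
func serveConnect(c net.Conn) {
	defer c.Close()
	br := bufio.NewReader(c)
	req, err := http.ReadRequest(br)
	if err != nil || req.Method != http.MethodConnect {
		return // anything but a well-formed CONNECT is dropped
	}
	up, err := net.Dial("tcp", req.Host)
	if err != nil {
		return // upstream unreachable: closing the socket is the error reply
	}
	io.WriteString(c, "HTTP/1.1 200 Connection Established\r\n\r\n")
	go func() { io.Copy(up, br); up.Close() }() // client EOF closes upstream
	io.Copy(c, up)                              // upstream EOF ends the tunnel
}

// runDemo plays all three roles on loopback: an mTLS HTTPS server standing in for SPIRE Server, the
// CONNECT tunnel, and an agent-like client. It returns the identity each side verified of the other.
func runDemo() (serverCN, agentCN string) {
	serverCert, serverPool := selfSigned("spire-server.example") // hypothetical names
	agentCert, agentPool := selfSigned("spire-agent.example")
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.TLS.PeerCertificates[0].Subject.CommonName) // echo the caller's identity
	}))
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid agent cert, no service
		ClientCAs:    agentPool,
	}
	srv.StartTLS()
	defer srv.Close()
	px, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer px.Close()
	go func() { c, err := px.Accept(); must(err); serveConnect(c) }()
	// With Proxy set, Go's Transport sends CONNECT for an https target and handshakes inside the tunnel.
	client := &http.Client{Transport: &http.Transport{
		Proxy: http.ProxyURL(&url.URL{Scheme: "http", Host: px.Addr().String()}),
		TLSClientConfig: &tls.Config{
			Certificates: []tls.Certificate{agentCert}, // the agent presents its own cert
			RootCAs:      serverPool,                   // and verifies the server's
			ServerName:   "spire-server.example",
		},
	}}
	resp, err := client.Get(srv.URL + "/whoami")
	must(err)
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	must(err)
	return resp.TLS.PeerCertificates[0].Subject.CommonName, string(body)
}
```

Calling runDemo returns "spire-server.example" (the server identity the client verified through the tunnel) and "spire-agent.example" (the client identity the server verified). The proxy only copies bytes after the 200 reply, so it cannot read or alter the session. If the tunnel instead terminated TLS, the handshake would fail on one side or the other: the client would reject a certificate not in its trust pool, and the proxy could not present the agent's certificate because it does not hold the agent's private key. That is the property the thread's reporter needs to confirm about the SDN agent before SPIRE Agent can be routed through it.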