Fazal/tailscale node attestor server#6691
Draft
FazalAAli wants to merge 3 commits intospiffe:mainfrom
Draft
Conversation
Implement a SPIRE server node attestor for Tailscale that verifies agent identity through certificate chain validation, challenge-response proof of key possession, and Tailscale API device lookup. The trust model relies on Let's Encrypt certs (issued via Tailscale ACME DNS-01) as proof of tailnet membership, with all identity facts sourced from the Tailscale API rather than agent self-reporting.
Replace the cert-based attestation (TLS certs + external Tailscale API)
with a simpler approach that leverages the tailscaled local whois API.
Since both SPIRE server and agent are on the same Tailscale network, the
WireGuard tunnel provides mutual authentication at the network layer.
The server V1 wrapper now forwards the peer address via gRPC metadata
(X-Forwarded-Peer-Addr), allowing the plugin to identify connecting
peers through tailscaled's whois endpoint. This eliminates the need for
API keys, CA bundles, cert loading, and challenge-response flows.
Agent plugin: sends a minimal {} payload (no config needed).
Server plugin: extracts peer IP, validates it's a Tailscale address,
calls WhoIs, and builds selectors from the response.
Collaborator
|
Thanks @FazalAAli for opening this. Would you mind also opening an issue for this so we can discuss some details? Can you add some details about the attestation model and what guarantees we can get about the node? |
Collaborator
|
@FazalAAli, checking in again to see if you're still interested in this. We'll like to understand a bit more how you see the attestation working here before looking at the PR in depth. |
Author
Hi @sorindumitru, sorry I missed this. Let me start a thread in the slack to get some intial discussion :) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request check list
Affected functionality
Description of change
Which issue this PR fixes