SPIRE Tailscale Plugin

⚠️ this node attestation plugin relies on a Tailscale OIDC id-token feature, which is marked as Work-in-Progress and may not be available for everyone yet.

This repository contains agent and server plugins for SPIRE to allow Tailscale node attestation.

Quick Start

Before starting, create a running SPIRE deployment and add the following configuration to the agent and server. The agents should be running on a Tailscale node, with version >= 1.24.0.

Agent Configuration

NodeAttestor "tailscale" {
  plugin_cmd = "/path/to/plugin_cmd"
  plugin_checksum = "sha256 of the plugin binary"
  plugin_data {
    domain_allow_list = [ "example.com" ]
  }
}

Server Configuration

NodeAttestor "tailscale" {
  plugin_cmd = "/path/to/plugin_cmd"
  plugin_checksum = "sha256 of the plugin binary"
  plugin_data {
  }
}

How it Works

This plugin automatically attests instances using the Tailscale OIDC Token (a Tailscale feature still in WIP), and operates as follows:

1. Agent fetches a Tailscale OIDC token from the local tailscaled agent
2. Agent sends the token to the server
3. Server validates the token.
4. Server creates a SPIFFE ID in the form of spiffe://<trust_domain>/spire/agent/tailscale/<hostname>
5. All done!