This demo shows two workloads communicating over Ghostunnel using generated SVIDs. A SPIRE deployment takes care of node and workload attestation.
The demo is composed of 4 containers: two workloads with their respective SPIRE agents, one SPIRE server and a test harness.
Two containers use Ghostunnel to establish a channel between themselves.
Ghostunnel uses the Go SPIFFE library to parse and verify the SPIFFE ID carried in the certificate's URI SAN.
In each of these containers there is a SPIRE Agent and a Workload Sidecar.
One container has a SPIRE Server backed by a SQLite data store.
The SPIRE Server also holds one registration entry per workload. Both entries use two selectors, of types 'hash' and 'uid', and each entry's parent is the node its workload runs on.
| Selectors | SPIFFE ID | Parent ID |
|---|---|---|
| unix/uid:1111 | spiffe://example.org/Blog | spiffe://example.org/spiffe/node-id/TokenBlog |
| unix/uid:1111 | spiffe://example.org/Database | spiffe://example.org/spiffe/node-id/TokenDatabase |
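The check Ghostunnel delegates to the Go SPIFFE library, reduced to its core, is: take the single URI SAN of the peer's leaf SVID, require the `spiffe` scheme, compare the host part against the trust domain (here `example.org`) and require a workload path such as `/Database`. The following added example is not code from this demo, Ghostunnel or go-spiffe; it uses only the Go standard library, and `selfSignedSVID` is a hypothetical stand-in that mints a constructed certificate in memory in place of the SVID the SPIRE Server would issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// spiffeIDFromCert returns the SPIFFE ID carried in a leaf SVID's URI SAN after
// checking the trust domain. Hypothetical helper, not go-spiffe's or Ghostunnel's API.
func spiffeIDFromCert(cert *x509.Certificate, trustDomain string) (string, error) {
	if len(cert.URIs) != 1 { // an X509-SVID carries exactly one URI SAN
		return "", fmt.Errorf("expected exactly one URI SAN, found %d", len(cert.URIs))
	}
	id := cert.URIs[0]
	switch {
	case id.Scheme != "spiffe":
		return "", fmt.Errorf("URI SAN %q is not a spiffe:// ID", id)
	case id.Host != trustDomain:
		return "", fmt.Errorf("trust domain %q is not %q", id.Host, trustDomain)
	case id.Path == "" || id.Path == "/":
		return "", fmt.Errorf("%q names a trust domain, not a workload", id)
	}
	return id.String(), nil
}

// selfSignedSVID builds a constructed, self-signed leaf with id as its URI SAN (demo stand-in).
func selfSignedSVID(id *url.URL) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), URIs: []*url.URL{id},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	id, _ := url.Parse("spiffe://example.org/Database")
	cert, _ := selfSignedSVID(id)
	fmt.Println(spiffeIDFromCert(cert, "example.org"))
}
```

A real peer check also validates the chain against the trust bundle the agent seeded; this block shows only the identity extraction that runs after that chain validation.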
These are the steps performed by the demo:
- Set up the trust domain for the SPIRE Server
  - Intermediate cert for the SPIRE Server
  - Self-signed root
- Set up the SPIRE Agent for the Database and Blog workloads
  - Seed with the SPIRE Server trust bundle
  - Seed with the SPIRE Server IP
  - Seed with the SPIRE Server SPIFFE ID (if we are using a well-known trust domain, the SPIRE Server SPIFFE ID can be derived)
- Set up the DataStore on the SPIRE Server
- Call the registration API to insert the workload data (using CLI registration)
- Bootstrap the Workload Sidecar with the SPIRE Agent Workload API destination
- Bootstrap SPIRE Agent attestation with a join token (the token has to be replicated into the SPIRE Server)
- Initiate SPIRE Agent bootstrap and attestation
- Initiate Blog to Database traffic
- Rotate workload SVIDs
These are the steps to run the demo:
- Clone this repo
- Change to the 'rosemary/' directory and run 'make'
  - This builds the containers and usually takes several minutes
- Run 'make demo'; it opens tmuxinator with 7 panes
  - From top to bottom:
    - Blog (Agent) CLI | Blog sidecar
    - Database (Agent) CLI | Database sidecar
    - Server CLI | Server logs
    - Main console (aka harness)
- Use the right-hand panes (CLI) to run commands
  - The daemon CLI is './spire-agent' for the SPIRE Agent and './spire-server' for the SPIRE Server
  - Run the daemon CLI without arguments to see the valid options
- To see the SVID generated for an agent, run the following command in its container: 'openssl x509 -in base_svid.crt -noout -text'
- You can run netcat in the agent CLIs to simulate the workloads
  - In the Database CLI run './nc.sh'
  - In the Blog CLI run './nc.sh'
  - You should be able to type text in one of the nc instances and see it echoed in the other after pressing the Enter key
- To exit tmuxinator press 'Ctrl+B' then '&' and confirm with 'Y'
- To stop the containers run 'make clean'