
Cross link trust #5

Open
kfox1111 opened this issue Jan 11, 2025 · 8 comments

Comments

@kfox1111 (Collaborator)

Load the trust bundle of each server into the other's server under the federated name, spiffe://spire-ha. Then, in the spire-ha-agent, use those trust bundles for bootstrapping. This would enable booting a spire-ha-agent with only one upstream agent available.

@kfox1111 (Collaborator, Author)

How is jwks going to work?

@kfox1111 (Collaborator, Author)

Current thinking is to move the x509 trust bundle to spire-ha-x509 and then add spire-ha-jwks. It would require the jwks to be converted to pem.... which isn't really standardized. But I think we can get away with it since we control both the server side and client side, and we can encode the kid into the cn.

@sorindumitru (Collaborator)

I think it should be possible to deal with the trust bundle only in JWKS format. Most of the APIs involved should accept JWKS. Did you see any issues with that?

@kfox1111 (Collaborator, Author)

oh.... the default format is pem, which excludes the jwk's... but -format spiffe gets it:

spire-server bundle show -socketPath /var/run/spire/server/sockets/a/private/api.sock -format spiffe

That should work.

@kfox1111 (Collaborator, Author)

Hmmm.... Except that is a server command... I need to get it via the agent..

@sorindumitru (Collaborator)

I see. What I'm thinking might work is to subscribe via the delegated API to fetch x509 and jwt bundles and then merge them into one using https://pkg.go.dev/github.com/spiffe/go-spiffe/[email protected]/bundle/spiffebundle

The Bundle struct in there can be marshalled to a JWKS which can then be fed into spire-server. It might need conversion into yet another format, the protobuf representation of the bundle.

@kfox1111 (Collaborator, Author)

There are functions in the go library, it looks like, to rebuild a spiffe formatted json file from the ca and jwks formatted files.

@kfox1111 (Collaborator, Author)

Added a little tool to convert from ca.crt & jwt_bundle.json back to a spiffe formatted json file. spire-trust-sync service modified to use it. Now spiffe://spire-ha has a complete trust bundle.

Last step is to add support for it in the spire-ha-agent.
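The conversion the last two comments describe (rebuilding a SPIFFE-format bundle from ca.crt and jwt_bundle.json so that it can be loaded under spiffe://spire-ha), shown as an added example that is neither the spire-trust-sync tool nor code from go-spiffe. It uses only the Go standard library in place of the spiffebundle package, assumes ca.crt is a PEM bundle of EC CA certificates and jwt_bundle.json is a JWKS as the Workload API returns it, and generates both inputs in place: demoInputs, demo-spire-ca and demo-jwt-kid are made up here and are not SPIRE output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ecJWK returns the JWK members of an EC public key (fixed-width coordinates, base64url per RFC 7518).
func ecJWK(pub *ecdsa.PublicKey) map[string]any {
	size := (pub.Curve.Params().BitSize + 7) / 8
	return map[string]any{
		"kty": "EC",
		"crv": pub.Curve.Params().Name,
		"x":   base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, size))),
		"y":   base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, size))),
	}
}

// mergeBundle rebuilds a SPIFFE-format bundle (one JWKS document) from a PEM CA bundle and
// a JWKS JWT bundle: each CA certificate becomes an "x509-svid" entry with its DER in x5c;
// each JWT key keeps its members and is marked "jwt-svid". Only EC CA keys are handled.
func mergeBundle(caPEM, jwtBundleJSON []byte) ([]byte, error) {
	var keys []map[string]any
	for rest := caPEM; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue // anything else (e.g. a stray PRIVATE KEY block) must not enter a bundle
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing CA certificate: %w", err)
		}
		pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("unsupported CA key type %T", cert.PublicKey)
		}
		entry := ecJWK(pub)
		entry["use"] = "x509-svid"
		entry["x5c"] = []string{base64.StdEncoding.EncodeToString(block.Bytes)} // x5c is standard base64 (RFC 7517)
		keys = append(keys, entry)
	}
	if len(keys) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks in CA input")
	}
	var jwt struct{ Keys []map[string]any `json:"keys"` }
	if err := json.Unmarshal(jwtBundleJSON, &jwt); err != nil {
		return nil, fmt.Errorf("parsing JWT bundle: %w", err)
	}
	for _, k := range jwt.Keys {
		if kid, _ := k["kid"].(string); kid == "" {
			return nil, fmt.Errorf("JWT bundle key without kid") // a verifier could never select it
		}
		k["use"] = "jwt-svid"
		keys = append(keys, k)
	}
	return json.MarshalIndent(map[string]any{"keys": keys}, "", "  ")
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// demoInputs constructs stand-ins for ca.crt and jwt_bundle.json: a self-signed
// EC CA certificate and a one-key JWKS, generated here rather than taken from SPIRE.
func demoInputs() (caPEM, jwtBundleJSON []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "demo-spire-ca"}, IsCA: true,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &caKey.PublicKey, caKey))
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	jwtKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	k := ecJWK(&jwtKey.PublicKey)
	k["kid"] = "demo-jwt-kid" // constructed key ID
	jwtBundleJSON = must(json.Marshal(map[string]any{"keys": []map[string]any{k}}))
	return caPEM, jwtBundleJSON
}

func main() {
	fmt.Println(string(must(mergeBundle(demoInputs()))))
}
```

The two checks worth keeping in whatever sync tool runs unattended are the ones above: non-certificate PEM blocks are skipped rather than copied, and a JWT key without a kid is rejected, since the receiving server could never match it to a token. With go-spiffe available, spiffebundle.Bundle gives the same result through its Marshal method and also carries the refresh hint and sequence number that this standard-library version leaves out.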

Development

No branches or pull requests

2 participants