Initial readme

Signed-off-by: Kevin Fox <[email protected]>
spiffe · Nov 15, 2024 · aa50b45 · aa50b45
1 parent 41fb7a8
commit aa50b45
Show file tree

Hide file tree

Showing 3 changed files with 91 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -1,2 +1,20 @@
-# spire-ha-agent
-SPIRE HA Agent
+# SPIRE HA Agent
+
+[![Apache 2.0 License](https://img.shields.io/github/license/spiffe/helm-charts)](https://opensource.org/licenses/Apache-2.0)
+[![Development Phase](https://github.com/spiffe/spiffe/blob/main/.img/maturity/dev.svg)](https://github.com/spiffe/spiffe/blob/main/MATURITY.md#development)
+
+An agent to setup a SPIRE HA TrustDomain using two independent SPIRE Servers
+
+## Warning
+
+This code is very early in development and is very experimental. Please do not use it in production yet. Please do consider testing it out, provide feedback,
+and maybe provide fixes.
+
+## Diagram
+
+![diagram](diagram.png)
+
+## How it Works
+
+If the trust bundles of both servers are presented to the workload, it will not care which server instance a certificate is issued from. This agent provides
+both trust bundles to the end user as one trust bundle, and will contact whichever server is responding to respond to x509 certificate or jwt token requests.
diff --git a/diagram.dot b/diagram.dot
@@ -0,0 +1,71 @@
+digraph G {
+  subgraph cluster_server1 {
+      label = "node name: n1"
+      #style = dashed
+        style="filled,solid,bold";
+        color="#b3b3b3";
+        fillcolor="#f5f5f5";
+        labeljust="l"; 
+
+    spire_server_1[label=<<table border="0"><tr><td><b>SPIRE Server A</b></td></tr><tr><td align="left"><font point-size="9">NodeAttestors: tpm</font></td></tr></table>>,shape="record",style="rounded,solid,filled,bold",color="#6c8ebf",fillcolor="#dae8fc"]
+  }
+
+  subgraph cluster_server2 {
+
+      label = "node name: n2"
+      #style = dashed
+        style="filled,solid,bold";
+        color="#b3b3b3";
+        fillcolor="#f5f5f5";
+        labeljust="l"; 
+    spire_server_2[label=<<table border="0"><tr><td><b>SPIRE Server B</b></td></tr><tr><td align="left"><font point-size="9">NodeAttestors: tpm</font></td></tr></table>>,shape="record",style="rounded,solid,filled,bold",color="#6c8ebf",fillcolor="#dae8fc"]
+  }
+
+
+  subgraph cluster_node3 {
+      label = "node name: n3"
+      #style = dashed
+        style="filled,solid,bold";
+        color="#b3b3b3";
+        fillcolor="#f5f5f5";
+        labeljust="l"; 
+
+      subgraph cluster_node1_systemd {
+          #label = "Systemd"
+          label = "systemd managed"
+          style = "dashed,filled"
+          color="#939393";
+          fillcolor="#d5d5d5";
+
+       labeljust="l"; 
+
+          spire_agent1[label=<<table border="0"><tr><td><b>SPIRE Agent A</b></td></tr><tr><td align="left"><font point-size="9">NodeAttestor: tpm</font></td></tr><tr><td align="left"><font point-size="9">WorkloadAttestor: systemd</font></td></tr><tr><td align="left"><font point-size="9">systemd: [email protected]</font></td></tr></table>>,shape="record",style="rounded,solid,filled,bold",color="#82b366",fillcolor="#d5e8d4"]
+          spire_agent2[label=<<table border="0"><tr><td><b>SPIRE Agent B</b></td></tr><tr><td align="left"><font point-size="9">NodeAttestor: tpm</font></td></tr><tr><td align="left"><font point-size="9">WorkloadAttestor: systemd</font></td></tr><tr><td align="left"><font point-size="9">systemd: [email protected]</font></td></tr></table>>,shape="record",style="rounded,solid,filled,bold",color="#82b366",fillcolor="#d5e8d4"]
+    subgraph cluster_tb {
+        label=""
+        style="invis"
+          spire_ha_agent[label=<<table border="0"><tr><td><b>SPIRE HA Agent</b></td></tr><tr><td align="left"><font point-size="9">systemd: [email protected]</font></td></tr></table>>,shape="record",style="rounded,solid,filled,bold",color="#82b366",fillcolor="#d5e8d4"]
+subgraph cluster_storage {
+          spire_ha_agent_state_a[label="Trust Bundle A", shape=note,style="rounded,solid,filled,bold",fillcolor="#ffffff"]
+          spire_ha_agent_state_b[label="Trust Bundle B", shape=note,style="rounded,solid,filled,bold",fillcolor="#ffffff"]
+}
+    }
+          sshd1[label="sshd",shape="box",style="rounded,solid,filled,bold",color="#d6b656",fillcolor="#fff2cc"]
+          kubelet1[label="kubelet",shape="box",style="rounded,solid,filled,bold",color="#d6b656",fillcolor="#fff2cc"]
+          //k8s_spiffe_helper1[label=<<table border="0"><tr><td><b>K8s SPIFFE Helper</b></td></tr><tr><td align="left"><font point-size="9">systemd: k8s-spiffe-helper.service</font></td></tr><tr><td align="left"><font point-size="9">tool: spiffe-helper</font></td></tr></table>>,shape="box",style="rounded,solid,filled,bold",color="#d79b00",fillcolor="#ffe6cc"]
+      }
+  }
+
+  spire_server_1 -> spire_agent1[dir=back]
+  spire_server_2 -> spire_agent2[dir=back]
+  spire_agent1 -> spire_ha_agent[dir=back]
+  spire_agent2 -> spire_ha_agent[dir=back]
+  spire_ha_agent -> sshd1[dir=back]
+  spire_ha_agent -> kubelet1[dir=back]
+//  spire_ha_agent -> spire_ha_agent_state[dir=both, constraint=false]
+ // spire_ha_agent_state_a -> spire_ha_agent_state_b 
+  spire_agent1 -> spire_ha_agent_state_a
+  spire_agent2 -> spire_ha_agent_state_b
+  spire_ha_agent_state_a -> spire_ha_agent
+  spire_ha_agent_state_b -> spire_ha_agent
+}
diff --git a/diagram.png b/diagram.png