The project aims to provide a management plane and capabilities for SPIFFE identities managed by SPIRE. The goals are to provide global visibility, auditability, and configuration and policy management for identities. This can be thought about as a central management plane for identities across SPIRE servers, with the aim for use by an administrator or CISO to govern an organization's workload identities.
The following are guides on how to try out Tornjak:
Here are a few additional resources:
The architecture consists of 2 main components, the agent and the manager.
- The manager provides a management control plane for SPIRE servers, and a central point of data collection. It interacts with the agents, SPIRE servers, and corresponding components to achieve this.
- The agent provides a way for the management plane to communicate with the SPIRE servers and provide introspection and configuration of identities.
For more details of the components and execution plan, please refer to these documents:
The binary and container can be built with the following command, replacing CONTAINER_TAG with the container tag of your choice.
This builds the Tornjak agent + SPIRE 1.1.3 server container:
CONTAINER_TAG=tsidentity/tornjak-spire-server:latest make container-agent
The container is run with the same arguments as the SPIRE server image, and usage is transparent. It runs an HTTP server on port 10000. A different SPIRE version may be specified in the first line of the Dockerfile.add-frontend file. Currently, SPIRE versions <= 1.4.0 are compatible with Tornjak.
Alternatively, pre-built Tornjak images can be found at gcr.io/spiffe-io/tornjak-spire-server:{version}, where the specified tag denotes the supported SPIRE server version, as listed in the SPIRE_BUILD_VERSIONS document.
To start a local version of the Tornjak front-end server, pointing it at the running Tornjak APIs:
cd tornjak-frontend
REACT_APP_API_SERVER_URI=http://<tornjak_API>/ npm start
Assuming npm is installed, this will start a server on http://localhost:3000
Please be patient, as it might take a few minutes to compile and start the server.
Once you have a Tornjak agent running, you may run the Tornjak manager by locally running
go run tornjak-backend/cmd/manager/manager.go
which starts listening on port 50000. To start the manager UI, run:
REACT_APP_API_SERVER_URI=http://localhost:50000/ REACT_APP_TORNJAK_MANAGER=true npm start
In this view, there is an additional navigation bar tab titled "Manage Servers" where you may register Tornjak agents.
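The build and start-up steps above are typed into a shell one at a time. The following script is an added example, not part of the Tornjak project, that wraps those steps behind two checks a practitioner would want before starting anything: that the SPIRE version about to be built into the container is within the range the README states as compatible (<= 1.4.0), and that the API URI handed to the front-end has an http or https scheme and the trailing slash the README's examples use. The function names, the script name tornjak-start.sh, and the agent port default of 10000 are this script's own assumptions; only the ports, environment variable names and version ceiling come from the text.

```shell
#!/bin/sh
# tornjak-start.sh (added example, not Tornjak's own tooling).
# Wraps: container build check, front-end start against an agent, and
# manager-UI start. Ports 10000/50000, REACT_APP_* names and the 1.4.0
# ceiling are from the README; everything else here is assumed.

# Return 0 when VERSION (MAJOR.MINOR.PATCH) is <= 1.4.0, 1 otherwise.
# Anything that is not exactly three numeric dot-separated fields is rejected.
spire_version_supported() {
    IFS=. read -r major minor patch extra <<EOF
$1
EOF
    case "$major$minor$patch" in *[!0-9]*|"") return 1 ;; esac
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ] || [ -n "$extra" ]; then
        return 1
    fi
    if [ "$major" -lt 1 ]; then return 0; fi   # pre-1.0 releases
    if [ "$major" -gt 1 ]; then return 1; fi   # 2.x and later
    if [ "$minor" -lt 4 ]; then return 0; fi   # 1.0 .. 1.3
    if [ "$minor" -gt 4 ]; then return 1; fi   # 1.5 and later
    [ "$patch" -eq 0 ]                         # only 1.4.0 of the 1.4 line
}

# Print the environment assignments for `npm start` in tornjak-frontend.
# MODE is "agent" (front-end talks to a Tornjak agent API) or "manager"
# (front-end talks to the manager and shows the "Manage Servers" tab).
# The URI must use http or https; a missing trailing slash is added so the
# result matches the form shown in the README.
tornjak_frontend_env() {
    mode=$1
    api=$2
    case "$api" in
        http://*|https://*) ;;
        *) echo "API URI must start with http:// or https://" >&2; return 1 ;;
    esac
    case "$api" in */) ;; *) api="$api/" ;; esac
    case "$mode" in
        agent)   printf 'REACT_APP_API_SERVER_URI=%s\n' "$api" ;;
        manager) printf 'REACT_APP_API_SERVER_URI=%s REACT_APP_TORNJAK_MANAGER=true\n' "$api" ;;
        *) echo "mode must be agent or manager" >&2; return 1 ;;
    esac
}

# Build the agent+SPIRE container only if the requested SPIRE version is supported.
# TAG and VERSION are the caller's choice; the make target is the README's.
build_agent_container() {
    tag=$1
    version=$2
    if ! spire_version_supported "$version"; then
        echo "SPIRE $version is outside the supported range (<= 1.4.0)" >&2
        return 1
    fi
    CONTAINER_TAG="$tag" make container-agent
}

# Command-line entry point, only when invoked with arguments:
#   ./tornjak-start.sh build   tsidentity/tornjak-spire-server:latest 1.1.3
#   ./tornjak-start.sh agent   http://localhost:10000/
#   ./tornjak-start.sh manager http://localhost:50000/
if [ "$#" -ge 2 ]; then
    case "$1" in
        build)
            build_agent_container "$2" "${3:-1.1.3}" || exit 1 ;;
        agent|manager)
            envline=$(tornjak_frontend_env "$1" "$2") || exit 1
            cd tornjak-frontend || exit 1
            # shellcheck disable=SC2086  # intentional word-splitting of the assignments
            env $envline npm start ;;
        *)
            echo "usage: $0 build TAG [SPIRE_VERSION] | agent URI | manager URI" >&2
            exit 1 ;;
    esac
fi
```

The version check is a plain string-to-number comparison on three fields, which is what the README's statement supports; pre-release suffixes such as 1.4.0-rc1 are deliberately rejected rather than guessed at. Running the front-end in manager mode only sets the second variable, exactly as in the README, so the "Manage Servers" tab appears without any other change.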