The following demonstrates using the SPIFFE Workload API to supply Ghostunnel with an X.509 identity and trusted CA roots that are used to facilite communication between a frontend and backend service.
ghostunnelbinary from Ghostunnelspire-serverandspire-agentbinaries from SPIREsocat
There are several processes involved in the demo:
- Frontend client that sends TCP data
- Frontend Ghostunnel that receives TCP data forwards it to the backend Ghostunnel over SPIFFE-authenticated mutual TLS
- Backend Ghostunnel that receives TCP data over SPIFFE-authenticated mutual TLS and forwards it to the backend server
- Backend server that receives TCP data
- Frontend SPIRE agent that identifies the frontend Ghostunnel and issues it a frontend SPIFFE identity
- Backend SPIRE agent that identifies the backend Ghostunnel and issues it a backend SPIFFE identity
- SPIRE server that mints the identities and delivers them to agents according to workload registration
TCP mTLS TCP
Frontend ------> Frontend Ghostunnel --------> Backend Ghostunnel ------> Backend
^ ^
| |
| |
Frontend SPIRE Agent Backend SPIRE Agent
^ ^
| |
+ +
\ /
\ /
+---- SPIRE Server ----+
$ ./01-run-spire-server.sh
$ ./02-run-backend-agent.sh
$ ./03-run-frontend-agent.sh
$ ./04-register-ghostunnel-workloads.sh
$ ./05-run-backend-ghostunnel.sh
$ ./06-run-frontend-ghostunnel.sh
$ ./07-run-backend.sh
Run the following the send a request from the frontend.
$ ./08-send-frontend-request.sh
You should see the backend print out a message!