-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Workload Identity: Add workload-identity-x509
service to tbot
#50812
Conversation
workload-identity-x509
service to tbot
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks pretty good, and working well on my dev cluster.
Aside from a couple of nits, one more general question: if a user wants to issue more than one SVID, what's the solution? I guess multiple outputs, one per SVID?
I realize the UX for this case is rough with upstream SPIFFE tools too and the impl here seems sane. Just curious more than anything.
Yeah for now - certainly. Perhaps eventually we can write them all into sub-directories? The other thing in my mind is we could really just make having many outputs cheap - and then it doesn't really matter. |
@strideynet See the table below for backport results.
|
…0812) * Add config for new output * Add tests * rename * rename * Add simple impl for WorkloadIdentityX509Service * Add support for label based issuance * Add support for specifying selectors via cli * Add `TestBotWorkloadIdentityX509` * Add note on removing hidden flag * Add more thorough logging * Remove unnecessary slice copy * Update terminology * Reshuffle and rename * Fix broken build * Fix more building * Rename name/label selector * Rename selector * Add godocs * Nicer error messge
…t` (#50812) (#51059) * Workload Identity: Add `workload-identity-x509` service to `tbot` (#50812) * Add config for new output * Add tests * rename * rename * Add simple impl for WorkloadIdentityX509Service * Add support for label based issuance * Add support for specifying selectors via cli * Add `TestBotWorkloadIdentityX509` * Add note on removing hidden flag * Add more thorough logging * Remove unnecessary slice copy * Update terminology * Reshuffle and rename * Fix broken build * Fix more building * Rename name/label selector * Rename selector * Add godocs * Nicer error messge * Fix dependency on newer cryptosuites pakcage * Switch to old jitter command
…0812) * Add config for new output * Add tests * rename * rename * Add simple impl for WorkloadIdentityX509Service * Add support for label based issuance * Add support for specifying selectors via cli * Add `TestBotWorkloadIdentityX509` * Add note on removing hidden flag * Add more thorough logging * Remove unnecessary slice copy * Update terminology * Reshuffle and rename * Fix broken build * Fix more building * Rename name/label selector * Rename selector * Add godocs * Nicer error messge
Part of: #49986
As per RFD191: #49133
For now, this command is hidden until we remove the feature flag.
Follow up PRs will include the
workload-identity-api
andworkload-identity-jwt
services.