Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RFD191: Rework Workload Identity Configuration and RBAC UX #49133

Merged
merged 30 commits into from
Dec 12, 2024
Merged

RFD191: Rework Workload Identity Configuration and RBAC UX #49133

merged 30 commits into from
Dec 12, 2024

Conversation

strideynet
Copy link
Contributor

Related to #44006

@strideynet
Copy link
Contributor Author

Ready for first pass opinions on this.

@strideynet strideynet mentioned this pull request Nov 20, 2024
Draft
timothyb89
timothyb89 reviewed Nov 21, 2024
View reviewed changes
Copy link
Contributor

@timothyb89 timothyb89 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few thoughts after a first readthrough

rfd/0191-workload-id-config-ux.md Outdated Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Outdated Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Outdated Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Outdated Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Outdated Show resolved Hide resolved
@strideynet
Copy link
Contributor Author

strideynet commented Nov 26, 2024
edited
Loading

I think largely, we need to ask design partners about the types of rules they would write, and understand how they'd prefer to express these.

Generally, it seems like option 1 and option 3 are the most sensible to move forward with. Option 2 seems to push the complexity of what's reasonable in YAML and causes problems for generation of IaC due to recursion.

thedevelopnik
thedevelopnik reviewed Nov 26, 2024
View reviewed changes
rfd/0191-workload-id-config-ux.md Outdated Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Outdated Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md Show resolved Hide resolved
This was referenced Nov 29, 2024
Open
Open
Closed
Open
Open
Open
Open
Merged
This was referenced Dec 10, 2024
Open
Open
Merged
@strideynet
Copy link
Contributor Author

@thedevelopnik / @timothyb89 please take another look.

@strideynet strideynet added the no-changelog Indicates that a PR does not require a changelog entry label Dec 11, 2024
timothyb89
timothyb89 approved these changes Dec 12, 2024
View reviewed changes
Copy link
Contributor

@timothyb89 timothyb89 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty good! I think you found a good compromise supporting both YAML conditions and expressions for rules.

rfd/0191-workload-id-config-ux.md Show resolved Hide resolved
rfd/0191-workload-id-config-ux.md
TTL will be capped at this value. This provides the ability to enforce a
maximum permissible TTL regardless of the configuration of the `tbot` agent.

If this field is not set, a default maximum value of 24 hours will be used.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we / the SPIFFE spec define an upper limit to the TTL, or is it arbitrary?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SPIFFE doesn't specify anything. Across the rest of Teleport we do have some limits, but, I'm leaning towards that we may want to relax these for Workload Identity in order to support some more niche use-cases.

@strideynet strideynet added this pull request to the merge queue Dec 12, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 12, 2024
@strideynet strideynet added this pull request to the merge queue Dec 12, 2024
Merged via the queue into master with commit 6da9dc0 Dec 12, 2024
40 checks passed
@strideynet strideynet deleted the rfd/191-workload-id-config-ux branch December 12, 2024 16:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thedevelopnik thedevelopnik thedevelopnik approved these changes

@ryanclark ryanclark ryanclark approved these changes

@timothyb89 timothyb89 timothyb89 approved these changes

Assignees
No one assigned
Labels
no-changelog Indicates that a PR does not require a changelog entry rfd Request for Discussion size/lg
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@strideynet @timothyb89 @ryanclark @thedevelopnik