Make node alias and vanity name entries easier to reason about #2612
Hi @kfox1111 ... I think there is definitely room for improvement here. Tactically, I think you should be able to get what you want by replacing the In the long run, it would be great to make this more approachable. There are clearly use cases for mapping nodes/agents to an alias either via selector or via 1:1 alias. In fact, join token does this kind of 1:1 alias already when creating one with A new flag like
# Give a specific agent alias nodename/foo
$ spire-server entry create -nodeAlias -parentID spiffe://example/spire/agent/tpm/xxxxx -spiffeID spiffe://example/nodename/foo
# Give a group of agents an alias to nodename/foo
$ spire-server entry create -nodeAlias -selector aws_iid:tag:nodename:foo -spiffeID spiffe://example/nodename/foo
Something like the above feels like a step in the right direction with regards to clarifying the behavior of "node entries", and also enabling straight ID aliasing (which is already supported, but not intuitive). We should also document the shapes of the entries that these produce somewhere such that API consumers can leverage them as well. Perhaps that is coupled with proto documentation, and/or new RPCs or params
This issue is stale because it has been open for 365 days with no activity.
This issue was closed because it has been inactive for 30 days since being marked as stale.
I would have thought this could work:
But currently another spiffeID is not able to be used in this case, only labels from the agent. Might be a nice thing to be able to do. I managed to work around it by the plugin's own selector for now: