MintX509Svid should support svid_hints #5445
Comments
MarcosDY
added
priority/backlog
|
For consistency, we should add this in the MintJWTSVIDRequest message also. |
|
This seems like a straightforward task, I will take a stab at it today as a first contribution if nobody is already working on it |
|
Actually although it is just a case of adding a field and returning it, it got me thinking what is the point? If an admin operator is minting a one off cert or token, wouldn't they already know the purpose of the SVID? curious about the initial use-case @stevend-uber |
|
@SpectralHiss in a highly dynamic environment where minting SVIDs happens in addition to normal certificates, svid-hints help with provenance and metrics. At Uber, these are additionally minted through automation in addition to admin operator minting. |
|
I think what @SpectralHiss is getting at is that the hint is normally conveyed back alongside the SVID on the workload API, not as a property of the SVID. In other words, where would you expect the hint provided to this API to end up? |
The Mintx509SVID API should accept hints as a field when minting a new x509. This would allow parity with the normal operations of creating a new entry for deployments of SPIRE.
https://github.com/spiffe/spire-api-sdk/blob/main/proto/spire/api/server/svid/v1/svid.pb.go#L24
The text was updated successfully, but these errors were encountered: