
Workload Identity: Add workload-identity-x509 service to tbot #50812

Merged (19 commits) on Jan 15, 2025

Conversation

@strideynet (Contributor) commented Jan 7, 2025

Part of: #49986

As per RFD191: #49133

For now, this command is hidden until we remove the feature flag.

```yaml
version: v2
proxy_server: example.teleport.sh
onboarding:
  join_method: kubernetes
  token: local-workload-id
certificate_ttl: 24h
storage:
  type: directory
  path: /Users/noah/code/gravitational/teleport-scratch/tbot-new-workload-id/storage
services:
  - type: workload-identity-x509
    destination:
      type: directory
      path: /Users/noah/code/gravitational/teleport-scratch/tbot-new-workload-id/svid-out
    workload_identity:
      name: workload-identity
  - type: workload-identity-x509
    destination:
      type: directory
      path: /Users/noah/code/gravitational/teleport-scratch/tbot-new-workload-id/svid-labels-out
    workload_identity:
      labels:
        test: [bar]
```

Follow up PRs will include the workload-identity-api and workload-identity-jwt services.

@strideynet strideynet changed the title Strideynet/new x509 output tbot Workload Identity: Add workload-identity-x509 service to tbot Jan 7, 2025
@strideynet strideynet added the no-changelog Indicates that a PR does not require a changelog entry label Jan 7, 2025
@strideynet strideynet marked this pull request as ready for review January 7, 2025 16:20
@timothyb89 (Contributor) left a comment


Looks pretty good, and working well on my dev cluster.

Aside from a couple of nits, one more general question: if a user wants to issue more than one SVID, what's the solution? I guess multiple outputs, one per SVID?

I realize the UX for this case is rough with upstream SPIFFE tools too and the impl here seems sane. Just curious more than anything.

(Review comment on lib/tbot/service_workload_identity_x509.go: outdated, resolved)

@strideynet (Contributor, Author) replied:

> Aside from a couple of nits, one more general question: if a user wants to issue more than one SVID, what's the solution? I guess multiple outputs, one per SVID?

Yeah for now - certainly. Perhaps eventually we can write them all into sub-directories? The other thing in my mind is we could really just make having many outputs cheap - and then it doesn't really matter.
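The config in the PR description selects a WorkloadIdentity by `name` in one `workload-identity-x509` service and by `labels` in the other, and the exchange above settles on one output per SVID. The following Go program is an added example written for this page, not Teleport's or tbot's own code. It models that config shape in its own types (`Service`, `Selector`, `Destination`) and validates a service list before tbot would be started with it; the rules it enforces are this example's assumptions: a selector sets exactly one of `name` or `labels`, every label has at least one value, the destination is a directory with a path, and no two services share a destination path (each service writes one SVID, so a shared directory would be silently overwritten). The sample paths are constructed.

```go
package main

import (
	"fmt"
	"path/filepath"
)

// Destination mirrors the `destination` block of a tbot service entry.
// These types are written for this example and are not Teleport's config structs.
type Destination struct {
	Type string // e.g. "directory"
	Path string
}

// Selector mirrors the `workload_identity` block: a WorkloadIdentity is
// chosen either by name or by a set of label values.
type Selector struct {
	Name   string
	Labels map[string][]string
}

// Service mirrors one entry under `services`.
type Service struct {
	Type             string
	Destination      Destination
	WorkloadIdentity Selector
}

// ValidateServices checks a list of workload-identity-x509 services.
// The rules below are this example's assumptions, not tbot's documented ones:
//   - exactly one of workload_identity.name or workload_identity.labels is set,
//     and every label carries at least one value;
//   - the destination is a directory with a non-empty path;
//   - no two services share a destination path, since each service writes
//     one SVID and a shared directory would be overwritten.
func ValidateServices(services []Service) error {
	seen := map[string]int{} // cleaned destination path -> index of first service using it
	for i, svc := range services {
		if svc.Type != "workload-identity-x509" {
			return fmt.Errorf("service %d: unexpected type %q", i, svc.Type)
		}
		hasName := svc.WorkloadIdentity.Name != ""
		hasLabels := len(svc.WorkloadIdentity.Labels) > 0
		if hasName == hasLabels {
			return fmt.Errorf("service %d: set exactly one of workload_identity.name or workload_identity.labels", i)
		}
		for key, values := range svc.WorkloadIdentity.Labels {
			if len(values) == 0 {
				return fmt.Errorf("service %d: label %q has no values", i, key)
			}
		}
		if svc.Destination.Type != "directory" || svc.Destination.Path == "" {
			return fmt.Errorf("service %d: destination must be a directory with a path", i)
		}
		path := filepath.Clean(svc.Destination.Path)
		if first, dup := seen[path]; dup {
			return fmt.Errorf("service %d: destination %q is already used by service %d", i, path, first)
		}
		seen[path] = i
	}
	return nil
}

// SampleServices returns constructed input shaped like the PR description:
// one service selected by name, one by label, each with its own output directory.
func SampleServices() []Service {
	return []Service{
		{
			Type:             "workload-identity-x509",
			Destination:      Destination{Type: "directory", Path: "/var/lib/tbot/svid-out"},
			WorkloadIdentity: Selector{Name: "workload-identity"},
		},
		{
			Type:             "workload-identity-x509",
			Destination:      Destination{Type: "directory", Path: "/var/lib/tbot/svid-labels-out"},
			WorkloadIdentity: Selector{Labels: map[string][]string{"test": {"bar"}}},
		},
	}
}

func main() {
	if err := ValidateServices(SampleServices()); err != nil {
		fmt.Println("invalid config:", err)
		return
	}
	fmt.Println("config ok: one SVID per destination")
}
```

Paths are compared after `filepath.Clean`, so a trailing slash or a `..` segment does not let two services slip past the uniqueness check onto the same directory.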

@strideynet strideynet enabled auto-merge January 15, 2025 09:17
@strideynet strideynet added this pull request to the merge queue Jan 15, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 15, 2025
@strideynet strideynet added this pull request to the merge queue Jan 15, 2025
Merged via the queue into master with commit 5bd6c59 Jan 15, 2025
44 checks passed
@strideynet strideynet deleted the strideynet/new-x509-output-tbot branch January 15, 2025 10:25
@public-teleport-github-review-bot

@strideynet See the table below for backport results.

| Branch | Result |
|---|---|
| branch/v16 | Failed |
| branch/v17 | Create PR |

strideynet added a commit that referenced this pull request Jan 15, 2025
…0812)

* Add config for new output

* Add tests

* rename

* rename

* Add simple impl for WorkloadIdentityX509Service

* Add support for label based issuance

* Add support for specifying selectors via cli

* Add `TestBotWorkloadIdentityX509`

* Add note on removing hidden flag

* Add more thorough logging

* Remove unnecessary slice copy

* Update terminology

* Reshuffle and rename

* Fix broken build

* Fix more building

* Rename name/label selector

* Rename selector

* Add godocs

* Nicer error message