proto/agent: add JWT SVID privileged API #20
Signed-off-by: Yuhan Li <[email protected]>
23cf246 to a670245
@amartinezfayo I'm glad you noticed this, do you have any thoughts about it?
Thank you @loveyana for this contribution! It looks great.
I have only one super minor suggestion in a comment.
proto/spire/api/agent/delegatedidentity/v1/delegatedidentity.proto
Signed-off-by: Yuhan Li <[email protected]>
// for the requested audience. | ||
rpc FetchJWTSVIDs(FetchJWTSVIDsRequest) returns (FetchJWTSVIDsResponse); | ||
|
||
// Subscribe to get local and all federated JWKS bundle. |
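Review bot: the comment on the last line, above the bundle subscription RPC, says only that the local and federated JWKS bundles are returned and leaves the stream's behaviour undocumented. State whether each response carries the full set of bundles or only the ones that changed, and how the bundles are keyed, so a client knows whether to replace or merge the keys it has cached for validating JWT-SVIDs.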
// Subscribe to get local and all federated JWKS bundle. | |
// Subscribe to get local and all federated JWKS bundles. |
I think things will get cumbersome when the workload-to-audience complexity explodes, but I also don't have a better suggestion ... I think in this case, folks are just going to have to manage multiple streams. Maybe it's something we can improve on in the future after some use ... general shape etc looks good to me @amartinezfayo , thank you for the contribution @loveyana!
* proto/agent: add JWT SVID privileged API
  Signed-off-by: Yuhan Li <[email protected]>
* Fix comment lint problem
  Signed-off-by: Yuhan Li <[email protected]>
Bring gRPC to latest to keep in sync with forthcoming gRPC upgrade in SPIRE.
Add JWT SVID privileged API proto definitions in Delegated Identity API. This API includes two RPCs: FetchJWTSVIDs and SubscribeToJWTBundles.
The FetchJWTSVIDs rpc allows a privileged client to get JWT-SVIDs for a given workload.
The request is used to fetch JWT-SVIDs for a workload. As in the Workload API, an audience list is required, and the selectors describing the workload to fetch are also needed.
And the response is used to fetch a list of JWT-SVIDs (for the fetched workload). JWT-SVIDs for registration entries matching all the passed selectors are returned.
The SubscribeToJWTBundles rpc streams the local and all federated bundles. It should be noted that the bundle data it returns is marshaled to JWKS.
Related: #4, #7, #8
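
How a consumer of the bundles streamed by SubscribeToJWTBundles might pick the verification key for a JWT-SVID, as an added example that is not part of this PR or of SPIRE's code. It assumes the bundles are held as a map from trust domain name to JWKS bytes and handles only ES256 keys; `SelectKey` and `JWK` are hypothetical names, and the signature, audience and expiry checks with the returned key still have to follow.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// JWK holds the fields needed to pick an EC verification key from a JWKS.
type JWK struct{ Kty, Crv, Kid, X, Y string }

// SelectKey returns the one key allowed to verify token. bundles maps a trust
// domain name to that domain's JWKS bytes (an assumed layout for this example).
func SelectKey(token string, bundles map[string][]byte) (*JWK, error) {
	var hdr struct{ Alg, Kid string }
	var claims struct{ Sub string }
	var set struct{ Keys []JWK }
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: %d parts", len(parts))
	}
	h, errH := base64.RawURLEncoding.DecodeString(parts[0])
	c, errC := base64.RawURLEncoding.DecodeString(parts[1])
	if errH != nil || errC != nil || json.Unmarshal(h, &hdr) != nil || json.Unmarshal(c, &claims) != nil {
		return nil, fmt.Errorf("undecodable header or claims")
	}
	id, err := url.Parse(claims.Sub)
	if err != nil || id.Scheme != "spiffe" || id.Host == "" || hdr.Alg != "ES256" || hdr.Kid == "" {
		return nil, fmt.Errorf("not an ES256 JWT-SVID with a SPIFFE subject and a kid")
	}
	// The unverified subject only selects a bundle; no other domain's keys apply.
	if json.Unmarshal(bundles[id.Host], &set) != nil {
		return nil, fmt.Errorf("no usable bundle for trust domain %q", id.Host)
	}
	for i, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "EC" && k.Crv == "P-256" {
			return &set.Keys[i], nil
		}
	}
	return nil, fmt.Errorf("kid %q is not in the bundle for %q", hdr.Kid, id.Host)
}

func main() {
	enc := base64.RawURLEncoding.EncodeToString // constructed sample inputs below
	tok := enc([]byte(`{"alg":"ES256","kid":"k1"}`)) + "." + enc([]byte(`{"sub":"spiffe://b.test/w"}`)) + ".sig"
	_, err := SelectKey(tok, map[string][]byte{"a.test": []byte(`{"keys":[{"kty":"EC","crv":"P-256","kid":"k1"}]}`)})
	fmt.Println(err)
}
```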