What would you like to be added?
etcd to use the SPIFFE Workload API to fetch its CA and certificates, and to listen on the workload socket for updated CAs and certificates.
Alternatively, at minimum, it would be nice if, when spiffe-helper writes the CA/cert/key to disk, etcd would watch the configured files for updates and automatically apply the new versions when they change on disk, without risking quorum disruption by restarting the servers.
Why is this needed?
Managing certificates and CAs is difficult. SPIFFE/SPIRE provide a standard and an implementation that handle automatic CA rotation, advanced node attestation, and automated certificate issuance and rotation.
With node attestation, you can use things such as TPMs to help secure the trust chain. SPIRE also rotates the CA automatically and frequently (often daily), so certificates are very short-lived and CAs are short-lived too, greatly increasing security.
This would also simplify setting up etcd clusters, as all of the PKI can be completely offloaded.
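The file-watching fallback described above, as an added Go sketch that is not etcd's or spiffe-helper's code: a `tls.Config.GetCertificate` hook that re-parses the cert/key pair from disk whenever the cert file's mtime advances, and keeps serving the previous pair if the new one is unparsable (e.g. caught half-written mid-rotation). `CertReloader` and `WriteSelfSigned` are hypothetical names; the self-signed pair is a constructed fixture standing in for what spiffe-helper would write.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"os"
	"sync/atomic"
	"time"
)

// CertReloader (hypothetical sketch, not etcd code) serves the pair on disk, re-parsing it when the cert file's mtime advances.
type CertReloader struct {
	CertPath, KeyPath string
	cert              atomic.Pointer[tls.Certificate]
	modTime           atomic.Int64 // mtime (unix nanos) of CertPath when last parsed
}
// Reload parses the pair on disk; an unparsable pair (e.g. half-written mid-rotation) is rejected and the old one stays in service.
func (r *CertReloader) Reload() error {
	st, err := os.Stat(r.CertPath)
	if err != nil {
		return err
	}
	cert, err := tls.LoadX509KeyPair(r.CertPath, r.KeyPath)
	if err == nil {
		r.cert.Store(&cert)
		r.modTime.Store(st.ModTime().UnixNano())
	}
	return err
}
// GetCertificate is the tls.Config.GetCertificate hook: each handshake gets the newest pair with no restart, so quorum is undisturbed.
func (r *CertReloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	if st, err := os.Stat(r.CertPath); err == nil && st.ModTime().UnixNano() > r.modTime.Load() {
		_ = r.Reload() // on failure keep serving the previous, still valid pair; retried on the next handshake
	}
	return r.cert.Load(), nil // nil until the first successful Reload
}
// WriteSelfSigned writes a throwaway self-signed pair into dir: a constructed stand-in for spiffe-helper's output, not a real SVID.
func WriteSelfSigned(dir string) (certPath, keyPath string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	_ = os.WriteFile(dir+"/svid.key", pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
	_ = os.WriteFile(dir+"/svid.pem", pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600) // cert last: its mtime gates the reload
	return dir + "/svid.pem", dir + "/svid.key"
}
```

Wire it up as `tls.Config{GetCertificate: r.GetCertificate}` after one successful `Reload`; a rotation on disk then takes effect at the next handshake without restarting the server.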