SPIFFE/SPIRE support #18963

Open
kfox1111 opened this issue Nov 30, 2024 · 0 comments

What would you like to be added?

etcd to use the SPIFFE Workload API to fetch its CA / certificates and listen for updates from the workload socket for updated CAs / certificates.

Alternately, at minimum, it would be nice if, when spiffe-helper puts the CA/cert/key down onto disk, etcd would watch the configured file for updates and automatically apply the new versions if they change on disk, without having to risk quorum disruptions by restarting the servers.

Why is this needed?

Managing certificates and CAs is difficult. SPIFFE/SPIRE have a standard/implementation that handles automatic CA rotation, advanced node attestation, and automated certificate issuance/rotation.

With node attestation, you can use things such as TPMs to help secure the trust chain. SPIRE will also automatically rotate the CA frequently (often daily), so certs are very, very short-lived and CAs are short-lived too, greatly increasing security.

This would also simplify setting up etcd clusters as all the PKI can be completely offloaded.
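The second option in the request (an external helper writes CA/cert/key to disk and the server picks the new files up without restarting) can be sketched with the Go standard library alone. The program below is an added example, not etcd's code and not spiffe-helper's: it re-reads the three files on every handshake, installs a new `tls.Config` only when their contents changed and parsed cleanly, and keeps the last good material when a half-written or mismatched pair is found. The file names `svid.pem`, `svid_key.pem` and `bundle.pem`, the one-hour self-signed ed25519 certificate standing in for a SPIRE-issued SVID, and the `ReloadingCreds` type are assumptions for the demonstration; a real SPIRE integration would read the same material from the Workload API's update stream instead of polling disk.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// ReloadingCreds serves the cert/key/CA files an external writer (spiffe-helper,
// say) drops on disk, and installs new material whenever their contents change.
type ReloadingCreds struct {
	CertPath, KeyPath, CAPath string
	mu                        sync.RWMutex
	cfg                       *tls.Config // built from the last good file set
	last                      []byte      // the three files as last installed
}

// Refresh re-reads the files and installs them if their contents changed. A set
// that does not parse (a half-written cert/key, say) is rejected and the last
// good material stays in use. It returns true when new material was installed.
func (r *ReloadingCreds) Refresh() (installed bool, err error) {
	var pems [3][]byte
	for i, p := range []string{r.CertPath, r.KeyPath, r.CAPath} {
		if pems[i], err = os.ReadFile(p); err != nil {
			return false, err
		}
	}
	joined := bytes.Join(pems[:], []byte{0})
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.cfg != nil && bytes.Equal(joined, r.last) {
		return false, nil // nothing changed on disk since the last install
	}
	cert, err := tls.X509KeyPair(pems[0], pems[1])
	if err != nil {
		return false, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(pems[2]) {
		return false, errors.New("no CA certificates in " + r.CAPath)
	}
	r.cfg = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		ClientAuth:   tls.RequireAndVerifyClientCert, // peers present SVIDs too
		Certificates: []tls.Certificate{cert},
		ClientCAs:    roots,
	}
	r.last = joined
	return true, nil
}

// ServerTLSConfig checks disk on every handshake, so rotation takes effect on
// the next connection rather than on the next process restart.
func (r *ReloadingCreds) ServerTLSConfig() *tls.Config {
	return &tls.Config{GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) {
		_, _ = r.Refresh() // a failed refresh keeps the last good material
		r.mu.RLock()
		defer r.mu.RUnlock()
		return r.cfg, nil
	}}
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// WriteSelfSignedPair writes a fresh one-hour self-signed cert (also used as the
// bundle) and its key into dir: a constructed stand-in for a SPIRE-issued SVID.
func WriteSelfSignedPair(dir string) (certPath, keyPath, caPath string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived, like an SVID
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	must(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	must(err)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	certPath, keyPath, caPath = filepath.Join(dir, "svid.pem"), filepath.Join(dir, "svid_key.pem"), filepath.Join(dir, "bundle.pem")
	must(os.WriteFile(certPath, certPEM, 0o600))
	must(os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600))
	must(os.WriteFile(caPath, certPEM, 0o600))
	return certPath, keyPath, caPath
}
```

To use it, construct `ReloadingCreds` with the three paths, call `Refresh` once at startup (so a missing or broken file fails fast instead of at the first handshake), and pass `ServerTLSConfig()` to the listener; rewriting the files afterwards changes what the next handshake serves. Comparing file contents rather than modification times means a helper that rewrites identical material does not trigger a reparse, and a key file that does not match the certificate is refused rather than installed. Three small file reads per handshake is a deliberate trade for having no watcher goroutine in the example; an inotify-based watcher or the Workload API's streaming updates would replace that poll in a real implementation.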
