Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Workload Identity: Add workload-identity-x509 service to tbot #50812

Open
wants to merge 15 commits into
base: master
Choose a base branch
from
Open

Workload Identity: Add workload-identity-x509 service to tbot #50812

wants to merge 15 commits into from

Conversation

strideynet
Copy link
Contributor

@strideynet strideynet commented Jan 7, 2025
edited
Loading

Part of: #49986

As per RFD191: #49133

For now, this command is hidden until we remove the feature flag.

version: v2
proxy_server: example.teleport.sh
onboarding:
  join_method: kubernetes
  token: local-workload-id
certificate_ttl: 24h
storage:
  type: directory
  path: /Users/noah/code/gravitational/teleport-scratch/tbot-new-workload-id/storage
services:
  - type: workload-identity-x509
    destination:
      type: directory
      path: /Users/noah/code/gravitational/teleport-scratch/tbot-new-workload-id/svid-out
    workload_identity:
      name: workload-identity
  - type: workload-identity-x509
    destination:
      type: directory
      path: /Users/noah/code/gravitational/teleport-scratch/tbot-new-workload-id/svid-labels-out
    workload_identity:
      labels:
        test: [bar]

Follow up PRs will include the workload-identity-api and workload-identity-jwt services.

@strideynet strideynet changed the title Strideynet/new x509 output tbot Workload Identity: Add workload-identity-x509 service to tbot Jan 7, 2025
@strideynet strideynet added the no-changelog Indicates that a PR does not require a changelog entry label Jan 7, 2025
@strideynet strideynet marked this pull request as ready for review January 7, 2025 16:20
strideynet
strideynet commented Jan 7, 2025
View reviewed changes
lib/tbot/cli/start_workload_identity_x509.go
"The name of the workload identity to issue",
).StringVar(&c.WorkloadIdentityName)
cmd.Flag(
"workload-identity-labels",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is --workload-identity-name and --workload-identity-labels too verbose? I was worried that just --name / --labels would be not verbose enough. Perhaps --name-selector / --label-selector ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm actually curious about this exact question on #50898. I've so far gone with the unambiguous but way too verbose names following the pattern here, but was strongly considering the much shorter --name and --labels since users can probably infer meaning from context. Maybe there's some additional benefit knowing that e.g. --labels can be reused across certain commands that accept selectors?

strideynet
strideynet commented Jan 7, 2025
View reviewed changes
lib/tbot/config/service_workload_identity.go Outdated
type WorkloadIdentityX509Service struct {
// WorkloadIdentity is the selector for the WorkloadIdentity resource that
// will be used to issue WICs.
WorkloadIdentity WorkloadIdentitySelector `yaml:"workload_identity"`
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the JSON/YAML name of this field reference the "selector" nature of the field - e.g workload_identity_selector or selector ?

@strideynet strideynet mentioned this pull request Jan 8, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@capnspacehook capnspacehook Awaiting requested review from capnspacehook

@timothyb89 timothyb89 Awaiting requested review from timothyb89

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
backport/branch/v16 backport/branch/v17 machine-id no-changelog Indicates that a PR does not require a changelog entry size/lg
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@strideynet @timothyb89