SPIFFE Workload Server can be Single Point of Failure? #94
Comments
1 & 2. I'm sorry, but I beg to disagree. There are 3 reasons to mention server spec in The SPIFFE Workload API.
@savankumargudaas I'm not really sure at this point whether this is just commentary, or if there is a particular "issue" you'd like to see addressed. If there is an issue you'd like to see addressed, can you try to state the problem as plainly as you can (and proposed solutions, if you have ideas there)? If there isn't an issue, please close this ticket.
For the reasons mentioned in my last comment, the server is a critical part of SPIFFE, hence the server spec needs to be mentioned in the SPIFFE doc to avoid SPF. Issuing a certificate during bootstrap is the core cause of SPF, because availability of the server is mandatory. In a distributed system, there are enough problems; SPF is something which needs to be avoided. IMO complying with the SPIFFE spec should not add a critical piece of infra; rather, it needs to be non-critical and complement the existing distributed system with an additional layer of security/identity. How can it be achieved? It's something which needs to be discussed and needs to be addressed.
I don't think we can really be responsive to this issue in its current form without compromising on the core principles of SPIFFE. @savankumargudaas if you have specific suggestions for concrete changes to SPIFFE specs, please open a PR. Happy to discuss more on the mailing list; GitHub issues aren't the best format for general discussion.
I have questions on base assumptions of The SPIFFE Workload API server/client. Can someone please clarify?