David Arnold
I think, by now, I have ± a plan. A sidecar spiffe-helper would continuously roll the certificates and expose them through a shared ephemeral volume. Remaining open question: _**How can...
How far-fetched would it be to utilize https://github.com/heavypackets/rust-spiffe and support SPIFFE for mTLS natively — while preserving the possibility for people to manually set up their own ACME stack?
So here is a prototype:

- [`./dev/spire`](https://github.com/ContainerSolutions/trow/tree/9d42e01225da27e85cca2f4fd6f4b57ba995400d/dev/spire)
- [how it's deployed](https://github.com/ContainerSolutions/trow/blob/9d42e01225da27e85cca2f4fd6f4b57ba995400d/dev/Justfile#L45-L47)
- [the custom artifact?](https://github.com/ContainerSolutions/trow/blob/f33a747dccfe8eba5376c80d60f6ebcfbdafb6c9/dev/Justfile#L53-L56)
- [after up and running](https://github.com/ContainerSolutions/trow/blob/f33a747dccfe8eba5376c80d60f6ebcfbdafb6c9/dev/Justfile#L17)
- [the SPIFFE identities are loaded](https://github.com/ContainerSolutions/trow/blob/f33a747dccfe8eba5376c80d60f6ebcfbdafb6c9/dev/Justfile#L67-L79) — this can be...
If you would be willing to give https://github.com/numtide/devshell a try, I could be plugging together a prototype that would have unrivalled UX, and only _ever_ one bootstrap dependency:

- `curl...

**Showcase:**

- → [wrapped hostctl](https://github.com/ContainerSolutions/trow/pull/193/files#diff-4bb450507124b9bcd863a6d4a8fff3a75338d9a11c2ced8bb59b33f3f73637b0R42-R61) — `nix-shell`
- → [fed by `devshell.toml`](https://github.com/ContainerSolutions/trow/pull/193/files#diff-04359bb04ecc08b0f19f634f869be71b73a5585e69c0f762403232b8ba6db226R91) — `nix-shell`
> Will it actually work with the version of kustomize in kubectl?

Not yet. But see how work is progressing on: https://github.com/kubernetes-sigs/kustomize/issues/1500 New versions are expected to land in 20.*...

Breadcrumb:

- https://github.com/dave/jennifer/
- https://github.com/aloder/tojen

(this might be a precursor to taking this issue, or not... no commitment at this time possible)
I think the only remaining useful consideration out of this would be to provide user defined sub-menus, like `ci-menu` [where all checks are amassed](https://github.com/gytis-ivaskevicius/flake-utils-plus/blob/36d9cd23223a2782ed36630d2efcedfb93ea9734/.github/workflows/ci.yaml#L22-L33).
I'll try to figure out a solution tomorrow. This also annoys me (using `nix develop` / `zsh`). #26 has a pending fix for review, which led me to believe the...
^^ noted, will try to carve out a spot to context switch.