Ben Leggett
I'm pulling over/focusing the discussion from #43273 around `DelegatedIdentityAPI` because I think it's important, and agree it's probably not the right API for Istio to use. https://github.com/istio/istio/pull/43273#issuecomment-1563397269 ztunnel _is_ effectively...
There is also this upstream Envoy issue: https://github.com/envoyproxy/envoy/issues/19756
Scratch that - I've confused myself. SPIRE slack guys sorted me - There's no scoping problem with this API so it should be fine for Istio to use for ztunnel...
Not stale
> So I did do some work on this a few months ago and there are some open questions, but a lot of the rust work itself is done.
> ...
> So FWIW the delegated `ztunnel` doesn't need to know any of the plugins at all. In fact this is probably the biggest part of the design which I tried...
> > The DelegatedIdentity API completely bypasses SPIRE Agent attestation, though, correct?
>
> So this is an interesting question. It really cuts to the core of the delegated identity...
I've raised https://github.com/spiffe/spire/issues/5019 to have a chat with the SPIRE folks about how we can use the DelegateIdentity API without having to DIY workload attestation. So far, they seem amenable,...
Yeah I don't really want to complicate the matrix of what causes injection to happen, it's already a little too baroque. Is the problem here simply that defaultRevision control planes...
Yeah that's for https://github.com/istio/istio/issues/51121 A better CNI check would likely live outside of the Helm `GitVersion` detection anyway - as explained here it's not ideal.