kfox1111

Results 580 comments of kfox1111

@neolit123 Was reading through the KEP and noticed something that still makes it kind of difficult to use for me. Do you have a few minutes today sometime to jump...

So, I've been playing around with multiple technologies, trying to get them to work together. Right now, one of the combinations I'm testing is: * k8s * spire * bootc...

> I'm familiar with TPMs, SPIRE and hardware node attestation ideas.
>
> > To make it easy to add new nodes to the cluster, I overrode /var/lib/kubelet.config to live...

> > > if you are not calling join you should manually write instance-config.yaml to /var/lib/kubelet with all the required fields when this node is joining the cluster, giving it...

Images being binaries? Not sure we can distribute Windows-based containers?

I think we may be able to hit both the Arm and Windows build case with goreleaser: https://github.com/spiffe/k8s-spiffe-workload-auth-config/blob/main/.github/workflows/release.yaml https://github.com/spiffe/k8s-spiffe-workload-auth-config/blob/main/.goreleaser.yaml

That is a good question.... Depends on if it's a preference flag, or a hard 'no' flag. If it was an enum, it could have more complicated logic like, "nevercert"...

Yeah, a config option sounds good. I don't think using an X509 SVID would work for the x5c. It seems to need to be signed using the priv key for...

I don't see how using an X509-SVID is at all valid for issuing a JWT. That would require that the public key for that specific SVID shows up on /keys...

I did a survey of a bunch of public OIDC providers. About 1/3 have x5c properties. Of those, all of them were self-signed. So for maximum compatibility, we should...