Matthew McPherrin

Hierarchical SPIFFE identities may provide a good path for multitenancy in Keywhiz as well.

I've been thinking about this, and I think I'd like to support SPIFFE in a slightly more bold manner, which also better aligns with how Keysync works: Currently, the keywhiz...

While that seems useful, it's unlikely that I or anyone on my team is going to have the time or expertise to write a Jenkins plugin, as we don't use...

We could issue automation certs off a separate root or intermediate and drop the automationenabled column in the database too, if we wanted. (Or automatically fill that column?). Not sure...

@madtrax We use Keywhiz with a different server and client roots in our production deploys. You just have to set "validateCerts: false" in your dropwizard applicationConnectors config, so that it...

I've added a comment and that option to the dev config in https://github.com/square/keywhiz/pull/186 I'll probably revert that option once this issue is closed, though.

I scanned a bunch in the past, and it seemed like each Walgreens location I tested had a seperate ID

We have a few other projects in brew, so I think this is reasonable.

A plugin architecture seems really cool here. I'd love to make sure whatever we end up doing is flexible enough to support a wide variety of protocols. A short list...

Some discussion in #253 about how configuration should be live-loadable (especially for ACLs, if not other config options too).