Matthew McPherrin

Results 60 issues of Matthew McPherrin

We currently rely on the CN in client cert subjects. We should support SPIFFE identities. https://github.com/spiffe/svid/blob/master/SPECIFICATION.md The first step would be figuring out how to map keywhiz clients to SVID...

We send client's "last seen" times to the RW database. We should do that async -- it shouldn't block API calls. This will help improve latency if the RW server...

Keywhiz decrypts secrets each time they're read from the database. If there's a secret assigned to many clients, the Keywhiz server will have to load that secret from the database...


Keywhiz has support for local admin users, or pulling them from LDAP. But we should support SSO schemes. Our abstraction for a user is not good enough to support this...

Exception in thread "main" java.lang.IllegalArgumentException: (was java.lang.NullPointerException) (through reference chain: keywhiz.KeywhizConfig["cookieKey"]) We should print an error message, not just NPE. I'm not sure if this is something specific to the...

Keywhiz should not require a configured CookieKey. It should automatically generate one if not present, and store it in the database like any other secret.

I think it might be nicer operationally if we put AutomationClients in the configuration. There's been a bunch of times in dev setups I've had to jump through an extra...

I just misconfigured a trustStoreType, and Keywhiz started, but I got strange client errors. We should make sure the trustStore is sane, and bail if it isn't. I had a...

If you run multiple Keywhiz servers, it would be convenient to have a way (API + cli) to export the encrypted secret for import into another server. This is easy...

In some cases, a rendezvous mode might be interesting. In this case, the tunneled connections go in the opposite direction from the tunnels. You have two ghostunnels: one in rendezvous...
