spiffe
WIT-SVID support in SPIRE
SPIFFE sig-spec is actively working on bringing Workload Identity Token support into SPIFFE.
- The IETF document is in its final stages: https://datatracker.ietf.org/doc/draft-ietf-wimse-s2s-protocol/
- The SPIFFE WIT-SVID which picks it up is planning to merge this into an "experimental" branch until the IETF document has become an RFC: https://github.com/spiffe/spiffe/pull/327
I believe now is a good time to discuss a potential support in SPIRE if there's appetite for it and what's necessary.
cc @strideynet @sorindumitru
Agreed - I'd be keen to pick up some of the WIT related work in go-spiffe (and maybe also some experimental WPT utilities over there too 😉 )
Hi @arndt-s, thanks for opening this! It will be a very large effort to support a new SVID type in the SPIFFE projects (SPIRE, go-spiffe, java-spiffe, etc.). I think it would be helpful to discuss a few things in a call to define the path forward:
- Scope of changes in SPIRE and other SPIFFE projects
- How we will track progress of all the work in SPIFFE projects related to WIT-SVIDs (GitHub projects tend to work well for this)
- Potential commitment from anyone in the community to implement these changes
- Strategy for how changes will eventually be merged back into the
mainbranch of SPIRE - Alignment with IETF draft and SPIFFE spec changes since those are still in-flight
We have a bi-weekly SIG-SPIRE community call from 10:30 am - 11:30 am PT that would be a good place to go more in depth on these topics. @arndt-s would you be able to join any instances of that call in the near future?
cc @dfeldman who runs the SIG-SPIRE calls
@rturner3 I'm planning to attend SIG-SPIRE next week to bring this issue up.
Update: SIG-SPIRE is bi-weekly and not happening this week. Targeting Oct 9.
We've created a project to track all the work related with WIT-SVID support: https://github.com/orgs/spiffe/projects/28/
