
Federation feature for single Tornjak/SPIRE instance

Open maia-iyer opened this issue 1 year ago • 1 comments

We would like to extend Tornjak to make the Federation management experience easier.

This involves a backend decision on using the SPIRE API or potentially the controller manager CRDs.

The frontend needs a design for how the page will look and which functionalities will be most important.

maia-iyer, Feb 12 '24 21:02

The major pain point of configuring federation seems to be due to the exchange step. Currently, this takes three steps:

  • Obtain a trust bundle from the source SPIRE server
  • Format the API call or CRD to be called/placed into the target SPIRE server
  • Make the API call

Additional nice-to-have features:

  • Federation list
  • Easy way to view workload entries that federateWith each trust domain

Here's a proposed set of steps:

  1. Implement view-type APIs and frontend features
     • Backend API: needs to add bundle show/list and federation list
     • Frontend UI:
       • A new page at the top for Federation.
         • Federation List
         • Bundle List
       • A place to view THIS SPIRE server's bundle (and perhaps display the properly formatted CRD or API call for other SPIRE servers to federate with this one)
  2. Implement write-type APIs and frontend features
     • Backend API: needs to add bundle set/delete, and federation create/update/delete
     • Frontend UI:
       • A page to Create Federation and Set Bundle. These maybe should be the same page.
       • Buttons to delete bundle or federation relationships
  3. Additional Features
     • Add a way to view workloads with federatesWith

maia-iyer, Apr 22 '24 16:04
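The "format the CRD" step from the comment above, as an added example that is not part of the issue or of Tornjak's code: it checks a SPIFFE-format (JWKS) trust bundle from the source server before wrapping it in a spire-controller-manager `ClusterFederatedTrustDomain` manifest for the target. The function names, the sample bundle, the trust domain and endpoint URL are constructed, and the endpoint SPIFFE ID assumes the source server uses SPIRE's default server ID.

```python
import json

ALLOWED_USES = {"x509-svid", "jwt-svid"}  # "use" values defined by the SPIFFE bundle format
PRIVATE_JWK_FIELDS = {"d", "p", "q", "dp", "dq", "qi", "k"}  # must never appear in a bundle

def validate_bundle(bundle_json):
    """Parse a SPIFFE-format (JWKS) bundle and reject anything unsafe to import."""
    bundle = json.loads(bundle_json)
    keys = bundle.get("keys") if isinstance(bundle, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("bundle has no keys")
    for i, key in enumerate(keys):
        if key.get("use") not in ALLOWED_USES:
            raise ValueError(f"key {i}: unexpected use {key.get('use')!r}")
        if key.keys() & PRIVATE_JWK_FIELDS:
            raise ValueError(f"key {i}: private key material in bundle")
        if key["use"] == "x509-svid" and not key.get("x5c"):
            raise ValueError(f"key {i}: x509-svid entry without x5c")
    return bundle

def render_crd(name, trust_domain, endpoint_url, bundle_json, endpoint_id=None):
    """Build a ClusterFederatedTrustDomain manifest for the target cluster."""
    bundle = validate_bundle(bundle_json)
    if not endpoint_url.startswith("https://"):
        raise ValueError("bundle endpoint must be https")
    return {
        "apiVersion": "spire.spiffe.io/v1alpha1",
        "kind": "ClusterFederatedTrustDomain",
        "metadata": {"name": name},
        "spec": {
            "trustDomain": trust_domain,
            "bundleEndpointURL": endpoint_url,
            "bundleEndpointProfile": {
                "type": "https_spiffe",
                # Assumption: the source server uses SPIRE's default server ID.
                "endpointSPIFFEID": endpoint_id or f"spiffe://{trust_domain}/spire/server",
            },
            "trustDomainBundle": json.dumps(bundle, sort_keys=True),
        },
    }

# Constructed sample bundle; the x5c value is a placeholder, not a real certificate.
SAMPLE_BUNDLE = json.dumps({"keys": [{"use": "x509-svid", "kty": "EC", "crv": "P-256",
    "x": "constructed-x", "y": "constructed-y", "x5c": ["constructed-base64-der"]}],
    "spiffe_sequence": 1})

if __name__ == "__main__":
    crd = render_crd("source-example", "source.example",
                     "https://spire.source.example:8443", SAMPLE_BUNDLE)
    print(json.dumps(crd, indent=2))  # kubectl apply -f accepts JSON manifests
```

The checks only cover the bundle's structure; whether the bundle really came from the source SPIRE server still depends on how it was transferred.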