This repository has been archived by the owner on Nov 22, 2023. It is now read-only.

SPIFFE identities

Open

Description

We currently rely on the CN in client cert subjects.

We should support SPIFFE identities.

https://github.com/spiffe/svid/blob/master/SPECIFICATION.md

The first step would be figuring out how to map keywhiz clients to SVID identities.

Those identities look like (examples from SVID spec):

spiffe://staging.acme.com/payments/mysql
or
spiffe://k8s-west.acme.com/ns/staging-ns/sa/default

The "Trust domain" is the staging.acme.com or k8s-west.acme.com portion of the name, and the "Path" is the /payments/mysql or /ns/staging-ns/sa/default portion.

A simple first pass would be to allow client names to be either the full URI, or just the path portion (with a fixed Trust Domain). I'm not sure which is better yet. Since we don't support the SPIFFE name constraints, we can't be sure of trust domains being signed by the right CA, so supporting multiple trust domains is more work. Just the path may also be an easier migration from current client identities.

Maybe we need something a bit more flexible in the mapping though. Like, what if you wanted to do spiffe://mydomain.co/keywhizclients/clientname.
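As an added worked example (not code from the Keywhiz project or from the issue author), here is a small Python parser for SPIFFE IDs that splits the trust domain from the path and then applies the three mapping options floated above: the full URI as the client name, the path alone under one pinned trust domain, and a reserved prefix such as spiffe://mydomain.co/keywhizclients/<clientname>. It takes the URI SAN string as input; pulling that SAN out of the client certificate is out of scope here. The function names, the exact client-name shapes they produce (for instance "payments/mysql" without the leading slash), and the character rules enforced (taken from the current SPIFFE-ID spec rather than the older SVID spec linked above) are assumptions of the example. Rejecting every trust domain except the pinned one is the conservative default while name constraints on the issuing CA are not checked.

```python
"""Parse SPIFFE IDs and map them onto Keywhiz-style client names.

Added illustration for the issue above; this is not Keywhiz code. Rules
enforced: the literal 'spiffe://' scheme, a non-empty lowercase trust
domain with no port or userinfo, an absolute path of non-empty segments
(none of them '.' or '..', no trailing slash) built only from letters,
digits, '.', '-' and '_', and no query or fragment. The mapping policies
and the client-name shapes they produce are assumptions, not Keywhiz's.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Character sets from the current SPIFFE-ID spec (assumption: the older
# SVID spec linked in the issue was more permissive).
_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


class InvalidSpiffeId(ValueError):
    """Raised when a URI does not satisfy the SPIFFE ID grammar."""


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str  # e.g. "staging.acme.com"
    path: str          # e.g. "/payments/mysql"; "" for a bare trust-domain ID

    def __str__(self) -> str:
        return f"spiffe://{self.trust_domain}{self.path}"


def parse_spiffe_id(uri: str) -> SpiffeId:
    """Split a SPIFFE URI into trust domain and path, rejecting anything
    outside the grammar so that the mapping layer only sees clean input."""
    # Check the scheme on the raw string: urlsplit() lowercases it, which
    # would silently accept "SPIFFE://".
    if not uri.startswith("spiffe://"):
        raise InvalidSpiffeId(f"scheme must be 'spiffe': {uri!r}")
    parts = urlsplit(uri)
    if parts.query or parts.fragment:
        raise InvalidSpiffeId(f"query and fragment are not allowed: {uri!r}")
    trust_domain = parts.netloc
    # The regex also rejects an empty host, uppercase, 'user@' and ':port'.
    if not _TRUST_DOMAIN.match(trust_domain):
        raise InvalidSpiffeId(f"bad trust domain {trust_domain!r} in {uri!r}")
    path = parts.path  # always "" or starts with "/" once a netloc is present
    if path:
        for segment in path[1:].split("/"):
            if segment in (".", "..") or not _SEGMENT.match(segment):
                raise InvalidSpiffeId(f"bad path segment {segment!r} in {uri!r}")
    return SpiffeId(trust_domain, path)


def is_valid_spiffe_id(uri: str) -> bool:
    """Boolean wrapper around parse_spiffe_id() for callers that only gate."""
    try:
        parse_spiffe_id(uri)
        return True
    except InvalidSpiffeId:
        return False


def client_name_full_uri(sid: SpiffeId) -> Optional[str]:
    """Policy 1: the whole URI is the client name. A bare trust-domain ID
    names no workload, so it maps to nothing."""
    return str(sid) if sid.path else None


def client_name_fixed_domain(sid: SpiffeId, trust_domain: str) -> Optional[str]:
    """Policy 2: one pinned trust domain; the path minus its leading slash
    (an assumption) is the client name. IDs from any other trust domain are
    rejected, the safe default while name constraints are not verified."""
    if sid.trust_domain != trust_domain or not sid.path:
        return None
    return sid.path[1:]


def client_name_under_prefix(sid: SpiffeId, trust_domain: str,
                             prefix: str) -> Optional[str]:
    """Policy 3: only IDs directly beneath a reserved prefix such as
    '/keywhizclients/' map, and the single remaining segment is the name."""
    if sid.trust_domain != trust_domain or not sid.path.startswith(prefix):
        return None
    rest = sid.path[len(prefix):]
    return rest if rest and "/" not in rest else None


if __name__ == "__main__":
    # Constructed sample inputs: the two IDs quoted from the SVID spec, the
    # prefix form suggested in the issue, and one malformed ID.
    for raw in ("spiffe://staging.acme.com/payments/mysql",
                "spiffe://k8s-west.acme.com/ns/staging-ns/sa/default",
                "spiffe://mydomain.co/keywhizclients/clientname",
                "spiffe://acme.com/a/../b"):
        try:
            sid = parse_spiffe_id(raw)
        except InvalidSpiffeId as err:
            print("rejected:", err)
            continue
        print(sid, "->", client_name_fixed_domain(sid, "staging.acme.com"),
              client_name_under_prefix(sid, "mydomain.co", "/keywhizclients/"))
```

Whichever policy is chosen, the parse step should run before any lookup against the client table: a name compared as a raw string would otherwise let "spiffe://acme.com/a/../b" or a percent-encoded path reach the lookup, and the prefix policy should accept exactly one segment after the prefix so that "/keywhizclients/a/b" cannot be confused with client "a".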
