Description
We currently rely on the CN in client cert subjects.
We should support SPIFFE identities.
https://github.com/spiffe/svid/blob/master/SPECIFICATION.md
The first step would be figuring out how to map keywhiz clients to SVID identities.
Those identities look like (examples from SVID spec):
spiffe://staging.acme.com/payments/mysql
or
spiffe://k8s-west.acme.com/ns/staging-ns/sa/default
The "Trust domain" is the staging.acme.com
or k8s-west.acme.com
portion of the name, and the "Path" is the /payments/mysql
or /ns/staging-ns/sa/default
portion.
A simple first pass would be to allow client names to be either the full URI, or just the path portion (with a fixed Trust Domain). I'm not sure which is better yet. Since we don't support the SPIFFE name constraints, we can't be sure of trust domains being signed by the right CA, so supporting multiple trust domains is more work. Just the path may also be an easier migration from current client identities.
Maybe we need something a bit more flexible in the mapping though. Like, what if you wanted to do spiffe://mydomain.co/keywhizclients/clientname
.