I would like to be able to add labels (arbitrary key/value pairs) onto entries. They would be stored in the db along with the entry, and otherwise would be normally ignored by spire.
Kubernetes popularized this kind of thing and has proven quite useful over time.
One particular use case of interest would be to be able to use them in conjunction with custom CredentialComposer plugins. For example, when using JWTs with Minio, the JWT needs a custom "policy" property (spiffe/club-zero#7). An entry could have a label like 'minio.io/policy=readwrite' added to the entry, and the MinioCredentialComposer could use the saved labels to affect the generated JWTs.
Thanks @kfox1111 for opening this issue. This has been considered in the past, for example #1336. At that point we decided not to add them, because:

- We didn't have a lot of good examples of how they could be used.
- They might not be the right abstraction to solve the issue.

I think the minio example is possibly a good example for making use of the metadata, but I'm not sure it's the right abstraction to use:

- It assumes whoever configured the Minio policies has access to configure entries (and has a way to deal with conflicting changes). In some ways it mixes authentication with authorization.
- It forces thinking about the Minio policy configuration in terms of workload selectors, and even more of that in terms of the ParentID relationships in the registration entries.

I think an ideal way of configuring these would be driven by the SPIFFE ID, i.e. this SPIFFE ID has this kind of access to these buckets. Some ways of dealing with this would be:

- Credential exchange. The workload can swap an SVID for a MinIO-specific token, which contains the policies the workload has access to.
- A CredentialComposer plugin that fetches the list of MinIO policies based on the SPIFFE ID from some other service that is used to define these policies.
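The two designs discussed in this thread (a label stored on the registration entry feeding the composer, versus a policy lookup keyed by SPIFFE ID in a separate authorization source), as an added Go example that is not SPIRE's code and does not use its CredentialComposer plugin API. The Kubernetes-style label syntax, the in-memory policy store and the comma-joined claim format are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed example: a label is "key=value" with a Kubernetes-style key
// (optional DNS prefix, "/", then a name), e.g. "minio.io/policy=readwrite".
var labelKeyRe = regexp.MustCompile(
	`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?` +
		`[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$`)

// ParseLabels parses "key=value" strings, failing loudly on a malformed key.
func ParseLabels(raw []string) (map[string]string, error) {
	labels := make(map[string]string, len(raw))
	for _, l := range raw {
		k, v, ok := strings.Cut(l, "=")
		if !ok || !labelKeyRe.MatchString(k) {
			return nil, fmt.Errorf("invalid label %q", l)
		}
		labels[k] = v
	}
	return labels, nil
}

// ClaimsFromLabels follows the issue's proposal: the composer copies a label
// stored on the registration entry into the JWT-SVID's "policy" claim.
func ClaimsFromLabels(spiffeID string, rawLabels []string) (map[string]any, error) {
	labels, err := ParseLabels(rawLabels)
	if err != nil {
		return nil, err
	}
	claims := map[string]any{"sub": spiffeID}
	if p, ok := labels["minio.io/policy"]; ok {
		claims["policy"] = p
	}
	return claims, nil
}

// ClaimsFromPolicyStore follows the maintainer's alternative: policies are
// keyed by SPIFFE ID in a separate authorization source (a map standing in for
// an external service), so MinIO admins never edit SPIRE entries. Joining
// policy names with commas is an assumed claim format for this example.
func ClaimsFromPolicyStore(spiffeID string, store map[string][]string) (map[string]any, error) {
	policies, ok := store[spiffeID]
	if !ok || len(policies) == 0 {
		return nil, fmt.Errorf("no MinIO policy registered for %s", spiffeID)
	}
	return map[string]any{"sub": spiffeID, "policy": strings.Join(policies, ",")}, nil
}
```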