AthenZ / k8s-athenz-sia

Apache License 2.0
1 star, 7 forks

role cert/ token naming and its path #49

Open mlajkim opened 10 months ago

mlajkim commented 10 months ago

Background

Too many environment variables for setting the role cert:

ROLE_CERT_DELIMITER="_"
ROLE_CERT_DIRECTORY="/var/run/athenz"

And if you decide to let the user of SIA customize the output file names, more env variables will be needed.

But you can actually shrink this in the following way (though it requires unit tests):

ROLE_CERT_NAMING_FORMAT="/var/run/hogehoge/<domain>_<role>.cert.pem"

Once the logic is implemented, you can apply it to access tokens and role tokens too!

TODOs

mlajkim commented 10 months ago
ROLE_CERT_NAMING_FORMAT="/var/run/athenz/rolecerts/<domain>_<role>.cert.pem"
ACCESS_TOKEN_NAMING_FORMAT="/var/run/athenz/roletokens/<domain>_<role>.atoken"
ROLE_TOKEN_NAMING_FORMAT="/var/run/athenz/accesstokens/<domain>_<role>.ztoken"
  1. naming format reading function
  2. also handles a single name like /var/run/athenz/rolecerts/rolecert.cert.pem, if there is only one TARGET_DOMAIN_ROLES?
  3. unit tests for the function (lots of unit tests)
  4. three envs: "ROLE_CERT_NAMING_FORMAT", "ACCESS_TOKEN_NAMING_FORMAT", "ROLE_TOKEN_NAMING_FORMAT"
  5. operation check
  6. Should shut down the init container if all of them exist!
    • ROLE_CERT_DELIMITER
    • ROLE_CERT_DIRECTORY
    • ROLE_CERT_NAMING_FORMAT
  7. Should write "deprecated" when ROLE_CERT_DELIMITER or ROLE_CERT_DIRECTORY is used
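An added example, not code from the k8s-athenz-sia repository or from the commenter, of how the naming-format reading function sketched in the TODO list above could behave. It assumes TARGET_DOMAIN_ROLES is a comma-separated list of `<domain>:role.<role>` entries (assumed syntax), that the legacy file name is `<domain><delimiter><role>.cert.pem` under ROLE_CERT_DIRECTORY (assumed, matching the equivalence drawn in the first comment), and it uses the values shown in the issue as defaults. All function names are hypothetical. It goes beyond the single-name item: instead of only allowing a placeholder-free format when there is one target, it rejects any format under which two targets would expand to the same file, so one role certificate can never silently overwrite another, and it refuses substituted domain or role values that would move the file out of the configured directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// DomainRole is one target parsed from TARGET_DOMAIN_ROLES.
type DomainRole struct {
	Domain string
	Role   string
}

var (
	ErrConflictingConfig = errors.New("ROLE_CERT_NAMING_FORMAT cannot be combined with ROLE_CERT_DELIMITER/ROLE_CERT_DIRECTORY")
	ErrCollidingPaths    = errors.New("naming format maps two domain/role targets to the same file")
	ErrUnsafeName        = errors.New("domain or role would escape the output directory")
)

// ParseTargetDomainRoles splits a comma-separated list of "<domain>:role.<role>"
// entries (assumed TARGET_DOMAIN_ROLES syntax) into DomainRole values.
func ParseTargetDomainRoles(s string) ([]DomainRole, error) {
	var out []DomainRole
	for _, item := range strings.Split(s, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			continue
		}
		dom, role, ok := strings.Cut(item, ":role.")
		if !ok || dom == "" || role == "" {
			return nil, fmt.Errorf("invalid target %q: want <domain>:role.<role>", item)
		}
		out = append(out, DomainRole{Domain: dom, Role: role})
	}
	if len(out) == 0 {
		return nil, errors.New("TARGET_DOMAIN_ROLES is empty")
	}
	return out, nil
}

// ResolveRoleCertFormat picks the effective format (TODO items 6 and 7):
// the new variable alone wins; mixing it with the legacy pair is a hard error
// so the init container can exit; the legacy pair alone is translated and
// flagged deprecated. Defaults for a missing legacy value are the ones shown
// in the issue (assumption).
func ResolveRoleCertFormat(namingFormat, legacyDir, legacyDelim string) (format, deprecation string, err error) {
	legacySet := legacyDir != "" || legacyDelim != ""
	switch {
	case namingFormat != "" && legacySet:
		return "", "", ErrConflictingConfig
	case namingFormat != "":
		return namingFormat, "", nil
	case legacySet:
		if legacyDir == "" {
			legacyDir = "/var/run/athenz"
		}
		if legacyDelim == "" {
			legacyDelim = "_"
		}
		format = filepath.Join(legacyDir, "<domain>"+legacyDelim+"<role>.cert.pem")
		return format, "ROLE_CERT_DELIMITER and ROLE_CERT_DIRECTORY are deprecated; set ROLE_CERT_NAMING_FORMAT=" + format, nil
	default:
		return "/var/run/athenz/rolecerts/<domain>_<role>.cert.pem", "", nil
	}
}

// ExpandNamingFormat substitutes <domain> and <role> for every target. It
// rejects substituted values carrying a path separator, expanded paths that
// filepath.Clean would rewrite (".." segments, "//"), and any format under
// which two targets share a file. A placeholder-free format therefore works
// only with a single target, which covers TODO item 2 as a special case.
func ExpandNamingFormat(format string, targets []DomainRole) (map[DomainRole]string, error) {
	paths := make(map[DomainRole]string, len(targets))
	seen := make(map[string]DomainRole, len(targets))
	for _, t := range targets {
		for _, v := range []string{t.Domain, t.Role} {
			if v == "" || strings.ContainsAny(v, `/\`) {
				return nil, fmt.Errorf("%w: %q", ErrUnsafeName, v)
			}
		}
		p := strings.NewReplacer("<domain>", t.Domain, "<role>", t.Role).Replace(format)
		if filepath.Clean(p) != p {
			return nil, fmt.Errorf("%w: %s", ErrUnsafeName, p)
		}
		if prev, dup := seen[p]; dup {
			return nil, fmt.Errorf("%w: %s:role.%s and %s:role.%s -> %s",
				ErrCollidingPaths, prev.Domain, prev.Role, t.Domain, t.Role, p)
		}
		seen[p] = t
		paths[t] = p
	}
	return paths, nil
}

func main() {
	// Constructed sample input: two targets and only the legacy variables set.
	targets, err := ParseTargetDomainRoles("athenz.dev:role.reader,athenz.prod:role.writer")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	format, warn, err := ResolveRoleCertFormat("", "/var/run/athenz", "_")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if warn != "" {
		fmt.Println("WARN:", warn)
	}
	paths, err := ExpandNamingFormat(format, targets)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for t, p := range paths {
		fmt.Printf("%s:role.%s -> %s\n", t.Domain, t.Role, p)
	}
}
```

The same expansion function can serve ACCESS_TOKEN_NAMING_FORMAT and ROLE_TOKEN_NAMING_FORMAT unchanged; only the format string and the deprecation mapping differ per credential type.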
mlajkim commented 5 months ago

TODO: Make sure to change