Status: Closed (closed by qrkourier 2 months ago)
One solution is to use the external CA enrollment method ottca to pre-create identities with particular attributes, then match (re-use) that identity by externalId. Put another way, the SPIFFE ID can be automatically matched to a persistent OpenZiti Identity. That way, there's no need to garbage collect a proliferation of auto-enrolled identities from each run of a SPIFFE-enabled pod.
Similar requests have come up for roles based on OIDC claims properties, which we will implement; we will revisit this if there is future external demand.
There's one set of default roles added to all auto-enrolled identities from an external CA. This means I need a separate CA for each distinct set of identity roles.
A hypothetical feature of Ziti external CAs is parsing roles from the SPIFFE ID.
A simplistic implementation could treat a particular position in the SPIFFE ID as a Ziti identity role, e.g., spiffe://{{trust domain}}/workloads/{{ entity name }}/role/{{ role name }}. A more sophisticated implementation could introduce a new type of identity role which is an SVID match pattern.
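To make the two hypothetical schemes above concrete, here is an added Go example (not OpenZiti code, and not anything the project has implemented) that parses a SPIFFE ID of the form spiffe://{trust domain}/workloads/{entity}/role/{role} into a role binding, and separately matches an SVID against a segment-wildcard pattern of the kind a "match pattern" role type might use. The function names, the SpiffeRoleBinding type, the expected-trust-domain parameter and the `*` wildcard syntax are all assumptions made for illustration. The parser rejects IDs from any trust domain other than the configured one and refuses percent-encoded IDs, so an encoded `/` cannot smuggle extra path segments past the positional role check.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SpiffeRoleBinding is a hypothetical result type: the parts of a SPIFFE ID that a
// role-parsing external CA feature would bind to an OpenZiti identity.
type SpiffeRoleBinding struct {
	TrustDomain string
	Entity      string
	Role        string
}

// ParseSpiffeRole implements the "simplistic" scheme from the thread:
//   spiffe://{trust domain}/workloads/{entity name}/role/{role name}
// expectedTrustDomain is an assumed configuration value; an SVID issued for any
// other trust domain is rejected so it cannot claim roles in this one.
func ParseSpiffeRole(id, expectedTrustDomain string) (SpiffeRoleBinding, error) {
	var b SpiffeRoleBinding

	// Percent-encoding is refused outright: an encoded "/" would decode into
	// additional path segments and could defeat the positional check below.
	if strings.Contains(id, "%") {
		return b, errors.New("percent-encoded SPIFFE IDs are not accepted")
	}
	u, err := url.Parse(id)
	if err != nil {
		return b, fmt.Errorf("invalid SPIFFE ID %q: %w", id, err)
	}
	if u.Scheme != "spiffe" {
		return b, fmt.Errorf("unexpected scheme %q: SPIFFE IDs use spiffe://", u.Scheme)
	}
	if u.User != nil || u.Port() != "" || u.RawQuery != "" || u.Fragment != "" {
		return b, errors.New("SPIFFE IDs must not carry userinfo, port, query or fragment")
	}
	// Trust domains are lowercase DNS-style names; compare case-insensitively and
	// normalise to lowercase in the result.
	if u.Host == "" || !strings.EqualFold(u.Host, expectedTrustDomain) {
		return b, fmt.Errorf("trust domain %q is not the configured trust domain %q", u.Host, expectedTrustDomain)
	}

	// Path must split exactly as: "", "workloads", entity, "role", role
	segs := strings.Split(u.Path, "/")
	if len(segs) != 5 || segs[0] != "" || segs[1] != "workloads" || segs[3] != "role" {
		return b, fmt.Errorf("path %q does not match /workloads/{entity}/role/{role}", u.Path)
	}
	entity, role := segs[2], segs[4]
	for _, s := range []string{entity, role} {
		if s == "" || s == "." || s == ".." {
			return b, errors.New("entity and role segments must be non-empty and not dot segments")
		}
	}
	return SpiffeRoleBinding{TrustDomain: strings.ToLower(u.Host), Entity: entity, Role: role}, nil
}

// MatchSVIDPattern illustrates the "more sophisticated" idea: an identity role
// expressed as an SVID match pattern. The pattern syntax here is assumed: the ID
// and pattern are compared segment by segment, and a pattern segment of "*"
// matches exactly one ID segment (it never spans a "/").
func MatchSVIDPattern(pattern, id string) bool {
	ps := strings.Split(pattern, "/")
	is := strings.Split(id, "/")
	if len(ps) != len(is) {
		return false
	}
	for i := range ps {
		if ps[i] != "*" && ps[i] != is[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample SVID, not taken from any real deployment.
	id := "spiffe://example.org/workloads/payments-api/role/db-client"
	b, err := ParseSpiffeRole(id, "example.org")
	fmt.Printf("binding=%+v err=%v\n", b, err)
	fmt.Println("pattern match:", MatchSVIDPattern("spiffe://example.org/workloads/*/role/db-client", id))
}
```

In a real controller the role name would still have to be checked against an allow-list before it is attached to the identity; parsing alone only establishes what the SVID claims, not whether the external CA is authorised to assert that role.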