spiffe / spiffe-helper

The SPIFFE Helper is a tool that can be used to retrieve and manage SVIDs on behalf of a workload
Apache License 2.0

suggestion: systemd integration #156

Open udf2457 opened 2 months ago

udf2457 commented 2 months ago

It would be nice if the tool had integration with systemd to enable launch / reload via systemd.

It saves sysadmins from "reinventing the wheel" and unnecessary DIY maintenance dependencies.

Also pretty much all third-party packages will install a systemd service. So that's more sysadmin work to remove the systemd service.

For example, PostgreSQL, when installed via the official package, installs a systemd service. All configuration (e.g. where to find SSL certs) is done in /etc/postgresql, so sysadmins don't need to touch the maintainer's systemd service. It would be good to point the /etc config at the spiffe certs location and have spiffe-helper call systemd.

kfox1111 commented 2 months ago

There's a start of some here: https://github.com/spiffe/spire-examples/pull/64

Would be pretty easy to add spiffe-helper there too.

udf2457 commented 2 months ago

Thanks for the pointer, will take a look.

I haven't reviewed it or tried it, but I do know from recently looking through their docs that smallstep uses systemd service and timer templates: https://smallstep.com/docs/step-ca/renewal/#automated-renewal ... `cert-renewer@.service` and `cert-renewer@.timer`, and then e.g. creating `cert-renewer@postgresql.service` and `cert-renewer@postgresql.timer`.

Whether that's simpler or more convoluted than your proposal I don't know... 😉
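A worked sketch of the pattern the thread is circling, added here as an example; it is not code from the spiffe-helper project or from either commenter. It combines the first comment's idea (point the PostgreSQL config at the spiffe-helper certificate location and let systemd do the reload) with the template-unit approach from the smallstep docs in the last comment. Everything below is an assumption to be checked against the spiffe-helper README and your distribution: the binary path and `-config` flag, the HCL keys in `helper.conf`, the SPIRE agent socket path, the `/run/spiffe-helper` output directory, the `cert-reload@` unit names and the PostgreSQL `conf.d` layout. Rather than having spiffe-helper shell out to `systemctl`, a systemd path unit template watches the written SVID and reloads whichever service is named in the instance.

```ini
# /etc/spiffe-helper/helper.conf  (assumed key names; HCL, as spiffe-helper reads)
agentAddress       = "/run/spire/sockets/agent.sock"   # SPIRE agent Workload API socket (assumed path)
certDir            = "/run/spiffe-helper"              # created by RuntimeDirectory= below
svidFileName       = "svid.pem"
svidKeyFileName    = "svid_key.pem"
svidBundleFileName = "svid_bundle.pem"

# /etc/systemd/system/spiffe-helper.service
[Unit]
Description=SPIFFE Helper: fetch and rotate SVIDs from the local SPIRE agent
After=network.target spire-agent.service
Wants=spire-agent.service

[Service]
ExecStart=/usr/bin/spiffe-helper -config /etc/spiffe-helper/helper.conf
# Run as the service that consumes the key, so PostgreSQL's key-file
# ownership/permission check passes without world-readable keys (assumption:
# the SPIRE registration entry attests this uid).
User=postgres
RuntimeDirectory=spiffe-helper
RuntimeDirectoryMode=0750
Restart=on-failure
RestartSec=5
# Least-privilege hardening; the helper only needs the socket and its output dir.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/cert-reload@.path   (template; %i = unit to reload)
# Enable per consumer: systemctl enable --now cert-reload@postgresql.path
[Unit]
Description=Reload %i when the SPIFFE SVID on disk changes
Requires=spiffe-helper.service
After=spiffe-helper.service

[Path]
# Fires on close-after-write or rename of the SVID file, i.e. each rotation.
PathChanged=/run/spiffe-helper/svid.pem
Unit=cert-reload@%i.service

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/cert-reload@.service   (template; activated by the path unit)
[Unit]
Description=Reload %i after SVID rotation

[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl reload %i.service

# /etc/postgresql/<version>/main/conf.d/spiffe.conf   (assumed conf.d layout)
# PostgreSQL re-reads these files on `pg_ctl reload` / SIGHUP, so the path unit
# above is enough; no restart and no edit to the packaged postgresql.service.
ssl = on
ssl_cert_file = '/run/spiffe-helper/svid.pem'
ssl_key_file  = '/run/spiffe-helper/svid_key.pem'
ssl_ca_file   = '/run/spiffe-helper/svid_bundle.pem'
```

Two caveats a practitioner should check before relying on this. First, PostgreSQL refuses a key file that is group- or world-readable unless it is owned by root, so the uid spiffe-helper writes as (or a file-mode setting, if the installed version has one) must match what the consumer expects; that is why the unit runs as `postgres` here. Second, the path unit triggers on the certificate file alone; if the helper writes the key and certificate as separate files, a reload can briefly observe a mismatched pair, so confirm the write order on your version or watch whichever file is written last, and verify rotation end to end with `openssl s_client` against the listener after a forced renewal.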