From c05b7e69ac8e7b911b0ee824b818d88e346a27d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Volkan=20=C3=96z=C3=A7elik?= Date: Sun, 5 Jan 2025 07:16:52 -0800 Subject: [PATCH] minor updates MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volkan Özçelik --- jira.xml | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/jira.xml b/jira.xml index de1573c..53b7ae0 100644 --- a/jira.xml +++ b/jira.xml @@ -17,6 +17,10 @@ Invert shard generation flow. + + dr: keeper crash + waiting-for: shard generation inversion. + Check the entire codebase and implement the `TODO:` items. @@ -29,6 +33,10 @@ Create a video about this new shamir secret sharing workflow. + + DR: devise a DR scenario when a keeper crashes. + (depends on the new inverted sharding workflow) + @@ -78,6 +86,20 @@ + + consider using NATS for cross trust boundary (or nor) secret federation + + + wrt: secure erasing shards and the root key >> + It would be interesting to try and chat with some of the folks under the cncf + (That's a good idea indeed; I'm noting it down.) + + + over the break, I dusted off https://github.com/spiffe/helm-charts-hardened/pull/166 and started playing with the new k8s built in cel based mutation functionality. + the k8s cel support is a little rough, but I was able to do a whole lot in it, and think I can probably get it to work for everything. once 1.33 hits, I think it will be even easier. + I mention this, as I think spike may want similar functionality? + csi driver, specify secrets to fetch to volume automatically, keep it up to date, and maybe poke the process once refreshed + set sqlilite on by default and make sure everything works.
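Review bot: The entry added in the `@@ -29,6 +33,10 @@` hunk ("DR: devise a DR scenario when a keeper crashes.") tracks the same work as the entry added in the `@@ -17,6 +17,10 @@` hunk ("dr: keeper crash"). Both state the same dependency on the inverted shard generation flow, one as "waiting-for:" and the other in parentheses. Keep a single entry, or have one reference the other, so the keeper-crash recovery item cannot be closed in one place while still open in the other. Also pick one spelling for the prefix ("dr:" or "DR:") so the items can be found with a case-sensitive search.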
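Review bot: In the `@@ -78,6 +86,20 @@` hunk, two added lines carry typos that will defeat a text search of the backlog: "(or nor)" should read "(or not)", and "sqlilite" in "set sqlilite on by default" should read "sqlite". In the same hunk, the entries starting "wrt: secure erasing shards and the root key >>" and "over the break, I dusted off ..." are pasted chat messages rather than tasks. The first names no action beyond talking to people under the CNCF, and the second ends on a question ("I think spike may want similar functionality?"). Suggest stating the work item in the first line of each, for example what is to be decided about secure erasure of shards and the root key, and whether the CSI driver idea is to be evaluated, and keeping the quoted chat below it as context with its author named. The subject line "minor updates" also undersells a change that adds 22 lines of new backlog items; a subject naming the DR and federation items would make the history easier to scan.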