Delegated workload get bundles #5797
I'm calling the delegated workload API to get bundles, as the delegated agent. I would have expected all trust bundles to be available. But I was not able to see the extra trust bundle until I added it to the delegated agent's federatesWith option.
Is this correct behavior or unexpected? If it is expected, is there a way to set federatesWith=* so it will see them all?
Comments
The expected behavior is that the agent should only provide federated bundles associated to entries the agent is authorized to (controlled by entry
I just had a read through the implementation of the Delegated Identity API SubscribeToX509SVIDBundles method and its interaction with the bundle cache + agent sync with the server, and it looks like this should be the behavior. There is also a unit test that confirms this behavior: spire/pkg/agent/api/delegatedidentity/v1/service_test.go, lines 412 to 429 at 50976c3.
There is not currently an option available to assign all federated bundles to an entry or agent using a wildcard.
Ok. Then let's convert this issue to a request to support the single wildcard of '*' to mean federate with all? :) Otherwise it's going to be a pain to manage updating all the delegate entries every time a new federation is added.
There are some prior requests for this in #2272
Or, I guess we could keep it more specific and consider changing the delegation API.... If you have a service delegating, it needs to be able to get the trust bundles for any workload it's delegating for. Currently that's not possible except to manually union all possible workloads' federated-with settings into the delegated service's entry.
I think associating a federated bundle with all entries or agents is still a real usability problem today with SPIRE. I think this problem extends beyond just consumption of federated bundles over the Delegated Identity API. The issue that @sorindumitru referenced (#2272) captures the main challenge of enabling bundles to be globally federated with the current design: there is no compensating control to exclude a globally federated bundle for a specific set of entries. I think if we can come up with an approach for how we can solve this part of the problem, we're open to accepting some improvements in this area.
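The behavior the thread settles on (the agent hands a delegate only the federated bundles named in the federatesWith field of the entries that delegate is authorized for, and the only workaround today is to union every delegated workload's federatesWith into the delegate's own entry) is easy to reason about with a small model. The Go program below is an added example written for this page; it is not SPIRE's code and does not call the Delegated Identity API. The `Entry`, `BundleCache`, `FederatedBundlesFor` and `UnionFederatesWith` names, and the sample trust domains and bundle values, are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Entry is a simplified registration entry. Assumption: only the two fields
// that matter for federated-bundle delivery are modelled here.
type Entry struct {
	SpiffeID      string
	FederatesWith []string // trust domain IDs, e.g. "spiffe://partner-a.example.org"
}

// BundleCache maps a trust domain ID to an opaque bundle. A string stands in
// for the real bundle bytes the agent keeps in its cache.
type BundleCache map[string]string

// FederatedBundlesFor models the agent-side filtering discussed above: the
// delegate receives only the federated bundles referenced by the FederatesWith
// field of the entries it is authorized for. A bundle the agent has cached but
// that no authorized entry references is withheld, and a trust domain listed
// in FederatesWith whose bundle the agent has not synced yet yields nothing.
func FederatedBundlesFor(entries []Entry, cache BundleCache) map[string]string {
	out := map[string]string{}
	for _, e := range entries {
		for _, td := range e.FederatesWith {
			if b, ok := cache[td]; ok {
				out[td] = b
			}
		}
	}
	return out
}

// UnionFederatesWith computes the manual workaround from the thread: the
// delegating service's entry must federate with every trust domain that any
// workload it delegates for federates with. The result is sorted and
// de-duplicated so it can be compared against the entry's current value.
func UnionFederatesWith(workloads []Entry) []string {
	seen := map[string]struct{}{}
	for _, w := range workloads {
		for _, td := range w.FederatesWith {
			seen[td] = struct{}{}
		}
	}
	tds := make([]string, 0, len(seen))
	for td := range seen {
		tds = append(tds, td)
	}
	sort.Strings(tds)
	return tds
}

func main() {
	// Constructed sample data: three federated bundles in the agent's cache.
	cache := BundleCache{
		"spiffe://partner-a.example.org": "bundle-a",
		"spiffe://partner-b.example.org": "bundle-b",
		"spiffe://partner-c.example.org": "bundle-c",
	}

	// The delegate's entry federates with partner-a only, so that is all it sees.
	delegate := Entry{
		SpiffeID:      "spiffe://example.org/delegate",
		FederatesWith: []string{"spiffe://partner-a.example.org"},
	}
	fmt.Println(FederatedBundlesFor([]Entry{delegate}, cache))

	// Workloads the delegate acts for, each federating with different partners.
	workloads := []Entry{
		{SpiffeID: "spiffe://example.org/w1", FederatesWith: []string{"spiffe://partner-a.example.org"}},
		{SpiffeID: "spiffe://example.org/w2", FederatesWith: []string{"spiffe://partner-b.example.org", "spiffe://partner-c.example.org"}},
	}

	// Apply the workaround: the delegate's entry must carry the union.
	delegate.FederatesWith = UnionFederatesWith(workloads)
	fmt.Println(delegate.FederatesWith)
	fmt.Println(FederatedBundlesFor([]Entry{delegate}, cache))
}
```

The second print shows the list an operator would have to keep in sync by hand each time a new federation is added to any delegated workload, which is the maintenance burden the thread raises; the model also makes the missing compensating control visible, since there is no way to express "everything except partner-c" in FederatesWith.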