feat: Allow JWT signing keys to be shared (closes #4699)#6537
Draft
keeganwitt wants to merge 2 commits into
Conversation
705e1fb to 3df263c
Member
We've been discussing this a bit, here's a summary of the discussions so far (at least the parts I remember):
Member
@keeganwitt, checking in to see if you are still interested in looking at how we can move this forward.
Contributor
Author
My team hasn't had a chance to test this yet, but yes, I think we want to move forward with fixing this issue.
Member
@keeganwitt maybe you could join one of the weekly SPIRE Contributor Sync so we can have a discussion around this PR?
aca4343 to 6e9bb74
Contributor
Author
Sure, I'll drop in next week (9 June).
…fe#4699)

Let multiple SPIRE servers in a trust domain share JWT signing key material so the JWKS endpoint no longer accumulates one key per server. Sharing is opt-in per KeyManager plugin via a `shared_keys` configuration block, supported by the disk, AWS KMS, GCP KMS, and Azure Key Vault key managers.

For a shared key to collapse to a single JWKS entry:

- Derive the JWT/WIT key ID deterministically from the public key (reusing x509util.GetSubjectKeyID), so every server computes the same kid for the same key material.
- Dedup signing keys by kid when appending to the bundle, keeping the latest NotAfter, since each server computes its own expiry.

To keep HA key rotation correct, sharing is scoped to JWT keys only. X509 CA and WIT keys remain per-server, namespaced by a server identifier (now required when shared_keys is enabled), so a restarting server only discovers its own X509/WIT keys plus the shared JWT keys and never adopts another server's CA journal. Cross-server creation races are coordinated with a per-plugin distributed lock and a freshness window.

Signed-off-by: Keegan Witt <keeganwitt@gmail.com>
Add a CLAUDE.md describing the repository build/test workflow and the shared JWT signing key design (the deterministic kid, bundle dedup, JWT-only scoping, cross-server locking, and the per-plugin discovery mechanics) so future work on this feature can continue without prior context.

Signed-off-by: Keegan Witt <keeganwitt@gmail.com>
6e9bb74 to ea2dc97
Pull Request check list
Affected functionality
Description of change
Adds the ability to share signing keys between server instances rather than each instance managing its own key pairs, so that the number of keys that will be exposed in the JWKS endpoint is reduced.
Which issue this PR fixes
#4699