
Conversation

@ValFadeev
Contributor

This is a draft PR aiming to implement some of the suggestions discussed in #6129. It adds a new field to RegisteredEntry represented by an opaque protobuf-encoded message. The message is meant to contain flags and other fields guiding the agent's behavior with respect to pre-fetching and caching of X509 SVIDs. The intention is to reduce unnecessary work performed by the agent, in case the client is unlikely to ever ask for an X509 SVID and prefers JWT instead. For now only one boolean flag JWTOnly is introduced. Other fields may be added later to fine-tune the logic and cover various edge-cases.
The bulk of this draft is to define the new field in the message definition, update the datastore and have the existing tests pass. The actual usage of the field in fetchEntries is purely indicative and requires further consideration.

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality

  • adds a new field to RegisteredEntry and the underlying datastore table
  • allows flagging registration entries as preferring JWT SVID over X509

Description of change

Which issue this PR fixes

Fixes #6129

Comment on lines 102 to 106

message X509SvidCacheHint {
  /** Flag indicating whether the workload is likely to require only JWT SVID. */
  bool jwt_only = 1;
}
X509SvidCacheHint x509_svid_cache_hint = 16;
Collaborator


We discussed this today and we think this would be more useful if it was a generic flag field that we can use in the future for non x509-svid cache flags.

For the flag itself, we think disable_x509_svid_prefetch would be better since it allows us to specify more easily which SVID types should be prefetched. This might come in handy if we get a new SVID type, for example WIT-SVID.

Signed-off-by: Valentin Fadeev <[email protected]>
@amartinezfayo
Member

Hi @ValFadeev, are you planning to go back to this PR?

@ValFadeev
Contributor Author

Hi @amartinezfayo, apologies for the delay. I had a few conflicting priorities lately, but I do plan to pick this back up over the coming week.

@ValFadeev ValFadeev force-pushed the jwt-preference-entry branch from a3460c8 to 33440fc Compare November 27, 2025 22:51
Signed-off-by: Valentin Fadeev <[email protected]>
Signed-off-by: Valentin Fadeev <[email protected]>
@ValFadeev ValFadeev changed the title from "[WIP] - x509 cache hint for registration entries" to "x509 cache hint for registration entries" Nov 30, 2025
@ValFadeev ValFadeev marked this pull request as ready for review November 30, 2025 21:59
@ValFadeev ValFadeev marked this pull request as draft November 30, 2025 22:02
@ValFadeev
Contributor Author

@amartinezfayo offering this for another review. I am not sure I implemented the semantics of an optional field the right way when loading from row. I also understand this change may have to be split in two, with the schema migration going first. But hopefully, this gives an outline of the functionality, as it was last described.
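The optional-field question raised above, together with the agent-side use of the flag described in the PR description, as an added Go sketch that is not part of this PR or of SPIRE: it hand-decodes the X509SvidCacheHint wire bytes (only field 1, jwt_only, is known to it), keeps a NULL datastore column distinct from an empty message, and derives the prefetch decision from the result. The function names, the nullable-column modelling as a nil slice and the sample rows are assumptions made for this example.

```go
package main
import "fmt"
// X509SvidCacheHint mirrors the PR's proto message (field 1: bool jwt_only); hand-decoded illustration, not SPIRE code.
type X509SvidCacheHint struct{ JWTOnly bool }

// readVarint returns the decoded value and bytes consumed (0 when truncated).
func readVarint(b []byte) (uint64, int) {
	var v uint64
	for i := 0; i < len(b) && i < 10; i++ {
		v |= uint64(b[i]&0x7f) << (7 * uint(i))
		if b[i]&0x80 == 0 {
			return v, i + 1
		}
	}
	return 0, 0
}

// decodeHint parses the wire format: varint fields only, unknown field numbers skipped, other wire types rejected.
func decodeHint(b []byte) (*X509SvidCacheHint, error) {
	h := &X509SvidCacheHint{}
	for len(b) > 0 {
		tag, n := readVarint(b)
		v, m := readVarint(b[n:])
		if n == 0 || m == 0 || tag&7 != 0 {
			return nil, fmt.Errorf("truncated or non-varint field %d", tag>>3)
		}
		if tag>>3 == 1 {
			h.JWTOnly = v != 0
		}
		b = b[n+m:]
	}
	return h, nil
}

// hintFromRow models the nullable column (assumed shape): NULL (nil) means no hint and stays nil; an empty blob is a present hint with defaults.
func hintFromRow(col []byte) (*X509SvidCacheHint, error) {
	if col == nil {
		return nil, nil
	}
	return decodeHint(col)
}

// shouldPrefetchX509 is the agent-side decision sketched in the PR: prefetch unless the hint says JWT only.
func shouldPrefetchX509(h *X509SvidCacheHint) bool { return h == nil || !h.JWTOnly }
func main() { // constructed rows: NULL column, empty blob, jwt_only=true (tag 0x08, value 0x01)
	for _, col := range [][]byte{nil, {}, {0x08, 0x01}} {
		h, err := hintFromRow(col)
		fmt.Printf("col=%x hint=%+v err=%v prefetch=%v\n", col, h, err, shouldPrefetchX509(h))
	}
}
```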


Development

Successfully merging this pull request may close these issues.

Flag for jwt preference entry
