Merged
61 commits
1dba0ae
drafted x509 cache hint for registration entries
ValFadeev Oct 6, 2025
72289e3
renamed fields as per review comments
ValFadeev Oct 11, 2025
3f71b9f
fixed existing tests
ValFadeev Oct 13, 2025
b6b449a
Merge branch 'main' into jwt-preference-entry
ValFadeev Nov 25, 2025
1c93083
removed unused linter directive
ValFadeev Nov 25, 2025
660f5d1
undid drive-by formatting
ValFadeev Nov 25, 2025
086383f
removed unused linter directive
ValFadeev Nov 25, 2025
3776a45
corrected check for missing value when mapping from model
ValFadeev Nov 25, 2025
8daf8d7
increment schema version to trigger migration
ValFadeev Nov 26, 2025
33440fc
added migration test
ValFadeev Nov 27, 2025
2fb8b6d
added test data entries
ValFadeev Nov 27, 2025
ac9b01f
updated test helper
ValFadeev Nov 27, 2025
ab0b8e9
conditionally populate cache hint flags from row
ValFadeev Nov 30, 2025
88fa1db
applied suggestion to error message
ValFadeev Jan 6, 2026
a50ec7e
Merge branch 'main' into jwt-preference-entry
ValFadeev Jan 6, 2026
a46cb81
undid the change to fetchEntries
ValFadeev Jan 8, 2026
183e6b5
Merge branch 'main' into jwt-preference-entry
ValFadeev Jan 21, 2026
16ad462
incremented schema version for migration
ValFadeev Jan 21, 2026
921edcf
corrected typo in version
ValFadeev Jan 22, 2026
13e0d30
excluded records from cache
ValFadeev Jan 22, 2026
19935b9
updated migrations and tests
ValFadeev Jan 22, 2026
c4508f2
increased size of the blob
ValFadeev Jan 22, 2026
478a81f
checked if hints exist
ValFadeev Jan 22, 2026
4caec66
added unit test for DisableX509SvidPrefetch
ValFadeev Jan 22, 2026
7f1e2b4
renamed new field to additional attributes
ValFadeev Jan 25, 2026
bc6a28f
Merge branch 'main' into jwt-preference-entry
ValFadeev Jan 25, 2026
fac8325
updated description of the message
ValFadeev Jan 25, 2026
86e81c2
fixed assertion
ValFadeev Jan 26, 2026
fb49792
updated model field description
ValFadeev Jan 30, 2026
cd33b7e
added cli support for additional attributes
ValFadeev Feb 11, 2026
d1db089
added disableX509SVIDPrefetch to server cli docs
ValFadeev Feb 11, 2026
29b19e0
addressed linter finding
ValFadeev Feb 11, 2026
187da05
create additional attributes conditionally
ValFadeev Feb 17, 2026
3ae4ecc
updated integration test to check cached svids
ValFadeev Feb 18, 2026
d156b8f
created a separate migration for registration entries
ValFadeev Feb 18, 2026
dfec897
Merge branch 'main' into jwt-preference-entry
ValFadeev Feb 18, 2026
6bff39a
fixed quoting in test fixture
ValFadeev Feb 18, 2026
4f690fd
added new field to client api util
ValFadeev Feb 19, 2026
f748841
validated expectation, accounting for agent entries
ValFadeev Feb 19, 2026
0102b52
updated actual expectation in the test
ValFadeev Feb 19, 2026
ef55768
Merge branch 'main' into jwt-preference-entry
ValFadeev Feb 19, 2026
6f54da0
updated entry mask and tests
ValFadeev Feb 20, 2026
c66af51
run check on agents with debug socket
ValFadeev Feb 20, 2026
b7fb760
temporarily removed flag to validate test
ValFadeev Feb 20, 2026
1ea0406
reinstated flag, updated expectation
ValFadeev Feb 20, 2026
fd54ce2
cascade migrations
ValFadeev Feb 27, 2026
e9d52a1
break on error
ValFadeev Feb 27, 2026
80f7b6c
removed duplicated assignment
ValFadeev Mar 1, 2026
415370f
Merge branch 'main' into jwt-preference-entry
ValFadeev Mar 1, 2026
18d602e
picked up changes from spire-api-sdk
ValFadeev Mar 20, 2026
8cbec7f
Merge branch 'main' into jwt-preference-entry
ValFadeev Mar 20, 2026
097ac03
added flag to indicate if any of additional attrs were set
ValFadeev Mar 22, 2026
be1f2e7
enforced additional attributes message size
ValFadeev Mar 22, 2026
9fd6df2
validate attributes when creating/updating
ValFadeev Mar 30, 2026
dc38724
updated base schema version for migration
ValFadeev Mar 30, 2026
4db66c5
Merge branch 'main' into jwt-preference-entry
ValFadeev Mar 30, 2026
c16d67b
removed unused helper
ValFadeev Mar 30, 2026
cadd6b7
Revert "removed unused helper"
ValFadeev Mar 30, 2026
c4b63ea
Revert "updated base schema version for migration"
ValFadeev Mar 30, 2026
951f8fc
removed fallthrough
ValFadeev Mar 30, 2026
fa3b6dd
Merge branch 'main' into jwt-preference-entry
sorindumitru Apr 10, 2026
13 changes: 12 additions & 1 deletion cmd/spire-server/cli/entry/create.go
Expand Up @@ -74,6 +74,10 @@ type createCommand struct {
// storeSVID determines if the issued SVID must be stored through an SVIDStore plugin
storeSVID bool

// disableX509SVIDPrefetch tells the agent not to prefetch and cache X509 SVID for
// the given entry
disableX509SVIDPrefetch bool

printer cliprinter.Printer

env *commoncli.Env
Expand Down Expand Up @@ -103,6 +107,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
f.Int64Var(&c.entryExpiry, "entryExpiry", 0, "An expiry, from epoch in seconds, for the resulting registration entry to be pruned")
f.Var(&c.dnsNames, "dns", "A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once")
f.StringVar(&c.hint, "hint", "", "The entry hint, used to disambiguate entries with the same SPIFFE ID")
f.BoolVar(&c.disableX509SVIDPrefetch, "disableX509SVIDPrefetch", false, "A boolean value that, when set, disables prefetching X509 SVID for this entry")
cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintCreate)
}

Expand Down Expand Up @@ -209,8 +214,14 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {

selectors = append(selectors, cs)
}

e.Selectors = selectors

if c.disableX509SVIDPrefetch {
e.AdditionalAttributes = &types.Entry_AdditionalAttributes{
DisableX509SvidPrefetch: c.disableX509SVIDPrefetch,
}
}

e.FederatesWith = c.federatesWith
e.Admin = c.admin
return []*types.Entry{e}, nil
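Review bot: The help text for `-disableX509SVIDPrefetch` in the AppendFlags hunk says only that prefetching is disabled, which does not tell an operator what they are trading away or that the setting is advisory; the field comment above calls it an instruction to the agent "not to prefetch and cache", and the commit history describes it as a cache hint, so I would word it as `"A boolean value that, when set, hints the agent not to prefetch and cache an X509-SVID for this entry (the SVID is obtained only when a workload asks for it); this is a caching hint, not an access control"` — the parenthetical is my reading of the field comment and should be confirmed against the agent-side behavior before it ships in user-facing help. Separately, in parseConfig the message is built only inside `if c.disableX509SVIDPrefetch {`, so `DisableX509SvidPrefetch: c.disableX509SVIDPrefetch` is always true at that point; writing `DisableX509SvidPrefetch: true` states the intent directly and makes it obvious that omitting the flag leaves `AdditionalAttributes` nil rather than sending an empty message to the server. parseConfig starts and ends outside this hunk.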
251 changes: 178 additions & 73 deletions cmd/spire-server/cli/entry/create_test.go
Expand Up @@ -44,7 +44,10 @@ func TestCreate(t *testing.T) {
DnsNames: []string{"unu1000", "ung1000"},
Downstream: true,
StoreSvid: true,
CreatedAt: 1547583197,
AdditionalAttributes: &types.Entry_AdditionalAttributes{
DisableX509SvidPrefetch: true,
},
CreatedAt: 1547583197,
},
Status: &types.Status{
Code: int32(codes.OK),
Expand Down Expand Up @@ -93,7 +96,10 @@ func TestCreate(t *testing.T) {
X509SvidTtl: 200,
JwtSvidTtl: 30,
Admin: true,
CreatedAt: 1547583197,
AdditionalAttributes: &types.Entry_AdditionalAttributes{
DisableX509SvidPrefetch: false,
},
CreatedAt: 1547583197,
},
Status: &types.Status{
Code: int32(codes.OK),
Expand All @@ -109,7 +115,10 @@ func TestCreate(t *testing.T) {
X509SvidTtl: 200,
JwtSvidTtl: 30,
Hint: "internal",
CreatedAt: 1547583197,
AdditionalAttributes: &types.Entry_AdditionalAttributes{
DisableX509SvidPrefetch: false,
},
CreatedAt: 1547583197,
},
Status: &types.Status{
Code: int32(codes.OK),
Expand All @@ -128,7 +137,29 @@ func TestCreate(t *testing.T) {
StoreSvid: true,
X509SvidTtl: 200,
JwtSvidTtl: 30,
CreatedAt: 1547583197,
AdditionalAttributes: &types.Entry_AdditionalAttributes{
DisableX509SvidPrefetch: false,
},
CreatedAt: 1547583197,
},
Status: &types.Status{
Code: int32(codes.OK),
Message: "OK",
},
},
{
Entry: &types.Entry{
Id: "entry-id-4",
SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/additionalattr"},
ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"},
Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}},
X509SvidTtl: 200,
JwtSvidTtl: 30,
Admin: true,
AdditionalAttributes: &types.Entry_AdditionalAttributes{
DisableX509SvidPrefetch: true,
},
CreatedAt: 1547583197,
},
Status: &types.Status{
Code: int32(codes.OK),
Expand Down Expand Up @@ -235,6 +266,7 @@ func TestCreate(t *testing.T) {
"-downstream",
"-storeSVID",
"-hint", "internal",
"-disableX509SVIDPrefetch",
},
expReq: &entryv1.BatchCreateEntryRequest{
Entries: []*types.Entry{
Expand All @@ -254,27 +286,30 @@ func TestCreate(t *testing.T) {
Downstream: true,
StoreSvid: true,
Hint: "internal",
AdditionalAttributes: &types.Entry_AdditionalAttributes{
DisableX509SvidPrefetch: true,
},
},
},
},
fakeResp: fakeRespOKFromCmd,
expOutPretty: fmt.Sprintf(`Entry ID : entry-id
SPIFFE ID : spiffe://example.org/workload
Parent ID : spiffe://example.org/parent
Revision : 0
Downstream : true
X509-SVID TTL : 60
JWT-SVID TTL : 30
Expiration time : %s
Selector : zebra:zebra:2000
Selector : alpha:alpha:2000
FederatesWith : spiffe://domaina.test
FederatesWith : spiffe://domainb.test
DNS name : unu1000
DNS name : ung1000
Admin : true
StoreSvid : true

expOutPretty: fmt.Sprintf(`Entry ID : entry-id
SPIFFE ID : spiffe://example.org/workload
Parent ID : spiffe://example.org/parent
Revision : 0
Downstream : true
X509-SVID TTL : 60
JWT-SVID TTL : 30
Expiration time : %s
Selector : zebra:zebra:2000
Selector : alpha:alpha:2000
FederatesWith : spiffe://domaina.test
FederatesWith : spiffe://domainb.test
DNS name : unu1000
DNS name : ung1000
Admin : true
StoreSvid : true
DisableX509SvidPrefetch : true
`, time.Unix(1552410266, 0).UTC()),
expOutJSON: `{
"results": [
Expand Down Expand Up @@ -319,7 +354,10 @@ StoreSvid : true
],
"revision_number": "0",
"store_svid": true,
"jwt_svid_ttl": 30
"jwt_svid_ttl": 30,
"additional_attributes": {
"disable_x509_svid_prefetch": true
}
}
}
]
Expand Down Expand Up @@ -365,22 +403,22 @@ StoreSvid : true
},
},
fakeResp: fakeRespOKFromCmdWithoutJwtTtl,
expOutPretty: fmt.Sprintf(`Entry ID : entry-id
SPIFFE ID : spiffe://example.org/workload
Parent ID : spiffe://example.org/parent
Revision : 0
Downstream : true
X509-SVID TTL : 60
JWT-SVID TTL : default
Expiration time : %s
Selector : zebra:zebra:2000
Selector : alpha:alpha:2000
FederatesWith : spiffe://domaina.test
FederatesWith : spiffe://domainb.test
DNS name : unu1000
DNS name : ung1000
Admin : true
StoreSvid : true
expOutPretty: fmt.Sprintf(`Entry ID : entry-id
SPIFFE ID : spiffe://example.org/workload
Parent ID : spiffe://example.org/parent
Revision : 0
Downstream : true
X509-SVID TTL : 60
JWT-SVID TTL : default
Expiration time : %s
Selector : zebra:zebra:2000
Selector : alpha:alpha:2000
FederatesWith : spiffe://domaina.test
FederatesWith : spiffe://domainb.test
DNS name : unu1000
DNS name : ung1000
Admin : true
StoreSvid : true

`, time.Unix(1552410266, 0).UTC()),
expOutJSON: `{
Expand Down Expand Up @@ -466,36 +504,57 @@ StoreSvid : true
JwtSvidTtl: 30,
StoreSvid: true,
},
{
SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/additionalattr"},
ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/spire/agent/join_token/TokenBlog"},
Selectors: []*types.Selector{{Type: "unix", Value: "uid:1111"}},
X509SvidTtl: 200,
JwtSvidTtl: 30,
Admin: true,
AdditionalAttributes: &types.Entry_AdditionalAttributes{
DisableX509SvidPrefetch: true,
},
},
},
},
fakeResp: fakeRespOKFromFile,
expOutPretty: `Entry ID : entry-id-1
SPIFFE ID : spiffe://example.org/Blog
Parent ID : spiffe://example.org/spire/agent/join_token/TokenBlog
Revision : 0
X509-SVID TTL : 200
JWT-SVID TTL : 30
Selector : unix:uid:1111
Admin : true
expOutPretty: `Entry ID : entry-id-1
SPIFFE ID : spiffe://example.org/Blog
Parent ID : spiffe://example.org/spire/agent/join_token/TokenBlog
Revision : 0
X509-SVID TTL : 200
JWT-SVID TTL : 30
Selector : unix:uid:1111
Admin : true

Entry ID : entry-id-2
SPIFFE ID : spiffe://example.org/Database
Parent ID : spiffe://example.org/spire/agent/join_token/TokenDatabase
Revision : 0
X509-SVID TTL : 200
JWT-SVID TTL : 30
Selector : unix:uid:1111
Hint : internal

Entry ID : entry-id-2
SPIFFE ID : spiffe://example.org/Database
Parent ID : spiffe://example.org/spire/agent/join_token/TokenDatabase
Revision : 0
X509-SVID TTL : 200
JWT-SVID TTL : 30
Selector : unix:uid:1111
Hint : internal
Entry ID : entry-id-3
SPIFFE ID : spiffe://example.org/storesvid
Parent ID : spiffe://example.org/spire/agent/join_token/TokenDatabase
Revision : 0
X509-SVID TTL : 200
JWT-SVID TTL : 30
Selector : type:key1:value
Selector : type:key2:value
StoreSvid : true

Entry ID : entry-id-3
SPIFFE ID : spiffe://example.org/storesvid
Parent ID : spiffe://example.org/spire/agent/join_token/TokenDatabase
Revision : 0
X509-SVID TTL : 200
JWT-SVID TTL : 30
Selector : type:key1:value
Selector : type:key2:value
StoreSvid : true
Entry ID : entry-id-4
SPIFFE ID : spiffe://example.org/additionalattr
Parent ID : spiffe://example.org/spire/agent/join_token/TokenBlog
Revision : 0
X509-SVID TTL : 200
JWT-SVID TTL : 30
Selector : unix:uid:1111
Admin : true
DisableX509SvidPrefetch : true

`,
expOutJSON: `{
Expand Down Expand Up @@ -531,7 +590,10 @@ StoreSvid : true
"dns_names": [],
"revision_number": "0",
"store_svid": false,
"jwt_svid_ttl": 30
"jwt_svid_ttl": 30,
"additional_attributes": {
"disable_x509_svid_prefetch": false
}
}
},
{
Expand Down Expand Up @@ -565,7 +627,10 @@ StoreSvid : true
"dns_names": [],
"revision_number": "0",
"store_svid": false,
"jwt_svid_ttl": 30
"jwt_svid_ttl": 30,
"additional_attributes": {
"disable_x509_svid_prefetch": false
}
}
},
{
Expand Down Expand Up @@ -603,7 +668,47 @@ StoreSvid : true
"dns_names": [],
"revision_number": "0",
"store_svid": true,
"jwt_svid_ttl": 30
"jwt_svid_ttl": 30,
"additional_attributes": {
"disable_x509_svid_prefetch": false
}
}
},
{
"status": {
"code": 0,
"message": "OK"
},
"entry": {
"id": "entry-id-4",
"spiffe_id": {
"trust_domain": "example.org",
"path": "/additionalattr"
},
"parent_id": {
"trust_domain": "example.org",
"path": "/spire/agent/join_token/TokenBlog"
},
"selectors": [
{
"type": "unix",
"value": "uid:1111"
}
],
"x509_svid_ttl": 200,
"federates_with": [],
"hint": "",
"admin": true,
"created_at": "1547583197",
"downstream": false,
"expires_at": "0",
"dns_names": [],
"revision_number": "0",
"store_svid": false,
"jwt_svid_ttl": 30,
"additional_attributes": {
"disable_x509_svid_prefetch": true
}
}
}
]
Expand All @@ -621,13 +726,13 @@ StoreSvid : true
}},
fakeResp: fakeRespErr,
expErrPretty: `Failed to create the following entry (code: AlreadyExists, msg: "similar entry already exists"):
Entry ID : (none)
SPIFFE ID : spiffe://example.org/already-exist
Parent ID : spiffe://example.org/spire/server
Revision : 0
X509-SVID TTL : default
JWT-SVID TTL : default
Selector : unix:uid:1
Entry ID : (none)
SPIFFE ID : spiffe://example.org/already-exist
Parent ID : spiffe://example.org/spire/server
Revision : 0
X509-SVID TTL : default
JWT-SVID TTL : default
Selector : unix:uid:1

Error: failed to create one or more entries
`,
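Review bot: Every request-side assertion visible here that mentions `AdditionalAttributes` sets `DisableX509SvidPrefetch: true` (the `-disableX509SVIDPrefetch` flag case and entry-id-4 in the from-file case); nothing visible pins the other half of create.go's conditional, namely that omitting the flag leaves `AdditionalAttributes` nil in the BatchCreateEntryRequest instead of sending an empty message. The "WithoutJwtTtl" case's expReq is cut off in this view and may already cover it; if not, one no-flag CLI case should carry an explicit `AdditionalAttributes: nil, // flag omitted: no attributes message is sent` in its expected entry so a later refactor that always builds the message is caught. The response-side fixtures that set `DisableX509SvidPrefetch: false` are fine as they are, since they only drive the printer and JSON output.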