Faisal Memon

Results 83 comments of Faisal Memon

> If I recall correctly, I think we were going to use the recently added `can_reattest` field to determine if an agent should go through an attestation flow vs. renewal...

> We talked about this PR today. To summarize:
>
> 1. we're going to forego persistence and have the RenewAgent RPC return a field in its response on whether...

> Hey @faisal-memon, I've opened #3201 to address consolidated storage for the agent. There is some obvious overlap with the changes you've introduced. I'm happy to merge in either order...

Was able to reproduce the unit test failure:

```
--- FAIL: TestRotator (0.17s)
    --- FAIL: TestRotator/reattest_expired_at_startup (0.03s)
        rotator_test.go:193: error during rotation: Could not reattest agent and current SVID has already...
```

> Hey @faisal-memon, considering the very sensitive nature of this operation (i.e. if we break renewal we can brick installations), how much has this change been manually tested? Quite a...

Was able to reproduce this. The container ID is not getting populated in the pod container status while it is in the initializing state. Maybe the init container is different?

> @faisal-memon @rturner3 how is it? How is it different than init container? I'm not sure, just guessing that init container populates container id sooner to explain the difference with...

You should just be able to do:

```
disabled_namespaces = [ "kube-system", "kube-public", "my-disabled-namespace"]
```

I was hoping we could spend some time at the next sig spire meeting to demo the available solutions. What do you think?