Extract the service name from a SPIFFE path #53
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kchiranjewee63
requested changes
Sep 23, 2025
Member
kchiranjewee63
left a comment
kchiranjewee63
left a comment
There was a problem hiding this comment.
@mattbates thanks for the contribution! We actually already have the tokenetes SPIFFE ID as a configuration (tokenetesSpiffeId), it was just missed to be used.
Instead of parsing the path, we should compare the client's SPIFFE ID with the configured tokenetes SPIFFE ID. If they match, use the TOKENETES_SERVICE_NAME constant, otherwise extract the service name from the path as you've done.
Comment on lines
+113
to
+114
| pathParts := strings.Split(spiffeID.Path(), "/") | ||
| serviceName := pathParts[len(pathParts)-1] |
Member
There was a problem hiding this comment.
Suggested change
| pathParts := strings.Split(spiffeID.Path(), "/") | |
| serviceName := pathParts[len(pathParts)-1] | |
| var serviceName string | |
| if spiffeID.String() == wss.TokenetesSpiffeId.String() { | |
| serviceName = common.TOKENETES_SERVICE_NAME | |
| } else { | |
| serviceName = extractServiceNameFromSPIFFEPath(spiffeID.Path()) | |
| } |
And the function extractServiceNameFromSPIFFEPath can be:
// extractServiceNameFromSPIFFEPath extracts the service name from a SPIFFE ID path.
// For Kubernetes SPIFFE IDs, it looks for /sa/ pattern and extracts the service account name.
// Falls back to the last path component if /sa/ pattern is not found.
func extractServiceNameFromSPIFFEPath(path string) string {
if saIndex := strings.Index(path, "/sa/"); saIndex != -1 {
// Found /sa/ pattern, extract the service account name
saStart := saIndex + 4 // skip "/sa/"
pathAfterSA := path[saStart:]
if nextSlash := strings.Index(pathAfterSA, "/"); nextSlash != -1 {
return pathAfterSA[:nextSlash]
}
return pathAfterSA
}
// Fallback to last path component
pathParts := strings.Split(path, "/")
return pathParts[len(pathParts)-1]
}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A SPIFFE ID has a path that can be used to encode keys and values - eg a namespace (
ns) and service account (sa):spiffe://trust.domain/ns/foo/sa/barThis update finds the service name using the service account
sacomponent of the path in the ID. This was required in order to usetconfigdin an environment with SPIRE on Kubenetes, using the standard SPIFFE ID format.The alternative to this would be to keep the existing implementation and update the service name to include the full path. This is currently hardcoded (https://github.com/tokenetes/tconfigd/blob/main/service/common/common.go#L4) so we'd need a way to configure this.