Re: Review for aspects of KEP-3257 (Trust Anchor Sets)


Taahir Ahmed

Jun 8, 2022, 3:48:14 PM
to kubernetes-sig-architecture, kubernete...@googlegroups.com

On Wed, Jun 8, 2022 at 12:46 PM Taahir Ahmed <ta...@google.com> wrote:
Hi!

I'm working on [KEP-3257: Trust Anchor Sets](https://github.com/kubernetes/enhancements/pull/3258).  One of the reviewers recommended checking in with SIG Architecture about some aspects.

1. In the proposal, we need to establish a correspondence between a signer name (looks like `example.com/my-signer`) and a TrustAnchorSets object.  I currently propose doing that using a naming convention for the TrustAnchorSets object, so that the `example.com/my-signer` becomes `example.com-slash-my--signer`.  The translation needs to be 1:1, and not allow collisions between TrustAnchorSets objects from different signers.

2. The TrustAnchorSets object is an object with no user-specified intent (so, no `spec` subobject), only system-defined state (so, a `status` subobject, with conditions).  Is this all right?  Should the object be set up in a different way?

Thanks,

Taahir
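
An added example, not part of the original message or of the KEP: the name translation from point 1 written in Go, with a decoder that shows why two signers cannot land on the same object name. The escaping rule (`-` becomes `--`, `/` becomes `-slash-`) is an assumption inferred from the single sample in the message, and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed rule, inferred from the one sample in the message:
// "-" is written as "--" and "/" as "-slash-".
const slashToken = "-slash-"

// EncodeSignerName maps a signer name to a TrustAnchorSets object name.
func EncodeSignerName(signer string) string {
	return strings.NewReplacer("-", "--", "/", slashToken).Replace(signer)
}

// DecodeObjectName inverts EncodeSignerName. Every "-" in a valid name starts
// either "--" or "-slash-", so a left-to-right scan has exactly one parse;
// that unique parse is what makes the mapping 1:1.
func DecodeObjectName(name string) (string, error) {
	var b strings.Builder
	for i := 0; i < len(name); {
		rest := name[i:]
		switch {
		case rest[0] == '/':
			return "", errors.New("raw '/' is not valid in an encoded name")
		case rest[0] != '-':
			b.WriteByte(rest[0])
			i++
		case strings.HasPrefix(rest, "--"):
			b.WriteByte('-')
			i += 2
		case strings.HasPrefix(rest, slashToken):
			b.WriteByte('/')
			i += len(slashToken)
		default:
			return "", fmt.Errorf("unescaped '-' at offset %d", i)
		}
	}
	return b.String(), nil
}

func main() {
	// Constructed inputs: the sample from the message, plus a pair that would
	// collide if "/" were rewritten without also escaping "-".
	for _, s := range []string{"example.com/my-signer", "a/b", "a-slash-b"} {
		enc := EncodeSignerName(s)
		dec, err := DecodeObjectName(enc)
		fmt.Printf("%-24q -> %-32q -> %q (err=%v)\n", s, enc, dec, err)
	}
}
```

Rejecting names that do not decode means an object created by hand with a malformed name is never attributed to any signer.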