Documentation ¶
Index ¶
- Constants
- func BundleProtoFromRootCA(trustDomainID string, rootCA *x509.Certificate) *common.Bundle
- func BundleProtoFromRootCADER(trustDomainID string, derBytes []byte) *common.Bundle
- func BundleProtoFromRootCAs(trustDomainID string, rootCAs []*x509.Certificate) *common.Bundle
- func BundleProtoFromRootCAsDER(trustDomainID string, derBytes []byte) (*common.Bundle, error)
- func CalculateRefreshHint(bundle *Bundle) time.Duration
- func CommonBundleFromProto(b *types.Bundle) (*common.Bundle, error)
- func JWTSigningKeysFromBundleProto(b *common.Bundle) (map[string]crypto.PublicKey, error)
- func Marshal(bundle *Bundle, opts ...MarshalOption) ([]byte, error)
- func MergeBundles(a, b *common.Bundle) (*common.Bundle, bool)
- func PruneBundle(bundle *common.Bundle, expiration time.Time, log logrus.FieldLogger) (*common.Bundle, bool, error)
- func RootCAsDERFromBundleProto(b *common.Bundle) (derBytes []byte)
- func RootCAsFromBundleProto(b *common.Bundle) (out []*x509.Certificate, err error)
- type Bundle
- func BundleFromProto(b *common.Bundle) (*Bundle, error)
- func BundleFromRootCA(trustDomain spiffeid.TrustDomain, rootCA *x509.Certificate) *Bundle
- func BundleFromRootCAs(trustDomain spiffeid.TrustDomain, rootCAs []*x509.Certificate) *Bundle
- func Decode(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error)
- func New(trustDomain spiffeid.TrustDomain) *Bundle
- func ParseBundle(bundleBytes []byte) (*Bundle, error)
- func Unmarshal(trustDomain spiffeid.TrustDomain, data []byte) (*Bundle, error)
- func (b *Bundle) AppendJWTSigningKey(kid string, key crypto.PublicKey) error
- func (b *Bundle) AppendRootCA(rootCA *x509.Certificate)
- func (b *Bundle) EqualTo(other *Bundle) bool
- func (b *Bundle) JWTSigningKeys() map[string]crypto.PublicKey
- func (b *Bundle) Proto() *common.Bundle
- func (b *Bundle) RefreshHint() time.Duration
- func (b *Bundle) RootCAs() []*x509.Certificate
- func (b *Bundle) SetRefreshHint(d time.Duration)
- func (b *Bundle) TrustDomainID() string
- type MarshalOption
Constants ¶
const (
	// MinimumRefreshHint is the smallest refresh hint the client allows.
	// Anything smaller than the minimum will be reset to the minimum.
	//
	// NOTE(review): this is a client-side floor on how often a bundle is
	// re-fetched; it bounds polling load on the server even when a bundle
	// (or an OverrideRefreshHint option) carries a very small hint. Whether
	// CalculateRefreshHint also applies this floor on the server side is not
	// visible here — confirm against that function before relying on it.
	MinimumRefreshHint = time.Minute
)
Variables ¶
This section is empty.
Functions ¶
func BundleProtoFromRootCA ¶
func BundleProtoFromRootCA(trustDomainID string, rootCA *x509.Certificate) *common.Bundle
func BundleProtoFromRootCAs ¶
func BundleProtoFromRootCAs(trustDomainID string, rootCAs []*x509.Certificate) *common.Bundle
func CalculateRefreshHint ¶
CalculateRefreshHint is used to calculate the refresh hint for a given bundle. If the bundle already contains a refresh hint, that is used. Otherwise, it looks at the lifetimes of the bundle contents and returns a fraction of the smallest. This is fairly aggressive, but it ensures clients do not miss a rotation period and lose their ability to fetch. TODO: reevaluate our strategy here when we rework the TTL story inside SPIRE.
func PruneBundle ¶
func PruneBundle(bundle *common.Bundle, expiration time.Time, log logrus.FieldLogger) (*common.Bundle, bool, error)
PruneBundle removes the bundle RootCAs and JWT keys that expired before a given time. It returns an error if pruning results in a bundle with no CAs or keys.
func RootCAsFromBundleProto ¶
func RootCAsFromBundleProto(b *common.Bundle) (out []*x509.Certificate, err error)
Types ¶
type Bundle ¶
type Bundle struct {
// contains filtered or unexported fields
}
func BundleFromRootCA ¶
func BundleFromRootCA(trustDomain spiffeid.TrustDomain, rootCA *x509.Certificate) *Bundle
func BundleFromRootCAs ¶
func BundleFromRootCAs(trustDomain spiffeid.TrustDomain, rootCAs []*x509.Certificate) *Bundle
func New ¶
func New(trustDomain spiffeid.TrustDomain) *Bundle
func ParseBundle ¶
func (*Bundle) AppendJWTSigningKey ¶
func (*Bundle) AppendRootCA ¶
func (b *Bundle) AppendRootCA(rootCA *x509.Certificate)
func (*Bundle) RefreshHint ¶
RefreshHint returns the bundle refresh hint.
func (*Bundle) RootCAs ¶
func (b *Bundle) RootCAs() []*x509.Certificate
func (*Bundle) SetRefreshHint ¶
SetRefreshHint sets the bundle refresh hint to the given duration. It is rounded up to the nearest second.
func (*Bundle) TrustDomainID ¶
type MarshalOption ¶
type MarshalOption interface {
// contains filtered or unexported methods
}
func NoJWTSVIDKeys ¶
func NoJWTSVIDKeys() MarshalOption
NoJWTSVIDKeys skips marshalling JWT SVID keys.
func NoX509SVIDKeys ¶
func NoX509SVIDKeys() MarshalOption
NoX509SVIDKeys skips marshalling X509 SVID keys.
func OverrideRefreshHint ¶
func OverrideRefreshHint(value time.Duration) MarshalOption
OverrideRefreshHint overrides the refresh hint in the marshaled bundle with the given duration.
func StandardJWKS ¶
func StandardJWKS() MarshalOption
StandardJWKS omits SPIFFE-specific parameters from the marshaled bundle.