spiffe

package v1.7.0
Published: Feb 14, 2023 License: Apache-2.0 Imports: 16 Imported by: 0

Overview

Package spiffe contains code related to SPIFFE identity management: certificate reloading and other SPIFFE items.

Constants

const (
	// CABundleFileMode is the file mode applied to the CA bundle when it is written to disk.
	CABundleFileMode = os.FileMode(0o644) //nolint
)

Variables

var ErrCertTimeout = errors.New("timed out waiting for trust bundle")

ErrCertTimeout occurs when CertManager does not receive the initial trust bundle before the configured timeout.

var ErrNoCertificates = errors.New("no certificates in svid response")

ErrNoCertificates occurs when a workloadapi.X509Context contains no certificates, but is expected to by a parsing function.

Functions

func ParseCABundle

func ParseCABundle(svidResponse *workloadapi.X509Context) (*x509bundle.Bundle, error)

ParseCABundle converts an X509Context into a native Go x509bundle.Bundle.

Types

type CABundleManager

type CABundleManager struct {
	TaskQueue        *taskqueue.TaskQueue
	CABundleFilepath string
	// contains filtered or unexported fields
}

CABundleManager manages SPIRE events and CA Bundles.

func (*CABundleManager) CABundleBytesFromSVIDResponse

func (manager *CABundleManager) CABundleBytesFromSVIDResponse(svidResponse *workloadapi.X509Context) ([]byte, bool, error)

CABundleBytesFromSVIDResponse extracts the CA Bundle bytes from svidResponse. It also hashes the bundle and updates the internal hash if it has changed. Returns the CA bytes, whether the CA Bundle has changed, and a marshal error, if any.

func (*CABundleManager) CertKeyBytesFromSVIDResponse

func (manager *CABundleManager) CertKeyBytesFromSVIDResponse(svidResponse *workloadapi.X509Context) ([]byte, []byte, error)

CertKeyBytesFromSVIDResponse extracts the cert and key from svidResponse and updates the internal copy of the cert and key.

func (*CABundleManager) NewCertificateGetter

func (manager *CABundleManager) NewCertificateGetter() func(*tls.CertificateRequestInfo) (*tls.Certificate, error)

NewCertificateGetter returns a TLS Config GetCertificate function that fetches certificates from the CABundleManager.

func (*CABundleManager) SerialNumberFromSVIDResponse

func (manager *CABundleManager) SerialNumberFromSVIDResponse(svidResponse *workloadapi.X509Context) ([]byte, error)

SerialNumberFromSVIDResponse extracts the default SVID certificate's serial number from the given SVID response.

func (*CABundleManager) TestAndUpdateCABundle

func (manager *CABundleManager) TestAndUpdateCABundle(caBundle []byte) bool

TestAndUpdateCABundle compares the given CA Bundle bytes with the previous CA Bundle, updates the internal hash, and reports whether the bundle has changed.
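The rotation pattern behind TestAndUpdateCABundle and NewCertificateGetter, as an added Go example that is not part of the spiffe package: SVIDStore is a hypothetical type that keeps the last CA bundle digest and the current SVID behind a lock and exposes a getter with the tls.Config.GetCertificate signature (the client-side GetClientCertificate variant follows the same pattern). The CA bundle bytes used in main are constructed, not a real bundle.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"fmt"
	"sync"
)

// SVIDStore is a hypothetical stand-in for CABundleManager (not the package's
// own type): the current SVID and the last CA bundle digest live behind a lock.
type SVIDStore struct {
	mu         sync.RWMutex
	cert       *tls.Certificate
	bundleHash [sha256.Size]byte
}

// TestAndUpdateCABundle records the SHA-256 of caBundle and reports whether it
// differs from the previous digest; the first bundle seen always counts as changed.
func (s *SVIDStore) TestAndUpdateCABundle(caBundle []byte) bool {
	h := sha256.Sum256(caBundle)
	s.mu.Lock()
	defer s.mu.Unlock()
	changed := h != s.bundleHash
	s.bundleHash = h
	return changed
}

func (s *SVIDStore) SetSVID(cert tls.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.cert = &cert
}

// GetCertificate has the tls.Config.GetCertificate signature, so a server set up
// with GetCertificate: s.GetCertificate serves rotated SVIDs live; it fails closed until one arrives.
func (s *SVIDStore) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	if s.cert == nil {
		return nil, fmt.Errorf("no SVID received yet")
	}
	return s.cert, nil
}

func main() {
	s := &SVIDStore{}
	b := []byte("constructed sample CA bundle PEM") // constructed, not a real bundle
	fmt.Println(s.TestAndUpdateCABundle(b), s.TestAndUpdateCABundle(b)) // true false
}
```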

func (*CABundleManager) WaitForCABundle

func (manager *CABundleManager) WaitForCABundle(maxSeconds int) error

WaitForCABundle waits up to the given number of seconds for the CA Bundle to be written.

func (*CABundleManager) Write

func (manager *CABundleManager) Write(svidResponse *workloadapi.X509Context) error

Write implements the svidWriter interface. It writes the CA Bundle to disk if none has been written yet; otherwise it enqueues a SPIRE event in the task queue.

type CertFetcher

type CertFetcher interface {
	// Start starts fetching X.509 certificates.
	// It returns an error if it fails to start.
	// Otherwise, certificates are written to the X509Context channel
	// and if there is an unrecoverable error it is written to the error channel.
	Start(context.Context) (<-chan *workloadapi.X509Context, <-chan error, error)
	// Stop closes the connection with the SPIFFE Workload API Client.
	Stop() error
}

CertFetcher fetches certificates.

type CertManager

type CertManager struct {
	ErrCh chan error
	// contains filtered or unexported fields
}

CertManager writes SVID certificates and keys to disk.

func NewCertManager

func NewCertManager(svidWriter SVIDWriter, fetcher CertFetcher, timeout time.Duration) *CertManager

NewCertManager returns a new instance of the CertManager.

func NewCertManagerWithReloader

func NewCertManagerWithReloader(
	reloader Reloader,
	svidWriter SVIDWriter,
	fetcher CertFetcher,
	timeout time.Duration,
) *CertManager

NewCertManagerWithReloader returns a new instance of the CertManager.

func (*CertManager) Run

func (c *CertManager) Run(ctx context.Context) error

Run is the run loop for the CertManager. It starts the CertFetcher and waits for certs or an unrecoverable error.

func (*CertManager) Stop

func (c *CertManager) Stop() error

Stop stops the internal certFetcher.

type Client

type Client interface {
	WatchX509Context(context.Context, workloadapi.X509ContextWatcher) error
	Close() error
}

Client wraps the workloadapi.Client.

type DiskSVIDConfig

type DiskSVIDConfig struct {
	// CertDir is the directory that holds the certificates and key.
	CertDir,
	KeyFilename,
	CertFilename,
	CABundleFilename string
}

DiskSVIDConfig contains the configuration for a Writer.

type DiskSVIDWriter

type DiskSVIDWriter struct {
	KeyFile,
	CertFile,
	CaBundleFile string
}

DiskSVIDWriter implements SVIDWriter interface.

func NewDiskSVIDWriter

func NewDiskSVIDWriter(config DiskSVIDConfig) (*DiskSVIDWriter, error)

NewDiskSVIDWriter creates a new instance of Writer. Returns an error if the cert directory does not exist.

func (*DiskSVIDWriter) Write

func (d *DiskSVIDWriter) Write(svidResponse *workloadapi.X509Context) error

Write parses the svidResponse into a private key, certificate, and CA. The key, cert, and CA cert are written to disk.

type Reloader

type Reloader interface {
	// Reload reloads a process
	Reload() error
}

Reloader knows how to reload a process.

type SVIDWriter

type SVIDWriter interface {
	// Write writes a private key, certificate, and CA certificate from a SPIFFE X509-SVID
	Write(svidResponse *workloadapi.X509Context) error
}

SVIDWriter knows how to extract and write certificates and keys from a SPIFFE X509-SVID.

type X509CertFetcher

type X509CertFetcher struct {
	WatchErrCh chan error
	CertCh     chan *workloadapi.X509Context
	// contains filtered or unexported fields
}

X509CertFetcher fetches certs from the X509 SPIFFE Workload API.

func NewX509CertFetcher

func NewX509CertFetcher(spireAddr string, client Client) (*X509CertFetcher, error)

NewX509CertFetcher creates a new instance of CertFetcher.

func (*X509CertFetcher) Start

func (c *X509CertFetcher) Start(ctx context.Context) (<-chan *workloadapi.X509Context, <-chan error, error)

Start creates a SPIFFE Workload API Client. If the client cannot be created an error is returned. Otherwise, a goroutine is kicked off that watches for new X.509 Contexts over the Workload API. If a fatal error occurs while watching for X.509 Contexts it is written to the WatchErrCh channel.

func (*X509CertFetcher) Stop

func (c *X509CertFetcher) Stop() error

Stop closes the connection with the SPIFFE Workload API Client.
