- type AgentX509SVIDParams
- type BundleUpdater
- type CA
- func (ca *CA) JWTKey() *JWTKey
- func (ca *CA) NotifyTaintedX509Authorities(taintedAuthorities []*x509.Certificate)
- func (ca *CA) SetJWTKey(jwtKey *JWTKey)
- func (ca *CA) SetX509CA(x509CA *X509CA)
- func (ca *CA) SignAgentX509SVID(ctx context.Context, params AgentX509SVIDParams) ([]*x509.Certificate, error)
- func (ca *CA) SignDownstreamX509CA(ctx context.Context, params DownstreamX509CAParams) ([]*x509.Certificate, error)
- func (ca *CA) SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)
- func (ca *CA) SignWorkloadJWTSVID(ctx context.Context, params WorkloadJWTSVIDParams) (string, error)
- func (ca *CA) SignWorkloadX509SVID(ctx context.Context, params WorkloadX509SVIDParams) ([]*x509.Certificate, error)
- func (ca *CA) TaintedAuthorities() <-chan []*x509.Certificate
- func (ca *CA) X509CA() *X509CA
- type Config
- type DownstreamX509CAParams
- type JWTKey
- type ServerCA
- type ServerX509SVIDParams
- type UpstreamClient
- func (u *UpstreamClient) Close() error
- func (u *UpstreamClient) MintX509CA(ctx context.Context, csr []byte, ttl time.Duration, ...) (_ []*x509.Certificate, err error)
- func (u *UpstreamClient) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ []*common.PublicKey, err error)
- func (u *UpstreamClient) WaitUntilMintX509CAStreamDone(ctx context.Context) error
- func (u *UpstreamClient) WaitUntilPublishJWTKeyStreamDone(ctx context.Context) error
- type UpstreamClientConfig
- type ValidateX509CAFunc
- type WorkloadJWTSVIDParams
- type WorkloadX509SVIDParams
- type X509CA
- type X509CAValidator
Types ¶
type AgentX509SVIDParams ¶ added in v1.6.0
// AgentX509SVIDParams are parameters relevant to agent X509-SVID creation.
//
// NOTE(review): unlike WorkloadX509SVIDParams and DownstreamX509CAParams there
// is no TTL field here, so the agent SVID lifetime is presumably decided by the
// CA itself — confirm against SignAgentX509SVID.
type AgentX509SVIDParams struct {
	// PublicKey is the public key the agent X509-SVID is issued for.
	PublicKey crypto.PublicKey
	// SPIFFEID is the SPIFFE ID of the agent.
	SPIFFEID spiffeid.ID
}
AgentX509SVIDParams are parameters relevant to agent X509-SVID creation.
type BundleUpdater ¶ added in v0.10.0
// BundleUpdater is the interface used by the UpstreamClient to append bundle
// updates received over the UpstreamAuthority plugin streams (see MintX509CA
// and PublishJWTKey).
type BundleUpdater interface {
	// SyncX509Roots applies the X.509 authorities received from the upstream
	// to the bundle.
	SyncX509Roots(ctx context.Context, roots []*x509certificate.X509Authority) error
	// AppendJWTKeys appends the given JWT keys to the bundle. The returned
	// slice is presumably the resulting set of keys — confirm with the
	// implementation.
	AppendJWTKeys(ctx context.Context, keys []*common.PublicKey) ([]*common.PublicKey, error)
	// LogError reports an error encountered while applying an update.
	LogError(err error, msg string)
}
BundleUpdater is the interface used by the UpstreamClient to append bundle updates.
type CA ¶
// CA is the server CA. It satisfies the ServerCA interface: every method that
// ServerCA declares is implemented on *CA. The signing material it uses is
// installed with SetX509CA and SetJWTKey and read back with X509CA and JWTKey;
// NotifyTaintedX509Authorities feeds the channel returned by TaintedAuthorities.
type CA struct {
	// contains filtered or unexported fields
}
func (*CA) NotifyTaintedX509Authorities ¶ added in v1.11.0
func (ca *CA) NotifyTaintedX509Authorities(taintedAuthorities []*x509.Certificate)
func (*CA) SignAgentX509SVID ¶ added in v1.6.0
func (ca *CA) SignAgentX509SVID(ctx context.Context, params AgentX509SVIDParams) ([]*x509.Certificate, error)
func (*CA) SignDownstreamX509CA ¶ added in v1.6.0
func (ca *CA) SignDownstreamX509CA(ctx context.Context, params DownstreamX509CAParams) ([]*x509.Certificate, error)
func (*CA) SignServerX509SVID ¶
func (ca *CA) SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)
func (*CA) SignWorkloadJWTSVID ¶ added in v1.6.0
func (*CA) SignWorkloadX509SVID ¶ added in v1.6.0
func (ca *CA) SignWorkloadX509SVID(ctx context.Context, params WorkloadX509SVIDParams) ([]*x509.Certificate, error)
func (*CA) TaintedAuthorities ¶ added in v1.11.0
func (ca *CA) TaintedAuthorities() <-chan []*x509.Certificate
type Config ¶
// Config holds the dependencies used to build a CA.
//
// NOTE(review): the documentation does not state which fields are optional;
// treat all of them as required unless the constructor says otherwise.
type Config struct {
	// Log is the logger the CA writes to.
	Log logrus.FieldLogger
	// Clock is the time source used by the CA.
	Clock clock.Clock
	// Metrics receives telemetry emitted by the CA.
	Metrics telemetry.Metrics
	// TrustDomain is the trust domain the CA operates in.
	TrustDomain spiffeid.TrustDomain
	// CredBuilder builds the credential templates that get signed — confirm.
	CredBuilder *credtemplate.Builder
	// CredValidator validates credentials (the same type X509CAValidator uses).
	CredValidator *credvalidator.Validator
	// HealthChecker is the health checker the CA registers with — confirm.
	HealthChecker health.Checker
}
type DownstreamX509CAParams ¶ added in v1.6.0
// DownstreamX509CAParams are parameters relevant to downstream X.509 CA creation.
type DownstreamX509CAParams struct {
	// PublicKey is the public key of the downstream CA being certified.
	PublicKey crypto.PublicKey
	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration
}
DownstreamX509CAParams are parameters relevant to downstream X.509 CA creation.
type ServerCA ¶
// ServerCA is the interface implemented by server CAs (see CA). Each Sign*
// method returns the signed certificate(s), or the serialized token for
// JWT-SVIDs.
type ServerCA interface {
	// SignDownstreamX509CA signs an X.509 CA certificate for a downstream CA.
	SignDownstreamX509CA(ctx context.Context, params DownstreamX509CAParams) ([]*x509.Certificate, error)
	// SignServerX509SVID signs an X509-SVID for the server itself.
	SignServerX509SVID(ctx context.Context, params ServerX509SVIDParams) ([]*x509.Certificate, error)
	// SignAgentX509SVID signs an X509-SVID for an agent.
	SignAgentX509SVID(ctx context.Context, params AgentX509SVIDParams) ([]*x509.Certificate, error)
	// SignWorkloadX509SVID signs an X509-SVID for a workload.
	SignWorkloadX509SVID(ctx context.Context, params WorkloadX509SVIDParams) ([]*x509.Certificate, error)
	// SignWorkloadJWTSVID signs a JWT-SVID for a workload and returns the
	// serialized token.
	SignWorkloadJWTSVID(ctx context.Context, params WorkloadJWTSVIDParams) (string, error)
	// TaintedAuthorities returns a channel on which batches of tainted X.509
	// authorities are delivered (see CA.NotifyTaintedX509Authorities).
	TaintedAuthorities() <-chan []*x509.Certificate
}
ServerCA is the interface implemented by server CAs.
type ServerX509SVIDParams ¶
ServerX509SVIDParams are parameters relevant to server X509-SVID creation
type UpstreamClient ¶ added in v0.10.0
// UpstreamClient is used to interact with and stream updates from the
// UpstreamAuthority plugin. Create one with NewUpstreamClient and release it
// with Close, which stops any open streams.
type UpstreamClient struct {
	// contains filtered or unexported fields
}
UpstreamClient is used to interact with and stream updates from the UpstreamAuthority plugin.
func NewUpstreamClient ¶ added in v0.10.0
func NewUpstreamClient(config UpstreamClientConfig) *UpstreamClient
NewUpstreamClient returns a new UpstreamAuthority plugin client.
func (*UpstreamClient) Close ¶ added in v0.10.0
func (u *UpstreamClient) Close() error
Close closes the client, stopping any open streams against the UpstreamAuthority plugin.
func (*UpstreamClient) MintX509CA ¶ added in v0.10.0
func (u *UpstreamClient) MintX509CA(ctx context.Context, csr []byte, ttl time.Duration, validateX509CA ValidateX509CAFunc) (_ []*x509.Certificate, err error)
MintX509CA mints an X.509 CA using the UpstreamAuthority. It maintains an open stream to the UpstreamAuthority plugin to receive and append X.509 root updates to the bundle. The stream remains open until another call to MintX509CA happens or the client is closed.
func (*UpstreamClient) PublishJWTKey ¶ added in v0.10.0
func (u *UpstreamClient) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ []*common.PublicKey, err error)
PublishJWTKey publishes the JWT key to the UpstreamAuthority. It maintains an open stream to the UpstreamAuthority plugin to receive and append JWT key updates to the bundle. The stream remains open until another call to PublishJWTKey happens or the client is closed.
func (*UpstreamClient) WaitUntilMintX509CAStreamDone ¶ added in v0.10.0
func (u *UpstreamClient) WaitUntilMintX509CAStreamDone(ctx context.Context) error
WaitUntilMintX509CAStreamDone waits until the MintX509CA stream has stopped.
func (*UpstreamClient) WaitUntilPublishJWTKeyStreamDone ¶ added in v0.10.0
func (u *UpstreamClient) WaitUntilPublishJWTKeyStreamDone(ctx context.Context) error
WaitUntilPublishJWTKeyStreamDone waits until the PublishJWTKey stream has stopped.
type UpstreamClientConfig ¶ added in v0.10.0
// UpstreamClientConfig is the configuration for an UpstreamClient. Each field
// is required.
type UpstreamClientConfig struct {
	// UpstreamAuthority is the UpstreamAuthority plugin the client talks to.
	UpstreamAuthority upstreamauthority.UpstreamAuthority
	// BundleUpdater receives the X.509 root and JWT key updates streamed back
	// from the plugin.
	BundleUpdater BundleUpdater
}
UpstreamClientConfig is the configuration for an UpstreamClient. Each field is required.
type ValidateX509CAFunc ¶ added in v1.2.0
// ValidateX509CAFunc is used by the upstream client to validate an X509CA
// newly minted by an upstream authority before it accepts it. Judging by the
// parameter names, x509CA is the minted CA and x509Roots are the roots
// reported by the upstream; returning a non-nil error rejects the minted CA.
//
// NOTE(review): (*X509CAValidator).ValidateUpstreamX509CA has a matching
// signature and is presumably the intended implementation — confirm.
type ValidateX509CAFunc = func(x509CA, x509Roots []*x509.Certificate) error
ValidateX509CAFunc is used by the upstream client to validate an X509CA newly minted by an upstream authority before it accepts it.
type WorkloadJWTSVIDParams ¶ added in v1.6.0
// WorkloadJWTSVIDParams are parameters relevant to workload JWT-SVID creation.
type WorkloadJWTSVIDParams struct {
	// SPIFFEID is the SPIFFE ID of the SVID.
	SPIFFEID spiffeid.ID
	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the token will be capped to that of the signing key.
	TTL time.Duration
	// Audience is used for audience claims.
	Audience []string
}
WorkloadJWTSVIDParams are parameters relevant to workload JWT-SVID creation.
type WorkloadX509SVIDParams ¶ added in v1.6.0
// WorkloadX509SVIDParams are parameters relevant to workload X509-SVID creation.
type WorkloadX509SVIDParams struct {
	// PublicKey is the public key the X509-SVID is issued for.
	PublicKey crypto.PublicKey
	// SPIFFEID is the SPIFFE ID of the SVID.
	SPIFFEID spiffeid.ID
	// DNSNames is used to add DNS SANs to the X509 SVID. The first entry is
	// also added as the CN.
	DNSNames []string
	// TTL is the desired time-to-live of the SVID. Regardless of the TTL, the
	// lifetime of the certificate will be capped to that of the signing cert.
	TTL time.Duration
	// Subject of the SVID. Default subject is used if it is empty.
	Subject pkix.Name
}
WorkloadX509SVIDParams are parameters relevant to workload X509-SVID creation.
type X509CA ¶
// X509CA is the X.509 signing material installed into a CA with SetX509CA and
// read back with X509CA.
type X509CA struct {
	// Signer is used to sign child certificates.
	Signer crypto.Signer
	// Certificate is the CA certificate.
	Certificate *x509.Certificate
	// UpstreamChain contains the CA certificate and intermediates necessary to
	// chain back to the upstream trust bundle. It is only set if the CA is
	// signed by an UpstreamCA.
	UpstreamChain []*x509.Certificate
}
type X509CAValidator ¶ added in v1.2.0
// X509CAValidator validates X.509 CA certificates before they are put into
// use; see ValidateSelfSignedX509CA and ValidateUpstreamX509CA.
type X509CAValidator struct {
	// TrustDomain is the trust domain the CA is expected to belong to.
	TrustDomain spiffeid.TrustDomain
	// CredValidator performs the credential validation.
	CredValidator *credvalidator.Validator
	// Signer is the CA's signer; presumably used to check that the CA
	// certificate's public key matches the signing key — confirm.
	Signer crypto.Signer
	// Clock is the time source used for validity-period checks — confirm.
	Clock clock.Clock
}
func (*X509CAValidator) ValidateSelfSignedX509CA ¶ added in v1.2.0
func (v *X509CAValidator) ValidateSelfSignedX509CA(x509CA *x509.Certificate) error
func (*X509CAValidator) ValidateUpstreamX509CA ¶ added in v1.2.0
func (v *X509CAValidator) ValidateUpstreamX509CA(x509CA, upstreamRoots []*x509.Certificate) error