Documentation ¶
Index ¶
- func AgentAuthorizer(ds datastore.DataStore, clk clock.Clock) middleware.AgentAuthorizer
- func EntryFetcher(ds datastore.DataStore) middleware.EntryFetcher
- func Middleware(log logrus.FieldLogger, metrics telemetry.Metrics, ds datastore.DataStore, ...) middleware.Middleware
- func RateLimits(config RateLimitConfig) map[string]api.RateLimiter
- func UpstreamPublisher(jwtKeyPublisher manager.JwtKeyPublisher) bundle.UpstreamPublisher
- type APIServers
- type AuthorizedEntryFetcherWithEventsBasedCache
- func (a *AuthorizedEntryFetcherWithEventsBasedCache) FetchAuthorizedEntries(_ context.Context, agentID spiffeid.ID) ([]*types.Entry, error)
- func (a *AuthorizedEntryFetcherWithEventsBasedCache) PruneEventsTask(ctx context.Context) error
- func (a *AuthorizedEntryFetcherWithEventsBasedCache) RunUpdateCacheTask(ctx context.Context) error
- type AuthorizedEntryFetcherWithFullCache
- func (a *AuthorizedEntryFetcherWithFullCache) FetchAuthorizedEntries(_ context.Context, agentID spiffeid.ID) ([]*types.Entry, error)
- func (a *AuthorizedEntryFetcherWithFullCache) PruneEventsTask(ctx context.Context) error
- func (a *AuthorizedEntryFetcherWithFullCache) RunRebuildCacheTask(ctx context.Context) error
- type Config
- type Endpoints
- type RateLimitConfig
- type Server
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AgentAuthorizer ¶ added in v0.11.0
func AgentAuthorizer(ds datastore.DataStore, clk clock.Clock) middleware.AgentAuthorizer
func EntryFetcher ¶ added in v0.11.0
func EntryFetcher(ds datastore.DataStore) middleware.EntryFetcher
func Middleware ¶ added in v0.11.0
func Middleware(log logrus.FieldLogger, metrics telemetry.Metrics, ds datastore.DataStore, clk clock.Clock, rlConf RateLimitConfig, policyEngine *authpolicy.Engine, auditLogEnabled bool, adminIDs []spiffeid.ID) middleware.Middleware
func RateLimits ¶ added in v0.11.0
func RateLimits(config RateLimitConfig) map[string]api.RateLimiter
func UpstreamPublisher ¶ added in v0.11.0
func UpstreamPublisher(jwtKeyPublisher manager.JwtKeyPublisher) bundle.UpstreamPublisher
Types ¶
type APIServers ¶ added in v0.11.0
// APIServers bundles the gRPC service implementations that the endpoints
// subsystem registers on its listeners. Every field is a server-side
// interface for one SPIRE Server API; a nil field here is not something
// this listing can tell you is tolerated, so presumably all must be set.
type APIServers struct {
	// AgentServer serves the Agent API (node attestation, agent SVID renewal, ...).
	AgentServer agentv1.AgentServer
	// BundleServer serves the Bundle API (trust bundle read/update).
	BundleServer bundlev1.BundleServer
	// DebugServer serves the Debug API.
	DebugServer debugv1_pb.DebugServer
	// EntryServer serves the Entry API (registration entries).
	EntryServer entryv1.EntryServer
	// HealthServer serves the standard gRPC health-check protocol.
	HealthServer grpc_health_v1.HealthServer
	// LoggerServer serves the Logger API (runtime log-level changes).
	LoggerServer loggerv1.LoggerServer
	// SVIDServer serves the SVID API (X509-SVID / JWT-SVID minting).
	SVIDServer svidv1.SVIDServer
	// TrustDomainServer serves the TrustDomain API (federation relationships).
	TrustDomainServer trustdomainv1.TrustDomainServer
	// LocalAUthorityServer serves the LocalAuthority API (CA key rotation).
	// NOTE(review): the field name carries an unconventional "AU" capitalization;
	// it is exported, so renaming it is an API change and is left as-is here.
	LocalAUthorityServer localauthorityv1.LocalAuthorityServer
}
type AuthorizedEntryFetcherWithEventsBasedCache ¶ added in v1.8.7
// AuthorizedEntryFetcherWithEventsBasedCache serves FetchAuthorizedEntries
// for an agent from an in-memory entry cache that is kept current by
// RunUpdateCacheTask and trimmed by PruneEventsTask. Construct it with
// NewAuthorizedEntryFetcherWithEventsBasedCache; the zero value is not usable
// (all fields are unexported).
type AuthorizedEntryFetcherWithEventsBasedCache struct {
	// contains filtered or unexported fields
}
func NewAuthorizedEntryFetcherWithEventsBasedCache ¶ added in v1.8.7
func (*AuthorizedEntryFetcherWithEventsBasedCache) FetchAuthorizedEntries ¶ added in v1.8.7
func (*AuthorizedEntryFetcherWithEventsBasedCache) PruneEventsTask ¶ added in v1.8.7
func (a *AuthorizedEntryFetcherWithEventsBasedCache) PruneEventsTask(ctx context.Context) error
PruneEventsTask starts a ticker which prunes old events. It is intended to run as a long-lived task alongside RunUpdateCacheTask.
func (*AuthorizedEntryFetcherWithEventsBasedCache) RunUpdateCacheTask ¶ added in v1.8.7
func (a *AuthorizedEntryFetcherWithEventsBasedCache) RunUpdateCacheTask(ctx context.Context) error
RunUpdateCacheTask starts a ticker which rebuilds the in-memory entry cache.
type AuthorizedEntryFetcherWithFullCache ¶ added in v0.12.0
// AuthorizedEntryFetcherWithFullCache serves FetchAuthorizedEntries for an
// agent from an in-memory entry cache that RunRebuildCacheTask rebuilds in
// full on a ticker. Construct it with NewAuthorizedEntryFetcherWithFullCache;
// the zero value is not usable (all fields are unexported).
type AuthorizedEntryFetcherWithFullCache struct {
	// contains filtered or unexported fields
}
func NewAuthorizedEntryFetcherWithFullCache ¶ added in v0.12.0
func (*AuthorizedEntryFetcherWithFullCache) FetchAuthorizedEntries ¶ added in v0.12.0
func (*AuthorizedEntryFetcherWithFullCache) PruneEventsTask ¶ added in v1.8.0
func (a *AuthorizedEntryFetcherWithFullCache) PruneEventsTask(ctx context.Context) error
PruneEventsTask starts a ticker which prunes old events. It is intended to run as a long-lived task alongside RunRebuildCacheTask.
func (*AuthorizedEntryFetcherWithFullCache) RunRebuildCacheTask ¶ added in v0.12.0
func (a *AuthorizedEntryFetcherWithFullCache) RunRebuildCacheTask(ctx context.Context) error
RunRebuildCacheTask starts a ticker which rebuilds the in-memory entry cache.
type Config ¶
// Config is the configuration consumed by the endpoints subsystem when it is
// built into an Endpoints value. Fields that carry authorization-relevant
// state (AuthPolicyEngine, AdminIDs, AuditLogEnabled, RateLimit) are passed
// through to the API middleware (see Middleware) and should be treated as
// security-critical configuration.
type Config struct {
	// TCPAddr is the address to bind the TCP listener to.
	TCPAddr *net.TCPAddr
	// LocalAddr is the local address to bind the listener to.
	LocalAddr net.Addr
	// The SVID rotator used to obtain the latest server credentials
	SVIDObserver svid.Observer
	// The server's configured trust domain. Used for validation, server SVID, etc.
	TrustDomain spiffeid.TrustDomain
	// Plugin catalog
	Catalog catalog.Catalog
	// Server CA for signing SVIDs
	ServerCA ca.ServerCA
	// Bundle endpoint configuration
	BundleEndpoint bundle.EndpointConfig
	// Authority manager
	AuthorityManager manager.AuthorityManager
	// Makes policy decisions
	AuthPolicyEngine *authpolicy.Engine
	// The logger for the endpoints subsystem
	Log logrus.FieldLogger
	// The root logger for the entire process
	RootLog loggerv1.Logger
	// The default (original config) log level
	LaunchLogLevel logrus.Level
	// Metrics is the telemetry sink for the endpoints subsystem.
	Metrics telemetry.Metrics
	// RateLimit holds rate limiting configurations (attestation and signing;
	// see RateLimitConfig).
	RateLimit RateLimitConfig
	// Uptime reports how long the process has been running.
	Uptime func() time.Duration
	// Clock is the time source; injectable so tests can control it.
	Clock clock.Clock
	// CacheReloadInterval controls how often the in-memory entry cache reloads
	CacheReloadInterval time.Duration
	// EventsBasedCache enables event-driven cache reloads
	// (AuthorizedEntryFetcherWithEventsBasedCache instead of the full-rebuild cache).
	EventsBasedCache bool
	// PruneEventsOlderThan controls how long events can live before they are pruned
	PruneEventsOlderThan time.Duration
	// SQLTransactionTimeout controls how long to wait for an event before giving up
	SQLTransactionTimeout time.Duration
	// AuditLogEnabled turns on audit logging in the API middleware (it is the
	// auditLogEnabled argument of Middleware).
	AuditLogEnabled bool
	// AdminIDs are a list of fixed IDs that when presented by a caller in an
	// X509-SVID, are granted admin rights.
	// NOTE(review): any workload holding a valid SVID for one of these IDs
	// gets admin-level API access, so keep the list minimal and review it as
	// carefully as the authorization policy itself.
	AdminIDs []spiffeid.ID
	// BundleManager manages federated bundle refreshes.
	BundleManager *bundle_client.Manager
	// UseLegacyDownstreamX509CATTL, if true, the downstream X509CAs will use
	// the legacy TTL calculation ( e.g. prefer downstream workload entry TTL,
	// then fall back to the default workload X509-SVID TTL) v.s. the new TTL
	// calculation (prefer the TTL passed by the downstream caller, then fall
	// back to the default X509 CA TTL).
	UseLegacyDownstreamX509CATTL bool
}
Config is the configuration for the endpoints subsystem; it is the input from which an Endpoints value is built.
type Endpoints ¶
// Endpoints holds the fully wired state of the endpoints subsystem: the
// listen addresses, the API server implementations, the background tasks
// that keep caches and certificates fresh, and the authorization inputs
// (AuthPolicyEngine, AdminIDs, AuditLogEnabled, RateLimit) handed to the
// API middleware. ListenAndServe runs all of it.
type Endpoints struct {
	// TCPAddr is the address to bind the TCP listener to.
	TCPAddr *net.TCPAddr
	// LocalAddr is the local address to bind the listener to.
	LocalAddr net.Addr
	// SVIDObserver provides the latest server credentials.
	SVIDObserver svid.Observer
	// TrustDomain is the server's configured trust domain.
	TrustDomain spiffeid.TrustDomain
	// DataStore is the backing datastore used by the API servers and
	// the middleware's AgentAuthorizer / EntryFetcher.
	DataStore datastore.DataStore
	// BundleCache caches trust bundles served on the bundle endpoint.
	BundleCache *bundle.Cache
	// APIServers are the gRPC service implementations to register.
	APIServers APIServers
	// BundleEndpointServer serves the federation bundle endpoint.
	BundleEndpointServer Server
	// Log is the logger for the endpoints subsystem.
	Log logrus.FieldLogger
	// Metrics is the telemetry sink for the endpoints subsystem.
	Metrics telemetry.Metrics
	// RateLimit holds rate limiting configurations (see RateLimitConfig).
	RateLimit RateLimitConfig
	// EntryFetcherCacheRebuildTask is the long-running task that keeps the
	// entry cache current (RunRebuildCacheTask or RunUpdateCacheTask).
	EntryFetcherCacheRebuildTask func(context.Context) error
	// EntryFetcherPruneEventsTask is the long-running task that prunes old
	// events (PruneEventsTask).
	EntryFetcherPruneEventsTask func(context.Context) error
	// CertificateReloadTask is the long-running task that reloads the
	// serving certificate.
	CertificateReloadTask func(context.Context) error
	// AuditLogEnabled turns on audit logging in the API middleware.
	AuditLogEnabled bool
	// AuthPolicyEngine makes authorization policy decisions for API calls.
	AuthPolicyEngine *authpolicy.Engine
	// AdminIDs are fixed SPIFFE IDs that, when presented in a caller's
	// X509-SVID, are granted admin rights. Security-critical; keep minimal.
	AdminIDs []spiffeid.ID
}
func (*Endpoints) ListenAndServe ¶
ListenAndServe starts all endpoint servers and blocks until the context is canceled or any of the servers fails to run. If the context is canceled, the function returns nil. Otherwise, the error from the failed server is returned.
type RateLimitConfig ¶ added in v0.11.0
// RateLimitConfig holds rate limiting configurations. Each flag enables the
// limiter for one class of request; RateLimits turns this into the per-RPC
// limiter map used by the middleware. Disabling a limiter removes a
// denial-of-service guard on that request class.
type RateLimitConfig struct {
	// Attestation, if true, rate limits attestation
	Attestation bool
	// Signing, if true, rate limits JWT and X509 signing requests
	Signing bool
}
RateLimitConfig holds rate limiting configurations.
type Server ¶
// Server is implemented by anything that can run a set of endpoint servers
// to completion; *Endpoints satisfies it via ListenAndServe.
type Server interface {
	// ListenAndServe starts all endpoint servers and blocks until the context
	// is canceled or any of the servers fails to run. If the context is
	// canceled, the function returns nil. Otherwise, the error from the failed
	// server is returned.
	ListenAndServe(ctx context.Context) error
}
Server manages the lifecycle of the gRPC and HTTP endpoints.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
internal/acmetest
nolint // forked code
|
nolint // forked code |
internal/autocert
nolint // forked code
|
nolint // forked code |