endpoints

package
v1.10.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 3, 2024 License: Apache-2.0 Imports: 68 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AgentAuthorizer added in v0.11.0

func AgentAuthorizer(ds datastore.DataStore, clk clock.Clock) middleware.AgentAuthorizer

func EntryFetcher added in v0.11.0

func EntryFetcher(ds datastore.DataStore) middleware.EntryFetcher

func Middleware added in v0.11.0

func Middleware(log logrus.FieldLogger, metrics telemetry.Metrics, ds datastore.DataStore, clk clock.Clock, rlConf RateLimitConfig, policyEngine *authpolicy.Engine, auditLogEnabled bool, adminIDs []spiffeid.ID) middleware.Middleware

func RateLimits added in v0.11.0

func RateLimits(config RateLimitConfig) map[string]api.RateLimiter

func UpstreamPublisher added in v0.11.0

func UpstreamPublisher(jwtKeyPublisher manager.JwtKeyPublisher) bundle.UpstreamPublisher

Types

type APIServers added in v0.11.0

type APIServers struct {
	AgentServer          agentv1.AgentServer
	BundleServer         bundlev1.BundleServer
	DebugServer          debugv1_pb.DebugServer
	EntryServer          entryv1.EntryServer
	HealthServer         grpc_health_v1.HealthServer
	LoggerServer         loggerv1.LoggerServer
	SVIDServer           svidv1.SVIDServer
	TrustDomainServer    trustdomainv1.TrustDomainServer
	LocalAUthorityServer localauthorityv1.LocalAuthorityServer
}

type AuthorizedEntryFetcherWithEventsBasedCache added in v1.8.7

type AuthorizedEntryFetcherWithEventsBasedCache struct {
	// contains filtered or unexported fields
}

func NewAuthorizedEntryFetcherWithEventsBasedCache added in v1.8.7

func NewAuthorizedEntryFetcherWithEventsBasedCache(ctx context.Context, log logrus.FieldLogger, metrics telemetry.Metrics, clk clock.Clock, ds datastore.DataStore, cacheReloadInterval, pruneEventsOlderThan, sqlTransactionTimeout time.Duration) (*AuthorizedEntryFetcherWithEventsBasedCache, error)

func (*AuthorizedEntryFetcherWithEventsBasedCache) FetchAuthorizedEntries added in v1.8.7

func (a *AuthorizedEntryFetcherWithEventsBasedCache) FetchAuthorizedEntries(_ context.Context, agentID spiffeid.ID) ([]*types.Entry, error)

func (*AuthorizedEntryFetcherWithEventsBasedCache) PruneEventsTask added in v1.8.7

PruneEventsTask start a ticker which prunes old events

func (*AuthorizedEntryFetcherWithEventsBasedCache) RunUpdateCacheTask added in v1.8.7

RunUpdateCacheTask starts a ticker which rebuilds the in-memory entry cache.

type AuthorizedEntryFetcherWithFullCache added in v0.12.0

type AuthorizedEntryFetcherWithFullCache struct {
	// contains filtered or unexported fields
}

func NewAuthorizedEntryFetcherWithFullCache added in v0.12.0

func NewAuthorizedEntryFetcherWithFullCache(ctx context.Context, buildCache entryCacheBuilderFn, log logrus.FieldLogger, clk clock.Clock, ds datastore.DataStore, cacheReloadInterval, pruneEventsOlderThan time.Duration) (*AuthorizedEntryFetcherWithFullCache, error)

func (*AuthorizedEntryFetcherWithFullCache) FetchAuthorizedEntries added in v0.12.0

func (a *AuthorizedEntryFetcherWithFullCache) FetchAuthorizedEntries(_ context.Context, agentID spiffeid.ID) ([]*types.Entry, error)

func (*AuthorizedEntryFetcherWithFullCache) PruneEventsTask added in v1.8.0

func (a *AuthorizedEntryFetcherWithFullCache) PruneEventsTask(ctx context.Context) error

PruneEventsTask start a ticker which prunes old events

func (*AuthorizedEntryFetcherWithFullCache) RunRebuildCacheTask added in v0.12.0

func (a *AuthorizedEntryFetcherWithFullCache) RunRebuildCacheTask(ctx context.Context) error

RunRebuildCacheTask starts a ticker which rebuilds the in-memory entry cache.

type Config

type Config struct {
	// TPCAddr is the address to bind the TCP listener to.
	TCPAddr *net.TCPAddr

	// LocalAddr is the local address to bind the listener to.
	LocalAddr net.Addr

	// The svid rotator used to obtain the latest server credentials
	SVIDObserver svid.Observer

	// The server's configured trust domain. Used for validation, server SVID, etc.
	TrustDomain spiffeid.TrustDomain

	// Plugin catalog
	Catalog catalog.Catalog

	// Server CA for signing SVIDs
	ServerCA ca.ServerCA

	// Bundle endpoint configuration
	BundleEndpoint bundle.EndpointConfig

	// Authority manager
	AuthorityManager manager.AuthorityManager

	// Makes policy decisions
	AuthPolicyEngine *authpolicy.Engine

	// The logger for the endpoints subsystem
	Log logrus.FieldLogger

	// The root logger for the entire process
	RootLog loggerv1.Logger

	// The default (original config) log level
	LaunchLogLevel logrus.Level

	Metrics telemetry.Metrics

	// RateLimit holds rate limiting configurations.
	RateLimit RateLimitConfig

	Uptime func() time.Duration

	Clock clock.Clock

	// CacheReloadInterval controls how often the in-memory entry cache reloads
	CacheReloadInterval time.Duration

	// EventsBasedCache enabled event driven cache reloads
	EventsBasedCache bool

	// PruneEventsOlderThan controls how long events can live before they are pruned
	PruneEventsOlderThan time.Duration

	// SQLTransactionTimeout controls how long to wait for an event before giving up
	SQLTransactionTimeout time.Duration

	AuditLogEnabled bool

	// AdminIDs are a list of fixed IDs that when presented by a caller in an
	// X509-SVID, are granted admin rights.
	AdminIDs []spiffeid.ID

	BundleManager *bundle_client.Manager

	// UseLegacyDownstreamX509CATTL, if true, the downstream X509CAs will use
	// the legacy TTL calculation ( e.g. prefer downstream workload entry TTL,
	// then fall back to the default workload X509-SVID TTL) v.s. the new TTL
	// calculation (prefer the TTL passed by the downstream caller, then fall
	// back to the default X509 CA TTL).
	UseLegacyDownstreamX509CATTL bool
}

Config is a configuration for endpoints

type Endpoints

type Endpoints struct {
	TCPAddr                      *net.TCPAddr
	LocalAddr                    net.Addr
	SVIDObserver                 svid.Observer
	TrustDomain                  spiffeid.TrustDomain
	DataStore                    datastore.DataStore
	BundleCache                  *bundle.Cache
	APIServers                   APIServers
	BundleEndpointServer         Server
	Log                          logrus.FieldLogger
	Metrics                      telemetry.Metrics
	RateLimit                    RateLimitConfig
	EntryFetcherCacheRebuildTask func(context.Context) error
	EntryFetcherPruneEventsTask  func(context.Context) error
	CertificateReloadTask        func(context.Context) error
	AuditLogEnabled              bool
	AuthPolicyEngine             *authpolicy.Engine
	AdminIDs                     []spiffeid.ID
}

func New

func New(ctx context.Context, c Config) (*Endpoints, error)

New creates new endpoints struct

func (*Endpoints) ListenAndServe

func (e *Endpoints) ListenAndServe(ctx context.Context) error

ListenAndServe starts all endpoint servers and blocks until the context is canceled or any of the servers fails to run. If the context is canceled, the function returns nil. Otherwise, the error from the failed server is returned.

type RateLimitConfig added in v0.11.0

type RateLimitConfig struct {
	// Attestation, if true, rate limits attestation
	Attestation bool

	// Signing, if true, rate limits JWT and X509 signing requests
	Signing bool
}

RateLimitConfig holds rate limiting configurations.

type Server

type Server interface {
	// ListenAndServe starts all endpoint servers and blocks until the context
	// is canceled or any of the servers fails to run. If the context is
	// canceled, the function returns nil. Otherwise, the error from the failed
	// server is returned.
	ListenAndServe(ctx context.Context) error
}

Server manages gRPC and HTTP endpoint lifecycle

Directories

Path Synopsis
internal/acmetest
nolint // forked code
nolint // forked code
internal/autocert
nolint // forked code
nolint // forked code

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL