Index ¶
- Constants
- type AttestedNode
- type Bundle
- type DNSName
- type FederatedTrustDomain
- type JoinToken
- type Migration
- type Model
- type NodeSelector
- type Plugin
- func (ds *Plugin) AppendBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)
- func (ds *Plugin) Configure(hclConfiguration string) error
- func (ds *Plugin) CountAttestedNodes(ctx context.Context) (count int32, err error)
- func (ds *Plugin) CountBundles(ctx context.Context) (count int32, err error)
- func (ds *Plugin) CountRegistrationEntries(ctx context.Context) (count int32, err error)
- func (ds *Plugin) CreateAttestedNode(ctx context.Context, node *common.AttestedNode) (attestedNode *common.AttestedNode, err error)
- func (ds *Plugin) CreateBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)
- func (ds *Plugin) CreateFederationRelationship(ctx context.Context, fr *datastore.FederationRelationship) (newFr *datastore.FederationRelationship, err error)
- func (ds *Plugin) CreateJoinToken(ctx context.Context, token *datastore.JoinToken) (err error)
- func (ds *Plugin) CreateOrReturnRegistrationEntry(ctx context.Context, entry *common.RegistrationEntry) (registrationEntry *common.RegistrationEntry, existing bool, err error)
- func (ds *Plugin) CreateRegistrationEntry(ctx context.Context, entry *common.RegistrationEntry) (registrationEntry *common.RegistrationEntry, err error)
- func (ds *Plugin) DeleteAttestedNode(ctx context.Context, spiffeID string) (attestedNode *common.AttestedNode, err error)
- func (ds *Plugin) DeleteBundle(ctx context.Context, trustDomainID string, mode datastore.DeleteMode) (err error)
- func (ds *Plugin) DeleteFederationRelationship(ctx context.Context, trustDomain spiffeid.TrustDomain) error
- func (ds *Plugin) DeleteJoinToken(ctx context.Context, token string) (err error)
- func (ds *Plugin) DeleteRegistrationEntry(ctx context.Context, entryID string) (registrationEntry *common.RegistrationEntry, err error)
- func (ds *Plugin) FetchAttestedNode(ctx context.Context, spiffeID string) (attestedNode *common.AttestedNode, err error)
- func (ds *Plugin) FetchBundle(ctx context.Context, trustDomainID string) (resp *common.Bundle, err error)
- func (ds *Plugin) FetchFederationRelationship(ctx context.Context, trustDomain spiffeid.TrustDomain) (fr *datastore.FederationRelationship, err error)
- func (ds *Plugin) FetchJoinToken(ctx context.Context, token string) (resp *datastore.JoinToken, err error)
- func (ds *Plugin) FetchRegistrationEntry(ctx context.Context, entryID string) (*common.RegistrationEntry, error)
- func (ds *Plugin) GetNodeSelectors(ctx context.Context, spiffeID string, ...) (selectors []*common.Selector, err error)
- func (ds *Plugin) ListAttestedNodes(ctx context.Context, req *datastore.ListAttestedNodesRequest) (resp *datastore.ListAttestedNodesResponse, err error)
- func (ds *Plugin) ListBundles(ctx context.Context, req *datastore.ListBundlesRequest) (resp *datastore.ListBundlesResponse, err error)
- func (ds *Plugin) ListFederationRelationships(ctx context.Context, req *datastore.ListFederationRelationshipsRequest) (resp *datastore.ListFederationRelationshipsResponse, err error)
- func (ds *Plugin) ListNodeSelectors(ctx context.Context, req *datastore.ListNodeSelectorsRequest) (resp *datastore.ListNodeSelectorsResponse, err error)
- func (ds *Plugin) ListRegistrationEntries(ctx context.Context, req *datastore.ListRegistrationEntriesRequest) (resp *datastore.ListRegistrationEntriesResponse, err error)
- func (ds *Plugin) PruneBundle(ctx context.Context, trustDomainID string, expiresBefore time.Time) (changed bool, err error)
- func (ds *Plugin) PruneJoinTokens(ctx context.Context, expiry time.Time) (err error)
- func (ds *Plugin) PruneRegistrationEntries(ctx context.Context, expiresBefore time.Time) (err error)
- func (ds *Plugin) SetBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)
- func (ds *Plugin) SetNodeSelectors(ctx context.Context, spiffeID string, selectors []*common.Selector) (err error)
- func (ds *Plugin) UpdateAttestedNode(ctx context.Context, n *common.AttestedNode, mask *common.AttestedNodeMask) (node *common.AttestedNode, err error)
- func (ds *Plugin) UpdateBundle(ctx context.Context, b *common.Bundle, mask *common.BundleMask) (bundle *common.Bundle, err error)
- func (ds *Plugin) UpdateFederationRelationship(ctx context.Context, fr *datastore.FederationRelationship, ...) (newFr *datastore.FederationRelationship, err error)
- func (ds *Plugin) UpdateRegistrationEntry(ctx context.Context, e *common.RegistrationEntry, ...) (entry *common.RegistrationEntry, err error)
- type RegisteredEntry
- type Selector
- type V3AttestedNode
Constants ¶
const (
	// PluginName is the name of this SQL-backed DataStore plugin.
	PluginName = "sql"

	// Database type identifiers. NOTE(review): presumably these are the
	// accepted values for the database type in the plugin's HCL
	// configuration — confirm against Configure.

	// MySQL database type
	MySQL = "mysql"
	// PostgreSQL database type
	PostgreSQL = "postgres"
	// SQLite database type
	SQLite = "sqlite3"
)
Types ¶
type AttestedNode ¶
// AttestedNode holds an attested node (agent).
//
// Rows are keyed by the agent's SPIFFE ID (unique index); ExpiresAt is
// indexed so expiry-based queries do not scan the table.
type AttestedNode struct {
	Model

	// SpiffeID identifies the agent; the unique index makes it the
	// natural key of the table.
	SpiffeID string `gorm:"unique_index"`
	// DataType — NOTE(review): presumably the node attestation type the
	// agent attested with; confirm against the datastore AttestedNode type.
	DataType string
	// SerialNumber and ExpiresAt describe the agent's current certificate
	// (see UpdateAttestedNode, which updates the cert serial and expiration).
	SerialNumber string
	ExpiresAt    time.Time `gorm:"index"`
	// NewSerialNumber and NewExpiresAt — NOTE(review): presumably the
	// serial/expiry of a newly issued certificate that has not replaced
	// the current one yet; NewExpiresAt is a pointer so it can be unset.
	// Confirm against the agent SVID rotation code.
	NewSerialNumber string
	NewExpiresAt    *time.Time
	// CanReattest — NOTE(review): semantics not shown here; presumably
	// whether the agent may re-attest under the same SPIFFE ID. Confirm.
	CanReattest bool
	// Selectors are the node selectors associated with this agent
	// (NodeSelector rows are also keyed by SPIFFE ID).
	Selectors []*NodeSelector
}
AttestedNode holds an attested node (agent).
func (AttestedNode) TableName ¶
func (AttestedNode) TableName() string
TableName gets table name of AttestedNode
type Bundle ¶
// Bundle holds a trust bundle.
//
// One row per trust domain (TrustDomain is not null and uniquely indexed).
type Bundle struct {
	Model

	// TrustDomain is the trust domain the bundle belongs to; it is the
	// unique key of the table.
	TrustDomain string `gorm:"not null;unique_index"`
	// Data is the serialized bundle. NOTE(review): the encoding is not
	// shown on this page — confirm against FetchBundle/SetBundle.
	Data []byte `gorm:"size:16777215"` // make MySQL to use MEDIUMBLOB (max 16MB) - doesn't affect PostgreSQL/SQLite
	// FederatedEntries are the registration entries that federate with
	// this bundle, via the federated_registration_entries join table
	// (the reverse side of RegisteredEntry.FederatesWith).
	FederatedEntries []RegisteredEntry `gorm:"many2many:federated_registration_entries;"`
}
Bundle holds a trust bundle.
type DNSName ¶
// DNSName holds a DNS name for a registration entry.
//
// The composite unique index idx_dns_entry on (RegisteredEntryID, Value)
// prevents the same DNS name from being stored twice for one entry.
type DNSName struct {
	Model

	// RegisteredEntryID references the owning RegisteredEntry row.
	RegisteredEntryID uint `gorm:"unique_index:idx_dns_entry"`
	// Value is the DNS name itself.
	Value string `gorm:"unique_index:idx_dns_entry"`
}
DNSName holds a DNS name for a registration entry.
type FederatedTrustDomain ¶
// FederatedTrustDomain holds federated trust domains. It has the
// information needed to get updated bundles of the federated trust domain
// from a SPIFFE bundle endpoint server.
type FederatedTrustDomain struct {
	Model

	// TrustDomain is the trust domain name (e.g., "example.org") to federate with.
	// It is the unique key of the table.
	TrustDomain string `gorm:"not null;unique_index"`

	// BundleEndpointURL is the URL of the SPIFFE bundle endpoint that provides the trust
	// bundle to federate with.
	BundleEndpointURL string

	// BundleEndpointProfile is the endpoint profile type.
	BundleEndpointProfile string

	// EndpointSPIFFEID specifies the expected SPIFFE ID of the
	// SPIFFE bundle endpoint server when BundleEndpointProfile
	// is "https_spiffe". NOTE(review): for that profile the server's
	// identity is pinned to this value, so a mismatch should be treated
	// as a failed fetch — confirm against the bundle fetcher.
	EndpointSPIFFEID string

	// Implicit indicates whether the trust domain automatically federates with
	// all registration entries by default or not.
	Implicit bool
}
FederatedTrustDomain holds federated trust domains. It has the information needed to get updated bundles of the federated trust domain from a SPIFFE bundle endpoint server.
func (FederatedTrustDomain) TableName ¶
func (FederatedTrustDomain) TableName() string
TableName gets table name of FederatedTrustDomain
type Migration ¶
// Migration holds the database schema version number and the SPIRE code
// version number.
type Migration struct {
	Model

	// Version is the database schema version.
	Version int

	// CodeVersion is the SPIRE code version that last migrated the schema.
	CodeVersion string
}
Migration holds the database schema version number and the SPIRE code version number.
type Model ¶
Model is used as a base for other models. Similar to gorm.Model without `DeletedAt`. We don't want soft-delete support.
type NodeSelector ¶
// NodeSelector holds a node selector by SPIFFE ID.
//
// The composite unique index idx_node_resolver_map on
// (SpiffeID, Type, Value) means an agent cannot carry the same selector
// twice.
type NodeSelector struct {
	Model

	// SpiffeID is the SPIFFE ID of the agent the selector belongs to.
	SpiffeID string `gorm:"unique_index:idx_node_resolver_map"`
	// Type is the selector type.
	Type string `gorm:"unique_index:idx_node_resolver_map"`
	// Value is the selector value.
	Value string `gorm:"unique_index:idx_node_resolver_map"`
}
NodeSelector holds a node selector by SPIFFE ID.
func (NodeSelector) TableName ¶
func (NodeSelector) TableName() string
TableName gets table name of NodeSelector
type Plugin ¶
type Plugin struct {
// contains filtered or unexported fields
}
Plugin is a DataStore plugin implemented via a SQL database
func New ¶
func New(log logrus.FieldLogger) *Plugin
New creates a new sql plugin struct. Configure must be called in order to start the db.
func (*Plugin) AppendBundle ¶
func (ds *Plugin) AppendBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)
AppendBundle appends bundle contents to the existing bundle (by trust domain). If no existing one is present, it is created.
func (*Plugin) Configure ¶
Configure parses HCL config payload into config struct, and opens new DB based on the result
func (*Plugin) CountAttestedNodes ¶
CountAttestedNodes counts all attested nodes
func (*Plugin) CountBundles ¶
CountBundles can be used to count all existing bundles.
func (*Plugin) CountRegistrationEntries ¶
CountRegistrationEntries counts all registrations (pagination available)
func (*Plugin) CreateAttestedNode ¶
func (ds *Plugin) CreateAttestedNode(ctx context.Context, node *common.AttestedNode) (attestedNode *common.AttestedNode, err error)
CreateAttestedNode stores the given attested node
func (*Plugin) CreateBundle ¶
func (ds *Plugin) CreateBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)
CreateBundle stores the given bundle
func (*Plugin) CreateFederationRelationship ¶ added in v1.1.0
func (ds *Plugin) CreateFederationRelationship(ctx context.Context, fr *datastore.FederationRelationship) (newFr *datastore.FederationRelationship, err error)
CreateFederationRelationship creates a new federation relationship. If the bundle endpoint profile is 'https_spiffe' and the given federation relationship contains a bundle, the currently stored bundle is overridden. If no bundle is provided and there is no previously stored bundle in the datastore, the federation relationship is not created.
func (*Plugin) CreateJoinToken ¶
CreateJoinToken takes a Token message and stores it
func (*Plugin) CreateOrReturnRegistrationEntry ¶ added in v1.1.0
func (ds *Plugin) CreateOrReturnRegistrationEntry(ctx context.Context, entry *common.RegistrationEntry) (registrationEntry *common.RegistrationEntry, existing bool, err error)
CreateOrReturnRegistrationEntry stores the given registration entry. If an entry already exists with the same (parentID, spiffeID, selector) tuple, that entry is returned instead.
func (*Plugin) CreateRegistrationEntry ¶
func (ds *Plugin) CreateRegistrationEntry(ctx context.Context, entry *common.RegistrationEntry) (registrationEntry *common.RegistrationEntry, err error)
CreateRegistrationEntry stores the given registration entry
func (*Plugin) DeleteAttestedNode ¶
func (ds *Plugin) DeleteAttestedNode(ctx context.Context, spiffeID string) (attestedNode *common.AttestedNode, err error)
DeleteAttestedNode deletes the given attested node
func (*Plugin) DeleteBundle ¶
func (ds *Plugin) DeleteBundle(ctx context.Context, trustDomainID string, mode datastore.DeleteMode) (err error)
DeleteBundle deletes the bundle with the matching TrustDomain. Any CACert data passed is ignored.
func (*Plugin) DeleteFederationRelationship ¶ added in v1.1.0
func (ds *Plugin) DeleteFederationRelationship(ctx context.Context, trustDomain spiffeid.TrustDomain) error
DeleteFederationRelationship deletes the federation relationship to the given trust domain. The associated trust bundle is not deleted.
func (*Plugin) DeleteJoinToken ¶
DeleteJoinToken deletes the given join token
func (*Plugin) DeleteRegistrationEntry ¶
func (ds *Plugin) DeleteRegistrationEntry(ctx context.Context, entryID string) (registrationEntry *common.RegistrationEntry, err error)
DeleteRegistrationEntry deletes the given registration
func (*Plugin) FetchAttestedNode ¶
func (ds *Plugin) FetchAttestedNode(ctx context.Context, spiffeID string) (attestedNode *common.AttestedNode, err error)
FetchAttestedNode fetches an existing attested node by SPIFFE ID
func (*Plugin) FetchBundle ¶
func (ds *Plugin) FetchBundle(ctx context.Context, trustDomainID string) (resp *common.Bundle, err error)
FetchBundle returns the bundle matching the specified Trust Domain.
func (*Plugin) FetchFederationRelationship ¶ added in v1.1.0
func (ds *Plugin) FetchFederationRelationship(ctx context.Context, trustDomain spiffeid.TrustDomain) (fr *datastore.FederationRelationship, err error)
FetchFederationRelationship fetches the federation relationship that matches the given trust domain. If the federation relationship is not found, nil is returned.
func (*Plugin) FetchJoinToken ¶
func (ds *Plugin) FetchJoinToken(ctx context.Context, token string) (resp *datastore.JoinToken, err error)
FetchJoinToken takes a Token message and returns one, populating the fields we have knowledge of
func (*Plugin) FetchRegistrationEntry ¶
func (ds *Plugin) FetchRegistrationEntry(ctx context.Context, entryID string) (*common.RegistrationEntry, error)
FetchRegistrationEntry fetches an existing registration by entry ID
func (*Plugin) GetNodeSelectors ¶
func (ds *Plugin) GetNodeSelectors(ctx context.Context, spiffeID string, dataConsistency datastore.DataConsistency) (selectors []*common.Selector, err error)
GetNodeSelectors gets node (agent) selectors by SPIFFE ID
func (*Plugin) ListAttestedNodes ¶
func (ds *Plugin) ListAttestedNodes(ctx context.Context, req *datastore.ListAttestedNodesRequest) (resp *datastore.ListAttestedNodesResponse, err error)
ListAttestedNodes lists all attested nodes (pagination available)
func (*Plugin) ListBundles ¶
func (ds *Plugin) ListBundles(ctx context.Context, req *datastore.ListBundlesRequest) (resp *datastore.ListBundlesResponse, err error)
ListBundles can be used to fetch all existing bundles.
func (*Plugin) ListFederationRelationships ¶ added in v1.1.0
func (ds *Plugin) ListFederationRelationships(ctx context.Context, req *datastore.ListFederationRelationshipsRequest) (resp *datastore.ListFederationRelationshipsResponse, err error)
ListFederationRelationships can be used to list all existing federation relationships
func (*Plugin) ListNodeSelectors ¶
func (ds *Plugin) ListNodeSelectors(ctx context.Context, req *datastore.ListNodeSelectorsRequest) (resp *datastore.ListNodeSelectorsResponse, err error)
ListNodeSelectors gets node (agent) selectors by SPIFFE ID
func (*Plugin) ListRegistrationEntries ¶
func (ds *Plugin) ListRegistrationEntries(ctx context.Context, req *datastore.ListRegistrationEntriesRequest) (resp *datastore.ListRegistrationEntriesResponse, err error)
ListRegistrationEntries lists all registrations (pagination available)
func (*Plugin) PruneBundle ¶
func (ds *Plugin) PruneBundle(ctx context.Context, trustDomainID string, expiresBefore time.Time) (changed bool, err error)
PruneBundle removes expired certs and keys from a bundle
func (*Plugin) PruneJoinTokens ¶
PruneJoinTokens takes a Token message, and deletes all tokens which have expired before the date in the message
func (*Plugin) PruneRegistrationEntries ¶
func (ds *Plugin) PruneRegistrationEntries(ctx context.Context, expiresBefore time.Time) (err error)
PruneRegistrationEntries takes a registration entry message, and deletes all entries which have expired before the date in the message
func (*Plugin) SetBundle ¶
func (ds *Plugin) SetBundle(ctx context.Context, b *common.Bundle) (bundle *common.Bundle, err error)
SetBundle sets bundle contents. If no bundle exists for the trust domain, it is created.
func (*Plugin) SetNodeSelectors ¶
func (ds *Plugin) SetNodeSelectors(ctx context.Context, spiffeID string, selectors []*common.Selector) (err error)
SetNodeSelectors sets node (agent) selectors by SPIFFE ID, deleting old selectors first
func (*Plugin) UpdateAttestedNode ¶
func (ds *Plugin) UpdateAttestedNode(ctx context.Context, n *common.AttestedNode, mask *common.AttestedNodeMask) (node *common.AttestedNode, err error)
UpdateAttestedNode updates the given node's cert serial and expiration.
func (*Plugin) UpdateBundle ¶
func (ds *Plugin) UpdateBundle(ctx context.Context, b *common.Bundle, mask *common.BundleMask) (bundle *common.Bundle, err error)
UpdateBundle updates an existing bundle with the given CAs. Overwrites any existing certificates.
func (*Plugin) UpdateFederationRelationship ¶ added in v1.1.0
func (ds *Plugin) UpdateFederationRelationship(ctx context.Context, fr *datastore.FederationRelationship, mask *types.FederationRelationshipMask) (newFr *datastore.FederationRelationship, err error)
UpdateFederationRelationship updates the given federation relationship. Attributes are only updated if the corresponding mask value is set to true.
func (*Plugin) UpdateRegistrationEntry ¶
func (ds *Plugin) UpdateRegistrationEntry(ctx context.Context, e *common.RegistrationEntry, mask *common.RegistrationEntryMask) (entry *common.RegistrationEntry, err error)
UpdateRegistrationEntry updates an existing registration entry
type RegisteredEntry ¶
// RegisteredEntry holds a registered entity entry.
//
// EntryID is the unique key; SpiffeID, ParentID and Expiry are indexed
// for lookup and pruning queries.
type RegisteredEntry struct {
	Model

	// EntryID is the entry's identifier (unique index).
	EntryID string `gorm:"unique_index"`
	// SpiffeID is the SPIFFE ID issued for this entry.
	SpiffeID string `gorm:"index"`
	// ParentID is the SPIFFE ID of the entry's parent.
	ParentID string `gorm:"index"`
	// TTL of identities derived from this entry
	TTL int32
	// Selectors are the workload selectors that must match for this entry.
	Selectors []Selector
	// FederatesWith lists the trust bundles this entry federates with, via
	// the federated_registration_entries join table (the reverse side of
	// Bundle.FederatedEntries).
	FederatesWith []Bundle `gorm:"many2many:federated_registration_entries;"`
	// Admin and Downstream — NOTE(review): privilege flags whose meaning
	// is not shown on this page; presumably they mark entries allowed to
	// use admin APIs and to act as a downstream server respectively.
	// Confirm against the registration API before relying on them.
	Admin      bool
	Downstream bool
	// (optional) expiry of this entry
	// NOTE(review): stored as int64 rather than time.Time — presumably
	// Unix seconds; confirm against PruneRegistrationEntries.
	Expiry int64 `gorm:"index"`
	// (optional) DNS entries
	DNSList []DNSName
	// RevisionNumber is a counter that is incremented when the entry is
	// updated.
	RevisionNumber int64
	// StoreSvid determines if the issued SVID is exportable to a store
	StoreSvid bool
	// Hint is a "hint string" passed to the workload to distinguish between
	// multiple SVIDs
	Hint string
}
RegisteredEntry holds a registration entry.