Documentation ¶
Index ¶
- Constants
- func CreateServerCATemplate(spiffeID spiffeid.ID, publicKey crypto.PublicKey, ...) (*x509.Certificate, error)
- func CreateX509SVIDTemplate(spiffeID spiffeid.ID, publicKey crypto.PublicKey, ...) (*x509.Certificate, error)
- func GenerateServerCACSR(signer crypto.Signer, trustDomain spiffeid.TrustDomain, subject pkix.Name) ([]byte, error)
- func MaxSVIDTTL() time.Duration
- func MaxSVIDTTLForCATTL(caTTL time.Duration) time.Duration
- func MinCATTLForSVIDTTL(svidTTL time.Duration) time.Duration
- type BundleUpdater
- type CA
- func (ca *CA) JWTKey() *JWTKey
- func (ca *CA) SetJWTKey(jwtKey *JWTKey)
- func (ca *CA) SetX509CA(x509CA *X509CA)
- func (ca *CA) SignJWTSVID(ctx context.Context, params JWTSVIDParams) (string, error)
- func (ca *CA) SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error)
- func (ca *CA) SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error)
- func (ca *CA) X509CA() *X509CA
- type Config
- type JWTKey
- type JWTKeyEntry
- type JWTSVIDParams
- type Journal
- type JournalEntries
- type ManagedCA
- type Manager
- type ManagerConfig
- type ServerCA
- type UpstreamClient
- func (u *UpstreamClient) Close() error
- func (u *UpstreamClient) MintX509CA(ctx context.Context, csr []byte, ttl time.Duration, ...) (_ []*x509.Certificate, err error)
- func (u *UpstreamClient) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ []*common.PublicKey, err error)
- func (u *UpstreamClient) WaitUntilMintX509CAStreamDone(ctx context.Context) error
- func (u *UpstreamClient) WaitUntilPublishJWTKeyStreamDone(ctx context.Context) error
- type UpstreamClientConfig
- type ValidateX509CAFunc
- type X509CA
- type X509CAEntry
- type X509CASVIDParams
- type X509CAValidator
- type X509SVIDParams
Constants ¶
const ( // DefaultX509SVIDTTL is the TTL given to X509 SVIDs if not overridden by // the server config. DefaultX509SVIDTTL = time.Hour // DefaultJWTSVIDTTL is the TTL given to JWT SVIDs if a different TTL is // not provided in the signing request. DefaultJWTSVIDTTL = time.Minute * 5 )
const (
DefaultCATTL = 24 * time.Hour
)
Variables ¶
This section is empty.
Functions ¶
func CreateServerCATemplate ¶
func CreateX509SVIDTemplate ¶
func GenerateServerCACSR ¶
func MaxSVIDTTL ¶ added in v1.0.1
MaxSVIDTTL returns the maximum SVID lifetime that can be guaranteed to not be cut artificially short by a scheduled rotation.
func MaxSVIDTTLForCATTL ¶ added in v1.0.1
MaxSVIDTTLForCATTL returns the maximum SVID TTL that can be guaranteed given a specific CA TTL. In other words, given a CA TTL, what is the largest SVID TTL that is guaranteed to not be cut artificially short by a scheduled rotation?
func MinCATTLForSVIDTTL ¶ added in v1.0.1
MinCATTLForSVIDTTL returns the minimum CA TTL necessary to guarantee an SVID TTL of the provided value. In other words, given an SVID TTL, what is the minimum CA TTL that will guarantee that the SVIDs lifetime won't be cut artificially short by a scheduled rotation?
Types ¶
type BundleUpdater ¶ added in v0.10.0
type BundleUpdater interface { AppendX509Roots(ctx context.Context, roots []*x509.Certificate) error AppendJWTKeys(ctx context.Context, keys []*common.PublicKey) ([]*common.PublicKey, error) LogError(err error, msg string) }
BundleUpdater is the interface used by the UpstreamClient to append bundle updates.
type CA ¶
type CA struct {
// contains filtered or unexported fields
}
func (*CA) SignJWTSVID ¶
func (*CA) SignX509CASVID ¶
func (ca *CA) SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error)
func (*CA) SignX509SVID ¶
func (ca *CA) SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error)
type JWTKeyEntry ¶
type JWTKeyEntry = journal.JWTKeyEntry
type JWTSVIDParams ¶
type JWTSVIDParams struct { // SPIFFE ID of the SVID SpiffeID spiffeid.ID // TTL is the desired time-to-live of the SVID. Regardless of the TTL, the // lifetime of the certificate will be capped to that of the signing cert. TTL time.Duration // Audience is used for audience claims Audience []string }
JWTSVIDParams are parameters relevant to JWT SVID creation
type Journal ¶
type Journal struct {
// contains filtered or unexported fields
}
Journal stores X509 CAs and JWT keys on disk as they are rotated by the manager. The data format on disk is a PEM encoded protocol buffer.
func LoadJournal ¶
func (*Journal) AppendJWTKey ¶
func (*Journal) AppendX509CA ¶
func (*Journal) Entries ¶
func (j *Journal) Entries() *JournalEntries
type JournalEntries ¶
type Manager ¶
type Manager struct {
// contains filtered or unexported fields
}
func NewManager ¶
func NewManager(c ManagerConfig) *Manager
func (*Manager) PublishJWTKey ¶ added in v0.10.0
func (m *Manager) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) ([]*common.PublicKey, error)
PublishJWTKey publishes the passed JWK to the upstream server using the configured UpstreamAuthority plugin, then appends to the bundle the JWKs returned by the upstream server, and finally it returns the updated list of JWT keys contained in the bundle.
The following cases may arise when calling this function:
- The UpstreamAuthority plugin doesn't implement PublishJWTKey, in which case we receive an Unimplemented error from the upstream server, and hence we log a one time warning about this, append the passed JWK to the bundle, and return the updated list of JWT keys.
- The UpstreamAuthority plugin returned an error, then we return the error.
- There is no UpstreamAuthority plugin configured, then assumes we are the root server and just appends the passed JWK to the bundle and returns the updated list of JWT keys.
type ManagerConfig ¶
type ManagerConfig struct { CA ManagedCA Catalog catalog.Catalog TrustDomain spiffeid.TrustDomain CATTL time.Duration X509CAKeyType keymanager.KeyType JWTKeyType keymanager.KeyType CASubject pkix.Name Dir string Log logrus.FieldLogger Metrics telemetry.Metrics Clock clock.Clock HealthChecker health.Checker }
type ServerCA ¶
type ServerCA interface { SignX509SVID(ctx context.Context, params X509SVIDParams) ([]*x509.Certificate, error) SignX509CASVID(ctx context.Context, params X509CASVIDParams) ([]*x509.Certificate, error) SignJWTSVID(ctx context.Context, params JWTSVIDParams) (string, error) }
ServerCA is an interface for Server CAs
type UpstreamClient ¶ added in v0.10.0
type UpstreamClient struct {
// contains filtered or unexported fields
}
UpstreamClient is used to interact with and stream updates from the UpstreamAuthority plugin.
func NewUpstreamClient ¶ added in v0.10.0
func NewUpstreamClient(config UpstreamClientConfig) *UpstreamClient
NewUpstreamClient returns a new UpstreamAuthority plugin client.
func (*UpstreamClient) Close ¶ added in v0.10.0
func (u *UpstreamClient) Close() error
Close closes the client, stopping any open streams against the UpstreamAuthority plugin.
func (*UpstreamClient) MintX509CA ¶ added in v0.10.0
func (u *UpstreamClient) MintX509CA(ctx context.Context, csr []byte, ttl time.Duration, validateX509CA ValidateX509CAFunc) (_ []*x509.Certificate, err error)
MintX509CA mints an X.509CA using the UpstreamAuthority. It maintains an open stream to the UpstreamAuthority plugin to receive and append X.509 root updates to the bundle. The stream remains open until another call to MintX509CA happens or the client is closed.
func (*UpstreamClient) PublishJWTKey ¶ added in v0.10.0
func (u *UpstreamClient) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ []*common.PublicKey, err error)
PublishJWTKey publishes the JWT key to the UpstreamAuthority. It maintains an open stream to the UpstreamAuthority plugin to receive and append JWT key updates to the bundle. The stream remains open until another call to PublishJWTKey happens or the client is closed.
func (*UpstreamClient) WaitUntilMintX509CAStreamDone ¶ added in v0.10.0
func (u *UpstreamClient) WaitUntilMintX509CAStreamDone(ctx context.Context) error
WaitUntilMintX509CAStreamDone waits until the MintX509CA stream has stopped.
func (*UpstreamClient) WaitUntilPublishJWTKeyStreamDone ¶ added in v0.10.0
func (u *UpstreamClient) WaitUntilPublishJWTKeyStreamDone(ctx context.Context) error
WaitUntilPublishJWTKeyStreamDone waits until the MintX509CA stream has stopped.
type UpstreamClientConfig ¶ added in v0.10.0
type UpstreamClientConfig struct { UpstreamAuthority upstreamauthority.UpstreamAuthority BundleUpdater BundleUpdater }
UpstreamClientConfig is the configuration for an UpstreamClient. Each field is required.
type ValidateX509CAFunc ¶ added in v1.2.0
type ValidateX509CAFunc = func(x509CA, x509Roots []*x509.Certificate) error
ValidateX509CAFunc is used by the upstream client to validate an X509CA newly minted by an upstream authority before it accepts it.
type X509CA ¶
type X509CA struct { // Signer is used to sign child certificates. Signer crypto.Signer // Certificate is the CA certificate. Certificate *x509.Certificate // UpstreamChain contains the CA certificate and intermediates necessary to // chain back to the upstream trust bundle. It is only set if the CA is // signed by an UpstreamCA. UpstreamChain []*x509.Certificate }
func SelfSignX509CA ¶
func UpstreamSignX509CA ¶
type X509CAEntry ¶
type X509CAEntry = journal.X509CAEntry
type X509CASVIDParams ¶
type X509CASVIDParams struct { // SPIFFE ID of the SVID SpiffeID spiffeid.ID // Public Key PublicKey crypto.PublicKey // TTL is the desired time-to-live of the SVID. Regardless of the TTL, the // lifetime of the certificate will be capped to that of the signing cert. TTL time.Duration }
X509CASVIDParams are parameters relevant to X509 CA SVID creation
type X509CAValidator ¶ added in v1.2.0
type X509CAValidator struct { TrustDomain spiffeid.TrustDomain Signer crypto.Signer }
func (X509CAValidator) ValidateSelfSignedX509CA ¶ added in v1.2.0
func (v X509CAValidator) ValidateSelfSignedX509CA(x509CA *x509.Certificate) error
func (X509CAValidator) ValidateUpstreamX509CA ¶ added in v1.2.0
func (v X509CAValidator) ValidateUpstreamX509CA(x509CA, upstreamRoots []*x509.Certificate) error
type X509SVIDParams ¶
type X509SVIDParams struct { // SPIFFE ID of the SVID SpiffeID spiffeid.ID // Public Key PublicKey crypto.PublicKey // TTL is the desired time-to-live of the SVID. Regardless of the TTL, the // lifetime of the certificate will be capped to that of the signing cert. TTL time.Duration // DNSList is used to add DNS SAN's to the X509 SVID. The first entry // is also added as the CN. DNSList []string // Subject of the SVID. Default subject is used if it is empty. Subject pkix.Name }
X509SVIDParams are parameters relevant to X509 SVID creation