Documentation
Index
- func MaxSVIDTTL() time.Duration
- func MaxSVIDTTLForCATTL(caTTL time.Duration) time.Duration
- func MinCATTLForSVIDTTL(svidTTL time.Duration) time.Duration
- type Config
- type JWTKeyEntry
- type Journal
- type JournalEntries
- type JwtKeyPublisher
- type JwtKeySlot
- type ManagedCA
- type Manager
- func (m *Manager) ActivateJWTKey()
- func (m *Manager) ActivateX509CA()
- func (m *Manager) Close()
- func (m *Manager) GetCurrentJWTKeySlot() Slot
- func (m *Manager) GetCurrentX509CASlot() Slot
- func (m *Manager) GetNextJWTKeySlot() Slot
- func (m *Manager) GetNextX509CASlot() Slot
- func (m *Manager) NotifyBundleLoaded(ctx context.Context) error
- func (m *Manager) NotifyOnBundleUpdate(ctx context.Context)
- func (m *Manager) PrepareJWTKey(ctx context.Context) (err error)
- func (m *Manager) PrepareX509CA(ctx context.Context) (err error)
- func (m *Manager) PruneBundle(ctx context.Context) (err error)
- func (m *Manager) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) ([]*common.PublicKey, error)
- func (m *Manager) RotateJWTKey()
- func (m *Manager) RotateX509CA()
- type Slot
- type SlotLoader
- type SlotPosition
- type X509CAEntry
- type X509CASlot
Constants
This section is empty.
Variables
This section is empty.
Functions
func MaxSVIDTTL
MaxSVIDTTL returns the maximum SVID lifetime that can be guaranteed to not be cut artificially short by a scheduled rotation.
func MaxSVIDTTLForCATTL
MaxSVIDTTLForCATTL returns the maximum SVID TTL that can be guaranteed given a specific CA TTL. In other words, given a CA TTL, what is the largest SVID TTL that is guaranteed to not be cut artificially short by a scheduled rotation?
func MinCATTLForSVIDTTL
MinCATTLForSVIDTTL returns the minimum CA TTL necessary to guarantee an SVID TTL of the provided value. In other words, given an SVID TTL, what is the minimum CA TTL that will guarantee that the SVID's lifetime won't be cut artificially short by a scheduled rotation?
Types
type Config
type Config struct {
	CredBuilder   *credtemplate.Builder
	CredValidator *credvalidator.Validator
	CA            ManagedCA
	Catalog       catalog.Catalog
	TrustDomain   spiffeid.TrustDomain
	X509CAKeyType keymanager.KeyType
	JWTKeyType    keymanager.KeyType
	Dir           string
	Log           logrus.FieldLogger
	Metrics       telemetry.Metrics
	Clock         clock.Clock
}
type JWTKeyEntry
type JWTKeyEntry = journal.JWTKeyEntry
type Journal
type Journal struct {
// contains filtered or unexported fields
}
Journal stores X509 CAs and JWT keys on disk as they are rotated by the manager. The data format on disk is a PEM-encoded protocol buffer.
func LoadJournal
func (*Journal) AppendJWTKey
func (*Journal) AppendX509CA
func (*Journal) Entries
func (j *Journal) Entries() *JournalEntries
type JournalEntries
type JwtKeyPublisher
type JwtKeySlot
type JwtKeySlot struct {
// contains filtered or unexported fields
}
func (*JwtKeySlot) IsEmpty
func (s *JwtKeySlot) IsEmpty() bool
func (*JwtKeySlot) KmKeyID
func (s *JwtKeySlot) KmKeyID() string
func (*JwtKeySlot) Reset
func (s *JwtKeySlot) Reset()
func (*JwtKeySlot) ShouldActivateNext
func (s *JwtKeySlot) ShouldActivateNext(now time.Time) bool
func (*JwtKeySlot) ShouldPrepareNext
func (s *JwtKeySlot) ShouldPrepareNext(now time.Time) bool
type Manager
type Manager struct {
// contains filtered or unexported fields
}
func (*Manager) ActivateJWTKey
func (m *Manager) ActivateJWTKey()
func (*Manager) ActivateX509CA
func (m *Manager) ActivateX509CA()
func (*Manager) GetCurrentJWTKeySlot
func (*Manager) GetCurrentX509CASlot
func (*Manager) GetNextJWTKeySlot
func (*Manager) GetNextX509CASlot
func (*Manager) NotifyBundleLoaded
func (*Manager) NotifyOnBundleUpdate
func (*Manager) PublishJWTKey
func (m *Manager) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) ([]*common.PublicKey, error)
PublishJWTKey publishes the passed JWK to the upstream server using the configured UpstreamAuthority plugin, then appends the JWKs returned by the upstream server to the bundle, and finally returns the updated list of JWT keys contained in the bundle.
The following cases may arise when calling this function:
- The UpstreamAuthority plugin doesn't implement PublishJWTKey, in which case an Unimplemented error is received from the upstream server; a one-time warning is logged, the passed JWK is appended to the bundle, and the updated list of JWT keys is returned.
- The UpstreamAuthority plugin returns an error, in which case that error is returned.
- There is no UpstreamAuthority plugin configured, in which case the manager assumes it is the root server, appends the passed JWK to the bundle, and returns the updated list of JWT keys.
func (*Manager) RotateJWTKey
func (m *Manager) RotateJWTKey()
func (*Manager) RotateX509CA
func (m *Manager) RotateX509CA()
type SlotLoader
type SlotLoader struct {
	TrustDomain    spiffeid.TrustDomain
	Log            logrus.FieldLogger
	Dir            string
	Catalog        catalog.Catalog
	UpstreamClient *ca.UpstreamClient
}
func (*SlotLoader) Load
func (s *SlotLoader) Load(ctx context.Context) (*Journal, map[SlotPosition]Slot, error)
type SlotPosition
type SlotPosition int
const (
	CurrentX509CASlot SlotPosition = iota
	NextX509CASlot
	CurrentJWTKeySlot
	NextJWTKeySlot
)
type X509CAEntry
type X509CAEntry = journal.X509CAEntry
type X509CASlot
type X509CASlot struct {
// contains filtered or unexported fields
}
func (*X509CASlot) IsEmpty
func (s *X509CASlot) IsEmpty() bool
func (*X509CASlot) KmKeyID
func (s *X509CASlot) KmKeyID() string
func (*X509CASlot) Reset
func (s *X509CASlot) Reset()
func (*X509CASlot) ShouldActivateNext
func (s *X509CASlot) ShouldActivateNext(now time.Time) bool
func (*X509CASlot) ShouldPrepareNext
func (s *X509CASlot) ShouldPrepareNext(now time.Time) bool