manager

package
v1.8.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 10, 2023 License: Apache-2.0 Imports: 33 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MaxSVIDTTL 

func MaxSVIDTTL() time.Duration

MaxSVIDTTL returns the maximum SVID lifetime that can be guaranteed to not be cut artificially short by a scheduled rotation.

func MaxSVIDTTLForCATTL 

func MaxSVIDTTLForCATTL(caTTL time.Duration) time.Duration

MaxSVIDTTLForCATTL returns the maximum SVID TTL that can be guaranteed given a specific CA TTL. In other words, given a CA TTL, what is the largest SVID TTL that is guaranteed to not be cut artificially short by a scheduled rotation?

func MinCATTLForSVIDTTL 

func MinCATTLForSVIDTTL(svidTTL time.Duration) time.Duration

MinCATTLForSVIDTTL returns the minimum CA TTL necessary to guarantee an SVID TTL of the provided value. In other words, given an SVID TTL, what is the minimum CA TTL that will guarantee that the SVIDs lifetime won't be cut artificially short by a scheduled rotation?

Types

type Config 

type Config struct {
	CredBuilder   *credtemplate.Builder
	CredValidator *credvalidator.Validator
	CA            ManagedCA
	Catalog       catalog.Catalog
	TrustDomain   spiffeid.TrustDomain
	X509CAKeyType keymanager.KeyType
	JWTKeyType    keymanager.KeyType
	Dir           string
	Log           logrus.FieldLogger
	Metrics       telemetry.Metrics
	Clock         clock.Clock
}

type JWTKeyEntry 

type JWTKeyEntry = journal.JWTKeyEntry

type Journal 

type Journal struct {
	// contains filtered or unexported fields
}

Journal stores X509 CAs and JWT keys on disk as they are rotated by the manager. The data format on disk is a PEM encoded protocol buffer.

func LoadJournal 

func LoadJournal(path string) (*Journal, error)

func (*Journal) AppendJWTKey 

func (j *Journal) AppendJWTKey(slotID string, issuedAt time.Time, jwtKey *ca.JWTKey) error

func (*Journal) AppendX509CA 

func (j *Journal) AppendX509CA(slotID string, issuedAt time.Time, x509CA *ca.X509CA) error

func (*Journal) Entries 

func (j *Journal) Entries() *JournalEntries

func (*Journal) UpdateJWTKeyStatus added in v1.7.1 

func (j *Journal) UpdateJWTKeyStatus(issuedAt time.Time, status journal.Status) error

UpdateJWTKeyStatus updates a stored JWTKey entry to have the given status, updating the journal file.

func (*Journal) UpdateX509CAStatus added in v1.7.1 

func (j *Journal) UpdateX509CAStatus(issuedAt time.Time, status journal.Status) error

UpdateX509CAStatus updates a stored X509CA entry to have the given status, updating the journal file.

type JournalEntries 

type JournalEntries = journal.Entries

type JwtKeyPublisher 

type JwtKeyPublisher interface {
	PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) ([]*common.PublicKey, error)
}

type JwtKeySlot 

type JwtKeySlot struct {
	// contains filtered or unexported fields
}

func (*JwtKeySlot) AuthorityID added in v1.7.2 

func (s *JwtKeySlot) AuthorityID() string

func (*JwtKeySlot) IsEmpty 

func (s *JwtKeySlot) IsEmpty() bool

func (*JwtKeySlot) KmKeyID 

func (s *JwtKeySlot) KmKeyID() string

func (*JwtKeySlot) NotAfter added in v1.7.2 

func (s *JwtKeySlot) NotAfter() time.Time

func (*JwtKeySlot) PublicKey added in v1.7.2 

func (s *JwtKeySlot) PublicKey() crypto.PublicKey

func (*JwtKeySlot) Reset 

func (s *JwtKeySlot) Reset()

func (*JwtKeySlot) ShouldActivateNext 

func (s *JwtKeySlot) ShouldActivateNext(now time.Time) bool

func (*JwtKeySlot) ShouldPrepareNext 

func (s *JwtKeySlot) ShouldPrepareNext(now time.Time) bool

func (*JwtKeySlot) Status added in v1.7.1 

func (s *JwtKeySlot) Status() journal.Status

type ManagedCA 

type ManagedCA interface {
	SetX509CA(*ca.X509CA)
	SetJWTKey(*ca.JWTKey)
}

type Manager 

type Manager struct {
	// contains filtered or unexported fields
}

func NewManager 

func NewManager(ctx context.Context, c Config) (*Manager, error)

func (*Manager) ActivateJWTKey 

func (m *Manager) ActivateJWTKey()

func (*Manager) ActivateX509CA 

func (m *Manager) ActivateX509CA()

func (*Manager) Close 

func (m *Manager) Close()

func (*Manager) GetCurrentJWTKeySlot 

func (m *Manager) GetCurrentJWTKeySlot() Slot

func (*Manager) GetCurrentX509CASlot 

func (m *Manager) GetCurrentX509CASlot() Slot

func (*Manager) GetNextJWTKeySlot 

func (m *Manager) GetNextJWTKeySlot() Slot

func (*Manager) GetNextX509CASlot 

func (m *Manager) GetNextX509CASlot() Slot

func (*Manager) NotifyBundleLoaded 

func (m *Manager) NotifyBundleLoaded(ctx context.Context) error

func (*Manager) NotifyOnBundleUpdate 

func (m *Manager) NotifyOnBundleUpdate(ctx context.Context)

func (*Manager) PrepareJWTKey 

func (m *Manager) PrepareJWTKey(ctx context.Context) (err error)

func (*Manager) PrepareX509CA 

func (m *Manager) PrepareX509CA(ctx context.Context) (err error)

func (*Manager) PruneBundle 

func (m *Manager) PruneBundle(ctx context.Context) (err error)

func (*Manager) PublishJWTKey 

func (m *Manager) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) ([]*common.PublicKey, error)

PublishJWTKey publishes the passed JWK to the upstream server using the configured UpstreamAuthority plugin, then appends to the bundle the JWKs returned by the upstream server, and finally it returns the updated list of JWT keys contained in the bundle.

The following cases may arise when calling this function:

- The UpstreamAuthority plugin doesn't implement PublishJWTKey, in which case we receive an Unimplemented error from the upstream server, and hence we log a one time warning about this, append the passed JWK to the bundle, and return the updated list of JWT keys.

- The UpstreamAuthority plugin returned an error, then we return the error.

- There is no UpstreamAuthority plugin configured, then assumes we are the root server and just appends the passed JWK to the bundle and returns the updated list of JWT keys.

func (*Manager) RotateJWTKey 

func (m *Manager) RotateJWTKey()

func (*Manager) RotateX509CA 

func (m *Manager) RotateX509CA()

type Slot 

type Slot interface {
	KmKeyID() string
	IsEmpty() bool
	Reset()
	ShouldPrepareNext(now time.Time) bool
	ShouldActivateNext(now time.Time) bool
	Status() journal.Status
	AuthorityID() string
	PublicKey() crypto.PublicKey
	NotAfter() time.Time
}

type SlotLoader 

type SlotLoader struct {
	TrustDomain spiffeid.TrustDomain

	Log            logrus.FieldLogger
	Dir            string
	Catalog        catalog.Catalog
	UpstreamClient *ca.UpstreamClient
}

func (*SlotLoader) Load 

func (s *SlotLoader) Load(ctx context.Context) (*Journal, map[SlotPosition]Slot, error)

type SlotPosition 

type SlotPosition int
const (
	CurrentX509CASlot SlotPosition = iota
	NextX509CASlot
	CurrentJWTKeySlot
	NextJWTKeySlot
)

type X509CAEntry 

type X509CAEntry = journal.X509CAEntry

type X509CASlot 

type X509CASlot struct {
	// contains filtered or unexported fields
}

func (*X509CASlot) AuthorityID added in v1.7.2 

func (s *X509CASlot) AuthorityID() string

func (*X509CASlot) IsEmpty 

func (s *X509CASlot) IsEmpty() bool

func (*X509CASlot) KmKeyID 

func (s *X509CASlot) KmKeyID() string

func (*X509CASlot) NotAfter added in v1.7.2 

func (s *X509CASlot) NotAfter() time.Time

func (*X509CASlot) PublicKey added in v1.7.2 

func (s *X509CASlot) PublicKey() crypto.PublicKey

func (*X509CASlot) Reset 

func (s *X509CASlot) Reset()

func (*X509CASlot) ShouldActivateNext 

func (s *X509CASlot) ShouldActivateNext(now time.Time) bool

func (*X509CASlot) ShouldPrepareNext 

func (s *X509CASlot) ShouldPrepareNext(now time.Time) bool

func (*X509CASlot) Status added in v1.7.1 

func (s *X509CASlot) Status() journal.Status

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.