README
¶
ZeroTrust Library
ZeroTrust library implements Zero Trust principles for microservices, providing mutual TLS (mTLS) and identity-based access without implicit trust.
Features
Core Features
- Service Identity Management: Secure service identification and authentication
- Mutual TLS (mTLS): Certificate-based authentication between services
- Policy Engine: Flexible policy evaluation and enforcement
- Network Segmentation: Micro-segmentation and zero-trust networking
- Certificate Management: Automated certificate generation, validation, and renewal
Supported Providers
1. SPIFFE/SPIRE Provider
- Identity Management: Secure Production Identity Framework for Everyone (SPIFFE)
- Attestation: SPIRE (SPIFFE Runtime Environment) integration
- Certificate Generation: Automatic SPIFFE certificate generation
- Trust Domain Management: Multi-tenant trust domain support
2. Istio Service Mesh Provider
- Service Mesh Security: Istio-based service mesh security
- Traffic Management: Envoy proxy-based traffic management
- Policy Enforcement: Istio authorization policies
- Network Segmentation: Service mesh-based micro-segmentation
3. mTLS via cert-manager Provider
- Certificate Management: Kubernetes cert-manager integration
- Automated Renewal: Automatic certificate renewal
- CA Management: Certificate Authority management
- Key Rotation: Automated key rotation
Installation
go get github.com/anasamu/go-micro-libs/zerotrust
Quick Start
Basic Usage
package main
import (
"context"
"log"
"github.com/anasamu/go-micro-libs/zerotrust"
"github.com/anasamu/go-micro-libs/zerotrust/providers/spiffe"
"github.com/anasamu/go-micro-libs/zerotrust/providers/istio"
"github.com/anasamu/go-micro-libs/zerotrust/providers/mtls"
"github.com/sirupsen/logrus"
)
func main() {
// Create logger
logger := logrus.New()
// Create ZeroTrust manager
manager := zerotrust.NewZeroTrustManager(nil, logger)
// Register SPIFFE provider
spiffeProvider := spiffe.NewSPIFFEProvider("spiffe", logger)
spiffeConfig := map[string]interface{}{
"server_url": "spire-server:8081",
"trust_domain": "example.org",
}
spiffeProvider.Configure(spiffeConfig)
manager.RegisterProvider(spiffeProvider)
// Register Istio provider
istioProvider := istio.NewIstioProvider("istio", logger)
istioConfig := map[string]interface{}{
"namespace": "default",
"mesh_name": "default",
}
istioProvider.Configure(istioConfig)
manager.RegisterProvider(istioProvider)
// Register mTLS provider
mtlsProvider := mtls.NewMTLSProvider("mtls", logger)
mtlsConfig := map[string]interface{}{
"cluster_name": "production",
"namespace": "default",
}
mtlsProvider.Configure(mtlsConfig)
manager.RegisterProvider(mtlsProvider)
// Use the manager...
}
Service Authentication
// Authenticate a service using SPIFFE
authRequest := &types.ServiceAuthRequest{
ServiceID: "user-service",
SPIFFEID: "spiffe://example.org/service/user-service",
TrustDomain: "example.org",
Context: map[string]interface{}{
"environment": "production",
},
}
response, err := manager.AuthenticateService(ctx, "spiffe", authRequest)
if err != nil {
log.Fatal(err)
}
if response.Success {
log.Printf("Service authenticated: %s", response.IdentityID)
}
Certificate Management
// Generate mTLS certificate
certRequest := &types.MTLSCertRequest{
ServiceID: "user-service",
Subject: "CN=user-service",
SubjectAltNames: []string{"user-service.default.svc.cluster.local"},
ValidityPeriod: 24 * time.Hour,
KeySize: 2048,
KeyType: "RSA",
}
certResponse, err := manager.GenerateMTLSCertificate(ctx, "mtls", certRequest)
if err != nil {
log.Fatal(err)
}
log.Printf("Certificate generated: %s", certResponse.Certificate.SerialNumber)
Policy Evaluation
// Evaluate access policy
policyRequest := &types.PolicyEvaluationRequest{
PolicyID: "user-service-access",
Subject: "user-service",
Resource: "user-database",
Action: "read",
Context: map[string]interface{}{
"time": "business-hours",
"location": "datacenter-1",
},
}
policyResponse, err := manager.EvaluatePolicy(ctx, "istio", policyRequest)
if err != nil {
log.Fatal(err)
}
if policyResponse.Allowed {
log.Printf("Access allowed: %s", policyResponse.Reason)
} else {
log.Printf("Access denied: %s", policyResponse.Reason)
}
Configuration
SPIFFE/SPIRE Configuration
spiffe:
server_url: "spire-server:8081"
trust_domain: "example.org"
retry_attempts: 3
timeout: "30s"
Istio Configuration
istio:
namespace: "default"
mesh_name: "default"
host: "istiod.istio-system.svc.cluster.local"
port: 15012
secure: true
mTLS Configuration
mtls:
cluster_name: "production"
namespace: "default"
cert_manager:
issuer: "letsencrypt-prod"
secret_name: "mtls-certs"
Advanced Features
Network Segmentation
// Create network segment
segmentRequest := &types.NetworkSegmentRequest{
SegmentID: "frontend-segment",
Name: "Frontend Network Segment",
Description: "Network segment for frontend services",
NetworkCIDR: "10.0.1.0/24",
Policies: []types.ServiceMeshPolicy{
{
ID: "frontend-policy",
Name: "Frontend Access Policy",
Type: "authorization",
Enabled: true,
Priority: 100,
Rules: []types.PolicyRule{
{
ID: "allow-frontend",
Name: "Allow Frontend Access",
Description: "Allow frontend services to access backend",
Enabled: true,
Priority: 1,
Conditions: []types.PolicyCondition{
{
ID: "frontend-service",
Type: "service",
Field: "service.name",
Operator: "equals",
Value: "frontend-*",
},
},
Actions: []types.PolicyAction{
{
ID: "allow",
Type: "allow",
},
},
},
},
},
},
}
segmentResponse, err := manager.CreateNetworkSegment(ctx, "istio", segmentRequest)
if err != nil {
log.Fatal(err)
}
log.Printf("Network segment created: %s", segmentResponse.SegmentID)
Service Mesh Configuration
// Configure service mesh security
meshConfigRequest := &types.ServiceMeshConfigRequest{
ServiceID: "user-service",
MeshType: "istio",
Namespace: "default",
Configuration: map[string]interface{}{
"mtls": map[string]interface{}{
"mode": "STRICT",
},
"authorization": map[string]interface{}{
"enabled": true,
"policies": []string{"user-service-policy"},
},
},
Policies: []types.ServiceMeshPolicy{
{
ID: "user-service-policy",
Name: "User Service Policy",
Type: "authorization",
Enabled: true,
Priority: 100,
},
},
}
meshResponse, err := manager.ConfigureServiceMesh(ctx, "istio", meshConfigRequest)
if err != nil {
log.Fatal(err)
}
log.Printf("Service mesh configured: %s", meshResponse.Status)
Monitoring and Observability
Health Checks
// Check provider health
healthResults := manager.HealthCheck(ctx)
for provider, err := range healthResults {
if err != nil {
log.Printf("Provider %s is unhealthy: %v", provider, err)
} else {
log.Printf("Provider %s is healthy", provider)
}
}
Statistics
// Get provider statistics
stats := manager.GetStats(ctx)
for provider, statsData := range stats {
log.Printf("Provider %s stats: %+v", provider, statsData)
}
Best Practices
1. Certificate Management
- Use short-lived certificates (24 hours or less)
- Implement automated certificate renewal
- Rotate private keys regularly
- Monitor certificate expiration
2. Policy Design
- Follow principle of least privilege
- Use context-aware policies
- Implement defense in depth
- Regular policy audits
3. Network Segmentation
- Segment services by function
- Use micro-segmentation
- Implement zero-trust networking
- Monitor network traffic
4. Service Identity
- Use strong service identities
- Implement service attestation
- Validate service certificates
- Monitor identity changes
Integration Examples
With Go Micro Framework
// In your microservice bootstrap
func bootstrapService(ctx context.Context, config *Config) error {
// Initialize ZeroTrust manager
ztManager := zerotrust.NewZeroTrustManager(config.ZeroTrust, logger)
// Register providers
spiffeProvider := spiffe.NewSPIFFEProvider("spiffe", logger)
spiffeProvider.Configure(config.SPIFFE)
ztManager.RegisterProvider(spiffeProvider)
// Authenticate service
authRequest := &types.ServiceAuthRequest{
ServiceID: config.Service.Name,
Context: config.Service.Context,
}
authResponse, err := ztManager.AuthenticateService(ctx, "spiffe", authRequest)
if err != nil {
return err
}
// Store service identity
config.Service.IdentityID = authResponse.IdentityID
config.Service.SPIFFEID = authResponse.SPIFFEID
return nil
}
With Kubernetes
# Service account with SPIFFE annotation
apiVersion: v1
kind: ServiceAccount
metadata:
name: user-service
namespace: default
annotations:
spire.io/spiffe-id: "spiffe://example.org/service/user-service"
---
# Pod with SPIFFE sidecar
apiVersion: v1
kind: Pod
metadata:
name: user-service
spec:
serviceAccountName: user-service
containers:
- name: user-service
image: user-service:latest
- name: spire-agent
image: gcr.io/spiffe-io/spire-agent:latest
Troubleshooting
Common Issues
-
Certificate Validation Failures
- Check certificate expiration
- Verify trust chain
- Validate SPIFFE ID format
-
Policy Evaluation Errors
- Check policy syntax
- Verify context data
- Validate subject permissions
-
Network Access Denied
- Check network policies
- Verify service identity
- Validate mTLS configuration
Debug Logging
// Enable debug logging
logger.SetLevel(logrus.DebugLevel)
// Add structured logging
logger.WithFields(logrus.Fields{
"service_id": "user-service",
"provider": "spiffe",
"operation": "authenticate",
}).Debug("Service authentication started")
Contributing
Please see CONTRIBUTING.md for contribution guidelines.
License
This library is licensed under the MIT License. See LICENSE for details.
Documentation
¶
Index ¶
- type ManagerConfig
- type ZeroTrustManager
- func (ztm *ZeroTrustManager) AuthenticateService(ctx context.Context, providerName string, request *types.ServiceAuthRequest) (*types.ServiceAuthResponse, error)
- func (ztm *ZeroTrustManager) Close() error
- func (ztm *ZeroTrustManager) ConfigureServiceMesh(ctx context.Context, providerName string, ...) (*types.ServiceMeshConfigResponse, error)
- func (ztm *ZeroTrustManager) CreateSPIFFEIdentity(ctx context.Context, providerName string, request *types.SPIFFEIdentityRequest) (*types.SPIFFEIdentityResponse, error)
- func (ztm *ZeroTrustManager) EvaluatePolicy(ctx context.Context, providerName string, ...) (*types.PolicyEvaluationResponse, error)
- func (ztm *ZeroTrustManager) GenerateMTLSCertificate(ctx context.Context, providerName string, request *types.MTLSCertRequest) (*types.MTLSCertResponse, error)
- func (ztm *ZeroTrustManager) GetDefaultProvider() (ZeroTrustProvider, error)
- func (ztm *ZeroTrustManager) GetProvider(name string) (ZeroTrustProvider, error)
- func (ztm *ZeroTrustManager) GetStats(ctx context.Context) map[string]interface{}
- func (ztm *ZeroTrustManager) HealthCheck(ctx context.Context) map[string]error
- func (ztm *ZeroTrustManager) IssueServiceCredential(ctx context.Context, providerName string, request *types.CredentialRequest) (*types.CredentialResponse, error)
- func (ztm *ZeroTrustManager) RegisterProvider(provider ZeroTrustProvider) error
- func (ztm *ZeroTrustManager) ValidateMTLSCertificate(ctx context.Context, providerName string, ...) (*types.MTLSCertValidationResponse, error)
- func (ztm *ZeroTrustManager) ValidateSPIFFEIdentity(ctx context.Context, providerName string, ...) (*types.SPIFFEValidationResponse, error)
- func (ztm *ZeroTrustManager) ValidateServiceIdentity(ctx context.Context, providerName string, ...) (*types.ServiceIdentityResponse, error)
- type ZeroTrustProvider
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ManagerConfig ¶
type ManagerConfig struct {
DefaultProvider string `json:"default_provider"`
RetryAttempts int `json:"retry_attempts"`
RetryDelay time.Duration `json:"retry_delay"`
Timeout time.Duration `json:"timeout"`
Metadata map[string]string `json:"metadata"`
}
ManagerConfig holds zero trust manager configuration
func DefaultManagerConfig ¶
func DefaultManagerConfig() *ManagerConfig
DefaultManagerConfig returns default zero trust manager configuration
type ZeroTrustManager ¶
type ZeroTrustManager struct {
// contains filtered or unexported fields
}
ZeroTrustManager manages multiple zero trust security providers
func NewZeroTrustManager ¶
func NewZeroTrustManager(config *ManagerConfig, logger *logrus.Logger) *ZeroTrustManager
NewZeroTrustManager creates a new zero trust manager
func (*ZeroTrustManager) AuthenticateService ¶
func (ztm *ZeroTrustManager) AuthenticateService(ctx context.Context, providerName string, request *types.ServiceAuthRequest) (*types.ServiceAuthResponse, error)
AuthenticateService authenticates a service using the specified provider
func (*ZeroTrustManager) Close ¶
func (ztm *ZeroTrustManager) Close() error
Close closes all providers
func (*ZeroTrustManager) ConfigureServiceMesh ¶
func (ztm *ZeroTrustManager) ConfigureServiceMesh(ctx context.Context, providerName string, request *types.ServiceMeshConfigRequest) (*types.ServiceMeshConfigResponse, error)
ConfigureServiceMesh configures service mesh security using the specified provider
func (*ZeroTrustManager) CreateSPIFFEIdentity ¶
func (ztm *ZeroTrustManager) CreateSPIFFEIdentity(ctx context.Context, providerName string, request *types.SPIFFEIdentityRequest) (*types.SPIFFEIdentityResponse, error)
CreateSPIFFEIdentity creates a SPIFFE identity using the specified provider
func (*ZeroTrustManager) EvaluatePolicy ¶
func (ztm *ZeroTrustManager) EvaluatePolicy(ctx context.Context, providerName string, request *types.PolicyEvaluationRequest) (*types.PolicyEvaluationResponse, error)
EvaluatePolicy evaluates a zero trust policy using the specified provider
func (*ZeroTrustManager) GenerateMTLSCertificate ¶
func (ztm *ZeroTrustManager) GenerateMTLSCertificate(ctx context.Context, providerName string, request *types.MTLSCertRequest) (*types.MTLSCertResponse, error)
GenerateMTLSCertificate generates an mTLS certificate using the specified provider
func (*ZeroTrustManager) GetDefaultProvider ¶
func (ztm *ZeroTrustManager) GetDefaultProvider() (ZeroTrustProvider, error)
GetDefaultProvider returns the default zero trust provider
func (*ZeroTrustManager) GetProvider ¶
func (ztm *ZeroTrustManager) GetProvider(name string) (ZeroTrustProvider, error)
GetProvider returns a zero trust provider by name
func (*ZeroTrustManager) GetStats ¶
func (ztm *ZeroTrustManager) GetStats(ctx context.Context) map[string]interface{}
GetStats returns statistics for all providers
func (*ZeroTrustManager) HealthCheck ¶
func (ztm *ZeroTrustManager) HealthCheck(ctx context.Context) map[string]error
HealthCheck performs health check on all providers
func (*ZeroTrustManager) IssueServiceCredential ¶
func (ztm *ZeroTrustManager) IssueServiceCredential(ctx context.Context, providerName string, request *types.CredentialRequest) (*types.CredentialResponse, error)
IssueServiceCredential issues a credential for a service using the specified provider
func (*ZeroTrustManager) RegisterProvider ¶
func (ztm *ZeroTrustManager) RegisterProvider(provider ZeroTrustProvider) error
RegisterProvider registers a zero trust provider
func (*ZeroTrustManager) ValidateMTLSCertificate ¶
func (ztm *ZeroTrustManager) ValidateMTLSCertificate(ctx context.Context, providerName string, request *types.MTLSCertValidationRequest) (*types.MTLSCertValidationResponse, error)
ValidateMTLSCertificate validates an mTLS certificate using the specified provider
func (*ZeroTrustManager) ValidateSPIFFEIdentity ¶
func (ztm *ZeroTrustManager) ValidateSPIFFEIdentity(ctx context.Context, providerName string, request *types.SPIFFEValidationRequest) (*types.SPIFFEValidationResponse, error)
ValidateSPIFFEIdentity validates a SPIFFE identity using the specified provider
func (*ZeroTrustManager) ValidateServiceIdentity ¶
func (ztm *ZeroTrustManager) ValidateServiceIdentity(ctx context.Context, providerName string, request *types.ServiceIdentityRequest) (*types.ServiceIdentityResponse, error)
ValidateServiceIdentity validates a service identity using the specified provider
type ZeroTrustProvider ¶
type ZeroTrustProvider interface {
// Provider information
GetName() string
GetSupportedFeatures() []types.ZeroTrustFeature
GetConnectionInfo() *types.ConnectionInfo
// Identity and authentication
AuthenticateService(ctx context.Context, request *types.ServiceAuthRequest) (*types.ServiceAuthResponse, error)
ValidateServiceIdentity(ctx context.Context, request *types.ServiceIdentityRequest) (*types.ServiceIdentityResponse, error)
IssueServiceCredential(ctx context.Context, request *types.CredentialRequest) (*types.CredentialResponse, error)
// mTLS operations
GenerateMTLSCertificate(ctx context.Context, request *types.MTLSCertRequest) (*types.MTLSCertResponse, error)
ValidateMTLSCertificate(ctx context.Context, request *types.MTLSCertValidationRequest) (*types.MTLSCertValidationResponse, error)
RenewMTLSCertificate(ctx context.Context, request *types.MTLSCertRenewalRequest) (*types.MTLSCertRenewalResponse, error)
// SPIFFE/SPIRE operations
CreateSPIFFEIdentity(ctx context.Context, request *types.SPIFFEIdentityRequest) (*types.SPIFFEIdentityResponse, error)
ValidateSPIFFEIdentity(ctx context.Context, request *types.SPIFFEValidationRequest) (*types.SPIFFEValidationResponse, error)
AttestSPIFFEIdentity(ctx context.Context, request *types.SPIFFEAttestRequest) (*types.SPIFFEAttestResponse, error)
// Service mesh operations
ConfigureServiceMesh(ctx context.Context, request *types.ServiceMeshConfigRequest) (*types.ServiceMeshConfigResponse, error)
ValidateServiceMeshPolicy(ctx context.Context, request *types.ServiceMeshPolicyRequest) (*types.ServiceMeshPolicyResponse, error)
ApplyServiceMeshSecurity(ctx context.Context, request *types.ServiceMeshSecurityRequest) (*types.ServiceMeshSecurityResponse, error)
// Policy enforcement
EvaluatePolicy(ctx context.Context, request *types.PolicyEvaluationRequest) (*types.PolicyEvaluationResponse, error)
EnforcePolicy(ctx context.Context, request *types.PolicyEnforcementRequest) (*types.PolicyEnforcementResponse, error)
// Network segmentation
CreateNetworkSegment(ctx context.Context, request *types.NetworkSegmentRequest) (*types.NetworkSegmentResponse, error)
ValidateNetworkAccess(ctx context.Context, request *types.NetworkAccessRequest) (*types.NetworkAccessResponse, error)
// Health and monitoring
HealthCheck(ctx context.Context) error
GetStats(ctx context.Context) (*types.ZeroTrustStats, error)
// Configuration
Configure(config map[string]interface{}) error
IsConfigured() bool
Close() error
}
ZeroTrustProvider interface for zero trust security backends
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.