spire

package v1.19.4

Published: May 13, 2026 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var Cell = cell.Module(
	"spire-client",
	"Spire Server API Client",
	cell.Config(defaultMutualAuthConfig),
	cell.Config(defaultClientConfig),
	cell.Provide(func(zfg ztunnel.Config) SpireEntryConfig {
		if zfg.EnableZTunnel {
			return ZtunnelSpireEntryConfig()
		}
		return DefaultSpireEntryConfig()
	}),
	cell.Provide(NewClient),
)

Cell is the cell for the SPIRE client.

var FakeCellClient = cell.Module(
	"fake-spire-client",
	"Fake Spire Server API Client",
	cell.Config(defaultMutualAuthConfig),
	cell.Config(defaultClientConfig),
	cell.Provide(DefaultSpireEntryConfig),
	cell.Provide(NewFakeClient),
)

Functions

func NewClient

func NewClient(params params) out

NewClient creates a new SPIRE client. If the mutual authentication is not enabled, it returns a noop client. When ztunnel is enabled, the client is still created but the identity.Provider returned is a noop since ztunnel handles identity differently.

func NewFakeClient

func NewFakeClient() identity.Provider

NewFakeClient creates a new fake SPIRE client.

Types

type Client

type Client struct {
	// contains filtered or unexported fields
}

func (*Client) Delete

func (c *Client) Delete(ctx context.Context, id string) error

Delete deletes the SPIFFE ID for the given ID. The SPIFFE ID path is determined by the SpireEntryConfig.

func (*Client) DeleteBatch added in v1.19.4

func (c *Client) DeleteBatch(ctx context.Context, ids []string) error

DeleteBatch deletes multiple SPIFFE entries at once. It lists all entries by parent ID, filters to the requested IDs, and deletes in batches. This is more efficient than looking up each entry individually.

func (*Client) GetSpireEntryConfig added in v1.19.4

func (c *Client) GetSpireEntryConfig() SpireEntryConfig

GetSpireEntryConfig returns the SPIRE entry configuration.

func (*Client) GetSpireTrustDomain added in v1.19.4

func (c *Client) GetSpireTrustDomain() string

GetSpireTrustDomain returns the SPIFFE trust domain.

func (*Client) Initialized added in v1.19.4

func (c *Client) Initialized() <-chan struct{}

Initialized returns a channel that is closed when the client is initialized.

func (*Client) List

func (c *Client) List(ctx context.Context) ([]string, error)

func (*Client) Upsert

func (c *Client) Upsert(ctx context.Context, id string) error

Upsert creates or updates the SPIFFE ID for the given ID. The SPIFFE ID path and selectors are determined by the SpireEntryConfig.

func (*Client) UpsertBatch added in v1.19.4

func (c *Client) UpsertBatch(ctx context.Context, ids []string) error

UpsertBatch creates or updates multiple SPIFFE entries at once. For each ID, it checks if an entry exists and updates it, otherwise creates it.

type ClientConfig

type ClientConfig struct {
	SpireAgentSocketPath         string        `mapstructure:"mesh-auth-spire-agent-socket"`
	SpireServerAddress           string        `mapstructure:"mesh-auth-spire-server-address"`
	SpireServerConnectionTimeout time.Duration `mapstructure:"mesh-auth-spire-server-connection-timeout"`
	SpiffeTrustDomain            string        `mapstructure:"mesh-auth-spiffe-trust-domain"`
}

ClientConfig contains the configuration for the SPIRE client.

func (ClientConfig) Flags

func (cfg ClientConfig) Flags(flags *pflag.FlagSet)

Flags adds the flags used by ClientConfig.

type MutualAuthConfig added in v1.17.2

type MutualAuthConfig struct {
	Enabled bool `mapstructure:"mesh-auth-mutual-enabled"`
}

MutualAuthConfig contains general configuration for mutual authentication.

func (MutualAuthConfig) Flags added in v1.17.2

func (cfg MutualAuthConfig) Flags(flags *pflag.FlagSet)

Flags adds the flags used by ClientConfig.

type SpireEntryConfig added in v1.19.4

type SpireEntryConfig struct {
	ParentID      string
	PathFunc      func(string) string
	SelectorsFunc func(string) []*types.Selector
}

SpireEntryConfig contains the configuration for SPIRE entry generation. This allows the SPIRE client to be configured for different use cases such as mutual-auth or ztunnel.

func DefaultSpireEntryConfig added in v1.19.4

func DefaultSpireEntryConfig() SpireEntryConfig

DefaultSpireEntryConfig returns the default SpireEntryConfig for mutual-auth mode.

func ZtunnelSpireEntryConfig added in v1.19.4

func ZtunnelSpireEntryConfig() SpireEntryConfig

ZtunnelSpireEntryConfig returns the SpireEntryConfig for ztunnel mode. In ztunnel mode:

- ParentID is "/ztunnel"
- Path format is "/ns/{namespace}/sa/{serviceaccount}"
- Selectors are k8s namespace and service account selectors
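As an added example (not Cilium's own code), the ztunnel-mode entry shape described above worked through with a local stand-in for SpireEntryConfig: PathFunc and SelectorsFunc derive the path and k8s selectors from an id assumed to have the form "namespace/serviceaccount", and any other shape is rejected so a malformed id cannot add or drop SPIFFE ID path segments. The Selector type is a local stand-in for the SPIRE API types.Selector, and the "k8s" selector type with "ns:"/"sa:" values is assumed from the SPIRE k8s workload attestor.

```go
package main

import (
	"fmt"
	"strings"
)

// Selector is a local stand-in for the SPIRE API types.Selector (assumption).
type Selector struct{ Type, Value string }

type SpireEntryConfig struct {
	ParentID      string
	PathFunc      func(string) string
	SelectorsFunc func(string) []*Selector
}

// splitID assumes id is "namespace/serviceaccount" and rejects any other shape.
func splitID(id string) (ns, sa string, ok bool) {
	p := strings.Split(id, "/")
	if len(p) != 2 || p[0] == "" || p[1] == "" {
		return "", "", false
	}
	return p[0], p[1], true
}

// ZtunnelSpireEntryConfig follows the documented ztunnel mode: parent
// "/ztunnel", path "/ns/{namespace}/sa/{serviceaccount}", k8s ns/sa selectors.
func ZtunnelSpireEntryConfig() SpireEntryConfig {
	return SpireEntryConfig{
		ParentID: "/ztunnel",
		PathFunc: func(id string) string {
			if ns, sa, ok := splitID(id); ok {
				return fmt.Sprintf("/ns/%s/sa/%s", ns, sa)
			}
			return "" // empty path tells the caller the id was invalid
		},
		SelectorsFunc: func(id string) []*Selector {
			if ns, sa, ok := splitID(id); ok {
				return []*Selector{{"k8s", "ns:" + ns}, {"k8s", "sa:" + sa}}
			}
			return nil
		},
	}
}

func main() {
	cfg := ZtunnelSpireEntryConfig()
	fmt.Println(cfg.ParentID, cfg.PathFunc("default/my-sa")) // /ztunnel /ns/default/sa/my-sa
}
```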
