server

Published: Dec 11, 2025 License: Apache-2.0 Imports: 47 Imported by: 1

Documentation


Types

type Config

type Config struct {
	// PluginConfigs holds the configurations for the server plugins.
	PluginConfigs common.PluginConfigs

	// Log is the logger used by the server.
	Log loggerv1.Logger

	// LogReopener facilitates handling a signal to rotate the log file.
	LogReopener func(context.Context) error

	// AuditLogEnabled, if true, enables audit logs. The zero value is false,
	// so audit logging is off unless it is explicitly turned on.
	AuditLogEnabled bool

	// BindAddress is the address of the SPIRE server.
	BindAddress *net.TCPAddr

	// BindLocalAddress is the address at which the SPIRE Server is reached
	// locally.
	BindLocalAddress net.Addr

	// DataDir is the directory used to store runtime data.
	// NOTE(review): this directory holds server state; keep its permissions
	// restricted to the server's user — confirm what is persisted here.
	DataDir string

	// TrustDomain is the trust domain served by this server.
	TrustDomain spiffeid.TrustDomain

	// Experimental holds experimental server settings.
	Experimental ExperimentalConfig

	// ProfilingEnabled, if true, enables profiling through a pprof web server.
	// NOTE(review): pprof exposes runtime internals (heap and goroutine
	// dumps); only a port is configured here, not a bind interface, so
	// confirm the pprof server is not reachable from untrusted networks
	// before enabling this outside of debugging.
	ProfilingEnabled bool

	// ProfilingPort is the port used by the pprof web server when
	// ProfilingEnabled == true.
	ProfilingPort int

	// ProfilingFreq is the interval, in seconds, at which each profile file
	// is generated.
	ProfilingFreq int

	// ProfilingNames lists the names of the profiles generated on each
	// profiling tick.
	ProfilingNames []string

	// AgentTTL is the time-to-live for agent SVIDs.
	AgentTTL time.Duration

	// X509SVIDTTL is the default time-to-live for X509-SVIDs.
	// NOTE(review): the previous comment said this overrides SVIDTTL, but no
	// such field exists in this struct — presumably a legacy setting; confirm.
	X509SVIDTTL time.Duration

	// JWTSVIDTTL is the default time-to-live for JWT-SVIDs.
	// NOTE(review): as with X509SVIDTTL, the previous comment referred to an
	// SVIDTTL field that is not present here; confirm the precedence rules.
	JWTSVIDTTL time.Duration

	// CATTL is the time-to-live for the server CA. This only applies to
	// self-signed CA certificates; otherwise the lifetime is up to the
	// upstream CA.
	CATTL time.Duration

	// JWTIssuer is used as the issuer claim in JWT-SVIDs minted by the server.
	// If unset, the JWT-SVID will not have an issuer claim, so consumers that
	// require an iss claim need this to be set.
	JWTIssuer string

	// CASubject is the subject used in the CA certificate.
	CASubject pkix.Name

	// Telemetry provides the configuration for metrics exporting.
	Telemetry telemetry.FileConfig

	// HealthChecks provides the configuration for health monitoring.
	HealthChecks health.Config

	// CAKeyType is the key type used for the X509 and JWT signing keys.
	// NOTE(review): JWTKeyType below also covers JWT signing keys; confirm
	// which of the two takes precedence for JWT keys.
	CAKeyType keymanager.KeyType

	// JWTKeyType is the key type used for JWT signing keys.
	JWTKeyType keymanager.KeyType

	// Federation holds the configuration needed to federate with other
	// trust domains.
	Federation FederationConfig

	// RateLimit holds the rate limiting configurations.
	RateLimit endpoints.RateLimitConfig

	// CacheReloadInterval controls how often the in-memory entry cache
	// reloads.
	CacheReloadInterval time.Duration

	// FullCacheReloadInterval controls how often the in-memory entry cache
	// goes through a full reload.
	FullCacheReloadInterval time.Duration

	// EventsBasedCache enables event-driven cache reloads.
	EventsBasedCache bool

	// PruneEventsOlderThan controls how long events can live before they are
	// pruned.
	PruneEventsOlderThan time.Duration

	// EventTimeout controls how long to wait for an event before giving up.
	EventTimeout time.Duration

	// AuthOpaPolicyEngineConfig determines the config for the OPA-based
	// authorization policy engine.
	AuthOpaPolicyEngineConfig *authpolicy.OpaEngineConfig

	// AdminIDs is a list of fixed IDs that, when presented by a caller in an
	// X509-SVID, are granted admin rights. Any workload able to obtain an
	// SVID with one of these IDs therefore has admin rights on the server;
	// keep this list minimal.
	AdminIDs []spiffeid.ID

	// TLSPolicy determines the policy settings applied to all TLS
	// connections.
	TLSPolicy tlspolicy.Policy

	// PruneAttestedNodesExpiredFor enables periodic removal of attested nodes
	// whose X509-SVID expiration date is further than the given interval in
	// the past. Non-reattestable nodes are not pruned by default (see
	// PruneNonReattestableNodes). Banned nodes are never pruned.
	PruneAttestedNodesExpiredFor time.Duration

	// PruneNonReattestableNodes, if true, includes non-reattestable nodes in
	// the set considered for pruning.
	PruneNonReattestableNodes bool

	// MaxAttestedNodeInfoStaleness determines how long to trust cached
	// attested node information before requiring a refresh from the
	// datastore.
	// NOTE(review): presumably changes recorded in the datastore (such as a
	// ban) are not observed until the cached entry is refreshed; confirm.
	MaxAttestedNodeInfoStaleness time.Duration

	// DisableJWTSVIDs, if true, disables the JWT-SVID profile.
	DisableJWTSVIDs bool
}

type ExperimentalConfig

// ExperimentalConfig holds experimental server settings. It currently has no
// fields.
type ExperimentalConfig struct{}

type FederationConfig added in v0.11.0

// FederationConfig holds the configuration needed to federate with other
// trust domains.
type FederationConfig struct {
	// BundleEndpoint contains the federation bundle endpoint configuration.
	// NOTE(review): presumably the endpoint this server exposes so that other
	// trust domains can fetch its bundle; confirm against bundle.EndpointConfig.
	BundleEndpoint *bundle.EndpointConfig
	// FederatesWith holds the federation configuration for each trust domain
	// this server federates with, keyed by trust domain.
	FederatesWith map[spiffeid.TrustDomain]bundle_client.TrustDomainConfig
}

type Server

// Server is the SPIRE server. It is constructed with New and started with
// Run; all of its fields are unexported.
type Server struct {
	// contains filtered or unexported fields
}

func New

// New builds a Server from config. Start it with Run, which initializes the
// server and its plugins.
func New(config Config) *Server

func (*Server) CheckHealth added in v1.0.0

// CheckHealth is used as a top-level health check for the Server.
func (s *Server) CheckHealth() health.State

CheckHealth is used as a top-level health check for the Server.

func (*Server) Run

// Run initializes the server, including its plugins, and then blocks until
// the server is shut down or an error is encountered.
func (s *Server) Run(ctx context.Context) error

Run runs the server. This method initializes the server, including its plugins, and then blocks until the server is shut down or an error is encountered.

func (*Server) ValidateConfig added in v1.14.0

// ValidateConfig validates the server's configuration and returns the
// findings along with an error.
// NOTE(review): the meaning of the map's keys and values is not documented
// here — presumably keyed by config section with a list of messages; confirm.
func (s *Server) ValidateConfig(ctx context.Context) (map[string][]string, error)

Directories

Path Synopsis
api
bundle
pubmanager
Package pubmanager manages the publishing of the trust bundle to external stores through the configured BundlePublisher plugins.
ca
cache
bundle/internal/acmetest
nolint // forked code
bundle/internal/autocert
nolint // forked code
hostservice
plugin
