workload

package
v0.11.1-marc2 (not the latest version of its module)
Published: Oct 6, 2020 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Constants

const (
	// DefaultAgentAddress is the default GRPC address to contact the spire agent at.
	DefaultAgentAddress = "unix:///tmp/agent.sock"

	// EnvVarAgentAddress is the environment variable name where the Workload API address may be configured.
	EnvVarAgentAddress = "SPIFFE_ENDPOINT_SOCKET"
)

Variables

This section is empty.

Functions

func GetAgentAddress

func GetAgentAddress() string

GetAgentAddress returns the Workload API agent address configured by the environment or a default.

Types

type Option

type Option func(*X509SVIDClient)

Option configures the workload client.

func WithAddr

func WithAddr(addr string) Option

WithAddr specifies the unix socket address of the SPIFFE agent.

type X509SVID

type X509SVID struct {
	SPIFFEID        string
	PrivateKey      crypto.Signer
	Certificates    []*x509.Certificate
	TrustBundle     []*x509.Certificate
	TrustBundlePool *x509.CertPool
}

X509SVID is an X.509 SPIFFE Verifiable Identity Document.

See https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md

type X509SVIDClient

type X509SVIDClient struct {
	// contains filtered or unexported fields
}

X509SVIDClient interacts with the SPIFFE Workload API.

func NewX509SVIDClient

func NewX509SVIDClient(watcher X509SVIDWatcher, opts ...Option) (*X509SVIDClient, error)

NewX509SVIDClient returns a new Workload API client for X.509 SVIDs.

func (*X509SVIDClient) Start

func (c *X509SVIDClient) Start(ctx context.Context) error

Start starts the client.

The client always starts; rely on the watcher interface to receive updates on the client's status.

It is an error to call Start() more than once. Calling Start() after Stop() is not supported.

func (*X509SVIDClient) Stop

func (c *X509SVIDClient) Stop(ctx context.Context) error

Stop stops the client and waits for the watch loop to end.

type X509SVIDWatcher

type X509SVIDWatcher interface {
	// UpdateX509SVIDs indicates to the Watcher that the SVID has been updated
	UpdateX509SVIDs(*X509SVIDs)

	// OnError indicates an error occurred.
	OnError(err error)
}

X509SVIDWatcher is implemented by consumers who wish to be updated on SVID changes.

type X509SVIDs

type X509SVIDs struct {
	// SVIDs is a list of X509SVID messages, each of which includes a single
	// SPIFFE Verifiable Identity Document, along with its private key and bundle.
	SVIDs []*X509SVID

	// CRL is a list of revoked certificates.
	// Unimplemented.
	CRL *pkix.CertificateList

	// FederatedBundles are CA certificate bundles belonging to foreign Trust Domains
	// that the workload should trust, keyed by the SPIFFE ID of the foreign domain.
	// Unimplemented.
	FederatedBundles map[string][]*x509.Certificate
}

X509SVIDs is an X.509 SVID response from the SPIFFE Workload API.

func (*X509SVIDs) Default

func (x *X509SVIDs) Default() *X509SVID

Default returns the default SVID (the first in the list).

See the SPIFFE Workload API standard Section 5.3 (https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Workload_API.md#53-default-identity)
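As an added example (not code from this package or page), the consistency check a watcher can run inside UpdateX509SVIDs, for instance on Default(), before handing an SVID to TLS: the leaf's URI SAN must equal SPIFFEID, the chain must verify against TrustBundlePool, and PrivateKey must belong to the leaf. It assumes a local copy of the X509SVID struct instead of importing the package, and MakeTestSVID builds a constructed CA and leaf as input.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

type X509SVID struct { // local copy of the struct documented above (assumption: the package itself is not imported)
	SPIFFEID        string
	PrivateKey      crypto.Signer
	Certificates    []*x509.Certificate
	TrustBundlePool *x509.CertPool
}
// ValidateSVID rejects an update whose leaf (Certificates[0]) lacks a single URI SAN equal to SPIFFEID, does not chain to TrustBundlePool, or does not match PrivateKey.
func ValidateSVID(s *X509SVID) error {
	if len(s.Certificates) == 0 || len(s.Certificates[0].URIs) != 1 || s.Certificates[0].URIs[0].String() != s.SPIFFEID {
		return fmt.Errorf("leaf missing or its URI SAN does not match SPIFFEID %q", s.SPIFFEID)
	}
	if _, err := s.Certificates[0].Verify(x509.VerifyOptions{Roots: s.TrustBundlePool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain does not verify against trust bundle: %w", err)
	}
	if pub, ok := s.PrivateKey.Public().(interface{ Equal(crypto.PublicKey) bool }); !ok || !pub.Equal(s.Certificates[0].PublicKey) {
		return fmt.Errorf("private key does not match leaf certificate")
	}
	return nil
}
// MakeTestSVID builds a constructed CA and a leaf carrying id as its URI SAN (test data, not issued by a SPIRE agent).
func MakeTestSVID(id string) *X509SVID {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	u, _ := url.Parse(id)
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), URIs: []*url.URL{u}, KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafT, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &X509SVID{SPIFFEID: id, PrivateKey: leafKey, Certificates: []*x509.Certificate{leaf}, TrustBundlePool: pool}
}
func main() { fmt.Println("validate:", ValidateSVID(MakeTestSVID("spiffe://example.org/workload"))) }
```

A real watcher would pass a non-nil error from ValidateSVID to the same path as OnError and keep serving the previous SVID rather than installing the rejected one.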
