Compare commits

...

218 Commits

Author SHA1 Message Date
kfox1111 9fddca5c1a
Deprecate retry_bootstrap (#6050)
* Deprecate retry_bootstrap

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2025-07-10 10:06:38 -03:00
Sorin Dumitru 6767a3c3c9
Wait for server to come up before using it (#6174)
This test fails from time to time in CI. It seems like we should be waiting for the server to come up before trying to use it to get its bundle.

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
2025-07-09 07:19:04 +01:00
Sorin Dumitru 2d261f2db4
Retry healthcheck during agent-cli test (#6173)
It's possible for the agent to appear attested but for the healthcheck to not yet be passing, so we should retry not just the attestation but also the health check.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-07-08 22:41:56 +01:00
Sorin Dumitru 1ff99fa96d
Unpin binary version in upstream-authority-vault test (#6172)
This is the only test that does it and I don't think it is or should be necessary.

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
2025-07-08 21:43:37 +01:00
Yuedong Wu fd2b898aae
Fix markdown link syntax nits (#6169)
Signed-off-by: Yuedong Wu <dwcn22@outlook.com>
2025-07-07 20:21:53 +01:00
Carlo Teubner 11f821cf31
golangci-lint: upgrade to v2 & fix flakey test (#6064)
* golangci-lint: upgrade to v2

- Upgrade golangci-lint to the latest version, v2.1.6.
- Migrate to new config file format as required with v2.
- Run golangci-lint via "go run" not "go tool"; the docs explicitly
  recommend against the latter, and it was needlessly polluting our
  go.mod file.
- With the new way, the golangci-lint version is maintained in
  .spire-tool-versions, consistent with other similar tools.
- While we're at it, enable a few more linters/checks.
- Address all new linter complaints.
- Simplify some error return code patterns
- golangci-lint: enable more revive rules

* TestAttestAgent: fix flakeyness

This flakeyness was reported previously in #5774 with improvements made
in #5815, but was still happening.

Hopefully fix it, by not assuming that the gRPC Send() message must not
return an error; it is legitimately allowed to return io.EOF, in the
case where the server has returned an application-level error, which
we can then obtain via a Recv() call.

See https://pkg.go.dev/google.golang.org/grpc#ClientStream.SendMsg

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
2025-07-04 16:14:29 -03:00
dependabot[bot] 0508762982
Bump google.golang.org/api from 0.239.0 to 0.240.0 (#6166)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.239.0 to 0.240.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.239.0...v0.240.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.240.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-04 10:59:21 -07:00
dependabot[bot] b5beef4006
Bump github.com/shirou/gopsutil/v4 from 4.25.5 to 4.25.6 (#6165)
Bumps [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) from 4.25.5 to 4.25.6.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.25.5...v4.25.6)

---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v4
  dependency-version: 4.25.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-03 16:39:05 -07:00
dependabot[bot] 7a3bf0a650
Bump github.com/docker/docker (#6167)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.3.0+incompatible to 28.3.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v28.3.0...v28.3.1)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.3.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-03 14:29:39 -07:00
dependabot[bot] b9b00ad3cc
Bump github.com/go-viper/mapstructure/v2 from 2.2.1 to 2.3.0 (#6159)
Bumps [github.com/go-viper/mapstructure/v2](https://github.com/go-viper/mapstructure) from 2.2.1 to 2.3.0.
- [Release notes](https://github.com/go-viper/mapstructure/releases)
- [Changelog](https://github.com/go-viper/mapstructure/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-viper/mapstructure/compare/v2.2.1...v2.3.0)

---
updated-dependencies:
- dependency-name: github.com/go-viper/mapstructure/v2
  dependency-version: 2.3.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-03 09:51:18 -07:00
dependabot[bot] 32ee70fed9
Bump the aws-sdk group across 1 directory with 5 updates (#6161)
Bumps the aws-sdk group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.225.1` | `1.227.0` |
| [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) | `1.42.0` | `1.43.0` |
| [github.com/aws/aws-sdk-go-v2/service/organizations](https://github.com/aws/aws-sdk-go-v2) | `1.38.0` | `1.39.0` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.80.0` | `1.82.0` |
| [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) | `1.33.21` | `1.34.0` |



Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.225.1 to 1.227.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.225.1...service/ec2/v1.227.0)

Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.42.0 to 1.43.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.42.0...service/s3/v1.43.0)

Updates `github.com/aws/aws-sdk-go-v2/service/organizations` from 1.38.0 to 1.39.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.38.0...service/s3/v1.39.0)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.80.0 to 1.82.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.80.0...service/s3/v1.82.0)

Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.33.21 to 1.34.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/sts/v1.33.21...v1.34.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.227.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/iam
  dependency-version: 1.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/organizations
  dependency-version: 1.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.82.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-version: 1.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-02 16:11:59 -07:00
dependabot[bot] 32b64d04b8
Bump github.com/go-jose/go-jose/v4 from 4.1.0 to 4.1.1 (#6160)
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.1.0...v4.1.1)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-02 12:15:17 -07:00
dependabot[bot] d3bdc8c163
Bump github.com/docker/docker (#6157)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.2.2+incompatible to 28.3.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v28.2.2...v28.3.0)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.3.0+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-02 10:45:57 -07:00
Ryan Turner dff8a88df0
Prepare main branch for upcoming 1.13.0 release (#6163)
* Changelog for v.1.12.4 release (#6162)

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Prepare main branch for upcoming 1.13.0 release

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-07-01 22:48:49 -07:00
dependabot[bot] 46ac9d92f5
Bump cloud.google.com/go/secretmanager in the google-cloud-sdk group (#6144)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/secretmanager](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/secretmanager` from 1.14.7 to 1.15.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/automl/v1.14.7...kms/v1.15.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/secretmanager
  dependency-version: 1.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-07-01 11:42:01 -07:00
Agustín Martínez Fayó f687bf21e8
Revert "Fix metrics/health checks when retry_bootstrap=true (#6063)" (#6158)
This reverts commit 41aedaea5a.

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-06-27 07:49:45 -03:00
dependabot[bot] 6512090356
Bump github.com/sigstore/cosign/v2 from 2.5.0 to 2.5.2 (#6145)
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.5.0 to 2.5.2.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v2.5.0...v2.5.2)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-version: 2.5.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-26 09:13:22 -03:00
dependabot[bot] ba824b04d1
Bump google.golang.org/api from 0.237.0 to 0.239.0 (#6154)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.237.0 to 0.239.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.237.0...v0.239.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.239.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-26 07:37:29 -03:00
dependabot[bot] 21359c4ebf
Bump the k8s-io group with 5 updates (#6153)
Bumps the k8s-io group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.33.1` | `0.33.2` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.33.1` | `0.33.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.33.1` | `0.33.2` |
| [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) | `0.33.1` | `0.33.2` |
| [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils) | `0.33.1` | `0.33.2` |


Updates `k8s.io/api` from 0.33.1 to 0.33.2
- [Commits](https://github.com/kubernetes/api/compare/v0.33.1...v0.33.2)

Updates `k8s.io/apimachinery` from 0.33.1 to 0.33.2
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.33.1...v0.33.2)

Updates `k8s.io/client-go` from 0.33.1 to 0.33.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.33.1...v0.33.2)

Updates `k8s.io/kube-aggregator` from 0.33.1 to 0.33.2
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.33.1...v0.33.2)

Updates `k8s.io/mount-utils` from 0.33.1 to 0.33.2
- [Commits](https://github.com/kubernetes/mount-utils/compare/v0.33.1...v0.33.2)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/client-go
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/kube-aggregator
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/mount-utils
  dependency-version: 0.33.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-25 18:04:23 -03:00
dependabot[bot] 55e614c112
Bump github.com/aws/smithy-go from 1.22.3 to 1.22.4 (#6138)
Bumps [github.com/aws/smithy-go](https://github.com/aws/smithy-go) from 1.22.3 to 1.22.4.
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.22.3...v1.22.4)

---
updated-dependencies:
- dependency-name: github.com/aws/smithy-go
  dependency-version: 1.22.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-24 15:37:33 -03:00
dependabot[bot] 76299f86f3
Bump github.com/google/go-containerregistry from 0.20.5 to 0.20.6 (#6135)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.20.5 to 0.20.6.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.20.5...v0.20.6)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.20.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-19 17:14:03 +01:00
Agustín Martínez Fayó 70fadb5861
Use k8s Apply operation in `k8s_configmap` BundlePublisher plugin instead of Get / Create / Update (#6139)
* Use k8s Apply operation instead of Get / Create / Update

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

* Address PR comment

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>

---------

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-06-19 06:56:37 +01:00
Sorin Dumitru b991f8b6bd
Use UpstreamAuthority.SubscribeToLocalBundle RPC (#6090)
* Add test to show the issue

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

* Update spire-plugin-sdk to include new RPC

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

* Implement the new SubscribeToLocalBundle RPC

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

* fakeupstreamauthority: add support for GetTrustBundle

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

* Add UpstreamClient support for wathing upstream authorities

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

* Use SubscribeToLocalBundle UpstreamAuthority RPC if available

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

* Address review comments

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

---------

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-06-18 19:20:16 +01:00
Sorin Dumitru 0dfc8a6cf2
spire-agent: JWT-SVID validation should check for exp claim presence (#6141)
* spire-agent: JWT-SVID validation should check for exp claim presence

The SPIFFE [spec](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md\#33-expiration-time) says that tokens MUST have an exp field. We must reject tokens without one present.

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Bump SPIRE 1.12.4 and update Changelog

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Also update migration table

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Remove extra line in CHANGELOG.md

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

---------

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
2025-06-18 18:19:56 +01:00
dependabot[bot] c9f33b41f2
Bump github.com/aws/aws-sdk-go-v2/service/kms in the aws-sdk group (#6130)
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.40.1 to 1.41.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.40.1...service/s3/v1.41.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
  dependency-version: 1.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-17 15:52:57 -03:00
Sorin Dumitru 6185e7f0ed
Use sha of branch of caching executables (#6133)
Using the executables does not work because they do not exist when we try to fetch from the cache. This means we may end up fetching executables from previous runs of the workflows on the branch.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-06-15 09:31:17 -03:00
dependabot[bot] 6fcb5ef7ec
Bump github.com/go-sql-driver/mysql from 1.9.2 to 1.9.3 (#6131)
Bumps [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql) from 1.9.2 to 1.9.3.
- [Release notes](https://github.com/go-sql-driver/mysql/releases)
- [Changelog](https://github.com/go-sql-driver/mysql/blob/v1.9.3/CHANGELOG.md)
- [Commits](https://github.com/go-sql-driver/mysql/compare/v1.9.2...v1.9.3)

---
updated-dependencies:
- dependency-name: github.com/go-sql-driver/mysql
  dependency-version: 1.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-14 12:52:06 +01:00
dependabot[bot] df29c3ca1a
Bump google.golang.org/api from 0.236.0 to 0.237.0 (#6132)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.236.0 to 0.237.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.236.0...v0.237.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.237.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-14 09:44:14 +01:00
Keegan Witt 3d4579bb12
fix: subject_types_supported cannot be an empty list (#6126)
Closes #6125

Signed-off-by: Keegan Witt <keeganwitt@gmail.com>
2025-06-13 11:59:07 +01:00
Sorin Dumitru c1a25db8e1
Lower log level of cotainer not found retry (#6128)
This can appear somewhat frequently, more so now that the pod list is cached. We already have a warning for when the container it is not found at all, no point warning about retrying.

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-06-13 07:17:30 +01:00
dependabot[bot] b6760ad0d2
Bump github.com/sigstore/sigstore from 1.9.4 to 1.9.5 (#6124)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.9.4 to 1.9.5.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.9.4...v1.9.5)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.9.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-12 10:25:22 -03:00
Agustín Martínez Fayó 7cdc62c353
Add `k8s_configmap` BundlePublisher plugin (#6105)
* Add `k8s_configmap` BundlePublisher

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-06-12 06:57:58 -03:00
dependabot[bot] 48133acad8
Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#6122)
Bumps the azure-sdk group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.10.0 to 1.10.1
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/go-mgmt-sdk-release-guideline.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.10.0...sdk/azidentity/v1.10.1)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-version: 1.10.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: azure-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-11 16:17:24 -03:00
dependabot[bot] cbdf62d24b
Bump the aws-sdk group across 1 directory with 2 updates (#6121)
Bumps the aws-sdk group with 2 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.224.0 to 1.225.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.224.0...service/ec2/v1.225.0)

Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.39.0 to 1.40.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.39.0...service/s3/v1.40.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.225.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
  dependency-version: 1.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-11 09:07:49 -03:00
dependabot[bot] 408849b989
Bump golang.org/x/net from 0.40.0 to 0.41.0 (#6116)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.40.0 to 0.41.0.
- [Commits](https://github.com/golang/net/compare/v0.40.0...v0.41.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-10 16:14:17 -03:00
dependabot[bot] 2a341f8ac6
Bump golang.org/x/crypto from 0.38.0 to 0.39.0 (#6115)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.38.0 to 0.39.0.
- [Commits](https://github.com/golang/crypto/compare/v0.38.0...v0.39.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-10 13:28:57 -03:00
Ryan Turner ce88f8651a
Update to Go 1.24.4 (#6119)
* Update to Go 1.24.4

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

* Update to Alpine Linux 3.22

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

---------

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
2025-06-10 09:35:39 -03:00
Sorin Dumitru e7083db69f
Terminate entry lookup early if possible (#6100)
In the cases where we know which entries we are looking for, e.g. for SVID issuance, we can end iterating through entries early if we found all of them.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-06-07 14:14:45 +01:00
Tyler Schade 114f457701
implement gracefulstop with a configurable timeout in spire-server (#6076)
* implement gracefulstop

Signed-off-by: tjons <tylerschade99@gmail.com>

* code review feedback: remove configuration parameter and extract helper function

Signed-off-by: tjons <tylerschade99@gmail.com>

* code review feedback pt 2

Signed-off-by: tjons <tylerschade99@gmail.com>

* reintroduce cancellation

Signed-off-by: tjons <tylerschade99@gmail.com>

---------

Signed-off-by: tjons <tylerschade99@gmail.com>
2025-06-07 09:51:16 +01:00
dependabot[bot] 656e83d0fe
Bump github.com/hashicorp/vault/sdk from 0.17.0 to 0.18.0 (#6117)
Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.17.0 to 0.18.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG-v1.10-v1.15.md)
- [Commits](https://github.com/hashicorp/vault/compare/sdk/v0.17.0...sdk/v0.18.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/sdk
  dependency-version: 0.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-06 14:13:26 -07:00
dependabot[bot] 8866c602a5
Bump github.com/aws/aws-sdk-go-v2/service/kms in the aws-sdk group (#6114)
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.38.1 to 1.39.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.38.1...service/s3/v1.39.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
  dependency-version: 1.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-06 11:40:47 -07:00
dependabot[bot] bc52fe64b4
Bump golang.org/x/sync from 0.14.0 to 0.15.0 (#6111)
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.14.0 to 0.15.0.
- [Commits](https://github.com/golang/sync/compare/v0.14.0...v0.15.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-version: 0.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-06 09:52:13 -07:00
dependabot[bot] 1c7a915e36
Bump github.com/hashicorp/vault/api from 1.16.0 to 1.20.0 (#6113)
Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.16.0 to 1.20.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/vault/compare/v1.16.0...api/v1.20.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/api
  dependency-version: 1.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-05 16:13:19 -07:00
dependabot[bot] 19cf417169
Bump golang.org/x/time from 0.11.0 to 0.12.0 (#6110)
Bumps [golang.org/x/time](https://github.com/golang/time) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/time/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: golang.org/x/time
  dependency-version: 0.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-05 13:59:28 -07:00
dependabot[bot] 84fe369baf
Bump google.golang.org/grpc from 1.72.2 to 1.73.0 (#6112)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.72.2 to 1.73.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.72.2...v1.73.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.73.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-05 10:29:45 -07:00
dependabot[bot] 77c1f6e701
Bump github.com/docker/docker from 28.1.1+incompatible to 28.2.2+incompatible (#6097)
* Bump github.com/docker/docker

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.1.1+incompatible to 28.2.2+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v28.1.1...v28.2.2)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.2.2+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update Docker version

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

* Remove check for Docker version in plugin test

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-06-04 21:07:09 -07:00
dependabot[bot] 49ceb4a2ed
Bump github.com/open-policy-agent/opa from 1.5.0 to 1.5.1 (#6107)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.5.0 to 1.5.1.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.5.0...v1.5.1)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-04 14:57:45 -07:00
dependabot[bot] eacccc5fa8
Bump github.com/hashicorp/vault/sdk from 0.16.0 to 0.17.0 (#6092)
Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.16.0 to 0.17.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG-v1.10-v1.15.md)
- [Commits](https://github.com/hashicorp/vault/compare/sdk/v0.16.0...sdk/v0.17.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/sdk
  dependency-version: 0.17.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-04 13:37:42 -07:00
dependabot[bot] a4561482d2
Bump google.golang.org/api from 0.235.0 to 0.236.0 (#6108)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.235.0 to 0.236.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.235.0...v0.236.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.236.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-04 10:35:19 -07:00
dependabot[bot] 9ece0645bc
Bump the aws-sdk group across 1 directory with 2 updates (#6099)
Bumps the aws-sdk group with 2 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.223.0 to 1.224.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.223.0...service/ec2/v1.224.0)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.79.1 to 1.80.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.79.1...service/s3/v1.80.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.224.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.80.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-03 11:40:10 -07:00
dependabot[bot] 9287c56b11
Bump google.golang.org/grpc from 1.72.1 to 1.72.2 (#6102)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.72.1 to 1.72.2.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.72.1...v1.72.2)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.72.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-03 11:38:43 +01:00
dependabot[bot] 8841281892
Bump github.com/shirou/gopsutil/v4 from 4.25.4 to 4.25.5 (#6103)
Bumps [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) from 4.25.4 to 4.25.5.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.25.4...v4.25.5)

---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v4
  dependency-version: 4.25.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-02 21:04:54 +01:00
dependabot[bot] 13db20d282
Bump github.com/open-policy-agent/opa from 1.4.2 to 1.5.0 (#6098)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.4.2 to 1.5.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.4.2...v1.5.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-02 13:11:06 +01:00
dependabot[bot] aaa5235f7e
Bump cloud.google.com/go/storage in the google-cloud-sdk group (#6096)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/storage` from 1.54.0 to 1.55.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.54.0...spanner/v1.55.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-version: 1.55.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-06-02 10:49:34 +01:00
Sorin Dumitru 4c28ec2268
Improve performance for fetching authorized entries (#6034)
* Reduce some code duplication in the entry cache

This also improves performance slightly since we no longer clone some slices.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-05-30 19:13:07 -03:00
dependabot[bot] 80001e9179
Bump cloud.google.com/go/kms in the google-cloud-sdk group (#6082)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/kms` from 1.21.2 to 1.22.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.21.2...kms/v1.22.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/kms
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-29 14:34:28 -03:00
dependabot[bot] 11de50bb38
Bump github.com/google/go-containerregistry from 0.20.3 to 0.20.5 (#6085)
Bumps [github.com/google/go-containerregistry](https://github.com/google/go-containerregistry) from 0.20.3 to 0.20.5.
- [Release notes](https://github.com/google/go-containerregistry/releases)
- [Changelog](https://github.com/google/go-containerregistry/blob/main/.goreleaser.yml)
- [Commits](https://github.com/google/go-containerregistry/compare/v0.20.3...v0.20.5)

---
updated-dependencies:
- dependency-name: github.com/google/go-containerregistry
  dependency-version: 0.20.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-29 11:53:15 +01:00
dependabot[bot] c2f72bd8b7
Bump sigs.k8s.io/controller-runtime from 0.20.4 to 0.21.0 (#6089)
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.20.4 to 0.21.0.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.20.4...v0.21.0)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-28 18:13:44 +01:00
dependabot[bot] 08fbaa2a95
Bump github.com/aws/aws-sdk-go-v2/service/ec2 in the aws-sdk group (#6081)
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.218.0 to 1.219.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.218.0...service/ec2/v1.219.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.219.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-28 11:15:44 +01:00
Sorin Dumitru 10dae54b05
Bump go to 1.24.3 (#6088)
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-05-28 06:47:10 +01:00
kfox1111 41aedaea5a
Fix metrics/health checks when retry_bootstrap=true (#6063)
* Fix metrics/health checks when retry_bootstrap=true

When retry_bootstrap is true, during the startup/retrying, health
checks / metrics are not started. This time is currently is capped at
5 minutes, requiring fairly long health check delays on Kubernetes,
and no ability to collect metrics on what its doing.

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2025-05-27 15:26:27 -03:00
dependabot[bot] 5e7fe55ad2
Bump the k8s-io group with 5 updates (#6078)
Bumps the k8s-io group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.33.0` | `0.33.1` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.33.0` | `0.33.1` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.33.0` | `0.33.1` |
| [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) | `0.33.0` | `0.33.1` |
| [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils) | `0.33.0` | `0.33.1` |


Updates `k8s.io/api` from 0.33.0 to 0.33.1
- [Commits](https://github.com/kubernetes/api/compare/v0.33.0...v0.33.1)

Updates `k8s.io/apimachinery` from 0.33.0 to 0.33.1
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.33.0...v0.33.1)

Updates `k8s.io/client-go` from 0.33.0 to 0.33.1
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.33.0...v0.33.1)

Updates `k8s.io/kube-aggregator` from 0.33.0 to 0.33.1
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.33.0...v0.33.1)

Updates `k8s.io/mount-utils` from 0.33.0 to 0.33.1
- [Commits](https://github.com/kubernetes/mount-utils/compare/v0.33.0...v0.33.1)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.33.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.33.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/client-go
  dependency-version: 0.33.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/kube-aggregator
  dependency-version: 0.33.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/mount-utils
  dependency-version: 0.33.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-27 16:48:40 +01:00
dependabot[bot] 993bab01a8
Bump github.com/jackc/pgx/v5 from 5.7.4 to 5.7.5 (#6077)
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.7.4 to 5.7.5.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jackc/pgx/compare/v5.7.4...v5.7.5)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-version: 5.7.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-22 14:43:01 +01:00
dependabot[bot] de2c63f9a8
Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#6070)
Bumps the azure-sdk group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.9.0 to 1.10.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/go-mgmt-sdk-release-guideline.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.9.0...sdk/azcore/v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-version: 1.10.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: azure-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-22 12:04:10 +01:00
Agustín Martínez Fayó 0b0b86a1d3
Add ARM64 support for integration tests in GitHub workflows (#6059)
* Add ARM64 support for integration tests on GitHub workflows

Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-05-20 18:30:02 -03:00
Sorin Dumitru 9aebf800d1
Bump SPIRE v1.12.3 (#6080)
* Use Policy field instead of PolicyIdentifiers in cert templates (#6074)

Co-authored-by: Marcos Yacob <marcosyacob@gmail.com>
Signed-off-by: Sorin Dumitru <sorin@returnze.ro>

* Bump SPIRE v1.12.3

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

---------

Signed-off-by: Sorin Dumitru <sorin@returnze.ro>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: Marcos Yacob <marcosyacob@gmail.com>
2025-05-20 15:50:52 -03:00
dependabot[bot] f448057e3f
Bump github.com/googleapis/gax-go/v2 from 2.14.1 to 2.14.2 (#6073)
Bumps [github.com/googleapis/gax-go/v2](https://github.com/googleapis/gax-go) from 2.14.1 to 2.14.2.
- [Release notes](https://github.com/googleapis/gax-go/releases)
- [Commits](https://github.com/googleapis/gax-go/compare/v2.14.1...v2.14.2)

---
updated-dependencies:
- dependency-name: github.com/googleapis/gax-go/v2
  dependency-version: 2.14.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-19 16:10:33 +01:00
dependabot[bot] 1810d8c9fe
Bump google.golang.org/grpc from 1.72.0 to 1.72.1 (#6072)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.72.0 to 1.72.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.72.0...v1.72.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.72.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-19 15:27:22 +01:00
dependabot[bot] 8cd40be1de
Bump github.com/hashicorp/vault/sdk from 0.15.2 to 0.16.0 (#6071)
Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.15.2 to 0.16.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG-v1.10-v1.15.md)
- [Commits](https://github.com/hashicorp/vault/compare/sdk/v0.15.2...sdk/v0.16.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/sdk
  dependency-version: 0.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-19 13:41:48 +01:00
dependabot[bot] ea97e994b8
Bump the aws-sdk group across 1 directory with 2 updates (#6068)
Bumps the aws-sdk group with 2 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.213.0 to 1.218.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.213.0...service/ec2/v1.218.0)

Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.41.1 to 1.42.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ivs/v1.41.1...service/s3/v1.42.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.218.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/iam
  dependency-version: 1.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-19 11:05:26 +01:00
kfox1111 81d54ef5ba
Don't contact trust_bundle_url needlessly (#6065)
* Don't contact trust_bundle_url needlessly

The agent contacts the trust_bundle_url on startup even if it already
has a trust bundle. If connection fails, the agent fails. This
requirement puts more load on the server needlessly, and either makes
the agent lower availability or puts higher availability requirements
on the server. Change it so that this doesn't happen.

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Fix lint

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Incorperate feedback

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

---------

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2025-05-15 17:39:53 -03:00
dependabot[bot] 03d18e4024
Bump google.golang.org/api from 0.230.0 to 0.233.0 (#6067)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.230.0 to 0.233.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.230.0...v0.233.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.233.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-15 15:38:10 +01:00
dependabot[bot] d0b274e6c3
Bump cloud.google.com/go/storage in the google-cloud-sdk group (#6066)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/storage` from 1.53.0 to 1.54.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.53.0...spanner/v1.54.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-version: 1.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-15 10:51:57 -03:00
dependabot[bot] 843614b927
Bump github.com/open-policy-agent/opa from 1.4.0 to 1.4.2 (#6046)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.4.0 to 1.4.2.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.4.0...v1.4.2)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-15 12:26:24 +01:00
dependabot[bot] 1b15dd811e
Bump github.com/google/go-tpm from 0.9.3 to 0.9.5 (#6062)
Bumps [github.com/google/go-tpm](https://github.com/google/go-tpm) from 0.9.3 to 0.9.5.
- [Release notes](https://github.com/google/go-tpm/releases)
- [Commits](https://github.com/google/go-tpm/compare/v0.9.3...v0.9.5)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm
  dependency-version: 0.9.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-15 11:13:38 +01:00
Carlo Teubner 6709c8b6b4
Delete some dead code (#6058)
I ran
    go run golang.org/x/tools/cmd/deadcode@latest -test ./...
and manually reviewed the result.

I selected a subset of "dead code" (never-called functions) to delete. I
did not delete some other functions that seemed like they could still be
useful in future.

One function flagged as dead was "DeltaSecretsTest" in
pkg/agent/endpoints/sdsv3/handler_test.go, which seems like it was a
misspelled function that was intended as a test case. I tried renaming
it to "TestDeltaSecrets" but it turned out to be broken and hard to fix.
Since it only tests that an RPC method is unimplemented, I opted to just
remove the function instead.

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
2025-05-15 10:07:05 +01:00
dependabot[bot] 3e892f15d6
Bump golang.org/x/net from 0.39.0 to 0.40.0 (#6061)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.39.0 to 0.40.0.
- [Commits](https://github.com/golang/net/compare/v0.39.0...v0.40.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.40.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-14 11:51:23 -03:00
kfox1111 66559bc70f
Add file mode to oidc-discovery-provider (#6025)
* Add file mode to oidc-discovery-provider

This enables the oidc-discovery-provider to read the trust bundle from a
file.

Fixes: https://github.com/spiffe/spire/issues/6017

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2025-05-13 16:24:11 -03:00
dependabot[bot] 4dd9a149eb
Bump golang.org/x/sys from 0.32.0 to 0.33.0 (#6047)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.32.0 to 0.33.0.
- [Commits](https://github.com/golang/sys/compare/v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-08 19:37:44 +01:00
dependabot[bot] 662da58da3
Bump cloud.google.com/go/storage in the google-cloud-sdk group (#6045)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/storage` from 1.52.0 to 1.53.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.52.0...spanner/v1.53.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-version: 1.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-08 07:30:50 +01:00
Marcos Yacob e5ad056d5e
Bump SPIRE v1.12.2 (#6052)
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
2025-05-07 13:39:56 -03:00
dependabot[bot] 4741d49d88
Bump github.com/aws/aws-sdk-go-v2/service/ec2 in the aws-sdk group (#6040)
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.212.0 to 1.213.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.212.0...service/ec2/v1.213.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.213.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-02 13:33:03 -07:00
dependabot[bot] f1692f46dc
Bump github.com/shirou/gopsutil/v4 from 4.25.3 to 4.25.4 (#6041)
Bumps [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) from 4.25.3 to 4.25.4.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.25.3...v4.25.4)

---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v4
  dependency-version: 4.25.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-02 11:38:11 -07:00
dependabot[bot] 449b6bf68a
Bump github.com/open-policy-agent/opa from 1.3.0 to 1.4.0 (#6042)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.3.0 to 1.4.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.3.0...v1.4.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-version: 1.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-05-02 11:06:08 -07:00
Sorin Dumitru 9ba374537d
Include SPIFFE ID in audit logs for NewJWTSVID (#6036)
This is present in the logs for BatchNewX509SVID so it should also be present here.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-04-30 06:56:11 +01:00
Sorin Dumitru 59f23995d2
Fix the BuildSQL benchmark (#6033)
Without including the alias in the name we get duplicate entry errors and the benchmark fails completely.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-04-29 20:34:06 +01:00
Faisal Memon 2bb1232798
Reduce event timeout to 5 minutes (#5966)
* Reduce event timeout to 5 minutes

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
2025-04-29 18:25:50 +01:00
Mike Brown 7015e3a502
pipe through IGNORE_SUITES (#6020)
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2025-04-29 09:52:29 -03:00
kfox1111 31b855eefc
Extract the trust bundle code from agent/cli/run (#6021)
* Extract the trust bundle code from agent/cli/run

The trust bundle fetching code is only available from the cli run file.
It will need to be in a more common location for reattestation code to
come. We move the existing code to a common location with as few changes
as possible. This will make future reviews easier as changes will not
involve moving large blocks of code at the same time as changing
behavior for reattestation support.

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Add tests

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Fix path

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

---------

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
2025-04-28 23:49:24 -03:00
Mike Brown 5248b48d78
adding additional unit test variations for sigstore (#6023)
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2025-04-28 14:56:24 -03:00
dependabot[bot] a95033336c
Bump github.com/sigstore/sigstore from 1.9.3 to 1.9.4 (#6032)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.9.3 to 1.9.4.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.9.3...v1.9.4)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.9.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-28 09:51:23 +01:00
dependabot[bot] 1c2456c95d
Bump the k8s-io group with 5 updates (#6031)
Bumps the k8s-io group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.32.4` | `0.33.0` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.32.4` | `0.33.0` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.32.4` | `0.33.0` |
| [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) | `0.32.4` | `0.33.0` |
| [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils) | `0.32.4` | `0.33.0` |


Updates `k8s.io/api` from 0.32.4 to 0.33.0
- [Commits](https://github.com/kubernetes/api/compare/v0.32.4...v0.33.0)

Updates `k8s.io/apimachinery` from 0.32.4 to 0.33.0
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.32.4...v0.33.0)

Updates `k8s.io/client-go` from 0.32.4 to 0.33.0
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.32.4...v0.33.0)

Updates `k8s.io/kube-aggregator` from 0.32.4 to 0.33.0
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.32.4...v0.33.0)

Updates `k8s.io/mount-utils` from 0.32.4 to 0.33.0
- [Commits](https://github.com/kubernetes/mount-utils/compare/v0.32.4...v0.33.0)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-io
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-io
- dependency-name: k8s.io/client-go
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-io
- dependency-name: k8s.io/kube-aggregator
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-io
- dependency-name: k8s.io/mount-utils
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: k8s-io
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-28 08:07:24 +01:00
dependabot[bot] 5ef3d8dd1e
Bump google.golang.org/api from 0.229.0 to 0.230.0 (#6029)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.229.0 to 0.230.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.229.0...v0.230.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.230.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-27 18:33:05 +01:00
dependabot[bot] 3badfa8b37
Bump cloud.google.com/go/storage in the google-cloud-sdk group (#6027)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/storage` from 1.51.0 to 1.52.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.51.0...spanner/v1.52.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-version: 1.52.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-27 06:26:12 +01:00
Sorin Dumitru acbbb296d1
Add more details to the AWS Roles Anywhere publisher (#5989)
This came up on Slack and I think having some more details in here about the reasons we need an UpstreamAuthority plugin would help

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-04-26 07:10:03 +01:00
Mike Brown 01ebc0e982
correct wording of error message; add unified cgroups test (#6030)
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2025-04-25 20:07:01 +01:00
dependabot[bot] 3d68fd28e5
Bump github.com/aws/aws-sdk-go-v2/service/ec2 in the aws-sdk group (#6026)
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.211.1 to 1.212.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.211.1...service/ec2/v1.212.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.212.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-24 19:43:35 +01:00
dependabot[bot] 8e3588f1dd
Bump the k8s-io group with 5 updates (#6028)
Bumps the k8s-io group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.32.3` | `0.32.4` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.32.3` | `0.32.4` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.32.3` | `0.32.4` |
| [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) | `0.32.3` | `0.32.4` |
| [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils) | `0.32.3` | `0.32.4` |


Updates `k8s.io/api` from 0.32.3 to 0.32.4
- [Commits](https://github.com/kubernetes/api/compare/v0.32.3...v0.32.4)

Updates `k8s.io/apimachinery` from 0.32.3 to 0.32.4
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.32.3...v0.32.4)

Updates `k8s.io/client-go` from 0.32.3 to 0.32.4
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.32.3...v0.32.4)

Updates `k8s.io/kube-aggregator` from 0.32.3 to 0.32.4
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.32.3...v0.32.4)

Updates `k8s.io/mount-utils` from 0.32.3 to 0.32.4
- [Commits](https://github.com/kubernetes/mount-utils/compare/v0.32.3...v0.32.4)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-version: 0.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/client-go
  dependency-version: 0.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/kube-aggregator
  dependency-version: 0.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/mount-utils
  dependency-version: 0.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-24 16:11:10 +01:00
dependabot[bot] 66d95c8f54
Bump google.golang.org/grpc from 1.71.1 to 1.72.0 (#6022)
* Bump google.golang.org/grpc from 1.71.1 to 1.72.0

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.71.1 to 1.72.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.71.1...v1.72.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.72.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Add new grpc_health_v1 rpc

Latest version of gRPC added a new rpc to the service so we need to add the scaffolding for it.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-04-23 21:50:43 +01:00
dependabot[bot] 94b907137a
Bump github.com/docker/docker from 28.0.4+incompatible to 28.1.1+incompatible (#6018)
* Bump github.com/docker/docker

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.0.4+incompatible to 28.1.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v28.0.4...v28.1.1)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-version: 28.1.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update docker engine API version in test

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-04-20 10:59:11 -03:00
Mike Brown 8ce1b369ba
update urls to security assessments (#6012)
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2025-04-20 06:15:24 +01:00
dependabot[bot] ed5f781fcb
Bump github.com/sigstore/rekor from 1.3.9 to 1.3.10 (#6010)
Bumps [github.com/sigstore/rekor](https://github.com/sigstore/rekor) from 1.3.9 to 1.3.10.
- [Release notes](https://github.com/sigstore/rekor/releases)
- [Changelog](https://github.com/sigstore/rekor/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/rekor/compare/v1.3.9...v1.3.10)

---
updated-dependencies:
- dependency-name: github.com/sigstore/rekor
  dependency-version: 1.3.10
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-19 17:35:45 +02:00
dependabot[bot] 31a32b1781
Bump github.com/GoogleCloudPlatform/cloudsql-proxy from 1.37.6 to 1.37.7 (#6015)
Bumps [github.com/GoogleCloudPlatform/cloudsql-proxy](https://github.com/GoogleCloudPlatform/cloudsql-proxy) from 1.37.6 to 1.37.7.
- [Release notes](https://github.com/GoogleCloudPlatform/cloudsql-proxy/releases)
- [Changelog](https://github.com/GoogleCloudPlatform/cloud-sql-proxy/blob/v1.37.7/CHANGELOG.md)
- [Commits](https://github.com/GoogleCloudPlatform/cloudsql-proxy/compare/v1.37.6...v1.37.7)

---
updated-dependencies:
- dependency-name: github.com/GoogleCloudPlatform/cloudsql-proxy
  dependency-version: 1.37.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-19 16:44:55 +02:00
Faisal Memon 7a7ad6e894
Fetch updated cache entries in bulk (#5970)
Use the new FetchRegistrationEntries API from #5910 to get the full list of updated entries rather than fetching them individually.

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
2025-04-19 08:37:36 +01:00
dependabot[bot] 9ce2aef3ce
Bump github.com/mattn/go-sqlite3 from 1.14.27 to 1.14.28 (#6014)
Bumps [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) from 1.14.27 to 1.14.28.
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](https://github.com/mattn/go-sqlite3/compare/v1.14.27...v1.14.28)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-18 19:32:21 +01:00
dependabot[bot] 3420abfe3e
Bump google.golang.org/api from 0.228.0 to 0.229.0 (#6013)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.228.0 to 0.229.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.228.0...v0.229.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-version: 0.229.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-18 13:03:27 -03:00
Sorin Dumitru d47d6a32e4
Upgrade to go 1.24.2 (#6009)
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-04-18 11:26:09 -03:00
kfox1111 d76a21aaeb
Unix socket support for trust bundle URL (#5932)
* Unix socket support for trust bundle URL

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Pass metadata to the remote

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Fix test

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Fix extra space

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Revert param passing bit for now.

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Reserve params for later use

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Update path

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Incorperate feedback

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Apply suggestions from code review

Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>

* Incorperate feedback

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Fix lint

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Add socket test

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Fix lint

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

* Add config tests

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>

---------

Signed-off-by: Kevin Fox <Kevin.Fox@pnnl.gov>
Signed-off-by: kfox1111 <Kevin.Fox@pnnl.gov>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-04-17 10:01:15 -07:00
dependabot[bot] 83be5079d2
Bump github.com/sigstore/sigstore from 1.9.1 to 1.9.3 (#6006)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.9.1 to 1.9.3.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.9.1...v1.9.3)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-version: 1.9.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-14 20:33:13 +02:00
Tyler Schade 392bafd482
remove dead make target (#6008)
Signed-off-by: tjons <tylerschade99@gmail.com>
2025-04-11 07:19:26 +01:00
dependabot[bot] 6440c58f74
Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#6005)
Bumps the azure-sdk group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.8.2 to 1.9.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azidentity/v1.8.2...sdk/azcore/v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-version: 1.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: azure-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-10 17:38:04 +01:00
dependabot[bot] a9f27c9b8c
Bump golang.org/x/net from 0.38.0 to 0.39.0 (#6003)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.38.0 to 0.39.0.
- [Commits](https://github.com/golang/net/compare/v0.38.0...v0.39.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-version: 0.39.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-10 16:55:11 +01:00
dependabot[bot] f769f54d6a
Bump github.com/prometheus/client_golang from 1.21.1 to 1.22.0 (#6004)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.21.1 to 1.22.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.21.1...v1.22.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-09 07:16:42 +01:00
dependabot[bot] 91da9d334c
Bump github.com/go-jose/go-jose/v4 from 4.0.5 to 4.1.0 (#6001)
* Bump github.com/go-jose/go-jose/v4 from 4.0.5 to 4.1.0

Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.5 to 4.1.0.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.5...v4.1.0)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Resolve test issue

Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Marcos Yacob <marcosyacob@gmail.com>
2025-04-08 16:43:39 -03:00
dependabot[bot] f99f8e3131
Bump github.com/sigstore/cosign/v2 from 2.4.3 to 2.5.0 (#6000)
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.4.3 to 2.5.0.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v2.4.3...v2.5.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-08 15:17:56 -03:00
dependabot[bot] dfb104403e
Bump github.com/go-sql-driver/mysql from 1.9.1 to 1.9.2 (#5999)
Bumps [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql) from 1.9.1 to 1.9.2.
- [Release notes](https://github.com/go-sql-driver/mysql/releases)
- [Changelog](https://github.com/go-sql-driver/mysql/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-sql-driver/mysql/compare/v1.9.1...v1.9.2)

---
updated-dependencies:
- dependency-name: github.com/go-sql-driver/mysql
  dependency-version: 1.9.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-07 19:48:02 +01:00
dependabot[bot] 9302a6ef78
Bump google.golang.org/grpc from 1.71.0 to 1.71.1 (#5998)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.71.0 to 1.71.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.71.0...v1.71.1)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-version: 1.71.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-07 19:12:10 +01:00
dependabot[bot] 3d9a1f5ddb
Bump golang.org/x/crypto from 0.36.0 to 0.37.0 (#5995)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.36.0 to 0.37.0.
- [Commits](https://github.com/golang/crypto/compare/v0.36.0...v0.37.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-07 18:40:01 +01:00
dependabot[bot] ceee48c14e
Bump github.com/gofrs/uuid/v5 from 5.3.1 to 5.3.2 (#5978)
Bumps [github.com/gofrs/uuid/v5](https://github.com/gofrs/uuid) from 5.3.1 to 5.3.2.
- [Release notes](https://github.com/gofrs/uuid/releases)
- [Commits](https://github.com/gofrs/uuid/compare/v5.3.1...v5.3.2)

---
updated-dependencies:
- dependency-name: github.com/gofrs/uuid/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-04 22:01:20 +01:00
dependabot[bot] 7c0778b5ed
Bump github.com/uber-go/tally/v4 from 4.1.16 to 4.1.17 (#5992)
Bumps [github.com/uber-go/tally/v4](https://github.com/uber-go/tally) from 4.1.16 to 4.1.17.
- [Release notes](https://github.com/uber-go/tally/releases)
- [Commits](https://github.com/uber-go/tally/compare/v4.1.16...v4.1.17)

---
updated-dependencies:
- dependency-name: github.com/uber-go/tally/v4
  dependency-version: 4.1.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-04 20:40:04 +01:00
dependabot[bot] 3997503420
Bump cloud.google.com/go/iam in the google-cloud-sdk group (#5983)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/iam](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/iam` from 1.4.1 to 1.5.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/tpu/v1.4.1...ids/v1.5.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/iam
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-04 19:22:01 +01:00
dependabot[bot] 4acd4a0de8
Bump github.com/Azure/azure-sdk-for-go/sdk/azcore in the azure-sdk group (#5991)
Bumps the azure-sdk group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azcore` from 1.17.1 to 1.18.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.17.1...sdk/azcore/v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore
  dependency-version: 1.18.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: azure-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-04 18:25:04 +01:00
dependabot[bot] a25a6527e2
Bump github.com/shirou/gopsutil/v4 from 4.25.2 to 4.25.3 (#5984)
Bumps [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) from 4.25.2 to 4.25.3.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.25.2...v4.25.3)

---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v4
  dependency-version: 4.25.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-04 17:53:02 +01:00
dependabot[bot] 1c547ab293
Bump the aws-sdk group across 1 directory with 3 updates (#5986)
Bumps the aws-sdk group with 3 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.210.0 to 1.211.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.210.0...service/ec2/v1.211.0)

Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.40.0 to 1.41.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.40.0...service/s3/v1.41.0)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.78.0 to 1.79.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.78.0...service/s3/v1.79.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-version: 1.211.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/iam
  dependency-version: 1.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-version: 1.79.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-04 17:24:36 +01:00
dependabot[bot] c4aef297cb
Bump golang.org/x/net from 0.37.0 to 0.38.0 (#5979)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.37.0 to 0.38.0.
- [Commits](https://github.com/golang/net/compare/v0.37.0...v0.38.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-04 16:41:58 +01:00
dependabot[bot] f0f6c2018e
Bump github.com/mattn/go-sqlite3 from 1.14.24 to 1.14.27 (#5990)
Bumps [github.com/mattn/go-sqlite3](https://github.com/mattn/go-sqlite3) from 1.14.24 to 1.14.27.
- [Release notes](https://github.com/mattn/go-sqlite3/releases)
- [Commits](https://github.com/mattn/go-sqlite3/compare/v1.14.24...v1.14.27)

---
updated-dependencies:
- dependency-name: github.com/mattn/go-sqlite3
  dependency-version: 1.14.27
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-04-04 16:14:20 +01:00
Dmytro A a56fb1face
Fix OIDC Discovery Provider debug log handler (#5981)
There is no UserAgent field available on Request to access. Instead, we need to use UserAgent method, which extracts the data from the header:
```
// UserAgent returns the client's User-Agent, if sent in the request.
func (r *Request) UserAgent() string {
	return r.Header.Get("User-Agent")
}
```

Signed-off-by: Dmytro A <hippers@gmail.com>
2025-04-01 15:02:10 +01:00
dependabot[bot] 3816e90181
Bump github.com/open-policy-agent/opa from 1.2.0 to 1.3.0 (#5976)
* Bump github.com/open-policy-agent/opa from 1.2.0 to 1.3.0

Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.2.0 to 1.3.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.2.0...v1.3.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Tidy go.mod

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-03-27 12:47:52 -07:00
Sorin Dumitru 2b23ecdef4
Cleanup some temporary checks in journal loading (#5918)
These were added a long time ago and are not needed anymore.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-03-27 18:33:37 +00:00
dependabot[bot] 84c9f8c0c5
Bump github.com/jackc/pgx/v5 from 5.7.2 to 5.7.4 (#5974)
Bumps [github.com/jackc/pgx/v5](https://github.com/jackc/pgx) from 5.7.2 to 5.7.4.
- [Changelog](https://github.com/jackc/pgx/blob/master/CHANGELOG.md)
- [Commits](https://github.com/jackc/pgx/compare/v5.7.2...v5.7.4)

---
updated-dependencies:
- dependency-name: github.com/jackc/pgx/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-26 21:51:56 -07:00
dependabot[bot] 8bb9df8d1c
Bump sigs.k8s.io/controller-runtime from 0.20.3 to 0.20.4 (#5973)
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.20.3 to 0.20.4.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.20.3...v0.20.4)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-26 19:58:30 -07:00
Ryan Turner ef6b95ebd9
Bump protobuf compiler to v29.4 (#5972)
Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
2025-03-26 10:31:03 -07:00
dependabot[bot] 010b34ee05
Bump github.com/docker/docker (#5975)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.0.3+incompatible to 28.0.4+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v28.0.3...v28.0.4)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-26 10:06:36 -07:00
Sorin Dumitru 76adc18d21
integration tests: wait for spire-server to come up (#5967)
* integration tests: wait for spire-server to come up

We don't wait for spire-server to be up before trying to make use of it. This sometimes leads to failures in integration tests, for example when trying to read the bundle because it might not be available yet.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-03-26 06:45:07 +00:00
Sorin Dumitru af1a686c04
Add stalebot configuration for blocked issues (#5959)
In the case issues are waiting on some update or are blocked on some other project, we want to be mark those issues as stale quicker, so we can have a look at the blocking issue.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-03-25 22:02:09 -07:00
dependabot[bot] 7a9fc4ca23
Bump google.golang.org/api from 0.225.0 to 0.227.0 (#5958)
* Bump google.golang.org/api from 0.225.0 to 0.227.0

Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.225.0 to 0.227.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.225.0...v0.227.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* Regenerate protos

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-03-25 20:48:50 -07:00
dependabot[bot] 2db7e8969a
Bump github.com/go-sql-driver/mysql from 1.9.0 to 1.9.1 (#5963)
Bumps [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/go-sql-driver/mysql/releases)
- [Changelog](https://github.com/go-sql-driver/mysql/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-sql-driver/mysql/compare/v1.9.0...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/go-sql-driver/mysql
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-25 15:56:08 -07:00
dependabot[bot] 2317be876c
Bump github.com/Azure/azure-sdk-for-go/sdk/azcore in the azure-sdk group (#5962)
Bumps the azure-sdk group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azcore](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azcore` from 1.17.0 to 1.17.1
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.17.0...sdk/azcore/v1.17.1)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azcore
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: azure-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-25 14:47:08 -07:00
dependabot[bot] 4ad6c1b55d
Bump github.com/golang-jwt/jwt/v5 from 5.2.1 to 5.2.2 (#5965)
Bumps [github.com/golang-jwt/jwt/v5](https://github.com/golang-jwt/jwt) from 5.2.1 to 5.2.2.
- [Release notes](https://github.com/golang-jwt/jwt/releases)
- [Changelog](https://github.com/golang-jwt/jwt/blob/main/VERSION_HISTORY.md)
- [Commits](https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2)

---
updated-dependencies:
- dependency-name: github.com/golang-jwt/jwt/v5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-25 12:49:37 -07:00
dependabot[bot] acd8d02800
Bump github.com/GoogleCloudPlatform/cloudsql-proxy from 1.37.5 to 1.37.6 (#5964)
Bumps [github.com/GoogleCloudPlatform/cloudsql-proxy](https://github.com/GoogleCloudPlatform/cloudsql-proxy) from 1.37.5 to 1.37.6.
- [Release notes](https://github.com/GoogleCloudPlatform/cloudsql-proxy/releases)
- [Changelog](https://github.com/GoogleCloudPlatform/cloud-sql-proxy/blob/v1.37.6/CHANGELOG.md)
- [Commits](https://github.com/GoogleCloudPlatform/cloudsql-proxy/compare/v1.37.5...v1.37.6)

---
updated-dependencies:
- dependency-name: github.com/GoogleCloudPlatform/cloudsql-proxy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-25 18:30:02 +00:00
dependabot[bot] 8489f7b35d
Bump github.com/docker/docker (#5971)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.0.1+incompatible to 28.0.3+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v28.0.1...v28.0.3)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-25 17:42:39 +00:00
Faisal Memon 826a819422
Add FetchRegistrationEntries API (#5910)
* Add FetchRegistrationEntries API

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Cleanup, add unit test

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Typo

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Fix linter errors

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Update pkg/server/datastore/sqlstore/sqlstore.go

Co-authored-by: Sorin Dumitru <sorin@returnze.ro>
Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Use map

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Deleted entry unit test

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Fix unit tests

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Function naming

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Cleanup, more unit tests

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Preallocate array

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Minor cleanup

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Improve unit testing

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Fix issue with selectors not showing up

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Fix linter error

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

* Fill in sql variants

Signed-off-by: Faisal Memon <fymemon@yahoo.com>

---------

Signed-off-by: Faisal Memon <fymemon@yahoo.com>
Co-authored-by: Sorin Dumitru <sorin@returnze.ro>
2025-03-24 10:08:55 +00:00
Sorin Dumitru 8f909c8422
Bump SPIRE 1.12.1 (#5968)
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-03-22 12:11:54 -03:00
dependabot[bot] 458652ee47
Bump the aws-sdk group with 2 updates (#5951)
Bumps the aws-sdk group with 2 updates: [github.com/aws/aws-sdk-go-v2/service/acmpca](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/acmpca` from 1.39.0 to 1.40.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.39.0...service/s3/v1.40.0)

Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.209.0 to 1.210.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.209.0...service/ec2/v1.210.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/acmpca
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-20 14:42:40 -03:00
Sorin Dumitru ada8855749
valid_csr test: move mock clock initialisation before any operations (#5942)
Otherwise by the time we run the test the seconds of the clock might have rolled and cause us to think that the CA is valid for 1 hour - 1 second instead of 1 hour.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
2025-03-18 15:47:07 -03:00
jananiarunachalam e35cb7eb08
Update database connections defaults (#5853)
* Update database connections defaults

Signed-off-by: jananiarunachalam <jananiarunachalam17@gmail.com>

* Update test

Signed-off-by: jananiarunachalam <jananiarunachalam17@gmail.com>

* PR comment: SetConnMaxIdleTime

Signed-off-by: jananiarunachalam <jananiarunachalam17@gmail.com>

* PR comment: update doc

Signed-off-by: jananiarunachalam <jananiarunachalam17@gmail.com>

* Update doc: 30s -> unlimited

Signed-off-by: jananiarunachalam <jananiarunachalam17@gmail.com>

* SetConnMaxLifetime -> SetConnMaxIdleTime

Signed-off-by: jananiarunachalam <jananiarunachalam17@gmail.com>

* Update doc w ConnMaxIdleTime

Signed-off-by: jananiarunachalam <jananiarunachalam17@gmail.com>

---------

Signed-off-by: jananiarunachalam <jananiarunachalam17@gmail.com>
2025-03-14 17:47:12 +00:00
dependabot[bot] ecec291c9c
Bump the k8s-io group with 5 updates (#5947)
Bumps the k8s-io group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.32.2` | `0.32.3` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.32.2` | `0.32.3` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.32.2` | `0.32.3` |
| [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) | `0.32.2` | `0.32.3` |
| [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils) | `0.32.2` | `0.32.3` |


Updates `k8s.io/api` from 0.32.2 to 0.32.3
- [Commits](https://github.com/kubernetes/api/compare/v0.32.2...v0.32.3)

Updates `k8s.io/apimachinery` from 0.32.2 to 0.32.3
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.32.2...v0.32.3)

Updates `k8s.io/client-go` from 0.32.2 to 0.32.3
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.32.2...v0.32.3)

Updates `k8s.io/kube-aggregator` from 0.32.2 to 0.32.3
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.32.2...v0.32.3)

Updates `k8s.io/mount-utils` from 0.32.2 to 0.32.3
- [Commits](https://github.com/kubernetes/mount-utils/compare/v0.32.2...v0.32.3)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/kube-aggregator
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/mount-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-14 14:36:50 +00:00
dependabot[bot] ccb4914983
Bump cloud.google.com/go/storage in the google-cloud-sdk group (#5949)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/storage` from 1.50.0 to 1.51.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/spanner/v1.50.0...spanner/v1.51.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-14 13:47:18 +00:00
Amit Upadhyay 136a77dbcc
Remove the deprecated k8s_sat node attestor plugin (#5703)
Signed-off-by: Amit Upadhyay <amit.upadhyay021@outlook.com>
2025-03-14 12:47:26 +00:00
Dmitry Kartsev 84ef545c58
Adding support for publishing bundle to Minio Object Storage (#5395) (#5757)
Signed-off-by: Dmitry Kartsev <dimssss@gmail.com>
2025-03-13 18:13:40 +00:00
dependabot[bot] 40fa690c7b
Bump github.com/aws/aws-sdk-go-v2/service/ec2 in the aws-sdk group (#5946)
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.208.0 to 1.209.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.208.0...service/ec2/v1.209.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-12 21:04:54 +00:00
dependabot[bot] 9dcdf4c362
Bump google.golang.org/api from 0.224.0 to 0.225.0 (#5948)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.224.0 to 0.225.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.224.0...v0.225.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-12 20:33:14 +00:00
Carlo Teubner f6a11a0ae0
Apply gopls modernize pass (#5909)
* Apply gopls modernize pass

Recent gopls version contain a "modernize" pass that can also be run
standalone. Run this on the spire repo, with small manual fixups
afterwards.

The command I ran was:

    go run golang.org/x/tools/gopls/internal/analysis/modernize/cmd/modernize@latest -fix ./...

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* More simplifications per review comments

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

---------

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
2025-03-12 07:00:32 +00:00
Faisal Memon 384a1a99ed
Allow reads for cache events to go to RO DB (#5911)
Signed-off-by: Faisal Memon <fymemon@yahoo.com>
2025-03-11 19:38:41 +00:00
dependabot[bot] 11d5780015
Bump github.com/sigstore/sigstore from 1.9.0 to 1.9.1 (#5943)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.9.0 to 1.9.1.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.9.0...v1.9.1)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-11 17:24:55 +00:00
dependabot[bot] ca7d7d6b26
Bump github.com/aws/aws-sdk-go-v2/service/ec2 in the aws-sdk group (#5940)
Bumps the aws-sdk group with 1 update: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.207.1 to 1.208.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.207.1...service/ec2/v1.208.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-11 10:54:12 +00:00
dependabot[bot] eba9465b05
Bump sigs.k8s.io/controller-runtime from 0.20.2 to 0.20.3 (#5941)
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.20.2 to 0.20.3.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.20.2...v0.20.3)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-11 09:25:32 +00:00
Sorin Dumitru 266a98da1c
Update default integration test binary and image versions (#5934)
For k8s related versions I chose 1.30.10 since it's currently the oldest stable release.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-03-10 21:48:23 +00:00
Sorin Dumitru 98176459c0
Upgrade to Go 1.24.1 (#5933)
* Upgrade to go 1.24.1

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

* Also update go.mod

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

---------

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-03-10 21:22:06 +00:00
Sorin Dumitru 851dbbf451
Make 'use_sync_authorized_entries' the default (#5906)
* Make 'use_sync_authorized_entries' the default

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-03-10 20:56:31 +00:00
Kelly Kane 6670ee71da
Update to Ubuntu 24.04 base dev image image. (#5936)
Signed-off-by: Kelly Kane <kelly@hawknetworks.com>
2025-03-10 20:29:31 +00:00
dependabot[bot] 866412ade7
Bump github.com/sigstore/sigstore from 1.8.15 to 1.9.0 (#5930)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.15 to 1.9.0.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.15...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-10 12:48:34 +00:00
dependabot[bot] 079033d370
Bump google.golang.org/api from 0.223.0 to 0.224.0 (#5929)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.223.0 to 0.224.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.223.0...v0.224.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-08 07:50:18 +00:00
Sorin Dumitru 1a4f6f0146
Default 'use_legacy_downstream_x509_ca_ttl' to false (#5917)
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-03-06 21:42:17 +00:00
dependabot[bot] 267ef8e40f
Bump golang.org/x/net from 0.35.0 to 0.37.0 (#5928)
Bumps [golang.org/x/net](https://github.com/golang/net) from 0.35.0 to 0.37.0.
- [Commits](https://github.com/golang/net/compare/v0.35.0...v0.37.0)

---
updated-dependencies:
- dependency-name: golang.org/x/net
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-06 09:56:04 +00:00
dependabot[bot] 99f6f5bacd
Bump google.golang.org/grpc from 1.70.0 to 1.71.0 (#5926)
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.70.0 to 1.71.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.70.0...v1.71.0)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-06 06:35:05 +00:00
dependabot[bot] 46a98d46da
Bump golang.org/x/sync from 0.11.0 to 0.12.0 (#5927)
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.11.0 to 0.12.0.
- [Commits](https://github.com/golang/sync/compare/v0.11.0...v0.12.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-05 20:44:18 +00:00
dependabot[bot] 2adcd08c2b
Bump golang.org/x/time from 0.10.0 to 0.11.0 (#5923)
Bumps [golang.org/x/time](https://github.com/golang/time) from 0.10.0 to 0.11.0.
- [Commits](https://github.com/golang/time/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/time
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-05 20:15:03 +00:00
dependabot[bot] f4bf647fe5
Bump golang.org/x/sys from 0.30.0 to 0.31.0 (#5924)
Bumps [golang.org/x/sys](https://github.com/golang/sys) from 0.30.0 to 0.31.0.
- [Commits](https://github.com/golang/sys/compare/v0.30.0...v0.31.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sys
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-05 19:00:16 +00:00
dependabot[bot] 64722ec925
Bump github.com/aws/aws-sdk-go-v2/service/ec2 (#5922)
Bumps the aws-sdk group with 1 update in the / directory: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.206.0 to 1.207.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.206.0...service/ec2/v1.207.1)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-05 09:49:29 +00:00
dependabot[bot] bb33927e65
Bump github.com/prometheus/client_golang from 1.21.0 to 1.21.1 (#5921)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.21.0 to 1.21.1.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.21.0...v1.21.1)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-05 07:57:23 +00:00
dependabot[bot] e6714a4c3f
Bump github.com/shirou/gopsutil/v4 from 4.25.1 to 4.25.2 (#5915)
Bumps [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) from 4.25.1 to 4.25.2.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.25.1...v4.25.2)

---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-05 07:15:54 +00:00
Ryan Turner 0057a45d64
Manage golangci-lint with `go tool` (#5914)
Go 1.24.0 gained support for managing Go tools using the `go tool` command.
Manage golangci-lint as a Go tool to simplify how it's set up and so
that we can get auto-raised Dependabot PRs for it.

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
2025-03-04 21:48:44 +00:00
dependabot[bot] c98e904ba5
Bump the aws-sdk group with 8 updates (#5912)
Bumps the aws-sdk group with 8 updates:

| Package | From | To |
| --- | --- | --- |
| [github.com/aws/aws-sdk-go-v2/service/acmpca](https://github.com/aws/aws-sdk-go-v2) | `1.38.1` | `1.39.0` |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.205.0` | `1.206.0` |
| [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) | `1.39.1` | `1.40.0` |
| [github.com/aws/aws-sdk-go-v2/service/kms](https://github.com/aws/aws-sdk-go-v2) | `1.37.18` | `1.38.0` |
| [github.com/aws/aws-sdk-go-v2/service/organizations](https://github.com/aws/aws-sdk-go-v2) | `1.37.0` | `1.38.0` |
| [github.com/aws/aws-sdk-go-v2/service/rolesanywhere](https://github.com/aws/aws-sdk-go-v2) | `1.16.0` | `1.17.0` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.77.0` | `1.78.0` |
| [github.com/aws/aws-sdk-go-v2/service/secretsmanager](https://github.com/aws/aws-sdk-go-v2) | `1.34.0` | `1.35.0` |


Updates `github.com/aws/aws-sdk-go-v2/service/acmpca` from 1.38.1 to 1.39.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.38.1...service/s3/v1.39.0)

Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.205.0 to 1.206.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.205.0...service/ec2/v1.206.0)

Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.39.1 to 1.40.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ecs/v1.39.1...service/s3/v1.40.0)

Updates `github.com/aws/aws-sdk-go-v2/service/kms` from 1.37.18 to 1.38.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.38.0/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/kms/v1.37.18...service/s3/v1.38.0)

Updates `github.com/aws/aws-sdk-go-v2/service/organizations` from 1.37.0 to 1.38.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.38.0/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.37.0...service/s3/v1.38.0)

Updates `github.com/aws/aws-sdk-go-v2/service/rolesanywhere` from 1.16.0 to 1.17.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/v1.17.0/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.16.0...v1.17.0)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.77.0 to 1.78.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.77.0...service/s3/v1.78.0)

Updates `github.com/aws/aws-sdk-go-v2/service/secretsmanager` from 1.34.0 to 1.35.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/v1.34.0...v1.35.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/acmpca
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/iam
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/kms
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/organizations
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/rolesanywhere
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/secretsmanager
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-02 09:58:07 +00:00
dependabot[bot] d9198c6051
Bump github.com/open-policy-agent/opa from 1.1.0 to 1.2.0 (#5913)
Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 1.1.0 to 1.2.0.
- [Release notes](https://github.com/open-policy-agent/opa/releases)
- [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md)
- [Commits](https://github.com/open-policy-agent/opa/compare/v1.1.0...v1.2.0)

---
updated-dependencies:
- dependency-name: github.com/open-policy-agent/opa
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-03-02 06:24:27 +00:00
dependabot[bot] e2c3055005
Bump github.com/hashicorp/vault/sdk from 0.15.0 to 0.15.2 (#5908)
Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.15.0 to 0.15.2.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG-v1.10-v1.15.md)
- [Commits](https://github.com/hashicorp/vault/compare/sdk/v0.15.0...sdk/v0.15.2)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-28 15:48:15 +00:00
Ryan Turner 90c6753d30
Update to Go 1.24.0 (#5880)
* [WIP] Update to Go 1.24.0

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

* Make RSA keys in TPM unit tests larger

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

* Suppress staticcheck linter warnings for deprecated OPA v1 packages

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

* Fix merge

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

* Replace hardcoded keys with ones generated by testkey

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

---------

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
2025-02-28 10:37:43 +00:00
Valentin Fadeev 8a8253894e
Edited and formatted x509pop server nodeattestor doc (#5876)
* Edited and formatted x509pop server nodeattestor doc

Signed-off-by: Valentin Fadeev <vfadeev@bloomberg.net>

* applied suggestions from code review

Signed-off-by: Valentin Fadeev <vfadeev@bloomberg.net>

---------

Signed-off-by: Valentin Fadeev <vfadeev@bloomberg.net>
2025-02-28 07:53:59 +00:00
Sorin Dumitru 76f6104c37
spire-server: improve entry lookup for NewJWTSvid and BatchX509SVID requests (#5819)
* server: speed up specific entry lookup

When we know the entry or entries we are looking up we can do
a faster lookup since we only have to find and copy the entries specified
in the lookup request.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-02-28 06:28:24 +00:00
dependabot[bot] 9307432c4f
Bump github.com/google/go-tpm-tools from 0.4.4 to 0.4.5 (#5907)
Bumps [github.com/google/go-tpm-tools](https://github.com/google/go-tpm-tools) from 0.4.4 to 0.4.5.
- [Release notes](https://github.com/google/go-tpm-tools/releases)
- [Changelog](https://github.com/google/go-tpm-tools/blob/main/.goreleaser.yaml)
- [Commits](https://github.com/google/go-tpm-tools/compare/v0.4.4...v0.4.5)

---
updated-dependencies:
- dependency-name: github.com/google/go-tpm-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-27 16:09:04 -03:00
dependabot[bot] 81cc2c173c
Bump github.com/aws/aws-sdk-go-v2/service/ec2 (#5903)
Bumps the aws-sdk group with 1 update in the / directory: [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.203.0 to 1.205.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.203.0...service/ec2/v1.205.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-27 11:01:40 +00:00
dependabot[bot] 8175933e52
Bump github.com/go-jose/go-jose/v3 from 3.0.3 to 3.0.4 (#5904)
Bumps [github.com/go-jose/go-jose/v3](https://github.com/go-jose/go-jose) from 3.0.3 to 3.0.4.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v3.0.3...v3.0.4)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-27 09:29:34 +00:00
dependabot[bot] 67b2d2230f
Bump google.golang.org/api from 0.222.0 to 0.223.0 (#5900)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.222.0 to 0.223.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.222.0...v0.223.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-27 07:42:30 +00:00
dependabot[bot] dd52118e19
Bump golang.org/x/crypto from 0.33.0 to 0.35.0 (#5898)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.33.0 to 0.35.0.
- [Commits](https://github.com/golang/crypto/compare/v0.33.0...v0.35.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-27 07:00:54 +00:00
dependabot[bot] ebbf4516a9
Bump github.com/docker/docker (#5901)
Bumps [github.com/docker/docker](https://github.com/docker/docker) from 28.0.0+incompatible to 28.0.1+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v28.0.0...v28.0.1)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-26 21:45:01 +00:00
dependabot[bot] 7d03385f70
Bump github.com/google/go-cmp from 0.6.0 to 0.7.0 (#5897)
Bumps [github.com/google/go-cmp](https://github.com/google/go-cmp) from 0.6.0 to 0.7.0.
- [Release notes](https://github.com/google/go-cmp/releases)
- [Commits](https://github.com/google/go-cmp/compare/v0.6.0...v0.7.0)

---
updated-dependencies:
- dependency-name: github.com/google/go-cmp
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-25 15:20:41 -03:00
dependabot[bot] 73a1ddb8bb
Bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 (#5895)
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.4 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](https://github.com/go-jose/go-jose/compare/v4.0.4...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-25 14:54:48 -03:00
dependabot[bot] 2ae3be687f
Bump github.com/docker/docker from 27.5.1+incompatible to 28.0.0+incompatible (#5890)
* Bump github.com/docker/docker

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 27.5.1+incompatible to 28.0.0+incompatible.
- [Release notes](https://github.com/docker/docker/releases)
- [Commits](https://github.com/docker/docker/compare/v27.5.1...v28.0.0)

---
updated-dependencies:
- dependency-name: github.com/docker/docker
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* Stop using deprecated types

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Ryan Turner <ryan.turner253@icloud.com>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-02-21 12:38:24 -08:00
dependabot[bot] 1a52b23ea1
Bump cloud.google.com/go/kms in the google-cloud-sdk group (#5891)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/kms` from 1.20.5 to 1.21.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.20.5...kms/v1.21.0)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/kms
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-21 10:09:54 -08:00
Carlo Teubner 5f3487ed5a
golangci-lint: update to latest version & related tweaks (#5737)
* Update golangci-lint to latest version & tweaks

The latest golangci-lint version comes with two new detected issues,
both of which we choose to silence here:

1) staticcheck: Deprecation of (crypto/x509).CertPool.Subjects():
   This is still useful to us in the tests and there seems to be no good
   alternative (we use it merely to count the number of certs).
2) gosec: Potential integer overflow:
   This is a potentially useful check, but I didn't want to address this
   as part of this PR. https://github.com/ccoVeille/go-safecast might be
   useful for this (in fact it looks like it was inspired by the recent
   addition of this gosec rule).

Additionally, change the Makefile to tell golangci-lint to emit all
lints, as opposed to imposing its default limits. Those limits could
actually be misleading, as it could e.g. lead to someone disabling lints
without having seen all the reported issues.

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-02-20 15:08:00 -08:00
dependabot[bot] fc71cb9ba4
Bump github.com/aws/smithy-go from 1.22.2 to 1.22.3 (#5888)
Bumps [github.com/aws/smithy-go](https://github.com/aws/smithy-go) from 1.22.2 to 1.22.3.
- [Release notes](https://github.com/aws/smithy-go/releases)
- [Changelog](https://github.com/aws/smithy-go/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/smithy-go/compare/v1.22.2...v1.22.3)

---
updated-dependencies:
- dependency-name: github.com/aws/smithy-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-20 12:27:46 -08:00
dependabot[bot] 9b00a58ceb
Bump github.com/sigstore/cosign/v2 from 2.4.1 to 2.4.3 (#5886)
Bumps [github.com/sigstore/cosign/v2](https://github.com/sigstore/cosign) from 2.4.1 to 2.4.3.
- [Release notes](https://github.com/sigstore/cosign/releases)
- [Changelog](https://github.com/sigstore/cosign/blob/main/CHANGELOG.md)
- [Commits](https://github.com/sigstore/cosign/compare/v2.4.1...v2.4.3)

---
updated-dependencies:
- dependency-name: github.com/sigstore/cosign/v2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-20 11:35:47 -08:00
dependabot[bot] e755bddad7
Bump github.com/GoogleCloudPlatform/cloudsql-proxy from 1.37.4 to 1.37.5 (#5889)
Bumps [github.com/GoogleCloudPlatform/cloudsql-proxy](https://github.com/GoogleCloudPlatform/cloudsql-proxy) from 1.37.4 to 1.37.5.
- [Release notes](https://github.com/GoogleCloudPlatform/cloudsql-proxy/releases)
- [Changelog](https://github.com/GoogleCloudPlatform/cloud-sql-proxy/blob/v1.37.5/CHANGELOG.md)
- [Commits](https://github.com/GoogleCloudPlatform/cloudsql-proxy/compare/v1.37.4...v1.37.5)

---
updated-dependencies:
- dependency-name: github.com/GoogleCloudPlatform/cloudsql-proxy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-20 11:07:59 -08:00
Shiva Shankar Bidadi Nanjundasamy 4878988646
Add support for San selectors in x509pop node attestor plugin (#5775)
* Add support for San selectors in x509pop node attestor plugin

Signed-off-by: snanjundaswamy <snanjundaswamy@roblox.com>

* modified plugin to use first part in the URI path to be the key of the selector

Signed-off-by: snanjundaswamy <snanjundaswamy@roblox.com>

* removed warning for non-x509pop scheme based sans and redundant selector sorting method

Signed-off-by: snanjundaswamy <snanjundaswamy@roblox.com>

* reformatted x509pop san selector table and fixed log message in san selector parsing logic

Signed-off-by: snanjundaswamy <snanjundaswamy@roblox.com>

---------

Signed-off-by: snanjundaswamy <snanjundaswamy@roblox.com>
2025-02-20 08:44:09 +00:00
dependabot[bot] 653410069c
Bump google.golang.org/api from 0.220.0 to 0.222.0 (#5885)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.220.0 to 0.222.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.220.0...v0.222.0)

---
updated-dependencies:
- dependency-name: google.golang.org/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-19 15:42:12 -08:00
dependabot[bot] 518176b889
Bump github.com/prometheus/client_golang from 1.20.5 to 1.21.0 (#5884)
Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.20.5 to 1.21.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.20.5...v1.21.0)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-19 15:15:44 -08:00
Sorin Dumitru 532b51964e
Upgrade to OPA v1 (#5769)
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-02-19 13:16:42 -08:00
dependabot[bot] 95d7f9fa06
Bump github.com/go-sql-driver/mysql from 1.8.1 to 1.9.0 (#5883)
Bumps [github.com/go-sql-driver/mysql](https://github.com/go-sql-driver/mysql) from 1.8.1 to 1.9.0.
- [Release notes](https://github.com/go-sql-driver/mysql/releases)
- [Changelog](https://github.com/go-sql-driver/mysql/blob/master/CHANGELOG.md)
- [Commits](https://github.com/go-sql-driver/mysql/compare/v1.8.1...v1.9.0)

---
updated-dependencies:
- dependency-name: github.com/go-sql-driver/mysql
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-19 12:52:20 -08:00
dependabot[bot] 85461f1175
Bump github.com/sigstore/sigstore from 1.8.12 to 1.8.15 (#5882)
Bumps [github.com/sigstore/sigstore](https://github.com/sigstore/sigstore) from 1.8.12 to 1.8.15.
- [Release notes](https://github.com/sigstore/sigstore/releases)
- [Commits](https://github.com/sigstore/sigstore/compare/v1.8.12...v1.8.15)

---
updated-dependencies:
- dependency-name: github.com/sigstore/sigstore
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-19 12:01:08 -08:00
Sorin Dumitru 3fe67eabc7
spire: switch logs to include nanoseconds (#5798)
It makes a bit easier to look at the timing of things inside the server and agent.

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-02-19 07:18:53 -08:00
dependabot[bot] 37736e0d96
Bump sigs.k8s.io/controller-runtime from 0.20.1 to 0.20.2 (#5879)
Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.20.1 to 0.20.2.
- [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases)
- [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md)
- [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.20.1...v0.20.2)

---
updated-dependencies:
- dependency-name: sigs.k8s.io/controller-runtime
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-18 22:27:35 -08:00
dependabot[bot] 73a5705ddf
Bump the google-cloud-sdk group with 4 updates (#5877)
Bumps the google-cloud-sdk group with 4 updates: [cloud.google.com/go/iam](https://github.com/googleapis/google-cloud-go), [cloud.google.com/go/kms](https://github.com/googleapis/google-cloud-go), [cloud.google.com/go/secretmanager](https://github.com/googleapis/google-cloud-go) and [cloud.google.com/go/security](https://github.com/googleapis/google-cloud-go).


Updates `cloud.google.com/go/iam` from 1.3.0 to 1.4.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/documentai/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/run/v1.3.0...iap/v1.4.0)

Updates `cloud.google.com/go/kms` from 1.20.4 to 1.20.5
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.20.4...kms/v1.20.5)

Updates `cloud.google.com/go/secretmanager` from 1.14.2 to 1.14.3
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/dlp/v1.14.2...dlp/v1.14.3)

Updates `cloud.google.com/go/security` from 1.18.2 to 1.18.3
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/kms/v1.18.2...kms/v1.18.3)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/iam
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: google-cloud-sdk
- dependency-name: cloud.google.com/go/kms
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: google-cloud-sdk
- dependency-name: cloud.google.com/go/secretmanager
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: google-cloud-sdk
- dependency-name: cloud.google.com/go/security
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: google-cloud-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-18 17:12:08 -08:00
Sorin Dumitru eae6b6da1b
SyncAuthorizedEntries: fix issue with entry id reuse and add integration test (#5764)
* Integration test for sync-authorized-entries

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: Ryan Turner <rturner3@users.noreply.github.com>
2025-02-18 13:07:20 -08:00
dependabot[bot] b9a5cb360e
Bump the k8s-io group with 5 updates (#5878)
Bumps the k8s-io group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [k8s.io/api](https://github.com/kubernetes/api) | `0.32.1` | `0.32.2` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.32.1` | `0.32.2` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.32.1` | `0.32.2` |
| [k8s.io/kube-aggregator](https://github.com/kubernetes/kube-aggregator) | `0.32.1` | `0.32.2` |
| [k8s.io/mount-utils](https://github.com/kubernetes/mount-utils) | `0.32.1` | `0.32.2` |


Updates `k8s.io/api` from 0.32.1 to 0.32.2
- [Commits](https://github.com/kubernetes/api/compare/v0.32.1...v0.32.2)

Updates `k8s.io/apimachinery` from 0.32.1 to 0.32.2
- [Commits](https://github.com/kubernetes/apimachinery/compare/v0.32.1...v0.32.2)

Updates `k8s.io/client-go` from 0.32.1 to 0.32.2
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](https://github.com/kubernetes/client-go/compare/v0.32.1...v0.32.2)

Updates `k8s.io/kube-aggregator` from 0.32.1 to 0.32.2
- [Commits](https://github.com/kubernetes/kube-aggregator/compare/v0.32.1...v0.32.2)

Updates `k8s.io/mount-utils` from 0.32.1 to 0.32.2
- [Commits](https://github.com/kubernetes/mount-utils/compare/v0.32.1...v0.32.2)

---
updated-dependencies:
- dependency-name: k8s.io/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/apimachinery
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/client-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/kube-aggregator
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
- dependency-name: k8s.io/mount-utils
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: k8s-io
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-18 12:31:43 -08:00
dependabot[bot] ec2a110073
Bump github.com/hashicorp/vault/api from 1.15.0 to 1.16.0 (#5862)
Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.15.0 to 1.16.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG-v1.10-v1.15.md)
- [Commits](https://github.com/hashicorp/vault/compare/v1.15.0...v1.16.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-17 00:19:11 -03:00
dependabot[bot] 1d2aba2969
Bump the aws-sdk group across 1 directory with 3 updates (#5875)
Bumps the aws-sdk group with 3 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/acmpca](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/acmpca` from 1.37.0 to 1.38.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/service/s3/v1.38.1/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.37.0...service/s3/v1.38.1)

Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.202.1 to 1.203.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ec2/v1.202.1...service/ec2/v1.203.0)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.76.0 to 1.77.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.76.0...service/s3/v1.77.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/acmpca
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-16 23:38:00 -03:00
dependabot[bot] b18dad4332
Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity (#5868)
Bumps the azure-sdk group with 1 update: [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go).


Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.8.1 to 1.8.2
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azidentity/v1.8.1...sdk/azidentity/v1.8.2)

---
updated-dependencies:
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: azure-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-16 22:32:48 -03:00
jzeng04 9754ba1936
Change return type of keymanagerbase Generator to crypto.Signer (#5843)
Signed-off-by: jzeng4 <jzeng04@gmail.com>
2025-02-16 19:03:25 -03:00
Keegan Witt f48d0218c9
Fix spelling error (#5873)
Signed-off-by: Keegan Witt <keeganwitt@gmail.com>
2025-02-16 18:03:55 -03:00
Marcos Yacob b9bfb4f198
Bump spire 1.12.0 (#5870)
Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
2025-02-16 15:29:48 -03:00
dependabot[bot] 05a8531190
Bump github.com/hashicorp/vault/sdk from 0.14.1 to 0.15.0 (#5866)
Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.14.1 to 0.15.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG-v1.10-v1.15.md)
- [Commits](https://github.com/hashicorp/vault/compare/sdk/v0.14.1...sdk/v0.15.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-12 18:25:35 -03:00
dependabot[bot] 53574b864b
Bump github.com/gofrs/uuid/v5 from 5.3.0 to 5.3.1 (#5861)
Bumps [github.com/gofrs/uuid/v5](https://github.com/gofrs/uuid) from 5.3.0 to 5.3.1.
- [Release notes](https://github.com/gofrs/uuid/releases)
- [Commits](https://github.com/gofrs/uuid/compare/v5.3.0...v5.3.1)

---
updated-dependencies:
- dependency-name: github.com/gofrs/uuid/v5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-11 16:26:39 -03:00
dependabot[bot] 2bcb0f0a69
Bump github.com/shirou/gopsutil/v4 from 4.24.12 to 4.25.1 (#5857)
Bumps [github.com/shirou/gopsutil/v4](https://github.com/shirou/gopsutil) from 4.24.12 to 4.25.1.
- [Release notes](https://github.com/shirou/gopsutil/releases)
- [Commits](https://github.com/shirou/gopsutil/compare/v4.24.12...v4.25.1)

---
updated-dependencies:
- dependency-name: github.com/shirou/gopsutil/v4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-11 14:58:59 -03:00
dependabot[bot] db984991bb
Bump golang.org/x/crypto from 0.32.0 to 0.33.0 (#5858)
Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.32.0 to 0.33.0.
- [Commits](https://github.com/golang/crypto/compare/v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-10 21:42:13 +00:00
dependabot[bot] 7ef7e19d7d
Bump github.com/envoyproxy/go-control-plane/envoy from 1.32.3 to 1.32.4 (#5838)
Bumps [github.com/envoyproxy/go-control-plane/envoy](https://github.com/envoyproxy/go-control-plane) from 1.32.3 to 1.32.4.
- [Release notes](https://github.com/envoyproxy/go-control-plane/releases)
- [Changelog](https://github.com/envoyproxy/go-control-plane/blob/main/CHANGELOG.md)
- [Commits](https://github.com/envoyproxy/go-control-plane/compare/envoy/v1.32.3...envoy/v1.32.4)

---
updated-dependencies:
- dependency-name: github.com/envoyproxy/go-control-plane/envoy
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-09 22:10:16 +00:00
dependabot[bot] fd833dcd18
Bump google.golang.org/protobuf from 1.36.4 to 1.36.5 (#5851)
* Bump google.golang.org/protobuf from 1.36.4 to 1.36.5

Bumps google.golang.org/protobuf from 1.36.4 to 1.36.5.

---
updated-dependencies:
- dependency-name: google.golang.org/protobuf
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Regenerate protobuf files

Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Sorin Dumitru <sdumitru@bloomberg.net>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Sorin Dumitru <sdumitru@bloomberg.net>
2025-02-09 21:20:05 +00:00
dependabot[bot] 1b343d9c4b
Bump the aws-sdk group across 1 directory with 2 updates (#5849)
Bumps the aws-sdk group with 2 updates in the / directory: [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2).


Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.38.1 to 1.39.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.38.1...service/ecs/v1.39.1)

Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.75.1 to 1.76.0
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/changelog-template.json)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/s3/v1.75.1...service/s3/v1.76.0)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/iam
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
- dependency-name: github.com/aws/aws-sdk-go-v2/service/s3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-sdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-09 20:22:19 +00:00
dependabot[bot] 03fee0ee5d
Bump golang.org/x/sync from 0.10.0 to 0.11.0 (#5852)
Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.10.0 to 0.11.0.
- [Commits](https://github.com/golang/sync/compare/v0.10.0...v0.11.0)

---
updated-dependencies:
- dependency-name: golang.org/x/sync
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-02-09 19:52:46 +00:00
329 changed files with 7558 additions and 5333 deletions

View File

@ -207,7 +207,7 @@ jobs:
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ./bin/
key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
key: ${{ runner.os }}-executables-${{ github.sha }}
- name: Build images
run: make images-windows
- name: Export images
@ -239,10 +239,9 @@ jobs:
outputs:
test: ${{ steps.set-matrix.outputs.test }}
integration:
name: integration (linux)
runs-on: ubuntu-22.04
name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
runs-on: ${{ matrix.runs-on }}
needs: [cache-deps, images]
timeout-minutes: 45
@ -252,8 +251,14 @@ jobs:
strategy:
fail-fast: false
matrix:
num_runners: [5]
runner_id: [1, 2, 3, 4, 5]
arch: [x64, arm64]
num_runners: [10]
runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
include:
- arch: x64
runs-on: ubuntu-22.04
- arch: arm64
runs-on: ubuntu-22.04-arm
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -294,13 +299,12 @@ jobs:
THIS_RUNNER: ${{ matrix.runner_id }}
TERM: dumb
CICD_TARGET_BRANCH: ${{ github.event.pull_request.base.ref }}
IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh
integration-k8s:
name: integration-k8s
runs-on: ubuntu-22.04
name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
runs-on: ${{ matrix.runs-on }}
needs: [cache-deps, images, build-matrix]
timeout-minutes: 45
@ -310,10 +314,18 @@ jobs:
strategy:
fail-fast: false
matrix:
num_runners: [1]
runner_id: [1]
#Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
test: ${{ fromJson(needs.build-matrix.outputs.test) }}
arch: [x64, arm64]
include:
- arch: x64
runs-on: ubuntu-22.04
num_runners: 1
runner_id: 1
- arch: arm64
runs-on: ubuntu-22.04-arm
num_runners: 1
runner_id: 1
#Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
test: ${{ fromJson(needs.build-matrix.outputs.test) }}
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -580,7 +592,7 @@ jobs:
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ./bin/
key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
key: ${{ runner.os }}-executables-${{ github.sha }}
- name: Build artifacts
run: ./.github/workflows/scripts/build_artifacts.sh ${{ runner.os }}
- name: Archive artifacts
@ -591,7 +603,7 @@ jobs:
success:
runs-on: ubuntu-22.04
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
timeout-minutes: 30
permissions:
contents: read

View File

@ -192,7 +192,7 @@ jobs:
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ./bin/
key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
key: ${{ runner.os }}-executables-${{ github.sha }}
- name: Build images
run: make images-windows
- name: Export images
@ -225,9 +225,10 @@ jobs:
test: ${{ steps.set-matrix.outputs.test }}
integration:
name: integration (linux)
runs-on: ubuntu-22.04
name: integration (${{ matrix.arch }}) (${{ strategy.job-index}}/${{ strategy.job-total }})
runs-on: ${{ matrix.runs-on }}
needs: [cache-deps, images]
timeout-minutes: 45
permissions:
contents: read
@ -235,8 +236,14 @@ jobs:
strategy:
fail-fast: false
matrix:
num_runners: [5]
runner_id: [1, 2, 3, 4, 5]
arch: [x64, arm64]
num_runners: [10]
runner_id: [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]
include:
- arch: x64
runs-on: ubuntu-22.04
- arch: arm64
runs-on: ubuntu-22.04-arm
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -285,14 +292,15 @@ jobs:
NUM_RUNNERS: ${{ matrix.num_runners }}
THIS_RUNNER: ${{ matrix.runner_id }}
TERM: dumb
IGNORE_SUITES: ${{ matrix.arch == 'arm64' && 'suites/upstream-authority-ejbca' || '' }} # Waiting for EJBCA to support arm64 (https://github.com/spiffe/spire/issues/6060)
# We don't need to specify CICD_TARGET_BRANCH since the upgrade
# integration test will detect the annotated tag for version checking.
# CICD_TARGET_BRANCH:
run: ./.github/workflows/scripts/split.sh | xargs ./test/integration/test.sh
integration-k8s:
name: integration-k8s
runs-on: ubuntu-22.04
name: integration-k8s-${{ matrix.test[0] }}-${{ matrix.arch }}
runs-on: ${{ matrix.runs-on }}
needs: [cache-deps, images, build-matrix]
timeout-minutes: 45
@ -302,10 +310,18 @@ jobs:
strategy:
fail-fast: false
matrix:
num_runners: [1]
runner_id: [1]
#Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
test: ${{ fromJson(needs.build-matrix.outputs.test) }}
arch: [x64, arm64]
include:
- arch: x64
runs-on: ubuntu-22.04
num_runners: 1
runner_id: 1
- arch: arm64
runs-on: ubuntu-22.04-arm
num_runners: 1
runner_id: 1
#Test elements should be added as [KubeCTLVersion, K8s-image, KindVersion]
test: ${{ fromJson(needs.build-matrix.outputs.test) }}
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -538,7 +554,7 @@ jobs:
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: ./bin/
key: ${{ runner.os }}-executables-${{ hashFiles('**/*.exe') }}
key: ${{ runner.os }}-executables-${{ github.sha }}
- name: Archive artifacts
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
with:
@ -547,7 +563,7 @@ jobs:
publish-artifacts:
runs-on: ubuntu-22.04
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
permissions:
contents: write
@ -579,7 +595,7 @@ jobs:
publish-images:
runs-on: ubuntu-22.04
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
needs: [lint, unit-test, unit-test-race-detector, artifacts, integration, integration-k8s, lint-windows, unit-test-windows, artifacts-windows, integration-windows]
permissions:
contents: read
id-token: write

View File

@ -16,7 +16,24 @@ jobs:
days-before-issue-stale: 365 # 1 year
days-before-issue-close: 30
stale-issue-label: "stale"
exempt-issue-labels: "blocked" # Ignore blocked issues
stale-issue-message: "This issue is stale because it has been open for 365 days with no activity."
close-issue-message: "This issue was closed because it has been inactive for 30 days since being marked as stale."
days-before-pr-stale: -1 # Don't handle PRs
days-before-pr-close: -1 # Don't handle PRs
process-stale-blocked-issues:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
with:
only-labels: "blocked"
days-before-issue-stale: 30
days-before-issue-close: -1 # Don't close blocked issues
stale-issue-label: "stale"
stale-issue-message: "This issue has been in the blocked state for 30 days, marking as stale so the blocking issue is re-checked."
days-before-pr-stale: -1 # Don't handle PRs
days-before-pr-close: -1 # Don't handle PRs

View File

@ -1 +1 @@
1.23.6
1.24.4

View File

@ -1,44 +1,87 @@
version: "2"
run:
# timeout for analysis, e.g. 30s, 5m, default is 1m
timeout: 12m
issues:
exclude-dirs:
- testdata$
- test/mock
exclude-files:
- ".*\\.pb\\.go"
linters:
enable:
- bodyclose
- copyloopvar
- durationcheck
- errorlint
- gofmt
- goimports
- revive
- exptostd
- gocritic
- gosec
- intrange
- mirror
- misspell
- nakedret
- nilerr
- nilnesserr
- nolintlint
- predeclared
- reassign
- revive
- unconvert
- unparam
- intrange
- whitespace
- gocritic
- copyloopvar
- wastedassign
- nolintlint
linters-settings:
govet:
enable:
- nilness
- sortslice
- unusedwrite
revive:
# minimal confidence for issues, default is 0.8
confidence: 0.0
- whitespace
settings:
govet:
enable:
- sortslice
- unusedwrite
revive:
confidence: 0
rules:
- name: atomic
- name: bool-literal-in-expr
- name: constant-logical-expr
- name: context-as-argument
- name: datarace
- name: error-naming
- name: error-return
- name: errorf
- name: identical-branches
- name: if-return
- name: increment-decrement
- name: modifies-value-receiver
- name: optimize-operands-order
- name: range
- name: receiver-naming
- name: redundant-import-alias
- name: redundant-test-main-exit
- name: string-of-int
- name: time-equal
- name: unconditional-recursion
- name: unnecessary-stmt
- name: unreachable-code
- name: use-any
- name: use-errors-new
- name: useless-break
- name: var-declaration
- name: waitgroup-by-value
staticcheck:
checks:
- all
- -ST1003
- -QF1001
- -QF1008
exclusions:
generated: lax
presets:
- comments
- common-false-positives
- legacy
- std-error-handling
rules:
- name: unused-parameter
disabled: true
- linters:
- gosec
path: (.*_test\.go$)|(^test/.*)
text: integer overflow conversion
- linters:
- revive
text: Import alias "v1" is redundant
formatters:
enable:
- gofmt
- goimports
exclusions:
generated: lax

View File

@ -1,3 +1,3 @@
golangci_lint v1.60.1
golangci-lint v2.1.6
markdown_lint v0.37.0
protoc 24.4
protoc 29.4

View File

@ -1,5 +1,122 @@
# Changelog
## [1.12.4] - 2025-07-01
### Added
- `k8s_configmap` BundlePublisher plugin (#6105, #6139)
- UpstreamAuthority.SubscribeToLocalBundle RPC to stream updates in the local trust bundle (#6090)
- Integration tests running on ARM64 platform (#6059)
- The OIDC Discovery Provider can now read the trust bundle from a file (#6025)
### Changed
- The "Container id not found" log message in the `k8s` WorkloadAttestor has been lowered to Debug level (#6128)
- Improvements in lookup performance for entries (#6100, #6034)
- Agent no longer pulls the bundle from `trust_bundle_url` if it is not required (#6065)
### Fixed
- The `subject_types_supported` value in the discovery document is now properly populated by the OIDC Discovery Provider (#6126)
- SPIRE Server gRPC servers are now gracefully stopped (#6076)
## [1.12.3] - 2025-06-17
### Security
- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
Thanks to Edoardo Geraci for reporting this issue.
## [1.12.2] - 2025-05-19
### Fixed
- Regression where PolicyCredentials set by CredentialComposer plugins were not correctly applied to CA certificates. (#6074)
## [1.12.1] - 2025-05-06
### Added
- Support for Unix sockets in trust bundle URLs (#5932)
- Documentation improvements and additions (#5989, #6012)
### Changed
- `sql_transaction_timeout` replaced by `event_timeout` and value reduced to 15 minutes (#5966)
- Experimental events-based cache performance improvements by batch fetching updated entries (#5970)
- Improved error messages when retrieving CGroups (#6030).
### Fixed
- Corrected invalid `user-agent` value in OIDC Discovery Provider debug logs (#5981).
## [1.12.0] - 2025-03-21
### Added
- Support for any S3 compatible object storage such as MinIO in the `aws_s3` BundlePublisher plugin (#5757)
- Support for Rego V1 in the authorization policy engine (#5769)
- Support for SAN-based selectors in the `x509pop` NodeAttestor plugin (#5775)
### Changed
- Agents now use the SyncAuthorizedEntries API for periodically synchronization of authorized entries by default (#5906)
- Timestamps in logs are now formatted to include nanoseconds (#5798)
- Improved entry lookup performance in NewJWTSVID and BatchNewX509SVID server RPCs (#5819)
- Increased the maximum number of idle database connections to 100 (#5853)
- The maximum idle time per database connection is now set to 30 seconds (#5853)
- Small documentation improvements (#5873, #5876)
- The experimental events-based cache now supports reading events from read-only replicas when data staleness is tolerated, enhancing read performance (#5911)
- The `use_legacy_downstream_x509_ca_ttl` server setting is now set to false by default (#5917)
### Deprecated
- `use_sync_authorized_entries` experimental agent setting (#5906)
- `use_legacy_downstream_x509_ca_ttl` server setting (#5917)
### Removed
- The deprecated `k8s_sat` NodeAttestor plugin (#5703)
### Fixed
- Issue where agents did not receive entry updates when new entries with the same entry ID were created while `use_sync_authorized_entries` was enabled (#5764)
## [1.11.3] - 2025-06-17
### Security
- Fixed an issue in spire-agent where the WorkloadAPI.ValidateJWTSVID endpoint did not enforce the presence of the exp (expiration) claim in JWT-SVIDs, as required by the SPIFFE specification.
This vulnerability has limited impact: by default, SPIRE does not issue JWT-SVIDs without an expiration claim. Exploitation would require federating with a misconfigured or non-compliant trust domain.
Thanks to Edoardo Geraci for reporting this issue.
## [1.11.2] - 2025-02-13
### Added
- `gcp_secretmanager` SVIDStore plugin now supports specifying the regions where secrets are created (#5718)
- Support for expanding environment variables in the OIDC Discovery Provider configuration (#5689)
- Support for optionally enabling `trust_domain` label for all metrics (#5673)
- The JWKS URI returned in the discovery document can now be configured in the OIDC Discovery Provider (#5690)
- A server path prefix can now be specified in the OIDC Discovery Provider (#5690)
### Changed
- Small documentation improvements (#5809, #5720)
### Fixed
- Regression in the hydration of the experimental event-based cache that caused a delay in availability (#5842)
- Do not log an error when the Envoy SDS v3 API connection has been closed cleanly (#5835)
- SVIDStore plugins to properly parse metadata in entry selectors containing ':' characters (#5750)
- Compatibility with deployments that use a server port other than 443 when the `jwt_issuer` configuration is set in the OIDC Discovery Provider (#5690)
- Domain verification is now properly done when setting the `jwt_issuer` configuration in the OIDC Discovery Provider (#5690)
### Security
- Fixed to properly call the CompareObjectHandles function when it's available on Windows systems, as an extra security measure in the peertracker (#5749)
## [1.11.1] - 2024-12-12
### Added

View File

@ -2,7 +2,7 @@
# Build stage
ARG goversion
FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.20 as base
FROM --platform=${BUILDPLATFORM} golang:${goversion}-alpine3.22 as base
WORKDIR /spire
RUN apk --no-cache --update add file bash clang lld pkgconfig git make
COPY go.* ./

View File

@ -1,4 +1,4 @@
FROM ubuntu:xenial
FROM ubuntu:24.04
WORKDIR /spire
RUN apt-get update && apt-get -y install \
curl unzip git build-essential ca-certificates libssl-dev

View File

@ -32,6 +32,7 @@ help:
@echo " $(cyan)race-test$(reset) - run unit tests with race detection"
@echo " $(cyan)integration$(reset) - run integration tests (requires Docker images)"
@echo " support 'SUITES' variable for executing specific tests"
@echo " and 'IGNORE_SUITES' variable for ignoring tests"
@echo " e.g. SUITES='suites/join-token suites/k8s' make integration"
@echo " $(cyan)integration-windows$(reset) - run integration tests for windows (requires Docker images)"
@echo " support 'SUITES' variable for executing specific tests"
@ -103,6 +104,8 @@ else
$(error unsupported ARCH: $(arch1))
endif
ignore_suites := $(IGNORE_SUITES)
############################################################################
# Docker TLS detection for buildx
############################################################################
@ -136,9 +139,8 @@ endif
go_path := PATH="$(go_bin_dir):$(PATH)"
golangci_lint_version := $(shell awk '/golangci_lint/{print $$2}' .spire-tool-versions)
golangci_lint_version := $(shell awk '/golangci-lint/{print $$2}' .spire-tool-versions)
golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
golangci_lint_cache = $(golangci_lint_dir)/cache
markdown_lint_version := $(shell awk '/markdown_lint/{print $$2}' .spire-tool-versions)
@ -310,11 +312,11 @@ integration:
ifeq ($(os1), windows)
$(error Integration tests are not supported on windows)
else
$(E)$(go_path) ./test/integration/test.sh $(SUITES)
$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test.sh $(SUITES)
endif
integration-windows:
$(E)$(go_path) ./test/integration/test-windows.sh $(SUITES)
$(E)$(go_path) IGNORE_SUITES='$(ignore_suites)' ./test/integration/test-windows.sh $(SUITES)
#############################################################################
# Docker Images
@ -402,8 +404,11 @@ endif
lint: lint-code lint-md
lint-code: $(golangci_lint_bin)
$(E)PATH="$(go_bin_dir):$(PATH)" GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" $(golangci_lint_bin) run ./...
lint-code: | go-check
$(E)mkdir -p $(golangci_lint_cache)
$(E)$(go_path) GOLANGCI_LINT_CACHE="$(golangci_lint_cache)" \
go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(golangci_lint_version) \
run --max-issues-per-linter=0 --max-same-issues=0 ./...
lint-md:
$(E)docker run --rm -v "$(DIR):/workdir" $(markdown_lint_image) "**/*.md"
@ -507,7 +512,7 @@ endif
go-bin-path: go-check
@echo "$(go_bin_dir):${PATH}"
install-toolchain: install-protoc install-golangci-lint install-protoc-gen-go install-protoc-gen-doc | go-check
install-toolchain: install-protoc install-protoc-gen-go | go-check
install-protoc: $(protoc_bin)
@ -517,15 +522,6 @@ $(protoc_bin):
$(E)mkdir -p $(protoc_dir)
$(E)curl -sSfL $(protoc_url) -o $(build_dir)/tmp.zip; unzip -q -d $(protoc_dir) $(build_dir)/tmp.zip; rm $(build_dir)/tmp.zip
install-golangci-lint: $(golangci_lint_bin)
$(golangci_lint_bin): | go-check
@echo "Installing golangci-lint $(golangci_lint_version)..."
$(E)rm -rf $(dir $(golangci_lint_dir))
$(E)mkdir -p $(golangci_lint_dir)
$(E)mkdir -p $(golangci_lint_cache)
$(E)GOBIN=$(golangci_lint_dir) $(go_path) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(golangci_lint_version)
install-protoc-gen-go: $(protoc_gen_go_bin)
$(protoc_gen_go_bin): | go-check

View File

@ -61,8 +61,8 @@ The SPIFFE community maintains the SPIRE project. Information on the various SIG
A third party security firm ([Cure53](https://cure53.de/)) completed a security audit of SPIFFE and SPIRE in February of 2021. Additionally, the [CNCF Technical Advisory Group for Security](https://github.com/cncf/tag-security) conducted two assessments on SPIFFE and SPIRE in 2018 and 2020. Please find the reports and supporting material, including the threat model exercise results, below.
- [Cure53 Security Audit Report](doc/cure53-report.pdf)
- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/assessments/projects/spiffe-spire)
- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/assessments/projects/spiffe-spire/self-assessment.md)
- [SIG-Security SPIFFE/SPIRE Security Assessment: summary](https://github.com/cncf/sig-security/tree/main/community/assessments/projects/spiffe-spire)
- [SIG-Security SPIFFE/SPIRE Security Assessment: full assessment](https://github.com/cncf/sig-security/blob/main/community/assessments/projects/spiffe-spire/self-assessment.md)
- [Scrutinizing SPIRE to Sensibly Strengthen SPIFFE Security](https://blog.spiffe.io/scrutinizing-spire-security-9c82ba542019)
### Reporting Security Vulnerabilities

View File

@ -2,13 +2,11 @@ package run
import (
"context"
"crypto/x509"
"errors"
"flag"
"fmt"
"io"
"net"
"net/http"
"net/url"
"os"
"os/signal"
@ -26,10 +24,9 @@ import (
"github.com/imdario/mergo"
"github.com/mitchellh/cli"
"github.com/sirupsen/logrus"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/agent"
"github.com/spiffe/spire/pkg/agent/trustbundlesources"
"github.com/spiffe/spire/pkg/agent/workloadkey"
"github.com/spiffe/spire/pkg/common/bundleutil"
"github.com/spiffe/spire/pkg/common/catalog"
common_cli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/config"
@ -37,7 +34,6 @@ import (
"github.com/spiffe/spire/pkg/common/health"
"github.com/spiffe/spire/pkg/common/idutil"
"github.com/spiffe/spire/pkg/common/log"
"github.com/spiffe/spire/pkg/common/pemutil"
"github.com/spiffe/spire/pkg/common/telemetry"
"github.com/spiffe/spire/pkg/common/tlspolicy"
)
@ -55,9 +51,6 @@ const (
defaultDefaultAllBundlesName = "ALL"
defaultDisableSPIFFECertValidation = false
bundleFormatPEM = "pem"
bundleFormatSPIFFE = "spiffe"
minimumAvailabilityTarget = 24 * time.Hour
)
@ -74,7 +67,7 @@ type agentConfig struct {
DataDir string `hcl:"data_dir"`
AdminSocketPath string `hcl:"admin_socket_path"`
InsecureBootstrap bool `hcl:"insecure_bootstrap"`
RetryBootstrap bool `hcl:"retry_bootstrap"`
RetryBootstrap *bool `hcl:"retry_bootstrap"`
JoinToken string `hcl:"join_token"`
LogFile string `hcl:"log_file"`
LogFormat string `hcl:"log_format"`
@ -87,6 +80,7 @@ type agentConfig struct {
WorkloadX509SVIDKeyType string `hcl:"workload_x509_svid_key_type"`
TrustBundleFormat string `hcl:"trust_bundle_format"`
TrustBundlePath string `hcl:"trust_bundle_path"`
TrustBundleUnixSocket string `hcl:"trust_bundle_unix_socket"`
TrustBundleURL string `hcl:"trust_bundle_url"`
TrustDomain string `hcl:"trust_domain"`
AllowUnauthenticatedVerifiers bool `hcl:"allow_unauthenticated_verifiers"`
@ -121,7 +115,7 @@ type experimentalConfig struct {
SyncInterval string `hcl:"sync_interval"`
NamedPipeName string `hcl:"named_pipe_name"`
AdminNamedPipeName string `hcl:"admin_named_pipe_name"`
UseSyncAuthorizedEntries bool `hcl:"use_sync_authorized_entries"`
UseSyncAuthorizedEntries *bool `hcl:"use_sync_authorized_entries"`
RequirePQKEM bool `hcl:"require_pq_kem"`
Flags fflag.RawConfig `hcl:"feature_flags"`
@ -262,16 +256,32 @@ func (c *agentConfig) validate() error {
return errors.New("only one of trust_bundle_url or trust_bundle_path can be specified, not both")
}
if c.TrustBundleFormat != bundleFormatPEM && c.TrustBundleFormat != bundleFormatSPIFFE {
return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", bundleFormatPEM, bundleFormatSPIFFE)
if c.TrustBundleFormat != trustbundlesources.BundleFormatPEM && c.TrustBundleFormat != trustbundlesources.BundleFormatSPIFFE {
return fmt.Errorf("invalid value for trust_bundle_format, expected %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE)
}
if c.TrustBundleUnixSocket != "" && c.TrustBundleURL == "" {
return errors.New("if trust_bundle_unix_socket is specified, so must be trust_bundle_url")
}
if c.TrustBundleURL != "" {
u, err := url.Parse(c.TrustBundleURL)
if err != nil {
return fmt.Errorf("unable to parse trust bundle URL: %w", err)
}
if u.Scheme != "https" {
if c.TrustBundleUnixSocket != "" {
if u.Scheme != "http" {
return errors.New("trust bundle URL must start with http:// when used with trust bundle unix socket")
}
params := u.Query()
for key := range params {
if strings.HasPrefix(key, "spiffe-") {
return errors.New("trust_bundle_url query params can not start with spiffe-")
}
if strings.HasPrefix(key, "spire-") {
return errors.New("trust_bundle_url query params can not start with spire-")
}
}
} else if u.Scheme != "https" {
return errors.New("trust bundle URL must start with https://")
}
}
@ -319,6 +329,7 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
flags := flag.NewFlagSet(name, flag.ContinueOnError)
flags.SetOutput(output)
c := &agentConfig{}
retryBootstrap := false
flags.StringVar(&c.ConfigPath, "config", defaultConfigPath, "Path to a SPIRE config file")
flags.StringVar(&c.DataDir, "dataDir", "", "A directory the agent can use for its runtime data")
@ -332,10 +343,10 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
flags.StringVar(&c.TrustDomain, "trustDomain", "", "The trust domain that this agent belongs to")
flags.StringVar(&c.TrustBundlePath, "trustBundle", "", "Path to the SPIRE server CA bundle")
flags.StringVar(&c.TrustBundleURL, "trustBundleUrl", "", "URL to download the SPIRE server CA bundle")
flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", bundleFormatPEM, bundleFormatSPIFFE))
flags.StringVar(&c.TrustBundleFormat, "trustBundleFormat", "", fmt.Sprintf("Format of the bootstrap trust bundle, %q or %q", trustbundlesources.BundleFormatPEM, trustbundlesources.BundleFormatSPIFFE))
flags.BoolVar(&c.AllowUnauthenticatedVerifiers, "allowUnauthenticatedVerifiers", false, "If true, the agent permits the retrieval of X509 certificate bundles by unregistered clients")
flags.BoolVar(&c.InsecureBootstrap, "insecureBootstrap", false, "If true, the agent bootstraps without verifying the server's identity")
flags.BoolVar(&c.RetryBootstrap, "retryBootstrap", false, "If true, the agent retries bootstrap with backoff")
flags.BoolVar(&retryBootstrap, "retryBootstrap", true, "If true, the agent retries bootstrap with backoff")
flags.BoolVar(&c.ExpandEnv, "expandEnv", false, "Expand environment variables in SPIRE config file")
c.addOSFlags(flags)
@ -345,6 +356,12 @@ func parseFlags(name string, args []string, output io.Writer) (*agentConfig, err
return nil, err
}
flags.Visit(func(f *flag.Flag) {
if f.Name == "retryBootstrap" {
c.RetryBootstrap = &retryBootstrap
}
})
return c, nil
}
@ -370,87 +387,6 @@ func mergeInput(fileInput *Config, cliInput *agentConfig) (*Config, error) {
return c, nil
}
func parseTrustBundle(bundleBytes []byte, trustBundleContentType string) ([]*x509.Certificate, error) {
switch trustBundleContentType {
case bundleFormatPEM:
bundle, err := pemutil.ParseCertificates(bundleBytes)
if err != nil {
return nil, err
}
return bundle, nil
case bundleFormatSPIFFE:
bundle, err := bundleutil.Unmarshal(spiffeid.TrustDomain{}, bundleBytes)
if err != nil {
return nil, fmt.Errorf("unable to parse SPIFFE trust bundle: %w", err)
}
return bundle.X509Authorities(), nil
}
return nil, fmt.Errorf("unknown trust bundle format: %s", trustBundleContentType)
}
func downloadTrustBundle(trustBundleURL string) ([]byte, error) {
// Download the trust bundle URL from the user specified URL
// We use gosec -- the annotation below will disable a security check that URLs are not tainted
/* #nosec G107 */
resp, err := http.Get(trustBundleURL)
if err != nil {
return nil, fmt.Errorf("unable to fetch trust bundle URL %s: %w", trustBundleURL, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("error downloading trust bundle: %s", resp.Status)
}
pemBytes, err := io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("unable to read from trust bundle URL %s: %w", trustBundleURL, err)
}
return pemBytes, nil
}
func setupTrustBundle(ac *agent.Config, c *Config) error {
// Either download the trust bundle if TrustBundleURL is set, or read it
// from disk if TrustBundlePath is set
ac.InsecureBootstrap = c.Agent.InsecureBootstrap
var bundleBytes []byte
var err error
switch {
case c.Agent.TrustBundleURL != "":
bundleBytes, err = downloadTrustBundle(c.Agent.TrustBundleURL)
if err != nil {
return err
}
case c.Agent.TrustBundlePath != "":
bundleBytes, err = loadTrustBundle(c.Agent.TrustBundlePath)
if err != nil {
return fmt.Errorf("could not parse trust bundle: %w", err)
}
default:
// If InsecureBootstrap is configured, the bundle is not required
if ac.InsecureBootstrap {
return nil
}
}
bundle, err := parseTrustBundle(bundleBytes, c.Agent.TrustBundleFormat)
if err != nil {
return err
}
if len(bundle) == 0 {
return errors.New("no certificates found in trust bundle")
}
ac.TrustBundle = bundle
return nil
}
func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool) (*agent.Config, error) {
ac := &agent.Config{}
@ -458,8 +394,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
return nil, err
}
ac.RetryBootstrap = c.Agent.RetryBootstrap
if c.Agent.Experimental.SyncInterval != "" {
var err error
ac.SyncInterval, err = time.ParseDuration(c.Agent.Experimental.SyncInterval)
@ -468,8 +402,6 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
}
}
ac.UseSyncAuthorizedEntries = c.Agent.Experimental.UseSyncAuthorizedEntries
serverHostPort := net.JoinHostPort(c.Agent.ServerAddress, strconv.Itoa(c.Agent.ServerPort))
ac.ServerAddress = fmt.Sprintf("dns:///%s", serverHostPort)
@ -499,6 +431,18 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
ac.LogReopener = log.ReopenOnSignal(logger, reopenableFile)
}
ac.RetryBootstrap = true
if c.Agent.RetryBootstrap != nil {
ac.Log.Warn("The 'retry_bootstrap' configuration is deprecated. It will be removed in SPIRE 1.14. Please test without the flag before upgrading.")
ac.RetryBootstrap = *c.Agent.RetryBootstrap
}
ac.UseSyncAuthorizedEntries = true
if c.Agent.Experimental.UseSyncAuthorizedEntries != nil {
ac.Log.Warn("The 'use_sync_authorized_entries' configuration is deprecated. The option to disable it will be removed in SPIRE 1.13.")
ac.UseSyncAuthorizedEntries = *c.Agent.Experimental.UseSyncAuthorizedEntries
}
if c.Agent.X509SVIDCacheMaxSize < 0 {
return nil, errors.New("x509_svid_cache_max_size should not be negative")
}
@ -538,11 +482,16 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
}
ac.DisableSPIFFECertValidation = c.Agent.SDS.DisableSPIFFECertValidation
err = setupTrustBundle(ac, c)
if err != nil {
return nil, err
ts := &trustbundlesources.Config{
InsecureBootstrap: c.Agent.InsecureBootstrap,
TrustBundleFormat: c.Agent.TrustBundleFormat,
TrustBundlePath: c.Agent.TrustBundlePath,
TrustBundleURL: c.Agent.TrustBundleURL,
TrustBundleUnixSocket: c.Agent.TrustBundleUnixSocket,
}
ac.TrustBundleSources = trustbundlesources.New(ts, ac.Log.WithField("Logger", "TrustBundleSources"))
ac.WorkloadKeyType = workloadkey.ECP256
if c.Agent.WorkloadX509SVIDKeyType != "" {
ac.WorkloadKeyType, err = workloadkey.KeyTypeFromString(c.Agent.WorkloadX509SVIDKeyType)
@ -687,7 +636,7 @@ func defaultConfig() *Config {
DataDir: defaultDataDir,
LogLevel: defaultLogLevel,
LogFormat: log.DefaultFormat,
TrustBundleFormat: bundleFormatPEM,
TrustBundleFormat: trustbundlesources.BundleFormatPEM,
SDS: sdsConfig{
DefaultBundleName: defaultDefaultBundleName,
DefaultSVIDName: defaultDefaultSVIDName,
@ -700,12 +649,3 @@ func defaultConfig() *Config {
return c
}
func loadTrustBundle(path string) ([]byte, error) {
bundleBytes, err := os.ReadFile(path)
if err != nil {
return nil, err
}
return bundleBytes, nil
}

View File

@ -2,8 +2,6 @@ package run
import (
"io"
"net/http"
"net/http/httptest"
"os"
"path"
"path/filepath"
@ -39,117 +37,6 @@ type newAgentConfigCase struct {
test func(*testing.T, *agent.Config)
}
func TestDownloadTrustBundle(t *testing.T) {
testTB, _ := os.ReadFile(path.Join(util.ProjectRoot(), "conf/agent/dummy_root_ca.crt"))
testTBSPIFFE := `{
"keys": [
{
"use": "x509-svid",
"kty": "EC",
"crv": "P-384",
"x": "WjB-nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0",
"y": "Z-0_tDH_r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs_mcmvPqVK9j",
"x5c": [
"MIIBzDCCAVOgAwIBAgIJAJM4DhRH0vmuMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMTgwNTEzMTkzMzQ3WhcNMjMwNTEyMTkzMzQ3WjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWjB+nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0Z+0/tDH/r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs/mcmvPqVK9jo10wWzAdBgNVHQ4EFgQUh6XzV6LwNazA+GTEVOdu07o5yOgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYIKoZIzj0EAwQDZwAwZAIwE4Me13qMC9i6Fkx0h26y09QZIbuRqA9puLg9AeeAAyo5tBzRl1YL0KNEp02VKSYJAjBdeJvqjJ9wW55OGj1JQwDFD7kWeEB6oMlwPbI/5hEY3azJi16I0uN1JSYTSWGSqWc="
]
}
]
}`
cases := []struct {
msg string
status int
fileContents string
format string
expectDownloadError bool
expectParseError bool
}{
{
msg: "if URL is not found, should be an error",
status: http.StatusNotFound,
fileContents: "",
format: bundleFormatPEM,
expectDownloadError: true,
expectParseError: false,
},
{
msg: "if URL returns error 500, should be an error",
status: http.StatusInternalServerError,
fileContents: "",
format: bundleFormatPEM,
expectDownloadError: true,
expectParseError: false,
},
{
msg: "if file is not parseable, should be an error",
status: http.StatusOK,
fileContents: "NON PEM PARSEABLE TEXT HERE",
format: bundleFormatPEM,
expectDownloadError: false,
expectParseError: true,
},
{
msg: "if file is empty, should be an error",
status: http.StatusOK,
fileContents: "",
format: bundleFormatPEM,
expectDownloadError: false,
expectParseError: true,
},
{
msg: "if file is valid, should not be an error",
status: http.StatusOK,
fileContents: string(testTB),
format: bundleFormatPEM,
expectDownloadError: false,
expectParseError: false,
},
{
msg: "if file is not parseable, format is SPIFFE, should not be an error",
status: http.StatusOK,
fileContents: "[}",
format: bundleFormatSPIFFE,
expectDownloadError: false,
expectParseError: true,
},
{
msg: "if file is valid, format is SPIFFE, should not be an error",
status: http.StatusOK,
fileContents: testTBSPIFFE,
format: bundleFormatSPIFFE,
expectDownloadError: false,
expectParseError: false,
},
}
for _, testCase := range cases {
t.Run(testCase.msg, func(t *testing.T) {
testServer := httptest.NewServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(testCase.status)
_, _ = io.WriteString(w, testCase.fileContents)
// if err != nil {
// return
// }
}))
defer testServer.Close()
bundleBytes, err := downloadTrustBundle(testServer.URL)
if testCase.expectDownloadError {
require.Error(t, err)
} else {
require.NoError(t, err)
_, err := parseTrustBundle(bundleBytes, testCase.format)
if testCase.expectParseError {
require.Error(t, err)
} else {
require.NoError(t, err)
}
}
})
}
}
func TestMergeInput(t *testing.T) {
cases := []mergeInputCase{
{
@ -679,7 +566,7 @@ func TestNewAgentConfig(t *testing.T) {
c.Agent.InsecureBootstrap = false
},
test: func(t *testing.T, c *agent.Config) {
require.False(t, c.InsecureBootstrap)
require.False(t, c.TrustBundleSources.GetInsecureBootstrap())
},
},
{
@ -691,13 +578,14 @@ func TestNewAgentConfig(t *testing.T) {
c.Agent.InsecureBootstrap = true
},
test: func(t *testing.T, c *agent.Config) {
require.True(t, c.InsecureBootstrap)
require.True(t, c.TrustBundleSources.GetInsecureBootstrap())
},
},
{
msg: "retry_bootstrap should be correctly set to false",
input: func(c *Config) {
c.Agent.RetryBootstrap = false
rb := false
c.Agent.RetryBootstrap = &rb
},
test: func(t *testing.T, c *agent.Config) {
require.False(t, c.RetryBootstrap)
@ -706,7 +594,8 @@ func TestNewAgentConfig(t *testing.T) {
{
msg: "retry_bootstrap should be correctly set to true",
input: func(c *Config) {
c.Agent.RetryBootstrap = true
rb := true
c.Agent.RetryBootstrap = &rb
},
test: func(t *testing.T, c *agent.Config) {
require.True(t, c.RetryBootstrap)
@ -837,6 +726,51 @@ func TestNewAgentConfig(t *testing.T) {
require.Nil(t, c)
},
},
{
msg: "trust_bundle_url must start with http:// when unix socket",
expectError: true,
requireErrorPrefix: "trust bundle URL must start with http://",
input: func(c *Config) {
// remove trust_bundle_path provided by defaultValidConfig()
c.Agent.TrustBundlePath = ""
c.Agent.TrustBundleURL = "foo.bar"
c.Agent.TrustBundleUnixSocket = "foo.bar"
c.Agent.InsecureBootstrap = false
},
test: func(t *testing.T, c *agent.Config) {
require.Nil(t, c)
},
},
{
msg: "trust_bundle_url query params can not start with spiffe- when unix socket",
expectError: true,
requireErrorPrefix: "trust_bundle_url query params can not start with spiffe-",
input: func(c *Config) {
// remove trust_bundle_path provided by defaultValidConfig()
c.Agent.TrustBundlePath = ""
c.Agent.TrustBundleURL = "http://localhost/trustbundle?spiffe-test=foo"
c.Agent.TrustBundleUnixSocket = "foo.bar"
c.Agent.InsecureBootstrap = false
},
test: func(t *testing.T, c *agent.Config) {
require.Nil(t, c)
},
},
{
msg: "trust_bundle_url query params can not start with spire- when unix socket",
expectError: true,
requireErrorPrefix: "trust_bundle_url query params can not start with spire-",
input: func(c *Config) {
// remove trust_bundle_path provided by defaultValidConfig()
c.Agent.TrustBundlePath = ""
c.Agent.TrustBundleURL = "http://localhost/trustbundle?spire-test=foo"
c.Agent.TrustBundleUnixSocket = "foo.bar"
c.Agent.InsecureBootstrap = false
},
test: func(t *testing.T, c *agent.Config) {
require.Nil(t, c)
},
},
{
msg: "workload_key_type is not set",
input: func(c *Config) {

View File

@ -85,11 +85,8 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
return err
}
if _, err := fmt.Fprintln(out, o.String()); err != nil {
return err
}
return nil
_, err = fmt.Fprintln(out, o.String())
return err
}
// bundleFromProto converts a bundle from the given *types.Bundle to *spiffebundle.Bundle

View File

@ -4,14 +4,16 @@ import (
"context"
"errors"
"flag"
"fmt"
"github.com/mitchellh/cli"
entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/cmd/spire-server/util"
serverutil "github.com/spiffe/spire/cmd/spire-server/util"
commoncli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/cliprinter"
"github.com/spiffe/spire/pkg/common/idutil"
"github.com/spiffe/spire/pkg/common/util"
"google.golang.org/grpc/codes"
)
@ -21,7 +23,7 @@ func NewCreateCommand() cli.Command {
}
func newCreateCommand(env *commoncli.Env) cli.Command {
return util.AdaptCommand(env, &createCommand{env: env})
return serverutil.AdaptCommand(env, &createCommand{env: env})
}
type createCommand struct {
@ -104,7 +106,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintCreate)
}
func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
if err := c.validate(); err != nil {
return err
}
@ -175,6 +177,16 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
return nil, err
}
x509SvidTTL, err := util.CheckedCast[int32](c.x509SVIDTTL)
if err != nil {
return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
}
jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSVIDTTL)
if err != nil {
return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
}
e := &types.Entry{
Id: c.entryID,
ParentId: parentID,
@ -183,14 +195,14 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
ExpiresAt: c.entryExpiry,
DnsNames: c.dnsNames,
StoreSvid: c.storeSVID,
X509SvidTtl: int32(c.x509SVIDTTL),
JwtSvidTtl: int32(c.jwtSVIDTTL),
X509SvidTtl: x509SvidTTL,
JwtSvidTtl: jwtSvidTTL,
Hint: c.hint,
}
selectors := []*types.Selector{}
for _, s := range c.selectors {
cs, err := util.ParseSelector(s)
cs, err := serverutil.ParseSelector(s)
if err != nil {
return nil, err
}
@ -254,7 +266,7 @@ func prettyPrintCreate(env *commoncli.Env, results ...any) error {
for _, r := range failed {
env.ErrPrintf("Failed to create the following entry (code: %s, msg: %q):\n",
codes.Code(r.Status.Code),
util.MustCast[codes.Code](r.Status.Code),
r.Status.Message)
printEntry(r.Entry, env.ErrPrintf)
}

View File

@ -10,9 +10,10 @@ import (
"github.com/mitchellh/cli"
entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
"github.com/spiffe/spire/cmd/spire-server/util"
serverutil "github.com/spiffe/spire/cmd/spire-server/util"
commoncli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/cliprinter"
"github.com/spiffe/spire/pkg/common/util"
"google.golang.org/grpc/codes"
)
@ -22,7 +23,7 @@ func NewDeleteCommand() cli.Command {
}
func newDeleteCommand(env *commoncli.Env) cli.Command {
return util.AdaptCommand(env, &deleteCommand{env: env})
return serverutil.AdaptCommand(env, &deleteCommand{env: env})
}
type deleteCommand struct {
@ -70,7 +71,7 @@ func parseEntryDeleteJSON(path string) ([]string, error) {
return batchDeleteEntryRequest.Ids, nil
}
func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
func (c *deleteCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
if err := c.validate(); err != nil {
return err
}
@ -135,7 +136,7 @@ func (c *deleteCommand) prettyPrintDelete(env *commoncli.Env, results ...any) er
for _, result := range failed {
env.ErrPrintf("Failed to delete entry with ID %s (code: %s, msg: %q)\n",
result.Id,
codes.Code(result.Status.Code),
util.MustCast[codes.Code](result.Status.Code),
result.Status.Message)
}

View File

@ -4,13 +4,15 @@ import (
"context"
"errors"
"flag"
"fmt"
"github.com/mitchellh/cli"
entryv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/entry/v1"
"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/cmd/spire-server/util"
serverutil "github.com/spiffe/spire/cmd/spire-server/util"
commoncli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/cliprinter"
"github.com/spiffe/spire/pkg/common/util"
"google.golang.org/grpc/codes"
)
@ -20,7 +22,7 @@ func NewUpdateCommand() cli.Command {
}
func newUpdateCommand(env *commoncli.Env) cli.Command {
return util.AdaptCommand(env, &updateCommand{env: env})
return serverutil.AdaptCommand(env, &updateCommand{env: env})
}
type updateCommand struct {
@ -99,7 +101,7 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintUpdate)
}
func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
if err := c.validate(); err != nil {
return err
}
@ -169,6 +171,16 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
return nil, err
}
x509SvidTTL, err := util.CheckedCast[int32](c.x509SvidTTL)
if err != nil {
return nil, fmt.Errorf("invalid value for X509 SVID TTL: %w", err)
}
jwtSvidTTL, err := util.CheckedCast[int32](c.jwtSvidTTL)
if err != nil {
return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
}
e := &types.Entry{
Id: c.entryID,
ParentId: parentID,
@ -176,14 +188,14 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
Downstream: c.downstream,
ExpiresAt: c.entryExpiry,
DnsNames: c.dnsNames,
X509SvidTtl: int32(c.x509SvidTTL),
JwtSvidTtl: int32(c.jwtSvidTTL),
X509SvidTtl: x509SvidTTL,
JwtSvidTtl: jwtSvidTTL,
Hint: c.hint,
}
selectors := []*types.Selector{}
for _, s := range c.selectors {
cs, err := util.ParseSelector(s)
cs, err := serverutil.ParseSelector(s)
if err != nil {
return nil, err
}
@ -240,7 +252,7 @@ func prettyPrintUpdate(env *commoncli.Env, results ...any) error {
// Print entries that failed to be updated
for _, r := range failed {
env.ErrPrintf("Failed to update the following entry (code: %s, msg: %q):\n",
codes.Code(r.Status.Code),
util.MustCast[codes.Code](r.Status.Code),
r.Status.Message)
printEntry(r.Entry, env.ErrPrintf)
}

View File

@ -9,9 +9,10 @@ import (
"github.com/mitchellh/cli"
trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/cmd/spire-server/util"
serverutil "github.com/spiffe/spire/cmd/spire-server/util"
commoncli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/cliprinter"
"github.com/spiffe/spire/pkg/common/util"
"google.golang.org/grpc/codes"
)
@ -26,7 +27,7 @@ func NewCreateCommand() cli.Command {
}
func newCreateCommand(env *commoncli.Env) cli.Command {
return util.AdaptCommand(env, &createCommand{env: env})
return serverutil.AdaptCommand(env, &createCommand{env: env})
}
type createCommand struct {
@ -52,7 +53,7 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintCreate)
}
func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
func (c *createCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
federationRelationships, err := getRelationships(c.config, c.path)
if err != nil {
return err
@ -101,7 +102,7 @@ func (c *createCommand) prettyPrintCreate(env *commoncli.Env, results ...any) er
for _, r := range failed {
env.Println()
env.ErrPrintf("Failed to create the following federation relationship (code: %s, msg: %q):\n",
codes.Code(r.Status.Code),
util.MustCast[codes.Code](r.Status.Code),
r.Status.Message)
printFederationRelationship(r.FederationRelationship, env.ErrPrintf)
}

View File

@ -9,9 +9,10 @@ import (
"github.com/mitchellh/cli"
trustdomainv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/trustdomain/v1"
"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/cmd/spire-server/util"
serverutil "github.com/spiffe/spire/cmd/spire-server/util"
commoncli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/cliprinter"
"github.com/spiffe/spire/pkg/common/util"
"google.golang.org/grpc/codes"
)
@ -21,7 +22,7 @@ func NewUpdateCommand() cli.Command {
}
func newUpdateCommand(env *commoncli.Env) cli.Command {
return util.AdaptCommand(env, &updateCommand{env: env})
return serverutil.AdaptCommand(env, &updateCommand{env: env})
}
type updateCommand struct {
@ -47,7 +48,7 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, c.prettyPrintUpdate)
}
func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
func (c *updateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
federationRelationships, err := getRelationships(c.config, c.path)
if err != nil {
return err
@ -97,7 +98,7 @@ func (c *updateCommand) prettyPrintUpdate(env *commoncli.Env, results ...any) er
for _, r := range failed {
env.Println()
env.ErrPrintf("Failed to update the following federation relationship (code: %s, msg: %q):\n",
codes.Code(r.Status.Code),
util.MustCast[codes.Code](r.Status.Code),
r.Status.Message)
printFederationRelationship(r.FederationRelationship, env.ErrPrintf)
}

View File

@ -12,11 +12,12 @@ import (
"github.com/spiffe/go-spiffe/v2/spiffeid"
svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/cmd/spire-server/util"
serverutil "github.com/spiffe/spire/cmd/spire-server/util"
commoncli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/cliprinter"
"github.com/spiffe/spire/pkg/common/diskutil"
"github.com/spiffe/spire/pkg/common/jwtsvid"
"github.com/spiffe/spire/pkg/common/util"
)
func NewMintCommand() cli.Command {
@ -24,7 +25,7 @@ func NewMintCommand() cli.Command {
}
func newMintCommand(env *commoncli.Env) cli.Command {
return util.AdaptCommand(env, &mintCommand{env: env})
return serverutil.AdaptCommand(env, &mintCommand{env: env})
}
type mintCommand struct {
@ -52,7 +53,7 @@ func (c *mintCommand) AppendFlags(fs *flag.FlagSet) {
cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, prettyPrintMint)
}
func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error {
func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient serverutil.ServerClient) error {
if c.spiffeID == "" {
return errors.New("spiffeID must be specified")
}
@ -63,6 +64,10 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
if err != nil {
return err
}
ttl, err := ttlToSeconds(c.ttl)
if err != nil {
return fmt.Errorf("invalid value for TTL: %w", err)
}
client := serverClient.NewSVIDClient()
resp, err := client.MintJWTSVID(ctx, &svidv1.MintJWTSVIDRequest{
@ -70,7 +75,7 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
TrustDomain: spiffeID.TrustDomain().Name(),
Path: spiffeID.Path(),
},
Ttl: ttlToSeconds(c.ttl),
Ttl: ttl,
Audience: c.audience,
})
if err != nil {
@ -132,8 +137,8 @@ func getJWTSVIDEndOfLife(token string) (time.Time, error) {
// ttlToSeconds returns the number of seconds in a duration, rounded up to
// the nearest second
func ttlToSeconds(ttl time.Duration) int32 {
return int32((ttl + time.Second - 1) / time.Second)
func ttlToSeconds(ttl time.Duration) (int32, error) {
return util.CheckedCast[int32]((ttl + time.Second - 1) / time.Second)
}
func prettyPrintMint(env *commoncli.Env, results ...any) error {

View File

@ -33,8 +33,5 @@ func PrettyPrintLogger(env *commoncli.Env, results ...any) error {
return fmt.Errorf("internal error: logrus log level %d has no name; please report this as a bug", logrusLaunch)
}
if err := env.Printf("Logger Level : %s\nLaunch Level : %s\n\n", currentText, launchText); err != nil {
return err
}
return nil
return env.Printf("Logger Level : %s\nLaunch Level : %s\n\n", currentText, launchText)
}

View File

@ -14,7 +14,7 @@ import (
func TestPrettyPrintLogger(t *testing.T) {
for _, tt := range []struct {
name string
logger interface{}
logger any
outWriter errorWriter
errWriter errorWriter
env *commoncli.Env

View File

@ -110,6 +110,7 @@ type experimentalConfig struct {
CacheReloadInterval string `hcl:"cache_reload_interval"`
EventsBasedCache bool `hcl:"events_based_cache"`
PruneEventsOlderThan string `hcl:"prune_events_older_than"`
EventTimeout string `hcl:"event_timeout"`
SQLTransactionTimeout string `hcl:"sql_transaction_timeout"`
RequirePQKEM bool `hcl:"require_pq_kem"`
@ -568,6 +569,7 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
}
if c.Server.UseLegacyDownstreamX509CATTL != nil {
sc.Log.Warn("'use_legacy_downstream_x509_ca_ttl' is deprecated and will be removed in a future release")
sc.UseLegacyDownstreamX509CATTL = *c.Server.UseLegacyDownstreamX509CATTL
if sc.UseLegacyDownstreamX509CATTL {
sc.Log.Warn("Using legacy downstream X509 CA TTL calculation; this option will be removed in a future release")
@ -575,10 +577,9 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
sc.Log.Info("Using preferred downstream X509 CA TTL calculation")
}
} else {
// The default value should be false in SPIRE 1.11.0 and the flag
// removed in SPIRE 1.12.0.
sc.UseLegacyDownstreamX509CATTL = true
sc.Log.Info("Using legacy downstream X509 CA TTL calculation by default; this default will change in a future release")
// The flag should be removed in SPIRE 1.13.0.
sc.UseLegacyDownstreamX509CATTL = false
sc.Log.Info("Using preferred downstream X509 CA TTL calculation")
}
// If the configured TTLs can lead to surprises, then do our best to log an
@ -707,11 +708,20 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
}
if c.Server.Experimental.SQLTransactionTimeout != "" {
sc.Log.Warn("experimental.sql_transaction_timeout is deprecated, use experimental.event_timeout instead")
interval, err := time.ParseDuration(c.Server.Experimental.SQLTransactionTimeout)
if err != nil {
return nil, fmt.Errorf("could not parse SQL transaction timeout interval: %w", err)
}
sc.SQLTransactionTimeout = interval
sc.EventTimeout = interval
}
if c.Server.Experimental.EventTimeout != "" {
interval, err := time.ParseDuration(c.Server.Experimental.EventTimeout)
if err != nil {
return nil, fmt.Errorf("could not parse event timeout interval: %w", err)
}
sc.EventTimeout = interval
}
if c.Server.Experimental.EventsBasedCache {
@ -762,10 +772,7 @@ func setBundleEndpointConfigProfile(config *bundleEndpointConfig, dataDir string
return nil
case profileConfig.HTTPSWeb.ServingCertFile != nil:
federationConfig.BundleEndpoint.DiskCertManager, err = configToDiskCertManager(profileConfig.HTTPSWeb.ServingCertFile, log)
if err != nil {
return err
}
return nil
return err
default:
return errors.New("malformed https_web profile configuration: 'acme' or 'serving_cert_file' is required")
}
@ -904,6 +911,10 @@ func validateConfig(c *Config) error {
}
}
if c.Server.Experimental.EventTimeout != "" && c.Server.Experimental.SQLTransactionTimeout != "" {
return errors.New("both experimental sql_transaction_timeout and event_timeout set, only set event_timeout")
}
return c.validateOS()
}

View File

@ -1144,6 +1144,24 @@ func TestNewServerConfig(t *testing.T) {
require.Nil(t, c)
},
},
{
msg: "sql_transaction_timeout is correctly parsed",
input: func(c *Config) {
c.Server.Experimental.SQLTransactionTimeout = "1m"
},
test: func(t *testing.T, c *server.Config) {
require.Equal(t, time.Minute, c.EventTimeout)
},
},
{
msg: "event_timeout is correctly parsed",
input: func(c *Config) {
c.Server.Experimental.EventTimeout = "1m"
},
test: func(t *testing.T, c *server.Config) {
require.Equal(t, time.Minute, c.EventTimeout)
},
},
{
msg: "audit_log_enabled is enabled",
input: func(c *Config) {
@ -1330,6 +1348,14 @@ func TestValidateConfig(t *testing.T) {
},
expectedErr: `federation.federates_with["domain.test"].bundle_endpoint_url must use the HTTPS protocol; URL found: "http://example.org/test"`,
},
{
name: "can't set both sql_transaction_timeout and event_timeout",
applyConf: func(c *Config) {
c.Server.Experimental.EventTimeout = "1h"
c.Server.Experimental.SQLTransactionTimeout = "1h"
},
expectedErr: "both experimental sql_transaction_timeout and event_timeout set, only set event_timeout",
},
}
for _, testCase := range testCases {

View File

@ -3,14 +3,16 @@ package token
import (
"context"
"flag"
"fmt"
"github.com/mitchellh/cli"
"github.com/spiffe/go-spiffe/v2/spiffeid"
agentv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/agent/v1"
prototypes "github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/cmd/spire-server/util"
serverutil "github.com/spiffe/spire/cmd/spire-server/util"
commoncli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/cliprinter"
"github.com/spiffe/spire/pkg/common/util"
)
func NewGenerateCommand() cli.Command {
@ -18,7 +20,7 @@ func NewGenerateCommand() cli.Command {
}
func newGenerateCommand(env *commoncli.Env) cli.Command {
return util.AdaptCommand(env, &generateCommand{env: env})
return serverutil.AdaptCommand(env, &generateCommand{env: env})
}
type generateCommand struct {
@ -39,16 +41,20 @@ func (g *generateCommand) Synopsis() string {
return "Generates a join token"
}
func (g *generateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient util.ServerClient) error {
func (g *generateCommand) Run(ctx context.Context, _ *commoncli.Env, serverClient serverutil.ServerClient) error {
id, err := getID(g.SpiffeID)
if err != nil {
return err
}
ttl, err := util.CheckedCast[int32](g.TTL)
if err != nil {
return fmt.Errorf("invalid value for TTL: %w", err)
}
c := serverClient.NewAgentClient()
resp, err := c.CreateJoinToken(ctx, &agentv1.CreateJoinTokenRequest{
AgentId: id,
Ttl: int32(g.TTL),
Ttl: ttl,
})
if err != nil {
return err

View File

@ -19,10 +19,11 @@ import (
"github.com/spiffe/go-spiffe/v2/spiffeid"
bundlev1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/bundle/v1"
svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
"github.com/spiffe/spire/cmd/spire-server/util"
serverutil "github.com/spiffe/spire/cmd/spire-server/util"
commoncli "github.com/spiffe/spire/pkg/common/cli"
"github.com/spiffe/spire/pkg/common/cliprinter"
"github.com/spiffe/spire/pkg/common/diskutil"
"github.com/spiffe/spire/pkg/common/util"
)
type generateKeyFunc func() (crypto.Signer, error)
@ -37,7 +38,7 @@ func newMintCommand(env *commoncli.Env, generateKey generateKeyFunc) cli.Command
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
}
return util.AdaptCommand(env, &mintCommand{
return serverutil.AdaptCommand(env, &mintCommand{
generateKey: generateKey,
env: env,
})
@ -70,7 +71,7 @@ func (c *mintCommand) AppendFlags(fs *flag.FlagSet) {
cliprinter.AppendFlagWithCustomPretty(&c.printer, fs, c.env, c.prettyPrintMint)
}
func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient util.ServerClient) error {
func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient serverutil.ServerClient) error {
if c.spiffeID == "" {
return errors.New("spiffeID must be specified")
}
@ -80,6 +81,11 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
return err
}
ttl, err := ttlToSeconds(c.ttl)
if err != nil {
return fmt.Errorf("invalid value for TTL: %w", err)
}
key, err := c.generateKey()
if err != nil {
return fmt.Errorf("unable to generate key: %w", err)
@ -96,7 +102,7 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
client := serverClient.NewSVIDClient()
resp, err := client.MintX509SVID(ctx, &svidv1.MintX509SVIDRequest{
Csr: csr,
Ttl: ttlToSeconds(c.ttl),
Ttl: ttl,
})
if err != nil {
return fmt.Errorf("unable to mint SVID: %w", err)
@ -167,8 +173,8 @@ func (c *mintCommand) Run(ctx context.Context, env *commoncli.Env, serverClient
// ttlToSeconds returns the number of seconds in a duration, rounded up to
// the nearest second
func ttlToSeconds(ttl time.Duration) int32 {
return int32((ttl + time.Second - 1) / time.Second)
func ttlToSeconds(ttl time.Duration) (int32, error) {
return util.CheckedCast[int32]((ttl + time.Second - 1) / time.Second)
}
type mintResult struct {

View File

@ -59,6 +59,9 @@ agent {
# trust_bundle_url: URL to download the initial SPIRE server trust bundle.
# trust_bundle_url = ""
# trust_bundle_unix_socket: Make the request specified via trust_bundle_url happen against the specified unix socket.
# trust_budnle_unix_socket = "/tmp/your-webserver.sock"
# trust_bundle_format: The format for the initial SPIRE server trust bundle, pem or spiffe
# trust_bundle_format = "pem"
@ -108,6 +111,10 @@ agent {
# # admin_named_pipe_name: Pipe name to bind the Admin API named pipe (Windows only).
# Can be used to access the Debug API and Delegated Identity API.
# admin_named_pipe_name = ""
# # use_sync_authorized_entries: Use SyncAuthorizedEntries API for periodic synchronization
# # of authorized entries.
# use_sync_authorized_entries = true
# }
}
@ -204,20 +211,6 @@ plugins {
}
}
# NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
# using a Kubernetes Service Account token.
NodeAttestor "k8s_sat" {
plugin_data {
# cluster: Name of the cluster. It must correspond to a cluster
# configured in the server plugin.
# cluster = ""
# token_path: Path to the service account token on disk.
# Default: /var/run/secrets/kubernetes.io/serviceaccount/token.
# token_path = "/var/run/secrets/kubernetes.io/serviceaccount/token"
}
}
# NodeAttestor "sshpop": A node attestor which attests agent identity
# using an existing ssh certificate.
NodeAttestor "sshpop" {

View File

@ -533,47 +533,6 @@ plugins {
# }
# }
# NodeAttestor "k8s_sat" (deprecated): A node attestor which attests agent identity
# using a Kubernetes Service Account token.
# NodeAttestor "k8s_sat" {
# plugin_data {
# # clusters: A map of clusters, keyed by an arbitrary ID, that are
# # authorized for attestation.
# # clusters = {
# # "<arbitrary ID>" = {
# # service_account_allow_list: A list of service account names,
# # qualified by namespace (for example, "default:blog" or
# # "production:web") to allow for node attestation. Attestation
# # will be rejected for tokens bound to service accounts that
# # aren't in the allow list.
# # service_account_allow_list = []
# # use_token_review_api_validation: Specifies how the service
# # account token is validated. If false, validation is done
# # locally using the provided key. If true, validation is done
# # using token review API. Default: false.
# # use_token_review_api_validation = false
# # service_account_key_file: It is only used if
# # use_token_review_api_validation is set to false. Path on disk
# # to a PEM encoded file containing public keys used in
# # validating tokens for that cluster. RSA and ECDSA keys are
# # supported. For RSA, X509 certificates, PKCS1, and PKIX encoded
# # public keys are accepted. For ECDSA, X509 certificates, and
# # PKIX encoded public keys are accepted.
# # service_account_key_file = ""
# # kube_config_file: It is only used if
# # use_token_review_api_validation is set to true. Path to a k8s
# # configuration file for API Server authentication. A kubernetes
# # configuration file must be specified if SPIRE server runs
# # outside of the k8s cluster. If empty, SPIRE server is assumed
# # to be running inside the cluster and in-cluster configuration
# # is used. Default: "".
# # kube_config_file = ""
# }
# }
# NodeAttestor "sshpop": A node attestor which attests agent identity
# using an existing ssh certificate.
# NodeAttestor "sshpop" {
@ -982,6 +941,29 @@ plugins {
# # trust_anchor_id = "153d3e58-cab5-4a59-a0a1-3febad2937c4"
# }
# }
# BundlePublisher "k8s_configmap": A bundle publisher that puts the current trust
# bundle of the server in a designated Kubernetes ConfigMap, keeping it updated.
# BundlePublisher "k8s_configmap" {
# plugin_data {
# clusters = {
# "example-cluster-1" = {
# configmap_name = "example.org"
# configmap_key = "bundle"
# namespace = "spire"
# kubeconfig_path = "/file/path/cluster-1"
# format = "spiffe"
# },
# "example-cluster-2" = {
# configmap_name = "example.org"
# configmap_key = "bundle"
# namespace = "spire"
# kubeconfig_path = "/file/path/cluster-2"
# format = "pem"
# }
# }
# }
# }
}
# telemetry: If telemetry is desired use this section to configure the

View File

@ -44,15 +44,16 @@ If you don't already have Docker installed, please follow these [installation in
$ make dev-shell
```
3. Create a user with uid 1000. The uid will be registered as a selector of the workload's SPIFFE ID. During kernel based attestation the workload process will be interrogated for the registered uid.
3. Create a user with uid 1001. The uid will be registered as a selector of the workload's SPIFFE ID. During kernel based attestation the workload process will be interrogated for the registered uid.
```shell
(in dev shell) # useradd -u 1000 workload
(in dev shell) # useradd -u 1001 workload
```
4. Build SPIRE by running the **build** target. The build target builds all the SPIRE binaries.
4. Build SPIRE by running the **build** target. The build target builds all the SPIRE binaries. This requires configuring `git` to know that the temporary docker container is safe.
```shell
(in dev shell) # git config --global --add safe.directory /spire
(in dev shell) # make build
```
@ -169,12 +170,12 @@ If you don't already have Docker installed, please follow these [installation in
(in dev shell) # ./bin/spire-server entry create \
-parentID spiffe://example.org/host \
-spiffeID spiffe://example.org/workload \
-selector unix:uid:1000
-selector unix:uid:1001
```
At this point, the target workload has been registered with the SPIRE Server. We can now call the Workload API using a command line program to request the workload SVID from the SPIRE Agent.
12. Simulate the Workload API interaction and retrieve the workload SVID bundle by running the `api` subcommand in the agent. Run the command as user **_workload_** created in step #3 with uid 1000
12. Simulate the Workload API interaction and retrieve the workload SVID bundle by running the `api` subcommand in the agent. Run the command as user **_workload_** created in step #3 with uid 1001
```shell
(in dev shell) # su -c "./bin/spire-agent api fetch x509 " workload
@ -183,6 +184,6 @@ If you don't already have Docker installed, please follow these [installation in
13. Examine the output. Optionally, you may write the SVID and key to disk with `-write` in order to examine them in detail.
```shell
(in dev shell) # su -c "./bin/spire-agent api fetch x509 -write ./" workload
(in dev shell) # openssl x509 -in ./svid.0.pem -text -noout
(in dev shell) # su -c "./bin/spire-agent api fetch x509 -write /tmp" workload
(in dev shell) # openssl x509 -in /tmp/svid.0.pem -text -noout
```

View File

@ -18,6 +18,7 @@ server {
local {
rego_path = "./conf/server/policy.rego"
policy_data_path = "./conf/server/policy_data.json"
use_rego_v1 = true
}
}
}

View File

@ -1,50 +0,0 @@
# Agent plugin: NodeAttestor "k8s_sat" (deprecated)
**This plugin has been deprecated in favor of the ["k8s_psat"](plugin_agent_nodeattestor_k8s_psat.md) plugin and will be removed in a future release.**
*Must be used in conjunction with the server-side k8s_sat plugin*
The `k8s_sat` plugin attests nodes running in inside of Kubernetes. The agent
reads and provides the signed service account token to the server.
*Note: If your cluster supports [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)
you should instead consider using the `k8s_psat` attestor due to the [security considerations](#security-considerations) below.*
The server-side `k8s_sat` plugin generates a one-time UUID and generates a SPIFFE ID with the form:
```xml
spiffe://<trust_domain>/spire/agent/k8s_sat/<cluster>/<UUID>
```
The main configuration accepts the following values:
| Configuration | Description | Default |
|---------------|---------------------------------------------------------------------------------------|-------------------------------------------------------|
| `cluster` | Name of the cluster. It must correspond to a cluster configured in the server plugin. |
| `token_path` | Path to the service account token on disk | "/var/run/secrets/kubernetes.io/serviceaccount/token" |
The token path defaults to the default location Kubernetes uses to place the token and should not need to be overridden in most cases.
A sample configuration with the default token path:
```hcl
NodeAttestor "k8s_sat" {
plugin_data {
cluster = "MyCluster"
}
}
```
## Security Considerations
At this time, the service account token does not contain claims that could be
used to strongly identify the node/daemonset/pod running the agent. This means
that any container running in an allowed service account can masquerade as
an agent, giving it access to any identity the agent is capable of issuing. It
is **STRONGLY** recommended that agents run under a dedicated service account.
It should be noted that due to the fact that SPIRE can't positively
identify a node using this method, it is not possible to directly authorize
identities for a distinct node or sets of nodes. Instead, this must be
accomplished indirectly using a service account and deployment that
leverages node affinity or node selectors.

View File

@ -122,7 +122,7 @@ ghcr.io/spiffe/spire-server 1.9.1 e3b24c3cd9e1 4 weeks ago 10
envoyproxy/envoy contrib-v1.29.1 644f45f6626c 7 weeks ago 181MB
```
Then u4se the `REPOSITORY:TAG` as the selector, not the `IMAGE ID` column.
Then use the `REPOSITORY:TAG` as the selector, not the `IMAGE ID` column.
```shell
$ spire-server entry create \

View File

@ -1,7 +1,10 @@
# Server plugin: BundlePublisher "aws_rolesanywhere_trustanchor"
> [!WARNING]
> This plugin is only supported when an UpstreamAuthority plugin is used.
> AWS Roles Anywhere only allows configuring up to two CAs per trust anchor. If you are using this plugin, you will
> need to make sure there are at most 2 CAs in the trust bundle for the trust domain, otherwise publishing the bundle
> will fail. This can be achieved by configuring the spire-server with an `UpstreamAuthority` plugin.
> Also, keep in mind that expired CAs are only removed from the bundle 24 hours after their expiration.
The `aws_rolesanywhere_trustanchor` plugin puts the current trust bundle of the server
in a trust anchor, keeping it updated.

View File

@ -13,6 +13,7 @@ The plugin accepts the following configuration options:
| bucket | The Amazon S3 bucket name to which the trust bundle is uploaded. | Yes. | |
| object_key | The object key inside the bucket. | Yes. | |
| format | Format in which the trust bundle is stored, &lt;spiffe &vert; jwks &vert; pem&gt;. See [Supported bundle formats](#supported-bundle-formats) for more details. | Yes. | |
| endpoint | A custom S3 endpoint should be set when using third-party object storage providers, such as Minio. | No. | |
## Supported bundle formats
@ -48,3 +49,19 @@ The following configuration uploads the local trust bundle contents to the `exam
}
}
```
The following configuration uploads the local trust bundle contents to the `example.org` object in the `spire-trust-bundle` bucket on Minio server.
```hcl
BundlePublisher "aws_s3" {
plugin_data {
endpoint = "https://my-org-minio.example.org"
region = "minio-sample-region"
access_key_id = "minio-key-id"
secret_access_key = "minio-access-key"
bucket = "spire-trust-bundle"
object_key = "example.org"
format = "spiffe"
}
}
```

View File

@ -0,0 +1,127 @@
# Server plugin: BundlePublisher "k8s_configmap"
The `k8s_configmap` plugin puts the current trust bundle of the server in a designated
Kubernetes ConfigMap, keeping it updated. The plugin supports configuring multiple clusters.
The plugin accepts the following configuration:
| Configuration | Description | Default |
|---------------|---------------------------------------------------------------------------------------------------|---------|
| `clusters` | A map of clusters, keyed by an arbitrary ID, where the plugin publishes the current trust bundle. | |
> [!WARNING]
> When `clusters` is empty, the plugin does not publish the bundle.
Each cluster in the main configuration has the following configuration options:
| Configuration | Description | Required | Default |
|-----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|---------|
| configmap_name | The name of the ConfigMap. | Yes. | |
| configmap_key | The key within the ConfigMap for the bundle. | Yes. | |
| namespace | The namespace containing the ConfigMap. | Yes. | |
| kubeconfig_path | The path on disk to the kubeconfig containing configuration to enable interaction with the Kubernetes API server. If unset, in-cluster credentials will be used. | No. | |
| format | Format in which the trust bundle is stored, &lt;spiffe &vert; jwks &vert; pem&gt;. See [Supported bundle formats](#supported-bundle-formats) for more details. | Yes. | |
## Supported bundle formats
The following bundle formats are supported:
### SPIFFE format
The trust bundle is represented as an RFC 7517 compliant JWK Set, with the specific parameters defined in the [SPIFFE Trust Domain and Bundle specification](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#4-spiffe-bundle-format). Both the JWT authorities and the X.509 authorities are included.
### JWKS format
The trust bundle is encoded as an RFC 7517 compliant JWK Set, omitting SPIFFE-specific parameters. Both the JWT authorities and the X.509 authorities are included.
### PEM format
The trust bundle is formatted using PEM encoding. Only the X.509 authorities are included.
## Configuring Kubernetes
To use this plugin, configure Kubernetes permissions for the SPIRE Server's Service Account:
- For in-cluster SPIRE servers: grant permissions to the Service Account running SPIRE.
- For out-of-cluster SPIRE servers: grant permissions to the Service Account specified in the kubeconfig.
The plugin uses the Kubernetes Apply operation to manage ConfigMaps. This operation will create the ConfigMap if it doesn't exist, or update it if it does. The Service Account needs permission to use the `patch` verb on ConfigMaps in the specified namespace.
### Required Permissions
The Service Account needs the following permissions:
- `get` on ConfigMaps (required for the Apply operation to read the current state)
- `patch` on ConfigMaps (required for the Apply operation to update resources)
- `create` on ConfigMaps (required if the ConfigMap doesn't exist)
### Example
In this example, assume that Service Account is `spire-server`.
```yaml
kind: Role # Note: Using Role instead of ClusterRole for namespace-scoped permissions
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-role
namespace: spire
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["create", "get", "patch"]
resourceNames: ["spire-bundle"] # Restrict to specific ConfigMap for create, get and patch operations
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: spire-server-role-binding
namespace: spire
subjects:
- kind: ServiceAccount
name: spire-server
namespace: spire
roleRef:
kind: Role
name: spire-server-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ConfigMap
metadata:
name: spire-bundle
namespace: spire
```
> [!NOTE]
> The Apply operation uses Server-Side Apply (SSA) with a field manager name of `spire-bundlepublisher-k8s_configmap`. This ensures that SPIRE's updates to the ConfigMap are tracked and can coexist with other controllers that might be managing different fields of the same ConfigMap.
## Sample configuration
The following configuration keeps the local trust bundle updated in ConfigMaps from two different clusters.
```hcl
BundlePublisher "k8s_configmap" {
plugin_data {
clusters = {
"example-cluster-1" = {
configmap_name = "example.org"
configmap_key = "bundle"
namespace = "spire"
kubeconfig_path = "/file/path/cluster-1"
format = "spiffe"
},
"example-cluster-2" = {
configmap_name = "example.org"
configmap_key = "bundle"
namespace = "spire"
kubeconfig_path = "/file/path/cluster-2"
format = "pem"
}
}
}
}
```

View File

@ -11,13 +11,15 @@ The `sql` plugin implements SQL based data storage for the SPIRE server using SQ
| client_cert_path | Path to client certificate (MySQL only) |
| client_key_path | Path to private key for client certificate (MySQL only) |
| max_open_conns | The maximum number of open db connections (default: 100) |
| max_idle_conns | The maximum number of idle connections in the pool (default: 2) |
| max_idle_conns | The maximum number of idle connections in the pool (default: 100) |
| conn_max_lifetime | The maximum amount of time a connection may be reused (default: unlimited) |
| disable_migration | True to disable auto-migration functionality. Use of this flag allows finer control over when datastore migrations occur and coordination of the migration of a datastore shared with a SPIRE Server cluster. Only available for databases from SPIRE Code version 0.9.0 or later. |
For more information on the `max_open_conns`, `max_idle_conns`, and `conn_max_lifetime`, refer to the
documentation for the Go [`database/sql`](https://golang.org/pkg/database/sql/#DB) package.
> **Note:** The SQL plugin uses an internal default setting of 30 seconds for the maximum idle time per connection (ConnMaxIdleTime). This setting is not configurable through the plugin configuration.
## Database configurations
### `database_type = "sqlite3"`

View File

@ -1,105 +0,0 @@
# Server plugin: NodeAttestor "k8s_sat" (deprecated)
**This plugin has been deprecated in favor of the ["k8s_psat"](plugin_server_nodeattestor_k8s_psat.md) plugin and will be removed in a future release.**
*Must be used in conjunction with the agent-side k8s_sat plugin*
The `k8s_sat` plugin attests nodes running in inside of Kubernetes. The server validates the signed service
account token provided by the agent. This validation can be done in two different ways depending on the value
of the `use_token_review_api_validation` flag:
+ If this value is set to `false` (default behavior), the attestor validates the token locally using the key provided in `service_account_key_file`.
+ If this value is set to `true`, the validation is performed using the Kubernetes [Token Review API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/).
*Note: If your cluster supports [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection)
you should instead consider using the `k8s_psat` attestor due to the [security considerations](#security-considerations) below.*
The server uses a one-time UUID provided by the agent to generate a SPIFFE ID with the form:
```xml
spiffe://<trust_domain>/spire/agent/k8s_sat/<cluster>/<UUID>
```
The server does not need to be running in Kubernetes in order to perform node
attestation. In fact, the plugin can be configured to attest nodes running in
multiple clusters.
The main configuration accepts the following values:
| Configuration | Description | Default |
|---------------|-----------------------------------------------------------------------------------|---------|
| `clusters` | A map of clusters, keyed by an arbitrary ID, that are authorized for attestation. | |
Each cluster in the main configuration requires the following configuration:
| Configuration | Description | Default |
|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| `service_account_allow_list` | A list of service account names, qualified by namespace (for example, "default:blog" or "production:web") to allow for node attestation. Attestation will be rejected for tokens bound to service accounts that aren't in the allow list. | |
| `use_token_review_api_validation` | Specifies how the service account token is validated. If false, validation is done locally using the provided key. If true, validation is done using token review API. | false |
| `service_account_key_file` | It is only used if `use_token_review_api_validation` is set to `false`. Path on disk to a PEM encoded file containing public keys used in validating tokens for that cluster. RSA and ECDSA keys are supported. For RSA, X509 certificates, PKCS1, and PKIX encoded public keys are accepted. For ECDSA, X509 certificates, and PKIX encoded public keys are accepted. | |
| `kube_config_file` | It is only used if `use_token_review_api_validation` is set to `true`. Path to a k8s configuration file for API Server authentication. A Kubernetes configuration file must be specified if SPIRE server runs outside of the k8s cluster. If empty, SPIRE server is assumed to be running inside the cluster and in-cluster configuration is used. | "" |
A sample configuration for SPIRE server running inside or outside a Kubernetes cluster and validating the service account token with a key file located at `"/run/k8s-certs/sa.pub"`:
```hcl
NodeAttestor "k8s_sat" {
plugin_data {
clusters = {
"MyCluster" = {
service_account_allow_list = ["production:spire-agent"]
service_account_key_file = "/run/k8s-certs/sa.pub"
}
}
}
```
A sample configuration for SPIRE server running inside of a Kubernetes cluster and validating the service account token with the kubernetes token review API:
```hcl
NodeAttestor "k8s_sat" {
plugin_data {
clusters = {
"MyCluster" = {
service_account_allow_list = ["production:spire-agent"]
use_token_review_api_validation = true
}
}
}
```
A sample configuration for SPIRE server running outside of a Kubernetes cluster and validating the service account token with the kubernetes token review API:
```hcl
NodeAttestor "k8s_sat" {
plugin_data {
clusters = {
"MyCluster" = {
service_account_allow_list = ["production:spire-agent"]
use_token_review_api_validation = true
kube_config_file = "path/to/kubeconfig/file"
}
}
}
```
In addition, this plugin generates the following selectors:
| Selector | Example | Description |
|--------------------|--------------------------------|---------------------------------------------------------------------------------|
| `k8s_sat:cluster` | `k8s_sat:cluster:MyCluster` | Name of the cluster (from the plugin config) used to verify the token signature |
| `k8s_sat:agent_ns` | `k8s_sat:agent_ns:production` | Namespace that the agent is running under |
| `k8s_sat:agent_sa` | `k8s_sat:agent_sa:spire-agent` | Service Account the agent is running under |
## Security Considerations
At this time, the service account token does not contain claims that could be
used to strongly identify the node/daemonset/pod running the agent. This means
that any container running in an allowed service account can masquerade as
an agent, giving it access to any identity the agent is capable of issuing. It
is **STRONGLY** recommended that agents run under a dedicated service account.
It should be noted that due to the fact that SPIRE can't positively
identify a node using this method, it is not possible to directly authorize
identities for a distinct node or sets of nodes. Instead, this must be
accomplished indirectly using a service account and deployment that
leverages node affinity or node selectors.

View File

@ -4,7 +4,7 @@
The `x509pop` plugin attests nodes that have been provisioned with an x509
identity through an out-of-band mechanism. It verifies that the certificate is
rooted to a trusted set of CAs and issues a signature based proof-of-possession
rooted to a trusted set of CAs and issues a signature-based proof-of-possession
challenge to the agent plugin to verify that the node is in possession of the
private key.
@ -22,7 +22,7 @@ spiffe://<trust_domain>/spire/agent/x509pop/<fingerprint>
| `svid_prefix` | The prefix of the SVID to use for matching valid SVIDS and exchanging them for Node SVIDs | /spire-exchange |
| `ca_bundle_path` | The path to the trusted CA bundle on disk. The file must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. If the CA certificates are in more than one file, use `ca_bundle_paths` instead. | |
| `ca_bundle_paths` | A list of paths to trusted CA bundles on disk. The files must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. | |
| `agent_path_template` | A URL path portion format of Agent's SPIFFE ID. Describe in text/template format. | `See [Agent Path Template](#agent-path-template) for details` |
| `agent_path_template` | A URL path portion format of Agent's SPIFFE ID. Describe in text/template format. | See [Agent Path Template](#agent-path-template) for details |
A sample configuration:
@ -30,7 +30,7 @@ A sample configuration:
NodeAttestor "x509pop" {
plugin_data {
ca_bundle_path = "/opt/spire/conf/server/agent-cacert.pem"
# Change the agent's SPIFFE ID format
# agent_path_template = "/cn/{{ .Subject.CommonName }}"
}
@ -39,34 +39,29 @@ A sample configuration:
## Selectors
| Selector | Example | Description |
|------------------|-------------------------------------------------------------------|------------------------------------------------------------------------------------------|
| Common Name | `x509pop:subject:cn:example.org` | The Subject's Common Name (see X.500 Distinguished Names) |
| SHA1 Fingerprint | `x509pop:ca:fingerprint:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf. |
| SerialNumber | `x509pop:serialnumber:0a1b2c3d4e5f` | The leaf certificate serial number as a lowercase hexadecimal string |
| Selector | Example | Description |
|------------------|-------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Common Name | `x509pop:subject:cn:example.org` | The Subject's Common Name (see X.500 Distinguished Names) |
| SHA1 Fingerprint | `x509pop:ca:fingerprint:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33` | The SHA1 fingerprint as a hex string for each cert in the PoP chain, excluding the leaf. |
| SerialNumber | `x509pop:serialnumber:0a1b2c3d4e5f` | The leaf certificate serial number as a lowercase hexadecimal string |
| San | `x509pop:san:<key>:<value>` | The san selectors on the leaf certificate. The expected format of the uri san is `x509pop://<trust_domain>/<key>:<value>`. One selector is exposed per uri san corresponding to x509pop uri scheme. string |
## SVID Path Prefix
When mode="spiffe", the SPIFFE ID being exchanged must be prefixed by the specified svid_prefix. The prefix will be removed from the .SVIDPathTrimmed property before sending to the
agent path template. If set to "", all prefixes are allowed and you will want to do limiting logic in in the agent_path_template.
When `mode="spiffe"` the SPIFFE ID being exchanged must be prefixed by the specified `svid_prefix`. The prefix will be removed from the `.SVIDPathTrimmed` property before sending to the agent path template. If `svid_prefix` is set to `""`, all prefixes will be allowed, and the limiting logic will have to be implemented in the `agent_path_template`.
Example: if your trust domain is example.com and svid_prefix = the default of /spire-exchange, and agent path template is the default,
spiffe://example.com/spire-exchange/testhost will render out to spiffe://example.com/spire/agent/x509pop/testhost
If spiffe://example.com/other/testhost is given, it wont match the svid_prefix and it will be rejected.
**Example:** If your trust domain is example.com and `svid_prefix` is set to its default value `/spire-exchange`, and [agent_path_template](#agent-path-template) is the default too, then the SPIFFE ID from the x509 identity `spiffe://example.com/spire-exchange/testhost` will be exchanged for `spiffe://example.com/spire/agent/x509pop/testhost`. If a SPIFFE ID with a different prefix is given, for example `spiffe://example.com/other/testhost`, it will not match the `svid_prefix` and will be rejected.
## Agent Path Template
The agent path template is a way of customizing the format of generated SPIFFE IDs for agents.
Specifying the value of `agent_path_template` provides a way of customizing the format of generated SPIFFE IDs for agents. The default format for every mode is shown below
If using ca_bundle_path(s), the default is:
"{{ .PluginName }}/{{ .Fingerprint }}"
| `mode` | `agent_path_template` |
|----------------|--------------------------------------------|
| `spiffe` | `{{ .PluginName }}/{{ .SVIDPathTrimmed }}` |
| `external_pki` | `{{ .PluginName }}/{{ .Fingerprint }}` |
If using spire_trust_bundle, the default exchanges an SVID under `/spire-exchange/*` for `/spire/agent/x509pop/*`, via:
"{{ .PluginName }}/{{ .SVIDPathTrimmed }}"
The template formatter is using Golang text/template conventions, it can reference values provided by the plugin or in a [golang x509.Certificate](https://pkg.go.dev/crypto/x509#Certificate)
The template formatter is using Golang text/template conventions. It can reference values provided by the plugin or in a [golang x509.Certificate](https://pkg.go.dev/crypto/x509#Certificate).
Details about the template engine are available [here](template_engine.md).
Some useful values are:

View File

@ -21,7 +21,6 @@ This document is a configuration reference for SPIRE Agent. It includes informat
| NodeAttestor | [azure_msi](/doc/plugin_agent_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
| NodeAttestor | [gcp_iit](/doc/plugin_agent_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
| NodeAttestor | [join_token](/doc/plugin_agent_nodeattestor_jointoken.md) | A node attestor which uses a server-generated join token |
| NodeAttestor | [k8s_sat](/doc/plugin_agent_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
| NodeAttestor | [k8s_psat](/doc/plugin_agent_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
| NodeAttestor | [sshpop](/doc/plugin_agent_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
| NodeAttestor | [x509pop](/doc/plugin_agent_nodeattestor_x509pop.md) | A node attestor which attests agent identity using an existing X.509 certificate |
@ -66,6 +65,7 @@ This may be useful for templating configuration files, for example across differ
| `sds` | Optional SDS configuration section | |
| `trust_bundle_path` | Path to the SPIRE server CA bundle | |
| `trust_bundle_url` | URL to download the initial SPIRE server trust bundle | |
| `trust_bundle_unix_socket` | Make the request specified via trust_bundle_url happen against the specified unix socket. | |
| `trust_bundle_format` | Format of the initial trust bundle, pem or spiffe | pem |
| `trust_domain` | The trust domain that this agent belongs to (should be no more than 255 characters) | |
| `workload_x509_svid_key_type` | The workload X509 SVID key type &lt;rsa-2048&vert;ec-p256&gt; | ec-p256 |
@ -77,15 +77,17 @@ This may be useful for templating configuration files, for example across differ
|:------------------------------|--------------------------------------------------------------------------------------|-------------------------|
| `named_pipe_name` | Pipe name to bind the SPIRE Agent API named pipe (Windows only) | \spire-agent\public\api |
| `sync_interval` | Sync interval with SPIRE server with exponential backoff | 5 sec |
| `use_sync_authorized_entries` | Use SyncAuthorizedEntries API for periodically synchronization of authorized entries | false |
| `use_sync_authorized_entries` | Use SyncAuthorizedEntries API for periodically synchronization of authorized entries | true |
| `require_pq_kem` | Require use of a post-quantum-safe key exchange method for TLS handshakes | false |
### Initial trust bundle configuration
The agent needs an initial trust bundle in order to connect securely to the SPIRE server. There are three options:
The agent needs an initial trust bundle in order to connect securely to the SPIRE server. There are four options:
1. If the `trust_bundle_path` option is used, the agent will read the initial trust bundle from the file at that path. You need to copy or share the file before starting the SPIRE agent.
2. If the `trust_bundle_url` option is used, the agent will read the initial trust bundle from the specified URL. **The URL must start with `https://` for security, and the server must have a valid certificate (verified with the system trust store).** This can be used to rapidly deploy SPIRE agents without having to manually share a file. Keep in mind the contents of the URL need to be kept up to date.
2. If the `trust_bundle_url` option is used, the agent will read the initial trust bundle from the specified URL.
1. If trust_bundle_unix_socket is unset, **The URL must start with `https://` for security, and the server must have a valid certificate (verified with the system trust store).** This can be used to rapidly deploy SPIRE agents without having to manually share a file. Keep in mind the contents of the URL need to be kept up to date.
2. If trust_bundle_unix_socket is set, **The URL must start with `http://`.** This can be used along with a local service running on the socket to fetch up to date trust bundles via some site specific, secure meachanism.
3. If the `insecure_bootstrap` option is set to `true`, then the agent will not use an initial trust bundle. It will connect to the SPIRE server without authenticating it. This is not a secure configuration, because a man-in-the-middle attacker could control the SPIRE infrastructure. It is included because it is a useful option for testing and development.
Only one of these three options may be set at a time.

View File

@ -27,7 +27,6 @@ This document is a configuration reference for SPIRE Server. It includes informa
| NodeAttestor | [azure_msi](/doc/plugin_server_nodeattestor_azure_msi.md) | A node attestor which attests agent identity using an Azure MSI token |
| NodeAttestor | [gcp_iit](/doc/plugin_server_nodeattestor_gcp_iit.md) | A node attestor which attests agent identity using a GCP Instance Identity Token |
| NodeAttestor | [join_token](/doc/plugin_server_nodeattestor_jointoken.md) | A node attestor which validates agents attesting with server-generated join tokens |
| NodeAttestor | [k8s_sat](/doc/plugin_server_nodeattestor_k8s_sat.md) (deprecated) | A node attestor which attests agent identity using a Kubernetes Service Account token |
| NodeAttestor | [k8s_psat](/doc/plugin_server_nodeattestor_k8s_psat.md) | A node attestor which attests agent identity using a Kubernetes Projected Service Account token |
| NodeAttestor | [sshpop](/doc/plugin_server_nodeattestor_sshpop.md) | A node attestor which attests agent identity using an existing ssh certificate |
| NodeAttestor | [tpm_devid](/doc/plugin_server_nodeattestor_tpm_devid.md) | A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate |
@ -82,7 +81,7 @@ This may be useful for templating configuration files, for example across differ
| `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | |
| `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock |
| `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | |
| `use_legacy_downstream_x509_ca_ttl` | Use the downstream spire-server registration entry TTL as the downstream CA TTL. This is deprecated and will be removed in a future version. | true |
| `use_legacy_downstream_x509_ca_ttl` | Use the downstream spire-server registration entry TTL as the downstream CA TTL. This is deprecated and will be removed in a future version. | false |
| ca_subject | Description | Default |
|:----------------------------|--------------------------------|----------------|
@ -95,10 +94,10 @@ This may be useful for templating configuration files, for example across differ
| `cache_reload_interval` | The amount of time between two reloads of the in-memory entry cache. Increasing this will mitigate high database load for extra large deployments, but will also slow propagation of new or updated entries to agents. | 5s |
| `events_based_cache` | Use events to update the cache with what's changed since the last update. Enabling this will reduce overhead on the database. | false |
| `prune_events_older_than` | How old an event can be before being deleted. Used with events based cache. Decreasing this will keep the events table smaller, but will increase risk of missing an event if connection to the database is down. | 12h |
| `sql_transaction_timeout` | Maximum time an SQL transaction could take, used by the events based cache to determine when an event id is unlikely to be used anymore. | 24h |
| `event_timeout` | Maximum time to wait for an event to come in before giving up. | 15m |
| `auth_opa_policy_engine` | The [auth opa_policy engine](/doc/authorization_policy_engine.md) used for authorization decisions | default SPIRE authorization policy |
| `named_pipe_name` | Pipe name of the SPIRE Server API named pipe (Windows only) | \spire-server\private\api |
| `require_pq_kem` | Require use of a post-quantum-safe key exchange method for TLS handshakes | false |
| `require_pq_kem` | Require use of a post-quantum-safe key exchange method for TLS handshakes | false |
| ratelimit | Description | Default |
|:--------------|----------------------------------------------------------------------------------------------------------------------------------------------------|---------|
@ -109,10 +108,11 @@ This may be useful for templating configuration files, for example across differ
|:-----------------------|---------------------------------------------------|---------|
| `local` | Local OPA configuration for authorization policy. | |
| auth_opa_policy_engine.local | Description | Default |
|:------------------------------|----------------------------------------------------------|----------------|
| `rego_path` | File to retrieve OPA rego policy for authorization. | |
| `policy_data_path` | File to retrieve databindings for policy evaluation. | |
| auth_opa_policy_engine.local | Description | Default |
|:------------------------------|-------------------------------------------------------------------------------------------|----------------|
| `rego_path` | File to retrieve OPA rego policy for authorization. | |
| `policy_data_path` | File to retrieve databindings for policy evaluation. | |
| `use_rego_v1` | Use rego V1 when evaluating the policy. This will become the default in a future release. | false |
### Profiling Names
@ -261,7 +261,7 @@ When setting a `bundle_endpoint`, it is `required` to specify the bundle profile
Allowed profiles:
- `https_web` allow to configure either the [Automated Certificate Management Environment](#Configuration options for `federation.bundle_endpoint.profile "https_web".acme`) or the [serving cert file](#Configure options for 'federation.bundle_endpoint.porfile "https_web".serving_cert_file') section.
- `https_web` allow to configure either the [Automated Certificate Management Environment](#configuration-options-for-federationbundle_endpointprofile-https_webacme) or the [serving cert file](#configuration-options-for-federationbundle_endpointprofile-https_webserving_cert_file) section.
- `https_spiffe`
### Configuration options for `federation.bundle_endpoint.profile "https_web".acme`

319
go.mod
View File

@ -1,234 +1,230 @@
module github.com/spiffe/spire
go 1.23.6
go 1.24.4
require (
cloud.google.com/go/iam v1.3.0
cloud.google.com/go/kms v1.20.4
cloud.google.com/go/secretmanager v1.14.2
cloud.google.com/go/security v1.18.2
cloud.google.com/go/storage v1.50.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.1
cloud.google.com/go/iam v1.5.2
cloud.google.com/go/kms v1.22.0
cloud.google.com/go/secretmanager v1.15.0
cloud.google.com/go/security v1.18.5
cloud.google.com/go/storage v1.55.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1
github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork v1.1.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.2.0
github.com/GoogleCloudPlatform/cloudsql-proxy v1.37.4
github.com/GoogleCloudPlatform/cloudsql-proxy v1.37.7
github.com/Keyfactor/ejbca-go-client-sdk v1.0.2
github.com/Masterminds/sprig/v3 v3.3.0
github.com/Microsoft/go-winio v0.6.2
github.com/andres-erbsen/clock v0.0.0-20160526145045-9e14626cd129
github.com/aws/aws-sdk-go-v2 v1.36.0
github.com/aws/aws-sdk-go-v2/config v1.29.0
github.com/aws/aws-sdk-go-v2/credentials v1.17.53
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.24
github.com/aws/aws-sdk-go-v2 v1.36.5
github.com/aws/aws-sdk-go-v2/config v1.29.16
github.com/aws/aws-sdk-go-v2/credentials v1.17.69
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.31
github.com/aws/aws-sdk-go-v2/feature/rds/auth v1.5.1
github.com/aws/aws-sdk-go-v2/service/acmpca v1.37.0
github.com/aws/aws-sdk-go-v2/service/ec2 v1.202.1
github.com/aws/aws-sdk-go-v2/service/iam v1.38.1
github.com/aws/aws-sdk-go-v2/service/kms v1.37.8
github.com/aws/aws-sdk-go-v2/service/organizations v1.37.0
github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.16.0
github.com/aws/aws-sdk-go-v2/service/s3 v1.75.1
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.0
github.com/aws/aws-sdk-go-v2/service/sts v1.33.8
github.com/aws/smithy-go v1.22.2
github.com/aws/aws-sdk-go-v2/service/acmpca v1.40.0
github.com/aws/aws-sdk-go-v2/service/ec2 v1.229.0
github.com/aws/aws-sdk-go-v2/service/iam v1.43.0
github.com/aws/aws-sdk-go-v2/service/kms v1.41.0
github.com/aws/aws-sdk-go-v2/service/organizations v1.39.0
github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.17.0
github.com/aws/aws-sdk-go-v2/service/s3 v1.83.0
github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.35.0
github.com/aws/aws-sdk-go-v2/service/sts v1.34.0
github.com/aws/smithy-go v1.22.4
github.com/blang/semver/v4 v4.0.0
github.com/cenkalti/backoff/v4 v4.3.0
github.com/docker/docker v27.5.1+incompatible
github.com/envoyproxy/go-control-plane/envoy v1.32.3
github.com/docker/docker v28.3.1+incompatible
github.com/envoyproxy/go-control-plane/envoy v1.32.4
github.com/fullsailor/pkcs7 v0.0.0-20190404230743-d7302db945fa
github.com/go-jose/go-jose/v4 v4.0.4
github.com/go-sql-driver/mysql v1.8.1
github.com/go-jose/go-jose/v4 v4.1.1
github.com/go-sql-driver/mysql v1.9.3
github.com/godbus/dbus/v5 v5.1.0
github.com/gofrs/uuid/v5 v5.3.0
github.com/gofrs/uuid/v5 v5.3.2
github.com/gogo/status v1.1.1
github.com/google/btree v1.1.3
github.com/google/go-cmp v0.6.0
github.com/google/go-containerregistry v0.20.3
github.com/google/go-tpm v0.9.3
github.com/google/go-tpm-tools v0.4.4
github.com/googleapis/gax-go/v2 v2.14.1
github.com/google/go-cmp v0.7.0
github.com/google/go-containerregistry v0.20.6
github.com/google/go-tpm v0.9.5
github.com/google/go-tpm-tools v0.4.5
github.com/googleapis/gax-go/v2 v2.14.2
github.com/gorilla/handlers v1.5.2
github.com/hashicorp/go-hclog v1.6.3
github.com/hashicorp/go-metrics v0.5.4
github.com/hashicorp/go-plugin v1.6.3
github.com/hashicorp/hcl v1.0.1-vault-7
github.com/hashicorp/vault/api v1.15.0
github.com/hashicorp/vault/sdk v0.14.1
github.com/hashicorp/vault/api v1.20.0
github.com/hashicorp/vault/sdk v0.18.0
github.com/imdario/mergo v0.3.16
github.com/imkira/go-observer v1.0.3
github.com/jackc/pgx/v5 v5.7.2
github.com/jackc/pgx/v5 v5.7.5
github.com/jinzhu/gorm v1.9.16
github.com/lib/pq v1.10.9
github.com/mattn/go-sqlite3 v1.14.24
github.com/mattn/go-sqlite3 v1.14.28
github.com/mitchellh/cli v1.1.5
github.com/open-policy-agent/opa v0.70.0
github.com/prometheus/client_golang v1.20.5
github.com/shirou/gopsutil/v4 v4.24.12
github.com/sigstore/cosign/v2 v2.4.1
github.com/sigstore/rekor v1.3.9
github.com/sigstore/sigstore v1.8.12
github.com/open-policy-agent/opa v1.5.1
github.com/prometheus/client_golang v1.22.0
github.com/shirou/gopsutil/v4 v4.25.6
github.com/sigstore/cosign/v2 v2.5.2
github.com/sigstore/rekor v1.3.10
github.com/sigstore/sigstore v1.9.5
github.com/sirupsen/logrus v1.9.3
github.com/spiffe/go-spiffe/v2 v2.5.0
github.com/spiffe/spire-api-sdk v1.2.5-0.20240916165922-16526993814a
github.com/spiffe/spire-plugin-sdk v1.4.4-0.20240701180828-594312f4444d
github.com/spiffe/spire-api-sdk v1.2.5-0.20250109200630-101d5e7de758
github.com/spiffe/spire-plugin-sdk v1.4.4-0.20250606112051-68609d83ce7c
github.com/stretchr/testify v1.10.0
github.com/uber-go/tally/v4 v4.1.16
github.com/uber-go/tally/v4 v4.1.17
github.com/valyala/fastjson v1.6.4
golang.org/x/crypto v0.32.0
golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
golang.org/x/net v0.34.0
golang.org/x/sync v0.10.0
golang.org/x/sys v0.29.0
golang.org/x/time v0.10.0
google.golang.org/api v0.220.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20250127172529-29210b9bc287
google.golang.org/grpc v1.70.0
google.golang.org/protobuf v1.36.4
k8s.io/api v0.32.1
k8s.io/apimachinery v0.32.1
k8s.io/client-go v0.32.1
k8s.io/kube-aggregator v0.32.1
k8s.io/mount-utils v0.32.1
sigs.k8s.io/controller-runtime v0.20.1
golang.org/x/crypto v0.39.0
golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
golang.org/x/net v0.41.0
golang.org/x/sync v0.15.0
golang.org/x/sys v0.33.0
golang.org/x/time v0.12.0
google.golang.org/api v0.240.0
google.golang.org/genproto/googleapis/rpc v0.0.0-20250603155806-513f23925822
google.golang.org/grpc v1.73.0
google.golang.org/protobuf v1.36.6
k8s.io/api v0.33.2
k8s.io/apimachinery v0.33.2
k8s.io/client-go v0.33.2
k8s.io/kube-aggregator v0.33.2
k8s.io/mount-utils v0.33.2
sigs.k8s.io/controller-runtime v0.21.0
)
require (
cel.dev/expr v0.19.0 // indirect
cloud.google.com/go v0.116.0 // indirect
cloud.google.com/go/auth v0.14.1 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
cloud.google.com/go/compute/metadata v0.6.0 // indirect
cloud.google.com/go/longrunning v0.6.2 // indirect
cloud.google.com/go/monitoring v1.21.2 // indirect
cel.dev/expr v0.23.0 // indirect
cloud.google.com/go v0.121.1 // indirect
cloud.google.com/go/auth v0.16.2 // indirect
cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
cloud.google.com/go/compute/metadata v0.7.0 // indirect
cloud.google.com/go/longrunning v0.6.7 // indirect
cloud.google.com/go/monitoring v1.24.2 // indirect
dario.cat/mergo v1.0.1 // indirect
filippo.io/edwards25519 v1.1.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
github.com/DataDog/datadog-go v3.2.0+incompatible // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.48.1 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.48.1 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.27.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.3.0 // indirect
github.com/OneOfOne/xxhash v1.2.8 // indirect
github.com/agnivade/levenshtein v1.2.0 // indirect
github.com/Masterminds/semver/v3 v3.3.1 // indirect
github.com/agnivade/levenshtein v1.2.1 // indirect
github.com/armon/go-radix v1.0.0 // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.8 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.30 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.30 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.30 // indirect
github.com/aws/aws-sdk-go-v2/service/ecr v1.24.7 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.6 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.5.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.11 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.11 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.24.10 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.9 // indirect
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.11 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.36 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.36 // indirect
github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.36 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.7.4 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.17 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.17 // indirect
github.com/aws/aws-sdk-go-v2/service/sso v1.25.4 // indirect
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/speakeasy v0.1.0 // indirect
github.com/bgentry/speakeasy v0.2.0 // indirect
github.com/blang/semver v3.5.1+incompatible // indirect
github.com/cenkalti/backoff/v5 v5.0.2 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
github.com/cncf/xds/go v0.0.0-20250326154945-ae57f3c0d45f // indirect
github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/errdefs/pkg v0.3.0 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20231011164504-785e29786b46 // indirect
github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/digitorus/pkcs7 v0.0.0-20230818184609-3a137a874352 // indirect
github.com/digitorus/timestamp v0.0.0-20231217203849-220c5c2851b7 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/cli v27.5.0+incompatible // indirect
github.com/docker/cli v28.2.2+incompatible // indirect
github.com/docker/distribution v2.8.3+incompatible // indirect
github.com/docker/docker-credential-helpers v0.8.2 // indirect
github.com/docker/docker-credential-helpers v0.9.3 // indirect
github.com/docker/go-connections v0.5.0 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/ebitengine/purego v0.8.1 // indirect
github.com/ebitengine/purego v0.8.4 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
github.com/evanphx/json-patch/v5 v5.9.0 // indirect
github.com/fatih/color v1.17.0 // indirect
github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
github.com/evanphx/json-patch/v5 v5.9.11 // indirect
github.com/fatih/color v1.18.0 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/fsnotify/fsnotify v1.9.0 // indirect
github.com/fxamacker/cbor/v2 v2.7.0 // indirect
github.com/go-chi/chi v4.1.2+incompatible // indirect
github.com/go-ini/ini v1.67.0 // indirect
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
github.com/go-logr/logr v1.4.2 // indirect
github.com/go-jose/go-jose/v3 v3.0.4 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.2.6 // indirect
github.com/go-openapi/analysis v0.23.0 // indirect
github.com/go-openapi/errors v0.22.0 // indirect
github.com/go-openapi/errors v0.22.1 // indirect
github.com/go-openapi/jsonpointer v0.21.0 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/loads v0.22.0 // indirect
github.com/go-openapi/runtime v0.28.0 // indirect
github.com/go-openapi/spec v0.21.0 // indirect
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/swag v0.23.1 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/gogo/googleapis v0.0.0-20180223154316-0cd9801be74a // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/mock v1.6.0 // indirect
github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
github.com/golang/mock v1.7.0-rc.1 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/golang/snappy v0.0.4 // indirect
github.com/google/certificate-transparency-go v1.2.1 // indirect
github.com/google/flatbuffers v23.5.26+incompatible // indirect
github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
github.com/google/go-configfs-tsm v0.2.2 // indirect
github.com/google/go-sev-guest v0.9.3 // indirect
github.com/google/go-tdx-guest v0.3.1 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/certificate-transparency-go v1.3.2 // indirect
github.com/google/gnostic-models v0.6.9 // indirect
github.com/google/go-configfs-tsm v0.3.3-0.20240919001351-b4b5b84fdcbc // indirect
github.com/google/go-sev-guest v0.12.1 // indirect
github.com/google/go-tdx-guest v0.3.2-0.20241009005452-097ee70d0843 // indirect
github.com/google/logger v1.1.1 // indirect
github.com/google/s2a-go v0.1.9 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
github.com/gorilla/mux v1.8.1 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
github.com/hashicorp/go-multierror v1.1.1 // indirect
github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
github.com/hashicorp/go-rootcerts v1.0.2 // indirect
github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
github.com/hashicorp/go-secure-stdlib/parseutil v0.2.0 // indirect
github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
github.com/hashicorp/go-sockaddr v1.0.6 // indirect
github.com/hashicorp/go-sockaddr v1.0.7 // indirect
github.com/hashicorp/golang-lru v1.0.2 // indirect
github.com/hashicorp/yamux v0.1.1 // indirect
github.com/hashicorp/yamux v0.1.2 // indirect
github.com/huandu/xstrings v1.5.0 // indirect
github.com/in-toto/attestation v1.1.1 // indirect
github.com/in-toto/in-toto-golang v0.9.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/jackc/pgpassfile v1.0.0 // indirect
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
github.com/jinzhu/inflection v1.0.0 // indirect
github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/klauspost/compress v1.17.11 // indirect
github.com/klauspost/compress v1.18.0 // indirect
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/letsencrypt/boulder v0.0.0-20240620165639-de9c06129bec // indirect
github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mailru/easyjson v0.9.0 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/mitchellh/mapstructure v1.5.1-0.20231216201459-8508981c8b6c // indirect
github.com/mitchellh/reflectwalk v1.0.2 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/sys/mountinfo v0.7.2 // indirect
github.com/moby/sys/userns v0.1.0 // indirect
github.com/moby/sys/sequential v0.6.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
@ -236,45 +232,46 @@ require (
github.com/oklog/run v1.1.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opencontainers/go-digest v1.0.0 // indirect
github.com/opencontainers/image-spec v1.1.0 // indirect
github.com/opencontainers/image-spec v1.1.1 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pborman/uuid v1.2.1 // indirect
github.com/pelletier/go-toml/v2 v2.2.2 // indirect
github.com/pelletier/go-toml/v2 v2.2.4 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/posener/complete v1.2.3 // indirect
github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
github.com/prometheus/client_model v0.6.1 // indirect
github.com/prometheus/common v0.55.0 // indirect
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.63.0 // indirect
github.com/prometheus/procfs v0.15.1 // indirect
github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
github.com/sagikazarmark/slog-shim v0.1.0 // indirect
github.com/sagikazarmark/locafero v0.7.0 // indirect
github.com/sassoftware/relic v7.2.1+incompatible // indirect
github.com/secure-systems-lab/go-securesystemslib v0.9.0 // indirect
github.com/shibumi/go-pathspec v1.3.0 // indirect
github.com/shopspring/decimal v1.4.0 // indirect
github.com/sigstore/protobuf-specs v0.3.3 // indirect
github.com/sigstore/timestamp-authority v1.2.2 // indirect
github.com/sigstore/protobuf-specs v0.4.3 // indirect
github.com/sigstore/sigstore-go v1.0.0 // indirect
github.com/sigstore/timestamp-authority v1.2.8 // indirect
github.com/sourcegraph/conc v0.3.0 // indirect
github.com/spf13/afero v1.11.0 // indirect
github.com/spf13/cast v1.7.0 // indirect
github.com/spf13/cobra v1.8.1 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/spf13/viper v1.19.0 // indirect
github.com/spf13/afero v1.12.0 // indirect
github.com/spf13/cast v1.7.1 // indirect
github.com/spf13/cobra v1.9.1 // indirect
github.com/spf13/pflag v1.0.6 // indirect
github.com/spf13/viper v1.20.1 // indirect
github.com/subosito/gotenv v1.6.0 // indirect
github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
github.com/tchap/go-patricia/v2 v2.3.1 // indirect
github.com/tchap/go-patricia/v2 v2.3.2 // indirect
github.com/theupdateframework/go-tuf v0.7.0 // indirect
github.com/theupdateframework/go-tuf/v2 v2.1.1 // indirect
github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
github.com/tklauser/go-sysconf v0.3.12 // indirect
github.com/tklauser/numcpus v0.6.1 // indirect
github.com/transparency-dev/merkle v0.0.2 // indirect
github.com/twmb/murmur3 v1.1.8 // indirect
github.com/vbatts/tar-split v0.11.6 // indirect
github.com/vbatts/tar-split v0.12.1 // indirect
github.com/vektah/gqlparser/v2 v2.5.26 // indirect
github.com/x448/float16 v0.8.4 // indirect
github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
@ -282,34 +279,32 @@ require (
github.com/yusufpapurcu/wmi v1.2.4 // indirect
github.com/zeebo/errs v1.4.0 // indirect
go.mongodb.org/mongo-driver v1.14.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.32.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
go.opentelemetry.io/otel v1.34.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
go.opentelemetry.io/otel/metric v1.34.0 // indirect
go.opentelemetry.io/otel/sdk v1.34.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
go.opentelemetry.io/otel/trace v1.34.0 // indirect
go.opentelemetry.io/contrib/detectors/gcp v1.36.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
go.opentelemetry.io/otel v1.36.0 // indirect
go.opentelemetry.io/otel/metric v1.36.0 // indirect
go.opentelemetry.io/otel/sdk v1.36.0 // indirect
go.opentelemetry.io/otel/sdk/metric v1.36.0 // indirect
go.opentelemetry.io/otel/trace v1.36.0 // indirect
go.uber.org/atomic v1.11.0 // indirect
go.uber.org/multierr v1.11.0 // indirect
go.uber.org/zap v1.27.0 // indirect
golang.org/x/mod v0.22.0 // indirect
golang.org/x/oauth2 v0.25.0 // indirect
golang.org/x/term v0.28.0 // indirect
golang.org/x/text v0.21.0 // indirect
google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
golang.org/x/mod v0.25.0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/term v0.32.0 // indirect
golang.org/x/text v0.26.0 // indirect
google.golang.org/genproto v0.0.0-20250505200425-f936aa4a68b2 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250603155806-513f23925822 // indirect
gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)

887
go.sum

File diff suppressed because it is too large Load Diff

View File

@ -2,6 +2,7 @@ package agent
import (
"context"
"crypto/x509"
"errors"
"fmt"
"net/http"
@ -114,13 +115,20 @@ func (a *Agent) Run(ctx context.Context) error {
)
for {
as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor)
if err == nil {
break
insecureBootstrap := false
bootstrapTrustBundle, err := sto.LoadBundle()
if errors.Is(err, storage.ErrNotCached) {
bootstrapTrustBundle, insecureBootstrap, err = a.c.TrustBundleSources.GetBundle()
}
if err == nil {
as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor, bootstrapTrustBundle, insecureBootstrap)
if err == nil {
break
}
if status.Code(err) == codes.PermissionDenied {
return err
if status.Code(err) == codes.PermissionDenied {
return err
}
}
nextDuration := attBackoff.NextBackOff()
@ -141,7 +149,15 @@ func (a *Agent) Run(ctx context.Context) error {
}
}
} else {
as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor)
insecureBootstrap := false
bootstrapTrustBundle, err := sto.LoadBundle()
if errors.Is(err, storage.ErrNotCached) {
bootstrapTrustBundle, insecureBootstrap, err = a.c.TrustBundleSources.GetBundle()
}
if err != nil {
return err
}
as, err = a.attest(ctx, sto, cat, metrics, nodeAttestor, bootstrapTrustBundle, insecureBootstrap)
if err != nil {
return err
}
@ -249,19 +265,19 @@ func (a *Agent) setupProfiling(ctx context.Context) (stop func()) {
}
}
func (a *Agent) attest(ctx context.Context, sto storage.Storage, cat catalog.Catalog, metrics telemetry.Metrics, na nodeattestor.NodeAttestor) (*node_attestor.AttestationResult, error) {
func (a *Agent) attest(ctx context.Context, sto storage.Storage, cat catalog.Catalog, metrics telemetry.Metrics, na nodeattestor.NodeAttestor, bootstrapTrustBundle []*x509.Certificate, insecureBootstrap bool) (*node_attestor.AttestationResult, error) {
config := node_attestor.Config{
Catalog: cat,
Metrics: metrics,
JoinToken: a.c.JoinToken,
TrustDomain: a.c.TrustDomain,
TrustBundle: a.c.TrustBundle,
InsecureBootstrap: a.c.InsecureBootstrap,
Storage: sto,
Log: a.c.Log.WithField(telemetry.SubsystemName, telemetry.Attestor),
ServerAddress: a.c.ServerAddress,
NodeAttestor: na,
TLSPolicy: a.c.TLSPolicy,
Catalog: cat,
Metrics: metrics,
JoinToken: a.c.JoinToken,
TrustDomain: a.c.TrustDomain,
BootstrapTrustBundle: bootstrapTrustBundle,
InsecureBootstrap: insecureBootstrap,
Storage: sto,
Log: a.c.Log.WithField(telemetry.SubsystemName, telemetry.Attestor),
ServerAddress: a.c.ServerAddress,
NodeAttestor: na,
TLSPolicy: a.c.TLSPolicy,
}
return node_attestor.New(&config).Attest(ctx)
}

View File

@ -3,6 +3,7 @@ package debug
import (
"context"
"crypto/x509"
"fmt"
"sync"
"time"
@ -13,6 +14,7 @@ import (
debugv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/agent/debug/v1"
"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/pkg/agent/manager"
"github.com/spiffe/spire/pkg/common/util"
"github.com/spiffe/spire/test/clock"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
@ -92,15 +94,32 @@ func (s *Service) GetInfo(context.Context, *debugv1.GetInfoRequest) (*debugv1.Ge
})
}
uptime, err := util.CheckedCast[int32](int64(s.uptime().Seconds()))
if err != nil {
return nil, fmt.Errorf("invalid value for uptime: %w", err)
}
x509SvidsCount, err := util.CheckedCast[int32](s.m.CountX509SVIDs())
if err != nil {
return nil, fmt.Errorf("out of range value for X.509 SVIDs count: %w", err)
}
jwtSvidsCount, err := util.CheckedCast[int32](s.m.CountJWTSVIDs())
if err != nil {
return nil, fmt.Errorf("out of range value for JWT SVIDs count: %w", err)
}
svidstoreX509SvidsCount, err := util.CheckedCast[int32](s.m.CountSVIDStoreX509SVIDs())
if err != nil {
return nil, fmt.Errorf("out of range value for SVIDStore X.509 SVIDs count: %w", err)
}
// Reset clock and set current response
s.getInfoResp.ts = s.clock.Now()
s.getInfoResp.resp = &debugv1.GetInfoResponse{
SvidChain: svidChain,
Uptime: int32(s.uptime().Seconds()),
SvidsCount: int32(s.m.CountX509SVIDs()),
CachedX509SvidsCount: int32(s.m.CountX509SVIDs()),
CachedJwtSvidsCount: int32(s.m.CountJWTSVIDs()),
CachedSvidstoreX509SvidsCount: int32(s.m.CountSVIDStoreX509SVIDs()),
Uptime: uptime,
SvidsCount: x509SvidsCount,
CachedX509SvidsCount: x509SvidsCount,
CachedJwtSvidsCount: jwtSvidsCount,
CachedSvidstoreX509SvidsCount: svidstoreX509SvidsCount,
LastSyncSuccess: s.m.GetLastSync().UTC().Unix(),
}
}

View File

@ -3,6 +3,7 @@ package delegatedidentity
import (
"context"
"crypto/x509"
"errors"
"fmt"
"sort"
"time"
@ -261,7 +262,7 @@ func composeX509SVIDBySelectors(update *cache.WorkloadUpdate) (*delegatedidentit
// check if SVIDs exist for the identity
if len(identity.SVID) == 0 {
return nil, fmt.Errorf("unable to get SVID from identity")
return nil, errors.New("unable to get SVID from identity")
}
id, err := idutil.IDProtoFromString(identity.Entry.SpiffeId)

View File

@ -48,17 +48,17 @@ type Attestor interface {
}
type Config struct {
Catalog catalog.Catalog
Metrics telemetry.Metrics
JoinToken string
TrustDomain spiffeid.TrustDomain
TrustBundle []*x509.Certificate
InsecureBootstrap bool
Storage storage.Storage
Log logrus.FieldLogger
ServerAddress string
NodeAttestor nodeattestor.NodeAttestor
TLSPolicy tlspolicy.Policy
Catalog catalog.Catalog
Metrics telemetry.Metrics
JoinToken string
TrustDomain spiffeid.TrustDomain
BootstrapTrustBundle []*x509.Certificate
InsecureBootstrap bool
Storage storage.Storage
Log logrus.FieldLogger
ServerAddress string
NodeAttestor nodeattestor.NodeAttestor
TLSPolicy tlspolicy.Policy
}
type attestor struct {
@ -157,12 +157,12 @@ func (a *attestor) loadBundle() (*spiffebundle.Bundle, error) {
bundle, err := a.c.Storage.LoadBundle()
if errors.Is(err, storage.ErrNotCached) {
if a.c.InsecureBootstrap {
if len(a.c.TrustBundle) > 0 {
if len(a.c.BootstrapTrustBundle) > 0 {
a.c.Log.Warn("Trust bundle will be ignored; performing insecure bootstrap")
}
return nil, nil
}
bundle = a.c.TrustBundle
bundle = a.c.BootstrapTrustBundle
} else if err != nil {
return nil, fmt.Errorf("load bundle: %w", err)
}

View File

@ -317,16 +317,16 @@ func TestAttestor(t *testing.T) {
// create the attestor
log, _ := test.NewNullLogger()
attestor := attestor.New(&attestor.Config{
Catalog: catalog,
Metrics: telemetry.Blackhole{},
JoinToken: testCase.agentService.joinToken,
Storage: sto,
Log: log,
TrustDomain: trustDomain,
TrustBundle: makeTrustBundle(testCase.bootstrapBundle),
InsecureBootstrap: testCase.insecureBootstrap,
ServerAddress: listener.Addr().String(),
NodeAttestor: agentNA,
Catalog: catalog,
Metrics: telemetry.Blackhole{},
JoinToken: testCase.agentService.joinToken,
Storage: sto,
Log: log,
TrustDomain: trustDomain,
BootstrapTrustBundle: makeTrustBundle(testCase.bootstrapBundle),
InsecureBootstrap: testCase.insecureBootstrap,
ServerAddress: listener.Addr().String(),
NodeAttestor: agentNA,
})
// perform attestation

View File

@ -2,7 +2,7 @@ package catalog
import (
"context"
"fmt"
"errors"
"github.com/sirupsen/logrus"
"github.com/spiffe/go-spiffe/v2/spiffeid"
@ -84,7 +84,7 @@ func (repo *Repository) Close() {
func Load(ctx context.Context, config Config) (_ *Repository, err error) {
if c, ok := config.PluginConfigs.Find(nodeAttestorType, jointoken.PluginName); ok && c.IsEnabled() && c.IsExternal() {
return nil, fmt.Errorf("the built-in join_token node attestor cannot be overridden by an external plugin")
return nil, errors.New("the built-in join_token node attestor cannot be overridden by an external plugin")
}
// Load the plugins and populate the repository

View File

@ -8,7 +8,6 @@ import (
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/httpchallenge"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/jointoken"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8spsat"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/k8ssat"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/sshpop"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/tpmdevid"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/x509pop"
@ -41,7 +40,6 @@ func (repo *nodeAttestorRepository) BuiltIns() []catalog.BuiltIn {
httpchallenge.BuiltIn(),
jointoken.BuiltIn(),
k8spsat.BuiltIn(),
k8ssat.BuiltIn(),
sshpop.BuiltIn(),
tpmdevid.BuiltIn(),
x509pop.BuiltIn(),

View File

@ -39,6 +39,7 @@ var (
RevisionNumber: true,
StoreSvid: true,
Hint: true,
CreatedAt: true,
}
)
@ -416,6 +417,27 @@ func (c *client) syncEntries(ctx context.Context, cachedEntries map[string]*comm
return stats, nil
}
func entryIsStale(entry *common.RegistrationEntry, revisionNumber, revisionCreatedAt int64) bool {
if entry.RevisionNumber != revisionNumber {
return true
}
// TODO: remove in SPIRE 1.14
if revisionCreatedAt == 0 {
return false
}
// Verify that the CreatedAt of the entries match. If they are different, they are
// completely different entries even if the revision number is the same.
// This can happen for example if an entry is deleted and recreated with the
// same entry id.
if entry.CreatedAt != revisionCreatedAt {
return true
}
return false
}
func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.EntryClient, cachedEntries map[string]*common.RegistrationEntry) (stats SyncEntriesStats, err error) {
// Build a set of all the entries to be removed. This set is initialized
// with all entries currently known. As entries are synced down from the
@ -459,7 +481,7 @@ func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.E
// If entry is either not cached or is stale, record the ID so
// the full entry can be requested after syncing down all
// entry revisions.
if cachedEntry, ok := cachedEntries[entryRevision.Id]; !ok || cachedEntry.RevisionNumber < entryRevision.RevisionNumber {
if cachedEntry, ok := cachedEntries[entryRevision.Id]; !ok || entryIsStale(cachedEntry, entryRevision.GetRevisionNumber(), entryRevision.GetCreatedAt()) {
needFull = append(needFull, entryRevision.Id)
}
}
@ -487,7 +509,7 @@ func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.E
switch {
case !ok:
stats.Missing++
case cachedEntry.RevisionNumber < entry.RevisionNumber:
case entryIsStale(cachedEntry, entry.GetRevisionNumber(), entry.GetCreatedAt()):
stats.Stale++
}
@ -549,10 +571,7 @@ func (c *client) streamAndSyncEntries(ctx context.Context, entryClient entryv1.E
// time using the assumed page size.
for len(needFull) > 0 {
// Request up to a page full of full entries
n := len(needFull)
if n > pageSize {
n = pageSize
}
n := min(len(needFull), pageSize)
if err := stream.Send(&entryv1.SyncAuthorizedEntriesRequest{Ids: needFull[:n]}); err != nil {
return SyncEntriesStats{}, err
}

View File

@ -21,6 +21,7 @@ import (
svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
"github.com/spiffe/spire/pkg/common/telemetry"
"github.com/spiffe/spire/pkg/server/api"
"github.com/spiffe/spire/pkg/server/api/entry/v1"
"github.com/spiffe/spire/proto/spire/common"
"github.com/spiffe/spire/test/spiretest"
@ -285,14 +286,19 @@ func TestSyncUpdatesEntries(t *testing.T) {
assert.Equal(t, expected, cachedEntries)
}
entryA1 := makeEntry("A", 1)
entryB1 := makeEntry("B", 1)
entryC1 := makeEntry("C", 1)
entryD1 := makeEntry("D", 1)
firstDate := time.Date(2024, time.December, 31, 0, 0, 0, 0, time.UTC)
secondDate := time.Date(2025, time.January, 1, 0, 0, 0, 0, time.UTC)
entryA2 := makeEntry("A", 2)
entryB2 := makeEntry("B", 2)
entryC2 := makeEntry("C", 2)
entryA1 := makeEntry("A", 1, firstDate)
entryB1 := makeEntry("B", 1, firstDate)
entryC1 := makeEntry("C", 1, firstDate)
entryD1 := makeEntry("D", 1, firstDate)
entryA2 := makeEntry("A", 2, firstDate)
entryB2 := makeEntry("B", 2, firstDate)
entryC2 := makeEntry("C", 2, firstDate)
entryB1prime := makeEntry("B", 1, secondDate)
// No entries yet
syncAndAssertEntries(t, 0, 0, 0, 0)
@ -314,6 +320,12 @@ func TestSyncUpdatesEntries(t *testing.T) {
// Sync again but with no changes.
syncAndAssertEntries(t, 3, 0, 0, 0, entryA2, entryB2, entryC2)
// Sync again after recreating an entry with the same entry ID, which should be marked stale
syncAndAssertEntries(t, 3, 0, 1, 0, entryA2, entryB1prime, entryC2)
// Sync again after the database has been rolled back to a previous version
syncAndAssertEntries(t, 4, 1, 3, 0, entryA1, entryB1, entryC1, entryD1)
}
func TestRenewSVID(t *testing.T) {
@ -1012,7 +1024,13 @@ func (c *fakeEntryServer) GetAuthorizedEntries(_ context.Context, in *entryv1.Ge
func (c *fakeEntryServer) SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer) error {
const entryPageSize = 2
return entry.SyncAuthorizedEntries(stream, c.entries, entryPageSize)
entries := []api.ReadOnlyEntry{}
for _, entry := range c.entries {
entries = append(entries, api.NewReadOnlyEntry(entry))
}
return entry.SyncAuthorizedEntries(stream, entries, entryPageSize)
}
type fakeBundleServer struct {
@ -1142,6 +1160,7 @@ func checkAuthorizedEntryOutputMask(outputMask *types.EntryMask) error {
RevisionNumber: true,
StoreSvid: true,
Hint: true,
CreatedAt: true,
}, protocmp.Transform()); diff != "" {
return status.Errorf(codes.InvalidArgument, "invalid output mask requested: %s", diff)
}
@ -1162,12 +1181,13 @@ func makeCommonBundle(trustDomainName string) *common.Bundle {
}
}
func makeEntry(id string, revisionNumber int64) *types.Entry {
func makeEntry(id string, revisionNumber int64, createdAt time.Time) *types.Entry {
return &types.Entry{
Id: id,
SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/agent"},
Selectors: []*types.Selector{{Type: "not", Value: "relevant"}},
RevisionNumber: revisionNumber,
CreatedAt: createdAt.Unix(),
}
}

View File

@ -34,7 +34,7 @@ func slicedEntryFromProto(e *types.Entry) (*common.RegistrationEntry, error) {
}
if e.Id == "" {
return nil, fmt.Errorf("missing entry ID")
return nil, errors.New("missing entry ID")
}
spiffeID, err := spiffeIDFromProto(e.SpiffeId)
@ -81,5 +81,6 @@ func slicedEntryFromProto(e *types.Entry) (*common.RegistrationEntry, error) {
Admin: e.Admin,
Downstream: e.Downstream,
Hint: e.Hint,
CreatedAt: e.CreatedAt,
}, nil
}

View File

@ -43,7 +43,7 @@ func GetCgroups(pid int32, fs FileSystem) ([]Cgroup, error) {
token := scanner.Text()
substrings := strings.SplitN(token, ":", 3)
if len(substrings) < 3 {
return nil, fmt.Errorf("cgroup entry contains %v colons, but expected at least 2 colons: %q", len(substrings), token)
return nil, fmt.Errorf("invalid cgroup entry, contains %v colon separated fields but expected at least 3: %q", len(substrings), token)
}
cgroups = append(cgroups, Cgroup{
HierarchyID: substrings[0],

View File

@ -23,9 +23,21 @@ const (
2:blkio:/user.slice
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
`
// cgBadFormat is a malformed set of cgroup entries (no slash separator)
// cgBadFormat is a malformed set of cgroup entries (missing cgroup-path)
cgBadFormat = `11:hugetlb
`
// cgUnified is a good set of cgroup entries including unified
cgUnified = `10:devices:/user.slice
9:net_cls,net_prio:/
8:blkio:/
7:freezer:/
6:perf_event:/
5:cpuset:/
4:memory:/user.slice
3:pids:/user.slice/user-1000.slice/user@1000.service
2:cpu,cpuacct:/
1:name=systemd:/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service
0::/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service`
)
var (
@ -42,6 +54,20 @@ var (
{"2", "blkio", "/user.slice"},
{"1", "name=systemd", "/user.slice/user-1000.slice/session-2.scope"},
}
expectUnifiedCgroup = []Cgroup{
{"10", "devices", "/user.slice"},
{"9", "net_cls,net_prio", "/"},
{"8", "blkio", "/"},
{"7", "freezer", "/"},
{"6", "perf_event", "/"},
{"5", "cpuset", "/"},
{"4", "memory", "/user.slice"},
{"3", "pids", "/user.slice/user-1000.slice/user@1000.service"},
{"2", "cpu,cpuacct", "/"},
{"1", "name=systemd", "/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service"},
{"0", "", "/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service"},
}
)
func TestCgroups(t *testing.T) {
@ -67,10 +93,21 @@ func TestCgroupsBadFormat(t *testing.T) {
"/proc/123/cgroup": cgBadFormat,
},
})
require.EqualError(t, err, `cgroup entry contains 2 colons, but expected at least 2 colons: "11:hugetlb"`)
require.EqualError(t, err, `invalid cgroup entry, contains 2 colon separated fields but expected at least 3: "11:hugetlb"`)
require.Nil(t, cgroups)
}
func TestUnifiedCgroups(t *testing.T) {
cgroups, err := GetCgroups(1234, FakeFileSystem{
Files: map[string]string{
"/proc/1234/cgroup": cgUnified,
},
})
require.NoError(t, err)
require.Len(t, cgroups, 11)
require.Equal(t, expectUnifiedCgroup, cgroups)
}
type FakeFileSystem struct {
Files map[string]string
}

View File

@ -15,7 +15,6 @@ import (
"time"
"github.com/google/go-containerregistry/pkg/name"
_ "github.com/google/go-containerregistry/pkg/v1"
v1 "github.com/google/go-containerregistry/pkg/v1"
"github.com/google/go-containerregistry/pkg/v1/types"
"github.com/hashicorp/go-hclog"
@ -35,7 +34,6 @@ func TestNewVerifier(t *testing.T) {
config.IgnoreSCT = true
config.IgnoreTlog = true
config.IgnoreAttestations = true
config.RekorURL = "https://rekor.test.com"
config.RegistryCredentials = map[string]*RegistryCredential{
"docker.io": {
Username: "testuser",
@ -45,6 +43,15 @@ func TestNewVerifier(t *testing.T) {
Username: "testuser",
Password: "testpassword",
},
"nopassword.io": { // should warn and ignore
Username: "testuser",
Password: "",
},
"nousername.io": { // should warn and ignore
Username: "",
Password: "testpassword",
},
"nil.io": nil, // should ignore
}
config.SkippedImages = map[string]struct{}{
@ -58,6 +65,8 @@ func TestNewVerifier(t *testing.T) {
verifier := NewVerifier(config)
require.NotNil(t, verifier)
require.NotNil(t, verifier.config.Logger)
require.Equal(t, verifier.config.RekorURL, publicRekorURL) // verify default public RekorURL
identityPlainValues := cosign.Identity{
Issuer: "test-issuer",
@ -70,7 +79,11 @@ func TestNewVerifier(t *testing.T) {
expectedIdentites := []cosign.Identity{identityPlainValues, identityRegExp}
assert.Equal(t, config, verifier.config)
assert.Equal(t, len(config.RegistryCredentials), len(verifier.authOptions))
assert.NotNil(t, verifier.authOptions["docker.io"])
assert.NotNil(t, verifier.authOptions["other.io"])
assert.Nil(t, verifier.authOptions["nopassword.io"])
assert.Nil(t, verifier.authOptions["nousername.io"])
assert.Nil(t, verifier.authOptions["nil.io"])
assert.ElementsMatch(t, expectedIdentites, verifier.allowedIdentities)
assert.NotNil(t, verifier.sigstoreFunctions.verifyImageSignatures)
assert.NotNil(t, verifier.sigstoreFunctions.verifyImageAttestations)
@ -378,6 +391,107 @@ func TestVerify(t *testing.T) {
expectedVerifyCallCount: 0,
expectedAttestationsCallCount: 0,
},
{
name: "fails to extract details from signatures missing cert",
configureTest: func(ctx context.Context, _ *ImageVerifier, signatureVerifyFake *fakeCosignVerifySignatureFn, attestationsVerifyFake *fakeCosignVerifyAttestationsFn) {
signature := &fakeSignature{
payload: createFakePayload(),
base64Signature: "base64signature",
bundle: createFakeBundle(),
}
signatureVerifyFake.Responses = append(signatureVerifyFake.Responses, struct {
Signatures []oci.Signature
BundleVerified bool
Err error
}{
Signatures: []oci.Signature{signature},
BundleVerified: true,
Err: nil,
})
attestationsVerifyFake.Responses = append(attestationsVerifyFake.Responses, struct {
Signatures []oci.Signature
BundleVerified bool
Err error
}{
Signatures: []oci.Signature{signature},
BundleVerified: true,
Err: nil,
})
},
expectedSelectors: nil,
expectedError: true,
expectedVerifyCallCount: 1,
expectedAttestationsCallCount: 1,
},
{
name: "fails to extract details from signatures missing cert subject",
configureTest: func(ctx context.Context, _ *ImageVerifier, signatureVerifyFake *fakeCosignVerifySignatureFn, attestationsVerifyFake *fakeCosignVerifyAttestationsFn) {
signature := &fakeSignature{
payload: createFakePayload(),
base64Signature: "base64signature",
cert: createSubjectlessTestCert(),
bundle: createFakeBundle(),
}
signatureVerifyFake.Responses = append(signatureVerifyFake.Responses, struct {
Signatures []oci.Signature
BundleVerified bool
Err error
}{
Signatures: []oci.Signature{signature},
BundleVerified: true,
Err: nil,
})
attestationsVerifyFake.Responses = append(attestationsVerifyFake.Responses, struct {
Signatures []oci.Signature
BundleVerified bool
Err error
}{
Signatures: []oci.Signature{signature},
BundleVerified: true,
Err: nil,
})
},
expectedSelectors: nil,
expectedError: true,
expectedVerifyCallCount: 1,
expectedAttestationsCallCount: 1,
},
{
name: "fails to extract details from signatures empty names cert subject",
configureTest: func(ctx context.Context, _ *ImageVerifier, signatureVerifyFake *fakeCosignVerifySignatureFn, attestationsVerifyFake *fakeCosignVerifyAttestationsFn) {
signature := &fakeSignature{
payload: createFakePayload(),
base64Signature: "base64signature",
cert: createEmptynamesTestCert(),
bundle: createFakeBundle(),
}
signatureVerifyFake.Responses = append(signatureVerifyFake.Responses, struct {
Signatures []oci.Signature
BundleVerified bool
Err error
}{
Signatures: []oci.Signature{signature},
BundleVerified: true,
Err: nil,
})
attestationsVerifyFake.Responses = append(attestationsVerifyFake.Responses, struct {
Signatures []oci.Signature
BundleVerified bool
Err error
}{
Signatures: []oci.Signature{signature},
BundleVerified: true,
Err: nil,
})
},
expectedSelectors: nil,
expectedError: true,
expectedVerifyCallCount: 1,
expectedAttestationsCallCount: 1,
},
}
for _, tt := range tests {
@ -708,9 +822,35 @@ func createTestCert() *x509.Certificate {
}
}
func createSubjectlessTestCert() *x509.Certificate {
return &x509.Certificate{
Extensions: []pkix.Extension{
{
Id: []int{1, 3, 6, 1, 4, 1, 57264, 1, 1}, // OIDC issuer OID
Value: []byte("test-issuer"),
},
},
}
}
func createEmptynamesTestCert() *x509.Certificate {
return &x509.Certificate{
Subject: pkix.Name{
CommonName: "",
},
DNSNames: []string{""},
Extensions: []pkix.Extension{
{
Id: []int{1, 3, 6, 1, 4, 1, 57264, 1, 1}, // OIDC issuer OID
Value: []byte("test-issuer"),
},
},
}
}
func createFakePayload() []byte {
signaturePayload := payload.SimpleContainerImage{
Optional: map[string]interface{}{
Optional: map[string]any{
"subject": "test-subject",
},
}

View File

@ -2,12 +2,12 @@ package agent
import (
"context"
"crypto/x509"
"net"
"time"
"github.com/sirupsen/logrus"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/agent/trustbundlesources"
"github.com/spiffe/spire/pkg/agent/workloadkey"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/health"
@ -37,9 +37,6 @@ type Config struct {
// The TLS Certificate resource name to use for the default X509-SVID with Envoy SDS
DefaultSVIDName string
// If true, the agent will bootstrap insecurely with the server
InsecureBootstrap bool
// If true, the agent retries bootstrap with backoff
RetryBootstrap bool
@ -75,7 +72,9 @@ type Config struct {
// Trust domain and associated CA bundle
TrustDomain spiffeid.TrustDomain
TrustBundle []*x509.Certificate
// Sources for getting Trust Bundles
TrustBundleSources *trustbundlesources.Bundle
// Join token to use for attestation, if needed
JoinToken string

View File

@ -7,6 +7,7 @@ import (
"errors"
"fmt"
"io"
"maps"
"sort"
"strconv"
@ -356,9 +357,7 @@ type validationContextBuilder interface {
func (h *Handler) getValidationContextBuilder(req *discovery_v3.DiscoveryRequest, upd *cache.WorkloadUpdate) (validationContextBuilder, error) {
federatedBundles := make(map[spiffeid.TrustDomain]*spiffebundle.Bundle)
for td, federatedBundle := range upd.FederatedBundles {
federatedBundles[td] = federatedBundle
}
maps.Copy(federatedBundles, upd.FederatedBundles)
if !h.isSPIFFECertValidationDisabled(req) && supportsSPIFFEAuthExtension(req) {
return newSpiffeBuilder(upd.Bundle, federatedBundles)
}
@ -423,9 +422,7 @@ func newSpiffeBuilder(tdBundle *spiffebundle.Bundle, federatedBundles map[spiffe
}
// Add all federated bundles
for td, bundle := range federatedBundles {
bundles[td] = bundle
}
maps.Copy(bundles, federatedBundles)
return &spiffeBuilder{
bundles: bundles,

View File

@ -1198,15 +1198,6 @@ func TestFetchSecrets(t *testing.T) {
}
}
func DeltaSecretsTest(t *testing.T) {
test := setupTest(t)
defer test.cleanup()
resp, err := test.handler.DeltaSecrets(context.Background())
spiretest.RequireGRPCStatus(t, err, codes.Unimplemented, "Method is not implemented")
require.Nil(t, resp)
}
func setupTest(t *testing.T) *handlerTest {
return setupTestWithManager(t, Config{}, NewFakeManager(t))
}
@ -1434,7 +1425,7 @@ func requireSecrets(t *testing.T, resp *discovery_v3.DiscoveryResponse, expected
var actualSecrets []*tls_v3.Secret
for _, resource := range resp.Resources {
secret := new(tls_v3.Secret)
require.NoError(t, resource.UnmarshalTo(secret)) //nolint: scopelint // pointer to resource isn't held
require.NoError(t, resource.UnmarshalTo(secret))
actualSecrets = append(actualSecrets, secret)
}

View File

@ -1,6 +1,8 @@
package cache
import (
"maps"
"github.com/imkira/go-observer"
"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
"github.com/spiffe/go-spiffe/v2/spiffeid"
@ -98,8 +100,6 @@ func copyBundleMap(bundles map[spiffeid.TrustDomain]*Bundle) map[spiffeid.TrustD
}
out := make(map[spiffeid.TrustDomain]*Bundle, len(bundles))
for key, bundle := range bundles {
out[key] = bundle
}
maps.Copy(out, bundles)
return out
}

View File

@ -8,6 +8,7 @@ import (
"errors"
"fmt"
"io"
"slices"
"sort"
"sync"
@ -166,7 +167,7 @@ func jwtSVIDKey(spiffeID spiffeid.ID, audience []string) string {
// item.
// duplicate and sort the audience slice
audience = append([]string(nil), audience...)
audience = slices.Clone(audience)
sort.Strings(audience)
_, _ = io.WriteString(h, spiffeID.String())

View File

@ -14,7 +14,6 @@ import (
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/common/backoff"
"github.com/spiffe/spire/pkg/common/telemetry"
"github.com/spiffe/spire/pkg/common/telemetry/agent"
agentmetrics "github.com/spiffe/spire/pkg/common/telemetry/agent"
"github.com/spiffe/spire/pkg/common/x509util"
"github.com/spiffe/spire/proto/spire/common"
@ -633,7 +632,7 @@ func (c *LRUCache) notifyTaintedBatchProcessed() {
// processTaintedSVIDs identifies and removes tainted SVIDs from the cache that have been signed by the given tainted authorities.
func (c *LRUCache) processTaintedSVIDs(entryIDs []string, taintedX509Authorities []*x509.Certificate) {
counter := telemetry.StartCall(c.metrics, telemetry.CacheManager, agent.CacheTypeWorkload, telemetry.ProcessTaintedX509SVIDs)
counter := telemetry.StartCall(c.metrics, telemetry.CacheManager, agentmetrics.CacheTypeWorkload, telemetry.ProcessTaintedX509SVIDs)
defer counter.Done(nil)
taintedSVIDs := 0

View File

@ -375,7 +375,7 @@ func TestSVIDRotation(t *testing.T) {
clk := clock.NewMock(t)
baseTTL := 3
baseTTLSeconds := 3
api := newMockAPI(t, &mockAPIConfig{
km: km,
getAuthorizedEntries: func(*mockAPI, int32, *entryv1.GetAuthorizedEntriesRequest) (*entryv1.GetAuthorizedEntriesResponse, error) {
@ -384,12 +384,12 @@ func TestSVIDRotation(t *testing.T) {
batchNewX509SVIDEntries: func(*mockAPI, int32) []*common.RegistrationEntry {
return makeBatchNewX509SVIDEntries("resp1", "resp2")
},
svidTTL: baseTTL,
svidTTL: baseTTLSeconds,
clk: clk,
})
baseTTLSeconds := time.Duration(baseTTL) * time.Second
baseSVID, baseSVIDKey := api.newSVID(joinTokenID, baseTTLSeconds)
baseTTL := time.Duration(baseTTLSeconds) * time.Second
baseSVID, baseSVIDKey := api.newSVID(joinTokenID, baseTTL)
cat := fakeagentcatalog.New()
cat.SetKeyManager(km)
@ -404,7 +404,7 @@ func TestSVIDRotation(t *testing.T) {
Storage: openStorage(t, dir),
Bundle: api.bundle,
Metrics: &telemetry.Blackhole{},
RotationInterval: baseTTLSeconds / 2,
RotationInterval: baseTTL / 2,
SyncInterval: 1 * time.Hour,
Clk: clk,
WorkloadKeyType: workloadkey.ECP256,
@ -449,7 +449,7 @@ func TestSVIDRotation(t *testing.T) {
// Now advance time enough that the cert is expiring soon enough that the
// manager will attempt to rotate, but be unable to since the read lock is
// held.
clk.Add(baseTTLSeconds)
clk.Add(baseTTL)
closer := runManager(t, m)
defer closer()
@ -467,13 +467,7 @@ func TestSVIDRotation(t *testing.T) {
m.GetRotationMtx().RUnlock()
// Loop until we detect an SVID rotation was called in separate process
util.RunWithTimeout(t, time.Minute, func() {
for {
if wasRotHookCalled() {
break
}
}
})
require.Eventually(t, wasRotHookCalled, time.Minute, 100*time.Millisecond)
s := m.GetCurrentCredentials()
svid = s.SVID
@ -1419,7 +1413,7 @@ func TestSurvivesCARotation(t *testing.T) {
km := fakeagentkeymanager.New(t, dir)
clk := clock.NewMock(t)
ttl := 3
ttlSeconds := 3
api := newMockAPI(t, &mockAPIConfig{
km: km,
getAuthorizedEntries: func(h *mockAPI, count int32, req *entryv1.GetAuthorizedEntriesRequest) (*entryv1.GetAuthorizedEntriesResponse, error) {
@ -1432,15 +1426,15 @@ func TestSurvivesCARotation(t *testing.T) {
clk: clk,
// Give a low ttl to get expired entries on each synchronization, forcing
// the manager to fetch entries from the server.
svidTTL: ttl,
svidTTL: ttlSeconds,
})
baseSVID, baseSVIDKey := api.newSVID(joinTokenID, 1*time.Hour)
cat := fakeagentcatalog.New()
cat.SetKeyManager(km)
ttlSeconds := time.Duration(ttl) * time.Second
syncInterval := ttlSeconds / 2
ttl := time.Duration(ttlSeconds) * time.Second
syncInterval := ttl / 2
c := &Config{
ServerAddr: api.addr,
SVID: baseSVID,

View File

@ -12,7 +12,6 @@ import (
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/agent/manager/cache"
"github.com/spiffe/spire/pkg/common/telemetry"
"github.com/spiffe/spire/pkg/common/telemetry/agent"
telemetry_agent "github.com/spiffe/spire/pkg/common/telemetry/agent"
"github.com/spiffe/spire/pkg/common/x509util"
"github.com/spiffe/spire/proto/spire/common"
@ -229,7 +228,7 @@ func (c *Cache) TaintX509SVIDs(ctx context.Context, taintedX509Authorities []*x5
c.mtx.Lock()
defer c.mtx.Unlock()
counter := telemetry.StartCall(c.c.Metrics, telemetry.CacheManager, agent.CacheTypeSVIDStore, telemetry.ProcessTaintedX509SVIDs)
counter := telemetry.StartCall(c.c.Metrics, telemetry.CacheManager, telemetry_agent.CacheTypeSVIDStore, telemetry.ProcessTaintedX509SVIDs)
defer counter.Done(nil)
taintedSVIDs := 0
@ -253,7 +252,7 @@ func (c *Cache) TaintX509SVIDs(ctx context.Context, taintedX509Authorities []*x5
}
}
telemetry_agent.AddCacheManagerExpiredSVIDsSample(c.c.Metrics, agent.CacheTypeSVIDStore, float32(taintedSVIDs))
telemetry_agent.AddCacheManagerExpiredSVIDsSample(c.c.Metrics, telemetry_agent.CacheTypeSVIDStore, float32(taintedSVIDs))
c.c.Log.WithField(telemetry.TaintedX509SVIDs, taintedSVIDs).Info("Tainted X.509 SVIDs")
}

View File

@ -16,7 +16,6 @@ import (
"github.com/spiffe/spire/pkg/agent/workloadkey"
"github.com/spiffe/spire/pkg/common/bundleutil"
"github.com/spiffe/spire/pkg/common/telemetry"
"github.com/spiffe/spire/pkg/common/telemetry/agent"
telemetry_agent "github.com/spiffe/spire/pkg/common/telemetry/agent"
"github.com/spiffe/spire/pkg/common/util"
"github.com/spiffe/spire/pkg/common/x509util"
@ -111,11 +110,11 @@ func (m *manager) synchronize(ctx context.Context) (err error) {
return err
}
if err := m.updateCache(ctx, cacheUpdate, m.c.Log.WithField(telemetry.CacheType, agent.CacheTypeWorkload), "", m.cache); err != nil {
if err := m.updateCache(ctx, cacheUpdate, m.c.Log.WithField(telemetry.CacheType, telemetry_agent.CacheTypeWorkload), "", m.cache); err != nil {
return err
}
if err := m.updateCache(ctx, storeUpdate, m.c.Log.WithField(telemetry.CacheType, agent.CacheTypeSVIDStore), agent.CacheTypeSVIDStore, m.svidStoreCache); err != nil {
if err := m.updateCache(ctx, storeUpdate, m.c.Log.WithField(telemetry.CacheType, telemetry_agent.CacheTypeSVIDStore), telemetry_agent.CacheTypeSVIDStore, m.svidStoreCache); err != nil {
return err
}

View File

@ -15,6 +15,7 @@ import (
"sync"
keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/keymanager/v1"
"github.com/spiffe/spire/pkg/common/util"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/proto"
@ -37,10 +38,10 @@ type Config struct {
}
type Generator interface {
GenerateRSA2048Key() (*rsa.PrivateKey, error)
GenerateRSA4096Key() (*rsa.PrivateKey, error)
GenerateEC256Key() (*ecdsa.PrivateKey, error)
GenerateEC384Key() (*ecdsa.PrivateKey, error)
GenerateRSA2048Key() (crypto.Signer, error)
GenerateRSA4096Key() (crypto.Signer, error)
GenerateEC256Key() (crypto.Signer, error)
GenerateEC384Key() (crypto.Signer, error)
}
// Base is the base KeyManager implementation
@ -170,7 +171,7 @@ func (m *Base) signData(req *keymanagerv1.SignDataRequest) (*keymanagerv1.SignDa
if opts.HashAlgorithm == keymanagerv1.HashAlgorithm_UNSPECIFIED_HASH_ALGORITHM {
return nil, status.Error(codes.InvalidArgument, "hash algorithm is required")
}
signerOpts = crypto.Hash(opts.HashAlgorithm)
signerOpts = util.MustCast[crypto.Hash](opts.HashAlgorithm)
case *keymanagerv1.SignDataRequest_PssOptions:
if opts.PssOptions == nil {
return nil, status.Error(codes.InvalidArgument, "PSS options are nil")
@ -180,7 +181,7 @@ func (m *Base) signData(req *keymanagerv1.SignDataRequest) (*keymanagerv1.SignDa
}
signerOpts = &rsa.PSSOptions{
SaltLength: int(opts.PssOptions.SaltLength),
Hash: crypto.Hash(opts.PssOptions.HashAlgorithm),
Hash: util.MustCast[crypto.Hash](opts.PssOptions.HashAlgorithm),
}
default:
return nil, status.Errorf(codes.InvalidArgument, "unsupported signer opts type %T", opts)
@ -299,19 +300,19 @@ func ecdsaKeyType(privateKey *ecdsa.PrivateKey) (keymanagerv1.KeyType, error) {
type defaultGenerator struct{}
func (defaultGenerator) GenerateRSA2048Key() (*rsa.PrivateKey, error) {
func (defaultGenerator) GenerateRSA2048Key() (crypto.Signer, error) {
return rsa.GenerateKey(rand.Reader, 2048)
}
func (defaultGenerator) GenerateRSA4096Key() (*rsa.PrivateKey, error) {
func (defaultGenerator) GenerateRSA4096Key() (crypto.Signer, error) {
return rsa.GenerateKey(rand.Reader, 4096)
}
func (defaultGenerator) GenerateEC256Key() (*ecdsa.PrivateKey, error) {
func (defaultGenerator) GenerateEC256Key() (crypto.Signer, error) {
return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
func (defaultGenerator) GenerateEC384Key() (*ecdsa.PrivateKey, error) {
func (defaultGenerator) GenerateEC384Key() (crypto.Signer, error) {
return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
}

View File

@ -13,7 +13,7 @@ import (
keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/keymanager/v1"
configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
keymanagerbase "github.com/spiffe/spire/pkg/agent/plugin/keymanager/base"
catalog "github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/diskutil"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"

View File

@ -9,6 +9,7 @@ import (
keymanagerv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/keymanager/v1"
"github.com/spiffe/spire/pkg/common/plugin"
"github.com/spiffe/spire/pkg/common/util"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
@ -118,7 +119,7 @@ func (v1 *V1) convertKeyType(t KeyType) (keymanagerv1.KeyType, error) {
func (v1 *V1) convertHashAlgorithm(h crypto.Hash) keymanagerv1.HashAlgorithm {
// Hash algorithm constants are aligned.
return keymanagerv1.HashAlgorithm(h)
return util.MustCast[keymanagerv1.HashAlgorithm](h)
}
type v1Key struct {
@ -155,7 +156,7 @@ func (s *v1Key) signContext(ctx context.Context, digest []byte, opts crypto.Sign
case *rsa.PSSOptions:
req.SignerOpts = &keymanagerv1.SignDataRequest_PssOptions{
PssOptions: &keymanagerv1.SignDataRequest_PSSOptions{
SaltLength: int32(opts.SaltLength),
SaltLength: util.MustCast[int32](opts.SaltLength),
HashAlgorithm: s.v1.convertHashAlgorithm(opts.Hash),
},
}

View File

@ -22,10 +22,10 @@ import (
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/pemutil"
"github.com/spiffe/spire/pkg/common/plugin/aws"
"github.com/spiffe/spire/test/plugintest"
"github.com/spiffe/spire/test/spiretest"
"github.com/spiffe/spire/test/testkey"
"google.golang.org/grpc/codes"
)
@ -38,19 +38,7 @@ const (
)
var (
signingKeyPEM = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIBywIBAAJhAOn4rFLlxONpujl+q/h/kTQzZoqn1nQZbCKEyIPBWO6kkcSqIqON
aB3i+xyxgZNwkGEkLGRl/Uwasbp7O/sU43wh5ywWp/AG0iFe1RhwMd8LMq5ron6o
s2eql71hJKsGEwIDAQABAmEAoDa9YcKe8Q68C5TXE8He33z3Ealea3/hET4VxEsI
p9mfS6kpMQ+qpRSB2aMfVKP1mrAQ4/5TarrG1ZG3T/Mt9Oy1QHbzALvz2XObIvcR
0cnG353CLQK/nobvWcwAtac5AjEA9k+1a9R6eFaO3grl9yg5XY2+MboV4wjbsDS3
s4+MivneTPwvK6eHxtoAlYCNOAslAjEA8yy0PJw3TLBK80DryF3r/Q4wd4uYeFhN
G6EBF0LccLB7GbKpcDHgnNjW/wObx+LXAjBeP4/G6+3U4CIYuojWMvEIaDVPp8m6
LuiJGxLzxUjc4NF8Gb8e8CLXJxG0IxVmTXUCMQDSPJAG5rgYoUHrVPGEZU8llSLp
99J2GUFw5Z3f0nprIukKqqA606RxdjdKeoAwLDkCMCptc0jZR3VM4w1wnwvAe0FL
t61Ol/Q+OqWFX74JwsUU56FqPFm3Y9k7HxDILdedoQ==
-----END RSA PRIVATE KEY-----`)
signingKey = testkey.MustRSA2048()
streamBuilder = nodeattestortest.ServerStream(aws.PluginName)
)
@ -180,15 +168,13 @@ func (s *Suite) buildDefaultIIDDocAndSig() (docBytes []byte, sigBytes []byte, si
s.Require().NoError(err)
rng := rand.Reader
key, err := pemutil.ParseRSAPrivateKey(signingKeyPEM)
s.Require().NoError(err)
// doc signature
docHash := sha256.Sum256(docBytes)
sig, err := rsa.SignPKCS1v15(rng, key, crypto.SHA256, docHash[:])
sig, err := rsa.SignPKCS1v15(rng, signingKey, crypto.SHA256, docHash[:])
s.Require().NoError(err)
sigRSA2048 = s.generatePKCS7Signature(docBytes, key)
sigRSA2048 = s.generatePKCS7Signature(docBytes, signingKey)
return docBytes, sig, sigRSA2048
}

View File

@ -64,7 +64,7 @@ func (s *MSIAttestorSuite) TestAidAttestationFailedToObtainToken() {
func (s *MSIAttestorSuite) TestAidAttestationSuccess() {
s.token = s.makeAccessToken("PRINCIPALID", "TENANTID")
expectPayload := []byte(fmt.Sprintf(`{"token":%q}`, s.token))
expectPayload := fmt.Appendf(nil, `{"token":%q}`, s.token)
attestor := s.loadAttestor(
plugintest.CoreConfig(catalog.CoreConfig{

View File

@ -13,27 +13,15 @@ import (
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/pemutil"
sat_common "github.com/spiffe/spire/pkg/common/plugin/k8s"
"github.com/spiffe/spire/test/plugintest"
"github.com/spiffe/spire/test/spiretest"
"github.com/spiffe/spire/test/testkey"
"google.golang.org/grpc/codes"
)
var sampleKeyPEM = []byte(`-----BEGIN RSA PRIVATE KEY-----
MIIBywIBAAJhAMB4gbT09H2RKXaxbu6IV9C3WY+pvkGAbrlQRIHLHwV3Xt1HchjX
c08v1VEoTBN2YTjhZJlDb/VUsNMJsmBFBBted5geRcbrDtXFlUJ8tQoQx1dWM4Aa
xcdULJ83A9ICKwIDAQABAmBR1asInrIphYQEtHJ/NzdnRd3tqHV9cjch0dAfA5dA
Ar4yBYOsrkaX37WqWSDnkYgN4FWYBWn7WxeotCtA5UQ3SM5hLld67rUqAm2dLrs1
z8va6SwLzrPTu2+rmRgovFECMQDpbfPBRex7FY/xWu1pYv6X9XZ26SrC2Wc6RIpO
38AhKGjTFEMAPJQlud4e2+4I3KkCMQDTFLUvBSXokw2NvcNiM9Kqo5zCnCIkgc+C
hM3EzSh2jh4gZvRzPOhXYvNKgLx8+LMCMQDL4meXlpV45Fp3eu4GsJqi65jvP7VD
v1P0hs0vGyvbSkpUo0vqNv9G/FNQLNR6FRECMFXEMz5wxA91OOuf8HTFg9Lr+fUl
RcY5rJxm48kUZ12Mr3cQ/kCYvftL7HkYR/4rewIxANdritlIPu4VziaEhYZg7dvz
pG3eEhiqPxE++QHpwU78O+F1GznOPBvpZOB3GfyjNQ==
-----END RSA PRIVATE KEY-----`)
var (
sampleKey = testkey.MustRSA2048()
streamBuilder = nodeattestortest.ServerStream(pluginName)
)
@ -76,7 +64,7 @@ func (s *AttestorSuite) TestAttestSuccess() {
na := s.loadPluginWithTokenPath(s.writeValue("token", token))
err = na.Attest(context.Background(), streamBuilder.ExpectAndBuild([]byte(fmt.Sprintf(`{"cluster":"production","token":"%s"}`, token))))
err = na.Attest(context.Background(), streamBuilder.ExpectAndBuild(fmt.Appendf(nil, `{"cluster":"production","token":"%s"}`, token)))
s.Require().NoError(err)
}
@ -168,11 +156,6 @@ func createPSAT(namespace, podName string) (string, error) {
}
func createSigner() (jose.Signer, error) {
sampleKey, err := pemutil.ParseRSAPrivateKey(sampleKeyPEM)
if err != nil {
return nil, err
}
sampleSigner, err := jose.NewSigner(jose.SigningKey{
Algorithm: jose.RS256,
Key: sampleKey,

View File

@ -1,156 +0,0 @@
package k8ssat
import (
"context"
"encoding/json"
"fmt"
"os"
"sync"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/hcl"
nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/nodeattestor/v1"
configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/plugin/k8s"
"github.com/spiffe/spire/pkg/common/pluginconf"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
const (
pluginName = "k8s_sat"
defaultTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint: gosec // false positive
)
func BuiltIn() catalog.BuiltIn {
return builtin(New())
}
func builtin(p *AttestorPlugin) catalog.BuiltIn {
return catalog.MakeBuiltIn(pluginName,
nodeattestorv1.NodeAttestorPluginServer(p),
configv1.ConfigServiceServer(p))
}
type AttestorConfig struct {
Cluster string `hcl:"cluster"`
TokenPath string `hcl:"token_path"`
}
func buildConfig(coreConfig catalog.CoreConfig, hclText string, status *pluginconf.Status) *attestorConfig {
hclConfig := new(AttestorConfig)
if err := hcl.Decode(hclConfig, hclText); err != nil {
status.ReportErrorf("unable to decode configuration: %v", err)
return nil
}
if hclConfig.Cluster == "" {
status.ReportError("configuration missing cluster")
}
newConfig := &attestorConfig{
cluster: hclConfig.Cluster,
tokenPath: hclConfig.TokenPath,
}
if newConfig.tokenPath == "" {
newConfig.tokenPath = getDefaultTokenPath()
}
return newConfig
}
type attestorConfig struct {
cluster string
tokenPath string
}
type AttestorPlugin struct {
nodeattestorv1.UnsafeNodeAttestorServer
configv1.UnsafeConfigServer
log hclog.Logger
mu sync.RWMutex
config *attestorConfig
}
func New() *AttestorPlugin {
return &AttestorPlugin{}
}
// SetLogger sets a logger in the plugin.
func (p *AttestorPlugin) SetLogger(log hclog.Logger) {
p.log = log
}
func (p *AttestorPlugin) AidAttestation(stream nodeattestorv1.NodeAttestor_AidAttestationServer) error {
config, err := p.getConfig()
if err != nil {
return err
}
token, err := loadTokenFromFile(config.tokenPath)
if err != nil {
return status.Errorf(codes.InvalidArgument, "unable to load token from %s: %v", config.tokenPath, err)
}
payload, err := json.Marshal(k8s.SATAttestationData{
Cluster: config.cluster,
Token: token,
})
if err != nil {
return status.Errorf(codes.Internal, "unable to marshal SAT token data: %v", err)
}
return stream.Send(&nodeattestorv1.PayloadOrChallengeResponse{
Data: &nodeattestorv1.PayloadOrChallengeResponse_Payload{
Payload: payload,
},
})
}
func (p *AttestorPlugin) Configure(_ context.Context, req *configv1.ConfigureRequest) (resp *configv1.ConfigureResponse, err error) {
p.log.Warn(fmt.Sprintf("The %q node attestor plugin has been deprecated in favor of the \"k8s_psat\" plugin and will be removed in a future release", pluginName))
newConfig, _, err := pluginconf.Build(req, buildConfig)
if err != nil {
return nil, err
}
p.mu.Lock()
defer p.mu.Unlock()
p.config = newConfig
return &configv1.ConfigureResponse{}, nil
}
func (p *AttestorPlugin) Validate(_ context.Context, req *configv1.ValidateRequest) (resp *configv1.ValidateResponse, err error) {
_, notes, err := pluginconf.Build(req, buildConfig)
return &configv1.ValidateResponse{
Valid: err == nil,
Notes: notes,
}, nil
}
func (p *AttestorPlugin) getConfig() (*attestorConfig, error) {
p.mu.RLock()
defer p.mu.RUnlock()
if p.config == nil {
return nil, status.Error(codes.FailedPrecondition, "not configured")
}
return p.config, nil
}
func loadTokenFromFile(path string) (string, error) {
data, err := os.ReadFile(path)
if err != nil {
return "", err
}
if len(data) == 0 {
return "", fmt.Errorf("%q is empty", path)
}
return string(data), nil
}

View File

@ -1,7 +0,0 @@
//go:build !windows
package k8ssat
func getDefaultTokenPath() string {
return defaultTokenPath
}

View File

@ -1,40 +0,0 @@
//go:build !windows
package k8ssat
import (
"testing"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/test/plugintest"
"github.com/stretchr/testify/require"
)
func TestConfigureDefaultToken(t *testing.T) {
p := New()
var err error
plugintest.Load(t, builtin(p), new(nodeattestor.V1),
plugintest.CaptureConfigureError(&err),
plugintest.CoreConfig(catalog.CoreConfig{
TrustDomain: spiffeid.RequireTrustDomainFromString("example.org"),
}),
plugintest.Configure(`cluster = "production"`),
)
require.NoError(t, err)
require.Equal(t, "/var/run/secrets/kubernetes.io/serviceaccount/token", p.config.tokenPath)
plugintest.Load(t, builtin(p), new(nodeattestor.V1),
plugintest.CaptureConfigureError(&err),
plugintest.CoreConfig(catalog.CoreConfig{
TrustDomain: spiffeid.RequireTrustDomainFromString("example.org"),
}),
plugintest.Configure(`
cluster = "production"
token_path = "/tmp/token"`),
)
require.NoError(t, err)
require.Equal(t, "/tmp/token", p.config.tokenPath)
}

View File

@ -1,120 +0,0 @@
package k8ssat
import (
"context"
"os"
"path/filepath"
"testing"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
nodeattestortest "github.com/spiffe/spire/pkg/agent/plugin/nodeattestor/test"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/test/plugintest"
"github.com/spiffe/spire/test/spiretest"
"google.golang.org/grpc/codes"
)
var (
streamBuilder = nodeattestortest.ServerStream(pluginName)
)
func TestAttestorPlugin(t *testing.T) {
spiretest.Run(t, new(AttestorSuite))
}
type AttestorSuite struct {
spiretest.Suite
dir string
}
func (s *AttestorSuite) SetupTest() {
s.dir = s.TempDir()
}
func (s *AttestorSuite) TestAttestNotConfigured() {
na := s.loadPlugin()
err := na.Attest(context.Background(), streamBuilder.Build())
s.RequireGRPCStatus(err, codes.FailedPrecondition, "nodeattestor(k8s_sat): not configured")
}
func (s *AttestorSuite) TestAttestNoToken() {
na := s.loadPluginWithTokenPath("example.org", s.joinPath("token"))
err := na.Attest(context.Background(), streamBuilder.Build())
s.RequireGRPCStatusContains(err, codes.InvalidArgument, "nodeattestor(k8s_sat): unable to load token from")
}
func (s *AttestorSuite) TestAttestEmptyToken() {
na := s.loadPluginWithTokenPath("example.org", s.writeValue("token", ""))
err := na.Attest(context.Background(), streamBuilder.Build())
s.RequireGRPCStatusContains(err, codes.InvalidArgument, "nodeattestor(k8s_sat): unable to load token from")
}
func (s *AttestorSuite) TestAttestSuccess() {
na := s.loadPluginWithTokenPath("example.org", s.writeValue("token", "TOKEN"))
err := na.Attest(context.Background(), streamBuilder.ExpectAndBuild([]byte(`{"cluster":"production","token":"TOKEN"}`)))
s.Require().NoError(err)
}
func (s *AttestorSuite) TestConfigure() {
var err error
// malformed configuration
s.loadPlugin(plugintest.CaptureConfigureError(&err),
plugintest.CoreConfig(catalog.CoreConfig{
TrustDomain: spiffeid.RequireTrustDomainFromString("example.org"),
}),
plugintest.Configure("malformed"),
)
s.RequireGRPCStatusContains(err, codes.InvalidArgument, "unable to decode configuration")
// missing cluster
s.loadPlugin(plugintest.CaptureConfigureError(&err),
plugintest.CoreConfig(catalog.CoreConfig{
TrustDomain: spiffeid.RequireTrustDomainFromString("example.org"),
}),
plugintest.Configure(""),
)
s.RequireGRPCStatus(err, codes.InvalidArgument, "configuration missing cluster")
// success
s.loadPlugin(plugintest.CaptureConfigureError(&err),
plugintest.CoreConfig(catalog.CoreConfig{
TrustDomain: spiffeid.RequireTrustDomainFromString("example.org"),
}),
plugintest.Configure(`cluster = "production"`),
)
s.Require().NoError(err)
}
func (s *AttestorSuite) loadPluginWithTokenPath(trustDomain string, tokenPath string) nodeattestor.NodeAttestor {
return s.loadPlugin(
plugintest.CoreConfig(catalog.CoreConfig{
TrustDomain: spiffeid.RequireTrustDomainFromString(trustDomain),
}),
plugintest.Configuref(`
cluster = "production"
token_path = %q`, tokenPath),
)
}
func (s *AttestorSuite) loadPlugin(options ...plugintest.Option) nodeattestor.NodeAttestor {
na := new(nodeattestor.V1)
plugintest.Load(s.T(), BuiltIn(), na, options...)
return na
}
func (s *AttestorSuite) joinPath(path string) string {
return filepath.Join(s.dir, path)
}
func (s *AttestorSuite) writeValue(path, data string) string {
valuePath := s.joinPath(path)
err := os.MkdirAll(filepath.Dir(valuePath), 0755)
s.Require().NoError(err)
err = os.WriteFile(valuePath, []byte(data), 0600)
s.Require().NoError(err)
return valuePath
}

View File

@ -1,20 +0,0 @@
//go:build windows
package k8ssat
import (
"os"
"path/filepath"
)
const (
containerMountPointEnvVar = "CONTAINER_SANDBOX_MOUNT_POINT"
)
func getDefaultTokenPath() string {
mountPoint := os.Getenv(containerMountPointEnvVar)
if mountPoint == "" {
return filepath.FromSlash(defaultTokenPath)
}
return filepath.Join(mountPoint, defaultTokenPath)
}

View File

@ -1,65 +0,0 @@
//go:build windows
package k8ssat
import (
"testing"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/test/plugintest"
"github.com/stretchr/testify/require"
)
func TestConfigureDefaultToken(t *testing.T) {
for _, tt := range []struct {
name string
trustDomain string
mountPoint string
config string
expectTokenPath string
}{
{
name: "mountPoint set",
trustDomain: "example.org",
mountPoint: "c:\\somepath",
config: `cluster = "production"`,
expectTokenPath: "c:\\somepath\\var\\run\\secrets\\kubernetes.io\\serviceaccount\\token",
},
{
name: "no mountPoint",
trustDomain: "example.org",
config: `cluster = "production"`,
expectTokenPath: "\\var\\run\\secrets\\kubernetes.io\\serviceaccount\\token",
},
{
name: "token path set on configuration",
trustDomain: "example.org",
mountPoint: "c:\\somepath",
config: `
cluster = "production"
token_path = "c:\\token"`,
expectTokenPath: "c:\\token",
},
} {
t.Run(tt.name, func(t *testing.T) {
if tt.mountPoint != "" {
t.Setenv(containerMountPointEnvVar, tt.mountPoint)
}
p := New()
var err error
plugintest.Load(t, builtin(p), new(nodeattestor.V1),
plugintest.CaptureConfigureError(&err),
plugintest.CoreConfig(catalog.CoreConfig{
TrustDomain: spiffeid.RequireTrustDomainFromString(tt.trustDomain),
}),
plugintest.Configure(tt.config),
)
require.NoError(t, err)
require.Equal(t, tt.expectTokenPath, p.config.tokenPath)
})
}
}

View File

@ -4,6 +4,7 @@ import (
"context"
"errors"
"fmt"
"slices"
"github.com/spiffe/spire/pkg/agent/plugin/nodeattestor"
"google.golang.org/grpc/codes"
@ -82,7 +83,7 @@ func (b *ServerStreamBuilder) FailAndBuild(err error) nodeattestor.ServerStream
}
func (b *ServerStreamBuilder) addHandler(handler ServerStreamHandler) *ServerStreamBuilder {
handlers := append([]ServerStreamHandler(nil), b.handlers...)
handlers := slices.Clone(b.handlers)
handlers = append(handlers, handler)
return &ServerStreamBuilder{
pluginName: b.pluginName,

View File

@ -7,8 +7,8 @@ import (
"strings"
"sync"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/image"
dockerclient "github.com/docker/docker/client"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/hcl"
@ -43,8 +43,8 @@ func builtin(p *Plugin) catalog.BuiltIn {
// Docker is a subset of the docker client functionality, useful for mocking.
type Docker interface {
ContainerInspect(ctx context.Context, containerID string) (types.ContainerJSON, error)
ImageInspectWithRaw(ctx context.Context, imageID string) (types.ImageInspect, []byte, error)
ContainerInspect(ctx context.Context, containerID string) (container.InspectResponse, error)
ImageInspectWithRaw(ctx context.Context, imageID string) (image.InspectResponse, []byte, error)
}
type Plugin struct {
@ -74,7 +74,7 @@ type dockerPluginConfig struct {
UnusedKeyPositions map[string][]token.Pos `hcl:",unusedKeyPositions"`
Experimental experimentalConfig `hcl:"experimental,omitempty" json:"experimental,omitempty"`
Experimental experimentalConfig `hcl:"experimental,omitempty" json:"experimental"`
containerHelper *containerHelper
dockerOpts []dockerclient.Opt
@ -140,13 +140,10 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque
return &workloadattestorv1.AttestResponse{}, nil
}
var container types.ContainerJSON
var container container.InspectResponse
err = p.retryer.Retry(ctx, func() error {
container, err = p.docker.ContainerInspect(ctx, containerID)
if err != nil {
return err
}
return nil
return err
})
if err != nil {
return nil, err

View File

@ -92,7 +92,7 @@ func (h *containerHelper) getContainerID(pID int32, log hclog.Logger) (string, e
}
extractor := containerinfo.Extractor{RootDir: h.rootDir, VerboseLogging: h.verboseContainerLocatorLogs}
return extractor.GetContainerID(int(pID), log)
return extractor.GetContainerID(pID, log)
}
func getDockerHost(c *dockerPluginConfig) string {

View File

@ -8,8 +8,8 @@ import (
"testing"
"time"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/image"
dockerclient "github.com/docker/docker/client"
"github.com/hashicorp/go-hclog"
"github.com/spiffe/go-spiffe/v2/spiffeid"
@ -236,7 +236,6 @@ func TestDockerConfigDefault(t *testing.T) {
require.NotNil(t, p.docker)
require.Equal(t, dockerclient.DefaultDockerHost, p.docker.(*dockerclient.Client).DaemonHost())
require.Equal(t, "1.47", p.docker.(*dockerclient.Client).ClientVersion())
verifyConfigDefault(t, p.c)
}
@ -405,28 +404,28 @@ func newTestPlugin(t *testing.T, opts ...testPluginOpt) *Plugin {
type dockerError struct{}
func (dockerError) ContainerInspect(context.Context, string) (types.ContainerJSON, error) {
return types.ContainerJSON{}, errors.New("docker error")
func (dockerError) ContainerInspect(context.Context, string) (container.InspectResponse, error) {
return container.InspectResponse{}, errors.New("docker error")
}
func (dockerError) ImageInspectWithRaw(context.Context, string) (types.ImageInspect, []byte, error) {
return types.ImageInspect{}, nil, errors.New("docker error")
func (dockerError) ImageInspectWithRaw(context.Context, string) (image.InspectResponse, []byte, error) {
return image.InspectResponse{}, nil, errors.New("docker error")
}
type fakeContainer container.Config
func (f fakeContainer) ContainerInspect(_ context.Context, containerID string) (types.ContainerJSON, error) {
func (f fakeContainer) ContainerInspect(_ context.Context, containerID string) (container.InspectResponse, error) {
if containerID != testContainerID {
return types.ContainerJSON{}, errors.New("expected test container ID")
return container.InspectResponse{}, errors.New("expected test container ID")
}
config := container.Config(f)
return types.ContainerJSON{
return container.InspectResponse{
Config: &config,
}, nil
}
func (f fakeContainer) ImageInspectWithRaw(_ context.Context, imageName string) (types.ImageInspect, []byte, error) {
return types.ImageInspect{ID: imageName, RepoDigests: []string{testImageID}}, nil, nil
func (f fakeContainer) ImageInspectWithRaw(_ context.Context, imageName string) (image.InspectResponse, []byte, error) {
return image.InspectResponse{ID: imageName, RepoDigests: []string{testImageID}}, nil, nil
}
type fakeSigstoreVerifier struct {

View File

@ -390,7 +390,7 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque
}
// wait a bit for containers to initialize before trying again.
log.Warn("Container id not found", telemetry.RetryInterval, config.PollRetryInterval)
log.Debug("Container id not found", telemetry.RetryInterval, config.PollRetryInterval)
select {
case <-p.clock.After(config.PollRetryInterval):
@ -651,7 +651,7 @@ func (p *Plugin) getPodList(ctx context.Context, client *kubeletClient, cacheFor
return result, nil
}
podList, err, _ := p.singleflight.Do("podList", func() (interface{}, error) {
podList, err, _ := p.singleflight.Do("podList", func() (any, error) {
result := p.getPodListCache()
if result != nil {
return result, nil

View File

@ -65,7 +65,7 @@ func (h *containerHelper) GetPodUIDAndContainerID(pID int32, log hclog.Logger) (
}
extractor := containerinfo.Extractor{RootDir: h.rootDir, VerboseLogging: h.verboseContainerLocatorLogs}
return extractor.GetPodUIDAndContainerID(int(pID), log)
return extractor.GetPodUIDAndContainerID(pID, log)
}
func getPodUIDAndContainerIDFromCGroups(cgroups []cgroups.Cgroup) (types.UID, string, error) {

View File

@ -14,6 +14,7 @@ import (
"net/http/httptest"
"os"
"path/filepath"
"slices"
"sync"
"testing"
"time"
@ -951,8 +952,8 @@ func (s *Suite) requireAttestFailure(p workloadattestor.WorkloadAttestor, code c
func (s *Suite) requireSelectorsEqual(expected, actual []*common.Selector) {
// assert the selectors (non-destructively sorting for consistency)
actual = append([]*common.Selector(nil), actual...)
expected = append([]*common.Selector(nil), expected...)
actual = slices.Clone(actual)
expected = slices.Clone(expected)
util.SortSelectors(actual)
util.SortSelectors(expected)
s.RequireProtoListEqual(expected, actual)

View File

@ -11,6 +11,7 @@ import (
"github.com/hashicorp/go-hclog"
workloadattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1"
"github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/util"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
@ -55,7 +56,11 @@ func (p *Plugin) SetLogger(log hclog.Logger) {
}
func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error) {
uInfo, err := p.getUnitInfo(ctx, p, uint(req.Pid))
pid, err := util.CheckedCast[uint](req.Pid)
if err != nil {
return nil, fmt.Errorf("invalid value for PID: %w", err)
}
uInfo, err := p.getUnitInfo(ctx, p, pid)
if err != nil {
return nil, err
}

View File

@ -2,9 +2,11 @@ package workloadattestor
import (
"context"
"fmt"
workloadattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1"
"github.com/spiffe/spire/pkg/common/plugin"
"github.com/spiffe/spire/pkg/common/util"
"github.com/spiffe/spire/proto/spire/common"
)
@ -14,8 +16,12 @@ type V1 struct {
}
func (v1 *V1) Attest(ctx context.Context, pid int) ([]*common.Selector, error) {
pidInt32, err := util.CheckedCast[int32](pid)
if err != nil {
return nil, v1.WrapErr(fmt.Errorf("invalid value for PID: %w", err))
}
resp, err := v1.WorkloadAttestorPluginClient.Attest(ctx, &workloadattestorv1.AttestRequest{
Pid: int32(pid),
Pid: pidInt32,
})
if err != nil {
return nil, v1.WrapErr(err)

View File

@ -254,7 +254,11 @@ type processQueryer interface {
type processQuery struct{}
func (q *processQuery) OpenProcess(pid int32) (handle windows.Handle, err error) {
return windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, uint32(pid))
pidUint32, err := util.CheckedCast[uint32](pid)
if err != nil {
return 0, fmt.Errorf("invalid value for PID: %w", err)
}
return windows.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pidUint32)
}
func (q *processQuery) OpenProcessToken(h windows.Handle, token *windows.Token) (err error) {

View File

@ -0,0 +1,133 @@
package trustbundlesources
import (
"context"
"crypto/x509"
"errors"
"fmt"
"io"
"net"
"net/http"
"os"
"github.com/sirupsen/logrus"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/spire/pkg/common/bundleutil"
"github.com/spiffe/spire/pkg/common/pemutil"
)
type Bundle struct {
config *Config
log logrus.FieldLogger
}
func New(config *Config, log logrus.FieldLogger) *Bundle {
return &Bundle{
config: config,
log: log,
}
}
func (b *Bundle) GetBundle() ([]*x509.Certificate, bool, error) {
var bundleBytes []byte
var err error
switch {
case b.config.TrustBundleURL != "":
bundleBytes, err = downloadTrustBundle(b.config.TrustBundleURL, b.config.TrustBundleUnixSocket)
if err != nil {
return nil, false, err
}
case b.config.TrustBundlePath != "":
bundleBytes, err = loadTrustBundle(b.config.TrustBundlePath)
if err != nil {
return nil, false, fmt.Errorf("could not parse trust bundle: %w", err)
}
default:
// If InsecureBootstrap is configured, the bundle is not required
if b.config.InsecureBootstrap {
return nil, true, nil
}
}
bundle, err := parseTrustBundle(bundleBytes, b.config.TrustBundleFormat)
if err != nil {
return nil, false, err
}
if len(bundle) == 0 {
return nil, false, errors.New("no certificates found in trust bundle")
}
return bundle, false, nil
}
func (b *Bundle) GetInsecureBootstrap() bool {
return b.config.InsecureBootstrap
}
func parseTrustBundle(bundleBytes []byte, trustBundleContentType string) ([]*x509.Certificate, error) {
switch trustBundleContentType {
case BundleFormatPEM:
bundle, err := pemutil.ParseCertificates(bundleBytes)
if err != nil {
return nil, err
}
return bundle, nil
case BundleFormatSPIFFE:
bundle, err := bundleutil.Unmarshal(spiffeid.TrustDomain{}, bundleBytes)
if err != nil {
return nil, fmt.Errorf("unable to parse SPIFFE trust bundle: %w", err)
}
return bundle.X509Authorities(), nil
}
return nil, fmt.Errorf("unknown trust bundle format: %s", trustBundleContentType)
}
func downloadTrustBundle(trustBundleURL string, trustBundleUnixSocket string) ([]byte, error) {
var req *http.Request
client := http.DefaultClient
if trustBundleUnixSocket != "" {
client = &http.Client{
Transport: &http.Transport{
DialContext: func(_ context.Context, _, _ string) (net.Conn, error) {
return net.Dial("unix", trustBundleUnixSocket)
},
},
}
}
req, err := http.NewRequest("GET", trustBundleURL, nil)
if err != nil {
return nil, err
}
// Download the trust bundle URL from the user specified URL
// We use gosec -- the annotation below will disable a security check that URLs are not tainted
/* #nosec G107 */
resp, err := client.Do(req)
if err != nil {
return nil, fmt.Errorf("unable to fetch trust bundle URL %s: %w", trustBundleURL, err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("error downloading trust bundle: %s", resp.Status)
}
pemBytes, err := io.ReadAll(resp.Body)
if err != nil {
return nil, fmt.Errorf("unable to read from trust bundle URL %s: %w", trustBundleURL, err)
}
return pemBytes, nil
}
func loadTrustBundle(path string) ([]byte, error) {
bundleBytes, err := os.ReadFile(path)
if err != nil {
return nil, err
}
return bundleBytes, nil
}

View File

@ -0,0 +1,262 @@
package trustbundlesources
import (
"io"
"net"
"net/http"
"net/http/httptest"
"os"
"path"
"path/filepath"
"testing"
"github.com/sirupsen/logrus/hooks/test"
"github.com/spiffe/spire/test/util"
"github.com/stretchr/testify/require"
)
func TestGetBundle(t *testing.T) {
testTrustBundlePath := path.Join(util.ProjectRoot(), "conf/agent/dummy_root_ca.crt")
testTBSPIFFE := `{
"keys": [
{
"use": "x509-svid",
"kty": "EC",
"crv": "P-384",
"x": "WjB-nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0",
"y": "Z-0_tDH_r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs_mcmvPqVK9j",
"x5c": [
"MIIBzDCCAVOgAwIBAgIJAJM4DhRH0vmuMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMTgwNTEzMTkzMzQ3WhcNMjMwNTEyMTkzMzQ3WjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWjB+nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0Z+0/tDH/r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs/mcmvPqVK9jo10wWzAdBgNVHQ4EFgQUh6XzV6LwNazA+GTEVOdu07o5yOgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYIKoZIzj0EAwQDZwAwZAIwE4Me13qMC9i6Fkx0h26y09QZIbuRqA9puLg9AeeAAyo5tBzRl1YL0KNEp02VKSYJAjBdeJvqjJ9wW55OGj1JQwDFD7kWeEB6oMlwPbI/5hEY3azJi16I0uN1JSYTSWGSqWc="
]
}
]
}`
cases := []struct {
msg string
insecureBootstrap bool
error bool
trustBundlePath string
trustBundleFormat string
trustBundleURL bool
trustBundleSocket string
}{
{
msg: "insecure mode",
insecureBootstrap: true,
error: false,
},
{
msg: "from file",
insecureBootstrap: false,
error: false,
trustBundlePath: testTrustBundlePath,
trustBundleFormat: BundleFormatPEM,
},
{
msg: "from file wrong format",
insecureBootstrap: false,
error: true,
trustBundlePath: testTrustBundlePath,
trustBundleFormat: BundleFormatSPIFFE,
},
{
msg: "from file that doesn't exist",
insecureBootstrap: false,
error: true,
trustBundlePath: "doesnotexist",
trustBundleFormat: BundleFormatPEM,
},
{
msg: "from url ok",
insecureBootstrap: false,
error: false,
trustBundleURL: true,
trustBundleFormat: BundleFormatSPIFFE,
},
{
msg: "from url socket, fail",
insecureBootstrap: false,
error: true,
trustBundleURL: true,
trustBundleFormat: BundleFormatSPIFFE,
trustBundleSocket: "doesnotexist",
},
}
for _, testCase := range cases {
t.Run(testCase.msg, func(t *testing.T) {
var err error
c := Config{
InsecureBootstrap: testCase.insecureBootstrap,
TrustBundlePath: testCase.trustBundlePath,
TrustBundleFormat: testCase.trustBundleFormat,
TrustBundleUnixSocket: testCase.trustBundleSocket,
}
testServer := httptest.NewServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
_, _ = io.WriteString(w, testTBSPIFFE)
}))
if testCase.trustBundleURL {
c.TrustBundleURL = testServer.URL
}
log, _ := test.NewNullLogger()
tbs := New(&c, log)
require.NoError(t, err)
trustBundle, insecureBootstrap, err := tbs.GetBundle()
if testCase.error {
require.Error(t, err)
} else {
require.NoError(t, err)
require.Equal(t, insecureBootstrap, testCase.insecureBootstrap)
if testCase.trustBundlePath != "" {
require.Equal(t, len(trustBundle), 1)
}
}
})
}
}
func TestDownloadTrustBundle(t *testing.T) {
testTB, _ := os.ReadFile(path.Join(util.ProjectRoot(), "conf/agent/dummy_root_ca.crt"))
testTBSPIFFE := `{
"keys": [
{
"use": "x509-svid",
"kty": "EC",
"crv": "P-384",
"x": "WjB-nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0",
"y": "Z-0_tDH_r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs_mcmvPqVK9j",
"x5c": [
"MIIBzDCCAVOgAwIBAgIJAJM4DhRH0vmuMAoGCCqGSM49BAMEMB4xCzAJBgNVBAYTAlVTMQ8wDQYDVQQKDAZTUElGRkUwHhcNMTgwNTEzMTkzMzQ3WhcNMjMwNTEyMTkzMzQ3WjAeMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGU1BJRkZFMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEWjB+nSGSxIYiznb84xu5WGDZj80nL7W1c3zf48Why0ma7Y7mCBKzfQkrgDguI4j0Z+0/tDH/r8gtOtLLrIpuMwWHoe4vbVBFte1vj6Xt6WeE8lXwcCvLs/mcmvPqVK9jo10wWzAdBgNVHQ4EFgQUh6XzV6LwNazA+GTEVOdu07o5yOgwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwGQYDVR0RBBIwEIYOc3BpZmZlOi8vbG9jYWwwCgYIKoZIzj0EAwQDZwAwZAIwE4Me13qMC9i6Fkx0h26y09QZIbuRqA9puLg9AeeAAyo5tBzRl1YL0KNEp02VKSYJAjBdeJvqjJ9wW55OGj1JQwDFD7kWeEB6oMlwPbI/5hEY3azJi16I0uN1JSYTSWGSqWc="
]
}
]
}`
cases := []struct {
msg string
status int
fileContents string
format string
expectDownloadError bool
expectParseError bool
unixSocket bool
}{
{
msg: "if URL is not found, should be an error",
status: http.StatusNotFound,
fileContents: "",
format: BundleFormatPEM,
expectDownloadError: true,
expectParseError: false,
unixSocket: false,
},
{
msg: "if URL returns error 500, should be an error",
status: http.StatusInternalServerError,
fileContents: "",
format: BundleFormatPEM,
expectDownloadError: true,
expectParseError: false,
unixSocket: false,
},
{
msg: "if file is not parseable, should be an error",
status: http.StatusOK,
fileContents: "NON PEM PARSEABLE TEXT HERE",
format: BundleFormatPEM,
expectDownloadError: false,
expectParseError: true,
unixSocket: false,
},
{
msg: "if file is empty, should be an error",
status: http.StatusOK,
fileContents: "",
format: BundleFormatPEM,
expectDownloadError: false,
expectParseError: true,
unixSocket: false,
},
{
msg: "if file is valid, should not be an error",
status: http.StatusOK,
fileContents: string(testTB),
format: BundleFormatPEM,
expectDownloadError: false,
expectParseError: false,
unixSocket: false,
},
{
msg: "if file is not parseable, format is SPIFFE, should not be an error",
status: http.StatusOK,
fileContents: "[}",
format: BundleFormatSPIFFE,
expectDownloadError: false,
expectParseError: true,
unixSocket: false,
},
{
msg: "if file is valid, format is SPIFFE, should not be an error",
status: http.StatusOK,
fileContents: testTBSPIFFE,
format: BundleFormatSPIFFE,
expectDownloadError: false,
expectParseError: false,
unixSocket: false,
},
{
msg: "if file is valid, format is SPIFFE, unix socket true, should not be an error",
status: http.StatusOK,
fileContents: testTBSPIFFE,
format: BundleFormatSPIFFE,
expectDownloadError: false,
expectParseError: false,
unixSocket: true,
},
}
for _, testCase := range cases {
t.Run(testCase.msg, func(t *testing.T) {
var unixSocket string
var err error
var bundleBytes []byte
if testCase.unixSocket {
tempDir, err := os.MkdirTemp("", "my-temp-dir-*")
require.NoError(t, err)
defer os.RemoveAll(tempDir)
unixSocket = filepath.Join(tempDir, "socket")
}
testServer := httptest.NewUnstartedServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(testCase.status)
_, _ = io.WriteString(w, testCase.fileContents)
// if err != nil {
// return
// }
}))
if testCase.unixSocket {
testServer.Listener, err = net.Listen("unix", unixSocket)
require.NoError(t, err)
testServer.Start()
bundleBytes, err = downloadTrustBundle("http://localhost/trustbundle", unixSocket)
} else {
testServer.Start()
bundleBytes, err = downloadTrustBundle(testServer.URL, "")
}
if testCase.expectDownloadError {
require.Error(t, err)
} else {
require.NoError(t, err)
_, err := parseTrustBundle(bundleBytes, testCase.format)
if testCase.expectParseError {
require.Error(t, err)
} else {
require.NoError(t, err)
}
}
})
}
}

View File

@ -0,0 +1,14 @@
package trustbundlesources
const (
BundleFormatPEM = "pem"
BundleFormatSPIFFE = "spiffe"
)
type Config struct {
InsecureBootstrap bool
TrustBundleFormat string
TrustBundlePath string
TrustBundleURL string
TrustBundleUnixSocket string
}

View File

@ -18,11 +18,6 @@ func UntrackedUDSCredentials() credentials.TransportCredentials {
return untrackedUDSCredentials{}
}
func IsUntrackedUDSAuth(authInfo credentials.AuthInfo) bool {
_, ok := authInfo.(UntrackedUDSAuthInfo)
return ok
}
type UntrackedUDSAuthInfo struct{}
func (UntrackedUDSAuthInfo) AuthType() string { return "untracked-uds" }

View File

@ -31,19 +31,11 @@ func (r *sizeLimitedBackOff) NextBackOff() int {
}
func (r *sizeLimitedBackOff) Success() {
newSize := r.currentSize * 2
if newSize > r.maxSize {
newSize = r.maxSize
}
r.currentSize = newSize
r.currentSize = min(r.currentSize*2, r.maxSize)
}
func (r *sizeLimitedBackOff) Failure() {
newSize := r.currentSize / 2
if newSize < 1 {
newSize = 1
}
r.currentSize = newSize
r.currentSize = max(r.currentSize/2, 1)
}
func (r *sizeLimitedBackOff) Reset() {

View File

@ -73,12 +73,11 @@ func TestAppendFlag(t *testing.T) {
fs.Var(defaultFlagValue, flagName, "")
}
err := fs.Parse(c.input)
switch {
case err == nil:
if err == nil {
if c.expectError {
t.Fatal("expected an error but got none")
}
default:
} else {
if !c.expectError {
t.Fatalf("got unexpected error: %v", err)
}

View File

@ -28,12 +28,11 @@ func TestStrFormatType(t *testing.T) {
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
ft, err := strToFormatType(c.input)
switch {
case err == nil:
if err == nil {
if c.expectError {
t.Error("expected error but got none")
}
default:
} else {
if !c.expectError {
t.Errorf("got unexpected error: %v", err)
}

View File

@ -12,7 +12,7 @@ func Print(err error, stdout, _ io.Writer) error {
}
if err.Error() == "" {
err = errors.New("An unknown error occurred")
err = errors.New("an unknown error occurred")
}
_, e := fmt.Fprintln(stdout, err.Error())

View File

@ -24,7 +24,7 @@ func TestPrint(t *testing.T) {
{
name: "error_without_string_is_still_an_error",
err: errors.New(""),
stdout: "An unknown error occurred\n",
stdout: "an unknown error occurred\n",
stderr: "",
},
{

View File

@ -5,11 +5,13 @@ package process
import (
"errors"
"fmt"
"slices"
"strings"
"unsafe"
"github.com/hashicorp/go-hclog"
"github.com/spiffe/spire/pkg/common/telemetry"
"github.com/spiffe/spire/pkg/common/util"
"golang.org/x/sys/windows"
)
@ -46,7 +48,11 @@ func (h *helper) GetContainerIDByProcess(pID int32, log hclog.Logger) (string, e
currentProcess := h.wapi.CurrentProcess()
// Duplicate the process handle that we want to validate, with limited permissions.
childProcessHandle, err := h.wapi.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, uint32(pID))
pidUint32, err := util.CheckedCast[uint32](pID)
if err != nil {
return "", fmt.Errorf("invalid value for PID: %w", err)
}
childProcessHandle, err := h.wapi.OpenProcess(windows.PROCESS_QUERY_LIMITED_INFORMATION, false, pidUint32)
if err != nil {
return "", fmt.Errorf("failed to open child process: %w", err)
}
@ -63,12 +69,7 @@ func (h *helper) GetContainerIDByProcess(pID int32, log hclog.Logger) (string, e
// Verify if process ID is a vmcompute process
isVmcomputeProcess := func(pID uint32) bool {
for _, vmID := range vmComputeProcessIds {
if pID == vmID {
return true
}
}
return false
return slices.Contains(vmComputeProcessIds, pID)
}
var jobNames []string

View File

@ -6,6 +6,7 @@ import (
"syscall"
"unsafe"
"github.com/spiffe/spire/pkg/common/util"
"golang.org/x/sys/windows"
)
@ -90,7 +91,7 @@ func (a *api) GetObjectType(handle windows.Handle) (string, error) {
length := uint32(0)
status := ntQueryObject(handle, ObjectTypeInformationClass,
&buffer[0], uint32(len(buffer)), &length)
&buffer[0], util.MustCast[uint32](len(buffer)), &length)
if status != windows.STATUS_SUCCESS {
return "", status
}
@ -104,7 +105,7 @@ func (a *api) GetObjectName(handle windows.Handle) (string, error) {
var length uint32
status := ntQueryObject(handle, ObjectNameInformationClass,
&buffer[0], uint32(len(buffer)), &length)
&buffer[0], util.MustCast[uint32](len(buffer)), &length)
if status != windows.STATUS_SUCCESS {
return "", status
}
@ -121,7 +122,7 @@ func (a *api) QuerySystemExtendedHandleInformation() ([]SystemHandleInformationE
status = ntQuerySystemInformation(
windows.SystemExtendedHandleInformation,
unsafe.Pointer(&buffer[0]),
uint32(len(buffer)),
util.MustCast[uint32](len(buffer)),
&retLen,
)

View File

@ -40,16 +40,16 @@ type Extractor struct {
VerboseLogging bool
}
func (e *Extractor) GetContainerID(pid int, log hclog.Logger) (string, error) {
func (e *Extractor) GetContainerID(pid int32, log hclog.Logger) (string, error) {
_, containerID, err := e.extractInfo(pid, log, false)
return containerID, err
}
func (e *Extractor) GetPodUIDAndContainerID(pid int, log hclog.Logger) (types.UID, string, error) {
func (e *Extractor) GetPodUIDAndContainerID(pid int32, log hclog.Logger) (types.UID, string, error) {
return e.extractInfo(pid, log, true)
}
func (e *Extractor) extractInfo(pid int, log hclog.Logger, extractPodUID bool) (types.UID, string, error) {
func (e *Extractor) extractInfo(pid int32, log hclog.Logger, extractPodUID bool) (types.UID, string, error) {
// Try to get the information from /proc/pid/mountinfo first. Otherwise,
// fall back to /proc/pid/cgroup. If it isn't in mountinfo, then the
// workload being attested likely originates in the same Pod as the agent.
@ -74,7 +74,7 @@ func (e *Extractor) extractInfo(pid int, log hclog.Logger, extractPodUID bool) (
return podUID, containerID, nil
}
func (e *Extractor) extractPodUIDAndContainerIDFromMountInfo(pid int, log hclog.Logger, extractPodUID bool) (types.UID, string, error) {
func (e *Extractor) extractPodUIDAndContainerIDFromMountInfo(pid int32, log hclog.Logger, extractPodUID bool) (types.UID, string, error) {
mountInfoPath := filepath.Join(e.RootDir, "/proc", fmt.Sprint(pid), "mountinfo")
mountInfos, err := mount.ParseMountInfo(mountInfoPath)
@ -122,8 +122,8 @@ func (e *Extractor) extractPodUIDAndContainerIDFromMountInfo(pid int, log hclog.
return ex.PodUID(), ex.ContainerID(), nil
}
func (e *Extractor) extractPodUIDAndContainerIDFromCGroups(pid int, log hclog.Logger, extractPodUID bool) (types.UID, string, error) {
cgroups, err := cgroups.GetCgroups(int32(pid), dirFS(e.RootDir))
func (e *Extractor) extractPodUIDAndContainerIDFromCGroups(pid int32, log hclog.Logger, extractPodUID bool) (types.UID, string, error) {
cgroups, err := cgroups.GetCgroups(pid, dirFS(e.RootDir))
if err != nil {
if errors.Is(err, fs.ErrNotExist) {
return "", "", nil

View File

@ -73,12 +73,6 @@ func RequireToPluginFromCertificates(x509Certificates []*x509.Certificate) []*pl
return pbs
}
func RequireToPluginFromCertificate(x509Certificate *x509.Certificate) *plugintypes.X509Certificate {
pb, err := ToPluginFromCertificate(x509Certificate)
panicOnError(err)
return pb
}
func panicOnError(err error) {
if err != nil {
panic(err)

View File

@ -101,7 +101,7 @@ func (m *DiskCertManager) syncCertificateFiles() {
return
}
if certFileInfo.ModTime() != m.certLastModified || keyFileInfo.ModTime() != m.keyLastModified {
if !certFileInfo.ModTime().Equal(m.certLastModified) || !keyFileInfo.ModTime().Equal(m.keyLastModified) {
m.log.Info("File change detected, reloading certificate and key...")
if err := m.loadCert(); err != nil {

Some files were not shown because too many files have changed in this diff Show More