spiffe / spire-api-sdk Goto Github PK

SPIRE API Service Definitions

License: Apache License 2.0

Makefile 100.00%

spire-api-sdk's Introduction

The Secure Production Identity Framework For Everyone (SPIFFE) Project defines a framework and set of standards for identifying and securing communications between application services. At its core, SPIFFE is:

A standard defining how services identify themselves to each other. These are called SPIFFE IDs and are implemented as Uniform Resource Identifiers (URIs).
A standard for encoding SPIFFE IDs in a cryptographically-verifiable document called a SPIFFE Verifiable Identity Document or SVIDs.
An API specification for issuing and/or retrieving SVIDs. This is the Workload API.

The SPIFFE Project has a reference implementation, the SPIRE (the SPIFFE Runtime Environment), that in addition to the above, it:

Performs node and workload attestation.
Implements a signing framework for securely issuing and renewing SVIDs.
Provides an API for registering nodes and workloads, along with their designated SPIFFE IDs.
Provides and manages the rotation of keys and certs for mutual authentication and encryption between workloads.
Simplifies access from identified services to secret stores, databases, services meshes and cloud provider services.
Interoperability and federation to SPIFFE compatible systems across heterogeneous environments and administrative trust boundaries.

SPIFFE is a graduated project of the Cloud Native Computing Foundation (CNCF). If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF.

SPIFFE Standards

Getting Started

spiffe: This repository includes the SPIFFE ID, SVID and Workload API specifications, example code, and tests, as well as project governance, policies, and processes.
spire: This is a reference implementation of SPIFFE and the SPIFFE Workload API that can be run on and across varying hosting environments.
go-spiffe: Golang client libraries.
java-spiffe: Java client libraries

Communications

Slack (Join here).
[email protected] (View or join here).
[email protected] (View or join here).
[email protected] (View or join here).

Contribute

SIGs & Working Groups

Most community activity is organized into Special Interest Groups (SIGs), time-bounded working groups, and our monthly community-wide meetings. SIGs follow these guidelines, although each may operate differently depending on their needs and workflows. Each group's material can be found in the /community directory of this repository.

Name	Lead	Group	Slack Channel	Meetings
SIG-Community	Umair Khan (HPE)	Here	Here	Notes
SIG-Spec	Evan Gilman (VMware)	Here	Here	Notes
SIG-SPIRE	Daniel Feldman (HPE)	Here	Here	Notes

Follow the SPIFFE Project You can find us on Github and Twitter.

SPIFFE SSC

The SPIFFE Steering Committee meets on a regular cadence to review project progress, address maintainer needs, and provide feedback on strategic direction and industry trends. Community members interested in joining this call can find details below.

Calendar: iCal or Browser-based
Meeting Notes: Google Doc
Call Details: Zoom Link

To contact the SSC privately, please send an email to [email protected].

spire-api-sdk's People

Contributors

Stargazers

Watchers

spire-api-sdk's Issues

Create a protobuf for a new privileged API on SPIRE Agent

Pursuant to spiffe/spire#2246, we need a new API for privileged platform components to interact with SPIRE Agent for the purpose of delegated SVID management.

There are many possible shapes here, and given the use cases I've seen before I can think of at least a few. That said, there is one immediate need that is clear. I suggest we start with just one or two RPCs, the minimum to meet the use case at hand, knowing that we will likely add more RPCs in the future as additional integration work arises.

Add UDS API for post-launch log level tuning.

see spiffe/spire#4785

This commit introduces:

New Data Types

Logger : a representation of a logger
- name : the logger's name, empty for the root logger
- current_level : the current log level of the logger
- default_level : the log level of the logger configured
  in the application's config file
LoggerMask : which Logger fields must be populated on a
query response
- current_level : populate the current log level
- default_level : populate the default log level

Single Logger Operations:

GetLogger : Fetches the log level of the logger
- Input: name, the logger name
  (optional, unset is root logger)
- Input: output_mask, the desired logger output fields
  (optional, unset is all fields)
- Output: a Logger record
AdjustLogger : Changes the log level of the logger
- Input: name, the logger name
  (optional, unset is the root logger)
- Input: log_level, the logger's new LogLevel
  (required)
- Output: none

Plural Logger Operations:

CountLoggers : Returns the number of loggers
- Input: none
- Output: the number of loggers
ListLoggers : Show Logger details for a number of loggers
- Input: filter, the control over which loggers are returned.
  (optional, unset is the root logger with all sub-loggers)
  - filter.by_name : the name of the logger forming the root
    of the returned loggers
  - filter.with_subloggers : a flag indicating if sub-loggers
    are to be included in the response
- Input: output_mask, the fields to be returned in the output
  - output_mask.current_level : show the current log level of
    the logger
  - output_mask.default_level : show the log level of the logger
    configured in the process config
    file

Support a prune RPC in the SPIRE Server's Agent API

SPIRE PR spiffe/spire#3982 added a spire-server CLI command for pruning old agents out of the database. That work does client-side filtering of agents to determine which need pruning. During review, this was flagged and we agreed that the prune logic is best handled server-side.

Introduce and implement a new RPC to support this server-side prune feature

Hopes to add some test cases

Document expected status codes in API documentation

The Server and Agent APIs currently provide only a short description of the purpose of each RPC with documentation of each request/response field. It would be helpful to API clients to also be able to see all the expected gRPC status codes for each RPC, with a description of the cases in which each status code is returned. Clients need to understand why a particular status code would be returned so they can determine how to handle it. API dashboards and alerting also need to be built around these status codes.

Documenting the expected RPC status codes in the protobuf presents the following advantages:

One place for all information you need as a consumer of SPIRE APIs. Right now, to discover the returned status codes requires studying the implementation of the APIs. This is not always easy to do because it requires examining middleware and API handler code.
Establishes expected status codes explicitly as part of the API contract. This will help catch potential API regressions that may break client consumption/alerting.