Merge branch 'main' into expand-escape

spiffe · Oct 17, 2024 · 36708f6 · 36708f6
2 parents 506e55f + c8d35fe
commit 36708f6
Show file tree

Hide file tree

Showing 3 changed files with 123 additions and 2 deletions.
diff --git a/doc/spire_server.md b/doc/spire_server.md
@@ -659,6 +659,122 @@ Mints a JWT-SVID.
 | `-ttl` | The TTL of the JWT-SVID | First non-zero value from `Entry.jwt_svid_ttl`, `Entry.ttl`, `default_jwt_svid_ttl`, `5m` |
 | `-write` | File to write token to instead of stdout | |
 
+### `spire-server localauthority jwt activate`
+
+Activates a prepared JWT authority for use, which will cause it to be used for all JWT signing operations serviced by this server going forward.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-authorityID` | The authority ID of the JWT authority to activate | |
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority jwt prepare`
+
+Prepares a new JWT authority for use by generating a new key and injecting it into the bundle.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority jwt revoke`
+
+Revokes the previously active JWT authority by removing it from the bundle and propagating this update throughout the cluster.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-authorityID` | The authority ID of the JWT authority to revoke | |
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority jwt show`
+
+Shows the local JWT authorities.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority jwt taint`
+
+Marks the previously active JWT authority as being tainted.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-authorityID` | The authority ID of the JWT authority to taint | |
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority x509 activate`
+
+Activates a prepared X.509 authority for use, which will cause it to be used for all X.509 signing operations serviced by this server going forward.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-authorityID` | The authority ID of the X.509 authority to activate | |
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority x509 prepare`
+
+Prepares a new X.509 authority for use by generating a new key and injecting the resulting CA certificate into the bundle.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority x509 revoke`
+
+Revokes the previously active X.509 authority by removing it from the bundle and propagating this update throughout the cluster.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-authorityID` | The authority ID of the X.509 authority to revoke | |
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority x509 show`
+
+Shows the local X.509 authorities.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server localauthority x509 taint`
+
+Marks the previously active X.509 authority as being tainted.
+
+| Command | Action | Default |
+|:---------------|:----------------------------------------------------|:-----------------------------------|
+| `-authorityID` | The authority ID of the X.509 authority to taint | |
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+
+### `spire-server upstreamauthority revoke`
+
+Revokes the previously active X.509 upstream authority by removing it from the bundle and propagating this update throughout the cluster.
+
+| Command | Action | Default |
+|:----------------|:-----------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+| `-subjectKeyID` | The X.509 Subject Key Identifier (or SKID) of the authority's CA certificate of the X.509 upstream authority to revoke | |
+
+### `spire-server upstreamauthority taint`
+
+Marks the provided X.509 upstream authority as being tainted.
+
+| Command | Action | Default |
+|:----------------|:-----------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
+| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
+| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
+| `-subjectKeyID` | The X.509 Subject Key Identifier (or SKID) of the authority's CA certificate of the upstream X.509 authority to taint | |
+
 ## JSON object for `-data`
 
 A JSON object passed to `-data` for `entry create/update` expects the following form:

diff --git a/doc/telemetry/telemetry.md b/doc/telemetry/telemetry.md
@@ -81,12 +81,17 @@ The following metrics are emitted:
 | Call Counter | `agent_svid`, `rotate` | | The Agent's SVID is being rotated. |
 | Sample | `cache_manager`, `expiring_svids` | | The number of expiring SVIDs that the Cache Manager has. |
 | Sample | `cache_manager`, `outdated_svids` | | The number of outdated SVIDs that the Cache Manager has. |
+| Sample | `cache_manager`, `tainted_jwt_svids`, `workload` | | The number of tainted JWT-SVIDs according to the agent cache manager. |
+| Sample | `cache_manager`, `tainted_x509_svids`, `workload` | | The number of tainted X509-SVIDs according to the agent cache manager. |
 | Counter | `lru_cache_entry_add` | | The number of entries added to the LRU cache. |
 | Counter | `lru_cache_entry_remove` | | The number of entries removed from the LRU cache. |
 | Counter | `lru_cache_entry_update` | | The number of entries updated in the LRU cache. |
 | Call Counter | `manager`, `sync`, `fetch_entries_updates` | | The Sync Manager is fetching entries updates. |
 | Call Counter | `manager`, `sync`, `fetch_svids_updates` | | The Sync Manager is fetching SVIDs updates. |
 | Call Counter | `node`, `attestor`, `new_svid` | | The Node Attestor is calling to get an SVID. |
+| Call Counter | `cache_manager`, `workload`, `process_tainted_jwt_svids` | | The Sync Manager is processing tainted JWTSVIDs. |
+| Call Counter | `cache_manager`, `workload`, `process_tainted_x509_svids` | | The Sync Manager is processing tainted X.509 SVIDs. |
+| Call Counter | `cache_manager`, `svid_store`, `process_tainted_x509_svids` | | The Sync Manager is processing tainted X.509 SVIDs in the SVID store cache. |
 | Gauge | `lru_cache_record_map_size` | | The total number of entries in the LRU cache records map. |
 | Counter | `sds_api`, `connections` | | The SDS API has successfully established a connection. |
 | Gauge | `sds_api`, `connections` | | The number of active connection that the SDS API has. |

diff --git a/pkg/common/telemetry/agent/manager.go b/pkg/common/telemetry/agent/manager.go
@@ -51,7 +51,7 @@ func AddCacheManagerOutdatedSVIDsSample(m telemetry.Metrics, cacheType string, c
  m.AddSample(key, count)
 }
 
-// AddCacheManagerTaintedX509SVIDsSample count of tainted SVIDs according to
+// AddCacheManagerTaintedX509SVIDsSample count of tainted X509-SVIDs according to
 // agent cache manager
 func AddCacheManagerTaintedX509SVIDsSample(m telemetry.Metrics, cacheType string, count float32) {
  key := []string{telemetry.CacheManager, telemetry.TaintedX509SVIDs}
@@ -61,7 +61,7 @@ func AddCacheManagerTaintedX509SVIDsSample(m telemetry.Metrics, cacheType string
  m.AddSample(key, count)
 }
 
-// AddCacheManagerTaintedJWTSVIDsSample count of tainted SVIDs according to
+// AddCacheManagerTaintedJWTSVIDsSample count of tainted JWT-SVIDs according to
 // agent cache manager
 func AddCacheManagerTaintedJWTSVIDsSample(m telemetry.Metrics, cacheType string, count float32) {
  key := []string{telemetry.CacheManager, telemetry.TaintedJWTSVIDs}