package server
import (
"context"
"crypto/x509/pkix"
"net"
"time"
"github.com/spiffe/go-spiffe/v2/spiffeid"
common "github.com/spiffe/spire/pkg/common/catalog"
"github.com/spiffe/spire/pkg/common/health"
"github.com/spiffe/spire/pkg/common/telemetry"
loggerv1 "github.com/spiffe/spire/pkg/server/api/logger/v1"
"github.com/spiffe/spire/pkg/server/authpolicy"
bundle_client "github.com/spiffe/spire/pkg/server/bundle/client"
"github.com/spiffe/spire/pkg/server/endpoints"
"github.com/spiffe/spire/pkg/server/endpoints/bundle"
"github.com/spiffe/spire/pkg/server/plugin/keymanager"
)
// Config holds the fully resolved configuration for a SPIRE Server instance.
// It is built by the caller and handed to New, which stores it by value.
type Config struct {
	// PluginConfigs holds the configuration for each server plugin.
	PluginConfigs common.PluginConfigs
	// Log is the logger used by the server.
	Log loggerv1.Logger
	// LogReopener facilitates handling a signal to rotate the log file.
	LogReopener func(context.Context) error
	// AuditLogEnabled, if true, enables audit logs.
	AuditLogEnabled bool
	// BindAddress is the TCP address of the SPIRE Server.
	BindAddress *net.TCPAddr
	// BindLocalAddress is the address used to reach the SPIRE Server locally.
	BindLocalAddress net.Addr
	// DataDir is the directory used to store runtime data.
	DataDir string
	// TrustDomain is the trust domain this server serves.
	TrustDomain spiffeid.TrustDomain
	// Experimental groups settings that are not yet considered stable.
	Experimental ExperimentalConfig
	// ProfilingEnabled, if true, enables profiling.
	ProfilingEnabled bool
	// ProfilingPort is the port used by the pprof web server when
	// ProfilingEnabled == true. The pprof server is a diagnostic interface
	// and should only be reachable from trusted networks.
	ProfilingPort int
	// ProfilingFreq is the frequency in seconds at which each profile file
	// is generated.
	ProfilingFreq int
	// ProfilingNames lists the profile names generated on each profiling tick.
	ProfilingNames []string
	// AgentTTL is the time-to-live for agent SVIDs.
	AgentTTL time.Duration
	// X509SVIDTTL is the default time-to-live for X509-SVIDs (overrides SVIDTTL).
	// NOTE(review): SVIDTTL is not a field of this struct; presumably it refers
	// to a legacy setting resolved by the caller — confirm.
	X509SVIDTTL time.Duration
	// JWTSVIDTTL is the default time-to-live for JWT-SVIDs (overrides SVIDTTL).
	JWTSVIDTTL time.Duration
	// CATTL is the time-to-live for the server CA. This only applies to
	// self-signed CA certificates, otherwise it is up to the upstream CA.
	CATTL time.Duration
	// JWTIssuer is used as the issuer claim in JWT-SVIDs minted by the server.
	// If unset, the JWT-SVID will not have an issuer claim.
	JWTIssuer string
	// CASubject is the subject used in the CA certificate.
	CASubject pkix.Name
	// Telemetry provides the configuration for metrics exporting.
	Telemetry telemetry.FileConfig
	// HealthChecks provides the configuration for health monitoring.
	HealthChecks health.Config
	// CAKeyType is the key type used for the X509 and JWT signing keys.
	CAKeyType keymanager.KeyType
	// JWTKeyType is the key type used for JWT signing keys.
	// NOTE(review): how this interacts with CAKeyType for JWT keys is not
	// visible here; presumably JWTKeyType takes precedence when set — confirm.
	JWTKeyType keymanager.KeyType
	// Federation holds the configuration needed to federate with other
	// trust domains.
	Federation FederationConfig
	// RateLimit holds rate limiting configurations.
	RateLimit endpoints.RateLimitConfig
	// CacheReloadInterval controls how often the in-memory entry cache reloads.
	CacheReloadInterval time.Duration
	// EventsBasedCache enables event driven cache reloads.
	EventsBasedCache bool
	// PruneEventsOlderThan controls how long events can live before they are pruned.
	PruneEventsOlderThan time.Duration
	// AuthOpaPolicyEngineConfig determines the config for the OPA authz policy
	// engine. It is a pointer; a nil value is presumably treated as "not
	// configured" by the consumer — confirm.
	AuthOpaPolicyEngineConfig *authpolicy.OpaEngineConfig
	// AdminIDs are a list of fixed IDs that when presented by a caller in an
	// X509-SVID, are granted admin rights. Each entry is a standing grant of
	// administrative privilege, so the list should be kept minimal and reviewed.
	AdminIDs []spiffeid.ID
	// ExcludeSNFromCASubject is a temporary flag to allow disabling the
	// inclusion of the serial number in the X509 CA's Subject field.
	ExcludeSNFromCASubject bool
}
// ExperimentalConfig groups experimental server settings. It currently has
// no fields; it exists so that Config.Experimental keeps a stable shape.
type ExperimentalConfig struct {
}
// FederationConfig holds everything the server needs to federate with other
// trust domains: how it serves its own bundle and which foreign bundles it
// fetches.
type FederationConfig struct {
	// BundleEndpoint contains the federation bundle endpoint configuration.
	// A nil value presumably means no bundle endpoint is served — confirm.
	BundleEndpoint *bundle.EndpointConfig
	// FederatesWith holds the federation configuration for trust domains this
	// server federates with, keyed by the foreign trust domain.
	FederatesWith map[spiffeid.TrustDomain]bundle_client.TrustDomainConfig
}
// New constructs a Server that will run with the supplied configuration.
// The Config is stored by value (a shallow copy), so later changes to the
// caller's copy of the struct itself do not affect the returned Server.
func New(config Config) *Server {
	var srv Server
	srv.config = config
	return &srv
}