diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 00000000..a4e4d549 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,7 @@ +root = true + +[*.{yaml,yml}] +indent_size = 4 + +[*.py] +indent_size = 4 diff --git a/.gitignore b/.gitignore index c4772154..ac34c48f 100644 --- a/.gitignore +++ b/.gitignore @@ -13,4 +13,5 @@ node_modules/ # Temporal content checkouts/ -static/img/checkouts/ \ No newline at end of file +static/img/checkouts/ +data/releases.yaml diff --git a/CODEOWNERS b/CODEOWNERS index d97c27f5..3b730b3e 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @sanderson042 @mchurichi @ajessup @drrt @evan2645 @umairmkhan +* @sanderson042 @mchurichi @ajessup @Andres-GC @evan2645 @umairmkhan diff --git a/Dockerfile.linkchecker b/Dockerfile.linkchecker new file mode 100644 index 00000000..70c960c7 --- /dev/null +++ b/Dockerfile.linkchecker @@ -0,0 +1,9 @@ +FROM python:3.7-alpine + +ENV HOME /tmp + +RUN pip install linkchecker + +ADD linkcheckerrc . + +ENTRYPOINT [ "linkchecker" ] diff --git a/Makefile b/Makefile index 5e2a3ffe..e982cbf5 100644 --- a/Makefile +++ b/Makefile @@ -18,12 +18,12 @@ serve-with-releases: --buildFuture \ --disableFastRender -production-build: pull-external-content +production-build: ci-check-links hugo \ --gc \ --ignoreCache -preview-build: pull-external-content +preview-build: ci-check-links hugo \ --gc \ --ignoreCache \ @@ -49,4 +49,22 @@ docker-serve-with-releases: docker-build spiffe.io:latest pull-external-content: - python ./pull_external.py \ No newline at end of file + python ./pull_external.py + +ci-check-links: pull-external-content + echo "Running Hugo server..." && \ + hugo server -p 1212 & \ + sleep 2 && \ + echo "Running links checker..." && \ + linkchecker -f linkcheckerrc http://localhost:1212; \ + echo "Stopping Hugo server..." && \ + pkill hugo + +check-links: + pipenv run linkchecker -f linkcheckerrc http://localhost:1313 + +docker-check-links-build: + docker build -f Dockerfile.linkchecker -t linkchecker . + +docker-check-links: docker-check-links-build + docker run --rm -it -u $(shell id -u):$(shell id -g) --net host linkchecker -f linkcheckerrc http://localhost:1313 diff --git a/Pipfile b/Pipfile index 31728832..111c0afc 100644 --- a/Pipfile +++ b/Pipfile @@ -12,6 +12,8 @@ argh = "*" [packages] pyyaml = "~=5.3" toml = "~=0.10.1" +requests = "~=2.25.1" +linkchecker = "~=10.0.1" [requires] python_version = "3.7" diff --git a/Pipfile.lock b/Pipfile.lock index ec9a9b20..c76cae3c 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "001544007f6d775205f087d9c37f67ed0325de1736d345a917486f9f072cb3ed" + "sha256": "9dde01aa10154bcff3ca47f5c85002ca026da6d29d79b583795c39bc621e10b1" }, "pipfile-spec": 6, "requires": { @@ -16,30 +16,126 @@ ] }, "default": { + "beautifulsoup4": { + "hashes": [ + "sha256:4c98143716ef1cb40bf7f39a8e3eec8f8b009509e74904ba3a7b315431577e35", + "sha256:84729e322ad1d5b4d25f805bfa05b902dd96450f43842c4e99067d5e1369eb25", + "sha256:fff47e031e34ec82bf17e00da8f592fe7de69aeea38be00523c04623c04fb666" + ], + "version": "==4.9.3" + }, + "certifi": { + "hashes": [ + "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", + "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + ], + "version": "==2021.5.30" + }, + "chardet": { + "hashes": [ + "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", + "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==4.0.0" + }, + "dnspython": { + "hashes": [ + "sha256:95d12f6ef0317118d2a1a6fc49aac65ffec7eb8087474158f42f26a639135216", + "sha256:e4a87f0b573201a0f3727fa18a516b055fd1107e0e5477cded4a2de497df1dd4" + ], + "markers": "python_version >= '3.6'", + "version": "==2.1.0" + }, + "idna": { + "hashes": [ + "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", + "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==2.10" + }, + "linkchecker": { + "hashes": [ + "sha256:9440dab68d40225160724f87238f2cfb59174a8280695f37e1c18a277e0361f2", + "sha256:97039d8ef166fc6313816f853bdf7d4a98243d3c3d4953eedda339c5d0072b20" + ], + "index": "pypi", + "version": "==10.0.1" + }, + "pyxdg": { + "hashes": [ + "sha256:2d6701ab7c74bbab8caa6a95e0a0a129b1643cf6c298bf7c569adec06d0709a0", + "sha256:80bd93aae5ed82435f20462ea0208fb198d8eec262e831ee06ce9ddb6b91c5a5" + ], + "version": "==0.27" + }, "pyyaml": { "hashes": [ - "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97", - "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76", - "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2", - "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648", - "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf", - "sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f", - "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2", - "sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee", - "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d", - "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c", - "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a" + "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", + "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", + "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", + "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", + "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", + "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", + "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", + "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", + "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", + "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", + "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", + "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", + "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347", + "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", + "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541", + "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", + "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", + "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc", + "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", + "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa", + "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", + "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122", + "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", + "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", + "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", + "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc", + "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247", + "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6", + "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0" + ], + "index": "pypi", + "version": "==5.4.1" + }, + "requests": { + "hashes": [ + "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", + "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" ], "index": "pypi", - "version": "==5.3.1" + "version": "==2.25.1" + }, + "soupsieve": { + "hashes": [ + "sha256:052774848f448cf19c7e959adf5566904d525f33a3f8b6ba6f6f8f26ec7de0cc", + "sha256:c2c1c2d44f158cdbddab7824a9af8c4f83c76b1e23e049479aa432feb6c4c23b" + ], + "markers": "python_version >= '3.0'", + "version": "==2.2.1" }, "toml": { "hashes": [ - "sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f", - "sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88" + "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", + "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f" ], "index": "pypi", - "version": "==0.10.1" + "version": "==0.10.2" + }, + "urllib3": { + "hashes": [ + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", + "version": "==1.26.5" } }, "develop": { @@ -60,26 +156,35 @@ }, "black": { "hashes": [ - "sha256:1c02557aa099101b9d21496f8a914e9ed2222ef70336404eeeac8edba836fbea" + "sha256:1fc0e0a2c8ae7d269dfcf0c60a89afa299664f3e811395d40b1922dff8f854b5", + "sha256:e5cf21ebdffc7a9b29d73912b6a6a9a4df4ce70220d523c21647da2eae0751ef" ], "index": "pypi", - "version": "==20.8b1" + "version": "==21.5b2" }, "click": { "hashes": [ - "sha256:d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a", - "sha256:dacca89f4bfadd5de3d7489b7c8a566eee0d3676333fbb50030263894c38c0dc" + "sha256:8c04c11192119b1ef78ea049e0a6f0463e4c48ef00a30160c704337586f3ad7a", + "sha256:fba402a4a47334742d782209a7c79bc448911afe1149d07bdabdf480b3e2f4b6" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==7.1.2" + "markers": "python_version >= '3.6'", + "version": "==8.0.1" }, "flake8": { "hashes": [ - "sha256:749dbbd6bfd0cf1318af27bf97a14e28e5ff548ef8e5b1566ccfb25a11e7c839", - "sha256:aadae8761ec651813c24be05c6f7b4680857ef6afaae4651a4eccaef97ce6c3b" + "sha256:07528381786f2a6237b061f6e96610a4167b226cb926e2aa2b6b1d78057c576b", + "sha256:bf8fd333346d844f616e8d47905ef3a3384edae6b4e9beb0c5101e25e3110907" ], "index": "pypi", - "version": "==3.8.4" + "version": "==3.9.2" + }, + "importlib-metadata": { + "hashes": [ + "sha256:960d52ba7c21377c990412aca380bf3642d734c2eaab78a2c39319f67c6a5786", + "sha256:e592faad8de1bda9fe920cf41e15261e7131bcf266c30306eec00e8e225c1dd5" + ], + "markers": "python_version < '3.8' and python_version < '3.8'", + "version": "==4.4.0" }, "mccabe": { "hashes": [ @@ -97,113 +202,156 @@ }, "pathspec": { "hashes": [ - "sha256:7d91249d21749788d07a2d0f94147accd8f845507400749ea19c1ec9054a12b0", - "sha256:da45173eb3a6f2a5a487efba21f050af2b41948be6ab52b6a1e3ff22bb8b7061" - ], - "version": "==0.8.0" - }, - "pathtools": { - "hashes": [ - "sha256:7c35c5421a39bb82e58018febd90e3b6e5db34c5443aaaf742b3f33d4655f1c0" + "sha256:86379d6b86d75816baba717e64b1a3a3469deb93bb76d613c9ce79edc5cb68fd", + "sha256:aa0cb481c4041bf52ffa7b0d8fa6cd3e88a2ca4879c533c9153882ee2556790d" ], - "version": "==0.1.2" + "version": "==0.8.1" }, "pycodestyle": { "hashes": [ - "sha256:2295e7b2f6b5bd100585ebcb1f616591b652db8a741695b3d8f5d28bdc934367", - "sha256:c58a7d2815e0e8d7972bf1803331fb0152f867bd89adf8a01dfd55085434192e" + "sha256:514f76d918fcc0b55c6680472f0a37970994e07bbb80725808c17089be302068", + "sha256:c389c1d06bf7904078ca03399a4816f974a1d590090fecea0c63ec26ebaf1cef" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.6.0" + "version": "==2.7.0" }, "pyflakes": { "hashes": [ - "sha256:0d94e0e05a19e57a99444b6ddcf9a6eb2e5c68d3ca1e98e90707af8152c90a92", - "sha256:35b2d75ee967ea93b55750aa9edbbf72813e06a66ba54438df2cfac9e3c27fc8" + "sha256:7893783d01b8a89811dd72d7dfd4d84ff098e5eed95cfa8905b22bbffe52efc3", + "sha256:f5bc8ecabc05bb9d291eb5203d6810b49040f6ff446a756326104746cc00c1db" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.2.0" + "version": "==2.3.1" }, "regex": { "hashes": [ - "sha256:1a16afbfadaadc1397353f9b32e19a65dc1d1804c80ad73a14f435348ca017ad", - "sha256:2308491b3e6c530a3bb38a8a4bb1dc5fd32cbf1e11ca623f2172ba17a81acef1", - "sha256:39a5ef30bca911f5a8a3d4476f5713ed4d66e313d9fb6755b32bec8a2e519635", - "sha256:3d5a8d007116021cf65355ada47bf405656c4b3b9a988493d26688275fde1f1c", - "sha256:4302153abb96859beb2c778cc4662607a34175065fc2f33a21f49eb3fbd1ccd3", - "sha256:463e770c48da76a8da82b8d4a48a541f314e0df91cbb6d873a341dbe578efafd", - "sha256:46ab6070b0d2cb85700b8863b3f5504c7f75d8af44289e9562195fe02a8dd72d", - "sha256:4f5c0fe46fb79a7adf766b365cae56cafbf352c27358fda811e4a1dc8216d0db", - "sha256:60c4f64d9a326fe48e8738c3dbc068e1edc41ff7895a9e3723840deec4bc1c28", - "sha256:671c51d352cfb146e48baee82b1ee8d6ffe357c292f5e13300cdc5c00867ebfc", - "sha256:6cf527ec2f3565248408b61dd36e380d799c2a1047eab04e13a2b0c15dd9c767", - "sha256:7c4fc5a8ec91a2254bb459db27dbd9e16bba1dabff638f425d736888d34aaefa", - "sha256:850339226aa4fec04916386577674bb9d69abe0048f5d1a99f91b0004bfdcc01", - "sha256:8ba3efdd60bfee1aa784dbcea175eb442d059b576934c9d099e381e5a9f48930", - "sha256:8c8c42aa5d3ac9a49829c4b28a81bebfa0378996f9e0ca5b5ab8a36870c3e5ee", - "sha256:8e7ef296b84d44425760fe813cabd7afbb48c8dd62023018b338bbd9d7d6f2f0", - "sha256:a2a31ee8a354fa3036d12804730e1e20d58bc4e250365ead34b9c30bbe9908c3", - "sha256:a63907332531a499b8cdfd18953febb5a4c525e9e7ca4ac147423b917244b260", - "sha256:a8240df4957a5b0e641998a5d78b3c4ea762c845d8cb8997bf820626826fde9a", - "sha256:b8806649983a1c78874ec7e04393ef076805740f6319e87a56f91f1767960212", - "sha256:c077c9d04a040dba001cf62b3aff08fd85be86bccf2c51a770c77377662a2d55", - "sha256:c529ba90c1775697a65b46c83d47a2d3de70f24d96da5d41d05a761c73b063af", - "sha256:d537e270b3e6bfaea4f49eaf267984bfb3628c86670e9ad2a257358d3b8f0955", - "sha256:d629d750ebe75a88184db98f759633b0a7772c2e6f4da529f0027b4a402c0e2f", - "sha256:d9d53518eeed12190744d366ec4a3f39b99d7daa705abca95f87dd8b442df4ad", - "sha256:e490f08897cb44e54bddf5c6e27deca9b58c4076849f32aaa7a0b9f1730f2c20", - "sha256:f579caecbbca291b0fcc7d473664c8c08635da2f9b1567c22ea32311c86ef68c" - ], - "version": "==2020.10.11" + "sha256:01afaf2ec48e196ba91b37451aa353cb7eda77efe518e481707e0515025f0cd5", + "sha256:11d773d75fa650cd36f68d7ca936e3c7afaae41b863b8c387a22aaa78d3c5c79", + "sha256:18c071c3eb09c30a264879f0d310d37fe5d3a3111662438889ae2eb6fc570c31", + "sha256:1e1c20e29358165242928c2de1482fb2cf4ea54a6a6dea2bd7a0e0d8ee321500", + "sha256:281d2fd05555079448537fe108d79eb031b403dac622621c78944c235f3fcf11", + "sha256:314d66636c494ed9c148a42731b3834496cc9a2c4251b1661e40936814542b14", + "sha256:32e65442138b7b76dd8173ffa2cf67356b7bc1768851dded39a7a13bf9223da3", + "sha256:339456e7d8c06dd36a22e451d58ef72cef293112b559010db3d054d5560ef439", + "sha256:3916d08be28a1149fb97f7728fca1f7c15d309a9f9682d89d79db75d5e52091c", + "sha256:3a9cd17e6e5c7eb328517969e0cb0c3d31fd329298dd0c04af99ebf42e904f82", + "sha256:47bf5bf60cf04d72bf6055ae5927a0bd9016096bf3d742fa50d9bf9f45aa0711", + "sha256:4c46e22a0933dd783467cf32b3516299fb98cfebd895817d685130cc50cd1093", + "sha256:4c557a7b470908b1712fe27fb1ef20772b78079808c87d20a90d051660b1d69a", + "sha256:52ba3d3f9b942c49d7e4bc105bb28551c44065f139a65062ab7912bef10c9afb", + "sha256:563085e55b0d4fb8f746f6a335893bda5c2cef43b2f0258fe1020ab1dd874df8", + "sha256:598585c9f0af8374c28edd609eb291b5726d7cbce16be6a8b95aa074d252ee17", + "sha256:619d71c59a78b84d7f18891fe914446d07edd48dc8328c8e149cbe0929b4e000", + "sha256:67bdb9702427ceddc6ef3dc382455e90f785af4c13d495f9626861763ee13f9d", + "sha256:6d1b01031dedf2503631d0903cb563743f397ccaf6607a5e3b19a3d76fc10480", + "sha256:741a9647fcf2e45f3a1cf0e24f5e17febf3efe8d4ba1281dcc3aa0459ef424dc", + "sha256:7c2a1af393fcc09e898beba5dd59196edaa3116191cc7257f9224beaed3e1aa0", + "sha256:7d9884d86dd4dd489e981d94a65cd30d6f07203d90e98f6f657f05170f6324c9", + "sha256:90f11ff637fe8798933fb29f5ae1148c978cccb0452005bf4c69e13db951e765", + "sha256:919859aa909429fb5aa9cf8807f6045592c85ef56fdd30a9a3747e513db2536e", + "sha256:96fcd1888ab4d03adfc9303a7b3c0bd78c5412b2bfbe76db5b56d9eae004907a", + "sha256:97f29f57d5b84e73fbaf99ab3e26134e6687348e95ef6b48cfd2c06807005a07", + "sha256:980d7be47c84979d9136328d882f67ec5e50008681d94ecc8afa8a65ed1f4a6f", + "sha256:a91aa8619b23b79bcbeb37abe286f2f408d2f2d6f29a17237afda55bb54e7aac", + "sha256:ade17eb5d643b7fead300a1641e9f45401c98eee23763e9ed66a43f92f20b4a7", + "sha256:b9c3db21af35e3b3c05764461b262d6f05bbca08a71a7849fd79d47ba7bc33ed", + "sha256:bd28bc2e3a772acbb07787c6308e00d9626ff89e3bfcdebe87fa5afbfdedf968", + "sha256:bf5824bfac591ddb2c1f0a5f4ab72da28994548c708d2191e3b87dd207eb3ad7", + "sha256:c0502c0fadef0d23b128605d69b58edb2c681c25d44574fc673b0e52dce71ee2", + "sha256:c38c71df845e2aabb7fb0b920d11a1b5ac8526005e533a8920aea97efb8ec6a4", + "sha256:ce15b6d103daff8e9fee13cf7f0add05245a05d866e73926c358e871221eae87", + "sha256:d3029c340cfbb3ac0a71798100ccc13b97dddf373a4ae56b6a72cf70dfd53bc8", + "sha256:e512d8ef5ad7b898cdb2d8ee1cb09a8339e4f8be706d27eaa180c2f177248a10", + "sha256:e8e5b509d5c2ff12f8418006d5a90e9436766133b564db0abaec92fd27fcee29", + "sha256:ee54ff27bf0afaf4c3b3a62bcd016c12c3fdb4ec4f413391a90bd38bc3624605", + "sha256:fa4537fb4a98fe8fde99626e4681cc644bdcf2a795038533f9f711513a862ae6", + "sha256:fd45ff9293d9274c5008a2054ecef86a9bfe819a67c7be1afb65e69b405b3042" + ], + "version": "==2021.4.4" }, "toml": { "hashes": [ - "sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f", - "sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88" + "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", + "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f" ], "index": "pypi", - "version": "==0.10.1" + "version": "==0.10.2" }, "typed-ast": { "hashes": [ - "sha256:0666aa36131496aed8f7be0410ff974562ab7eeac11ef351def9ea6fa28f6355", - "sha256:0c2c07682d61a629b68433afb159376e24e5b2fd4641d35424e462169c0a7919", - "sha256:249862707802d40f7f29f6e1aad8d84b5aa9e44552d2cc17384b209f091276aa", - "sha256:24995c843eb0ad11a4527b026b4dde3da70e1f2d8806c99b7b4a7cf491612652", - "sha256:269151951236b0f9a6f04015a9004084a5ab0d5f19b57de779f908621e7d8b75", - "sha256:4083861b0aa07990b619bd7ddc365eb7fa4b817e99cf5f8d9cf21a42780f6e01", - "sha256:498b0f36cc7054c1fead3d7fc59d2150f4d5c6c56ba7fb150c013fbc683a8d2d", - "sha256:4e3e5da80ccbebfff202a67bf900d081906c358ccc3d5e3c8aea42fdfdfd51c1", - "sha256:6daac9731f172c2a22ade6ed0c00197ee7cc1221aa84cfdf9c31defeb059a907", - "sha256:715ff2f2df46121071622063fc7543d9b1fd19ebfc4f5c8895af64a77a8c852c", - "sha256:73d785a950fc82dd2a25897d525d003f6378d1cb23ab305578394694202a58c3", - "sha256:8c8aaad94455178e3187ab22c8b01a3837f8ee50e09cf31f1ba129eb293ec30b", - "sha256:8ce678dbaf790dbdb3eba24056d5364fb45944f33553dd5869b7580cdbb83614", - "sha256:aaee9905aee35ba5905cfb3c62f3e83b3bec7b39413f0a7f19be4e547ea01ebb", - "sha256:bcd3b13b56ea479b3650b82cabd6b5343a625b0ced5429e4ccad28a8973f301b", - "sha256:c9e348e02e4d2b4a8b2eedb48210430658df6951fa484e59de33ff773fbd4b41", - "sha256:d205b1b46085271b4e15f670058ce182bd1199e56b317bf2ec004b6a44f911f6", - "sha256:d43943ef777f9a1c42bf4e552ba23ac77a6351de620aa9acf64ad54933ad4d34", - "sha256:d5d33e9e7af3b34a40dc05f498939f0ebf187f07c385fd58d591c533ad8562fe", - "sha256:fc0fea399acb12edbf8a628ba8d2312f583bdbdb3335635db062fa98cf71fca4", - "sha256:fe460b922ec15dd205595c9b5b99e2f056fd98ae8f9f56b888e7a17dc2b757e7" - ], - "version": "==1.4.1" + "sha256:01ae5f73431d21eead5015997ab41afa53aa1fbe252f9da060be5dad2c730ace", + "sha256:067a74454df670dcaa4e59349a2e5c81e567d8d65458d480a5b3dfecec08c5ff", + "sha256:0fb71b8c643187d7492c1f8352f2c15b4c4af3f6338f21681d3681b3dc31a266", + "sha256:1b3ead4a96c9101bef08f9f7d1217c096f31667617b58de957f690c92378b528", + "sha256:2068531575a125b87a41802130fa7e29f26c09a2833fea68d9a40cf33902eba6", + "sha256:209596a4ec71d990d71d5e0d312ac935d86930e6eecff6ccc7007fe54d703808", + "sha256:2c726c276d09fc5c414693a2de063f521052d9ea7c240ce553316f70656c84d4", + "sha256:398e44cd480f4d2b7ee8d98385ca104e35c81525dd98c519acff1b79bdaac363", + "sha256:52b1eb8c83f178ab787f3a4283f68258525f8d70f778a2f6dd54d3b5e5fb4341", + "sha256:5feca99c17af94057417d744607b82dd0a664fd5e4ca98061480fd8b14b18d04", + "sha256:7538e495704e2ccda9b234b82423a4038f324f3a10c43bc088a1636180f11a41", + "sha256:760ad187b1041a154f0e4d0f6aae3e40fdb51d6de16e5c99aedadd9246450e9e", + "sha256:777a26c84bea6cd934422ac2e3b78863a37017618b6e5c08f92ef69853e765d3", + "sha256:95431a26309a21874005845c21118c83991c63ea800dd44843e42a916aec5899", + "sha256:9ad2c92ec681e02baf81fdfa056fe0d818645efa9af1f1cd5fd6f1bd2bdfd805", + "sha256:9c6d1a54552b5330bc657b7ef0eae25d00ba7ffe85d9ea8ae6540d2197a3788c", + "sha256:aee0c1256be6c07bd3e1263ff920c325b59849dc95392a05f258bb9b259cf39c", + "sha256:af3d4a73793725138d6b334d9d247ce7e5f084d96284ed23f22ee626a7b88e39", + "sha256:b36b4f3920103a25e1d5d024d155c504080959582b928e91cb608a65c3a49e1a", + "sha256:b9574c6f03f685070d859e75c7f9eeca02d6933273b5e69572e5ff9d5e3931c3", + "sha256:bff6ad71c81b3bba8fa35f0f1921fb24ff4476235a6e94a26ada2e54370e6da7", + "sha256:c190f0899e9f9f8b6b7863debfb739abcb21a5c054f911ca3596d12b8a4c4c7f", + "sha256:c907f561b1e83e93fad565bac5ba9c22d96a54e7ea0267c708bffe863cbe4075", + "sha256:cae53c389825d3b46fb37538441f75d6aecc4174f615d048321b716df2757fb0", + "sha256:dd4a21253f42b8d2b48410cb31fe501d32f8b9fbeb1f55063ad102fe9c425e40", + "sha256:dde816ca9dac1d9c01dd504ea5967821606f02e510438120091b84e852367428", + "sha256:f2362f3cb0f3172c42938946dbc5b7843c2a28aec307c49100c8b38764eb6927", + "sha256:f328adcfebed9f11301eaedfa48e15bdece9b519fb27e6a8c01aa52a17ec31b3", + "sha256:f8afcf15cc511ada719a88e013cec87c11aff7b91f019295eb4530f96fe5ef2f", + "sha256:fb1bbeac803adea29cedd70781399c99138358c26d05fcbd23c13016b7f5ec65" + ], + "markers": "python_version < '3.8'", + "version": "==1.4.3" }, "typing-extensions": { "hashes": [ - "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918", - "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c", - "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f" + "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", + "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", + "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" ], - "version": "==3.7.4.3" + "markers": "python_version < '3.8' and python_version < '3.8'", + "version": "==3.10.0.0" }, "watchdog": { "hashes": [ - "sha256:4214e1379d128b0588021880ccaf40317ee156d4603ac388b9adcf29165e0c04" + "sha256:0237db4d9024859bea27d0efb59fe75eef290833fd988b8ead7a879b0308c2db", + "sha256:104266a778906ae0e971368d368a65c4cd032a490a9fca5ba0b78c6c7ae11720", + "sha256:188145185c08c73c56f1478ccf1f0f0f85101191439679b35b6b100886ce0b39", + "sha256:1a62a4671796dc93d1a7262286217d9e75823c63d4c42782912d39a506d30046", + "sha256:255a32d44bbbe62e52874ff755e2eefe271b150e0ec240ad7718a62a7a7a73c4", + "sha256:3d6405681471ebe0beb3aa083998c4870e48b57f8afdb45ea1b5957cc5cf1014", + "sha256:4b219d46d89cfa49af1d73175487c14a318a74cb8c5442603fd13c6a5b418c86", + "sha256:581e3548159fe7d2a9f377a1fbcb41bdcee46849cca8ab803c7ac2e5e04ec77c", + "sha256:58ebb1095ee493008a7789d47dd62e4999505d82be89fc884d473086fccc6ebd", + "sha256:598d772beeaf9c98d0df946fbabf0c8365dd95ea46a250c224c725fe0c4730bc", + "sha256:668391e6c32742d76e5be5db6bf95c455fa4b3d11e76a77c13b39bccb3a47a72", + "sha256:6ef9fe57162c4c361692620e1d9167574ba1975ee468b24051ca11c9bba6438e", + "sha256:91387ee2421f30b75f7ff632c9d48f76648e56bf346a7c805c0a34187a93aab4", + "sha256:a42e6d652f820b2b94cd03156c62559a2ea68d476476dfcd77d931e7f1012d4a", + "sha256:a6471517315a8541a943c00b45f1d252e36898a3ae963d2d52509b89a50cb2b9", + "sha256:d34ce2261f118ecd57eedeef95fc2a495fc4a40b3ed7b3bf0bd7a8ccc1ab4f8f", + "sha256:edcd9ef3fd460bb8a98eb1fcf99941e9fd9f275f45f1a82cb1359ec92975d647" ], "index": "pypi", - "version": "==0.10.3" + "version": "==2.1.2" + }, + "zipp": { + "hashes": [ + "sha256:3607921face881ba3e026887d8150cca609d517579abe052ac81fc5aeffdbd76", + "sha256:51cb66cc54621609dd593d1787f286ee42a5c0adbb4b29abea5a63edc3e03098" + ], + "markers": "python_version >= '3.6'", + "version": "==3.4.1" } } } diff --git a/README.md b/README.md index 16e85ac6..211f18d6 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,26 @@ Web Server is available at //localhost:1313/ (bind address 0.0.0.0) The website is now available at [`http://localhost:1313`](http://localhost:1313). Changes in the Markdown files or the [external content descriptor file](./external.yaml) trigger a rebuild of the site. After the rebuild, the site is reloaded in your browser. +### Checking for broken links + +It is common that URLs you are pointing to get deprecated or moved somewhere else over time, leading to broken links on our website. + +In order to avoid this, there is a tool that lets you check whether there are broken links in the whole website or not. + +First, make sure you are serving the website locally using the `-with-releases` form of the script (`make docker-serve-with-releases` or `make serve-with-releases`), and that it is accessible at `http://localhost:1313`, then run the following command: + +```shell +make docker-check-links # if you are using Docker to serve the website +``` + +or + +```shell +make check-links # if you are using a local toolchain to serve the website +``` + +The tool will crawl your local website and report if there's any broken link on it. If there's any, and you can't create a PR to fix the link right away, please [file an issue on GitHub](https://github.com/spiffe/spiffe.io/issues/new) + ## Publishing the site The site is published automatically by [Netlify](https://netlify.com). Whenever you merge pull requests to `master`, the site is automatically built and published in about a minute. **There's no need to handle this manually**. diff --git a/assets/sass/custom.sass b/assets/sass/custom.sass index 575679f8..520f4a47 100644 --- a/assets/sass/custom.sass +++ b/assets/sass/custom.sass @@ -107,4 +107,7 @@ a code - color: $link \ No newline at end of file + color: $link + +.non-actionable + cursor: default diff --git a/config.toml b/config.toml index 500c84c0..ed241113 100644 --- a/config.toml +++ b/config.toml @@ -7,6 +7,7 @@ canonifyurls = true googleAnalytics = "UA-99605331-1" enableGitInfo = true publicUrl = "https://spiffe.io" +spireGitHubUrl = "https://github.com/spiffe/spire" [markup] [markup.tableOfContents] diff --git a/content/docs/latest/deploying/configuring.md b/content/docs/latest/deploying/configuring.md index 39825796..03e1575c 100644 --- a/content/docs/latest/deploying/configuring.md +++ b/content/docs/latest/deploying/configuring.md @@ -14,9 +14,9 @@ To customize the behavior of the SPIRE Server and SPIRE Agent to meet your appli The SPIRE Server and Agent are configured in a file called `server.conf` and `agent.conf` respectively. -By default the Server expects the configuration file to reside at `conf/server/server.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Server reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) for more information. +By default the Server expects the configuration file to reside at `conf/server/server.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Server reference](/docs/latest/deploying/spire_server/) for more information. -Similarly, the Agent expects this file to reside at `conf/agent/agent.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Agent reference](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md) for more information. +Similarly, the Agent expects this file to reside at `conf/agent/agent.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Agent reference](/docs/latest/deploying/spire_agent/) for more information. The configuration file is loaded once when the Server or Agent is started. If the configuration file for either is modified, the Server or Agent must be restarted for the configuration to take effect. @@ -65,7 +65,7 @@ Your choice of node attestation method determines which node-attestor plugins yo To issue identities to workloads running in a Kubernetes cluster, it is necessary to deploy a SPIRE Agent to each node in that cluster that is running a workload ([read more](/docs/latest/spire/installing/install-agents/#installing-spire-agents-on-kubernetes) on how to install SPIRE Agents on Kubernetes). -Service Account Tokens can be validated using the Kubernetes [Token Review API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#tokenreview-v1-authentication-k8s-io). Because of this, the SPIRE Server does not itself need to be running on Kubernetes, and a single SPIRE Server may support agents running on multiple Kubernetes clusters with PSAT attestation enabled. +Service Account Tokens can be validated using the Kubernetes [Token Review API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/). Because of this, the SPIRE Server does not itself need to be running on Kubernetes, and a single SPIRE Server may support agents running on multiple Kubernetes clusters with PSAT attestation enabled. ### Projected Service Account Tokens @@ -75,7 +75,7 @@ At the time of this writing,  projected service accounts are a relatively new f Node attestation using Kubernetes [Projected Service Account Tokens](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) (PSATs) allows a SPIRE Server to verify the identity of a SPIRE Agent running on a Kubernetes Cluster. Projected Service Account Tokens provide additional security guarantees over traditional Kubernetes Service Account Tokens and when supported by a Kubernetes cluster, PSAT is the recommended attestation strategy. -To use PSAT Node Attestation, configure enable the PSAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_k8s_psat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_k8s_psat.md). +To use PSAT Node Attestation, configure enable the PSAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_psat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_k8s_psat.md). ### Service Account Tokens @@ -83,7 +83,7 @@ In cases where workloads are running on Kubernetes but the Projected Service Acc Because the service account token does not contain claims that could be used to strongly identify the node/daemonset/pod running the agent, any container running in a whitelisted service account can masquerade as an agent. For this reason it is strongly recommended that agents run under a dedicated service account when using this attestation method. -To use SAT Node Attestation, configure and enable the SAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_k8s_sat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_k8s_sat.md). +To use SAT Node Attestation, configure and enable the SAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_sat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_k8s_sat.md). ## Attestation of nodes running Linux {#customize-server-linux-attestation} @@ -102,13 +102,13 @@ NodeAttestor "join_token" { } ``` -Once join token node attestation has been configured, a join token can be generated on the server using the `spire-server token generate` command. Optionally you can associate a particular SPIFFE ID with the Join Token with the `-spiffeID` flag. [Read more](https://github.com/spiffe/spire/blob/master/doc/spire_server.md#spire-server-token-generate) about using this command. +Once join token node attestation has been configured, a join token can be generated on the server using the `spire-server token generate` command. Optionally you can associate a particular SPIFFE ID with the Join Token with the `-spiffeID` flag. [Read more](/docs/latest/deploying/spire_server/#spire-server-token-generate) about using this command. -When starting a SPIRE Agent for the first time with Join Token attestation enabled, the agent can be started with the `spire-agent run` command, and specifying the join token generated by the server using the `-joinToken` flag. [Read more](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md#spire-agent-run) about this command. +When starting a SPIRE Agent for the first time with Join Token attestation enabled, the agent can be started with the `spire-agent run` command, and specifying the join token generated by the server using the `-joinToken` flag. [Read more](/docs/latest/deploying/spire_agent/#spire-agent-run) about this command. The server will validate the join token and issue the Agent an SVID, and the SVID will be rotated automatically as long as it maintains a connection to the Server. On subsequent starts the Agent will use that SVID to authenticate to the server unless it has expired and not renewed. -To use Join Token Node Attestation, configure and enable the join token Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_jointoken.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_jointoken.md). +To use Join Token Node Attestation, configure and enable the join token Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_jointoken.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_jointoken.md). To disable join token attestation on the server, comment out or delete this stanza from the configuration file before starting it. @@ -121,7 +121,7 @@ of this guide, they will be called the *root certificate bundle*). The Server mu In addition attestor exposes the selector `subject:cn` which will match any certificate that is both (a) valid, as described above, and (b) whose common name (CN) matches that described in the selector. -To use X.509 Certificate Node Attestation, configure and enable the x509pop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_x509pop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_x509pop.md). +To use X.509 Certificate Node Attestation, configure and enable the x509pop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_x509pop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_x509pop.md). ### SSH Certificate @@ -135,7 +135,7 @@ spiffe:///spire/agent/sshpop/ Where `` is a hash of the certificate itself. This SPIFFE ID can then be used as the basis of other workload registration entries. -To use SSH Certificate Node Attestation, configure and enable the sshpop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_sshpop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_sshpop.md). +To use SSH Certificate Node Attestation, configure and enable the sshpop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_sshpop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_sshpop.md). ## Attestation for Linux nodes on a Cloud Provider {#customize-server-cloud-attestation} @@ -150,7 +150,7 @@ Google Compute Engine (GCE) node attestation and resolution allows a SPIRE Serve 3. Once verification takes place, the SPIRE Agent is considered attested, and issued its own SPIFFE ID 4. Finally, SPIRE issues SVIDs to workloads on the nodes if they match a registration entry. The registration entry may include selectors exposed by the Node Attestor or Resolver, or have the SPIFFE ID of the SPIRE Agent as a parent. -To use GCP IIT Node Attestation, configure and enable the gcp_iit Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_gcp_iit.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_gcp_iit.md). +To use GCP IIT Node Attestation, configure and enable the gcp_iit Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_gcp_iit.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_gcp_iit.md). ### Amazon EC2 Instances @@ -162,7 +162,7 @@ EC2 node attestation and resolution allows a SPIRE Server to identify and authen 4. Once verification takes place, the SPIRE Agent is considered attested, and issued its own SPIFFE ID 5. Finally, SPIRE issues SVIDs to workloads on the nodes if they match a registration entry. The registration entry may include selectors exposed by the Node Attestor or Resolver, or have the SPIFFE ID of the SPIRE Agent as a parent. -For more information on configuring AWS EC2 Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the AWS [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_aws_iid.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/master/doc/plugin_server_noderesolver_aws_iid.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_aws_iid.md) on the agent. +For more information on configuring AWS EC2 Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the AWS [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_aws_iid.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_aws_iid.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_aws_iid.md) on the agent. ### Azure Virtual Machines @@ -181,7 +181,7 @@ The default resource–assigned by the agent plugin–is scoped relatively widel If you configure a custom resource ID in the agent configuration file, you must specify custom resource IDs for each tenant, in the `NodeAttestor` stanza of the `server.conf` configuration file. {{< /warning >}} -For more information on configuring Azure MSI Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the Azure MSI [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_azure_msi.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/master/doc/plugin_server_noderesolver_azure_msi.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_azure_msi.md) on the agent. +For more information on configuring Azure MSI Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the Azure MSI [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_azure_msi.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_azure_msi.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_azure_msi.md) on the agent. # Configuring workload attestation _This configuration applies to the SPIRE Agent_ @@ -196,7 +196,7 @@ When workloads are running in Kubernetes, it is valuable to be able to describe The Kubernetes Workload Attestor plugin works by interrogating the local Kubelet to retrieve kubernetes-specific metadata about particular process when it calls the Workload API, and uses that to identify workloads whose registration entries match those values. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Kubernetes Workload Attestor plugin](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_k8s.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Kubernetes Workload Attestor plugin](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_k8s.md). ## Workload Attestation for Docker containers @@ -204,7 +204,7 @@ When workloads are running in a Docker container, it can be helpful to be able t The Docker Workload Attestor plugin works by interrogating to the local Docker daemon to retrieve Docker-specific metadata about a particular process when it calls the Workload API. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Docker Workload Attestor plugin](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_docker.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Docker Workload Attestor plugin](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_docker.md). ## Workload Attestation for Unix processes @@ -212,7 +212,7 @@ When workloads are running on Unix, it can be helpful to be able to describe the The Unix Workload Attestor works by determining kernel metadata from the workload calling the Workload API by examining the caller of the Unix domain socket. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Unix Workload Attestor plugin](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_unix.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Unix Workload Attestor plugin](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_unix.md). # Configuring where to store agent and server data _This configuration applies to the SPIRE Server and SPIRE Agent_ @@ -232,7 +232,7 @@ _This configuration applies to the SPIRE Server_ The data-store is where SPIRE Server persists dynamic configuration such as registration entries and identity mapping policies that are retrieved from the SPIRE Server. By default, SPIRE bundles SQLite and sets it as the default for storage of server data. SPIRE also supports other compatible data-stores. For production purposes, you should carefully consider which database to use, particularly when deploying SPIRE in a High Availability configuration. -The SPIRE Server can be configured to utilize different SQL-compatible storage backends by configuring the default SQL data-store plugin as described below. A complete reference for how this block is configured can be found in the [SPIRE documentation](https://github.com/spiffe/spire/blob/master/doc/plugin_server_datastore_sql.md). +The SPIRE Server can be configured to utilize different SQL-compatible storage backends by configuring the default SQL data-store plugin as described below. A complete reference for how this block is configured can be found in the [SPIRE documentation](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_datastore_sql.md). Alternatively, SPIRE can be configured to use non-SQL compatible storage backends through third party datastore plugins. The guide on [Extending SPIRE](/docs/latest/spire/developing/extending/) covers this in more detail. @@ -318,9 +318,9 @@ Both the SPIRE Agent and SPIRE Server generate private keys and certificates dur Currently SPIRE supports two key management strategies on both the Agent and Server. -* **Store in-memory**. In this strategy keys and certificates are only stored in-memory. This means that if the Server or Agent crashes or is otherwise re-started, the keys must be re-generated. In the case of the SPIRE Agent this typically requires the agent to re-attest to the Server upon restart. This strategy can be managed by enabling and configuring the memory key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_keymanager_memory.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_keymanager_memory.md). +* **Store in-memory**. In this strategy keys and certificates are only stored in-memory. This means that if the Server or Agent crashes or is otherwise re-started, the keys must be re-generated. In the case of the SPIRE Agent this typically requires the agent to re-attest to the Server upon restart. This strategy can be managed by enabling and configuring the memory key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_keymanager_memory.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_keymanager_memory.md). -* **Store on disk**. In this strategy, keys and certificates are stored in a specified file on disk. An advantage of this approach is they survive a restart of the SPIRE Server or Agent. A disadvantage is that since they keys are stored in files on disk, additional precautions must be taken to prevent a malicious process from reading those files. This strategy can be managed by enabling and configuring the disk key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_keymanager_disk.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_keymanager_disk.md). +* **Store on disk**. In this strategy, keys and certificates are stored in a specified file on disk. An advantage of this approach is they survive a restart of the SPIRE Server or Agent. A disadvantage is that since they keys are stored in files on disk, additional precautions must be taken to prevent a malicious process from reading those files. This strategy can be managed by enabling and configuring the disk key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_keymanager_disk.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_keymanager_disk.md). Alternatively, SPIRE can be configured to integrating a custom backend such as a secret store through third party key manager plugins. The guide on [Extending SPIRE](/docs/latest/spire/developing/extending/) covers this in more detail. @@ -341,7 +341,7 @@ This signing key should be considered extremely sensitive as to obtain it would To help ensure the integrity of the signing key a SPIRE Server may either sign material itself using a signing key stored on disk, or delegate signing to an independent Certificate Authority (CA), such as the AWS Secrets Manager. This behavior is configured through the `UpstreamAuthority` section in the `server.conf` file. -For a complete server configuration reference, see the [SPIRE Server Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +For a complete server configuration reference, see the [SPIRE Server Configuration Reference](/docs/latest/deploying/spire_server/). #### Configure an On-disk Signing Key @@ -358,25 +358,25 @@ sudo openssl req \ -x509 -days 365 -out /opt/spire/conf/root.crt ``` -This strategy can be managed by enabling and configuring the `disk` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_disk.md). +This strategy can be managed by enabling and configuring the `disk` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_upstreamauthority_disk.md). #### Configure AWS Secrets Manager The SPIRE Server can be configured to load CA credentials from [Amazon Web Services Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html), using them to generate intermediate signing certificates for the server's signing authority. -This strategy can be managed by enabling and configuring the `awssecret` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_awssecret.md). +This strategy can be managed by enabling and configuring the `awssecret` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_upstreamauthority_awssecret.md). #### Configure AWS Certificate Manager The SPIRE Server can be configured to load CA credentials from Amazon Web Services Certificate Manager [Private Certificate Authority](https://aws.amazon.com/certificate-manager/private-certificate-authority/) (PCA) them to generate intermediate signing certificates for the server's signing authority. -This strategy can be managed by enabling and configuring the `aws_pca` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_aws_pca.md). +This strategy can be managed by enabling and configuring the `aws_pca` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_upstreamauthority_aws_pca.md). #### Configure another SPIRE installation The SPIRE Server can be configured to load CA credentials from the Workload API of another SPIFFE implementation such as SPIRE. This enables a technique called "Nested SPIRE" that, as a compliment to HA deployments, allows independent SPIRE Servers to issue identities against a single trust domain. -A full treatment for Nested SPIRE is beyond the scope of this guide. However this strategy can be managed by enabling and configuring the `spire` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_spire.md). +A full treatment for Nested SPIRE is beyond the scope of this guide. However this strategy can be managed by enabling and configuring the `spire` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_upstreamauthority_spire.md). # Export Metrics for Monitoring _This configuration applies to the SPIRE Server and SPIRE Agent_ @@ -420,7 +420,7 @@ telemetry { } ``` -For more information, see the [telemetry configuration](https://github.com/spiffe/spire/blob/master/doc/telemetry_config.md) guide. +For more information, see the [telemetry configuration](/docs/latest/deploying/telemetry_config/) guide. # Logging _This configuration applies to the SPIRE Server and SPIRE Agent_ diff --git a/content/docs/latest/deploying/install-agents.md b/content/docs/latest/deploying/install-agents.md index cd3174c1..df12ed13 100644 --- a/content/docs/latest/deploying/install-agents.md +++ b/content/docs/latest/deploying/install-agents.md @@ -13,7 +13,7 @@ aliases: Pre-built SPIRE releases can be found on the [SPIRE downloads page](/downloads/#spire-releases). The tarballs contain both server and agent binaries. -If you wish, you may also [build SPIRE from source](https://github.com/spiffe/spire/blob/master/CONTRIBUTING.md). +If you wish, you may also [build SPIRE from source](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/CONTRIBUTING.md). ## Step 2: Install the Server and Agent {#step-2} diff --git a/content/docs/latest/deploying/libraries.md b/content/docs/latest/deploying/libraries.md index e4718ffc..3db4c88a 100644 --- a/content/docs/latest/deploying/libraries.md +++ b/content/docs/latest/deploying/libraries.md @@ -13,21 +13,24 @@ You can use one of the following libraries to fetch SVIDs and trust bundles from The following code samples demonstrate how to use the libraries to establish and maintain SPIFFE-enabled connections transparently between applications. -# C++ +# C, C++ + +See the [c-spiffe library GitHub page](https://github.com/HewlettPackard/c-spiffe) for more information about a SPIFFE C/C++ library. This library is not yet part of the official SPIFFE repo and is still under development in June 2021. An earlier official c-spiffe library became out-of-date and was archived. -See the [c-spiffe library GitHub page](https://github.com/spiffe/c-spiffe) for more information about the SPIFFE C++ library. # Go -See the [go-spiffe library GitHub page](https://github.com/spiffe/go-spiffe/tree/master/v2) for more information about the SPIFFE Go library. +See the [go-spiffe library GitHub page](https://github.com/spiffe/go-spiffe/tree/main/v2) for more information about the SPIFFE Go library. -* [SPIFFE to SPIFFE authentication using X.509 SVIDs](https://github.com/spiffe/go-spiffe/tree/master/v2/examples/spiffe-tls) +* [SPIFFE to SPIFFE authentication using X.509 SVIDs](https://github.com/spiffe/go-spiffe/tree/main/v2/examples/spiffe-tls) -* [SPIFFE to SPIFFE authentication using JWT SVIDs](https://github.com/spiffe/go-spiffe/tree/master/v2/examples/spiffe-jwt-using-proxy) +* [SPIFFE to SPIFFE authentication using JWT SVIDs](https://github.com/spiffe/go-spiffe/tree/main/v2/examples/spiffe-jwt-using-proxy) # Java -See the [java-spiffe library GitHub page](https://github.com/spiffe/java-spiffe) for more information about the SPIFFE Java library. +See the [java-spiffe library GitHub page](https://github.com/spiffe/java-spiffe) for more information about the SPIFFE Java library. -* [Federation and TCP Support](https://github.com/spiffe/spiffe-example/tree/master/java-spiffe-federation-jboss) +# Rust +See the [spiffe crate](https://crates.io/crates/spiffe) for more information about the SPIFFE Rust library. +This library is not yet part of the official SPIFFE repo and is still under development. \ No newline at end of file diff --git a/content/docs/latest/deploying/registering.md b/content/docs/latest/deploying/registering.md index d75202a7..260a2834 100644 --- a/content/docs/latest/deploying/registering.md +++ b/content/docs/latest/deploying/registering.md @@ -21,7 +21,7 @@ The server will send to the agent a list of all registration entries for workloa During workload attestation, the agent discovers selectors and compares them to those in the cached registration entries to determine which SVIDs they should assign to the workload. -You register a workload either by issuing the `spire-server entry create` command at the command line or calling directly into the Registration API, as described in the [Registration API documentation](https://github.com/spiffe/spire/blob/master/proto/spire/api/registration/registration.proto). Existing entries can be modified using the `spire-server entry update` command. +You register a workload either by issuing the `spire-server entry create` command at the command line or calling directly into the Registration API, as described in the [Registration API documentation](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/proto/spire/api/registration/registration.proto). Existing entries can be modified using the `spire-server entry update` command. {{< info >}} When running on Kubernetes, a common way to invoke commands on the SPIRE Server is through the `kubectl exec` command on a pod running the SPIRE Server. For example: @@ -34,7 +34,7 @@ kubectl exec -n spire spire-server-0 -- \ ``` {{< /info >}} -To learn more about the `spire-server entry create` and `spire-server entry update` commands and options, consult the [SPIRE Server reference guide](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +To learn more about the `spire-server entry create` and `spire-server entry update` commands and options, consult the [SPIRE Server reference guide](/docs/latest/deploying/spire_server/). # How to register a workload @@ -62,9 +62,9 @@ Different selectors are available depending on the platform or architecture on w | For a list of supported selectors for this platform | Go here | | ---------------- | ----------- | -| **Kubernetes** | The [configuration reference page for the Kubernetes Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_k8s_sat.md) -| **AWS** | The [configuration reference page for the AWS Node Resolver](https://github.com/spiffe/spire/blob/master/doc/plugin_server_noderesolver_aws_iid.md) -| **Azure** | The [configuration reference page for the Azure Managed Service Identity Node Resolver](https://github.com/spiffe/spire/blob/master/doc/plugin_server_noderesolver_azure_msi.md) +| **Kubernetes** | The [configuration reference page for the Kubernetes Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_sat.md) +| **AWS** | The [configuration reference page for the AWS Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_aws_iid.md) +| **Azure** | The [configuration reference page for the Azure Managed Service Identity Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_azure_msi.md) ## 2. Defining the SPIFFE ID of the Workload @@ -81,9 +81,9 @@ spire-server entry create \ | For a list of supported selectors for this platform | Go here | | ---------------- | ----------- | -| **Unix** | The [configuration reference page for the Unix Workload Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_unix.md) -| **Kubernetes** | The [configuration reference page for the Kubernetes Workload Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_k8s.md) -| **Docker** | The [configuration reference page for the Docker Workload Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_docker.md) +| **Unix** | The [configuration reference page for the Unix Workload Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_unix.md) +| **Kubernetes** | The [configuration reference page for the Kubernetes Workload Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_k8s.md) +| **Docker** | The [configuration reference page for the Docker Workload Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_docker.md) # How to list registration entries @@ -101,7 +101,7 @@ For example, to list all registration entries that match a set of EC2 instances spire-server entry show -selector tag:app:webserver ``` -To learn more about the `spire-server entry show` command and options, consult the [SPIRE Server reference guide](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +To learn more about the `spire-server entry show` command and options, consult the [SPIRE Server reference guide](/docs/latest/deploying/spire_server/). # How to remove registration entries @@ -113,7 +113,7 @@ For example: spire-server entry delete -entryID 92f4518e-61c9-420d-b984-074afa7c7002 ``` -To learn more about the `spire-server entry delete` command and options, consult the [SPIRE Server reference guide](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +To learn more about the `spire-server entry delete` command and options, consult the [SPIRE Server reference guide](/docs/latest/deploying/spire_server/). # Mapping Workloads to Multiple Nodes diff --git a/content/docs/latest/deploying/svids.md b/content/docs/latest/deploying/svids.md index bb13a129..8ee3c520 100644 --- a/content/docs/latest/deploying/svids.md +++ b/content/docs/latest/deploying/svids.md @@ -19,13 +19,13 @@ Developers coding a new workload that needs to interact with SPIFFE can interact * Generate short-lived keys and certificates on behalf of the workload, specifically: * A private key tied to that SPIFFE ID that can be used to sign data on behalf of the workload. - * A corresponding short-lived X.509 certificate - an [X509-SVID](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md). This can be used to establish TLS or otherwise authenticate to other workloads. + * A corresponding short-lived X.509 certificate - an [X509-SVID](https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md). This can be used to establish TLS or otherwise authenticate to other workloads. * A set of certificates – known as a [trust bundle](/docs/latest/spiffe/concepts/#trust-bundle) – that a workload can use to verify an X.509-SVID presented by another workload in the same trust domain or a federated trust domain. -* Generate or validate JSON Web Tokens ([JWT-SVIDs](https://github.com/spiffe/spiffe/blob/master/standards/JWT-SVID.md)) issued on behalf of the workload or another workload in the same trust domain or a federated trust domain. +* Generate or validate JSON Web Tokens ([JWT-SVIDs](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md)) issued on behalf of the workload or another workload in the same trust domain or a federated trust domain. The Workload API doesn't require any explicit authentication (such as a secret). Rather, the SPIFFE specification leaves it to implementation of the SPIFFE Workload API to determine how to authenticate the workload. In the case of SPIRE, this is achieved by inspecting the Unix kernel metadata collected by the SPIRE Agent when a workload calls the API. -The API is a gRPC API, derived [from a protobuf](https://github.com/spiffe/go-spiffe/blob/master/proto/spiffe/workload/workload.proto). The [gRPC project](https://grpc.io/) provides tools to generate client libraries from a protobuf in a variety of languages. +The API is a gRPC API, derived [from a protobuf](https://github.com/spiffe/go-spiffe/blob/main/proto/spiffe/workload/workload.proto). The [gRPC project](https://grpc.io/) provides tools to generate client libraries from a protobuf in a variety of languages. ## Working with SVIDs in Go @@ -62,4 +62,4 @@ will: 3. Write the X.509-SVID, private key associated with each of those identities to `/tmp/` 4. Write the trust bundle (certificate chain) needed to validate X.509-SVIDs issued under that trust domain to `/tmp/` as well -A complete list of relevant commands can be found in the [SPIRE Agent Documentation](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md#command-line-options). +A complete list of relevant commands can be found in the [SPIRE Agent Documentation](/docs/latest/deploying/spire_agent/#command-line-options). diff --git a/content/docs/latest/planning/extending.md b/content/docs/latest/planning/extending.md index 8dc82e63..f0487ba3 100644 --- a/content/docs/latest/planning/extending.md +++ b/content/docs/latest/planning/extending.md @@ -2,20 +2,24 @@ title: Extend SPIRE short: Extending kind: planning -description: Learn how to extend SPIRE with third-party plugins +description: Learn how to extend SPIRE with plugins weight: 100 aliases: - /spire/docs/extending - /docs/latest/spire/developing/extending --- -SPIRE is highly extensible via a plugin framework that allows many core operations to be added and customized. +SPIRE is highly extensible via a plugin framework that allows many core operations to be added and customized. This page describes the types of plugins available, how to integrate plugins while deploying SPIRE, and has a link to the SPIRE Plugin SDK for those interested in authoring a plugin. + +# Authoring SPIRE plugins + +Refer to the [SPIRE Plugin SDK](https://github.com/spiffe/spire-plugin-sdk) GitHub page for documentation and templates that you can use to code your own SPIRE plugins. # Node Attestor plugins A Node Attestor implements validation logic for nodes (physical or virtual machines) that are attempting to establish their identity. Typically a Node Attestor is implemented as a plugin on the Server and with a corresponding plugin on the Agent. A Node Attestor plugin will often expose selectors that can be used when creating the registration entries that define a workload. -SPIRE comes with a set of built-in Node Attestor plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) and [Agent](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md) that support various cloud platforms, schedulers and other machine identity sources. Servers can have multiple Node Attestor plugins enabled simultaneously, however a given Agent may only have one Node Attestor plugin enabled at a time. +SPIRE comes with a set of built-in Node Attestor plugins for the [Server](/docs/latest/deploying/spire_server/) and [Agent](/docs/latest/deploying/spire_agent/) that support various cloud platforms, schedulers and other machine identity sources. Servers can have multiple Node Attestor plugins enabled simultaneously, however a given Agent may only have one Node Attestor plugin enabled at a time. In addition, known third-party Node Attestor plugins include: @@ -25,43 +29,43 @@ In addition, known third-party Node Attestor plugins include: # Node Resolver plugins -Once the identity of an individual node has been determined, in some cases it is valuable to be able to expose additional verified metadata about that workload as selectors for registration entries. For example, the AWS EC2 IID Node Attestor plugin can be used to prove the Instance ID of a given EC2 instance, but the AWS EC2 IID Node Resolver plugin will - by looking up additional instance metadata in AWS - expose additional selectors (such as instance tag or label) based on this verified metadata. +Once the identity of an individual node has been determined, in some cases it is valuable to be able to expose additional verified metadata about that node as selectors for registration entries. For example, the AWS EC2 IID Node Attestor plugin can be used to prove the Instance ID of a given EC2 instance, but the AWS EC2 IID Node Resolver plugin will - by looking up additional instance metadata in AWS - expose additional selectors (such as instance tag or label) based on this verified metadata. Node Resolver plugins are typically coupled to a specific Node Attestor plugin (such as the AWS EC2 IID Node Attestor), since they will rely on that plugin to verify the initial identity of the node. -SPIRE comes with a set of built-in Node Resolver plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +SPIRE comes with a set of built-in Node Resolver plugins for the [Server](/docs/latest/deploying/spire_server/). # Workload Attestor plugins While Node Attestors help SPIRE verify the identity of a node running a workload, Workload Attestors identify a specific workload running on that node. Workload attestors run on the Agent. A workload attestor may leverage kernel metadata retrieved during a call to the Workload API to determine the identity of a workload, but it may also choose to interrogate other local sources (such as the calling binary, the Docker daemon or the Kubernetes kubelet) to verify the identity of a workload. As with Node Attestor plugins, Workload Attestor plugins expose selectors that allow registration entries to be created for workloads based on the properties of the workload that the attestor verified. -SPIRE comes with a set of built-in Workload Attestor plugins for the [Agent](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md). +SPIRE comes with a set of built-in Workload Attestor plugins for the [Agent](/docs/latest/deploying/spire_agent/). # Upstream Authority plugins UpstreamAuthority plugins allow the SPIRE Server to integrate with existing public key infrastructure, such that the certificates it generates derive from specific intermediate or root certificates supplied to SPIRE. By choosing or developing different UpstreamAuthority plugins it is possible to customize how SPIRE retrieves these certificates (for example from a file, or a particular secrets manager or certificate vault). -SPIRE comes with a set of built-in UpstreamAuthority plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +SPIRE comes with a set of built-in UpstreamAuthority plugins for the [Server](/docs/latest/deploying/spire_server/). -# KeyManager plugins +# Key Manager plugins -In some cases it might be desirable for SPIRE to avoid being exposed to a signing key at all - for example if the signing key is held in a secure hardware enclave. In such a case, the SPIRE Server and Agent can leverage KeyManager plugins to delegate the actual signing operation to another system (such as a TPM). +In some cases it might be desirable for SPIRE to avoid being exposed to a signing key at all - for example if the signing key is held in a secure hardware enclave. In such a case, the SPIRE Server and Agent can leverage Key Manager plugins to delegate the actual signing operation to another system (such as a TPM). -SPIRE comes with a set of built-in KeyManager plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) and [Agent](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md). +SPIRE comes with a set of built-in Key Manager plugins for the [Server](/docs/latest/deploying/spire_server/) and [Agent](/docs/latest/deploying/spire_agent/). # Notifier plugins Notifier plugins allow actions to be triggered in other systems when certain events occur on the SPIRE Server, and in some cases interrupt the event itself. Notifier plugins can support a number of different use cases, such as when certificate rotation events occur. -SPIRE comes with a set of built-in Notifier plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +SPIRE comes with a set of built-in Notifier plugins for the [Server](/docs/latest/deploying/spire_server/). # Working with first-party plugins First party plugins can be enabled by including the appropriate configuration stanza in the `plugins` section of the Server or Agent configuration file. * For instructions on modifying the Server and Agent configuration files, please follow [Configuring the SPIRE Server](/docs/latest/spire/using/configuring/). -* For more information on enabling the plugins in the Server, read the [Server configuration guide](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). -* For more information on enabling the plugins in the Agent, read the [Agent configuration guide](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md). +* For more information on enabling the plugins in the Server, read the [Server configuration guide](/docs/latest/deploying/spire_server/). +* For more information on enabling the plugins in the Agent, read the [Agent configuration guide](/docs/latest/deploying/spire_agent/). # Working with third party plugins diff --git a/content/docs/latest/spiffe-about/get-involved.md b/content/docs/latest/spiffe-about/get-involved.md index cdedd366..555634ef 100644 --- a/content/docs/latest/spiffe-about/get-involved.md +++ b/content/docs/latest/spiffe-about/get-involved.md @@ -25,12 +25,12 @@ SPIFFE is guided by a small but very active community of passionate software eng You can contribute to SPIFFE and SPIRE by filing issues and submitting pull requests on GitHub. See these contribution guidelines for details such as GitHub etiquette and coding conventions: -* [SPIFFE contribution guidelines](https://github.com/spiffe/spiffe/blob/master/CONTRIBUTING.md) -* [SPIRE contribution guidelines](https://github.com/spiffe/spire/blob/master/CONTRIBUTING.md) +* [SPIFFE contribution guidelines](https://github.com/spiffe/spiffe/blob/main/CONTRIBUTING.md) +* [SPIRE contribution guidelines](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/CONTRIBUTING.md) While anyone is welcome to propose contributions via pull requests, we strongly encourage significant contributions - particularly those that might require a significant change to core components - to be first discussed and a high level design agreed upon with the appropriate SIGs or WGs (see above). -Day to day contributions are vetted by the project's maintainers. Overall project direction, guidance and conflict resolution is overseen by the projects' Technical Steering Committee. Full details on this process can be found [in the project GOVERNANCE page](https://github.com/spiffe/spiffe/blob/master/GOVERNANCE.md). +Day to day contributions are vetted by the project's maintainers. Overall project direction, guidance and conflict resolution is overseen by the projects' Technical Steering Committee. Full details on this process can be found [in the project GOVERNANCE page](https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md). ## SPIFFE and SPIRE Branding Media Library diff --git a/content/docs/latest/spiffe-about/spiffe-concepts.md b/content/docs/latest/spiffe-about/spiffe-concepts.md index 9398d461..6244ac0e 100644 --- a/content/docs/latest/spiffe-about/spiffe-concepts.md +++ b/content/docs/latest/spiffe-about/spiffe-concepts.md @@ -33,7 +33,7 @@ SPIFFE IDs are a [Uniform Resource Identifier (URI)](https://tools.ietf.org/html The _workload identifier_ uniquely identifies a specific workload within a [trust domain](#trust-domain). -The [SPIFFE specification](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE.md) describes in detail the format and use of SPIFFE IDs. +The [SPIFFE specification](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE.md) describes in detail the format and use of SPIFFE IDs. ## Trust Domain @@ -49,7 +49,7 @@ An SVID contains a single SPIFFE ID, which represents the identity of the servic As tokens are susceptible to _replay attacks_, in which an attacker that obtains the token in transit can use it to impersonate a workload, it is advised to use X.509-SVIDs whenever possible. However, there may be some situations in which the only option is the JWT token format, for example, when your architecture has an L7 proxy or load balancer between two workloads. -For detailed information on the SVID, see the [SVID specification](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md). +For detailed information on the SVID, see the [SVID specification](https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md). ## SPIFFE Workload API diff --git a/content/docs/latest/spire-about/spire-concepts.md b/content/docs/latest/spire-about/spire-concepts.md index fc76898e..363489b4 100644 --- a/content/docs/latest/spire-about/spire-concepts.md +++ b/content/docs/latest/spire-about/spire-concepts.md @@ -41,7 +41,7 @@ The behavior of the server is determined through a series of plugins. SPIRE come **Upstream authority plugins**. By default the SPIRE Server acts as its own certificate authority. However, you can use an upstream authority plugin to use a different CA from a different PKI system. -You customize the server’s behavior by configuring plugins and various other configuration variables. See the [SPIRE Server Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) for details. +You customize the server’s behavior by configuring plugins and various other configuration variables. See the [SPIRE Server Configuration Reference](/docs/latest/deploying/spire_server/) for details. ## All About the Agent @@ -61,14 +61,12 @@ The agent’s main components include: * Key manager plugins, which the agent uses to generate and use private keys for X.509-SVIDs issued to workloads. -You customize the agent’s behavior by configuring plugins and other configuration variables. See the [SPIRE Agent Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md) for details. +You customize the agent’s behavior by configuring plugins and other configuration variables. See the [SPIRE Agent Configuration Reference](/docs/latest/deploying/spire_agent/) for details. ## Custom Server and Agent Plugins You can create custom server and agent plugins for particular platforms and architectures for which SPIRE doesn’t include plugins. For example, you could create server and agent node attestors for an architecture other than those summarized under [Node Attestation](#node-attestation). Or you could create a custom keymanager plugin to handle private keys in a way SPIRE doesn’t currently support. Because SPIRE loads custom plugins at runtime, you do not need recompile SPIRE in order to enable them. -For help creating custom server and agent plugins, see [SPIRE Plugin Development](https://github.com/spiffe/plugin-template/blob/master/SPIRE_PLUGIN_GUIDE.md). - # A Day in the Life of an SVID This section walks through a “day in the life” of how SPIRE issues an identity to a workload, from the time the agent starts up on a node to the point of a workload on the same node receiving a valid identity in the form of an X.509 SVID. Note that SVIDs in JWT format are handled differently. For the purposes of simple demonstration, the workload is running on AWS EC2. @@ -76,7 +74,7 @@ This section walks through a “day in the life” of how SPIRE issues an identi 1. The SPIRE Server starts up. 2. Unless the user has configured an UpstreamAuthority plugin, the server generates a self-signed certificate (a certificate signed with its own private key); the server will use this certificate to sign SVIDs for all the workloads in this server’s trust domain. 3. If it’s the first time starting up, the server automatically generates a trust bundle, whose contents it stores in a sql datastore you specify in the datastore configuration -- described in the section "Built-in plugins" in the -[Server plugin: DataStore sql](https://github.com/spiffe/spire/blob/master/doc/plugin_server_datastore_sql.md). +[Server plugin: DataStore sql](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_datastore_sql.md). 4. The server turns on its registration API, to allow you to register workloads. 5. The SPIRE Agent starts up on the node that the workload is running on. 6. The agent performs node attestation, to prove to the server the identity of the node it is running on. For example, when running on an AWS EC2 Instance it would typically perform node attestation by supplying an [AWS Instance Identity Document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) to the server. @@ -179,7 +177,7 @@ For cases where there is no platform that can directly identify a node, SPIRE in **with server-generated join tokens** -- A join token is a pre-shared key between a SPIRE Server and Agent. The server can generate join tokens once installed that can be used to verify an agent when it starts. To help protect against misuse, join tokens expire immediately after use. -**using an existing X.509 certificate** -- For information on configuring node attestors, see the [SPIRE Server Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) and [SPIRE Agent Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md). +**using an existing X.509 certificate** -- For information on configuring node attestors, see the [SPIRE Server Configuration Reference](/docs/latest/deploying/spire_server/) and [SPIRE Agent Configuration Reference](/docs/latest/deploying/spire_agent/). #### Node Resolution diff --git a/content/docs/latest/try/getting-started-k8s.md b/content/docs/latest/try/getting-started-k8s.md index c77643e4..e65fb008 100644 --- a/content/docs/latest/try/getting-started-k8s.md +++ b/content/docs/latest/try/getting-started-k8s.md @@ -251,9 +251,9 @@ When deploying SPIRE in a production environment the following considerations sh In the [Create Server Configmap](#create-server-configmap) step: set the the cluster name in the `k8s_sat NodeAttestor` entry to the name you provide in the **agent-configmap.yaml** configuration file. If your Kubernetes cluster supports projected service account tokens, consider using the built-in -[Projected Service Account Token k8s Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_k8s_psat.md) for authenticating the SPIRE agent to the server. Projected Service Account Tokens are more tightly scoped than regular service account tokens, and thus more secure. +[Projected Service Account Token k8s Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_psat.md) for authenticating the SPIRE agent to the server. Projected Service Account Tokens are more tightly scoped than regular service account tokens, and thus more secure. -As configured, the SPIRE agent does not verify the identity of the Kubernetes kubelet when requesting metadata for workload attestation. For additional security, you may wish to configure the Kubernetes workload attestor to perform this verification on compatible Kubernetes distributions by setting `skip_kubelet_verification` to `false`. [Read more](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_k8s.md) +As configured, the SPIRE agent does not verify the identity of the Kubernetes kubelet when requesting metadata for workload attestation. For additional security, you may wish to configure the Kubernetes workload attestor to perform this verification on compatible Kubernetes distributions by setting `skip_kubelet_verification` to `false`. [Read more](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_k8s.md) # Next steps diff --git a/data/users.yaml b/data/users.yaml index e09c82f0..7048b152 100644 --- a/data/users.yaml +++ b/data/users.yaml @@ -1,30 +1,30 @@ issuers: -- name: The SPIRE project - description: SPIRE is an open-source toolchain that implements the SPIFFE specification in a wide variety of environments - link: /docs/latest/spire/understand/concepts/ - logo: spire/icon/color/spire-icon-color.png -- name: Istio - description: The Istio control plane issues SPIFFE IDs for all workloads - link: https://istio.io/latest/docs/concepts/security/#pki - logo: istio.svg -- name: HashiCorp Consul - description: The Consul Connect service mesh uses the SPIFFE specification for establishing service identities, enabling Consul Connect services to connect with other SPIFFE-compliant systems - link: https://www.consul.io/segmentation.html - logo: consul.svg -- name: Kuma - description: Kuma automatically generates SPIFFE-compatible certificates that identify all the services and workloads running in the service mesh, and encrypts all the traffic generated between them - link: https://kuma.io - logo: kuma.svg + - name: The SPIRE project + description: SPIRE is an open-source toolchain that implements the SPIFFE specification in a wide variety of environments + link: /docs/latest/spire/understand/concepts/ + logo: spire/icon/color/spire-icon-color.png + - name: Istio + description: The Istio control plane issues SPIFFE IDs for all workloads + link: https://istio.io/latest/docs/concepts/security/#pki + logo: istio.svg + - name: HashiCorp Consul + description: The Consul Connect service mesh uses the SPIFFE specification for establishing service identities, enabling Consul Connect services to connect with other SPIFFE-compliant systems + link: https://www.consul.io/segmentation.html + logo: consul.svg + - name: Kuma + description: Kuma automatically generates SPIFFE-compatible certificates that identify all the services and workloads running in the service mesh, and encrypts all the traffic generated between them + link: https://kuma.io + logo: kuma.svg consumers: -- name: The Envoy proxy - description: Customers can use SPIFFE IDs to establish [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) connections between Envoy proxies - link: https://blog.envoyproxy.io/securing-the-service-mesh-with-spire-0-3-abb45cd79810 - logo: envoy.svg -- name: Pinterest Knox - description: Customers can authenticate to Knox with SPIFFE IDs - link: https://medium.com/@Pinterest_Engineering/secret-management-in-multi-tenant-environments-debc9236a744 - logo: pinterest.png -- name: The Ghostunnel proxy - description: Customers can use SPIFFE IDs to establish [mTLS](https://en.wikipedia.org/wiki/Multiplexed_Transport_Layer_Security) connections between Ghostunnel proxies with built-in support for obtaining X.509-SVID identities via the [SPIFFE Workload API](/docs/latest/spiffe/concepts/#spiffe-workload-api) - link: https://github.com/square/ghostunnel - logo: square.jpg + - name: The Envoy proxy + description: Customers can use SPIFFE IDs to establish [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) connections between Envoy proxies + link: https://blog.envoyproxy.io/securing-the-service-mesh-with-spire-0-3-abb45cd79810 + logo: envoy.svg + - name: Pinterest Knox + description: Customers can authenticate to Knox with SPIFFE IDs + link: https://medium.com/@Pinterest_Engineering/secret-management-in-multi-tenant-environments-debc9236a744 + logo: pinterest.png + - name: The Ghostunnel proxy + description: Customers can use SPIFFE IDs to establish [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) connections between Ghostunnel proxies with built-in support for obtaining X.509-SVID identities via the [SPIFFE Workload API](/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api) + link: https://github.com/square/ghostunnel + logo: square.jpg diff --git a/layouts/partials/docs/dashboard-panel.html b/layouts/partials/docs/dashboard-panel.html index 013a6eca..921c6c93 100644 --- a/layouts/partials/docs/dashboard-panel.html +++ b/layouts/partials/docs/dashboard-panel.html @@ -1,74 +1,24 @@ {{ $home := site.BaseURL }} {{ $logo := site.Params.logos.sidebar | relURL }} {{ $spiffeLogo := "/img/logos/spiffe/horizontal/color/spiffe-horizontal-color.png" | relURL }} -{{ $releases := site.Data.releases }} -{{/* $latest := index $releases 1 */}} -{{ $latest := "v0.10.0" }} -{{ $version := index (split .File.Path "/") 1 }} -{{ $isLatest := or (eq $version $latest) (eq $version "latest") }} +{{ $latest := site.Data.releases.latest }} +
- {{/*}} - - - {{*/}}
diff --git a/layouts/shortcodes/releases.html b/layouts/shortcodes/releases.html index 96137f6e..40718f9d 100644 --- a/layouts/shortcodes/releases.html +++ b/layouts/shortcodes/releases.html @@ -1,6 +1,5 @@ {{- $displayReleases := ne (getenv "HIDE_RELEASES") "true" }} {{- $spireReleasesUrl := "https://api.github.com/repos/spiffe/spire/releases" }} -{{- $spireLatestReleaseUrl := "https://api.github.com/repos/spiffe/spire/releases/latest" }} {{- $downloadUrl := "https://github.com/spiffe/spire/releases/download" }} {{- if $displayReleases }} @@ -20,7 +19,7 @@ {{- $releases := sort (getJSON $spireReleasesUrl) "created_at" "desc" }} - {{- $latestRelease := getJSON $spireLatestReleaseUrl }} + {{- $latestRelease := site.Data.releases.latest }} {{- $latest := $latestRelease.tag_name }} {{- range $releases -}} {{- $hasExtras := (index .assets 2).name }} diff --git a/layouts/shortcodes/specs.html b/layouts/shortcodes/specs.html index 8b9cf8cf..04a533d9 100644 --- a/layouts/shortcodes/specs.html +++ b/layouts/shortcodes/specs.html @@ -1,5 +1,5 @@ {{- $documents := .Site.Data.spec.documents }} -{{- $rootUrl := "https://github.com/spiffe/spiffe/blob/master/standards" }} +{{- $rootUrl := "https://github.com/spiffe/spiffe/blob/main/standards" }}
    {{- range $documents }} {{- $url := printf "%s/%s" $rootUrl .filename }} diff --git a/layouts/shortcodes/spire-latest.html b/layouts/shortcodes/spire-latest.html index 9b1c3218..55bf4c98 100644 --- a/layouts/shortcodes/spire-latest.html +++ b/layouts/shortcodes/spire-latest.html @@ -1,7 +1,6 @@ {{- $displayReleases := ne (getenv "HIDE_RELEASES") "true" }} -{{- if $displayReleases }} - {{- $latestReleaseUrl := "https://api.github.com/repos/spiffe/spire/releases/latest" }} - {{- $latest := getJSON $latestReleaseUrl }} +{{- if $displayReleases -}} + {{- $latest := site.Data.releases.latest -}} {{- if eq (.Get 0) "tag" }} {{- $latest.tag_name -}} diff --git a/linkcheckerrc b/linkcheckerrc new file mode 100644 index 00000000..579cdb26 --- /dev/null +++ b/linkcheckerrc @@ -0,0 +1,6 @@ +[filtering] +checkextern=1 +ignore=letsencrypt\.org + +[output] +status=0 diff --git a/pull_external.py b/pull_external.py index 0e392b13..fa9a017d 100644 --- a/pull_external.py +++ b/pull_external.py @@ -3,33 +3,42 @@ import shutil import re import toml -from typing import List, Set, Tuple, Pattern, Match +import subprocess +import requests +from typing import Dict, List, Set, Tuple, Pattern, Match from urllib.parse import urlparse from pathlib import Path CHECKOUT_DIR = "checkouts" GIT_CLONE_CMD = "git clone {{}} ./{}/{{}}/{{}}".format(CHECKOUT_DIR) +GIT_CHECKOUT_CMD = "git checkout {}" +GITHUB_API_LATEST_RELEASE = "https://api.github.com/repos/spiffe/spire/releases/latest" MARKDOWN_IMAGE_REFERENCE_STYLE_OPENING = "[" RE_EXTRACT_TITLE: Pattern[str] = re.compile("([#\s]*)(?P.*)") RE_EXTRACT_IMAGES: Pattern[str] = re.compile( "\!\[(?P<alt>.*)\](?P<style>[\(\[])(?P<url>.*)[\)\]]" ) RE_EXTRACT_LINKS: Pattern[str] = re.compile( - "\[(?P<alt>[^\]]*)\]\((?P<rel>[\.\/]*)(?P<url>(?P<domain>https?:\/\/[a-zA-Z\.0-9-]+)?(?!#)\S+)\)" + "\[(?P<alt>[^\]]*)\]\((?P<rel>[\.\/]*)(?P<url>(?P<domain>https?:\/\/(?P<host>[a-zA-Z\.0-9-]+))?(?!#)\S+)\)" +) +RE_EXTRACT_GITHUB_PATH: Pattern[str] = re.compile( + "https?:\/\/github\.com\/\w+\/\w+\/\w+\/\w+\/(?P<path>.*)" ) # holds the git URL and the new path for links between pulled in files -internal_links: dict = {} -config: dict = toml.load("config.toml") +internal_links: Dict = {} +config: Dict = toml.load("config.toml") +latest_release = None def main(): + _pull_latest_release() os.system("rm -rf ./{}/".format(CHECKOUT_DIR)) yaml_external = _read_yaml("external.yaml") repos_to_clone: Set[str] = set() directories_to_create: List[str] = [] - content: dict + content: Dict for directory, content in yaml_external.items(): directories_to_create.append(directory) @@ -37,12 +46,20 @@ def main(): repos_to_clone.add(repo) _clone_repos(repos_to_clone) - # pull_directories(yaml_external) generated_files = _pull_files(yaml_external) _generate_gitignore(generated_files) -def _read_yaml(file_name: str) -> dict: +def _pull_latest_release(): + global latest_release + json = _get_latest_spire_release() + latest_release = json.get("tag_name", "master") + + with open("data/releases.yaml", "w") as releases_file: + releases_file.write(yaml.dump({"latest": json})) + + +def _read_yaml(file_name: str) -> Dict: with open(file_name, "r", encoding="utf-8") as stream: yaml_file = yaml.safe_load(stream) return yaml_file @@ -77,7 +94,7 @@ def _get_file_content(filename: str, remove_heading=False) -> Tuple[str, str]: return "".join(raw[i:]), heading -def _generate_yaml_front_matter(front_matter: dict = {}) -> List[str]: +def _generate_yaml_front_matter(front_matter: Dict = {}) -> List[str]: fm = ["---"] for key, value in front_matter.items(): if type(value) == dict: @@ -97,26 +114,61 @@ def _clone_repos(repos: List[str]): os.system(cmd) -def _pull_files(yaml_external: dict) -> List[str]: - generated_files: List[str] = [] - content: dict +def _get_latest_spire_release() -> Dict: + global latest_release + + if latest_release: + return latest_release + + data = requests.get(GITHUB_API_LATEST_RELEASE) + latest_release = data.json() + + return latest_release + + +def _checkout_switch(content: Dict): + source = content.get("source") + latest_release = _get_latest_spire_release() + cmd = GIT_CHECKOUT_CMD.format(latest_release).split() + repo_owner, repo_name = _get_canonical_repo_from_url(source) + cwd = os.path.join(CHECKOUT_DIR, repo_owner, repo_name) + subprocess.run(cmd, stdout=subprocess.PIPE, cwd=cwd) - # collects all the URLs and new file paths for the pulled in files. - # we need to do this as a prep step before processing each file - # so we can redirect internally + +def _get_branch_by_repo_url(url: str) -> str: + repo_owner, repo_name = _get_canonical_repo_from_url(url) + branch = ( + _get_latest_spire_release() + if (repo_owner, repo_name) == ("spiffe", "spire") + else "master" + ) + + return branch + + +def _get_internal_links(yaml_external: Dict): + links = {} for target_dir, content in yaml_external.items(): + source = content.get("source", "").strip() + if source == config.get("spireGitHubUrl"): + _checkout_switch(content) for rel_file in content.get("pullFiles", []): - full_url = "{}/blob/master/{}".format(content.get("source"), rel_file) + branch = _get_branch_by_repo_url(source) + full_url = "{}/blob/{}/{}".format(source, branch, rel_file) file_name = os.path.basename(rel_file) file_path = os.path.join(target_dir, file_name) rel_path_to_target_file = ("".join(file_path.split(".")[:-1])).lower() - internal_links[full_url] = "/docs/latest/{}/".format( - rel_path_to_target_file - ) + links[full_url] = "/docs/latest/{}/".format(rel_path_to_target_file) + + return links + +def _process_files(yaml_external: Dict) -> List[str]: + files = [] for target_dir, content in yaml_external.items(): + source = content.get("source", "").strip() pull_files: List[str] = content.get("pullFiles", []) - repo_owner, repo_name = _get_canonical_repo_from_url(content.get("source")) + repo_owner, repo_name = _get_canonical_repo_from_url(source) # processes and copies content from the git checkout to the desired location for rel_file in pull_files: @@ -130,10 +182,17 @@ def _pull_files(yaml_external: dict) -> List[str]: target_dir=target_dir, transform_file=content.get("transform", {}).get(filename, None), remove_heading=True, - repo_owner=repo_owner, - repo_name=repo_name, + source=source, ) - generated_files.append(abs_path_to_target_file) + files.append(abs_path_to_target_file) + return files + + +def _pull_files(yaml_external: Dict) -> List[str]: + global internal_links + + internal_links = _get_internal_links(yaml_external) + generated_files = _process_files(yaml_external) return generated_files @@ -149,10 +208,9 @@ def _copy_file( abs_path_to_repo_checkout_dir: str, rel_path_to_source_file: str, target_dir: str, - transform_file: dict = {}, + source: str, + transform_file: Dict = {}, remove_heading: bool = True, - repo_owner: str = "", - repo_name: str = "", ) -> str: file_name = os.path.basename(rel_path_to_source_file) @@ -190,8 +248,7 @@ def _copy_file( content=content, abs_path_to_source_dir=abs_path_to_repo_checkout_dir, rel_path_to_source_file=rel_path_to_source_file, - repo_owner=repo_owner, - repo_name=repo_name, + source=source, ) target_file.write(final_content) @@ -202,9 +259,10 @@ def _process_content( content: str, abs_path_to_source_dir: str, rel_path_to_source_file: str, - repo_owner: str, - repo_name: str, + source: str, ): + repo_owner, repo_name = _get_canonical_repo_from_url(source) + def repl_images(m: Match[str]): url = m.group("url") alt = m.group("alt") @@ -234,25 +292,43 @@ def repl_links(m: Match[str]): rel = m.group("rel") url = m.group("url") domain = m.group("domain") + host = m.group("host") rel_url = url - # this is an external url + + # this is a FQDN if domain is not None: + is_link_to_spire_repo = ( + host == "github.com" + and _get_canonical_repo_from_url(url) == ("spiffe", "spire") + ) + # that points to this site + new_url = url if domain == config.get("publicUrl"): new_url = url[len(config.get("publicUrl")) :] - else: - new_url = url + elif is_link_to_spire_repo: + github_url = RE_EXTRACT_GITHUB_PATH.search(url) + if github_url and github_url.group("path"): + branch = _get_latest_spire_release() + new_url = "https://github.com/{}/{}/blob/{}/{}".format( + "spiffe", "spire", branch, github_url.group("path") + ) + # this is an internal relative url else: - if rel == "/": - rel_url = url - elif rel == "./" or rel == "": + if rel == "./" or rel == "": rel_url = os.path.join(os.path.dirname(rel_path_to_source_file), url) + rel_url = os.path.normpath( + os.path.join(os.path.dirname(rel_path_to_source_file), rel, url) + ) - new_url = "https://github.com/{}/{}/blob/master/{}".format( - repo_owner, repo_name, rel_url + branch = _get_branch_by_repo_url(source) + + new_url = "https://github.com/{}/{}/blob/{}/{}".format( + repo_owner, repo_name, branch, rel_url ) + # if this file has been already pulled in, we can use the new internal URL # instead of pointing to the original github location if new_url in internal_links: