From 5f30bced2ea91bf1ce8bdae69aff5957f554ef05 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Mon, 12 Apr 2021 13:32:14 -0300 Subject: [PATCH 01/28] Fixes broken links generated on relative urls when importing external markdown Signed-off-by: Maximiliano Churichi --- pull_external.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pull_external.py b/pull_external.py index 0e392b13..dfbc89c2 100644 --- a/pull_external.py +++ b/pull_external.py @@ -245,14 +245,14 @@ def repl_links(m: Match[str]): new_url = url # this is an internal relative url else: - if rel == "/": - rel_url = url - elif rel == "./" or rel == "": - rel_url = os.path.join(os.path.dirname(rel_path_to_source_file), url) + rel_url = os.path.normpath( + os.path.join(os.path.dirname(rel_path_to_source_file), rel, url) + ) new_url = "https://github.com/{}/{}/blob/master/{}".format( repo_owner, repo_name, rel_url ) + # if this file has been already pulled in, we can use the new internal URL # instead of pointing to the original github location if new_url in internal_links: From 35ea988f9f4962fbb3afbf82630e2713db3319ca Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Tue, 20 Apr 2021 14:31:50 -0300 Subject: [PATCH 02/28] Removes outdated java-spiffe example Signed-off-by: Maximiliano Churichi --- content/docs/latest/deploying/libraries.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/content/docs/latest/deploying/libraries.md b/content/docs/latest/deploying/libraries.md index e4718ffc..b51babce 100644 --- a/content/docs/latest/deploying/libraries.md +++ b/content/docs/latest/deploying/libraries.md @@ -27,7 +27,4 @@ See the [go-spiffe library GitHub page](https://github.com/spiffe/go-spiffe/tree # Java -See the [java-spiffe library GitHub page](https://github.com/spiffe/java-spiffe) for more information about the SPIFFE Java library. - -* [Federation and TCP Support](https://github.com/spiffe/spiffe-example/tree/master/java-spiffe-federation-jboss) - +See the [java-spiffe library GitHub page](https://github.com/spiffe/java-spiffe) for more information about the SPIFFE Java library. From a05f66530abbba04cc94a79a86accdbadb467424 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Tue, 20 Apr 2021 14:39:51 -0300 Subject: [PATCH 03/28] Updates go-spiffe default branch Signed-off-by: Maximiliano Churichi --- content/docs/latest/deploying/libraries.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/docs/latest/deploying/libraries.md b/content/docs/latest/deploying/libraries.md index b51babce..7a67855e 100644 --- a/content/docs/latest/deploying/libraries.md +++ b/content/docs/latest/deploying/libraries.md @@ -19,11 +19,11 @@ See the [c-spiffe library GitHub page](https://github.com/spiffe/c-spiffe) for m # Go -See the [go-spiffe library GitHub page](https://github.com/spiffe/go-spiffe/tree/master/v2) for more information about the SPIFFE Go library. +See the [go-spiffe library GitHub page](https://github.com/spiffe/go-spiffe/tree/main/v2) for more information about the SPIFFE Go library. -* [SPIFFE to SPIFFE authentication using X.509 SVIDs](https://github.com/spiffe/go-spiffe/tree/master/v2/examples/spiffe-tls) +* [SPIFFE to SPIFFE authentication using X.509 SVIDs](https://github.com/spiffe/go-spiffe/tree/main/v2/examples/spiffe-tls) -* [SPIFFE to SPIFFE authentication using JWT SVIDs](https://github.com/spiffe/go-spiffe/tree/master/v2/examples/spiffe-jwt-using-proxy) +* [SPIFFE to SPIFFE authentication using JWT SVIDs](https://github.com/spiffe/go-spiffe/tree/main/v2/examples/spiffe-jwt-using-proxy) # Java From ff21e1ca0fc6cca444bf25cf969fc327a6f79595 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Thu, 6 May 2021 18:11:04 -0300 Subject: [PATCH 04/28] Replace David Langhorst with Andres Gomez Coronel as codeowner Signed-off-by: Maximiliano Churichi --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index d97c27f5..3b730b3e 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @sanderson042 @mchurichi @ajessup @drrt @evan2645 @umairmkhan +* @sanderson042 @mchurichi @ajessup @Andres-GC @evan2645 @umairmkhan From beed7a7fd2132d1d0665fc3e458ff30de5598fc4 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Tue, 4 May 2021 14:50:09 -0300 Subject: [PATCH 05/28] Fixes broken links Signed-off-by: Maximiliano Churichi --- content/docs/latest/deploying/configuring.md | 48 ++++++++-------- content/docs/latest/deploying/registering.md | 6 +- .../docs/latest/spire-about/spire-concepts.md | 2 - data/users.yaml | 56 +++++++++---------- 4 files changed, 55 insertions(+), 57 deletions(-) diff --git a/content/docs/latest/deploying/configuring.md b/content/docs/latest/deploying/configuring.md index 39825796..2c3f050b 100644 --- a/content/docs/latest/deploying/configuring.md +++ b/content/docs/latest/deploying/configuring.md @@ -14,9 +14,9 @@ To customize the behavior of the SPIRE Server and SPIRE Agent to meet your appli The SPIRE Server and Agent are configured in a file called `server.conf` and `agent.conf` respectively. -By default the Server expects the configuration file to reside at `conf/server/server.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Server reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) for more information. +By default the Server expects the configuration file to reside at `conf/server/server.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Server reference](https://github.com/spiffe/spire/blob/main/doc/spire_server.md) for more information. -Similarly, the Agent expects this file to reside at `conf/agent/agent.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Agent reference](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md) for more information. +Similarly, the Agent expects this file to reside at `conf/agent/agent.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Agent reference](https://github.com/spiffe/spire/blob/main/doc/spire_agent.md) for more information. The configuration file is loaded once when the Server or Agent is started. If the configuration file for either is modified, the Server or Agent must be restarted for the configuration to take effect. @@ -75,7 +75,7 @@ At the time of this writing,  projected service accounts are a relatively new f Node attestation using Kubernetes [Projected Service Account Tokens](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) (PSATs) allows a SPIRE Server to verify the identity of a SPIRE Agent running on a Kubernetes Cluster. Projected Service Account Tokens provide additional security guarantees over traditional Kubernetes Service Account Tokens and when supported by a Kubernetes cluster, PSAT is the recommended attestation strategy. -To use PSAT Node Attestation, configure enable the PSAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_k8s_psat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_k8s_psat.md). +To use PSAT Node Attestation, configure enable the PSAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_k8s_psat.md). ### Service Account Tokens @@ -83,7 +83,7 @@ In cases where workloads are running on Kubernetes but the Projected Service Acc Because the service account token does not contain claims that could be used to strongly identify the node/daemonset/pod running the agent, any container running in a whitelisted service account can masquerade as an agent. For this reason it is strongly recommended that agents run under a dedicated service account when using this attestation method. -To use SAT Node Attestation, configure and enable the SAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_k8s_sat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_k8s_sat.md). +To use SAT Node Attestation, configure and enable the SAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_sat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_k8s_sat.md). ## Attestation of nodes running Linux {#customize-server-linux-attestation} @@ -102,13 +102,13 @@ NodeAttestor "join_token" { } ``` -Once join token node attestation has been configured, a join token can be generated on the server using the `spire-server token generate` command. Optionally you can associate a particular SPIFFE ID with the Join Token with the `-spiffeID` flag. [Read more](https://github.com/spiffe/spire/blob/master/doc/spire_server.md#spire-server-token-generate) about using this command. +Once join token node attestation has been configured, a join token can be generated on the server using the `spire-server token generate` command. Optionally you can associate a particular SPIFFE ID with the Join Token with the `-spiffeID` flag. [Read more](https://github.com/spiffe/spire/blob/main/doc/spire_server.md#spire-server-token-generate) about using this command. -When starting a SPIRE Agent for the first time with Join Token attestation enabled, the agent can be started with the `spire-agent run` command, and specifying the join token generated by the server using the `-joinToken` flag. [Read more](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md#spire-agent-run) about this command. +When starting a SPIRE Agent for the first time with Join Token attestation enabled, the agent can be started with the `spire-agent run` command, and specifying the join token generated by the server using the `-joinToken` flag. [Read more](https://github.com/spiffe/spire/blob/main/doc/spire_agent.md#spire-agent-run) about this command. The server will validate the join token and issue the Agent an SVID, and the SVID will be rotated automatically as long as it maintains a connection to the Server. On subsequent starts the Agent will use that SVID to authenticate to the server unless it has expired and not renewed. -To use Join Token Node Attestation, configure and enable the join token Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_jointoken.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_jointoken.md). +To use Join Token Node Attestation, configure and enable the join token Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_jointoken.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_jointoken.md). To disable join token attestation on the server, comment out or delete this stanza from the configuration file before starting it. @@ -121,7 +121,7 @@ of this guide, they will be called the *root certificate bundle*). The Server mu In addition attestor exposes the selector `subject:cn` which will match any certificate that is both (a) valid, as described above, and (b) whose common name (CN) matches that described in the selector. -To use X.509 Certificate Node Attestation, configure and enable the x509pop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_x509pop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_x509pop.md). +To use X.509 Certificate Node Attestation, configure and enable the x509pop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_x509pop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_x509pop.md). ### SSH Certificate @@ -135,7 +135,7 @@ spiffe:///spire/agent/sshpop/ Where `` is a hash of the certificate itself. This SPIFFE ID can then be used as the basis of other workload registration entries. -To use SSH Certificate Node Attestation, configure and enable the sshpop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_sshpop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_sshpop.md). +To use SSH Certificate Node Attestation, configure and enable the sshpop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_sshpop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_sshpop.md). ## Attestation for Linux nodes on a Cloud Provider {#customize-server-cloud-attestation} @@ -150,7 +150,7 @@ Google Compute Engine (GCE) node attestation and resolution allows a SPIRE Serve 3. Once verification takes place, the SPIRE Agent is considered attested, and issued its own SPIFFE ID 4. Finally, SPIRE issues SVIDs to workloads on the nodes if they match a registration entry. The registration entry may include selectors exposed by the Node Attestor or Resolver, or have the SPIFFE ID of the SPIRE Agent as a parent. -To use GCP IIT Node Attestation, configure and enable the gcp_iit Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_gcp_iit.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_gcp_iit.md). +To use GCP IIT Node Attestation, configure and enable the gcp_iit Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_gcp_iit.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_gcp_iit.md). ### Amazon EC2 Instances @@ -162,7 +162,7 @@ EC2 node attestation and resolution allows a SPIRE Server to identify and authen 4. Once verification takes place, the SPIRE Agent is considered attested, and issued its own SPIFFE ID 5. Finally, SPIRE issues SVIDs to workloads on the nodes if they match a registration entry. The registration entry may include selectors exposed by the Node Attestor or Resolver, or have the SPIFFE ID of the SPIRE Agent as a parent. -For more information on configuring AWS EC2 Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the AWS [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_aws_iid.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/master/doc/plugin_server_noderesolver_aws_iid.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_aws_iid.md) on the agent. +For more information on configuring AWS EC2 Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the AWS [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_aws_iid.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_aws_iid.md) on the agent. ### Azure Virtual Machines @@ -181,7 +181,7 @@ The default resource–assigned by the agent plugin–is scoped relatively widel If you configure a custom resource ID in the agent configuration file, you must specify custom resource IDs for each tenant, in the `NodeAttestor` stanza of the `server.conf` configuration file. {{< /warning >}} -For more information on configuring Azure MSI Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the Azure MSI [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_azure_msi.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/master/doc/plugin_server_noderesolver_azure_msi.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_nodeattestor_azure_msi.md) on the agent. +For more information on configuring Azure MSI Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the Azure MSI [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_azure_msi.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/main/doc/plugin_server_noderesolver_azure_msi.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_azure_msi.md) on the agent. # Configuring workload attestation _This configuration applies to the SPIRE Agent_ @@ -196,7 +196,7 @@ When workloads are running in Kubernetes, it is valuable to be able to describe The Kubernetes Workload Attestor plugin works by interrogating the local Kubelet to retrieve kubernetes-specific metadata about particular process when it calls the Workload API, and uses that to identify workloads whose registration entries match those values. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Kubernetes Workload Attestor plugin](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_k8s.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Kubernetes Workload Attestor plugin](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_k8s.md). ## Workload Attestation for Docker containers @@ -204,7 +204,7 @@ When workloads are running in a Docker container, it can be helpful to be able t The Docker Workload Attestor plugin works by interrogating to the local Docker daemon to retrieve Docker-specific metadata about a particular process when it calls the Workload API. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Docker Workload Attestor plugin](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_docker.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Docker Workload Attestor plugin](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_docker.md). ## Workload Attestation for Unix processes @@ -212,7 +212,7 @@ When workloads are running on Unix, it can be helpful to be able to describe the The Unix Workload Attestor works by determining kernel metadata from the workload calling the Workload API by examining the caller of the Unix domain socket. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Unix Workload Attestor plugin](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_unix.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Unix Workload Attestor plugin](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_unix.md). # Configuring where to store agent and server data _This configuration applies to the SPIRE Server and SPIRE Agent_ @@ -232,7 +232,7 @@ _This configuration applies to the SPIRE Server_ The data-store is where SPIRE Server persists dynamic configuration such as registration entries and identity mapping policies that are retrieved from the SPIRE Server. By default, SPIRE bundles SQLite and sets it as the default for storage of server data. SPIRE also supports other compatible data-stores. For production purposes, you should carefully consider which database to use, particularly when deploying SPIRE in a High Availability configuration. -The SPIRE Server can be configured to utilize different SQL-compatible storage backends by configuring the default SQL data-store plugin as described below. A complete reference for how this block is configured can be found in the [SPIRE documentation](https://github.com/spiffe/spire/blob/master/doc/plugin_server_datastore_sql.md). +The SPIRE Server can be configured to utilize different SQL-compatible storage backends by configuring the default SQL data-store plugin as described below. A complete reference for how this block is configured can be found in the [SPIRE documentation](https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md). Alternatively, SPIRE can be configured to use non-SQL compatible storage backends through third party datastore plugins. The guide on [Extending SPIRE](/docs/latest/spire/developing/extending/) covers this in more detail. @@ -318,9 +318,9 @@ Both the SPIRE Agent and SPIRE Server generate private keys and certificates dur Currently SPIRE supports two key management strategies on both the Agent and Server. -* **Store in-memory**. In this strategy keys and certificates are only stored in-memory. This means that if the Server or Agent crashes or is otherwise re-started, the keys must be re-generated. In the case of the SPIRE Agent this typically requires the agent to re-attest to the Server upon restart. This strategy can be managed by enabling and configuring the memory key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_keymanager_memory.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_keymanager_memory.md). +* **Store in-memory**. In this strategy keys and certificates are only stored in-memory. This means that if the Server or Agent crashes or is otherwise re-started, the keys must be re-generated. In the case of the SPIRE Agent this typically requires the agent to re-attest to the Server upon restart. This strategy can be managed by enabling and configuring the memory key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_keymanager_memory.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_keymanager_memory.md). -* **Store on disk**. In this strategy, keys and certificates are stored in a specified file on disk. An advantage of this approach is they survive a restart of the SPIRE Server or Agent. A disadvantage is that since they keys are stored in files on disk, additional precautions must be taken to prevent a malicious process from reading those files. This strategy can be managed by enabling and configuring the disk key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_keymanager_disk.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_keymanager_disk.md). +* **Store on disk**. In this strategy, keys and certificates are stored in a specified file on disk. An advantage of this approach is they survive a restart of the SPIRE Server or Agent. A disadvantage is that since they keys are stored in files on disk, additional precautions must be taken to prevent a malicious process from reading those files. This strategy can be managed by enabling and configuring the disk key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_keymanager_disk.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_keymanager_disk.md). Alternatively, SPIRE can be configured to integrating a custom backend such as a secret store through third party key manager plugins. The guide on [Extending SPIRE](/docs/latest/spire/developing/extending/) covers this in more detail. @@ -341,7 +341,7 @@ This signing key should be considered extremely sensitive as to obtain it would To help ensure the integrity of the signing key a SPIRE Server may either sign material itself using a signing key stored on disk, or delegate signing to an independent Certificate Authority (CA), such as the AWS Secrets Manager. This behavior is configured through the `UpstreamAuthority` section in the `server.conf` file. -For a complete server configuration reference, see the [SPIRE Server Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +For a complete server configuration reference, see the [SPIRE Server Configuration Reference](https://github.com/spiffe/spire/blob/main/doc/spire_server.md). #### Configure an On-disk Signing Key @@ -358,25 +358,25 @@ sudo openssl req \ -x509 -days 365 -out /opt/spire/conf/root.crt ``` -This strategy can be managed by enabling and configuring the `disk` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_disk.md). +This strategy can be managed by enabling and configuring the `disk` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_disk.md). #### Configure AWS Secrets Manager The SPIRE Server can be configured to load CA credentials from [Amazon Web Services Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html), using them to generate intermediate signing certificates for the server's signing authority. -This strategy can be managed by enabling and configuring the `awssecret` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_awssecret.md). +This strategy can be managed by enabling and configuring the `awssecret` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_awssecret.md). #### Configure AWS Certificate Manager The SPIRE Server can be configured to load CA credentials from Amazon Web Services Certificate Manager [Private Certificate Authority](https://aws.amazon.com/certificate-manager/private-certificate-authority/) (PCA) them to generate intermediate signing certificates for the server's signing authority. -This strategy can be managed by enabling and configuring the `aws_pca` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_aws_pca.md). +This strategy can be managed by enabling and configuring the `aws_pca` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_aws_pca.md). #### Configure another SPIRE installation The SPIRE Server can be configured to load CA credentials from the Workload API of another SPIFFE implementation such as SPIRE. This enables a technique called "Nested SPIRE" that, as a compliment to HA deployments, allows independent SPIRE Servers to issue identities against a single trust domain. -A full treatment for Nested SPIRE is beyond the scope of this guide. However this strategy can be managed by enabling and configuring the `spire` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/master/doc/plugin_server_upstreamauthority_spire.md). +A full treatment for Nested SPIRE is beyond the scope of this guide. However this strategy can be managed by enabling and configuring the `spire` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_spire.md). # Export Metrics for Monitoring _This configuration applies to the SPIRE Server and SPIRE Agent_ @@ -420,7 +420,7 @@ telemetry { } ``` -For more information, see the [telemetry configuration](https://github.com/spiffe/spire/blob/master/doc/telemetry_config.md) guide. +For more information, see the [telemetry configuration](https://github.com/spiffe/spire/blob/main/doc/telemetry_config.md) guide. # Logging _This configuration applies to the SPIRE Server and SPIRE Agent_ diff --git a/content/docs/latest/deploying/registering.md b/content/docs/latest/deploying/registering.md index d75202a7..4acfd16d 100644 --- a/content/docs/latest/deploying/registering.md +++ b/content/docs/latest/deploying/registering.md @@ -62,9 +62,9 @@ Different selectors are available depending on the platform or architecture on w | For a list of supported selectors for this platform | Go here | | ---------------- | ----------- | -| **Kubernetes** | The [configuration reference page for the Kubernetes Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_k8s_sat.md) -| **AWS** | The [configuration reference page for the AWS Node Resolver](https://github.com/spiffe/spire/blob/master/doc/plugin_server_noderesolver_aws_iid.md) -| **Azure** | The [configuration reference page for the Azure Managed Service Identity Node Resolver](https://github.com/spiffe/spire/blob/master/doc/plugin_server_noderesolver_azure_msi.md) +| **Kubernetes** | The [configuration reference page for the Kubernetes Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_sat.md) +| **AWS** | The [configuration reference page for the AWS Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_aws_iid.md) +| **Azure** | The [configuration reference page for the Azure Managed Service Identity Node Resolver](https://github.com/spiffe/spire/blob/main/doc/plugin_server_noderesolver_azure_msi.md) ## 2. Defining the SPIFFE ID of the Workload diff --git a/content/docs/latest/spire-about/spire-concepts.md b/content/docs/latest/spire-about/spire-concepts.md index fc76898e..5823fc04 100644 --- a/content/docs/latest/spire-about/spire-concepts.md +++ b/content/docs/latest/spire-about/spire-concepts.md @@ -67,8 +67,6 @@ You customize the agent’s behavior by configuring plugins and other configurat You can create custom server and agent plugins for particular platforms and architectures for which SPIRE doesn’t include plugins. For example, you could create server and agent node attestors for an architecture other than those summarized under [Node Attestation](#node-attestation). Or you could create a custom keymanager plugin to handle private keys in a way SPIRE doesn’t currently support. Because SPIRE loads custom plugins at runtime, you do not need recompile SPIRE in order to enable them. -For help creating custom server and agent plugins, see [SPIRE Plugin Development](https://github.com/spiffe/plugin-template/blob/master/SPIRE_PLUGIN_GUIDE.md). - # A Day in the Life of an SVID This section walks through a “day in the life” of how SPIRE issues an identity to a workload, from the time the agent starts up on a node to the point of a workload on the same node receiving a valid identity in the form of an X.509 SVID. Note that SVIDs in JWT format are handled differently. For the purposes of simple demonstration, the workload is running on AWS EC2. diff --git a/data/users.yaml b/data/users.yaml index e09c82f0..7048b152 100644 --- a/data/users.yaml +++ b/data/users.yaml @@ -1,30 +1,30 @@ issuers: -- name: The SPIRE project - description: SPIRE is an open-source toolchain that implements the SPIFFE specification in a wide variety of environments - link: /docs/latest/spire/understand/concepts/ - logo: spire/icon/color/spire-icon-color.png -- name: Istio - description: The Istio control plane issues SPIFFE IDs for all workloads - link: https://istio.io/latest/docs/concepts/security/#pki - logo: istio.svg -- name: HashiCorp Consul - description: The Consul Connect service mesh uses the SPIFFE specification for establishing service identities, enabling Consul Connect services to connect with other SPIFFE-compliant systems - link: https://www.consul.io/segmentation.html - logo: consul.svg -- name: Kuma - description: Kuma automatically generates SPIFFE-compatible certificates that identify all the services and workloads running in the service mesh, and encrypts all the traffic generated between them - link: https://kuma.io - logo: kuma.svg + - name: The SPIRE project + description: SPIRE is an open-source toolchain that implements the SPIFFE specification in a wide variety of environments + link: /docs/latest/spire/understand/concepts/ + logo: spire/icon/color/spire-icon-color.png + - name: Istio + description: The Istio control plane issues SPIFFE IDs for all workloads + link: https://istio.io/latest/docs/concepts/security/#pki + logo: istio.svg + - name: HashiCorp Consul + description: The Consul Connect service mesh uses the SPIFFE specification for establishing service identities, enabling Consul Connect services to connect with other SPIFFE-compliant systems + link: https://www.consul.io/segmentation.html + logo: consul.svg + - name: Kuma + description: Kuma automatically generates SPIFFE-compatible certificates that identify all the services and workloads running in the service mesh, and encrypts all the traffic generated between them + link: https://kuma.io + logo: kuma.svg consumers: -- name: The Envoy proxy - description: Customers can use SPIFFE IDs to establish [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication) connections between Envoy proxies - link: https://blog.envoyproxy.io/securing-the-service-mesh-with-spire-0-3-abb45cd79810 - logo: envoy.svg -- name: Pinterest Knox - description: Customers can authenticate to Knox with SPIFFE IDs - link: https://medium.com/@Pinterest_Engineering/secret-management-in-multi-tenant-environments-debc9236a744 - logo: pinterest.png -- name: The Ghostunnel proxy - description: Customers can use SPIFFE IDs to establish [mTLS](https://en.wikipedia.org/wiki/Multiplexed_Transport_Layer_Security) connections between Ghostunnel proxies with built-in support for obtaining X.509-SVID identities via the [SPIFFE Workload API](/docs/latest/spiffe/concepts/#spiffe-workload-api) - link: https://github.com/square/ghostunnel - logo: square.jpg + - name: The Envoy proxy + description: Customers can use SPIFFE IDs to establish [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) connections between Envoy proxies + link: https://blog.envoyproxy.io/securing-the-service-mesh-with-spire-0-3-abb45cd79810 + logo: envoy.svg + - name: Pinterest Knox + description: Customers can authenticate to Knox with SPIFFE IDs + link: https://medium.com/@Pinterest_Engineering/secret-management-in-multi-tenant-environments-debc9236a744 + logo: pinterest.png + - name: The Ghostunnel proxy + description: Customers can use SPIFFE IDs to establish [mTLS](https://en.wikipedia.org/wiki/Mutual_authentication#mTLS) connections between Ghostunnel proxies with built-in support for obtaining X.509-SVID identities via the [SPIFFE Workload API](/docs/latest/spiffe-about/spiffe-concepts/#spiffe-workload-api) + link: https://github.com/square/ghostunnel + logo: square.jpg From 342a749b26ef2f4d9c2bde6f74e13752a779297a Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi Date: Mon, 5 Apr 2021 19:24:48 -0300 Subject: [PATCH 06/28] Changes to pull docs from latest spire release Signed-off-by: Maximiliano Churichi --- .editorconfig | 7 + Pipfile | 1 + Pipfile.lock | 289 ++++++++++++------ assets/sass/custom.sass | 5 +- config.toml | 1 + content/docs/latest/deploying/configuring.md | 48 +-- .../docs/latest/deploying/install-agents.md | 2 +- content/docs/latest/deploying/registering.md | 20 +- content/docs/latest/deploying/svids.md | 2 +- content/docs/latest/planning/extending.md | 16 +- .../docs/latest/spiffe-about/get-involved.md | 2 +- .../docs/latest/spire-about/spire-concepts.md | 8 +- .../docs/latest/try/getting-started-k8s.md | 4 +- layouts/partials/docs/dashboard-panel.html | 68 +---- pull_external.py | 93 ++++-- 15 files changed, 346 insertions(+), 220 deletions(-) create mode 100644 .editorconfig diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 00000000..d9c0e800 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,7 @@ +root = true + +[*.{yaml,yml}] +indent_size = 4 + +[*.py] +indent_size = 4 \ No newline at end of file diff --git a/Pipfile b/Pipfile index 31728832..602e81dc 100644 --- a/Pipfile +++ b/Pipfile @@ -12,6 +12,7 @@ argh = "*" [packages] pyyaml = "~=5.3" toml = "~=0.10.1" +requests = "~=2.25.1" [requires] python_version = "3.7" diff --git a/Pipfile.lock b/Pipfile.lock index ec9a9b20..83a9c53c 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "001544007f6d775205f087d9c37f67ed0325de1736d345a917486f9f072cb3ed" + "sha256": "aa09ee83074fb079080714b65d3376a660fb0ec27879eaa2954ee665f7e4d741" }, "pipfile-spec": 6, "requires": { @@ -16,30 +16,87 @@ ] }, "default": { + "certifi": { + "hashes": [ + "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c", + "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830" + ], + "version": "==2020.12.5" + }, + "chardet": { + "hashes": [ + "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", + "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==4.0.0" + }, + "idna": { + "hashes": [ + "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", + "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", + "version": "==2.10" + }, "pyyaml": { "hashes": [ - "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97", - "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76", - "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2", - "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648", - "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf", - "sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f", - "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2", - "sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee", - "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d", - "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c", - "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a" + "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", + "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", + "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", + "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", + "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", + "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", + "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", + "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", + "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", + "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", + "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", + "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", + "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347", + "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", + "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541", + "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", + "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", + "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc", + "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", + "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa", + "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", + "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122", + "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", + "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", + "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", + "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc", + "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247", + "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6", + "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0" + ], + "index": "pypi", + "version": "==5.4.1" + }, + "requests": { + "hashes": [ + "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", + "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" ], "index": "pypi", - "version": "==5.3.1" + "version": "==2.25.1" }, "toml": { "hashes": [ - "sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f", - "sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88" + "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", + "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f" ], "index": "pypi", - "version": "==0.10.1" + "version": "==0.10.2" + }, + "urllib3": { + "hashes": [ + "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", + "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" + ], + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", + "version": "==1.26.4" } }, "develop": { @@ -75,11 +132,19 @@ }, "flake8": { "hashes": [ - "sha256:749dbbd6bfd0cf1318af27bf97a14e28e5ff548ef8e5b1566ccfb25a11e7c839", - "sha256:aadae8761ec651813c24be05c6f7b4680857ef6afaae4651a4eccaef97ce6c3b" + "sha256:12d05ab02614b6aee8df7c36b97d1a3b2372761222b19b58621355e82acddcff", + "sha256:78873e372b12b093da7b5e5ed302e8ad9e988b38b063b61ad937f26ca58fc5f0" ], "index": "pypi", - "version": "==3.8.4" + "version": "==3.9.0" + }, + "importlib-metadata": { + "hashes": [ + "sha256:1cedf994a9b6885dcbb7ed40b24c332b1de3956319f4b1a0f07c0621d453accc", + "sha256:c9c1b6c7dbc62084f3e6a614a194eb16ded7947736c18e3300125d5c0a7a8b3c" + ], + "markers": "python_version < '3.8'", + "version": "==3.9.1" }, "mccabe": { "hashes": [ @@ -97,98 +162,115 @@ }, "pathspec": { "hashes": [ - "sha256:7d91249d21749788d07a2d0f94147accd8f845507400749ea19c1ec9054a12b0", - "sha256:da45173eb3a6f2a5a487efba21f050af2b41948be6ab52b6a1e3ff22bb8b7061" - ], - "version": "==0.8.0" - }, - "pathtools": { - "hashes": [ - "sha256:7c35c5421a39bb82e58018febd90e3b6e5db34c5443aaaf742b3f33d4655f1c0" + "sha256:86379d6b86d75816baba717e64b1a3a3469deb93bb76d613c9ce79edc5cb68fd", + "sha256:aa0cb481c4041bf52ffa7b0d8fa6cd3e88a2ca4879c533c9153882ee2556790d" ], - "version": "==0.1.2" + "version": "==0.8.1" }, "pycodestyle": { "hashes": [ - "sha256:2295e7b2f6b5bd100585ebcb1f616591b652db8a741695b3d8f5d28bdc934367", - "sha256:c58a7d2815e0e8d7972bf1803331fb0152f867bd89adf8a01dfd55085434192e" + "sha256:514f76d918fcc0b55c6680472f0a37970994e07bbb80725808c17089be302068", + "sha256:c389c1d06bf7904078ca03399a4816f974a1d590090fecea0c63ec26ebaf1cef" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.6.0" + "version": "==2.7.0" }, "pyflakes": { "hashes": [ - "sha256:0d94e0e05a19e57a99444b6ddcf9a6eb2e5c68d3ca1e98e90707af8152c90a92", - "sha256:35b2d75ee967ea93b55750aa9edbbf72813e06a66ba54438df2cfac9e3c27fc8" + "sha256:7893783d01b8a89811dd72d7dfd4d84ff098e5eed95cfa8905b22bbffe52efc3", + "sha256:f5bc8ecabc05bb9d291eb5203d6810b49040f6ff446a756326104746cc00c1db" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.2.0" + "version": "==2.3.1" }, "regex": { "hashes": [ - "sha256:1a16afbfadaadc1397353f9b32e19a65dc1d1804c80ad73a14f435348ca017ad", - "sha256:2308491b3e6c530a3bb38a8a4bb1dc5fd32cbf1e11ca623f2172ba17a81acef1", - "sha256:39a5ef30bca911f5a8a3d4476f5713ed4d66e313d9fb6755b32bec8a2e519635", - "sha256:3d5a8d007116021cf65355ada47bf405656c4b3b9a988493d26688275fde1f1c", - "sha256:4302153abb96859beb2c778cc4662607a34175065fc2f33a21f49eb3fbd1ccd3", - "sha256:463e770c48da76a8da82b8d4a48a541f314e0df91cbb6d873a341dbe578efafd", - "sha256:46ab6070b0d2cb85700b8863b3f5504c7f75d8af44289e9562195fe02a8dd72d", - "sha256:4f5c0fe46fb79a7adf766b365cae56cafbf352c27358fda811e4a1dc8216d0db", - "sha256:60c4f64d9a326fe48e8738c3dbc068e1edc41ff7895a9e3723840deec4bc1c28", - "sha256:671c51d352cfb146e48baee82b1ee8d6ffe357c292f5e13300cdc5c00867ebfc", - "sha256:6cf527ec2f3565248408b61dd36e380d799c2a1047eab04e13a2b0c15dd9c767", - "sha256:7c4fc5a8ec91a2254bb459db27dbd9e16bba1dabff638f425d736888d34aaefa", - "sha256:850339226aa4fec04916386577674bb9d69abe0048f5d1a99f91b0004bfdcc01", - "sha256:8ba3efdd60bfee1aa784dbcea175eb442d059b576934c9d099e381e5a9f48930", - "sha256:8c8c42aa5d3ac9a49829c4b28a81bebfa0378996f9e0ca5b5ab8a36870c3e5ee", - "sha256:8e7ef296b84d44425760fe813cabd7afbb48c8dd62023018b338bbd9d7d6f2f0", - "sha256:a2a31ee8a354fa3036d12804730e1e20d58bc4e250365ead34b9c30bbe9908c3", - "sha256:a63907332531a499b8cdfd18953febb5a4c525e9e7ca4ac147423b917244b260", - "sha256:a8240df4957a5b0e641998a5d78b3c4ea762c845d8cb8997bf820626826fde9a", - "sha256:b8806649983a1c78874ec7e04393ef076805740f6319e87a56f91f1767960212", - "sha256:c077c9d04a040dba001cf62b3aff08fd85be86bccf2c51a770c77377662a2d55", - "sha256:c529ba90c1775697a65b46c83d47a2d3de70f24d96da5d41d05a761c73b063af", - "sha256:d537e270b3e6bfaea4f49eaf267984bfb3628c86670e9ad2a257358d3b8f0955", - "sha256:d629d750ebe75a88184db98f759633b0a7772c2e6f4da529f0027b4a402c0e2f", - "sha256:d9d53518eeed12190744d366ec4a3f39b99d7daa705abca95f87dd8b442df4ad", - "sha256:e490f08897cb44e54bddf5c6e27deca9b58c4076849f32aaa7a0b9f1730f2c20", - "sha256:f579caecbbca291b0fcc7d473664c8c08635da2f9b1567c22ea32311c86ef68c" - ], - "version": "==2020.10.11" + "sha256:07ef35301b4484bce843831e7039a84e19d8d33b3f8b2f9aab86c376813d0139", + "sha256:13f50969028e81765ed2a1c5fcfdc246c245cf8d47986d5172e82ab1a0c42ee5", + "sha256:14de88eda0976020528efc92d0a1f8830e2fb0de2ae6005a6fc4e062553031fa", + "sha256:159fac1a4731409c830d32913f13f68346d6b8e39650ed5d704a9ce2f9ef9cb3", + "sha256:18e25e0afe1cf0f62781a150c1454b2113785401ba285c745acf10c8ca8917df", + "sha256:201e2619a77b21a7780580ab7b5ce43835e242d3e20fef50f66a8df0542e437f", + "sha256:360a01b5fa2ad35b3113ae0c07fb544ad180603fa3b1f074f52d98c1096fa15e", + "sha256:39c44532d0e4f1639a89e52355b949573e1e2c5116106a395642cbbae0ff9bcd", + "sha256:3d9356add82cff75413bec360c1eca3e58db4a9f5dafa1f19650958a81e3249d", + "sha256:3d9a7e215e02bd7646a91fb8bcba30bc55fd42a719d6b35cf80e5bae31d9134e", + "sha256:4651f839dbde0816798e698626af6a2469eee6d9964824bb5386091255a1694f", + "sha256:486a5f8e11e1f5bbfcad87f7c7745eb14796642323e7e1829a331f87a713daaa", + "sha256:4b8a1fb724904139149a43e172850f35aa6ea97fb0545244dc0b805e0154ed68", + "sha256:4c0788010a93ace8a174d73e7c6c9d3e6e3b7ad99a453c8ee8c975ddd9965643", + "sha256:4c2e364491406b7888c2ad4428245fc56c327e34a5dfe58fd40df272b3c3dab3", + "sha256:575a832e09d237ae5fedb825a7a5bc6a116090dd57d6417d4f3b75121c73e3be", + "sha256:5770a51180d85ea468234bc7987f5597803a4c3d7463e7323322fe4a1b181578", + "sha256:633497504e2a485a70a3268d4fc403fe3063a50a50eed1039083e9471ad0101c", + "sha256:63f3ca8451e5ff7133ffbec9eda641aeab2001be1a01878990f6c87e3c44b9d5", + "sha256:709f65bb2fa9825f09892617d01246002097f8f9b6dde8d1bb4083cf554701ba", + "sha256:808404898e9a765e4058bf3d7607d0629000e0a14a6782ccbb089296b76fa8fe", + "sha256:882f53afe31ef0425b405a3f601c0009b44206ea7f55ee1c606aad3cc213a52c", + "sha256:8bd4f91f3fb1c9b1380d6894bd5b4a519409135bec14c0c80151e58394a4e88a", + "sha256:8e65e3e4c6feadf6770e2ad89ad3deb524bcb03d8dc679f381d0568c024e0deb", + "sha256:976a54d44fd043d958a69b18705a910a8376196c6b6ee5f2596ffc11bff4420d", + "sha256:a0d04128e005142260de3733591ddf476e4902c0c23c1af237d9acf3c96e1b38", + "sha256:a0df9a0ad2aad49ea3c7f65edd2ffb3d5c59589b85992a6006354f6fb109bb18", + "sha256:a2ee026f4156789df8644d23ef423e6194fad0bc53575534101bb1de5d67e8ce", + "sha256:a59a2ee329b3de764b21495d78c92ab00b4ea79acef0f7ae8c1067f773570afa", + "sha256:b97ec5d299c10d96617cc851b2e0f81ba5d9d6248413cd374ef7f3a8871ee4a6", + "sha256:b98bc9db003f1079caf07b610377ed1ac2e2c11acc2bea4892e28cc5b509d8d5", + "sha256:b9d8d286c53fe0cbc6d20bf3d583cabcd1499d89034524e3b94c93a5ab85ca90", + "sha256:bcd945175c29a672f13fce13a11893556cd440e37c1b643d6eeab1988c8b209c", + "sha256:c66221e947d7207457f8b6f42b12f613b09efa9669f65a587a2a71f6a0e4d106", + "sha256:c782da0e45aff131f0bed6e66fbcfa589ff2862fc719b83a88640daa01a5aff7", + "sha256:cb4ee827857a5ad9b8ae34d3c8cc51151cb4a3fe082c12ec20ec73e63cc7c6f0", + "sha256:d47d359545b0ccad29d572ecd52c9da945de7cd6cf9c0cfcb0269f76d3555689", + "sha256:dc9963aacb7da5177e40874585d7407c0f93fb9d7518ec58b86e562f633f36cd", + "sha256:ea2f41445852c660ba7c3ebf7d70b3779b20d9ca8ba54485a17740db49f46932", + "sha256:f5d0c921c99297354cecc5a416ee4280bd3f20fd81b9fb671ca6be71499c3fdf", + "sha256:f85d6f41e34f6a2d1607e312820971872944f1661a73d33e1e82d35ea3305e14" + ], + "version": "==2021.3.17" }, "toml": { "hashes": [ - "sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f", - "sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88" + "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", + "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f" ], "index": "pypi", - "version": "==0.10.1" + "version": "==0.10.2" }, "typed-ast": { "hashes": [ - "sha256:0666aa36131496aed8f7be0410ff974562ab7eeac11ef351def9ea6fa28f6355", - "sha256:0c2c07682d61a629b68433afb159376e24e5b2fd4641d35424e462169c0a7919", - "sha256:249862707802d40f7f29f6e1aad8d84b5aa9e44552d2cc17384b209f091276aa", - "sha256:24995c843eb0ad11a4527b026b4dde3da70e1f2d8806c99b7b4a7cf491612652", - "sha256:269151951236b0f9a6f04015a9004084a5ab0d5f19b57de779f908621e7d8b75", - "sha256:4083861b0aa07990b619bd7ddc365eb7fa4b817e99cf5f8d9cf21a42780f6e01", - "sha256:498b0f36cc7054c1fead3d7fc59d2150f4d5c6c56ba7fb150c013fbc683a8d2d", - "sha256:4e3e5da80ccbebfff202a67bf900d081906c358ccc3d5e3c8aea42fdfdfd51c1", - "sha256:6daac9731f172c2a22ade6ed0c00197ee7cc1221aa84cfdf9c31defeb059a907", - "sha256:715ff2f2df46121071622063fc7543d9b1fd19ebfc4f5c8895af64a77a8c852c", - "sha256:73d785a950fc82dd2a25897d525d003f6378d1cb23ab305578394694202a58c3", - "sha256:8c8aaad94455178e3187ab22c8b01a3837f8ee50e09cf31f1ba129eb293ec30b", - "sha256:8ce678dbaf790dbdb3eba24056d5364fb45944f33553dd5869b7580cdbb83614", - "sha256:aaee9905aee35ba5905cfb3c62f3e83b3bec7b39413f0a7f19be4e547ea01ebb", - "sha256:bcd3b13b56ea479b3650b82cabd6b5343a625b0ced5429e4ccad28a8973f301b", - "sha256:c9e348e02e4d2b4a8b2eedb48210430658df6951fa484e59de33ff773fbd4b41", - "sha256:d205b1b46085271b4e15f670058ce182bd1199e56b317bf2ec004b6a44f911f6", - "sha256:d43943ef777f9a1c42bf4e552ba23ac77a6351de620aa9acf64ad54933ad4d34", - "sha256:d5d33e9e7af3b34a40dc05f498939f0ebf187f07c385fd58d591c533ad8562fe", - "sha256:fc0fea399acb12edbf8a628ba8d2312f583bdbdb3335635db062fa98cf71fca4", - "sha256:fe460b922ec15dd205595c9b5b99e2f056fd98ae8f9f56b888e7a17dc2b757e7" - ], - "version": "==1.4.1" + "sha256:07d49388d5bf7e863f7fa2f124b1b1d89d8aa0e2f7812faff0a5658c01c59aa1", + "sha256:14bf1522cdee369e8f5581238edac09150c765ec1cb33615855889cf33dcb92d", + "sha256:240296b27397e4e37874abb1df2a608a92df85cf3e2a04d0d4d61055c8305ba6", + "sha256:36d829b31ab67d6fcb30e185ec996e1f72b892255a745d3a82138c97d21ed1cd", + "sha256:37f48d46d733d57cc70fd5f30572d11ab8ed92da6e6b28e024e4a3edfb456e37", + "sha256:4c790331247081ea7c632a76d5b2a265e6d325ecd3179d06e9cf8d46d90dd151", + "sha256:5dcfc2e264bd8a1db8b11a892bd1647154ce03eeba94b461effe68790d8b8e07", + "sha256:7147e2a76c75f0f64c4319886e7639e490fee87c9d25cb1d4faef1d8cf83a440", + "sha256:7703620125e4fb79b64aa52427ec192822e9f45d37d4b6625ab37ef403e1df70", + "sha256:8368f83e93c7156ccd40e49a783a6a6850ca25b556c0fa0240ed0f659d2fe496", + "sha256:84aa6223d71012c68d577c83f4e7db50d11d6b1399a9c779046d75e24bed74ea", + "sha256:85f95aa97a35bdb2f2f7d10ec5bbdac0aeb9dafdaf88e17492da0504de2e6400", + "sha256:8db0e856712f79c45956da0c9a40ca4246abc3485ae0d7ecc86a20f5e4c09abc", + "sha256:9044ef2df88d7f33692ae3f18d3be63dec69c4fb1b5a4a9ac950f9b4ba571606", + "sha256:963c80b583b0661918718b095e02303d8078950b26cc00b5e5ea9ababe0de1fc", + "sha256:987f15737aba2ab5f3928c617ccf1ce412e2e321c77ab16ca5a293e7bbffd581", + "sha256:9ec45db0c766f196ae629e509f059ff05fc3148f9ffd28f3cfe75d4afb485412", + "sha256:9fc0b3cb5d1720e7141d103cf4819aea239f7d136acf9ee4a69b047b7986175a", + "sha256:a2c927c49f2029291fbabd673d51a2180038f8cd5a5b2f290f78c4516be48be2", + "sha256:a38878a223bdd37c9709d07cd357bb79f4c760b29210e14ad0fb395294583787", + "sha256:b4fcdcfa302538f70929eb7b392f536a237cbe2ed9cba88e3bf5027b39f5f77f", + "sha256:c0c74e5579af4b977c8b932f40a5464764b2f86681327410aa028a22d2f54937", + "sha256:c1c876fd795b36126f773db9cbb393f19808edd2637e00fd6caba0e25f2c7b64", + "sha256:c9aadc4924d4b5799112837b226160428524a9a45f830e0d0f184b19e4090487", + "sha256:cc7b98bf58167b7f2db91a4327da24fb93368838eb84a44c472283778fc2446b", + "sha256:cf54cfa843f297991b7388c281cb3855d911137223c6b6d2dd82a47ae5125a41", + "sha256:d003156bb6a59cda9050e983441b7fa2487f7800d76bdc065566b7d728b4581a", + "sha256:d175297e9533d8d37437abc14e8a83cbc68af93cc9c1c59c2c292ec59a0697a3", + "sha256:d746a437cdbca200622385305aedd9aef68e8a645e385cc483bdc5e488f07166", + "sha256:e683e409e5c45d5c9082dc1daf13f6374300806240719f95dc783d1fc942af10" + ], + "version": "==1.4.2" }, "typing-extensions": { "hashes": [ @@ -196,14 +278,39 @@ "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c", "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f" ], + "markers": "python_version < '3.8'", "version": "==3.7.4.3" }, "watchdog": { "hashes": [ - "sha256:4214e1379d128b0588021880ccaf40317ee156d4603ac388b9adcf29165e0c04" + "sha256:035f4816daf3c62e03503c267620f3aa8fc7472df85ff3ef1e0c100ea1ed2744", + "sha256:0f7e9de9ba84af15e9e9fc29c3b13c972daa4d2b11de29aa86b26a26bc877c06", + "sha256:13c9ff58508dce55ba416eb0ef7af5aa5858558f2ec51112f099fd03503b670b", + "sha256:19675b8d1f00dabe74a0e66d87980623250d9360a21612e8c27b70a4b214ceeb", + "sha256:1cd715c4fb803581ded8943f39a51f21c17375d009ca9e3398d6b20638863a70", + "sha256:1f518a6940cde8720b8826a705c164e6b9bd6cf8c00f14269ffac51e017e06ec", + "sha256:3e933f3567c4521dd1a5d59fd54a522cae90bebcbeb8b74b84a2f33c90f08388", + "sha256:41b1a773f364f232b5bc184688e8d60451745d9e0971ac60c648bd47be8f4733", + "sha256:532fedd993e75554671faa36cd04c580ced3fae084254a779afbbd8aaf00566b", + "sha256:74528772516228f6a015a647027057939ff0b695a0b864cb3037e8e1aabc7ca0", + "sha256:89102465764e453609463cf620e744da1b0aa1f9f321b05961e2e7e15b3c9d8b", + "sha256:a412b1914e27f67b0a10e1ee19b5d035a9f7c115a062bbbd640653d9820ba4c8", + "sha256:ac6adbdf32e1d180574f9d0819e80259ae48e68727e80c3d950ed5a023714c3e", + "sha256:adda34bfe6db05485c1dfcd98232bdec385f991fe16358750c2163473eefb985", + "sha256:d2fcbc15772a82cd139c803a513c45b0fbc72a10a8a34dc2a8b429110b6f1236", + "sha256:d54e187b76053982180532cb7fd31152201c438b348c456f699929f8a89e786d", + "sha256:e0114e48ee981b38e328eaa0d5a625c7b4fc144b8dc7f7637749d6b5f7fefb0e" ], "index": "pypi", - "version": "==0.10.3" + "version": "==2.0.2" + }, + "zipp": { + "hashes": [ + "sha256:3607921face881ba3e026887d8150cca609d517579abe052ac81fc5aeffdbd76", + "sha256:51cb66cc54621609dd593d1787f286ee42a5c0adbb4b29abea5a63edc3e03098" + ], + "markers": "python_version >= '3.6'", + "version": "==3.4.1" } } } diff --git a/assets/sass/custom.sass b/assets/sass/custom.sass index 575679f8..520f4a47 100644 --- a/assets/sass/custom.sass +++ b/assets/sass/custom.sass @@ -107,4 +107,7 @@ a code - color: $link \ No newline at end of file + color: $link + +.non-actionable + cursor: default diff --git a/config.toml b/config.toml index 500c84c0..875e6430 100644 --- a/config.toml +++ b/config.toml @@ -7,6 +7,7 @@ canonifyurls = true googleAnalytics = "UA-99605331-1" enableGitInfo = true publicUrl = "https://spiffe.io" +spireGitHubUrl = "http://github.com/spiffe/spire" [markup] [markup.tableOfContents] diff --git a/content/docs/latest/deploying/configuring.md b/content/docs/latest/deploying/configuring.md index 2c3f050b..d447711c 100644 --- a/content/docs/latest/deploying/configuring.md +++ b/content/docs/latest/deploying/configuring.md @@ -14,9 +14,9 @@ To customize the behavior of the SPIRE Server and SPIRE Agent to meet your appli The SPIRE Server and Agent are configured in a file called `server.conf` and `agent.conf` respectively. -By default the Server expects the configuration file to reside at `conf/server/server.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Server reference](https://github.com/spiffe/spire/blob/main/doc/spire_server.md) for more information. +By default the Server expects the configuration file to reside at `conf/server/server.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Server reference](/docs/latest/deploying/spire_server/) for more information. -Similarly, the Agent expects this file to reside at `conf/agent/agent.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Agent reference](https://github.com/spiffe/spire/blob/main/doc/spire_agent.md) for more information. +Similarly, the Agent expects this file to reside at `conf/agent/agent.conf`, however the Server can be configured to use a configuration file in a different location with the `--config` flag. See the [SPIRE Agent reference](/docs/latest/deploying/spire_agent/) for more information. The configuration file is loaded once when the Server or Agent is started. If the configuration file for either is modified, the Server or Agent must be restarted for the configuration to take effect. @@ -75,7 +75,7 @@ At the time of this writing,  projected service accounts are a relatively new f Node attestation using Kubernetes [Projected Service Account Tokens](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) (PSATs) allows a SPIRE Server to verify the identity of a SPIRE Agent running on a Kubernetes Cluster. Projected Service Account Tokens provide additional security guarantees over traditional Kubernetes Service Account Tokens and when supported by a Kubernetes cluster, PSAT is the recommended attestation strategy. -To use PSAT Node Attestation, configure enable the PSAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_psat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_k8s_psat.md). +To use PSAT Node Attestation, configure enable the PSAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_psat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_k8s_psat.md). ### Service Account Tokens @@ -83,7 +83,7 @@ In cases where workloads are running on Kubernetes but the Projected Service Acc Because the service account token does not contain claims that could be used to strongly identify the node/daemonset/pod running the agent, any container running in a whitelisted service account can masquerade as an agent. For this reason it is strongly recommended that agents run under a dedicated service account when using this attestation method. -To use SAT Node Attestation, configure and enable the SAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_sat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_k8s_sat.md). +To use SAT Node Attestation, configure and enable the SAT Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_sat.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_k8s_sat.md). ## Attestation of nodes running Linux {#customize-server-linux-attestation} @@ -102,13 +102,13 @@ NodeAttestor "join_token" { } ``` -Once join token node attestation has been configured, a join token can be generated on the server using the `spire-server token generate` command. Optionally you can associate a particular SPIFFE ID with the Join Token with the `-spiffeID` flag. [Read more](https://github.com/spiffe/spire/blob/main/doc/spire_server.md#spire-server-token-generate) about using this command. +Once join token node attestation has been configured, a join token can be generated on the server using the `spire-server token generate` command. Optionally you can associate a particular SPIFFE ID with the Join Token with the `-spiffeID` flag. [Read more](/docs/latest/deploying/spire_server/#spire-server-token-generate) about using this command. -When starting a SPIRE Agent for the first time with Join Token attestation enabled, the agent can be started with the `spire-agent run` command, and specifying the join token generated by the server using the `-joinToken` flag. [Read more](https://github.com/spiffe/spire/blob/main/doc/spire_agent.md#spire-agent-run) about this command. +When starting a SPIRE Agent for the first time with Join Token attestation enabled, the agent can be started with the `spire-agent run` command, and specifying the join token generated by the server using the `-joinToken` flag. [Read more](/docs/latest/deploying/spire_agent/#spire-agent-run) about this command. The server will validate the join token and issue the Agent an SVID, and the SVID will be rotated automatically as long as it maintains a connection to the Server. On subsequent starts the Agent will use that SVID to authenticate to the server unless it has expired and not renewed. -To use Join Token Node Attestation, configure and enable the join token Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_jointoken.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_jointoken.md). +To use Join Token Node Attestation, configure and enable the join token Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_jointoken.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_jointoken.md). To disable join token attestation on the server, comment out or delete this stanza from the configuration file before starting it. @@ -121,7 +121,7 @@ of this guide, they will be called the *root certificate bundle*). The Server mu In addition attestor exposes the selector `subject:cn` which will match any certificate that is both (a) valid, as described above, and (b) whose common name (CN) matches that described in the selector. -To use X.509 Certificate Node Attestation, configure and enable the x509pop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_x509pop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_x509pop.md). +To use X.509 Certificate Node Attestation, configure and enable the x509pop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_x509pop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_x509pop.md). ### SSH Certificate @@ -135,7 +135,7 @@ spiffe:///spire/agent/sshpop/ Where `` is a hash of the certificate itself. This SPIFFE ID can then be used as the basis of other workload registration entries. -To use SSH Certificate Node Attestation, configure and enable the sshpop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_sshpop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_sshpop.md). +To use SSH Certificate Node Attestation, configure and enable the sshpop Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_sshpop.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_sshpop.md). ## Attestation for Linux nodes on a Cloud Provider {#customize-server-cloud-attestation} @@ -150,7 +150,7 @@ Google Compute Engine (GCE) node attestation and resolution allows a SPIRE Serve 3. Once verification takes place, the SPIRE Agent is considered attested, and issued its own SPIFFE ID 4. Finally, SPIRE issues SVIDs to workloads on the nodes if they match a registration entry. The registration entry may include selectors exposed by the Node Attestor or Resolver, or have the SPIFFE ID of the SPIRE Agent as a parent. -To use GCP IIT Node Attestation, configure and enable the gcp_iit Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_gcp_iit.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_gcp_iit.md). +To use GCP IIT Node Attestation, configure and enable the gcp_iit Node Attestor plugin on the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_gcp_iit.md) and [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_gcp_iit.md). ### Amazon EC2 Instances @@ -162,7 +162,7 @@ EC2 node attestation and resolution allows a SPIRE Server to identify and authen 4. Once verification takes place, the SPIRE Agent is considered attested, and issued its own SPIFFE ID 5. Finally, SPIRE issues SVIDs to workloads on the nodes if they match a registration entry. The registration entry may include selectors exposed by the Node Attestor or Resolver, or have the SPIFFE ID of the SPIRE Agent as a parent. -For more information on configuring AWS EC2 Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the AWS [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_aws_iid.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_aws_iid.md) on the agent. +For more information on configuring AWS EC2 Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the AWS [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_aws_iid.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_aws_iid.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_aws_iid.md) on the agent. ### Azure Virtual Machines @@ -181,7 +181,7 @@ The default resource–assigned by the agent plugin–is scoped relatively widel If you configure a custom resource ID in the agent configuration file, you must specify custom resource IDs for each tenant, in the `NodeAttestor` stanza of the `server.conf` configuration file. {{< /warning >}} -For more information on configuring Azure MSI Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the Azure MSI [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_azure_msi.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/main/doc/plugin_server_noderesolver_azure_msi.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_nodeattestor_azure_msi.md) on the agent. +For more information on configuring Azure MSI Node Attestors or Resolver plugins, refer to the corresponding SPIRE documentation for the Azure MSI [SPIRE Server Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_azure_msi.md) and [SPIRE Server Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_azure_msi.md) on the SPIRE Server, and the [SPIRE Agent Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_nodeattestor_azure_msi.md) on the agent. # Configuring workload attestation _This configuration applies to the SPIRE Agent_ @@ -196,7 +196,7 @@ When workloads are running in Kubernetes, it is valuable to be able to describe The Kubernetes Workload Attestor plugin works by interrogating the local Kubelet to retrieve kubernetes-specific metadata about particular process when it calls the Workload API, and uses that to identify workloads whose registration entries match those values. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Kubernetes Workload Attestor plugin](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_k8s.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Kubernetes Workload Attestor plugin](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_k8s.md). ## Workload Attestation for Docker containers @@ -204,7 +204,7 @@ When workloads are running in a Docker container, it can be helpful to be able t The Docker Workload Attestor plugin works by interrogating to the local Docker daemon to retrieve Docker-specific metadata about a particular process when it calls the Workload API. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Docker Workload Attestor plugin](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_docker.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Docker Workload Attestor plugin](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_docker.md). ## Workload Attestation for Unix processes @@ -212,7 +212,7 @@ When workloads are running on Unix, it can be helpful to be able to describe the The Unix Workload Attestor works by determining kernel metadata from the workload calling the Workload API by examining the caller of the Unix domain socket. -For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Unix Workload Attestor plugin](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_workloadattestor_unix.md). +For more information, including details of the exposed selectors, refer to the corresponding SPIRE documentation for the [Unix Workload Attestor plugin](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_unix.md). # Configuring where to store agent and server data _This configuration applies to the SPIRE Server and SPIRE Agent_ @@ -232,7 +232,7 @@ _This configuration applies to the SPIRE Server_ The data-store is where SPIRE Server persists dynamic configuration such as registration entries and identity mapping policies that are retrieved from the SPIRE Server. By default, SPIRE bundles SQLite and sets it as the default for storage of server data. SPIRE also supports other compatible data-stores. For production purposes, you should carefully consider which database to use, particularly when deploying SPIRE in a High Availability configuration. -The SPIRE Server can be configured to utilize different SQL-compatible storage backends by configuring the default SQL data-store plugin as described below. A complete reference for how this block is configured can be found in the [SPIRE documentation](https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md). +The SPIRE Server can be configured to utilize different SQL-compatible storage backends by configuring the default SQL data-store plugin as described below. A complete reference for how this block is configured can be found in the [SPIRE documentation](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_datastore_sql.md). Alternatively, SPIRE can be configured to use non-SQL compatible storage backends through third party datastore plugins. The guide on [Extending SPIRE](/docs/latest/spire/developing/extending/) covers this in more detail. @@ -318,9 +318,9 @@ Both the SPIRE Agent and SPIRE Server generate private keys and certificates dur Currently SPIRE supports two key management strategies on both the Agent and Server. -* **Store in-memory**. In this strategy keys and certificates are only stored in-memory. This means that if the Server or Agent crashes or is otherwise re-started, the keys must be re-generated. In the case of the SPIRE Agent this typically requires the agent to re-attest to the Server upon restart. This strategy can be managed by enabling and configuring the memory key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_keymanager_memory.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_keymanager_memory.md). +* **Store in-memory**. In this strategy keys and certificates are only stored in-memory. This means that if the Server or Agent crashes or is otherwise re-started, the keys must be re-generated. In the case of the SPIRE Agent this typically requires the agent to re-attest to the Server upon restart. This strategy can be managed by enabling and configuring the memory key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_keymanager_memory.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_keymanager_memory.md). -* **Store on disk**. In this strategy, keys and certificates are stored in a specified file on disk. An advantage of this approach is they survive a restart of the SPIRE Server or Agent. A disadvantage is that since they keys are stored in files on disk, additional precautions must be taken to prevent a malicious process from reading those files. This strategy can be managed by enabling and configuring the disk key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_keymanager_disk.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/main/doc/plugin_agent_keymanager_disk.md). +* **Store on disk**. In this strategy, keys and certificates are stored in a specified file on disk. An advantage of this approach is they survive a restart of the SPIRE Server or Agent. A disadvantage is that since they keys are stored in files on disk, additional precautions must be taken to prevent a malicious process from reading those files. This strategy can be managed by enabling and configuring the disk key manager plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_keymanager_disk.md) and/or [SPIRE Agent](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_keymanager_disk.md). Alternatively, SPIRE can be configured to integrating a custom backend such as a secret store through third party key manager plugins. The guide on [Extending SPIRE](/docs/latest/spire/developing/extending/) covers this in more detail. @@ -341,7 +341,7 @@ This signing key should be considered extremely sensitive as to obtain it would To help ensure the integrity of the signing key a SPIRE Server may either sign material itself using a signing key stored on disk, or delegate signing to an independent Certificate Authority (CA), such as the AWS Secrets Manager. This behavior is configured through the `UpstreamAuthority` section in the `server.conf` file. -For a complete server configuration reference, see the [SPIRE Server Configuration Reference](https://github.com/spiffe/spire/blob/main/doc/spire_server.md). +For a complete server configuration reference, see the [SPIRE Server Configuration Reference](/docs/latest/deploying/spire_server/). #### Configure an On-disk Signing Key @@ -358,25 +358,25 @@ sudo openssl req \ -x509 -days 365 -out /opt/spire/conf/root.crt ``` -This strategy can be managed by enabling and configuring the `disk` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_disk.md). +This strategy can be managed by enabling and configuring the `disk` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_upstreamauthority_disk.md). #### Configure AWS Secrets Manager The SPIRE Server can be configured to load CA credentials from [Amazon Web Services Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html), using them to generate intermediate signing certificates for the server's signing authority. -This strategy can be managed by enabling and configuring the `awssecret` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_awssecret.md). +This strategy can be managed by enabling and configuring the `awssecret` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_upstreamauthority_awssecret.md). #### Configure AWS Certificate Manager The SPIRE Server can be configured to load CA credentials from Amazon Web Services Certificate Manager [Private Certificate Authority](https://aws.amazon.com/certificate-manager/private-certificate-authority/) (PCA) them to generate intermediate signing certificates for the server's signing authority. -This strategy can be managed by enabling and configuring the `aws_pca` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_aws_pca.md). +This strategy can be managed by enabling and configuring the `aws_pca` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_upstreamauthority_aws_pca.md). #### Configure another SPIRE installation The SPIRE Server can be configured to load CA credentials from the Workload API of another SPIFFE implementation such as SPIRE. This enables a technique called "Nested SPIRE" that, as a compliment to HA deployments, allows independent SPIRE Servers to issue identities against a single trust domain. -A full treatment for Nested SPIRE is beyond the scope of this guide. However this strategy can be managed by enabling and configuring the `spire` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/main/doc/plugin_server_upstreamauthority_spire.md). +A full treatment for Nested SPIRE is beyond the scope of this guide. However this strategy can be managed by enabling and configuring the `spire` UpstreamAuthority plugin for the [SPIRE Server](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_upstreamauthority_spire.md). # Export Metrics for Monitoring _This configuration applies to the SPIRE Server and SPIRE Agent_ @@ -420,7 +420,7 @@ telemetry { } ``` -For more information, see the [telemetry configuration](https://github.com/spiffe/spire/blob/main/doc/telemetry_config.md) guide. +For more information, see the [telemetry configuration](/docs/latest/deploying/telemetry_config/) guide. # Logging _This configuration applies to the SPIRE Server and SPIRE Agent_ diff --git a/content/docs/latest/deploying/install-agents.md b/content/docs/latest/deploying/install-agents.md index cd3174c1..df12ed13 100644 --- a/content/docs/latest/deploying/install-agents.md +++ b/content/docs/latest/deploying/install-agents.md @@ -13,7 +13,7 @@ aliases: Pre-built SPIRE releases can be found on the [SPIRE downloads page](/downloads/#spire-releases). The tarballs contain both server and agent binaries. -If you wish, you may also [build SPIRE from source](https://github.com/spiffe/spire/blob/master/CONTRIBUTING.md). +If you wish, you may also [build SPIRE from source](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/CONTRIBUTING.md). ## Step 2: Install the Server and Agent {#step-2} diff --git a/content/docs/latest/deploying/registering.md b/content/docs/latest/deploying/registering.md index 4acfd16d..260a2834 100644 --- a/content/docs/latest/deploying/registering.md +++ b/content/docs/latest/deploying/registering.md @@ -21,7 +21,7 @@ The server will send to the agent a list of all registration entries for workloa During workload attestation, the agent discovers selectors and compares them to those in the cached registration entries to determine which SVIDs they should assign to the workload. -You register a workload either by issuing the `spire-server entry create` command at the command line or calling directly into the Registration API, as described in the [Registration API documentation](https://github.com/spiffe/spire/blob/master/proto/spire/api/registration/registration.proto). Existing entries can be modified using the `spire-server entry update` command. +You register a workload either by issuing the `spire-server entry create` command at the command line or calling directly into the Registration API, as described in the [Registration API documentation](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/proto/spire/api/registration/registration.proto). Existing entries can be modified using the `spire-server entry update` command. {{< info >}} When running on Kubernetes, a common way to invoke commands on the SPIRE Server is through the `kubectl exec` command on a pod running the SPIRE Server. For example: @@ -34,7 +34,7 @@ kubectl exec -n spire spire-server-0 -- \ ``` {{< /info >}} -To learn more about the `spire-server entry create` and `spire-server entry update` commands and options, consult the [SPIRE Server reference guide](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +To learn more about the `spire-server entry create` and `spire-server entry update` commands and options, consult the [SPIRE Server reference guide](/docs/latest/deploying/spire_server/). # How to register a workload @@ -62,9 +62,9 @@ Different selectors are available depending on the platform or architecture on w | For a list of supported selectors for this platform | Go here | | ---------------- | ----------- | -| **Kubernetes** | The [configuration reference page for the Kubernetes Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_k8s_sat.md) -| **AWS** | The [configuration reference page for the AWS Node Attestor](https://github.com/spiffe/spire/blob/main/doc/plugin_server_nodeattestor_aws_iid.md) -| **Azure** | The [configuration reference page for the Azure Managed Service Identity Node Resolver](https://github.com/spiffe/spire/blob/main/doc/plugin_server_noderesolver_azure_msi.md) +| **Kubernetes** | The [configuration reference page for the Kubernetes Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_sat.md) +| **AWS** | The [configuration reference page for the AWS Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_aws_iid.md) +| **Azure** | The [configuration reference page for the Azure Managed Service Identity Node Resolver](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_noderesolver_azure_msi.md) ## 2. Defining the SPIFFE ID of the Workload @@ -81,9 +81,9 @@ spire-server entry create \ | For a list of supported selectors for this platform | Go here | | ---------------- | ----------- | -| **Unix** | The [configuration reference page for the Unix Workload Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_unix.md) -| **Kubernetes** | The [configuration reference page for the Kubernetes Workload Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_k8s.md) -| **Docker** | The [configuration reference page for the Docker Workload Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_docker.md) +| **Unix** | The [configuration reference page for the Unix Workload Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_unix.md) +| **Kubernetes** | The [configuration reference page for the Kubernetes Workload Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_k8s.md) +| **Docker** | The [configuration reference page for the Docker Workload Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_docker.md) # How to list registration entries @@ -101,7 +101,7 @@ For example, to list all registration entries that match a set of EC2 instances spire-server entry show -selector tag:app:webserver ``` -To learn more about the `spire-server entry show` command and options, consult the [SPIRE Server reference guide](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +To learn more about the `spire-server entry show` command and options, consult the [SPIRE Server reference guide](/docs/latest/deploying/spire_server/). # How to remove registration entries @@ -113,7 +113,7 @@ For example: spire-server entry delete -entryID 92f4518e-61c9-420d-b984-074afa7c7002 ``` -To learn more about the `spire-server entry delete` command and options, consult the [SPIRE Server reference guide](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +To learn more about the `spire-server entry delete` command and options, consult the [SPIRE Server reference guide](/docs/latest/deploying/spire_server/). # Mapping Workloads to Multiple Nodes diff --git a/content/docs/latest/deploying/svids.md b/content/docs/latest/deploying/svids.md index bb13a129..85e2af1d 100644 --- a/content/docs/latest/deploying/svids.md +++ b/content/docs/latest/deploying/svids.md @@ -62,4 +62,4 @@ will: 3. Write the X.509-SVID, private key associated with each of those identities to `/tmp/` 4. Write the trust bundle (certificate chain) needed to validate X.509-SVIDs issued under that trust domain to `/tmp/` as well -A complete list of relevant commands can be found in the [SPIRE Agent Documentation](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md#command-line-options). +A complete list of relevant commands can be found in the [SPIRE Agent Documentation](/docs/latest/deploying/spire_agent/#command-line-options). diff --git a/content/docs/latest/planning/extending.md b/content/docs/latest/planning/extending.md index 8dc82e63..dc3e7bd3 100644 --- a/content/docs/latest/planning/extending.md +++ b/content/docs/latest/planning/extending.md @@ -15,7 +15,7 @@ SPIRE is highly extensible via a plugin framework that allows many core operatio A Node Attestor implements validation logic for nodes (physical or virtual machines) that are attempting to establish their identity. Typically a Node Attestor is implemented as a plugin on the Server and with a corresponding plugin on the Agent. A Node Attestor plugin will often expose selectors that can be used when creating the registration entries that define a workload. -SPIRE comes with a set of built-in Node Attestor plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) and [Agent](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md) that support various cloud platforms, schedulers and other machine identity sources. Servers can have multiple Node Attestor plugins enabled simultaneously, however a given Agent may only have one Node Attestor plugin enabled at a time. +SPIRE comes with a set of built-in Node Attestor plugins for the [Server](/docs/latest/deploying/spire_server/) and [Agent](/docs/latest/deploying/spire_agent/) that support various cloud platforms, schedulers and other machine identity sources. Servers can have multiple Node Attestor plugins enabled simultaneously, however a given Agent may only have one Node Attestor plugin enabled at a time. In addition, known third-party Node Attestor plugins include: @@ -29,39 +29,39 @@ Once the identity of an individual node has been determined, in some cases it is Node Resolver plugins are typically coupled to a specific Node Attestor plugin (such as the AWS EC2 IID Node Attestor), since they will rely on that plugin to verify the initial identity of the node. -SPIRE comes with a set of built-in Node Resolver plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +SPIRE comes with a set of built-in Node Resolver plugins for the [Server](/docs/latest/deploying/spire_server/). # Workload Attestor plugins While Node Attestors help SPIRE verify the identity of a node running a workload, Workload Attestors identify a specific workload running on that node. Workload attestors run on the Agent. A workload attestor may leverage kernel metadata retrieved during a call to the Workload API to determine the identity of a workload, but it may also choose to interrogate other local sources (such as the calling binary, the Docker daemon or the Kubernetes kubelet) to verify the identity of a workload. As with Node Attestor plugins, Workload Attestor plugins expose selectors that allow registration entries to be created for workloads based on the properties of the workload that the attestor verified. -SPIRE comes with a set of built-in Workload Attestor plugins for the [Agent](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md). +SPIRE comes with a set of built-in Workload Attestor plugins for the [Agent](/docs/latest/deploying/spire_agent/). # Upstream Authority plugins UpstreamAuthority plugins allow the SPIRE Server to integrate with existing public key infrastructure, such that the certificates it generates derive from specific intermediate or root certificates supplied to SPIRE. By choosing or developing different UpstreamAuthority plugins it is possible to customize how SPIRE retrieves these certificates (for example from a file, or a particular secrets manager or certificate vault). -SPIRE comes with a set of built-in UpstreamAuthority plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +SPIRE comes with a set of built-in UpstreamAuthority plugins for the [Server](/docs/latest/deploying/spire_server/). # KeyManager plugins In some cases it might be desirable for SPIRE to avoid being exposed to a signing key at all - for example if the signing key is held in a secure hardware enclave. In such a case, the SPIRE Server and Agent can leverage KeyManager plugins to delegate the actual signing operation to another system (such as a TPM). -SPIRE comes with a set of built-in KeyManager plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) and [Agent](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md). +SPIRE comes with a set of built-in KeyManager plugins for the [Server](/docs/latest/deploying/spire_server/) and [Agent](/docs/latest/deploying/spire_agent/). # Notifier plugins Notifier plugins allow actions to be triggered in other systems when certain events occur on the SPIRE Server, and in some cases interrupt the event itself. Notifier plugins can support a number of different use cases, such as when certificate rotation events occur. -SPIRE comes with a set of built-in Notifier plugins for the [Server](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). +SPIRE comes with a set of built-in Notifier plugins for the [Server](/docs/latest/deploying/spire_server/). # Working with first-party plugins First party plugins can be enabled by including the appropriate configuration stanza in the `plugins` section of the Server or Agent configuration file. * For instructions on modifying the Server and Agent configuration files, please follow [Configuring the SPIRE Server](/docs/latest/spire/using/configuring/). -* For more information on enabling the plugins in the Server, read the [Server configuration guide](https://github.com/spiffe/spire/blob/master/doc/spire_server.md). -* For more information on enabling the plugins in the Agent, read the [Agent configuration guide](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md). +* For more information on enabling the plugins in the Server, read the [Server configuration guide](/docs/latest/deploying/spire_server/). +* For more information on enabling the plugins in the Agent, read the [Agent configuration guide](/docs/latest/deploying/spire_agent/). # Working with third party plugins diff --git a/content/docs/latest/spiffe-about/get-involved.md b/content/docs/latest/spiffe-about/get-involved.md index cdedd366..f4df651b 100644 --- a/content/docs/latest/spiffe-about/get-involved.md +++ b/content/docs/latest/spiffe-about/get-involved.md @@ -26,7 +26,7 @@ SPIFFE is guided by a small but very active community of passionate software eng You can contribute to SPIFFE and SPIRE by filing issues and submitting pull requests on GitHub. See these contribution guidelines for details such as GitHub etiquette and coding conventions: * [SPIFFE contribution guidelines](https://github.com/spiffe/spiffe/blob/master/CONTRIBUTING.md) -* [SPIRE contribution guidelines](https://github.com/spiffe/spire/blob/master/CONTRIBUTING.md) +* [SPIRE contribution guidelines](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/CONTRIBUTING.md) While anyone is welcome to propose contributions via pull requests, we strongly encourage significant contributions - particularly those that might require a significant change to core components - to be first discussed and a high level design agreed upon with the appropriate SIGs or WGs (see above). diff --git a/content/docs/latest/spire-about/spire-concepts.md b/content/docs/latest/spire-about/spire-concepts.md index 5823fc04..363489b4 100644 --- a/content/docs/latest/spire-about/spire-concepts.md +++ b/content/docs/latest/spire-about/spire-concepts.md @@ -41,7 +41,7 @@ The behavior of the server is determined through a series of plugins. SPIRE come **Upstream authority plugins**. By default the SPIRE Server acts as its own certificate authority. However, you can use an upstream authority plugin to use a different CA from a different PKI system. -You customize the server’s behavior by configuring plugins and various other configuration variables. See the [SPIRE Server Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) for details. +You customize the server’s behavior by configuring plugins and various other configuration variables. See the [SPIRE Server Configuration Reference](/docs/latest/deploying/spire_server/) for details. ## All About the Agent @@ -61,7 +61,7 @@ The agent’s main components include: * Key manager plugins, which the agent uses to generate and use private keys for X.509-SVIDs issued to workloads. -You customize the agent’s behavior by configuring plugins and other configuration variables. See the [SPIRE Agent Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md) for details. +You customize the agent’s behavior by configuring plugins and other configuration variables. See the [SPIRE Agent Configuration Reference](/docs/latest/deploying/spire_agent/) for details. ## Custom Server and Agent Plugins @@ -74,7 +74,7 @@ This section walks through a “day in the life” of how SPIRE issues an identi 1. The SPIRE Server starts up. 2. Unless the user has configured an UpstreamAuthority plugin, the server generates a self-signed certificate (a certificate signed with its own private key); the server will use this certificate to sign SVIDs for all the workloads in this server’s trust domain. 3. If it’s the first time starting up, the server automatically generates a trust bundle, whose contents it stores in a sql datastore you specify in the datastore configuration -- described in the section "Built-in plugins" in the -[Server plugin: DataStore sql](https://github.com/spiffe/spire/blob/master/doc/plugin_server_datastore_sql.md). +[Server plugin: DataStore sql](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_datastore_sql.md). 4. The server turns on its registration API, to allow you to register workloads. 5. The SPIRE Agent starts up on the node that the workload is running on. 6. The agent performs node attestation, to prove to the server the identity of the node it is running on. For example, when running on an AWS EC2 Instance it would typically perform node attestation by supplying an [AWS Instance Identity Document](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html) to the server. @@ -177,7 +177,7 @@ For cases where there is no platform that can directly identify a node, SPIRE in **with server-generated join tokens** -- A join token is a pre-shared key between a SPIRE Server and Agent. The server can generate join tokens once installed that can be used to verify an agent when it starts. To help protect against misuse, join tokens expire immediately after use. -**using an existing X.509 certificate** -- For information on configuring node attestors, see the [SPIRE Server Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_server.md) and [SPIRE Agent Configuration Reference](https://github.com/spiffe/spire/blob/master/doc/spire_agent.md). +**using an existing X.509 certificate** -- For information on configuring node attestors, see the [SPIRE Server Configuration Reference](/docs/latest/deploying/spire_server/) and [SPIRE Agent Configuration Reference](/docs/latest/deploying/spire_agent/). #### Node Resolution diff --git a/content/docs/latest/try/getting-started-k8s.md b/content/docs/latest/try/getting-started-k8s.md index c77643e4..e65fb008 100644 --- a/content/docs/latest/try/getting-started-k8s.md +++ b/content/docs/latest/try/getting-started-k8s.md @@ -251,9 +251,9 @@ When deploying SPIRE in a production environment the following considerations sh In the [Create Server Configmap](#create-server-configmap) step: set the the cluster name in the `k8s_sat NodeAttestor` entry to the name you provide in the **agent-configmap.yaml** configuration file. If your Kubernetes cluster supports projected service account tokens, consider using the built-in -[Projected Service Account Token k8s Node Attestor](https://github.com/spiffe/spire/blob/master/doc/plugin_server_nodeattestor_k8s_psat.md) for authenticating the SPIRE agent to the server. Projected Service Account Tokens are more tightly scoped than regular service account tokens, and thus more secure. +[Projected Service Account Token k8s Node Attestor](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_server_nodeattestor_k8s_psat.md) for authenticating the SPIRE agent to the server. Projected Service Account Tokens are more tightly scoped than regular service account tokens, and thus more secure. -As configured, the SPIRE agent does not verify the identity of the Kubernetes kubelet when requesting metadata for workload attestation. For additional security, you may wish to configure the Kubernetes workload attestor to perform this verification on compatible Kubernetes distributions by setting `skip_kubelet_verification` to `false`. [Read more](https://github.com/spiffe/spire/blob/master/doc/plugin_agent_workloadattestor_k8s.md) +As configured, the SPIRE agent does not verify the identity of the Kubernetes kubelet when requesting metadata for workload attestation. For additional security, you may wish to configure the Kubernetes workload attestor to perform this verification on compatible Kubernetes distributions by setting `skip_kubelet_verification` to `false`. [Read more](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/doc/plugin_agent_workloadattestor_k8s.md) # Next steps diff --git a/layouts/partials/docs/dashboard-panel.html b/layouts/partials/docs/dashboard-panel.html index 013a6eca..82a18240 100644 --- a/layouts/partials/docs/dashboard-panel.html +++ b/layouts/partials/docs/dashboard-panel.html @@ -1,74 +1,24 @@ {{ $home := site.BaseURL }} {{ $logo := site.Params.logos.sidebar | relURL }} {{ $spiffeLogo := "/img/logos/spiffe/horizontal/color/spiffe-horizontal-color.png" | relURL }} -{{ $releases := site.Data.releases }} -{{/* $latest := index $releases 1 */}} -{{ $latest := "v0.10.0" }} -{{ $version := index (split .File.Path "/") 1 }} -{{ $isLatest := or (eq $version $latest) (eq $version "latest") }} +{{ $latest := getJSON "https://api.github.com/repos/spiffe/spire/releases/latest" }} +
- {{/*}} - -
- -
- -
-
- {{ range $releases }} - {{ if ne . "latest" }} - {{ $isLatest := eq . (index site.Data.releases 1) }} - {{ $verRef := . }} - {{ if $isLatest }} - {{ $verRef = "latest" }} - {{ end }} - - {{ . }} - {{ if $isLatest }} - - latest - - {{ end }} - - {{ end }} - {{ end }} -
+
- {{*/}}
diff --git a/pull_external.py b/pull_external.py index 0e392b13..5374d9dc 100644 --- a/pull_external.py +++ b/pull_external.py @@ -3,24 +3,32 @@ import shutil import re import toml +import subprocess +import requests from typing import List, Set, Tuple, Pattern, Match from urllib.parse import urlparse from pathlib import Path CHECKOUT_DIR = "checkouts" GIT_CLONE_CMD = "git clone {{}} ./{}/{{}}/{{}}".format(CHECKOUT_DIR) +GIT_CHECKOUT_CMD = "git checkout {}" +GITHUB_API_LATEST_RELEASE = "https://api.github.com/repos/spiffe/spire/releases/latest" MARKDOWN_IMAGE_REFERENCE_STYLE_OPENING = "[" RE_EXTRACT_TITLE: Pattern[str] = re.compile("([#\s]*)(?P.*)") RE_EXTRACT_IMAGES: Pattern[str] = re.compile( "\!\[(?P<alt>.*)\](?P<style>[\(\[])(?P<url>.*)[\)\]]" ) RE_EXTRACT_LINKS: Pattern[str] = re.compile( - "\[(?P<alt>[^\]]*)\]\((?P<rel>[\.\/]*)(?P<url>(?P<domain>https?:\/\/[a-zA-Z\.0-9-]+)?(?!#)\S+)\)" + "\[(?P<alt>[^\]]*)\]\((?P<rel>[\.\/]*)(?P<url>(?P<domain>https?:\/\/(?P<host>[a-zA-Z\.0-9-]+))?(?!#)\S+)\)" +) +RE_EXTRACT_GITHUB_PATH: Pattern[str] = re.compile( + "https?:\/\/github\.com\/\w+\/\w+\/\w+\/\w+\/(?P<path>.*)" ) # holds the git URL and the new path for links between pulled in files internal_links: dict = {} config: dict = toml.load("config.toml") +latest_release = None def main(): @@ -37,7 +45,6 @@ def main(): repos_to_clone.add(repo) _clone_repos(repos_to_clone) - # pull_directories(yaml_external) generated_files = _pull_files(yaml_external) _generate_gitignore(generated_files) @@ -97,6 +104,37 @@ def _clone_repos(repos: List[str]): os.system(cmd) +def _get_latest_spire_release() -> str: + global latest_release + if latest_release is not None: + return latest_release + data = requests.get(GITHUB_API_LATEST_RELEASE) + tag_name = data.json().get("tag_name", "master") + latest_release = tag_name + + return latest_release + + +def _checkout_switch(content: dict): + source = content.get("source") + latest_release = _get_latest_spire_release() + cmd = GIT_CHECKOUT_CMD.format(latest_release).split() + repo_owner, repo_name = _get_canonical_repo_from_url(source) + cwd = os.path.join(CHECKOUT_DIR, repo_owner, repo_name) + subprocess.run(cmd, stdout=subprocess.PIPE, cwd=cwd) + + +def _get_branch_by_repo_url(url: str) -> str: + repo_owner, repo_name = _get_canonical_repo_from_url(url) + branch = ( + _get_latest_spire_release() + if (repo_owner, repo_name) == ("spiffe", "spire") + else "master" + ) + + return branch + + def _pull_files(yaml_external: dict) -> List[str]: generated_files: List[str] = [] content: dict @@ -105,8 +143,12 @@ def _pull_files(yaml_external: dict) -> List[str]: # we need to do this as a prep step before processing each file # so we can redirect internally for target_dir, content in yaml_external.items(): + source = content.get("source", "").strip() + if source == config.get("spireGitHubUrl"): + _checkout_switch(content) for rel_file in content.get("pullFiles", []): - full_url = "{}/blob/master/{}".format(content.get("source"), rel_file) + branch = _get_branch_by_repo_url(source) + full_url = "{}/blob/{}/{}".format(content.get("source"), branch, rel_file) file_name = os.path.basename(rel_file) file_path = os.path.join(target_dir, file_name) rel_path_to_target_file = ("".join(file_path.split(".")[:-1])).lower() @@ -115,6 +157,7 @@ def _pull_files(yaml_external: dict) -> List[str]: ) for target_dir, content in yaml_external.items(): + source = content.get("source", "").strip() pull_files: List[str] = content.get("pullFiles", []) repo_owner, repo_name = _get_canonical_repo_from_url(content.get("source")) @@ -130,8 +173,7 @@ def _pull_files(yaml_external: dict) -> List[str]: target_dir=target_dir, transform_file=content.get("transform", {}).get(filename, None), remove_heading=True, - repo_owner=repo_owner, - repo_name=repo_name, + source=source, ) generated_files.append(abs_path_to_target_file) @@ -149,10 +191,9 @@ def _copy_file( abs_path_to_repo_checkout_dir: str, rel_path_to_source_file: str, target_dir: str, + source: str, transform_file: dict = {}, remove_heading: bool = True, - repo_owner: str = "", - repo_name: str = "", ) -> str: file_name = os.path.basename(rel_path_to_source_file) @@ -190,8 +231,7 @@ def _copy_file( content=content, abs_path_to_source_dir=abs_path_to_repo_checkout_dir, rel_path_to_source_file=rel_path_to_source_file, - repo_owner=repo_owner, - repo_name=repo_name, + source=source, ) target_file.write(final_content) @@ -202,9 +242,10 @@ def _process_content( content: str, abs_path_to_source_dir: str, rel_path_to_source_file: str, - repo_owner: str, - repo_name: str, + source: str, ): + repo_owner, repo_name = _get_canonical_repo_from_url(source) + def repl_images(m: Match[str]): url = m.group("url") alt = m.group("alt") @@ -234,25 +275,41 @@ def repl_links(m: Match[str]): rel = m.group("rel") url = m.group("url") domain = m.group("domain") + host = m.group("host") rel_url = url - # this is an external url + + # this is a FQDN if domain is not None: + is_link_to_spire_repo = ( + host == "github.com" + and _get_canonical_repo_from_url(url) == ("spiffe", "spire") + ) + # that points to this site + new_url = url if domain == config.get("publicUrl"): new_url = url[len(config.get("publicUrl")) :] - else: + elif is_link_to_spire_repo: new_url = url + github_url = RE_EXTRACT_GITHUB_PATH.search(url) + if github_url is not None and github_url.group("path") != "": + branch = _get_latest_spire_release() + new_url = "https://github.com/{}/{}/blob/{}/{}".format( + "spiffe", "spire", branch, github_url.group("path") + ) + # this is an internal relative url else: - if rel == "/": - rel_url = url - elif rel == "./" or rel == "": + if rel == "./" or rel == "": rel_url = os.path.join(os.path.dirname(rel_path_to_source_file), url) - new_url = "https://github.com/{}/{}/blob/master/{}".format( - repo_owner, repo_name, rel_url + branch = _get_branch_by_repo_url(source) + + new_url = "https://github.com/{}/{}/blob/{}/{}".format( + repo_owner, repo_name, branch, rel_url ) + # if this file has been already pulled in, we can use the new internal URL # instead of pointing to the original github location if new_url in internal_links: From 94562c515c40ba74f9d61f7778d08bee9f030f1a Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Mon, 5 Apr 2021 20:10:28 -0300 Subject: [PATCH 07/28] Pull latest release only once per build Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- .gitignore | 3 ++- layouts/shortcodes/releases.html | 3 +-- layouts/shortcodes/spire-latest.html | 5 ++--- pull_external.py | 16 ++++++++++++---- 4 files changed, 17 insertions(+), 10 deletions(-) diff --git a/.gitignore b/.gitignore index c4772154..355c59a5 100644 --- a/.gitignore +++ b/.gitignore @@ -13,4 +13,5 @@ node_modules/ # Temporal content checkouts/ -static/img/checkouts/ \ No newline at end of file +static/img/checkouts/ +data/releases.yaml \ No newline at end of file diff --git a/layouts/shortcodes/releases.html b/layouts/shortcodes/releases.html index 96137f6e..40718f9d 100644 --- a/layouts/shortcodes/releases.html +++ b/layouts/shortcodes/releases.html @@ -1,6 +1,5 @@ {{- $displayReleases := ne (getenv "HIDE_RELEASES") "true" }} {{- $spireReleasesUrl := "https://api.github.com/repos/spiffe/spire/releases" }} -{{- $spireLatestReleaseUrl := "https://api.github.com/repos/spiffe/spire/releases/latest" }} {{- $downloadUrl := "https://github.com/spiffe/spire/releases/download" }} {{- if $displayReleases }} @@ -20,7 +19,7 @@ </thead> <tbody> {{- $releases := sort (getJSON $spireReleasesUrl) "created_at" "desc" }} - {{- $latestRelease := getJSON $spireLatestReleaseUrl }} + {{- $latestRelease := site.Data.releases.latest }} {{- $latest := $latestRelease.tag_name }} {{- range $releases -}} {{- $hasExtras := (index .assets 2).name }} diff --git a/layouts/shortcodes/spire-latest.html b/layouts/shortcodes/spire-latest.html index 9b1c3218..55bf4c98 100644 --- a/layouts/shortcodes/spire-latest.html +++ b/layouts/shortcodes/spire-latest.html @@ -1,7 +1,6 @@ {{- $displayReleases := ne (getenv "HIDE_RELEASES") "true" }} -{{- if $displayReleases }} - {{- $latestReleaseUrl := "https://api.github.com/repos/spiffe/spire/releases/latest" }} - {{- $latest := getJSON $latestReleaseUrl }} +{{- if $displayReleases -}} + {{- $latest := site.Data.releases.latest -}} {{- if eq (.Get 0) "tag" }} {{- $latest.tag_name -}} diff --git a/pull_external.py b/pull_external.py index 5374d9dc..536e5c19 100644 --- a/pull_external.py +++ b/pull_external.py @@ -32,6 +32,7 @@ def main(): + _pull_latest_release() os.system("rm -rf ./{}/".format(CHECKOUT_DIR)) yaml_external = _read_yaml("external.yaml") repos_to_clone: Set[str] = set() @@ -49,6 +50,15 @@ def main(): _generate_gitignore(generated_files) +def _pull_latest_release(): + global latest_release + json = _get_latest_spire_release() + latest_release = json.get("tag_name", "master") + + with open("data/releases.yaml", "w") as releases_file: + releases_file.write(yaml.dump({"latest": json})) + + def _read_yaml(file_name: str) -> dict: with open(file_name, "r", encoding="utf-8") as stream: yaml_file = yaml.safe_load(stream) @@ -104,15 +114,13 @@ def _clone_repos(repos: List[str]): os.system(cmd) -def _get_latest_spire_release() -> str: +def _get_latest_spire_release() -> dict: global latest_release if latest_release is not None: return latest_release data = requests.get(GITHUB_API_LATEST_RELEASE) - tag_name = data.json().get("tag_name", "master") - latest_release = tag_name - return latest_release + return data.json() def _checkout_switch(content: dict): From 068f14e48c9660c91a3a194153d7af72331a3a50 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Mon, 5 Apr 2021 20:24:16 -0300 Subject: [PATCH 08/28] Removes extra sentence Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- pull_external.py | 1 - 1 file changed, 1 deletion(-) diff --git a/pull_external.py b/pull_external.py index 536e5c19..fab726ac 100644 --- a/pull_external.py +++ b/pull_external.py @@ -299,7 +299,6 @@ def repl_links(m: Match[str]): if domain == config.get("publicUrl"): new_url = url[len(config.get("publicUrl")) :] elif is_link_to_spire_repo: - new_url = url github_url = RE_EXTRACT_GITHUB_PATH.search(url) if github_url is not None and github_url.group("path") != "": branch = _get_latest_spire_release() From 1cec96e12b688253e38aefd09fb048baf017d86d Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Tue, 20 Apr 2021 14:22:12 -0300 Subject: [PATCH 09/28] Addresses PR comments Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- .editorconfig | 2 +- .gitignore | 2 +- layouts/partials/docs/dashboard-panel.html | 2 +- pull_external.py | 57 +++++++++++++--------- 4 files changed, 36 insertions(+), 27 deletions(-) diff --git a/.editorconfig b/.editorconfig index d9c0e800..a4e4d549 100644 --- a/.editorconfig +++ b/.editorconfig @@ -4,4 +4,4 @@ root = true indent_size = 4 [*.py] -indent_size = 4 \ No newline at end of file +indent_size = 4 diff --git a/.gitignore b/.gitignore index 355c59a5..ac34c48f 100644 --- a/.gitignore +++ b/.gitignore @@ -14,4 +14,4 @@ node_modules/ # Temporal content checkouts/ static/img/checkouts/ -data/releases.yaml \ No newline at end of file +data/releases.yaml diff --git a/layouts/partials/docs/dashboard-panel.html b/layouts/partials/docs/dashboard-panel.html index 82a18240..921c6c93 100644 --- a/layouts/partials/docs/dashboard-panel.html +++ b/layouts/partials/docs/dashboard-panel.html @@ -1,7 +1,7 @@ {{ $home := site.BaseURL }} {{ $logo := site.Params.logos.sidebar | relURL }} {{ $spiffeLogo := "/img/logos/spiffe/horizontal/color/spiffe-horizontal-color.png" | relURL }} -{{ $latest := getJSON "https://api.github.com/repos/spiffe/spire/releases/latest" }} +{{ $latest := site.Data.releases.latest }} <div class="dashboard-panel left has-background-white-bis is-hidden-mobile"> <div class="dashboard-panel-header has-text-centered"> diff --git a/pull_external.py b/pull_external.py index fab726ac..02ca35cb 100644 --- a/pull_external.py +++ b/pull_external.py @@ -5,7 +5,7 @@ import toml import subprocess import requests -from typing import List, Set, Tuple, Pattern, Match +from typing import Dict, List, Set, Tuple, Pattern, Match from urllib.parse import urlparse from pathlib import Path @@ -26,8 +26,8 @@ ) # holds the git URL and the new path for links between pulled in files -internal_links: dict = {} -config: dict = toml.load("config.toml") +internal_links: Dict = {} +config: Dict = toml.load("config.toml") latest_release = None @@ -38,7 +38,7 @@ def main(): repos_to_clone: Set[str] = set() directories_to_create: List[str] = [] - content: dict + content: Dict for directory, content in yaml_external.items(): directories_to_create.append(directory) @@ -59,7 +59,7 @@ def _pull_latest_release(): releases_file.write(yaml.dump({"latest": json})) -def _read_yaml(file_name: str) -> dict: +def _read_yaml(file_name: str) -> Dict: with open(file_name, "r", encoding="utf-8") as stream: yaml_file = yaml.safe_load(stream) return yaml_file @@ -94,7 +94,7 @@ def _get_file_content(filename: str, remove_heading=False) -> Tuple[str, str]: return "".join(raw[i:]), heading -def _generate_yaml_front_matter(front_matter: dict = {}) -> List[str]: +def _generate_yaml_front_matter(front_matter: Dict = {}) -> List[str]: fm = ["---"] for key, value in front_matter.items(): if type(value) == dict: @@ -114,16 +114,19 @@ def _clone_repos(repos: List[str]): os.system(cmd) -def _get_latest_spire_release() -> dict: +def _get_latest_spire_release() -> Dict: global latest_release - if latest_release is not None: + + if latest_release: return latest_release + data = requests.get(GITHUB_API_LATEST_RELEASE) + latest_release = data.json() - return data.json() + return latest_release -def _checkout_switch(content: dict): +def _checkout_switch(content: Dict): source = content.get("source") latest_release = _get_latest_spire_release() cmd = GIT_CHECKOUT_CMD.format(latest_release).split() @@ -143,27 +146,25 @@ def _get_branch_by_repo_url(url: str) -> str: return branch -def _pull_files(yaml_external: dict) -> List[str]: - generated_files: List[str] = [] - content: dict - - # collects all the URLs and new file paths for the pulled in files. - # we need to do this as a prep step before processing each file - # so we can redirect internally +def _get_internal_links(yaml_external: Dict): + links = {} for target_dir, content in yaml_external.items(): source = content.get("source", "").strip() if source == config.get("spireGitHubUrl"): _checkout_switch(content) for rel_file in content.get("pullFiles", []): branch = _get_branch_by_repo_url(source) - full_url = "{}/blob/{}/{}".format(content.get("source"), branch, rel_file) + full_url = "{}/blob/{}/{}".format(source, branch, rel_file) file_name = os.path.basename(rel_file) file_path = os.path.join(target_dir, file_name) rel_path_to_target_file = ("".join(file_path.split(".")[:-1])).lower() - internal_links[full_url] = "/docs/latest/{}/".format( - rel_path_to_target_file - ) + links[full_url] = "/docs/latest/{}/".format(rel_path_to_target_file) + + return links + +def _process_files(yaml_external: Dict) -> List[str]: + files = [] for target_dir, content in yaml_external.items(): source = content.get("source", "").strip() pull_files: List[str] = content.get("pullFiles", []) @@ -183,7 +184,15 @@ def _pull_files(yaml_external: dict) -> List[str]: remove_heading=True, source=source, ) - generated_files.append(abs_path_to_target_file) + files.append(abs_path_to_target_file) + return files + + +def _pull_files(yaml_external: Dict) -> List[str]: + global internal_links + + internal_links = _get_internal_links(yaml_external) + generated_files = _process_files(yaml_external) return generated_files @@ -200,7 +209,7 @@ def _copy_file( rel_path_to_source_file: str, target_dir: str, source: str, - transform_file: dict = {}, + transform_file: Dict = {}, remove_heading: bool = True, ) -> str: file_name = os.path.basename(rel_path_to_source_file) @@ -300,7 +309,7 @@ def repl_links(m: Match[str]): new_url = url[len(config.get("publicUrl")) :] elif is_link_to_spire_repo: github_url = RE_EXTRACT_GITHUB_PATH.search(url) - if github_url is not None and github_url.group("path") != "": + if github_url and github_url.group("path"): branch = _get_latest_spire_release() new_url = "https://github.com/{}/{}/blob/{}/{}".format( "spiffe", "spire", branch, github_url.group("path") From ef93dfa670ec5afced5b7aca5f09f3c6f845f3ea Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Mon, 3 May 2021 13:44:11 -0300 Subject: [PATCH 10/28] Addresses comment Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- pull_external.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pull_external.py b/pull_external.py index 02ca35cb..3aa769ae 100644 --- a/pull_external.py +++ b/pull_external.py @@ -168,7 +168,7 @@ def _process_files(yaml_external: Dict) -> List[str]: for target_dir, content in yaml_external.items(): source = content.get("source", "").strip() pull_files: List[str] = content.get("pullFiles", []) - repo_owner, repo_name = _get_canonical_repo_from_url(content.get("source")) + repo_owner, repo_name = _get_canonical_repo_from_url(source) # processes and copies content from the git checkout to the desired location for rel_file in pull_files: From cc5eb0e7900f02c6f04dbe5b0e7ca39aa86b4782 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Fri, 14 May 2021 14:40:36 -0300 Subject: [PATCH 11/28] Fixes wrong spire github url Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- config.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config.toml b/config.toml index 875e6430..ed241113 100644 --- a/config.toml +++ b/config.toml @@ -7,7 +7,7 @@ canonifyurls = true googleAnalytics = "UA-99605331-1" enableGitInfo = true publicUrl = "https://spiffe.io" -spireGitHubUrl = "http://github.com/spiffe/spire" +spireGitHubUrl = "https://github.com/spiffe/spire" [markup] [markup.tableOfContents] From 5a299287f1d29e5ea0c3944c6f2dcff5603dcbd1 Mon Sep 17 00:00:00 2001 From: Steve Anderson <steve.anderson@hpe.com> Date: Fri, 28 May 2021 15:01:45 -0700 Subject: [PATCH 12/28] Fix broken URLs discovered by new link checker * In configuring.md, replaced link to k8s Token Review API with different location that doesn't include a version number * In libraries.md, replaced link to archived c-spiffe library with new c-spiffe library under development by HPE Signed-off-by: Steve Anderson <steve.anderson@hpe.com> --- content/docs/latest/deploying/configuring.md | 2 +- content/docs/latest/deploying/libraries.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/content/docs/latest/deploying/configuring.md b/content/docs/latest/deploying/configuring.md index d447711c..03e1575c 100644 --- a/content/docs/latest/deploying/configuring.md +++ b/content/docs/latest/deploying/configuring.md @@ -65,7 +65,7 @@ Your choice of node attestation method determines which node-attestor plugins yo To issue identities to workloads running in a Kubernetes cluster, it is necessary to deploy a SPIRE Agent to each node in that cluster that is running a workload ([read more](/docs/latest/spire/installing/install-agents/#installing-spire-agents-on-kubernetes) on how to install SPIRE Agents on Kubernetes). -Service Account Tokens can be validated using the Kubernetes [Token Review API](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#tokenreview-v1-authentication-k8s-io). Because of this, the SPIRE Server does not itself need to be running on Kubernetes, and a single SPIRE Server may support agents running on multiple Kubernetes clusters with PSAT attestation enabled. +Service Account Tokens can be validated using the Kubernetes [Token Review API](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/). Because of this, the SPIRE Server does not itself need to be running on Kubernetes, and a single SPIRE Server may support agents running on multiple Kubernetes clusters with PSAT attestation enabled. ### Projected Service Account Tokens diff --git a/content/docs/latest/deploying/libraries.md b/content/docs/latest/deploying/libraries.md index 7a67855e..f2d47816 100644 --- a/content/docs/latest/deploying/libraries.md +++ b/content/docs/latest/deploying/libraries.md @@ -13,9 +13,9 @@ You can use one of the following libraries to fetch SVIDs and trust bundles from The following code samples demonstrate how to use the libraries to establish and maintain SPIFFE-enabled connections transparently between applications. -# C++ +# C, C++ -See the [c-spiffe library GitHub page](https://github.com/spiffe/c-spiffe) for more information about the SPIFFE C++ library. +See the [c-spiffe library GitHub page](https://github.com/HewlettPackard/c-spiffe) for more information about the SPIFFE C/C++ library, which is under development in 2021. This library replaces an earlier c-spiffe library that was archived. # Go From bccc4648cdd6181c9fe9be620c4c998de91a3533 Mon Sep 17 00:00:00 2001 From: Steve Anderson <steve.anderson@hpe.com> Date: Wed, 2 Jun 2021 16:18:25 -0700 Subject: [PATCH 13/28] Clarify status of new c-spiffe library Signed-off-by: Steve Anderson <steve.anderson@hpe.com> --- content/docs/latest/deploying/libraries.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/docs/latest/deploying/libraries.md b/content/docs/latest/deploying/libraries.md index f2d47816..356c7493 100644 --- a/content/docs/latest/deploying/libraries.md +++ b/content/docs/latest/deploying/libraries.md @@ -15,7 +15,8 @@ The following code samples demonstrate how to use the libraries to establish and # C, C++ -See the [c-spiffe library GitHub page](https://github.com/HewlettPackard/c-spiffe) for more information about the SPIFFE C/C++ library, which is under development in 2021. This library replaces an earlier c-spiffe library that was archived. +See the [c-spiffe library GitHub page](https://github.com/HewlettPackard/c-spiffe) for more information about a SPIFFE C/C++ library. This library is not yet part of the official SPIFFE repo and is still under development in June 2021. An earlier official c-spiffe library became out-of-date and was archived. + # Go From 1b50a096d4235c4f07554b6c93bca81d7b719237 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Thu, 22 Apr 2021 15:12:47 -0300 Subject: [PATCH 14/28] Adds broken links checks Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- Dockerfile.linkchecker | 9 ++ Makefile | 24 +++- Pipfile | 1 + Pipfile.lock | 273 ++++++++++++++++++++++++----------------- README.md | 22 ++++ linkcheckerrc | 7 ++ 6 files changed, 217 insertions(+), 119 deletions(-) create mode 100644 Dockerfile.linkchecker create mode 100644 linkcheckerrc diff --git a/Dockerfile.linkchecker b/Dockerfile.linkchecker new file mode 100644 index 00000000..05829de3 --- /dev/null +++ b/Dockerfile.linkchecker @@ -0,0 +1,9 @@ +FROM python:3.7-alpine + +ENV HOME /tmp + +RUN pip install linkchecker + +ADD linkcheckerrc . + +ENTRYPOINT [ "linkchecker" ] \ No newline at end of file diff --git a/Makefile b/Makefile index 5e2a3ffe..2f6745b1 100644 --- a/Makefile +++ b/Makefile @@ -18,12 +18,12 @@ serve-with-releases: --buildFuture \ --disableFastRender -production-build: pull-external-content +production-build: ci-check-links hugo \ --gc \ --ignoreCache -preview-build: pull-external-content +preview-build: ci-check-links hugo \ --gc \ --ignoreCache \ @@ -49,4 +49,22 @@ docker-serve-with-releases: docker-build spiffe.io:latest pull-external-content: - python ./pull_external.py \ No newline at end of file + python ./pull_external.py + +ci-check-links: pull-external-content + echo "Running HTTP Server..." && \ + hugo server -p 1212 & \ + sleep 2 && \ + echo "Running links checker..." && \ + linkchecker -f linkcheckerrc http://localhost:1212; \ + echo "Stopping HTTP Server..." && \ + pkill hugo + +check-links: + linkchecker -f linkcheckerrc http://localhost:1313 + +docker-check-links-build: + docker build -f Dockerfile.linkchecker -t linkchecker . + +docker-check-links: docker-check-links-build + docker run --rm -it -u $(shell id -u):$(shell id -g) --net host linkchecker -f linkcheckerrc http://localhost:1313 diff --git a/Pipfile b/Pipfile index 602e81dc..f0a551e6 100644 --- a/Pipfile +++ b/Pipfile @@ -13,6 +13,7 @@ argh = "*" pyyaml = "~=5.3" toml = "~=0.10.1" requests = "~=2.25.1" +linkchecker = "*" [requires] python_version = "3.7" diff --git a/Pipfile.lock b/Pipfile.lock index 83a9c53c..0efb0e12 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "aa09ee83074fb079080714b65d3376a660fb0ec27879eaa2954ee665f7e4d741" + "sha256": "5c7d6489bbd89351fd5b4416367e147ced7f6ed721d6062975f97f933eda5ec1" }, "pipfile-spec": 6, "requires": { @@ -16,12 +16,20 @@ ] }, "default": { + "beautifulsoup4": { + "hashes": [ + "sha256:4c98143716ef1cb40bf7f39a8e3eec8f8b009509e74904ba3a7b315431577e35", + "sha256:84729e322ad1d5b4d25f805bfa05b902dd96450f43842c4e99067d5e1369eb25", + "sha256:fff47e031e34ec82bf17e00da8f592fe7de69aeea38be00523c04623c04fb666" + ], + "version": "==4.9.3" + }, "certifi": { "hashes": [ - "sha256:1a4995114262bffbc2413b159f2a1a480c969de6e6eb13ee966d470af86af59c", - "sha256:719a74fb9e33b9bd44cc7f3a8d94bc35e4049deebe19ba7d8e108280cfd59830" + "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", + "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" ], - "version": "==2020.12.5" + "version": "==2021.5.30" }, "chardet": { "hashes": [ @@ -31,6 +39,14 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", "version": "==4.0.0" }, + "dnspython": { + "hashes": [ + "sha256:95d12f6ef0317118d2a1a6fc49aac65ffec7eb8087474158f42f26a639135216", + "sha256:e4a87f0b573201a0f3727fa18a516b055fd1107e0e5477cded4a2de497df1dd4" + ], + "markers": "python_version >= '3.6'", + "version": "==2.1.0" + }, "idna": { "hashes": [ "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", @@ -39,6 +55,21 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==2.10" }, + "linkchecker": { + "hashes": [ + "sha256:9440dab68d40225160724f87238f2cfb59174a8280695f37e1c18a277e0361f2", + "sha256:97039d8ef166fc6313816f853bdf7d4a98243d3c3d4953eedda339c5d0072b20" + ], + "index": "pypi", + "version": "==10.0.1" + }, + "pyxdg": { + "hashes": [ + "sha256:2d6701ab7c74bbab8caa6a95e0a0a129b1643cf6c298bf7c569adec06d0709a0", + "sha256:80bd93aae5ed82435f20462ea0208fb198d8eec262e831ee06ce9ddb6b91c5a5" + ], + "version": "==0.27" + }, "pyyaml": { "hashes": [ "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", @@ -82,6 +113,14 @@ "index": "pypi", "version": "==2.25.1" }, + "soupsieve": { + "hashes": [ + "sha256:052774848f448cf19c7e959adf5566904d525f33a3f8b6ba6f6f8f26ec7de0cc", + "sha256:c2c1c2d44f158cdbddab7824a9af8c4f83c76b1e23e049479aa432feb6c4c23b" + ], + "markers": "python_version >= '3.0'", + "version": "==2.2.1" + }, "toml": { "hashes": [ "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", @@ -92,11 +131,11 @@ }, "urllib3": { "hashes": [ - "sha256:2f4da4594db7e1e110a944bb1b551fdf4e6c136ad42e4234131391e21eb5b0df", - "sha256:e7b021f7241115872f92f43c6508082facffbd1c048e3c6e2bb9c2a157e28937" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'", - "version": "==1.26.4" + "version": "==1.26.5" } }, "develop": { @@ -117,34 +156,35 @@ }, "black": { "hashes": [ - "sha256:1c02557aa099101b9d21496f8a914e9ed2222ef70336404eeeac8edba836fbea" + "sha256:1fc0e0a2c8ae7d269dfcf0c60a89afa299664f3e811395d40b1922dff8f854b5", + "sha256:e5cf21ebdffc7a9b29d73912b6a6a9a4df4ce70220d523c21647da2eae0751ef" ], "index": "pypi", - "version": "==20.8b1" + "version": "==21.5b2" }, "click": { "hashes": [ - "sha256:d2b5255c7c6349bc1bd1e59e08cd12acbbd63ce649f2588755783aa94dfb6b1a", - "sha256:dacca89f4bfadd5de3d7489b7c8a566eee0d3676333fbb50030263894c38c0dc" + "sha256:8c04c11192119b1ef78ea049e0a6f0463e4c48ef00a30160c704337586f3ad7a", + "sha256:fba402a4a47334742d782209a7c79bc448911afe1149d07bdabdf480b3e2f4b6" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==7.1.2" + "markers": "python_version >= '3.6'", + "version": "==8.0.1" }, "flake8": { "hashes": [ - "sha256:12d05ab02614b6aee8df7c36b97d1a3b2372761222b19b58621355e82acddcff", - "sha256:78873e372b12b093da7b5e5ed302e8ad9e988b38b063b61ad937f26ca58fc5f0" + "sha256:07528381786f2a6237b061f6e96610a4167b226cb926e2aa2b6b1d78057c576b", + "sha256:bf8fd333346d844f616e8d47905ef3a3384edae6b4e9beb0c5101e25e3110907" ], "index": "pypi", - "version": "==3.9.0" + "version": "==3.9.2" }, "importlib-metadata": { "hashes": [ - "sha256:1cedf994a9b6885dcbb7ed40b24c332b1de3956319f4b1a0f07c0621d453accc", - "sha256:c9c1b6c7dbc62084f3e6a614a194eb16ded7947736c18e3300125d5c0a7a8b3c" + "sha256:960d52ba7c21377c990412aca380bf3642d734c2eaab78a2c39319f67c6a5786", + "sha256:e592faad8de1bda9fe920cf41e15261e7131bcf266c30306eec00e8e225c1dd5" ], - "markers": "python_version < '3.8'", - "version": "==3.9.1" + "markers": "python_version < '3.8' and python_version < '3.8'", + "version": "==4.4.0" }, "mccabe": { "hashes": [ @@ -185,49 +225,49 @@ }, "regex": { "hashes": [ - "sha256:07ef35301b4484bce843831e7039a84e19d8d33b3f8b2f9aab86c376813d0139", - "sha256:13f50969028e81765ed2a1c5fcfdc246c245cf8d47986d5172e82ab1a0c42ee5", - "sha256:14de88eda0976020528efc92d0a1f8830e2fb0de2ae6005a6fc4e062553031fa", - "sha256:159fac1a4731409c830d32913f13f68346d6b8e39650ed5d704a9ce2f9ef9cb3", - "sha256:18e25e0afe1cf0f62781a150c1454b2113785401ba285c745acf10c8ca8917df", - "sha256:201e2619a77b21a7780580ab7b5ce43835e242d3e20fef50f66a8df0542e437f", - "sha256:360a01b5fa2ad35b3113ae0c07fb544ad180603fa3b1f074f52d98c1096fa15e", - "sha256:39c44532d0e4f1639a89e52355b949573e1e2c5116106a395642cbbae0ff9bcd", - "sha256:3d9356add82cff75413bec360c1eca3e58db4a9f5dafa1f19650958a81e3249d", - "sha256:3d9a7e215e02bd7646a91fb8bcba30bc55fd42a719d6b35cf80e5bae31d9134e", - "sha256:4651f839dbde0816798e698626af6a2469eee6d9964824bb5386091255a1694f", - "sha256:486a5f8e11e1f5bbfcad87f7c7745eb14796642323e7e1829a331f87a713daaa", - "sha256:4b8a1fb724904139149a43e172850f35aa6ea97fb0545244dc0b805e0154ed68", - "sha256:4c0788010a93ace8a174d73e7c6c9d3e6e3b7ad99a453c8ee8c975ddd9965643", - "sha256:4c2e364491406b7888c2ad4428245fc56c327e34a5dfe58fd40df272b3c3dab3", - "sha256:575a832e09d237ae5fedb825a7a5bc6a116090dd57d6417d4f3b75121c73e3be", - "sha256:5770a51180d85ea468234bc7987f5597803a4c3d7463e7323322fe4a1b181578", - "sha256:633497504e2a485a70a3268d4fc403fe3063a50a50eed1039083e9471ad0101c", - "sha256:63f3ca8451e5ff7133ffbec9eda641aeab2001be1a01878990f6c87e3c44b9d5", - "sha256:709f65bb2fa9825f09892617d01246002097f8f9b6dde8d1bb4083cf554701ba", - "sha256:808404898e9a765e4058bf3d7607d0629000e0a14a6782ccbb089296b76fa8fe", - "sha256:882f53afe31ef0425b405a3f601c0009b44206ea7f55ee1c606aad3cc213a52c", - "sha256:8bd4f91f3fb1c9b1380d6894bd5b4a519409135bec14c0c80151e58394a4e88a", - "sha256:8e65e3e4c6feadf6770e2ad89ad3deb524bcb03d8dc679f381d0568c024e0deb", - "sha256:976a54d44fd043d958a69b18705a910a8376196c6b6ee5f2596ffc11bff4420d", - "sha256:a0d04128e005142260de3733591ddf476e4902c0c23c1af237d9acf3c96e1b38", - "sha256:a0df9a0ad2aad49ea3c7f65edd2ffb3d5c59589b85992a6006354f6fb109bb18", - "sha256:a2ee026f4156789df8644d23ef423e6194fad0bc53575534101bb1de5d67e8ce", - "sha256:a59a2ee329b3de764b21495d78c92ab00b4ea79acef0f7ae8c1067f773570afa", - "sha256:b97ec5d299c10d96617cc851b2e0f81ba5d9d6248413cd374ef7f3a8871ee4a6", - "sha256:b98bc9db003f1079caf07b610377ed1ac2e2c11acc2bea4892e28cc5b509d8d5", - "sha256:b9d8d286c53fe0cbc6d20bf3d583cabcd1499d89034524e3b94c93a5ab85ca90", - "sha256:bcd945175c29a672f13fce13a11893556cd440e37c1b643d6eeab1988c8b209c", - "sha256:c66221e947d7207457f8b6f42b12f613b09efa9669f65a587a2a71f6a0e4d106", - "sha256:c782da0e45aff131f0bed6e66fbcfa589ff2862fc719b83a88640daa01a5aff7", - "sha256:cb4ee827857a5ad9b8ae34d3c8cc51151cb4a3fe082c12ec20ec73e63cc7c6f0", - "sha256:d47d359545b0ccad29d572ecd52c9da945de7cd6cf9c0cfcb0269f76d3555689", - "sha256:dc9963aacb7da5177e40874585d7407c0f93fb9d7518ec58b86e562f633f36cd", - "sha256:ea2f41445852c660ba7c3ebf7d70b3779b20d9ca8ba54485a17740db49f46932", - "sha256:f5d0c921c99297354cecc5a416ee4280bd3f20fd81b9fb671ca6be71499c3fdf", - "sha256:f85d6f41e34f6a2d1607e312820971872944f1661a73d33e1e82d35ea3305e14" + "sha256:01afaf2ec48e196ba91b37451aa353cb7eda77efe518e481707e0515025f0cd5", + "sha256:11d773d75fa650cd36f68d7ca936e3c7afaae41b863b8c387a22aaa78d3c5c79", + "sha256:18c071c3eb09c30a264879f0d310d37fe5d3a3111662438889ae2eb6fc570c31", + "sha256:1e1c20e29358165242928c2de1482fb2cf4ea54a6a6dea2bd7a0e0d8ee321500", + "sha256:281d2fd05555079448537fe108d79eb031b403dac622621c78944c235f3fcf11", + "sha256:314d66636c494ed9c148a42731b3834496cc9a2c4251b1661e40936814542b14", + "sha256:32e65442138b7b76dd8173ffa2cf67356b7bc1768851dded39a7a13bf9223da3", + "sha256:339456e7d8c06dd36a22e451d58ef72cef293112b559010db3d054d5560ef439", + "sha256:3916d08be28a1149fb97f7728fca1f7c15d309a9f9682d89d79db75d5e52091c", + "sha256:3a9cd17e6e5c7eb328517969e0cb0c3d31fd329298dd0c04af99ebf42e904f82", + "sha256:47bf5bf60cf04d72bf6055ae5927a0bd9016096bf3d742fa50d9bf9f45aa0711", + "sha256:4c46e22a0933dd783467cf32b3516299fb98cfebd895817d685130cc50cd1093", + "sha256:4c557a7b470908b1712fe27fb1ef20772b78079808c87d20a90d051660b1d69a", + "sha256:52ba3d3f9b942c49d7e4bc105bb28551c44065f139a65062ab7912bef10c9afb", + "sha256:563085e55b0d4fb8f746f6a335893bda5c2cef43b2f0258fe1020ab1dd874df8", + "sha256:598585c9f0af8374c28edd609eb291b5726d7cbce16be6a8b95aa074d252ee17", + "sha256:619d71c59a78b84d7f18891fe914446d07edd48dc8328c8e149cbe0929b4e000", + "sha256:67bdb9702427ceddc6ef3dc382455e90f785af4c13d495f9626861763ee13f9d", + "sha256:6d1b01031dedf2503631d0903cb563743f397ccaf6607a5e3b19a3d76fc10480", + "sha256:741a9647fcf2e45f3a1cf0e24f5e17febf3efe8d4ba1281dcc3aa0459ef424dc", + "sha256:7c2a1af393fcc09e898beba5dd59196edaa3116191cc7257f9224beaed3e1aa0", + "sha256:7d9884d86dd4dd489e981d94a65cd30d6f07203d90e98f6f657f05170f6324c9", + "sha256:90f11ff637fe8798933fb29f5ae1148c978cccb0452005bf4c69e13db951e765", + "sha256:919859aa909429fb5aa9cf8807f6045592c85ef56fdd30a9a3747e513db2536e", + "sha256:96fcd1888ab4d03adfc9303a7b3c0bd78c5412b2bfbe76db5b56d9eae004907a", + "sha256:97f29f57d5b84e73fbaf99ab3e26134e6687348e95ef6b48cfd2c06807005a07", + "sha256:980d7be47c84979d9136328d882f67ec5e50008681d94ecc8afa8a65ed1f4a6f", + "sha256:a91aa8619b23b79bcbeb37abe286f2f408d2f2d6f29a17237afda55bb54e7aac", + "sha256:ade17eb5d643b7fead300a1641e9f45401c98eee23763e9ed66a43f92f20b4a7", + "sha256:b9c3db21af35e3b3c05764461b262d6f05bbca08a71a7849fd79d47ba7bc33ed", + "sha256:bd28bc2e3a772acbb07787c6308e00d9626ff89e3bfcdebe87fa5afbfdedf968", + "sha256:bf5824bfac591ddb2c1f0a5f4ab72da28994548c708d2191e3b87dd207eb3ad7", + "sha256:c0502c0fadef0d23b128605d69b58edb2c681c25d44574fc673b0e52dce71ee2", + "sha256:c38c71df845e2aabb7fb0b920d11a1b5ac8526005e533a8920aea97efb8ec6a4", + "sha256:ce15b6d103daff8e9fee13cf7f0add05245a05d866e73926c358e871221eae87", + "sha256:d3029c340cfbb3ac0a71798100ccc13b97dddf373a4ae56b6a72cf70dfd53bc8", + "sha256:e512d8ef5ad7b898cdb2d8ee1cb09a8339e4f8be706d27eaa180c2f177248a10", + "sha256:e8e5b509d5c2ff12f8418006d5a90e9436766133b564db0abaec92fd27fcee29", + "sha256:ee54ff27bf0afaf4c3b3a62bcd016c12c3fdb4ec4f413391a90bd38bc3624605", + "sha256:fa4537fb4a98fe8fde99626e4681cc644bdcf2a795038533f9f711513a862ae6", + "sha256:fd45ff9293d9274c5008a2054ecef86a9bfe819a67c7be1afb65e69b405b3042" ], - "version": "==2021.3.17" + "version": "==2021.4.4" }, "toml": { "hashes": [ @@ -239,70 +279,71 @@ }, "typed-ast": { "hashes": [ - "sha256:07d49388d5bf7e863f7fa2f124b1b1d89d8aa0e2f7812faff0a5658c01c59aa1", - "sha256:14bf1522cdee369e8f5581238edac09150c765ec1cb33615855889cf33dcb92d", - "sha256:240296b27397e4e37874abb1df2a608a92df85cf3e2a04d0d4d61055c8305ba6", - "sha256:36d829b31ab67d6fcb30e185ec996e1f72b892255a745d3a82138c97d21ed1cd", - "sha256:37f48d46d733d57cc70fd5f30572d11ab8ed92da6e6b28e024e4a3edfb456e37", - "sha256:4c790331247081ea7c632a76d5b2a265e6d325ecd3179d06e9cf8d46d90dd151", - "sha256:5dcfc2e264bd8a1db8b11a892bd1647154ce03eeba94b461effe68790d8b8e07", - "sha256:7147e2a76c75f0f64c4319886e7639e490fee87c9d25cb1d4faef1d8cf83a440", - "sha256:7703620125e4fb79b64aa52427ec192822e9f45d37d4b6625ab37ef403e1df70", - "sha256:8368f83e93c7156ccd40e49a783a6a6850ca25b556c0fa0240ed0f659d2fe496", - "sha256:84aa6223d71012c68d577c83f4e7db50d11d6b1399a9c779046d75e24bed74ea", - "sha256:85f95aa97a35bdb2f2f7d10ec5bbdac0aeb9dafdaf88e17492da0504de2e6400", - "sha256:8db0e856712f79c45956da0c9a40ca4246abc3485ae0d7ecc86a20f5e4c09abc", - "sha256:9044ef2df88d7f33692ae3f18d3be63dec69c4fb1b5a4a9ac950f9b4ba571606", - "sha256:963c80b583b0661918718b095e02303d8078950b26cc00b5e5ea9ababe0de1fc", - "sha256:987f15737aba2ab5f3928c617ccf1ce412e2e321c77ab16ca5a293e7bbffd581", - "sha256:9ec45db0c766f196ae629e509f059ff05fc3148f9ffd28f3cfe75d4afb485412", - "sha256:9fc0b3cb5d1720e7141d103cf4819aea239f7d136acf9ee4a69b047b7986175a", - "sha256:a2c927c49f2029291fbabd673d51a2180038f8cd5a5b2f290f78c4516be48be2", - "sha256:a38878a223bdd37c9709d07cd357bb79f4c760b29210e14ad0fb395294583787", - "sha256:b4fcdcfa302538f70929eb7b392f536a237cbe2ed9cba88e3bf5027b39f5f77f", - "sha256:c0c74e5579af4b977c8b932f40a5464764b2f86681327410aa028a22d2f54937", - "sha256:c1c876fd795b36126f773db9cbb393f19808edd2637e00fd6caba0e25f2c7b64", - "sha256:c9aadc4924d4b5799112837b226160428524a9a45f830e0d0f184b19e4090487", - "sha256:cc7b98bf58167b7f2db91a4327da24fb93368838eb84a44c472283778fc2446b", - "sha256:cf54cfa843f297991b7388c281cb3855d911137223c6b6d2dd82a47ae5125a41", - "sha256:d003156bb6a59cda9050e983441b7fa2487f7800d76bdc065566b7d728b4581a", - "sha256:d175297e9533d8d37437abc14e8a83cbc68af93cc9c1c59c2c292ec59a0697a3", - "sha256:d746a437cdbca200622385305aedd9aef68e8a645e385cc483bdc5e488f07166", - "sha256:e683e409e5c45d5c9082dc1daf13f6374300806240719f95dc783d1fc942af10" + "sha256:01ae5f73431d21eead5015997ab41afa53aa1fbe252f9da060be5dad2c730ace", + "sha256:067a74454df670dcaa4e59349a2e5c81e567d8d65458d480a5b3dfecec08c5ff", + "sha256:0fb71b8c643187d7492c1f8352f2c15b4c4af3f6338f21681d3681b3dc31a266", + "sha256:1b3ead4a96c9101bef08f9f7d1217c096f31667617b58de957f690c92378b528", + "sha256:2068531575a125b87a41802130fa7e29f26c09a2833fea68d9a40cf33902eba6", + "sha256:209596a4ec71d990d71d5e0d312ac935d86930e6eecff6ccc7007fe54d703808", + "sha256:2c726c276d09fc5c414693a2de063f521052d9ea7c240ce553316f70656c84d4", + "sha256:398e44cd480f4d2b7ee8d98385ca104e35c81525dd98c519acff1b79bdaac363", + "sha256:52b1eb8c83f178ab787f3a4283f68258525f8d70f778a2f6dd54d3b5e5fb4341", + "sha256:5feca99c17af94057417d744607b82dd0a664fd5e4ca98061480fd8b14b18d04", + "sha256:7538e495704e2ccda9b234b82423a4038f324f3a10c43bc088a1636180f11a41", + "sha256:760ad187b1041a154f0e4d0f6aae3e40fdb51d6de16e5c99aedadd9246450e9e", + "sha256:777a26c84bea6cd934422ac2e3b78863a37017618b6e5c08f92ef69853e765d3", + "sha256:95431a26309a21874005845c21118c83991c63ea800dd44843e42a916aec5899", + "sha256:9ad2c92ec681e02baf81fdfa056fe0d818645efa9af1f1cd5fd6f1bd2bdfd805", + "sha256:9c6d1a54552b5330bc657b7ef0eae25d00ba7ffe85d9ea8ae6540d2197a3788c", + "sha256:aee0c1256be6c07bd3e1263ff920c325b59849dc95392a05f258bb9b259cf39c", + "sha256:af3d4a73793725138d6b334d9d247ce7e5f084d96284ed23f22ee626a7b88e39", + "sha256:b36b4f3920103a25e1d5d024d155c504080959582b928e91cb608a65c3a49e1a", + "sha256:b9574c6f03f685070d859e75c7f9eeca02d6933273b5e69572e5ff9d5e3931c3", + "sha256:bff6ad71c81b3bba8fa35f0f1921fb24ff4476235a6e94a26ada2e54370e6da7", + "sha256:c190f0899e9f9f8b6b7863debfb739abcb21a5c054f911ca3596d12b8a4c4c7f", + "sha256:c907f561b1e83e93fad565bac5ba9c22d96a54e7ea0267c708bffe863cbe4075", + "sha256:cae53c389825d3b46fb37538441f75d6aecc4174f615d048321b716df2757fb0", + "sha256:dd4a21253f42b8d2b48410cb31fe501d32f8b9fbeb1f55063ad102fe9c425e40", + "sha256:dde816ca9dac1d9c01dd504ea5967821606f02e510438120091b84e852367428", + "sha256:f2362f3cb0f3172c42938946dbc5b7843c2a28aec307c49100c8b38764eb6927", + "sha256:f328adcfebed9f11301eaedfa48e15bdece9b519fb27e6a8c01aa52a17ec31b3", + "sha256:f8afcf15cc511ada719a88e013cec87c11aff7b91f019295eb4530f96fe5ef2f", + "sha256:fb1bbeac803adea29cedd70781399c99138358c26d05fcbd23c13016b7f5ec65" ], - "version": "==1.4.2" + "markers": "python_version < '3.8'", + "version": "==1.4.3" }, "typing-extensions": { "hashes": [ - "sha256:7cb407020f00f7bfc3cb3e7881628838e69d8f3fcab2f64742a5e76b2f841918", - "sha256:99d4073b617d30288f569d3f13d2bd7548c3a7e4c8de87db09a9d29bb3a4a60c", - "sha256:dafc7639cde7f1b6e1acc0f457842a83e722ccca8eef5270af2d74792619a89f" + "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", + "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", + "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" ], - "markers": "python_version < '3.8'", - "version": "==3.7.4.3" + "markers": "python_version < '3.8' and python_version < '3.8'", + "version": "==3.10.0.0" }, "watchdog": { "hashes": [ - "sha256:035f4816daf3c62e03503c267620f3aa8fc7472df85ff3ef1e0c100ea1ed2744", - "sha256:0f7e9de9ba84af15e9e9fc29c3b13c972daa4d2b11de29aa86b26a26bc877c06", - "sha256:13c9ff58508dce55ba416eb0ef7af5aa5858558f2ec51112f099fd03503b670b", - "sha256:19675b8d1f00dabe74a0e66d87980623250d9360a21612e8c27b70a4b214ceeb", - "sha256:1cd715c4fb803581ded8943f39a51f21c17375d009ca9e3398d6b20638863a70", - "sha256:1f518a6940cde8720b8826a705c164e6b9bd6cf8c00f14269ffac51e017e06ec", - "sha256:3e933f3567c4521dd1a5d59fd54a522cae90bebcbeb8b74b84a2f33c90f08388", - "sha256:41b1a773f364f232b5bc184688e8d60451745d9e0971ac60c648bd47be8f4733", - "sha256:532fedd993e75554671faa36cd04c580ced3fae084254a779afbbd8aaf00566b", - "sha256:74528772516228f6a015a647027057939ff0b695a0b864cb3037e8e1aabc7ca0", - "sha256:89102465764e453609463cf620e744da1b0aa1f9f321b05961e2e7e15b3c9d8b", - "sha256:a412b1914e27f67b0a10e1ee19b5d035a9f7c115a062bbbd640653d9820ba4c8", - "sha256:ac6adbdf32e1d180574f9d0819e80259ae48e68727e80c3d950ed5a023714c3e", - "sha256:adda34bfe6db05485c1dfcd98232bdec385f991fe16358750c2163473eefb985", - "sha256:d2fcbc15772a82cd139c803a513c45b0fbc72a10a8a34dc2a8b429110b6f1236", - "sha256:d54e187b76053982180532cb7fd31152201c438b348c456f699929f8a89e786d", - "sha256:e0114e48ee981b38e328eaa0d5a625c7b4fc144b8dc7f7637749d6b5f7fefb0e" + "sha256:0237db4d9024859bea27d0efb59fe75eef290833fd988b8ead7a879b0308c2db", + "sha256:104266a778906ae0e971368d368a65c4cd032a490a9fca5ba0b78c6c7ae11720", + "sha256:188145185c08c73c56f1478ccf1f0f0f85101191439679b35b6b100886ce0b39", + "sha256:1a62a4671796dc93d1a7262286217d9e75823c63d4c42782912d39a506d30046", + "sha256:255a32d44bbbe62e52874ff755e2eefe271b150e0ec240ad7718a62a7a7a73c4", + "sha256:3d6405681471ebe0beb3aa083998c4870e48b57f8afdb45ea1b5957cc5cf1014", + "sha256:4b219d46d89cfa49af1d73175487c14a318a74cb8c5442603fd13c6a5b418c86", + "sha256:581e3548159fe7d2a9f377a1fbcb41bdcee46849cca8ab803c7ac2e5e04ec77c", + "sha256:58ebb1095ee493008a7789d47dd62e4999505d82be89fc884d473086fccc6ebd", + "sha256:598d772beeaf9c98d0df946fbabf0c8365dd95ea46a250c224c725fe0c4730bc", + "sha256:668391e6c32742d76e5be5db6bf95c455fa4b3d11e76a77c13b39bccb3a47a72", + "sha256:6ef9fe57162c4c361692620e1d9167574ba1975ee468b24051ca11c9bba6438e", + "sha256:91387ee2421f30b75f7ff632c9d48f76648e56bf346a7c805c0a34187a93aab4", + "sha256:a42e6d652f820b2b94cd03156c62559a2ea68d476476dfcd77d931e7f1012d4a", + "sha256:a6471517315a8541a943c00b45f1d252e36898a3ae963d2d52509b89a50cb2b9", + "sha256:d34ce2261f118ecd57eedeef95fc2a495fc4a40b3ed7b3bf0bd7a8ccc1ab4f8f", + "sha256:edcd9ef3fd460bb8a98eb1fcf99941e9fd9f275f45f1a82cb1359ec92975d647" ], "index": "pypi", - "version": "==2.0.2" + "version": "==2.1.2" }, "zipp": { "hashes": [ diff --git a/README.md b/README.md index 16e85ac6..9040fc8e 100644 --- a/README.md +++ b/README.md @@ -66,6 +66,28 @@ Web Server is available at //localhost:1313/ (bind address 0.0.0.0) The website is now available at [`http://localhost:1313`](http://localhost:1313). Changes in the Markdown files or the [external content descriptor file](./external.yaml) trigger a rebuild of the site. After the rebuild, the site is reloaded in your browser. +### Avoiding broken links + +It is common that URLs you are pointing to get deprecated or moved somewhere else over time, leading to broken links on our website. + +In order to avoid this, there is a tool that lets you check whether there are broken links in the whole website or not. + +First, make sure you are serving the website locally and that it is accesible at `http://localhost:1313`, then run the following command: + +```shell +make docker-check-links # if you prefer to use Docker +``` + +or + +```shell +make check-links # if you prefer to run the toolchain in your machine +``` + +The tool will crawl your local website and will report if there's any broken link on it. + +If there's any, and you can't fix it right away, please [file an issue on GitHub](https://github.com/spiffe/spiffe.io/issues/new]). + ## Publishing the site The site is published automatically by [Netlify](https://netlify.com). Whenever you merge pull requests to `master`, the site is automatically built and published in about a minute. **There's no need to handle this manually**. diff --git a/linkcheckerrc b/linkcheckerrc new file mode 100644 index 00000000..e99dfd6c --- /dev/null +++ b/linkcheckerrc @@ -0,0 +1,7 @@ +[filtering] +check_extern=1 + +[output] +status=0 + +[AnchorCheck] \ No newline at end of file From 1eb887fb328dfd9db4e0fbd852cfb3127f8d1705 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Tue, 27 Apr 2021 16:18:08 -0300 Subject: [PATCH 15/28] Locks linkchecker version Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- Makefile | 6 +++--- Pipfile | 2 +- Pipfile.lock | 2 +- linkcheckerrc | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Makefile b/Makefile index 2f6745b1..e982cbf5 100644 --- a/Makefile +++ b/Makefile @@ -52,16 +52,16 @@ pull-external-content: python ./pull_external.py ci-check-links: pull-external-content - echo "Running HTTP Server..." && \ + echo "Running Hugo server..." && \ hugo server -p 1212 & \ sleep 2 && \ echo "Running links checker..." && \ linkchecker -f linkcheckerrc http://localhost:1212; \ - echo "Stopping HTTP Server..." && \ + echo "Stopping Hugo server..." && \ pkill hugo check-links: - linkchecker -f linkcheckerrc http://localhost:1313 + pipenv run linkchecker -f linkcheckerrc http://localhost:1313 docker-check-links-build: docker build -f Dockerfile.linkchecker -t linkchecker . diff --git a/Pipfile b/Pipfile index f0a551e6..111c0afc 100644 --- a/Pipfile +++ b/Pipfile @@ -13,7 +13,7 @@ argh = "*" pyyaml = "~=5.3" toml = "~=0.10.1" requests = "~=2.25.1" -linkchecker = "*" +linkchecker = "~=10.0.1" [requires] python_version = "3.7" diff --git a/Pipfile.lock b/Pipfile.lock index 0efb0e12..c76cae3c 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "5c7d6489bbd89351fd5b4416367e147ced7f6ed721d6062975f97f933eda5ec1" + "sha256": "9dde01aa10154bcff3ca47f5c85002ca026da6d29d79b583795c39bc621e10b1" }, "pipfile-spec": 6, "requires": { diff --git a/linkcheckerrc b/linkcheckerrc index e99dfd6c..9da10d0a 100644 --- a/linkcheckerrc +++ b/linkcheckerrc @@ -4,4 +4,4 @@ check_extern=1 [output] status=0 -[AnchorCheck] \ No newline at end of file +[AnchorCheck] From 81ca767a8a1a8a85d16c37a405a405e32d049908 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Wed, 28 Apr 2021 10:30:56 -0300 Subject: [PATCH 16/28] Fixes checkextern mode Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- linkcheckerrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/linkcheckerrc b/linkcheckerrc index 9da10d0a..3cda6f77 100644 --- a/linkcheckerrc +++ b/linkcheckerrc @@ -1,5 +1,5 @@ [filtering] -check_extern=1 +checkextern=1 [output] status=0 From 744ac8abe92c9f5cdccc42e15f82a1cff2665028 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Wed, 28 Apr 2021 15:24:52 -0300 Subject: [PATCH 17/28] Ignores letsencrypt's urls Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- linkcheckerrc | 1 + 1 file changed, 1 insertion(+) diff --git a/linkcheckerrc b/linkcheckerrc index 3cda6f77..8d92d76d 100644 --- a/linkcheckerrc +++ b/linkcheckerrc @@ -1,5 +1,6 @@ [filtering] checkextern=1 +ignore=letsencrypt\.org [output] status=0 From 68832ed870820e2f9d2539cf60b0b30f8fc9134a Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Thu, 29 Apr 2021 09:52:30 -0300 Subject: [PATCH 18/28] Adds missing newline Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- Dockerfile.linkchecker | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile.linkchecker b/Dockerfile.linkchecker index 05829de3..70c960c7 100644 --- a/Dockerfile.linkchecker +++ b/Dockerfile.linkchecker @@ -6,4 +6,4 @@ RUN pip install linkchecker ADD linkcheckerrc . -ENTRYPOINT [ "linkchecker" ] \ No newline at end of file +ENTRYPOINT [ "linkchecker" ] From af0a97ff2b87fa5eadcb095b9bbba1085a4e2cad Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Mon, 3 May 2021 14:36:08 -0300 Subject: [PATCH 19/28] Disables anchor checking Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- linkcheckerrc | 2 -- 1 file changed, 2 deletions(-) diff --git a/linkcheckerrc b/linkcheckerrc index 8d92d76d..579cdb26 100644 --- a/linkcheckerrc +++ b/linkcheckerrc @@ -4,5 +4,3 @@ ignore=letsencrypt\.org [output] status=0 - -[AnchorCheck] From 31a2c483df3364d76fba3fe92003e0444b590e19 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Wed, 2 Jun 2021 12:50:40 -0300 Subject: [PATCH 20/28] Add clarification about serve commands Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9040fc8e..b11e5ca4 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,7 @@ It is common that URLs you are pointing to get deprecated or moved somewhere els In order to avoid this, there is a tool that lets you check whether there are broken links in the whole website or not. -First, make sure you are serving the website locally and that it is accesible at `http://localhost:1313`, then run the following command: +First, make sure you are serving the website locally using the `-with-releases` form of the script (`make docker-serve-with-releases` or `make serve-with-releases`), and that it is accesible at `http://localhost:1313`, then run the following command: ```shell make docker-check-links # if you prefer to use Docker From 202848056f2a6785d853cc9580dd571a9cca6202 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Tue, 8 Jun 2021 12:31:01 -0300 Subject: [PATCH 21/28] Addresses PR comments by @sanderson042 Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- README.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index b11e5ca4..211f18d6 100644 --- a/README.md +++ b/README.md @@ -66,27 +66,25 @@ Web Server is available at //localhost:1313/ (bind address 0.0.0.0) The website is now available at [`http://localhost:1313`](http://localhost:1313). Changes in the Markdown files or the [external content descriptor file](./external.yaml) trigger a rebuild of the site. After the rebuild, the site is reloaded in your browser. -### Avoiding broken links +### Checking for broken links It is common that URLs you are pointing to get deprecated or moved somewhere else over time, leading to broken links on our website. In order to avoid this, there is a tool that lets you check whether there are broken links in the whole website or not. -First, make sure you are serving the website locally using the `-with-releases` form of the script (`make docker-serve-with-releases` or `make serve-with-releases`), and that it is accesible at `http://localhost:1313`, then run the following command: +First, make sure you are serving the website locally using the `-with-releases` form of the script (`make docker-serve-with-releases` or `make serve-with-releases`), and that it is accessible at `http://localhost:1313`, then run the following command: ```shell -make docker-check-links # if you prefer to use Docker +make docker-check-links # if you are using Docker to serve the website ``` or ```shell -make check-links # if you prefer to run the toolchain in your machine +make check-links # if you are using a local toolchain to serve the website ``` -The tool will crawl your local website and will report if there's any broken link on it. - -If there's any, and you can't fix it right away, please [file an issue on GitHub](https://github.com/spiffe/spiffe.io/issues/new]). +The tool will crawl your local website and report if there's any broken link on it. If there's any, and you can't create a PR to fix the link right away, please [file an issue on GitHub](https://github.com/spiffe/spiffe.io/issues/new) ## Publishing the site From eb09d038c10c7df3969228cc46b68f0d6101b697 Mon Sep 17 00:00:00 2001 From: Max Lambrecht <maxlambrecht@gmail.com> Date: Mon, 28 Jun 2021 15:54:58 -0300 Subject: [PATCH 22/28] Add Rust library link to the libraries doc. Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com> --- content/docs/latest/deploying/libraries.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/docs/latest/deploying/libraries.md b/content/docs/latest/deploying/libraries.md index 356c7493..fea14b97 100644 --- a/content/docs/latest/deploying/libraries.md +++ b/content/docs/latest/deploying/libraries.md @@ -29,3 +29,7 @@ See the [go-spiffe library GitHub page](https://github.com/spiffe/go-spiffe/tree # Java See the [java-spiffe library GitHub page](https://github.com/spiffe/java-spiffe) for more information about the SPIFFE Java library. + +# Rust + +See the [spiffe crate](https://crates.io/crates/spiffe) for more information about the SPIFFE Rust library. \ No newline at end of file From 008fb1441b16e472611213b98b7dfaa1319479f1 Mon Sep 17 00:00:00 2001 From: Max Lambrecht <maxlambrecht@gmail.com> Date: Mon, 28 Jun 2021 17:12:10 -0300 Subject: [PATCH 23/28] Add comment about Rust not official library. Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com> --- content/docs/latest/deploying/libraries.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/docs/latest/deploying/libraries.md b/content/docs/latest/deploying/libraries.md index fea14b97..3db4c88a 100644 --- a/content/docs/latest/deploying/libraries.md +++ b/content/docs/latest/deploying/libraries.md @@ -32,4 +32,5 @@ See the [java-spiffe library GitHub page](https://github.com/spiffe/java-spiffe) # Rust -See the [spiffe crate](https://crates.io/crates/spiffe) for more information about the SPIFFE Rust library. \ No newline at end of file +See the [spiffe crate](https://crates.io/crates/spiffe) for more information about the SPIFFE Rust library. +This library is not yet part of the official SPIFFE repo and is still under development. \ No newline at end of file From 464ab4383adb06c1572165b79a2785506240b656 Mon Sep 17 00:00:00 2001 From: Steve Anderson <steve.anderson@hpe.com> Date: Fri, 24 Sep 2021 11:44:44 -0500 Subject: [PATCH 24/28] Fix #227 - Add link to Plugin SDK in "Extend SPIRE" page Signed-off-by: Steve Anderson <steve.anderson@hpe.com> --- content/docs/latest/planning/extending.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/content/docs/latest/planning/extending.md b/content/docs/latest/planning/extending.md index dc3e7bd3..7f62f1df 100644 --- a/content/docs/latest/planning/extending.md +++ b/content/docs/latest/planning/extending.md @@ -2,14 +2,18 @@ title: Extend SPIRE short: Extending kind: planning -description: Learn how to extend SPIRE with third-party plugins +description: Learn how to extend SPIRE with plugins weight: 100 aliases: - /spire/docs/extending - /docs/latest/spire/developing/extending --- -SPIRE is highly extensible via a plugin framework that allows many core operations to be added and customized. +SPIRE is highly extensible via a plugin framework that allows many core operations to be added and customized. This page describes the types of plugins available, how to integrate plugins while deploying SPIRE, and has a link to the SPIRE Plugin SDK for those interested in authoring a plugin. + +# Authoring SPIRE plugins + +Refer to the [Spire Plugin SDK](https://github.com/spiffe/spire-plugin-sdk) GitHub page for documentation and templates that you can use to code your own SPIRE plugins. # Node Attestor plugins From cd2e2ee19756d560bb02f7876af92ac819fea6c7 Mon Sep 17 00:00:00 2001 From: Steve Anderson <steve.anderson@hpe.com> Date: Fri, 24 Sep 2021 14:30:39 -0500 Subject: [PATCH 25/28] Fix SPIRE capitalization and make Key Manager spelling consistent Thanks Max and Andrew for your tweaks to this doc change! Signed-off-by: Steve Anderson <steve.anderson@hpe.com> --- content/docs/latest/planning/extending.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/content/docs/latest/planning/extending.md b/content/docs/latest/planning/extending.md index 7f62f1df..54b03546 100644 --- a/content/docs/latest/planning/extending.md +++ b/content/docs/latest/planning/extending.md @@ -13,7 +13,7 @@ SPIRE is highly extensible via a plugin framework that allows many core operatio # Authoring SPIRE plugins -Refer to the [Spire Plugin SDK](https://github.com/spiffe/spire-plugin-sdk) GitHub page for documentation and templates that you can use to code your own SPIRE plugins. +Refer to the [SPIRE Plugin SDK](https://github.com/spiffe/spire-plugin-sdk) GitHub page for documentation and templates that you can use to code your own SPIRE plugins. # Node Attestor plugins @@ -47,11 +47,11 @@ UpstreamAuthority plugins allow the SPIRE Server to integrate with existing publ SPIRE comes with a set of built-in UpstreamAuthority plugins for the [Server](/docs/latest/deploying/spire_server/). -# KeyManager plugins +# Key Manager plugins -In some cases it might be desirable for SPIRE to avoid being exposed to a signing key at all - for example if the signing key is held in a secure hardware enclave. In such a case, the SPIRE Server and Agent can leverage KeyManager plugins to delegate the actual signing operation to another system (such as a TPM). +In some cases it might be desirable for SPIRE to avoid being exposed to a signing key at all - for example if the signing key is held in a secure hardware enclave. In such a case, the SPIRE Server and Agent can leverage Key Manager plugins to delegate the actual signing operation to another system (such as a TPM). -SPIRE comes with a set of built-in KeyManager plugins for the [Server](/docs/latest/deploying/spire_server/) and [Agent](/docs/latest/deploying/spire_agent/). +SPIRE comes with a set of built-in Key Manager plugins for the [Server](/docs/latest/deploying/spire_server/) and [Agent](/docs/latest/deploying/spire_agent/). # Notifier plugins From 2b80387b82890a3e5b457de6526daf68572721a3 Mon Sep 17 00:00:00 2001 From: glaucimar <glaucimar@gmail.com> Date: Wed, 20 Oct 2021 12:11:33 -0300 Subject: [PATCH 26/28] Fixing a small fix on Node Resolver text. Signed-off-by: glaucimar <glaucimar@gmail.com> --- content/docs/latest/planning/extending.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/latest/planning/extending.md b/content/docs/latest/planning/extending.md index 54b03546..f0487ba3 100644 --- a/content/docs/latest/planning/extending.md +++ b/content/docs/latest/planning/extending.md @@ -29,7 +29,7 @@ In addition, known third-party Node Attestor plugins include: # Node Resolver plugins -Once the identity of an individual node has been determined, in some cases it is valuable to be able to expose additional verified metadata about that workload as selectors for registration entries. For example, the AWS EC2 IID Node Attestor plugin can be used to prove the Instance ID of a given EC2 instance, but the AWS EC2 IID Node Resolver plugin will - by looking up additional instance metadata in AWS - expose additional selectors (such as instance tag or label) based on this verified metadata. +Once the identity of an individual node has been determined, in some cases it is valuable to be able to expose additional verified metadata about that node as selectors for registration entries. For example, the AWS EC2 IID Node Attestor plugin can be used to prove the Instance ID of a given EC2 instance, but the AWS EC2 IID Node Resolver plugin will - by looking up additional instance metadata in AWS - expose additional selectors (such as instance tag or label) based on this verified metadata. Node Resolver plugins are typically coupled to a specific Node Attestor plugin (such as the AWS EC2 IID Node Attestor), since they will rely on that plugin to verify the initial identity of the node. From b11a960ff8c13addf5e9fbd2923394763b03d2dc Mon Sep 17 00:00:00 2001 From: Michael Shen <mishen@umich.edu> Date: Fri, 21 Jan 2022 11:55:50 -0500 Subject: [PATCH 27/28] Update links to spiffe master branch to main instead Signed-off-by: Michael Shen <mishen@umich.edu> --- content/docs/latest/deploying/svids.md | 6 +++--- content/docs/latest/spiffe-about/get-involved.md | 4 ++-- content/docs/latest/spiffe-about/spiffe-concepts.md | 4 ++-- layouts/shortcodes/specs.html | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/content/docs/latest/deploying/svids.md b/content/docs/latest/deploying/svids.md index 85e2af1d..8ee3c520 100644 --- a/content/docs/latest/deploying/svids.md +++ b/content/docs/latest/deploying/svids.md @@ -19,13 +19,13 @@ Developers coding a new workload that needs to interact with SPIFFE can interact * Generate short-lived keys and certificates on behalf of the workload, specifically: * A private key tied to that SPIFFE ID that can be used to sign data on behalf of the workload. - * A corresponding short-lived X.509 certificate - an [X509-SVID](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md). This can be used to establish TLS or otherwise authenticate to other workloads. + * A corresponding short-lived X.509 certificate - an [X509-SVID](https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md). This can be used to establish TLS or otherwise authenticate to other workloads. * A set of certificates – known as a [trust bundle](/docs/latest/spiffe/concepts/#trust-bundle) – that a workload can use to verify an X.509-SVID presented by another workload in the same trust domain or a federated trust domain. -* Generate or validate JSON Web Tokens ([JWT-SVIDs](https://github.com/spiffe/spiffe/blob/master/standards/JWT-SVID.md)) issued on behalf of the workload or another workload in the same trust domain or a federated trust domain. +* Generate or validate JSON Web Tokens ([JWT-SVIDs](https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md)) issued on behalf of the workload or another workload in the same trust domain or a federated trust domain. The Workload API doesn't require any explicit authentication (such as a secret). Rather, the SPIFFE specification leaves it to implementation of the SPIFFE Workload API to determine how to authenticate the workload. In the case of SPIRE, this is achieved by inspecting the Unix kernel metadata collected by the SPIRE Agent when a workload calls the API. -The API is a gRPC API, derived [from a protobuf](https://github.com/spiffe/go-spiffe/blob/master/proto/spiffe/workload/workload.proto). The [gRPC project](https://grpc.io/) provides tools to generate client libraries from a protobuf in a variety of languages. +The API is a gRPC API, derived [from a protobuf](https://github.com/spiffe/go-spiffe/blob/main/proto/spiffe/workload/workload.proto). The [gRPC project](https://grpc.io/) provides tools to generate client libraries from a protobuf in a variety of languages. ## Working with SVIDs in Go diff --git a/content/docs/latest/spiffe-about/get-involved.md b/content/docs/latest/spiffe-about/get-involved.md index f4df651b..555634ef 100644 --- a/content/docs/latest/spiffe-about/get-involved.md +++ b/content/docs/latest/spiffe-about/get-involved.md @@ -25,12 +25,12 @@ SPIFFE is guided by a small but very active community of passionate software eng You can contribute to SPIFFE and SPIRE by filing issues and submitting pull requests on GitHub. See these contribution guidelines for details such as GitHub etiquette and coding conventions: -* [SPIFFE contribution guidelines](https://github.com/spiffe/spiffe/blob/master/CONTRIBUTING.md) +* [SPIFFE contribution guidelines](https://github.com/spiffe/spiffe/blob/main/CONTRIBUTING.md) * [SPIRE contribution guidelines](https://github.com/spiffe/spire/blob/{{< spire-latest "tag" >}}/CONTRIBUTING.md) While anyone is welcome to propose contributions via pull requests, we strongly encourage significant contributions - particularly those that might require a significant change to core components - to be first discussed and a high level design agreed upon with the appropriate SIGs or WGs (see above). -Day to day contributions are vetted by the project's maintainers. Overall project direction, guidance and conflict resolution is overseen by the projects' Technical Steering Committee. Full details on this process can be found [in the project GOVERNANCE page](https://github.com/spiffe/spiffe/blob/master/GOVERNANCE.md). +Day to day contributions are vetted by the project's maintainers. Overall project direction, guidance and conflict resolution is overseen by the projects' Technical Steering Committee. Full details on this process can be found [in the project GOVERNANCE page](https://github.com/spiffe/spiffe/blob/main/GOVERNANCE.md). ## SPIFFE and SPIRE Branding Media Library diff --git a/content/docs/latest/spiffe-about/spiffe-concepts.md b/content/docs/latest/spiffe-about/spiffe-concepts.md index 9398d461..6244ac0e 100644 --- a/content/docs/latest/spiffe-about/spiffe-concepts.md +++ b/content/docs/latest/spiffe-about/spiffe-concepts.md @@ -33,7 +33,7 @@ SPIFFE IDs are a [Uniform Resource Identifier (URI)](https://tools.ietf.org/html The _workload identifier_ uniquely identifies a specific workload within a [trust domain](#trust-domain). -The [SPIFFE specification](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE.md) describes in detail the format and use of SPIFFE IDs. +The [SPIFFE specification](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE.md) describes in detail the format and use of SPIFFE IDs. ## Trust Domain @@ -49,7 +49,7 @@ An SVID contains a single SPIFFE ID, which represents the identity of the servic As tokens are susceptible to _replay attacks_, in which an attacker that obtains the token in transit can use it to impersonate a workload, it is advised to use X.509-SVIDs whenever possible. However, there may be some situations in which the only option is the JWT token format, for example, when your architecture has an L7 proxy or load balancer between two workloads. -For detailed information on the SVID, see the [SVID specification](https://github.com/spiffe/spiffe/blob/master/standards/X509-SVID.md). +For detailed information on the SVID, see the [SVID specification](https://github.com/spiffe/spiffe/blob/main/standards/X509-SVID.md). ## SPIFFE Workload API diff --git a/layouts/shortcodes/specs.html b/layouts/shortcodes/specs.html index 8b9cf8cf..04a533d9 100644 --- a/layouts/shortcodes/specs.html +++ b/layouts/shortcodes/specs.html @@ -1,5 +1,5 @@ {{- $documents := .Site.Data.spec.documents }} -{{- $rootUrl := "https://github.com/spiffe/spiffe/blob/master/standards" }} +{{- $rootUrl := "https://github.com/spiffe/spiffe/blob/main/standards" }} <ul> {{- range $documents }} {{- $url := printf "%s/%s" $rootUrl .filename }} From f54800e26a705a9499a046e4fb92f714c0a9ee66 Mon Sep 17 00:00:00 2001 From: Maximiliano Churichi <maximiliano.churichi@hpe.com> Date: Mon, 12 Apr 2021 13:32:14 -0300 Subject: [PATCH 28/28] Fixes broken links generated on relative urls when importing external markdown Signed-off-by: Maximiliano Churichi <maximiliano.churichi@hpe.com> --- pull_external.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pull_external.py b/pull_external.py index 3aa769ae..fa9a017d 100644 --- a/pull_external.py +++ b/pull_external.py @@ -319,6 +319,9 @@ def repl_links(m: Match[str]): else: if rel == "./" or rel == "": rel_url = os.path.join(os.path.dirname(rel_path_to_source_file), url) + rel_url = os.path.normpath( + os.path.join(os.path.dirname(rel_path_to_source_file), rel, url) + ) branch = _get_branch_by_repo_url(source)