-
Notifications
You must be signed in to change notification settings - Fork 628
Added Azure bundle publisher #7030
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
sabre1041
wants to merge
1
commit into
spiffe:main
Choose a base branch
from
sabre1041:azure-bundle-publisher
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| # Server plugin: BundlePublisher "azure_blob" | ||
|
|
||
| The `azure_blob` plugin puts the current trust bundle of the server in a designated | ||
| Azure Blob Storage container, keeping it updated. | ||
|
|
||
| The plugin accepts the following configuration options: | ||
|
|
||
| | Configuration | Description | Required | Default | | ||
| |----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------|-----------------------| | ||
| | storage_account_name | The name of the Azure Storage account. | Yes. | | | ||
| | storage_account_key | The base64-encoded access key for the Azure Storage account. Used for shared key authentication (found in the Azure Portal, **Access keys**). | Required only when using shared key authentication. | | | ||
| | container_name | The name of the blob container to which the trust bundle is uploaded. | Yes. | | | ||
| | blob_name | The blob name inside the container. | Yes. | | | ||
| | format | Format in which the trust bundle is stored, <spiffe | jwks | pem>. See [Supported bundle formats](#supported-bundle-formats) for more details. | Yes. | | | ||
| | service_endpoint | The Azure Blob Storage service endpoint. | No. | blob.core.windows.net | | ||
| | tenant_id | The Azure tenant ID for client secret credential authentication. | Required only when using client secret credentials. | | | ||
| | app_id | The Azure application (client) ID for client secret credential authentication. | Required only when using client secret credentials. | | | ||
| | app_secret | The Azure application client secret for client secret credential authentication. | Required only when using client secret credentials. | | | ||
| | refresh_hint | Sets the refresh hint for the bundle when using the spiffe format. Specified as string e.g. '10m', '1h'. See [time.ParseDuration](https://pkg.go.dev/time#ParseDuration) for details | No. | | | ||
|
|
||
| ## Supported bundle formats | ||
|
|
||
| The following bundle formats are supported: | ||
|
|
||
| ### SPIFFE format | ||
|
|
||
| The trust bundle is represented as an RFC 7517 compliant JWK Set, with the specific parameters defined in the [SPIFFE Trust Domain and Bundle specification](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#4-spiffe-bundle-format). Both the JWT authorities and the X.509 authorities are included. | ||
|
|
||
| ### JWKS format | ||
|
|
||
| The trust bundle is encoded as an RFC 7517 compliant JWK Set, omitting SPIFFE-specific parameters. Both the JWT authorities and the X.509 authorities are included. | ||
|
|
||
| ### PEM format | ||
|
|
||
| The trust bundle is formatted using PEM encoding. Only the X.509 authorities are included. | ||
|
|
||
| ## Authentication | ||
|
|
||
| The plugin supports three authentication methods. Only one method may be used at a time; shared key authentication and client secret credentials are mutually exclusive. | ||
|
|
||
| ### Shared key authentication | ||
|
|
||
| When `storage_account_key` is provided, the plugin authenticates using the storage account's access key. This method does not require Azure AD and is useful in environments where Azure AD is not available. | ||
|
|
||
| ### Client secret credentials | ||
|
|
||
| When `tenant_id`, `app_id`, and `app_secret` are all provided, the plugin authenticates using Azure client secret credentials. All three fields must be specified together. | ||
|
|
||
| ### Default Azure credentials | ||
|
|
||
| When neither shared key nor client secret credentials are configured, the plugin uses the [Azure Default Credential](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication) chain. This supports Managed Identity, environment variables, Azure CLI credentials, and other methods provided by the Azure SDK. | ||
|
|
||
| ## Required permissions | ||
|
|
||
| The authenticated identity must have the `Storage Blob Data Contributor` role (or equivalent permissions to write blobs) on the configured storage account or container. | ||
|
|
||
| ## Sample configuration using Default Azure Credentials | ||
|
|
||
| The following configuration uploads the local trust bundle contents to the `example.org` blob in the `spire-bundle` container within the `mystorageaccount` storage account. Since client secret credentials are not configured, [Default Azure Credentials](https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication) are used. | ||
|
|
||
| ```hcl | ||
| BundlePublisher "azure_blob" { | ||
| plugin_data { | ||
| storage_account_name = "mystorageaccount" | ||
| container_name = "spire-bundle" | ||
| blob_name = "example.org" | ||
| format = "spiffe" | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| ## Sample configuration using shared key authentication | ||
|
|
||
| The following configuration uploads the local trust bundle contents to the `example.org` blob in the `spire-bundle` container, authenticating with a storage account access key. | ||
|
|
||
| ```hcl | ||
| BundlePublisher "azure_blob" { | ||
| plugin_data { | ||
| storage_account_name = "mystorageaccount" | ||
| storage_account_key = "my-storage-account-key" | ||
|
|
||
| container_name = "spire-bundle" | ||
| blob_name = "example.org" | ||
| format = "spiffe" | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| ## Sample configuration using client secret credentials | ||
|
|
||
| The following configuration uploads the local trust bundle contents to the `example.org` blob in the `spire-bundle` container, authenticating with client secret credentials. | ||
|
|
||
| ```hcl | ||
| BundlePublisher "azure_blob" { | ||
| plugin_data { | ||
| storage_account_name = "mystorageaccount" | ||
| container_name = "spire-bundle" | ||
| blob_name = "example.org" | ||
| format = "spiffe" | ||
| tenant_id = "my-tenant-id" | ||
| app_id = "my-app-id" | ||
| app_secret = "my-app-secret" | ||
| } | ||
| } | ||
| ``` | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This new plugin needs an entry in the BundlePublisher table in doc/spire_server.mdto to keep the built-in plugin index updated.