Merge branch 'main' into pqrequire
Signed-off-by: Andrew Harding <[email protected]>
azdagron authored Nov 6, 2024
2 parents 647e2a2 + 6fd9e75 commit 84a35f3
Showing 159 changed files with 482 additions and 470 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/release_build.yaml
Expand Up @@ -568,7 +568,7 @@ jobs:
- name: Create Release
env:
# GH_REPO is required for older releases of `gh`. Until we're
# reasonably confident that that the gh release is new enough,
# reasonably confident that the gh release is new enough,
# set GH_REPO to the repository to create the release in.
#
# See https://github.com/cli/cli/issues/3556
10 changes: 5 additions & 5 deletions CHANGELOG.md
Expand Up @@ -86,15 +86,15 @@

### Changed

- SPIRE Server and OIDC provider images to use non root users (#4967, #5227)
- SPIRE Server and OIDC provider images to use non-root users (#4967, #5227)
- `k8s_psat` NodeAttestor attestor to no longer fail when a cluster is not configured (#5216)
- Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (#5204)
- Small documentation improvements (#5181, #5189)
- Evicted agents that support reattestation can now reattest without being restarted (#4991)

### Fixed

- PSAT node attestor to cross check the audience fields (#5142)
- PSAT node attestor to cross-check the audience fields (#5142)
- Events-based cache to handle out of order events (#5071)

### Deprecated
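Review bot: the hyphenation this hunk introduces ("non-root", "cross-check") leaves the surrounding context inconsistent: the `#5204` line says "re-attestation" while the `#4991` line two entries below says "reattestation" and "reattest", and "out of order events" on the `#5071` line is the same compound-modifier case as "cross-check". If the goal is consistent hyphenation, pick one spelling of re-attestation for the section and write "out-of-order events".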
Expand Down Expand Up @@ -1075,7 +1075,7 @@
- Regression preventing agent selectors from showing in `spire-server agent show` command (#2133)
- Issue in the token authentication method of the Vault Upstream Authority plugin (#2110)
- Reporting of errors in server entry cache telemetry (#2091)
- Agent logs an error and automatically shuts down when its SVID has expired and it requires re-attestation (#2065)
- Agent logs an error and automatically shuts down when its SVID has expired, and it requires re-attestation (#2065)

## [0.12.1] - 2021-03-04
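Review bot: the added comma in the `#2065` line changes the meaning, not just the punctuation. "shuts down when its SVID has expired and it requires re-attestation" describes one compound condition (expired SVID plus a re-attestation requirement); with the comma, "and it requires re-attestation" reads as a separate statement about the agent rather than part of the condition. If the compound condition is intended, drop the comma or reword to "when its SVID has expired and re-attestation is required".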

Expand Down Expand Up @@ -1161,7 +1161,7 @@

- Fixed Kubernetes Workload Registrar issues (#1814, #1818, #1823)
- Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (#1824)
- Fixed issue preventing brand new deployments from downgrading successfully (#1829)
- Fixed issue preventing brand-new deployments from downgrading successfully (#1829)
- Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (#1863)

## [0.11.0] - 2020-08-28
Expand Down Expand Up @@ -1265,7 +1265,7 @@

## [0.9.0] - 2019-11-14

- Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078)
- Users can now opt out of workload executable hashing when enabling the workload path as a selector (#1078)
- Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208)
- SQL auto-migration can be disabled (#1089)
- SQL schema compatibility checks are aligned with upgrade compatibility guarantees (#1089)
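Review bot: the `#1059` context line in this hunk still runs PR references together without spaces (`#1122,#1138,#1160,#1186,#1208`) while the adjacent "opt out" line is being touched for consistency; the rest of the file separates references with ", ", so add the spaces here as well.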
4 changes: 2 additions & 2 deletions CONTRIBUTING.md
Expand Up @@ -45,7 +45,7 @@ toolchain and other build related files are cached under the `.build` folder

### Development in Docker

You can either build SPIRE on your host or in a Ubuntu docker container. In
You can either build SPIRE on your host or in an Ubuntu docker container. In
both cases you will use the same Makefile commands.

To build SPIRE within a container, first build the development image:
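Review bot: the changed sentence keeps "docker container" in lowercase while the heading two lines above uses "Docker"; as a product name it should be capitalized consistently, so "an Ubuntu Docker container".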
Expand Down Expand Up @@ -105,7 +105,7 @@ Packages should be exported through interfaces. Interaction with packages must b
interfaces

Interfaces should be defined in their own file, named (in lowercase) after the name of the
interface. eg. `foodata.go` implements `type FooData any`
interface. e.g. `foodata.go` implements `type FooData any`

### Metrics

6 changes: 3 additions & 3 deletions MAINTAINERS.md
Expand Up @@ -31,9 +31,9 @@ This section of the document can and should be updated as the above consideratio

### Changes in Maintainership

SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote with the exception of the unseated.
SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote except the unseated.

Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine month period.
Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine-month period.

The CNCF MUST be notified of any changes in maintainership via the CNCF Service Desk.
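Review bot: "requires a unanimous vote except the unseated" is grammatically off: "except" needs a set to exclude from, and the vote is not that set. "a unanimous vote, excluding the unseated maintainer" or "a vote that is unanimous among the other maintainers" preserves the original meaning. Separately, "long term project stability" in the next paragraph is the same compound-modifier case as the "nine-month" change in this hunk, so hyphenate "long-term" too.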

Expand Down Expand Up @@ -103,7 +103,7 @@ This is a very important aspect of SPIRE maintainership. Adoption and contributi

## Product Management and Roadmap Curation

In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field testing to better inform maintainers, and communicating project development information to the community.
In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field-testing to better inform maintainers, and communicating project development information to the community.

Maintainers are expected to have heavy participation in the community, but it may be impractical to dedicate themselves to gathering and analyzing community feedback and end-user pain points. Based on data collection, the role of the product manager is intended to aid maintainers to validate the desirability, feasibility, and viability of efforts to help drive project direction and priorities in long term planning.

2 changes: 1 addition & 1 deletion RELEASING.md
Expand Up @@ -14,7 +14,7 @@ The base commit of the release branch is based on the type of release being gene

When a bug is discovered in the latest release that also affects releases of the prior minor version, it is necessary to backport the fix.

Once the version branch is created, the patch is either cherry picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc.
Once the version branch is created, the patch is either cherry-picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc.

Ensure that the CHANGELOG is updated in both `main` and the version branch to reflect the new release.

2 changes: 1 addition & 1 deletion cmd/spire-agent/cli/run/run_posix_test.go
Expand Up @@ -238,7 +238,7 @@ func mergeInputCasesOS() []mergeInputCase {
},
},
{
msg: "socket_path should be configuable by CLI flag",
msg: "socket_path should be configurable by CLI flag",
fileInput: func(c *Config) {},
cliInput: func(c *agentConfig) {
c.SocketPath = "foo"
2 changes: 1 addition & 1 deletion cmd/spire-agent/cli/run/run_windows_test.go
Expand Up @@ -224,7 +224,7 @@ func mergeInputCasesOS() []mergeInputCase {
},
},
{
msg: "named_pipe_name should be configuable by CLI flag",
msg: "named_pipe_name should be configurable by CLI flag",
fileInput: func(c *Config) {},
cliInput: func(c *agentConfig) {
c.Experimental.NamedPipeName = "foo"
2 changes: 1 addition & 1 deletion cmd/spire-server/cli/agent/count.go
Expand Up @@ -27,7 +27,7 @@ type countCommand struct {
// Filters agents to those that are banned.
banned commoncli.BoolFlag

// Filters agents by those expires before.
// Filters agents by those that expire before this value.
expiresBefore string

// Filters agents to those matching the attestation type.
2 changes: 1 addition & 1 deletion cmd/spire-server/cli/agent/list.go
Expand Up @@ -28,7 +28,7 @@ type listCommand struct {
// Filters agents to those that are banned.
banned commoncli.BoolFlag

// Filters agents by those expires before.
// Filters agents by those that expire before this value.
expiresBefore string

// Filters agents to those matching the attestation type.
2 changes: 1 addition & 1 deletion cmd/spire-server/cli/agent/show.go
Expand Up @@ -17,7 +17,7 @@ import (

type showCommand struct {
env *commoncli.Env
// SPIFFE ID of the agent being showed
// SPIFFE ID of the agent being shown
spiffeID string
printer cliprinter.Printer
}
2 changes: 1 addition & 1 deletion cmd/spire-server/cli/entry/count.go
Expand Up @@ -31,7 +31,7 @@ type countCommand struct {
// List of SPIFFE IDs of trust domains the registration entry is federated with
federatesWith StringsFlag

// Whether or not the entry is for a downstream SPIRE server
// Whether the entry is for a downstream SPIRE server
downstream bool

// Match used when filtering by federates with
6 changes: 3 additions & 3 deletions cmd/spire-server/cli/entry/create.go
Expand Up @@ -54,13 +54,13 @@ type createCommand struct {
// List of SPIFFE IDs of trust domains the registration entry is federated with
federatesWith StringsFlag

// Whether or not the registration entry is for an "admin" workload
// whether the registration entry is for an "admin" workload
admin bool

// Whether or not the entry is for a downstream SPIRE server
// whether the entry is for a downstream SPIRE server
downstream bool

// Whether or not the entry represents a node or group of nodes
// whether the entry represents a node or group of nodes
node bool

// Expiry of entry
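Review bot: the three rewritten comments now begin with lowercase "whether", while the sibling comments in the same struct ("List of SPIFFE IDs ...", "Expiry of entry") and the equivalent change to `cmd/spire-server/cli/entry/count.go` in this same commit keep the leading capital ("Whether the entry is for a downstream SPIRE server"). Go comment convention and consistency within the commit both call for "Whether" here; the same lowercase form appears in the `entry/show.go` and `entry/update.go` hunks and should be fixed there too.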
2 changes: 1 addition & 1 deletion cmd/spire-server/cli/entry/show.go
Expand Up @@ -47,7 +47,7 @@ type showCommand struct {
// List of SPIFFE IDs of trust domains the registration entry is federated with
federatesWith StringsFlag

// Whether or not the entry is for a downstream SPIRE server
// whether the entry is for a downstream SPIRE server
downstream bool

// Match used when filtering by federates with
4 changes: 2 additions & 2 deletions cmd/spire-server/cli/entry/update.go
Expand Up @@ -41,7 +41,7 @@ type updateCommand struct {
// Workload spiffeID
spiffeID string

// Whether or not the entry is for a downstream SPIRE server
// whether the entry is for a downstream SPIRE server
downstream bool

// TTL for x509 SVIDs issued to this workload
Expand All @@ -53,7 +53,7 @@ type updateCommand struct {
// List of SPIFFE IDs of trust domains the registration entry is federated with
federatesWith StringsFlag

// Whether or not the registration entry is for an "admin" workload
// whether the registration entry is for an "admin" workload
admin bool

// Expiry of entry
2 changes: 1 addition & 1 deletion cmd/spire-server/cli/run/run_posix_test.go
Expand Up @@ -236,7 +236,7 @@ func mergeInputCasesOS(*testing.T) []mergeInputCase {
},
},
{
msg: "socket_path should be configuable by CLI flag",
msg: "socket_path should be configurable by CLI flag",
fileInput: func(c *Config) {},
cliFlags: []string{"-socketPath=foo"},
test: func(t *testing.T, c *Config) {
2 changes: 1 addition & 1 deletion cmd/spire-server/cli/run/run_test.go
Expand Up @@ -1720,7 +1720,7 @@ func TestHasCompatibleTTLs(t *testing.T) {
msg: "default_jwt_svid_ttl is small enough for the configured CA TTL but larger than the max",
caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months
x509SvidTTL: 0,
jwtSvidTTL: time.Hour * 24 * 7 * 2, // Two weeks,,
jwtSvidTTL: time.Hour * 24 * 7 * 2, // Two weeks
hasCompatibleSvidTTL: true,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: false,
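Review bot: while the stray ",," is being cleaned up, the "Six months" comment on the `caTTL` context line is inaccurate: `time.Hour * 24 * 7 * 4 * 6` is 4032 hours, i.e. 24 weeks (168 days), not six calendar months. "Two weeks" on the changed line is exact. Suggest "Roughly six months (24 weeks)" so a reader checking the TTL boundary in this case is not misled.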
2 changes: 1 addition & 1 deletion cmd/spire-server/cli/run/run_windows_test.go
Expand Up @@ -160,7 +160,7 @@ func mergeInputCasesOS(*testing.T) []mergeInputCase {
},
},
{
msg: "named_pipe_name be configuable by CLI flag",
msg: "named_pipe_name be configurable by CLI flag",
fileInput: func(c *Config) {},
cliFlags: []string{"-namedPipeName=foo"},
test: func(t *testing.T, c *Config) {
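Review bot: the spelling is fixed but the message is still missing a verb: "named_pipe_name be configurable by CLI flag". The POSIX counterpart in this commit reads "socket_path should be configurable by CLI flag", so "named_pipe_name should be configurable by CLI flag" keeps the two test cases parallel.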
8 changes: 4 additions & 4 deletions conf/server/server_full.conf
Expand Up @@ -146,11 +146,11 @@ server {

# ratelimit: Holds rate limiting configurations.
# ratelimit = {
# # Controls whether or not node attestation is rate limited to one
# # Controls whether node attestation is rate limited to one
# # attempt per-second per-IP. Default: true.
# attestation = true

# # Controls whether or not X509 and JWT signing are rate limited to 500
# # Controls whether X509 and JWT signing are rate limited to 500
# # requests per-second per-IP (separately). Default: true.
# signing = true
# }
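Review bot: the two rewritten comments keep "per-second per-IP" on the following context lines; these are plain adverbial phrases, not compound modifiers, so "one attempt per second per IP" and "500 requests per second per IP (separately)" read correctly without the hyphens.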
Expand Down Expand Up @@ -340,7 +340,7 @@ plugins {
# # key_vault_uri = "https://spire-server.vault.azure.net/"
#
# # use_msi: Deprecated and will be removed in a future release; will be used implicitly if other mechanisms to authenticate fail.
# # Whether or not to use MSI to authenticate to
# # whether to use MSI to authenticate to
# # Azure Key Vault. Mutually exclusive with
# # tenant_id, subscription_id, app_id, and app_secret.
# # use_msi = false
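Review bot: "whether to use MSI to authenticate to" follows a line that ends with a period ("...authenticate fail."), so it starts a new sentence and should keep the capital "Whether"; the lowercase form makes the comment read as a fragment glued onto the deprecation notice. The same change is made to the `use_msi` block for Azure services further down in this file and should be corrected there as well.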
Expand Down Expand Up @@ -430,7 +430,7 @@ plugins {
# # resource_id = "https://management.azure.com/"

# # use_msi: Deprecated and will be removed in a future release; will be used implicitly if other mechanisms to authenticate fail.
# # Whether or not to use MSI to authenticate to
# # whether to use MSI to authenticate to
# # Azure services. Mutually exclusive with
# # subscription_id, app_id, and app_secret.
# # use_msi = false
2 changes: 1 addition & 1 deletion doc/SPIRE101.md
Expand Up @@ -2,7 +2,7 @@

## Overview

This walkthrough will guide you through the steps needed to setup a running example of a SPIRE Server and SPIRE Agent. Interaction with the [Workload API](https://github.com/spiffe/go-spiffe/blob/main/v2/proto/spiffe/workload/workload.proto) will be simulated via a command line tool.
This walkthrough will guide you through the steps needed to set up a running example of a SPIRE Server and SPIRE Agent. Interaction with the [Workload API](https://github.com/spiffe/go-spiffe/blob/main/v2/proto/spiffe/workload/workload.proto) will be simulated via a command line tool.

![SPIRE101](images/SPIRE101.png)

4 changes: 2 additions & 2 deletions doc/authorization_policy_engine.md
@@ -1,7 +1,7 @@
# Authorization policy engine

**Warning**: Use of custom authorization policies is experimental and can
result in security degredation if not configured correctly. Please refer to
result in security degradation if not configured correctly. Please refer to
[this section](#extending-the-policy) for more details on extending the default
policy.

Expand Down Expand Up @@ -325,7 +325,7 @@ this example, we will fully lock down the ability to delete entries.

This can be easily done by leveraging the set of default rules. In the default
policy data file, there are general allow restrictions for APIs. For example,
for the batch deletion of entries, here is the exerpt:
for the batch deletion of entries, here is the excerpt:

```rego
{
2 changes: 1 addition & 1 deletion doc/migrating_registration_api_clients.md
Expand Up @@ -37,7 +37,7 @@ the old registration API.

## List Operations

Unlike the Registration API (with the exception of `ListAllEntriesWithPages`),
Unlike the Registration API (except `ListAllEntriesWithPages`),
the new APIs `List*` operations all support paging. If clients provide a page
size, the server _will_ page the response, using the page size as an upper bound.
However, even if clients do not provide a page size, the server is free to
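Review bot: the context line directly after the change, "the new APIs `List*` operations all support paging", needs the possessive "APIs'" (the `List*` operations belong to the APIs); since the sentence is already being edited for wording, fix it in the same change.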
4 changes: 2 additions & 2 deletions doc/plugin_agent_nodeattestor_azure_msi.md
Expand Up @@ -15,8 +15,8 @@ spiffe://<trust_domain>/spire/agent/azure_msi/<tenant_id>/<principal_id>
The agent needs to be running in Azure, in a VM with MSI enabled, in order to
use this method of node attestation.

| Configuration | Description | Default |
|---------------|-----------------------------------------------------------------------------------------------------------------------------------|-------------------------------|
| Configuration | Description | Default |
|---------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------|
| `resource_id` | The resource ID (or audience) to request for the MSI token. The server will reject tokens with resource IDs it does not recognize | <https://management.azure.com/> |

It is important to note that the resource ID MUST be for a well known Azure
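Review bot: the table header realignment is fine, but the context line below it, "the resource ID MUST be for a well known Azure", uses "well known" as a compound modifier and should be "well-known", matching the hyphenation fixes applied elsewhere in this commit.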
2 changes: 1 addition & 1 deletion doc/plugin_agent_nodeattestor_http_challenge.md
Expand Up @@ -19,7 +19,7 @@ spiffe://<trust_domain>/spire/agent/http_challenge/<hostname>
| `port` | The port to listen on. If unspecified, a random value will be used. | random |
| `advertised_port` | The port to tell the server to call back on. | $port |

If `advertised_port` != `port`, you will need to setup an http proxy between the two ports. This is useful if you already run a webserver on port 80.
If `advertised_port` != `port`, you will need to set up an http proxy between the two ports. This is useful if you already run a webserver on port 80.

A sample configuration:

4 changes: 2 additions & 2 deletions doc/plugin_agent_workloadattestor_k8s.md
Expand Up @@ -27,7 +27,7 @@ server name validation against the kubelet certificate.
<!-- different notes -->

> **Note** The kubelet uses the TokenReview API to validate bearer tokens.
> This requires reachability to the Kubernetes API server. Therefore API server downtime can
> This requires reachability to the Kubernetes API server. Therefore, API server downtime can
> interrupt workload attestation. The `--authentication-token-webhook-cache-ttl` kubelet flag
> controls how long the kubelet caches TokenReview responses and may help to
> mitigate this issue. A large cache ttl value is not recommended however, as
Expand All @@ -47,7 +47,7 @@ server name validation against the kubelet certificate.
since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/) container is required on the agent container.

| Configuration | Description |
|-------------------------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `disable_container_selectors` | If true, container selectors are not produced. This can be used to produce pod selectors when the workload pod is known but the workload container is not ready at the time of attestation. |
| `kubelet_read_only_port` | The kubelet read-only port. This is mutually exclusive with `kubelet_secure_port`. |
| `kubelet_secure_port` | The kubelet secure port. It defaults to `10250` unless `kubelet_read_only_port` is set. |
0 comments on commit 84a35f3

Please sign in to comment.