From 20d424283213900e5ba570ca054dfd793dd6d09e Mon Sep 17 00:00:00 2001 From: Keegan Witt Date: Mon, 4 Nov 2024 18:18:44 -0500 Subject: [PATCH 1/9] Spelling and grammar fixes (#5571) 
Signed-off-by: Keegan Witt --- .github/workflows/release_build.yaml | 2 +- CHANGELOG.md | 10 +- CONTRIBUTING.md | 4 +- MAINTAINERS.md | 6 +- RELEASING.md | 2 +- cmd/spire-agent/cli/run/run_posix_test.go | 2 +- cmd/spire-agent/cli/run/run_windows_test.go | 2 +- cmd/spire-server/cli/agent/count.go | 2 +- cmd/spire-server/cli/agent/list.go | 2 +- cmd/spire-server/cli/agent/show.go | 2 +- cmd/spire-server/cli/entry/count.go | 2 +- cmd/spire-server/cli/entry/create.go | 6 +- cmd/spire-server/cli/entry/show.go | 2 +- cmd/spire-server/cli/entry/update.go | 4 +- cmd/spire-server/cli/run/run_posix_test.go | 2 +- cmd/spire-server/cli/run/run_test.go | 2 +- cmd/spire-server/cli/run/run_windows_test.go | 2 +- conf/server/server_full.conf | 8 +- doc/SPIRE101.md | 2 +- doc/authorization_policy_engine.md | 4 +- doc/migrating_registration_api_clients.md | 2 +- doc/plugin_agent_nodeattestor_azure_msi.md | 4 +- ...lugin_agent_nodeattestor_http_challenge.md | 2 +- doc/plugin_agent_workloadattestor_k8s.md | 4 +- ...publisher_aws_rolesanywhere_trustanchor.md | 12 +- ...server_bundlepublisher_gcp_cloudstorage.md | 12 +- doc/plugin_server_datastore_sql.md | 4 +- doc/plugin_server_keymanager_aws_kms.md | 2 +- doc/plugin_server_keymanager_gcp_kms.md | 2 +- doc/plugin_server_nodeattestor_aws_iid.md | 6 +- doc/plugin_server_nodeattestor_azure_msi.md | 4 +- doc/plugin_server_nodeattestor_k8s_psat.md | 2 +- doc/plugin_server_nodeattestor_k8s_sat.md | 2 +- doc/plugin_server_notifier_k8sbundle.md | 16 +-- ...ugin_server_upstreamauthority_awssecret.md | 20 +-- ...n_server_upstreamauthority_cert_manager.md | 2 +- doc/plugin_server_upstreamauthority_disk.md | 2 +- doc/plugin_server_upstreamauthority_ejbca.md | 2 +- doc/plugin_server_upstreamauthority_vault.md | 2 +- doc/scaling_spire.md | 2 +- doc/spire_agent.md | 6 +- doc/spire_server.md | 84 ++++++------ doc/telemetry/telemetry.md | 126 +++++++++--------- doc/telemetry/telemetry_config.md | 4 +- pkg/agent/api/debug/v1/service.go | 2 +- 
pkg/agent/attestor/node/node.go | 2 +- pkg/agent/catalog/catalog_test.go | 2 +- pkg/agent/manager/cache/bundle_cache.go | 4 +- pkg/agent/manager/cache/lru_cache.go | 8 +- pkg/agent/manager/cache/lru_cache_test.go | 6 +- pkg/agent/manager/manager.go | 2 +- pkg/agent/manager/manager_test.go | 2 +- pkg/agent/manager/storecache/cache.go | 2 +- pkg/agent/manager/storecache/cache_test.go | 6 +- .../httpchallenge/httpchallenge.go | 2 +- .../nodeattestor/jointoken/join_token.go | 2 +- .../nodeattestor/tpmdevid/tpmutil/session.go | 8 +- .../tpmdevid/tpmutil/session_test.go | 2 +- .../tpmdevid/tpmutil/signingkey.go | 2 +- .../svidstore/awssecretsmanager/aws_test.go | 22 +-- .../svidstore/gcpsecretmanager/gcloud_test.go | 2 +- .../docker/cgroup/dockerfinder.go | 2 +- pkg/agent/plugin/workloadattestor/k8s/k8s.go | 4 +- .../plugin/workloadattestor/k8s/k8s_posix.go | 2 +- pkg/agent/svid/rotator.go | 4 +- pkg/agent/svid/store/service_test.go | 2 +- pkg/common/api/middleware/middleware.go | 2 +- pkg/common/bundleutil/bundle.go | 2 +- pkg/common/catalog/catalog.go | 4 +- pkg/common/cli/env.go | 2 +- pkg/common/cliprinter/flag_test.go | 2 +- pkg/common/container/process/helper.go | 2 +- pkg/common/containerinfo/extract.go | 4 +- pkg/common/coretypes/bundle/bundle_test.go | 8 +- pkg/common/errorutil/wrapper.go | 2 +- pkg/common/fflag/fflag.go | 2 +- pkg/common/health/cache.go | 2 +- pkg/common/health/health.go | 4 +- pkg/common/health/health_test.go | 8 +- pkg/common/idutil/require.go | 4 +- .../peertracker/peertracker_test_windows.go | 2 +- pkg/common/pemutil/block.go | 4 +- pkg/common/protoutil/masks.go | 2 +- pkg/common/selector/selector_test.go | 2 +- pkg/common/telemetry/names.go | 10 +- pkg/common/util/addr.go | 2 +- pkg/common/util/certs.go | 4 +- pkg/common/util/task.go | 4 +- pkg/common/x509svid/uniqueid.go | 2 +- pkg/common/x509util/cert.go | 10 +- pkg/server/api/audit/audit.go | 2 +- pkg/server/api/debug/v1/service.go | 2 +- pkg/server/api/entry/v1/service.go | 2 +- 
pkg/server/api/entry/v1/service_test.go | 2 +- pkg/server/api/entry_test.go | 16 +-- pkg/server/api/id_test.go | 4 +- .../api/localauthority/v1/service_test.go | 4 +- pkg/server/api/logger/v1/service_test.go | 8 +- pkg/server/api/middleware/ratelimit.go | 6 +- pkg/server/api/middleware/ratelimit_test.go | 2 +- pkg/server/api/svid/v1/service.go | 2 +- pkg/server/authorizedentries/agent.go | 2 +- pkg/server/authorizedentries/cache.go | 2 +- pkg/server/authpolicy/policy_test.go | 2 +- pkg/server/ca/ca_health.go | 2 +- pkg/server/ca/manager/manager_test.go | 2 +- pkg/server/ca/manager/slot.go | 4 +- pkg/server/ca/manager/slot_test.go | 4 +- pkg/server/cache/dscache/cache_test.go | 2 +- pkg/server/credtemplate/builder.go | 2 +- pkg/server/credtemplate/builder_test.go | 4 +- .../datastore/sqldriver/awsrds/awsrds_test.go | 2 +- pkg/server/datastore/sqlstore/migration.go | 2 +- pkg/server/datastore/sqlstore/models.go | 2 +- pkg/server/datastore/sqlstore/sqlstore.go | 4 +- ...orized_entryfetcher_attested_nodes_test.go | 8 +- ..._entryfetcher_registration_entries_test.go | 6 +- pkg/server/endpoints/bundle/acme_auth.go | 4 +- .../bundle/internal/autocert/autocert.go | 22 +-- .../bundle/internal/autocert/cache.go | 4 +- .../bundle/internal/autocert/renewal.go | 5 +- pkg/server/endpoints/endpoints.go | 4 +- .../credentialcomposer/uniqueid/plugin.go | 2 +- pkg/server/plugin/keymanager/awskms/awskms.go | 6 +- .../plugin/keymanager/awskms/fetcher.go | 2 +- pkg/server/plugin/keymanager/gcpkms/gcpkms.go | 4 +- .../plugin/keymanager/gcpkms/gcpkms_test.go | 2 +- .../plugin/nodeattestor/awsiid/client.go | 2 +- pkg/server/plugin/nodeattestor/awsiid/iid.go | 4 +- .../plugin/nodeattestor/awsiid/iid_test.go | 2 +- .../nodeattestor/awsiid/organization.go | 18 +-- .../plugin/nodeattestor/azuremsi/client.go | 2 +- .../httpchallenge/httpchallenge.go | 2 +- .../plugin/nodeattestor/tpmdevid/devid.go | 10 +- .../plugin/notifier/k8sbundle/k8sbundle.go | 4 +- 
.../upstreamauthority/awspca/pca_test.go | 4 +- .../plugin/upstreamauthority/disk/disk.go | 2 +- .../plugin/upstreamauthority/gcpcas/gcpcas.go | 6 +- .../upstreamauthority/gcpcas/gcpcas_test.go | 10 +- pkg/server/plugin/upstreamauthority/v1.go | 4 +- pkg/server/svid/rotator.go | 6 +- proto/spire/common/common.pb.go | 4 +- proto/spire/common/common.proto | 4 +- support/oidc-discovery-provider/README.md | 8 +- support/oidc-discovery-provider/handler.go | 2 +- .../fakeagentnodeattestor/nodeattestor.go | 4 +- .../upstreamauthority.go | 4 +- test/grpctest/server.go | 2 +- .../setup/downstreamclient/client.go | 2 +- .../suites-windows/windows-service/README.md | 2 +- test/integration/suites/evict-agent/README.md | 2 +- .../conf/ejbca/scripts/ejbca-init.sh | 2 +- test/spiretest/x509.go | 4 +- test/testca/ca.go | 4 +- test/tpmsimulator/simulator.go | 2 +- 155 files changed, 425 insertions(+), 424 deletions(-) diff --git a/.github/workflows/release_build.yaml b/.github/workflows/release_build.yaml index 8a4e0cae46..a998c89754 100644 --- a/.github/workflows/release_build.yaml +++ b/.github/workflows/release_build.yaml @@ -568,7 +568,7 @@ jobs: - name: Create Release env: # GH_REPO is required for older releases of `gh`. Until we're - # reasonably confident that that the gh release is new enough, + # reasonably confident that the gh release is new enough, # set GH_REPO to the repository to create the release in. # # See https://github.com/cli/cli/issues/3556 diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b3af9b68c..9e7707fb05 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -86,7 +86,7 @@ ### Changed -- SPIRE Server and OIDC provider images to use non root users (#4967, #5227) +- SPIRE Server and OIDC provider images to use non-root users (#4967, #5227) - `k8s_psat` NodeAttestor attestor to no longer fail when a cluster is not configured (#5216) - Agents are required to renew SVIDs through re-attestation when using a supporting Node Attestor (#5204) - Small documentation improvements (#5181, #5189) @@ -94,7 +94,7 @@ ### Fixed -- PSAT node attestor to cross check the audience fields (#5142) +- PSAT node attestor to cross-check the audience fields (#5142) - Events-based cache to handle out of order events (#5071) ### Deprecated @@ -1075,7 +1075,7 @@ - Regression preventing agent selectors from showing in `spire-server agent show` command (#2133) - Issue in the token authentication method of the Vault Upstream Authority plugin (#2110) - Reporting of errors in server entry cache telemetry (#2091) -- Agent logs an error and automatically shuts down when its SVID has expired and it requires re-attestation (#2065) +- Agent logs an error and automatically shuts down when its SVID has expired, and it requires re-attestation (#2065) ## [0.12.1] - 2021-03-04 @@ -1161,7 +1161,7 @@ - Fixed Kubernetes Workload Registrar issues (#1814, #1818, #1823) - Fixed BatchCreateEntry return value to match docs, returning the contents of an entry if it already exists (#1824) -- Fixed issue preventing brand new deployments from downgrading successfully (#1829) +- Fixed issue preventing brand-new deployments from downgrading successfully (#1829) - Fixed a regression introduced in 0.11.0 that caused external node attestor plugins that rely on binary data to fail (#1863) ## [0.11.0] - 2020-08-28 
@@ -1265,7 +1265,7 @@ ## [0.9.0] - 2019-11-14 -- Users can now opt-out of workload executable hashing when enabling the workload path as a selector (#1078) +- Users can now opt out of workload executable hashing when enabling the workload path as a selector (#1078) - Added M3 support to telemetry and other telemetry and logging improvements (#1059, #1085, #1086, #1094, #1102, #1122,#1138,#1160,#1186,#1208) - SQL auto-migration can be disabled (#1089) - SQL schema compatibility checks are aligned with upgrade compatibility guarantees (#1089) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 53e25f337a..6899a4e680 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -45,7 +45,7 @@ toolchain and other build related files are cached under the `.build` folder ### Development in Docker -You can either build SPIRE on your host or in a Ubuntu docker container. In +You can either build SPIRE on your host or in an Ubuntu docker container. In both cases you will use the same Makefile commands. To build SPIRE within a container, first build the development image: @@ -105,7 +105,7 @@ Packages should be exported through interfaces. Interaction with packages must b interfaces Interfaces should be defined in their own file, named (in lowercase) after the name of the -interface. eg. `foodata.go` implements `type FooData any` +interface. e.g. `foodata.go` implements `type FooData any` ### Metrics diff --git a/MAINTAINERS.md b/MAINTAINERS.md index 93bad4ca94..9ff5c3e9aa 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md 
@@ -31,9 +31,9 @@ This section of the document can and should be updated as the above consideratio ### Changes in Maintainership -SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote with the exception of the unseated. +SPIRE maintainers are appointed according to the [process described in the governance document][2]. Maintainers may voluntarily step down at any time. Unseating a maintainer against their will requires a unanimous vote except the unseated. -Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine month period. +Unseating a maintainer is an extraordinary circumstance. A process to do so is necessary, but its use is not intended. Careful consideration should be made when voting in a new maintainer, particularly in validating that they pledge to uphold the terms of this document. To ensure that these decisions are not taken lightly, and to maintain long term project stability and foresight, no more than one maintainer can be involuntarily unseated in any given nine-month period. The CNCF MUST be notified of any changes in maintainership via the CNCF Service Desk. 
@@ -103,7 +103,7 @@ This is a very important aspect of SPIRE maintainership. Adoption and contributi ## Product Management and Roadmap Curation -In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field testing to better inform maintainers, and communicating project development information to the community. +In addition to the maintainer seats, the SPIRE project designates one product manager seat. While maintainers strive to ensure that project development and direction is a function of community needs, and interact with end users and contributors on a daily basis, the product manager works to clarify user needs by gathering additional information and context. This includes, but is not limited to, conducting user research and field-testing to better inform maintainers, and communicating project development information to the community. Maintainers are expected to have heavy participation in the community, but it may be impractical to dedicate themselves to gathering and analyzing community feedback and end-user pain points. Based on data collection, the role of the product manager is intended to aid maintainers to validate the desirability, feasibility, and viability of efforts to help drive project direction and priorities in long term planning. diff --git a/RELEASING.md b/RELEASING.md index e404891f95..2a4f349fac 100644 --- a/RELEASING.md +++ b/RELEASING.md 
@@ -14,7 +14,7 @@ The base commit of the release branch is based on the type of release being gene When a bug is discovered in the latest release that also affects releases of the prior minor version, it is necessary to backport the fix. -Once the version branch is created, the patch is either cherry picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc. +Once the version branch is created, the patch is either cherry-picked or backported into a PR against the version branch. The version branch is maintained via the same process as the main branch, including PR approval process etc. Ensure that the CHANGELOG is updated in both `main` and the version branch to reflect the new release. diff --git a/cmd/spire-agent/cli/run/run_posix_test.go b/cmd/spire-agent/cli/run/run_posix_test.go index aba0169cb8..8767f9a681 100644 --- a/cmd/spire-agent/cli/run/run_posix_test.go +++ b/cmd/spire-agent/cli/run/run_posix_test.go @@ -238,7 +238,7 @@ func mergeInputCasesOS() []mergeInputCase { }, }, { - msg: "socket_path should be configuable by CLI flag", + msg: "socket_path should be configurable by CLI flag", fileInput: func(c *Config) {}, cliInput: func(c *agentConfig) { c.SocketPath = "foo" diff --git a/cmd/spire-agent/cli/run/run_windows_test.go b/cmd/spire-agent/cli/run/run_windows_test.go index 1843ef880b..99d416451f 100644 --- a/cmd/spire-agent/cli/run/run_windows_test.go +++ b/cmd/spire-agent/cli/run/run_windows_test.go @@ -224,7 +224,7 @@ func mergeInputCasesOS() []mergeInputCase { }, }, { - msg: "named_pipe_name should be configuable by CLI flag", + msg: "named_pipe_name should be configurable by CLI flag", fileInput: func(c *Config) {}, cliInput: func(c *agentConfig) { c.Experimental.NamedPipeName = "foo" diff --git a/cmd/spire-server/cli/agent/count.go b/cmd/spire-server/cli/agent/count.go index ef59d0de7b..339b1a9351 100644 
--- a/cmd/spire-server/cli/agent/count.go +++ b/cmd/spire-server/cli/agent/count.go @@ -27,7 +27,7 @@ type countCommand struct { // Filters agents to those that are banned. banned commoncli.BoolFlag - // Filters agents by those expires before. + // Filters agents by those that expire before this value. expiresBefore string // Filters agents to those matching the attestation type. diff --git a/cmd/spire-server/cli/agent/list.go b/cmd/spire-server/cli/agent/list.go index 8062294c43..d9b1078847 100644 --- a/cmd/spire-server/cli/agent/list.go +++ b/cmd/spire-server/cli/agent/list.go @@ -28,7 +28,7 @@ type listCommand struct { // Filters agents to those that are banned. banned commoncli.BoolFlag - // Filters agents by those expires before. + // Filters agents by those that expire before this value. expiresBefore string // Filters agents to those matching the attestation type. diff --git a/cmd/spire-server/cli/agent/show.go b/cmd/spire-server/cli/agent/show.go index 70a44f4cd8..f101260df8 100644 --- a/cmd/spire-server/cli/agent/show.go +++ b/cmd/spire-server/cli/agent/show.go @@ -17,7 +17,7 @@ import ( type showCommand struct { env *commoncli.Env - // SPIFFE ID of the agent being showed + // SPIFFE ID of the agent being shown spiffeID string printer cliprinter.Printer } diff --git a/cmd/spire-server/cli/entry/count.go b/cmd/spire-server/cli/entry/count.go index ce3f8153f6..01444b0880 100644 --- a/cmd/spire-server/cli/entry/count.go +++ b/cmd/spire-server/cli/entry/count.go @@ -31,7 +31,7 @@ type countCommand struct { // List of SPIFFE IDs of trust domains the registration entry is federated with federatesWith StringsFlag - // Whether or not the entry is for a downstream SPIRE server + // Whether the entry is for a downstream SPIRE server downstream bool // Match used when filtering by federates with diff --git a/cmd/spire-server/cli/entry/create.go b/cmd/spire-server/cli/entry/create.go index 7de2c66aa1..2ef733b075 100644 --- a/cmd/spire-server/cli/entry/create.go 
+++ b/cmd/spire-server/cli/entry/create.go @@ -54,13 +54,13 @@ type createCommand struct { // List of SPIFFE IDs of trust domains the registration entry is federated with federatesWith StringsFlag - // Whether or not the registration entry is for an "admin" workload + // whether the registration entry is for an "admin" workload admin bool - // Whether or not the entry is for a downstream SPIRE server + // whether the entry is for a downstream SPIRE server downstream bool - // Whether or not the entry represents a node or group of nodes + // whether the entry represents a node or group of nodes node bool // Expiry of entry diff --git a/cmd/spire-server/cli/entry/show.go b/cmd/spire-server/cli/entry/show.go index 94f5503854..22218f3e82 100644 --- a/cmd/spire-server/cli/entry/show.go +++ b/cmd/spire-server/cli/entry/show.go @@ -47,7 +47,7 @@ type showCommand struct { // List of SPIFFE IDs of trust domains the registration entry is federated with federatesWith StringsFlag - // Whether or not the entry is for a downstream SPIRE server + // whether the entry is for a downstream SPIRE server downstream bool // Match used when filtering by federates with diff --git a/cmd/spire-server/cli/entry/update.go b/cmd/spire-server/cli/entry/update.go index 4b1503819c..a6121c6f99 100644 --- a/cmd/spire-server/cli/entry/update.go +++ b/cmd/spire-server/cli/entry/update.go @@ -41,7 +41,7 @@ type updateCommand struct { // Workload spiffeID spiffeID string - // Whether or not the entry is for a downstream SPIRE server + // whether the entry is for a downstream SPIRE server downstream bool // TTL for x509 SVIDs issued to this workload @@ -53,7 +53,7 @@ type updateCommand struct { // List of SPIFFE IDs of trust domains the registration entry is federated with federatesWith StringsFlag - // Whether or not the registration entry is for an "admin" workload + // whether the registration entry is for an "admin" workload admin bool // Expiry of entry 
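Review bot: The rewritten field comments in createCommand now start with a lowercase letter (`// whether the registration entry is for an "admin" workload`, `// whether the entry is for a downstream SPIRE server`, `// whether the entry represents a node or group of nodes`), which breaks the capitalization used by the neighbouring comments in the same struct (`// List of SPIFFE IDs ...`, `// Expiry of entry`) and differs from the equivalent fix in cmd/spire-server/cli/entry/count.go, which keeps `// Whether the entry is for a downstream SPIRE server`. Capitalizing these three lines would keep the change consistent across the CLI commands. The same lowercase form appears in the show.go and update.go hunks on this page and in the two `# # whether to use MSI to authenticate to` lines of conf/server/server_full.conf. The createCommand struct definition continues outside the hunk.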
diff --git a/cmd/spire-server/cli/run/run_posix_test.go b/cmd/spire-server/cli/run/run_posix_test.go index 23f5a6362b..6b5b48b6a3 100644 --- a/cmd/spire-server/cli/run/run_posix_test.go +++ b/cmd/spire-server/cli/run/run_posix_test.go @@ -236,7 +236,7 @@ func mergeInputCasesOS(*testing.T) []mergeInputCase { }, }, { - msg: "socket_path should be configuable by CLI flag", + msg: "socket_path should be configurable by CLI flag", fileInput: func(c *Config) {}, cliFlags: []string{"-socketPath=foo"}, test: func(t *testing.T, c *Config) { diff --git a/cmd/spire-server/cli/run/run_test.go b/cmd/spire-server/cli/run/run_test.go index 754a43fdc9..cb089b1a10 100644 --- a/cmd/spire-server/cli/run/run_test.go +++ b/cmd/spire-server/cli/run/run_test.go @@ -1693,7 +1693,7 @@ func TestHasCompatibleTTLs(t *testing.T) { msg: "default_jwt_svid_ttl is small enough for the configured CA TTL but larger than the max", caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months x509SvidTTL: 0, - jwtSvidTTL: time.Hour * 24 * 7 * 2, // Two weeks,, + jwtSvidTTL: time.Hour * 24 * 7 * 2, // Two weeks hasCompatibleSvidTTL: true, hasCompatibleX509SvidTTL: true, hasCompatibleJwtSvidTTL: false, diff --git a/cmd/spire-server/cli/run/run_windows_test.go b/cmd/spire-server/cli/run/run_windows_test.go index 6931e4d48b..697c8d4831 100644 --- a/cmd/spire-server/cli/run/run_windows_test.go +++ b/cmd/spire-server/cli/run/run_windows_test.go @@ -160,7 +160,7 @@ func mergeInputCasesOS(*testing.T) []mergeInputCase { }, }, { - msg: "named_pipe_name be configuable by CLI flag", + msg: "named_pipe_name be configurable by CLI flag", fileInput: func(c *Config) {}, cliFlags: []string{"-namedPipeName=foo"}, test: func(t *testing.T, c *Config) { diff --git a/conf/server/server_full.conf b/conf/server/server_full.conf index c31f80e423..796745d348 100644 --- a/conf/server/server_full.conf +++ b/conf/server/server_full.conf 
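Review bot: The new test-case description `msg: "named_pipe_name be configurable by CLI flag"` in run_windows_test.go fixes the spelling but still lacks the verb, so it does not read as a sentence; the agent-side counterpart in cmd/spire-agent/cli/run/run_windows_test.go reads `named_pipe_name should be configurable by CLI flag`. Changing the line to `msg: "named_pipe_name should be configurable by CLI flag",` would align the two descriptions and match the socket_path cases fixed in the same commit. The msg field is only a label for test output, so the change has no effect on what the case asserts. The mergeInputCasesOS function and this test case continue outside the hunk.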
@@ -146,11 +146,11 @@ server { # ratelimit: Holds rate limiting configurations. # ratelimit = { - # # Controls whether or not node attestation is rate limited to one + # # Controls whether node attestation is rate limited to one # # attempt per-second per-IP. Default: true. # attestation = true - # # Controls whether or not X509 and JWT signing are rate limited to 500 + # # Controls whether X509 and JWT signing are rate limited to 500 # # requests per-second per-IP (separately). Default: true. # signing = true # } @@ -340,7 +340,7 @@ plugins { # # key_vault_uri = "https://spire-server.vault.azure.net/" # # # use_msi: Deprecated and will be removed in a future release; will be used implicitly if other mechanisms to authenticate fail. - # # Whether or not to use MSI to authenticate to + # # whether to use MSI to authenticate to # # Azure Key Vault. Mutually exclusive with # # tenant_id, subscription_id, app_id, and app_secret. # # use_msi = false @@ -430,7 +430,7 @@ plugins { # # resource_id = "https://management.azure.com/" # # use_msi: Deprecated and will be removed in a future release; will be used implicitly if other mechanisms to authenticate fail. - # # Whether or not to use MSI to authenticate to + # # whether to use MSI to authenticate to # # Azure services. Mutually exclusive with # # subscription_id, app_id, and app_secret. # # use_msi = false diff --git a/doc/SPIRE101.md b/doc/SPIRE101.md index 2f0bdcc8d0..cec3c9ead0 100644 --- a/doc/SPIRE101.md +++ b/doc/SPIRE101.md 
@@ -2,7 +2,7 @@ ## Overview -This walkthrough will guide you through the steps needed to setup a running example of a SPIRE Server and SPIRE Agent. Interaction with the [Workload API](https://github.com/spiffe/go-spiffe/blob/main/v2/proto/spiffe/workload/workload.proto) will be simulated via a command line tool. +This walkthrough will guide you through the steps needed to set up a running example of a SPIRE Server and SPIRE Agent. Interaction with the [Workload API](https://github.com/spiffe/go-spiffe/blob/main/v2/proto/spiffe/workload/workload.proto) will be simulated via a command line tool. ![SPIRE101](images/SPIRE101.png) diff --git a/doc/authorization_policy_engine.md b/doc/authorization_policy_engine.md index 6cf1a9d0b1..906aa464ec 100644 --- a/doc/authorization_policy_engine.md +++ b/doc/authorization_policy_engine.md @@ -1,7 +1,7 @@ # Authorization policy engine **Warning**: Use of custom authorization policies is experimental and can -result in security degredation if not configured correctly. Please refer to +result in security degradation if not configured correctly. Please refer to [this section](#extending-the-policy) for more details on extending the default policy. @@ -325,7 +325,7 @@ this example, we will fully lock down the ability to delete entries. This can be easily done by leveraging the set of default rules. In the default policy data file, there are general allow restrictions for APIs. For example, -for the batch deletion of entries, here is the exerpt: +for the batch deletion of entries, here is the excerpt: ```rego { diff --git a/doc/migrating_registration_api_clients.md b/doc/migrating_registration_api_clients.md index befb2ac3bb..c6147f453c 100644 --- a/doc/migrating_registration_api_clients.md +++ b/doc/migrating_registration_api_clients.md 
@@ -37,7 +37,7 @@ the old registration API. ## List Operations -Unlike the Registration API (with the exception of `ListAllEntriesWithPages`), +Unlike the Registration API (except `ListAllEntriesWithPages`), the new APIs `List*` operations all support paging. If clients provide a page size, the server _will_ page the response, using the page size as an upper bound. However, even if clients do not provide a page size, the server is free to diff --git a/doc/plugin_agent_nodeattestor_azure_msi.md b/doc/plugin_agent_nodeattestor_azure_msi.md index c5935bd04a..67c42f6d7d 100644 --- a/doc/plugin_agent_nodeattestor_azure_msi.md +++ b/doc/plugin_agent_nodeattestor_azure_msi.md @@ -15,8 +15,8 @@ spiffe:///spire/agent/azure_msi// The agent needs to be running in Azure, in a VM with MSI enabled, in order to use this method of node attestation. -| Configuration | Description | Default | -|---------------|-----------------------------------------------------------------------------------------------------------------------------------|-------------------------------| +| Configuration | Description | Default | +|---------------|-----------------------------------------------------------------------------------------------------------------------------------|---------------------------------| | `resource_id` | The resource ID (or audience) to request for the MSI token. The server will reject tokens with resource IDs it does not recognize | | It is important to note that the resource ID MUST be for a well known Azure diff --git a/doc/plugin_agent_nodeattestor_http_challenge.md b/doc/plugin_agent_nodeattestor_http_challenge.md index 5fd14c1e3d..1f703b0481 100644 --- a/doc/plugin_agent_nodeattestor_http_challenge.md +++ b/doc/plugin_agent_nodeattestor_http_challenge.md 
@@ -19,7 +19,7 @@ spiffe:///spire/agent/http_challenge/ | `port` | The port to listen on. If unspecified, a random value will be used. | random | | `advertised_port` | The port to tell the server to call back on. | $port | -If `advertised_port` != `port`, you will need to setup an http proxy between the two ports. This is useful if you already run a webserver on port 80. +If `advertised_port` != `port`, you will need to set up an http proxy between the two ports. This is useful if you already run a webserver on port 80. A sample configuration: diff --git a/doc/plugin_agent_workloadattestor_k8s.md b/doc/plugin_agent_workloadattestor_k8s.md index 8be4b72539..04d65f8ff9 100644 --- a/doc/plugin_agent_workloadattestor_k8s.md +++ b/doc/plugin_agent_workloadattestor_k8s.md @@ -27,7 +27,7 @@ server name validation against the kubelet certificate. > **Note** The kubelet uses the TokenReview API to validate bearer tokens. -> This requires reachability to the Kubernetes API server. Therefore API server downtime can +> This requires reachability to the Kubernetes API server. Therefore, API server downtime can > interrupt workload attestation. The `--authentication-token-webhook-cache-ttl` kubelet flag > controls how long the kubelet caches TokenReview responses and may help to > mitigate this issue. A large cache ttl value is not recommended however, as 
@@ -47,7 +47,7 @@ server name validation against the kubelet certificate. since [hostprocess](https://kubernetes.io/docs/tasks/configure-pod-container/create-hostprocess-pod/) container is required on the agent container. | Configuration | Description | -|-------------------------------- |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +|----------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `disable_container_selectors` | If true, container selectors are not produced. This can be used to produce pod selectors when the workload pod is known but the workload container is not ready at the time of attestation. | | `kubelet_read_only_port` | The kubelet read-only port. This is mutually exclusive with `kubelet_secure_port`. | | `kubelet_secure_port` | The kubelet secure port. It defaults to `10250` unless `kubelet_read_only_port` is set. | diff --git a/doc/plugin_server_bundlepublisher_aws_rolesanywhere_trustanchor.md b/doc/plugin_server_bundlepublisher_aws_rolesanywhere_trustanchor.md index 4b751f7b34..7152aa916c 100644 --- a/doc/plugin_server_bundlepublisher_aws_rolesanywhere_trustanchor.md +++ b/doc/plugin_server_bundlepublisher_aws_rolesanywhere_trustanchor.md 
@@ -8,12 +8,12 @@ in a trust anchor, keeping it updated. The plugin accepts the following configuration options: -| Configuration | Description | Required | Default | -|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------| -| access_key_id | AWS access key id. | Required only if AWS credentials aren't otherwise set in the environment. | Value of AWS_ACCESS_KEY_ID environment variable. | -| secret_access_key | AWS secret access key. | Required only if AWS credentials aren't otherwise set in the environment. | Value of AWS_SECRET_ACCESS_KEY environment variable. | -| region | AWS region to store the trust bundle. | Yes. | | -| trust_anchor_id | The AWS IAM Roles Anywhere trust anchor id of the trust anchor to which to put the trust bundle. | Yes. | | +| Configuration | Description | Required | Default | +|-------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|------------------------------------------------------| +| access_key_id | AWS access key id. | Required only if AWS credentials aren't otherwise set in the environment. | Value of AWS_ACCESS_KEY_ID environment variable. | +| secret_access_key | AWS secret access key. | Required only if AWS credentials aren't otherwise set in the environment. | Value of AWS_SECRET_ACCESS_KEY environment variable. | +| region | AWS region to store the trust bundle. | Yes. | | +| trust_anchor_id | The AWS IAM Roles Anywhere trust anchor id of the trust anchor to which to put the trust bundle. | Yes. | | ## AWS IAM Permissions 
diff --git a/doc/plugin_server_bundlepublisher_gcp_cloudstorage.md b/doc/plugin_server_bundlepublisher_gcp_cloudstorage.md
index dfe7d530f1..faf5b5506f 100644
--- a/doc/plugin_server_bundlepublisher_gcp_cloudstorage.md
+++ b/doc/plugin_server_bundlepublisher_gcp_cloudstorage.md
@@ -5,12 +5,12 @@ Google Cloud Storage bucket, keeping it updated. The plugin accepts the following configuration options: -| Configuration | Description | Required | Default | -|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------|----------------------------------------------------------------| -| service_account_file | Path to the service account file used to authenticate with the Cloud Storage API. | No. | Value of `GOOGLE_APPLICATION_CREDENTIALS` environment variable.| -| bucket_name | The Google Cloud Storage bucket name to which the trust bundle is uploaded. | Yes. | | -| object_name | The object name inside the bucket. | Yes. | | -| format | Format in which the trust bundle is stored, <spiffe | jwks | pem>. See [Supported bundle formats](#supported-bundle-formats) for more details. | Yes. | | +| Configuration | Description | Required | Default | +|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-----------------------------------------------------------------| +| service_account_file | Path to the service account file used to authenticate with the Cloud Storage API. | No. | Value of `GOOGLE_APPLICATION_CREDENTIALS` environment variable. | +| bucket_name | The Google Cloud Storage bucket name to which the trust bundle is uploaded. | Yes. | | +| object_name | The object name inside the bucket. | Yes. | | +| format | Format in which the trust bundle is stored, <spiffe | jwks | pem>. See [Supported bundle formats](#supported-bundle-formats) for more details. | Yes. | | ## Supported bundle formats diff --git a/doc/plugin_server_datastore_sql.md b/doc/plugin_server_datastore_sql.md index 657b2b2497..cb343d9cbf 100644 
--- a/doc/plugin_server_datastore_sql.md +++ b/doc/plugin_server_datastore_sql.md @@ -10,7 +10,7 @@ The `sql` plugin implements SQL based data storage for the SPIRE server using SQ | root_ca_path | Path to Root CA bundle (MySQL only) | | client_cert_path | Path to client certificate (MySQL only) | | client_key_path | Path to private key for client certificate (MySQL only) | -| max_open_conns | The maximum number of open db connections (default: 100) | +| max_open_conns | The maximum number of open db connections (default: 100) | | max_idle_conns | The maximum number of idle connections in the pool (default: 2) | | conn_max_lifetime | The maximum amount of time a connection may be reused (default: unlimited) | | disable_migration | True to disable auto-migration functionality. Use of this flag allows finer control over when datastore migrations occur and coordination of the migration of a datastore shared with a SPIRE Server cluster. Only available for databases from SPIRE Code version 0.9.0 or later. | @@ -67,7 +67,7 @@ Consult the [lib/pq driver documentation](https://pkg.go.dev/github.com/lib/pq#h * host - The host to connect to. Values that start with / are for unix domain sockets. (default is localhost) * port - The port to bind to. (default is 5432) -* sslmode - Whether or not to use SSL (default is require, this is not +* sslmode - whether to use SSL (default is require, this is not the default for libpq) * fallback_application_name - An application_name to fall back to if one isn't provided. * connect_timeout - Maximum wait for connection, in seconds. Zero or diff --git a/doc/plugin_server_keymanager_aws_kms.md b/doc/plugin_server_keymanager_aws_kms.md index cf7d1e6bc2..b67f6986dc 100644 --- a/doc/plugin_server_keymanager_aws_kms.md +++ b/doc/plugin_server_keymanager_aws_kms.md 
@@ -59,7 +59,7 @@ The IAM role must have an attached policy with the following permissions: ### Key policy -The plugin can generate keys using a default key policy or it can load and use a user defined policy. +The plugin can generate keys using a default key policy, or it can load and use a user defined policy. #### Default key policy diff --git a/doc/plugin_server_keymanager_gcp_kms.md b/doc/plugin_server_keymanager_gcp_kms.md index beb6a5447f..39e072b196 100644 --- a/doc/plugin_server_keymanager_gcp_kms.md +++ b/doc/plugin_server_keymanager_gcp_kms.md 
@@ -14,7 +14,7 @@ The plugin accepts the following configuration options: |----------------------|--------|---------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------| | key_policy_file | string | no | A file path location to a custom [IAM Policy (v3)](https://cloud.google.com/pubsub/docs/reference/rpc/google.iam.v1#google.iam.v1.Policy) in JSON format to be attached to created CryptoKeys. | "" | | key_identifier_file | string | Required if key_identifier_value is not set | A file path location where key metadata used by the plugin will be persisted. See "[Management of keys](#management-of-keys)" for more information. | "" | -| key_identifier_value | string | Required if key_identifier_file is not set | A static identifier for the SPIRE server instance (used instead of `key_identifier_file`) | "" | +| key_identifier_value | string | Required if key_identifier_file is not set | A static identifier for the SPIRE server instance (used instead of `key_identifier_file`) | "" | | key_ring | string | yes | Resource ID of the key ring where the keys managed by this plugin reside, in the format projects/\*/locations/\*/keyRings/\* | "" | | service_account_file | string | no | Path to the service account file used to authenticate with the Cloud KMS API. | Value of `GOOGLE_APPLICATION_CREDENTIALS` environment variable. | diff --git a/doc/plugin_server_nodeattestor_aws_iid.md b/doc/plugin_server_nodeattestor_aws_iid.md index 68babbcf96..9d9e3f4ecf 100644 --- a/doc/plugin_server_nodeattestor_aws_iid.md +++ b/doc/plugin_server_nodeattestor_aws_iid.md 
@@ -18,8 +18,8 @@ this plugin resolves the agent's AWS IID-based SPIFFE ID into a set of selectors | `skip_block_device` | Skip anti-tampering mechanism which checks to make sure that the underlying root volume has not been detached prior to attestation. | false | | `disable_instance_profile_selectors` | Disables retrieving the attesting instance profile information that is used in the selectors. Useful in cases where the server cannot reach iam.amazonaws.com | false | | `assume_role` | The role to assume | Empty string, Optional parameter. | -| `partition` | The AWS partition SPIRE server is running in <aws|aws-cn|aws-us-gov> | aws | -| `verify_organization` | Verify that nodes belong to a specified AWS Organization [see below](#enabling-aws-node-attestation-organization-validation) | | +| `partition` | The AWS partition SPIRE server is running in <aws|aws-cn|aws-us-gov> | aws | +| `verify_organization` | Verify that nodes belong to a specified AWS Organization [see below](#enabling-aws-node-attestation-organization-validation) | | Sample configuration: @@ -144,7 +144,7 @@ This plugin generates the following selectors related to the instance where the | Security Group ID | `aws_iid:sg:id:sg-01234567` | The id of the security group the instance belongs to | | Security Group Name | `aws_iid:sg:name:blog` | The name of the security group the instance belongs to | -All of the selectors have the type `aws_iid`. +All the selectors have the type `aws_iid`. The `IAM role` selector is included in the generated set of selectors only if the instance has an IAM Instance Profile associated and `disable_instance_profile_selectors = false` diff --git a/doc/plugin_server_nodeattestor_azure_msi.md b/doc/plugin_server_nodeattestor_azure_msi.md index efaa07167a..92914568cc 100644 --- a/doc/plugin_server_nodeattestor_azure_msi.md +++ b/doc/plugin_server_nodeattestor_azure_msi.md 
@@ -96,9 +96,9 @@ The plugin produces the following selectors. | Virtual Machine Name | `vm-name:frontend:blog` | The name of the virtual machine (e.g. `blog`) qualified by the resource group (e.g. `frontend`) | | Network Security Group | `network-security-group:frontend:webservers` | The name of the network security group (e.g. `webservers`) qualified by the resource group (e.g. `frontend`) | | Virtual Network | `virtual-network:frontend:vnet` | The name of the virtual network (e.g. `vnet`) qualified by the resource group (e.g. `frontend`) | -| Virtual Network Subnet | `virtual-network-subnet:frontend:vnet:default` | The name of the virtual network subnet (e.g. `default`) qualified by the virtual network and resource group | +| Virtual Network Subnet | `virtual-network-subnet:frontend:vnet:default` | The name of the virtual network subnet (e.g. `default`) qualified by the virtual network and resource group | -All of the selectors have the type `azure_msi`. +All the selectors have the type `azure_msi`. ## Agent Path Template diff --git a/doc/plugin_server_nodeattestor_k8s_psat.md b/doc/plugin_server_nodeattestor_k8s_psat.md index 418becaa89..29071a9086 100644 --- a/doc/plugin_server_nodeattestor_k8s_psat.md +++ b/doc/plugin_server_nodeattestor_k8s_psat.md @@ -34,7 +34,7 @@ Each cluster in the main configuration requires the following configuration: | `allowed_node_label_keys` | Node label keys considered for selectors | | | `allowed_pod_label_keys` | Pod label keys considered for selectors | | -A sample configuration for SPIRE server running inside of a Kubernetes cluster: +A sample configuration for SPIRE server running inside a Kubernetes cluster: ```hcl NodeAttestor "k8s_psat" { diff --git a/doc/plugin_server_nodeattestor_k8s_sat.md b/doc/plugin_server_nodeattestor_k8s_sat.md index f582645363..2935e6224b 100644 --- a/doc/plugin_server_nodeattestor_k8s_sat.md +++ b/doc/plugin_server_nodeattestor_k8s_sat.md 
@@ -39,7 +39,7 @@ Each cluster in the main configuration requires the following configuration: | `service_account_key_file` | It is only used if `use_token_review_api_validation` is set to `false`. Path on disk to a PEM encoded file containing public keys used in validating tokens for that cluster. RSA and ECDSA keys are supported. For RSA, X509 certificates, PKCS1, and PKIX encoded public keys are accepted. For ECDSA, X509 certificates, and PKIX encoded public keys are accepted. | | | `kube_config_file` | It is only used if `use_token_review_api_validation` is set to `true`. Path to a k8s configuration file for API Server authentication. A Kubernetes configuration file must be specified if SPIRE server runs outside of the k8s cluster. If empty, SPIRE server is assumed to be running inside the cluster and in-cluster configuration is used. | "" | -A sample configuration for SPIRE server running inside or outside of a Kubernetes cluster and validating the service account token with a key file located at `"/run/k8s-certs/sa.pub"`: +A sample configuration for SPIRE server running inside or outside a Kubernetes cluster and validating the service account token with a key file located at `"/run/k8s-certs/sa.pub"`: ```hcl NodeAttestor "k8s_sat" { diff --git a/doc/plugin_server_notifier_k8sbundle.md b/doc/plugin_server_notifier_k8sbundle.md index 70dabd05e7..cb8eed926a 100644 --- a/doc/plugin_server_notifier_k8sbundle.md +++ b/doc/plugin_server_notifier_k8sbundle.md 
@@ -8,15 +8,15 @@ The certificates in the ConfigMap can be used to bootstrap SPIRE agents. The plugin accepts the following configuration options: -| Configuration | Description | Default | -|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| -| namespace | The namespace containing the ConfigMap | `spire` | -| config_map | The name of the ConfigMap | `spire-bundle` | -| config_map_key | The key within the ConfigMap for the bundle | `bundle.crt` | +| Configuration | Description | Default | +|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------| +| namespace | The namespace containing the ConfigMap | `spire` | +| config_map | The name of the ConfigMap | `spire-bundle` | +| config_map_key | The key within the ConfigMap for the bundle | `bundle.crt` | | kube_config_file_path | The path on disk to the kubeconfig containing configuration to enable interaction with the Kubernetes API server. If unset, it is assumed the notifier is in-cluster and in-cluster credentials will be used. Required when configuring a remote cluster. See the `clusters` setting to configure multiple remote clusters. | | -| api_service_label | If set, rotate the CA Bundle in API services with this label set to `true`. | | -| webhook_label | If set, rotate the CA Bundle in validating and mutating webhooks with this label set to `true`. | | -| clusters | A list of remote cluster configurations. If set it can be used to configure multiple. Each cluster allows the same values as the root configuration. 
| | +| api_service_label | If set, rotate the CA Bundle in API services with this label set to `true`. | | +| webhook_label | If set, rotate the CA Bundle in validating and mutating webhooks with this label set to `true`. | | +| clusters | A list of remote cluster configurations. If set it can be used to configure multiple. Each cluster allows the same values as the root configuration. | | ## Configuring Kubernetes diff --git a/doc/plugin_server_upstreamauthority_awssecret.md b/doc/plugin_server_upstreamauthority_awssecret.md index c95f630e21..390d9aacce 100644 --- a/doc/plugin_server_upstreamauthority_awssecret.md +++ b/doc/plugin_server_upstreamauthority_awssecret.md 
@@ -7,16 +7,16 @@ the ServerCA plugin. The plugin accepts the following configuration options: -| Configuration | Description | -|-------------------|-------------------------------------------------------| -| region | AWS Region that the AWS Secrets Manager is running in | -| cert_file_arn | ARN of the "upstream" CA certificate that will be used for signing. If more than one certificate is present, they will be added to the chain in order of appearance, where the first certificate will be the one used for signing. | -| key_file_arn | ARN of the "upstream" CA key file | -| bundle_file_arn | ARN of roots to include in the trust bundle. If `cert_file_arn` contains a self-signed root CA certificate this field can be left unset. Otherwise, `bundle_file_arn` must include one or more root CA certificates | -| access_key_id | AWS access key ID | -| secret_access_key | AWS secret access key | -| secret_token | AWS secret token | -| assume_role_arn | ARN of role to assume | +| Configuration | Description | +|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| region | AWS Region that the AWS Secrets Manager is running in | +| cert_file_arn | ARN of the "upstream" CA certificate that will be used for signing. If more than one certificate is present, they will be added to the chain in order of appearance, where the first certificate will be the one used for signing. | +| key_file_arn | ARN of the "upstream" CA key file | +| bundle_file_arn | ARN of roots to include in the trust bundle. If `cert_file_arn` contains a self-signed root CA certificate this field can be left unset. 
Otherwise, `bundle_file_arn` must include one or more root CA certificates | +| access_key_id | AWS access key ID | +| secret_access_key | AWS secret access key | +| secret_token | AWS secret token | +| assume_role_arn | ARN of role to assume | Only the region, cert_file_arn, and key_file_arn must be configured. You optionally configure the remaining fields depending on how you choose to give SPIRE Server access to the ARNs. diff --git a/doc/plugin_server_upstreamauthority_cert_manager.md b/doc/plugin_server_upstreamauthority_cert_manager.md index 74feae02cd..68e3379054 100644 --- a/doc/plugin_server_upstreamauthority_cert_manager.md +++ b/doc/plugin_server_upstreamauthority_cert_manager.md @@ -1,7 +1,7 @@ # Server plugin: UpstreamAuthority "cert-manager" The `cert-manager` plugin uses an instance of -[cert-manager](https://cert-manager.io) running in Kubernetes to to request +[cert-manager](https://cert-manager.io) running in Kubernetes to request intermediate signing certificates for SPIRE Server. This plugin will request a signing certificate from cert-manager via a diff --git a/doc/plugin_server_upstreamauthority_disk.md b/doc/plugin_server_upstreamauthority_disk.md index 4e4335af57..24ada6e173 100644 --- a/doc/plugin_server_upstreamauthority_disk.md +++ b/doc/plugin_server_upstreamauthority_disk.md @@ -10,7 +10,7 @@ credentials cannot be loaded, then the previously loaded credentials will be used. This provides two things: first, it ensures that the spire-server process does not need to be restarted to load a new UpstreamAuthority from disk, providing a seamless rotation; second, it ensures that a failed disk does -not effect a running spire-server until the loaded UpstreamAuthority expires. +not affect a running spire-server until the loaded UpstreamAuthority expires. The plugin accepts the following configuration options: 
diff --git a/doc/plugin_server_upstreamauthority_ejbca.md b/doc/plugin_server_upstreamauthority_ejbca.md index d7203dcdcf..ce3c310021 100644 --- a/doc/plugin_server_upstreamauthority_ejbca.md +++ b/doc/plugin_server_upstreamauthority_ejbca.md @@ -20,7 +20,7 @@ The EJBCA UpstreamAuthority Plugin accepts the following configuration options. | `hostname` | The hostname of the connected EJBCA server. | | | `ca_cert_path` | (optional) The path to the CA certificate file used to validate the EJBCA server's certificate. Certificates must be in PEM format. | `EJBCA_CA_CERT_PATH` | | `client_cert_path` | The path to the client certificate (public key only) used to authenticate to EJBCA. Must be in PEM format. | `EJBCA_CLIENT_CERT_PATH` | -| `client_cert_key_path` | The path to the client key matching `client_cert` used to authenticate to EJBCA. Must be in PEM format. | `EJBCA_CLIENT_CERT_KEY_PATH` | +| `client_cert_key_path` | The path to the client key matching `client_cert` used to authenticate to EJBCA. Must be in PEM format. | `EJBCA_CLIENT_CERT_KEY_PATH` | | `ca_name` | The name of a CA in the connected EJBCA instance that will issue the intermediate signing certificates. | | | `end_entity_profile_name` | The name of an end entity profile in the connected EJBCA instance that is configured to issue SPIFFE certificates. | | | `certificate_profile_name` | The name of a certificate profile in the connected EJBCA instance that is configured to issue intermediate CA certificates. | | diff --git a/doc/plugin_server_upstreamauthority_vault.md b/doc/plugin_server_upstreamauthority_vault.md index b8d3a00c1e..8946e32f5b 100644 --- a/doc/plugin_server_upstreamauthority_vault.md +++ b/doc/plugin_server_upstreamauthority_vault.md 
@@ -22,7 +22,7 @@ The plugin accepts the following configuration options: The plugin supports **Client Certificate**, **Token** and **AppRole** authentication methods. - **Client Certificate** method authenticates to Vault using a TLS client certificate. -- **Token** method authenticates to Vault using the token in a HTTP Request header. +- **Token** method authenticates to Vault using the token in an HTTP Request header. - **AppRole** method authenticates to Vault using a RoleID and SecretID that are issued from Vault. The [`ca_ttl` SPIRE Server configurable](https://github.com/spiffe/spire/blob/main/doc/spire_server.md#server-configuration-file) should be less than or equal to the Vault's PKI secret engine TTL. diff --git a/doc/scaling_spire.md b/doc/scaling_spire.md index b0ba93e43a..48f1696a87 100644 --- a/doc/scaling_spire.md +++ b/doc/scaling_spire.md 
@@ -14,7 +14,7 @@ To support larger numbers of Agents and Workloads within a given deployment (ten To scale the SPIRE Server horizontally, be it for high availability or load distribution purposes, configure all servers in same trust domain to read and write to the same shared datastore. -The datastore is where SPIRE Server persists dynamic configuration information such as registration entries and identity mapping policies. SQLite is bundled with SPIRE Server and it is the default datastore. A number of compatible SQL databases are supported, as well as one plugin for Kubernetes using Kubernetes CRDs. When scaling SPIRE servers horizontally, choose a datastore that fits your requirements and configure all SPIRE servers to use the selected datastore. For details please refer to the [datastore plugin configuration reference](https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md). +The datastore is where SPIRE Server persists dynamic configuration information such as registration entries and identity mapping policies. SQLite is bundled with SPIRE Server and is the default datastore. A number of compatible SQL databases are supported, as well as one plugin for Kubernetes using Kubernetes CRDs. When scaling SPIRE servers horizontally, choose a datastore that fits your requirements and configure all SPIRE servers to use the selected datastore. For details please refer to the [datastore plugin configuration reference](https://github.com/spiffe/spire/blob/main/doc/plugin_server_datastore_sql.md). In High Availability mode, each server maintains its own Certificate Authority, which may be either self-signed certificates or an intermediate certificate off of a shared root authority (i.e. when configured with an UpstreamAuthority). diff --git a/doc/spire_agent.md b/doc/spire_agent.md index 7f8cd81d98..afbf7132a8 100644 --- a/doc/spire_agent.md +++ b/doc/spire_agent.md 
@@ -50,7 +50,7 @@ This may be useful for templating configuration files, for example across differ | `data_dir` | A directory the agent can use for its runtime data | $PWD | | `experimental` | The experimental options that are subject to change or removal (see below) | | | `insecure_bootstrap` | If true, the agent bootstraps without verifying the server's identity | false | -| `retry_bootstrap` | If true, the agent retries bootstrap with backoff | false | +| `retry_bootstrap` | If true, the agent retries bootstrap with backoff | false | | `join_token` | An optional token which has been generated by the SPIRE server | | | `log_file` | File to write logs to | | | `log_level` | Sets the logging level <DEBUG|INFO|WARN|ERROR> | INFO | @@ -197,7 +197,7 @@ Please see the [Telemetry Configuration](./telemetry_config.md) guide for more i ## Health check configuration -The agent can expose additional endpoint that can be used for health checking. It is enabled by setting `listener_enabled = true`. Currently it exposes 2 paths: one for liveness (is agent up) and one for readiness (is agent ready to serve requests). By default, health checking endpoint will listen on localhost:80, unless configured otherwise. +The agent can expose additional endpoint that can be used for health checking. It is enabled by setting `listener_enabled = true`. Currently, it exposes 2 paths: one for liveness (is agent up) and one for readiness (is agent ready to serve requests). By default, health checking endpoint will listen on localhost:80, unless configured otherwise. ```hcl health_checks { @@ -213,7 +213,7 @@ health_checks { ### `spire-agent run` -All of the configuration file above options have identical command-line counterparts. In addition, +All the configuration file above options have identical command-line counterparts. In addition, the following flags are available: | Command | Action | Default | diff --git a/doc/spire_server.md b/doc/spire_server.md index 046ce747bc..468583185f 100644 
--- a/doc/spire_server.md
+++ b/doc/spire_server.md
@@ -54,35 +54,35 @@ SPIRE configuration files may be represented in either HCL or JSON. Please see t If the -expandEnv flag is passed to SPIRE, `$VARIABLE` or `${VARIABLE}` style environment variables are expanded before parsing. This may be useful for templating configuration files, for example across different trust domains, or for inserting secrets like database connection passwords. -| Configuration | Description | Default | -|:-----------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------| -| `admin_ids` | SPIFFE IDs that, when present in a caller's X509-SVID, grant that caller admin privileges. The admin IDs must reside on the server trust domain or a federated one, and need not have a corresponding admin registration entry with the server. 
| | -| `agent_ttl` | The TTL to use for agent SVIDs | The value of `default_x509_svid_ttl` | -| `audit_log_enabled` | If true, enables audit logging | false | -| `bind_address` | IP address or DNS name of the SPIRE server | 0.0.0.0 | -| `bind_port` | HTTP Port number of the SPIRE server | 8081 | -| `ca_key_type` | The key type used for the server CA (both X509 and JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | ec-p256 (the JWT key type can be overridden by `jwt_key_type`) | -| `ca_subject` | The Subject that CA certificates should use (see below) | | -| `ca_ttl` | The default CA/signing key TTL | 24h | -| `data_dir` | A directory the server can use for its runtime | | -| `default_x509_svid_ttl` | The default X509-SVID TTL | 1h | -| `default_jwt_svid_ttl` | The default JWT-SVID TTL | 5m | -| `experimental` | The experimental options that are subject to change or removal (see below) | | -| `federation` | Bundle endpoints configuration section used for [federation](#federation-configuration) | | -| `jwt_key_type` | The key type used for the server CA (JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | The value of `ca_key_type` or ec-p256 if not defined | -| `jwt_issuer` | The issuer claim used when minting JWT-SVIDs | | -| `log_file` | File to write logs to | | -| `log_level` | Sets the logging level <DEBUG|INFO|WARN|ERROR> | INFO | -| `log_format` | Format of logs, <text|json> | text | -| `log_source_location` | If true, logs include source file, line number, and method name fields (adds a bit of runtime cost) | false | -| `profiling_enabled` | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint | false | -| `profiling_freq` | Frequency of dumping profiling data to disk. Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0. 
| | -| `profiling_names` | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names) | | -| `profiling_port` | Port number of the [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint. Only used when `profiling_enabled` is `true`. | | -| `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | | -| `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock | -| `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | | -| `use_legacy_downstream_x509_ca_ttl` | Use the downstream spire-server registration entry TTL as the downstream CA TTL. This is deprecated and will be removed in a future version. | true | +| Configuration | Description | Default | +|:------------------------------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:---------------------------------------------------------------| +| `admin_ids` | SPIFFE IDs that, when present in a caller's X509-SVID, grant that caller admin privileges. The admin IDs must reside on the server trust domain or a federated one, and need not have a corresponding admin registration entry with the server. 
| | +| `agent_ttl` | The TTL to use for agent SVIDs | The value of `default_x509_svid_ttl` | +| `audit_log_enabled` | If true, enables audit logging | false | +| `bind_address` | IP address or DNS name of the SPIRE server | 0.0.0.0 | +| `bind_port` | HTTP Port number of the SPIRE server | 8081 | +| `ca_key_type` | The key type used for the server CA (both X509 and JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | ec-p256 (the JWT key type can be overridden by `jwt_key_type`) | +| `ca_subject` | The Subject that CA certificates should use (see below) | | +| `ca_ttl` | The default CA/signing key TTL | 24h | +| `data_dir` | A directory the server can use for its runtime | | +| `default_x509_svid_ttl` | The default X509-SVID TTL | 1h | +| `default_jwt_svid_ttl` | The default JWT-SVID TTL | 5m | +| `experimental` | The experimental options that are subject to change or removal (see below) | | +| `federation` | Bundle endpoints configuration section used for [federation](#federation-configuration) | | +| `jwt_key_type` | The key type used for the server CA (JWT), <rsa-2048|rsa-4096|ec-p256|ec-p384> | The value of `ca_key_type` or ec-p256 if not defined | +| `jwt_issuer` | The issuer claim used when minting JWT-SVIDs | | +| `log_file` | File to write logs to | | +| `log_level` | Sets the logging level <DEBUG|INFO|WARN|ERROR> | INFO | +| `log_format` | Format of logs, <text|json> | text | +| `log_source_location` | If true, logs include source file, line number, and method name fields (adds a bit of runtime cost) | false | +| `profiling_enabled` | If true, enables a [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint | false | +| `profiling_freq` | Frequency of dumping profiling data to disk. Only enabled when `profiling_enabled` is `true` and `profiling_freq` > 0. 
| | +| `profiling_names` | List of profile names that will be dumped to disk on each profiling tick, see [Profiling Names](#profiling-names) | | +| `profiling_port` | Port number of the [net/http/pprof](https://pkg.go.dev/net/http/pprof) endpoint. Only used when `profiling_enabled` is `true`. | | +| `ratelimit` | Rate limiting configurations, usually used when the server is behind a load balancer (see below) | | +| `socket_path` | Path to bind the SPIRE Server API socket to (Unix only) | /tmp/spire-server/private/api.sock | +| `trust_domain` | The trust domain that this server belongs to (should be no more than 255 characters) | | +| `use_legacy_downstream_x509_ca_ttl` | Use the downstream spire-server registration entry TTL as the downstream CA TTL. This is deprecated and will be removed in a future version. | true | | ca_subject | Description | Default | |:----------------------------|--------------------------------|----------------| 
@@ -90,19 +90,19 @@ This may be useful for templating configuration files, for example across differ | `organization` | Array of `Organization` values | | | `common_name` | The `CommonName` value | | -| experimental | Description | Default | -|:-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| -| `cache_reload_interval` | The amount of time between two reloads of the in-memory entry cache. Increasing this will mitigate high database load for extra large deployments, but will also slow propagation of new or updated entries to agents. | 5s | -| `events_based_cache` | Use events to update the cache with what's changed since the last update. Enabling this will reduce overhead on the database. | false | -| `prune_events_older_than`| How old an event can be before being deleted. Used with events based cache. Decreasing this will keep the events table smaller, but will increase risk of missing an event if connection to the database is down. | 12h | -| `sql_transaction_timeout`| Maximum time an SQL transaction could take, used by the events based cache to determine when an event id is unlikely to be used anymore. 
| 24h | -| `auth_opa_policy_engine` | The [auth opa_policy engine](/doc/authorization_policy_engine.md) used for authorization decisions | default SPIRE authorization policy | -| `named_pipe_name` | Pipe name of the SPIRE Server API named pipe (Windows only) | \spire-server\private\api | +| experimental | Description | Default | +|:--------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| +| `cache_reload_interval` | The amount of time between two reloads of the in-memory entry cache. Increasing this will mitigate high database load for extra large deployments, but will also slow propagation of new or updated entries to agents. | 5s | +| `events_based_cache` | Use events to update the cache with what's changed since the last update. Enabling this will reduce overhead on the database. | false | +| `prune_events_older_than` | How old an event can be before being deleted. Used with events based cache. Decreasing this will keep the events table smaller, but will increase risk of missing an event if connection to the database is down. | 12h | +| `sql_transaction_timeout` | Maximum time an SQL transaction could take, used by the events based cache to determine when an event id is unlikely to be used anymore. 
| 24h | +| `auth_opa_policy_engine` | The [auth opa_policy engine](/doc/authorization_policy_engine.md) used for authorization decisions | default SPIRE authorization policy | +| `named_pipe_name` | Pipe name of the SPIRE Server API named pipe (Windows only) | \spire-server\private\api | -| ratelimit | Description | Default | -|:--------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|---------| -| `attestation` | Whether or not to rate limit node attestation. If true, node attestation is rate limited to one attempt per second per IP address. | true | -| `signing` | Whether or not to rate limit JWT and X509 signing. If true, JWT and X509 signing are rate limited to 500 requests per second per IP address (separately). | true | +| ratelimit | Description | Default | +|:--------------|----------------------------------------------------------------------------------------------------------------------------------------------------|---------| +| `attestation` | whether to rate limit node attestation. If true, node attestation is rate limited to one attempt per second per IP address. | true | +| `signing` | whether to rate limit JWT and X509 signing. If true, JWT and X509 signing are rate limited to 500 requests per second per IP address (separately). | true | | auth_opa_policy_engine | Description | Default | |:-----------------------|---------------------------------------------------|---------| 
@@ -307,7 +307,7 @@ Please see the [Telemetry Configuration](./telemetry_config.md) guide for more i
 ## Health check configuration
-The server can expose an additional endpoint that can be used for health checking. It is enabled by setting `listener_enabled = true`. Currently it exposes 2 paths: one for liveness (is server up?) and one for readiness (is server ready to serve requests?). By default, health checking endpoint will listen on localhost:80, unless configured otherwise.
+The server can expose an additional endpoint that can be used for health checking. It is enabled by setting `listener_enabled = true`. Currently, it exposes 2 paths: one for liveness (is server up?) and one for readiness (is server ready to serve requests?). By default, health checking endpoint will listen on localhost:80, unless configured otherwise.
 ```hcl
 health_checks {
diff --git a/doc/telemetry/telemetry.md b/doc/telemetry/telemetry.md
index 01d2a6eb01..847e1d6e9d 100644
--- a/doc/telemetry/telemetry.md
+++ b/doc/telemetry/telemetry.md
@@ -6,69 +6,69 @@ The following metrics are emitted: ## SPIRE Server -| Type | Keys | Labels | Description | -|--------------|--------------------------------------------------|------------------------------|---------------------------------------------------------------------------------------| -| Call Counter | `rpc`, ``, `` | | Call counters over the [SPIRE Server RPCs](https://github.com/spiffe/spire-api-sdk). | -| Counter | `bundle_manager`, `update`, `federated_bundle` | `trust_domain_id` | The bundle endpoint manager updated a federated bundle | -| Call Counter | `bundle_manager`, `fetch`, `federated_bundle` | `trust_domain_id` | The bundle endpoint manager is fetching federated bundle. | -| Call Counter | `ca`, `manager`, `bundle`, `prune` | | The CA manager is pruning a bundle. | -| Counter | `ca`, `manager`, `bundle`, `pruned` | | The CA manager has successfully pruned a bundle. | -| Call Counter | `ca`, `manager`, `jwt_key`, `prepare` | | The CA manager is preparing a JWT Key. | -| Counter | `ca`, `manager`, `x509_ca`, `activate` | | The CA manager has successfully activated an X.509 CA. | -| Call Counter | `ca`, `manager`, `x509_ca`, `prepare` | | The CA manager is preparing an X.509 CA. | -| Call Counter | `datastore`, `bundle`, `append` | | The Datastore is appending a bundle. | -| Call Counter | `datastore`, `bundle`, `count` | | The Datastore is counting bundles. | -| Call Counter | `datastore`, `bundle`, `create` | | The Datastore is creating a bundle. | -| Call Counter | `datastore`, `bundle`, `delete` | | The Datastore is deleting a bundle. | -| Call Counter | `datastore`, `bundle`, `fetch` | | The Datastore is fetching a bundle. | -| Call Counter | `datastore`, `bundle`, `list` | | The Datastore is listing bundles. | -| Call Counter | `datastore`, `bundle`, `prune` | | The Datastore is pruning a bundle. | -| Call Counter | `datastore`, `bundle`, `set` | | The Datastore is setting a bundle. 
| -| Call Counter | `datastore`, `bundle`, `update` | | The Datastore is updating a bundle. | -| Call Counter | `datastore`, `join_token`, `create` | | The Datastore is creating a join token. | -| Call Counter | `datastore`, `join_token`, `delete` | | The Datastore is deleting a join token. | -| Call Counter | `datastore`, `join_token`, `fetch` | | The Datastore is fetching a join token. | -| Call Counter | `datastore`, `join_token`, `prune` | | The Datastore is pruning join tokens. | -| Call Counter | `datastore`, `node`, `count` | | The Datastore is counting nodes. | -| Call Counter | `datastore`, `node`, `create` | | The Datastore is creating a node. | -| Call Counter | `datastore`, `node`, `delete` | | The Datastore is deleting a node. | -| Call Counter | `datastore`, `node`, `fetch` | | The Datastore is fetching nodes. | -| Call Counter | `datastore`, `node`, `list` | | The Datastore is listing nodes. | -| Call Counter | `datastore`, `node`, `selectors`, `fetch` | | The Datastore is fetching selectors for a node. | -| Call Counter | `datastore`, `node`, `selectors`, `list` | | The Datastore is listing selectors for a node. | -| Call Counter | `datastore`, `node`, `selectors`, `set` | | The Datastore is setting selectors for a node. | -| Call Counter | `datastore`, `node`, `update` | | The Datastore is updating a node. | -| Call Counter | `datastore`, `node_event`, `list` | | The Datastore is listing node events. | -| Call Counter | `datastore`, `node_event`, `prune` | | The Datastore is pruning expired node events. | -| Call Counter | `datastore`, `node_event`, `fetch` | | The Datastore is fetching a specific node event. | -| Call Counter | `datastore`, `registration_entry`, `count` | | The Datastore is counting registration entries. | -| Call Counter | `datastore`, `registration_entry`, `create` | | The Datastore is creating a registration entry. 
| -| Call Counter | `datastore`, `registration_entry`, `delete` | | The Datastore is deleting a registration entry. | -| Call Counter | `datastore`, `registration_entry`, `fetch` | | The Datastore is fetching registration entries. | -| Call Counter | `datastore`, `registration_entry`, `list` | | The Datastore is listing registration entries. | -| Call Counter | `datastore`, `registration_entry`, `prune` | | The Datastore is pruning registration entries. | -| Call Counter | `datastore`, `registration_entry`, `update` | | The Datastore is updating a registration entry. | -| Call Counter | `datastore`, `registration_entry_event`, `list` | | The Datastore is listing a registration entry events. | -| Call Counter | `datastore`, `registration_entry_event`, `prune` | | The Datastore is pruning expired registration entry events. | -| Call Counter | `datastore`, `registration_entry_event`, `fetch` | | The Datastore is fetching a specific registration entry event. | -| Call Counter | `entry`, `cache`, `reload` | | The Server is reloading its in-memory entry cache from the datastore | -| Gauge | `node`, `agents_by_id_cache`, `count` | | The Server is re-hydrating the agents-by-id event-based cache | -| Gauge | `node`, `agents_by_expiresat_cache`, `count` | | The Server is re-hydrating the agents-by-expiresat event-based cache | -| Gauge | `node`, `skipped_node_event_ids`, `count` | | The count of skipped ids detected in the last `sql_transaction_timout` period. For databases that autoincrement ids by more than one, this number will overreport the skipped ids. 
[Issue](https://github.com/spiffe/spire/issues/5341) | -| Gauge | `entry`, `nodealiases_by_entryid_cache`, `count` | | The Server is re-hydrating the nodealiases-by-entryid event-based cache | -| Gauge | `entry`, `nodealiases_by_selector_cache`, `count` | | The Server is re-hydrating the nodealiases-by-selector event-based cache | -| Gauge | `entry`, `entries_by_entryid_cache`, `count` | | The Server is re-hydrating the entries-by-entryid event-based cache | -| Gauge | `entry`, `entries_by_parentid_cache`, `count` | | The Server is re-hydrating the entries-by-parentid event-based cache | -| Gauge | `entry`, `skipped_entry_event_ids`, `count` | | The count of skipped ids detected in the last sql_transaction_timout period. For databases that autoincrement ids by more than one, this number will overreport the skipped ids. [Issue](https://github.com/spiffe/spire/issues/5341) | -| Counter | `manager`, `jwt_key`, `activate` | | The CA manager has successfully activated a JWT Key. | -| Gauge | `manager`, `x509_ca`, `rotate`, `ttl` | `trust_domain_id` | The CA manager is rotating the X.509 CA with a given TTL for a specific Trust Domain. | -| Call Counter | `registration_entry`, `manager`, `prune` | | The Registration manager is pruning entries. | -| Counter | `server_ca`, `sign`, `jwt_svid` | | The CA has successfully signed a JWT SVID. | -| Counter | `server_ca`, `sign`, `x509_ca_svid` | | The CA has successfully signed an X.509 CA SVID. | -| Counter | `server_ca`, `sign`, `x509_svid` | | The CA has successfully signed an X.509 SVID. | -| Call Counter | `svid`, `rotate` | | The Server's SVID is being rotated. | -| Gauge | `started` | `version`, `trust_domain_id` | Information about the Server. | -| Gauge | `uptime_in_ms` | | The uptime of the Server in milliseconds. 
| +| Type | Keys | Labels | Description | +|--------------|---------------------------------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Call Counter | `rpc`, ``, `` | | Call counters over the [SPIRE Server RPCs](https://github.com/spiffe/spire-api-sdk). | +| Counter | `bundle_manager`, `update`, `federated_bundle` | `trust_domain_id` | The bundle endpoint manager updated a federated bundle | +| Call Counter | `bundle_manager`, `fetch`, `federated_bundle` | `trust_domain_id` | The bundle endpoint manager is fetching federated bundle. | +| Call Counter | `ca`, `manager`, `bundle`, `prune` | | The CA manager is pruning a bundle. | +| Counter | `ca`, `manager`, `bundle`, `pruned` | | The CA manager has successfully pruned a bundle. | +| Call Counter | `ca`, `manager`, `jwt_key`, `prepare` | | The CA manager is preparing a JWT Key. | +| Counter | `ca`, `manager`, `x509_ca`, `activate` | | The CA manager has successfully activated an X.509 CA. | +| Call Counter | `ca`, `manager`, `x509_ca`, `prepare` | | The CA manager is preparing an X.509 CA. | +| Call Counter | `datastore`, `bundle`, `append` | | The Datastore is appending a bundle. | +| Call Counter | `datastore`, `bundle`, `count` | | The Datastore is counting bundles. | +| Call Counter | `datastore`, `bundle`, `create` | | The Datastore is creating a bundle. | +| Call Counter | `datastore`, `bundle`, `delete` | | The Datastore is deleting a bundle. | +| Call Counter | `datastore`, `bundle`, `fetch` | | The Datastore is fetching a bundle. | +| Call Counter | `datastore`, `bundle`, `list` | | The Datastore is listing bundles. | +| Call Counter | `datastore`, `bundle`, `prune` | | The Datastore is pruning a bundle. 
| +| Call Counter | `datastore`, `bundle`, `set` | | The Datastore is setting a bundle. | +| Call Counter | `datastore`, `bundle`, `update` | | The Datastore is updating a bundle. | +| Call Counter | `datastore`, `join_token`, `create` | | The Datastore is creating a join token. | +| Call Counter | `datastore`, `join_token`, `delete` | | The Datastore is deleting a join token. | +| Call Counter | `datastore`, `join_token`, `fetch` | | The Datastore is fetching a join token. | +| Call Counter | `datastore`, `join_token`, `prune` | | The Datastore is pruning join tokens. | +| Call Counter | `datastore`, `node`, `count` | | The Datastore is counting nodes. | +| Call Counter | `datastore`, `node`, `create` | | The Datastore is creating a node. | +| Call Counter | `datastore`, `node`, `delete` | | The Datastore is deleting a node. | +| Call Counter | `datastore`, `node`, `fetch` | | The Datastore is fetching nodes. | +| Call Counter | `datastore`, `node`, `list` | | The Datastore is listing nodes. | +| Call Counter | `datastore`, `node`, `selectors`, `fetch` | | The Datastore is fetching selectors for a node. | +| Call Counter | `datastore`, `node`, `selectors`, `list` | | The Datastore is listing selectors for a node. | +| Call Counter | `datastore`, `node`, `selectors`, `set` | | The Datastore is setting selectors for a node. | +| Call Counter | `datastore`, `node`, `update` | | The Datastore is updating a node. | +| Call Counter | `datastore`, `node_event`, `list` | | The Datastore is listing node events. | +| Call Counter | `datastore`, `node_event`, `prune` | | The Datastore is pruning expired node events. | +| Call Counter | `datastore`, `node_event`, `fetch` | | The Datastore is fetching a specific node event. | +| Call Counter | `datastore`, `registration_entry`, `count` | | The Datastore is counting registration entries. | +| Call Counter | `datastore`, `registration_entry`, `create` | | The Datastore is creating a registration entry. 
| +| Call Counter | `datastore`, `registration_entry`, `delete` | | The Datastore is deleting a registration entry. | +| Call Counter | `datastore`, `registration_entry`, `fetch` | | The Datastore is fetching registration entries. | +| Call Counter | `datastore`, `registration_entry`, `list` | | The Datastore is listing registration entries. | +| Call Counter | `datastore`, `registration_entry`, `prune` | | The Datastore is pruning registration entries. | +| Call Counter | `datastore`, `registration_entry`, `update` | | The Datastore is updating a registration entry. | +| Call Counter | `datastore`, `registration_entry_event`, `list` | | The Datastore is listing a registration entry events. | +| Call Counter | `datastore`, `registration_entry_event`, `prune` | | The Datastore is pruning expired registration entry events. | +| Call Counter | `datastore`, `registration_entry_event`, `fetch` | | The Datastore is fetching a specific registration entry event. | +| Call Counter | `entry`, `cache`, `reload` | | The Server is reloading its in-memory entry cache from the datastore | +| Gauge | `node`, `agents_by_id_cache`, `count` | | The Server is re-hydrating the agents-by-id event-based cache | +| Gauge | `node`, `agents_by_expiresat_cache`, `count` | | The Server is re-hydrating the agents-by-expiresat event-based cache | +| Gauge | `node`, `skipped_node_event_ids`, `count` | | The count of skipped ids detected in the last `sql_transaction_timout` period. For databases that autoincrement ids by more than one, this number will overreport the skipped ids. 
[Issue](https://github.com/spiffe/spire/issues/5341) | +| Gauge | `entry`, `nodealiases_by_entryid_cache`, `count` | | The Server is re-hydrating the nodealiases-by-entryid event-based cache | +| Gauge | `entry`, `nodealiases_by_selector_cache`, `count` | | The Server is re-hydrating the nodealiases-by-selector event-based cache | +| Gauge | `entry`, `entries_by_entryid_cache`, `count` | | The Server is re-hydrating the entries-by-entryid event-based cache | +| Gauge | `entry`, `entries_by_parentid_cache`, `count` | | The Server is re-hydrating the entries-by-parentid event-based cache | +| Gauge | `entry`, `skipped_entry_event_ids`, `count` | | The count of skipped ids detected in the last sql_transaction_timout period. For databases that autoincrement ids by more than one, this number will overreport the skipped ids. [Issue](https://github.com/spiffe/spire/issues/5341) | +| Counter | `manager`, `jwt_key`, `activate` | | The CA manager has successfully activated a JWT Key. | +| Gauge | `manager`, `x509_ca`, `rotate`, `ttl` | `trust_domain_id` | The CA manager is rotating the X.509 CA with a given TTL for a specific Trust Domain. | +| Call Counter | `registration_entry`, `manager`, `prune` | | The Registration manager is pruning entries. | +| Counter | `server_ca`, `sign`, `jwt_svid` | | The CA has successfully signed a JWT SVID. | +| Counter | `server_ca`, `sign`, `x509_ca_svid` | | The CA has successfully signed an X.509 CA SVID. | +| Counter | `server_ca`, `sign`, `x509_svid` | | The CA has successfully signed an X.509 SVID. | +| Call Counter | `svid`, `rotate` | | The Server's SVID is being rotated. | +| Gauge | `started` | `version`, `trust_domain_id` | Information about the Server. | +| Gauge | `uptime_in_ms` | | The uptime of the Server in milliseconds. | ## SPIRE Agent diff --git a/doc/telemetry/telemetry_config.md b/doc/telemetry/telemetry_config.md index 171461c457..b7584de4f5 100644 --- a/doc/telemetry/telemetry_config.md 
+++ b/doc/telemetry/telemetry_config.md
@@ -33,8 +33,8 @@ You may use all, some, or none of the collectors. The following collectors suppo
 ### `Prometheus`
-| Configuration | Type | Description |
-|---------------|----------|---------------------------|
+| Configuration | Type | Description |
+|---------------|----------|------------------------------------|
 | `host` | `string` | Prometheus exporter listen address |
 | `port` | `int` | Prometheus exporter listen port |
diff --git a/pkg/agent/api/debug/v1/service.go b/pkg/agent/api/debug/v1/service.go
index 8ba5d376f2..4a6987bd7a 100644
--- a/pkg/agent/api/debug/v1/service.go
+++ b/pkg/agent/api/debug/v1/service.go
@@ -72,7 +72,7 @@ func (s *Service) GetInfo(context.Context, *debugv1.GetInfoRequest) (*debugv1.Ge
 s.getInfoResp.mtx.Lock()
 defer s.getInfoResp.mtx.Unlock()
- // Update cache when expired or does not exists
+ // Update cache when expired or does not exist
 if s.getInfoResp.ts.IsZero() || s.clock.Now().Sub(s.getInfoResp.ts) >= cacheExpiry {
 state := s.m.GetCurrentCredentials()
 // Get current agent's credential SVID
diff --git a/pkg/agent/attestor/node/node.go b/pkg/agent/attestor/node/node.go
index aa0cf63355..f31113dc52 100644
--- a/pkg/agent/attestor/node/node.go
+++ b/pkg/agent/attestor/node/node.go
@@ -193,7 +193,7 @@ func (a *attestor) getBundle(ctx context.Context, conn *grpc.ClientConn) (*spiff
 }
 func (a *attestor) getSVID(ctx context.Context, conn *grpc.ClientConn, csr []byte, attestor nodeattestor.NodeAttestor) ([]*x509.Certificate, bool, error) {
- // make sure all of the streams are cancelled if something goes awry
+ // make sure all the streams are cancelled if something goes awry
 ctx, cancel := context.WithCancel(ctx)
 defer cancel()
diff --git a/pkg/agent/catalog/catalog_test.go b/pkg/agent/catalog/catalog_test.go
index ad125f6662..a21b5063ea 100644
--- a/pkg/agent/catalog/catalog_test.go
+++ b/pkg/agent/catalog/catalog_test.go
@@ -10,7 +10,7 @@ import (
 "github.com/stretchr/testify/require"
 )
-func TestJoinTokenNodeAttestorCannotBeOverriden(t *testing.T) {
+func TestJoinTokenNodeAttestorCannotBeOverridden(t *testing.T) {
 dir := t.TempDir()
 log, _ := test.NewNullLogger()
diff --git a/pkg/agent/manager/cache/bundle_cache.go b/pkg/agent/manager/cache/bundle_cache.go
index f7f6c5a6d8..587bee8b68 100644
--- a/pkg/agent/manager/cache/bundle_cache.go
+++ b/pkg/agent/manager/cache/bundle_cache.go
@@ -25,7 +25,7 @@ func NewBundleCache(trustDomain spiffeid.TrustDomain, bundle *Bundle) *BundleCac
 func (c *BundleCache) Update(bundles map[spiffeid.TrustDomain]*Bundle) {
 // the bundle map must be copied so that the source can be mutated
- // afterwards.
+ // afterward.
 c.bundles.Update(copyBundleMap(bundles))
 }
@@ -82,7 +82,7 @@ func (b *BundleStream) WaitNext() map[spiffeid.TrustDomain]*Bundle {
 }
 // Clone creates a new independent stream from this one but sharing the same
-// Property. Updates to the property will be reflected in both streams but
+// Property. Updates to the property will be reflected in both streams, but
 // they may have different values depending on when they advance the stream
 // with Next.
 func (b *BundleStream) Clone() *BundleStream {
diff --git a/pkg/agent/manager/cache/lru_cache.go b/pkg/agent/manager/cache/lru_cache.go
index 07a07a3eec..4fe51f16af 100644
--- a/pkg/agent/manager/cache/lru_cache.go
+++ b/pkg/agent/manager/cache/lru_cache.go
@@ -73,7 +73,7 @@ type StaleEntry struct {
 // related identities and trust bundles.
 //
 // The cache does this efficiently by building an index for each unique
-// selector it encounters. Each selector index tracks the subscribers (i.e
+// selector it encounters. Each selector index tracks the subscribers (i.e.
 // workloads) and registration entries that have that selector.
 //
 // The LRU-like SVID cache has a size limit and expiry period.
@@ -869,7 +869,7 @@ func (c *LRUCache) delSelectorIndicesRecord(selectors selectorSet, record *lruCa
 }
 // delSelectorIndexRecord removes the record from the selector index. If
-// the selector index is empty afterwards, it is also removed.
+// the selector index is empty afterward, it is also removed.
 func (c *LRUCache) delSelectorIndexRecord(s selector, record *lruCacheRecord) {
 index, ok := c.selectors[s]
 if ok {
@@ -886,7 +886,7 @@ func (c *LRUCache) addSelectorIndexSub(s selector, sub *lruCacheSubscriber) {
 }
 // delSelectorIndexSub removes the subscription from the selector index. If
-// the selector index is empty afterwards, it is also removed.
+// the selector index is empty afterward, it is also removed.
 func (c *LRUCache) delSelectorIndexSub(s selector, sub *lruCacheSubscriber) {
 index, ok := c.selectors[s]
 if ok {
@@ -1030,7 +1030,7 @@ func (c *LRUCache) buildWorkloadUpdate(set selectorSet) *WorkloadUpdate {
 func (c *LRUCache) getRecordsForSelectors(set selectorSet) (lruCacheRecordSet, func()) {
 // Build and dedup a list of candidate entries. Don't check for selector set inclusion yet, since
-// that is a more expensive operation and we could easily have duplicate
+// that is a more expensive operation, and we could easily have duplicate
 // entries to check.
 records, recordsDone := allocLRUCacheRecordSet()
 for selector := range set {
diff --git a/pkg/agent/manager/cache/lru_cache_test.go b/pkg/agent/manager/cache/lru_cache_test.go
index c490cbd2d4..d42e6ff516 100644
--- a/pkg/agent/manager/cache/lru_cache_test.go
+++ b/pkg/agent/manager/cache/lru_cache_test.go
@@ -316,7 +316,7 @@ func TestLRUCacheSubscriberIsNotNotifiedIfNothingChanges(t *testing.T) {
 assertAnyWorkloadUpdate(t, sub)
 // Second update is the same (other than X509SVIDs, which, when set,
- // always constitute a "change" for the impacted registration entries.
+ // always constitute a "change" for the impacted registration entries).
 cache.UpdateEntries(&UpdateEntries{
 Bundles: makeBundles(bundleV1),
 RegistrationEntries: makeRegistrationEntries(foo),
@@ -560,7 +560,7 @@ func TestLRUCacheGetStaleEntries(t *testing.T) {
 bar := makeRegistrationEntryWithTTL("BAR", 130, 140, "B")
 // Create entry but don't mark it stale from checkSVID method;
- // it will be marked stale cause it does not have SVID cached
+ // it will be marked stale because it does not have SVID cached
 cache.UpdateEntries(&UpdateEntries{
 Bundles: makeBundles(bundleV2),
 RegistrationEntries: makeRegistrationEntries(bar),
@@ -1143,7 +1143,7 @@ func TestTaintX509SVIDsNoSVIDs(t *testing.T) {
 Bundles: makeBundles(bundleV1),
 RegistrationEntries: makeRegistrationEntries(entries...),
 }
- // All entries has no chain...
+ // All entries have no chain...
 cache.svids = makeX509SVIDs(entries...)
 // Add entries to cache
diff --git a/pkg/agent/manager/manager.go b/pkg/agent/manager/manager.go
index 56013309df..206683bb7e 100644
--- a/pkg/agent/manager/manager.go
+++ b/pkg/agent/manager/manager.go
@@ -67,7 +67,7 @@ type Manager interface {
 // SetRotationFinishedHook sets a hook that will be called when a rotation finished
 SetRotationFinishedHook(func())
-// MatchingRegistrationEntries returns all of the cached registration entries whose
+// MatchingRegistrationEntries returns all the cached registration entries whose
 // selectors are a subset of the passed selectors.
 MatchingRegistrationEntries(selectors []*common.Selector) []*common.RegistrationEntry
diff --git a/pkg/agent/manager/manager_test.go b/pkg/agent/manager/manager_test.go
index 695825e00c..ffc35407ff 100644
--- a/pkg/agent/manager/manager_test.go
+++ b/pkg/agent/manager/manager_test.go
@@ -1405,7 +1405,7 @@ func TestSyncSVIDsWithLRUCache(t *testing.T) {
 // ensure 2 SVIDs corresponding to selectors are cached.
 assert.Equal(t, 2, m.cache.CountX509SVIDs())
- // cancel the ctx to stop go routines
+ // cancel the ctx to stop Go routines
 cancel()
 syncErr := <-syncErrCh
diff --git a/pkg/agent/manager/storecache/cache.go b/pkg/agent/manager/storecache/cache.go
index 85de43a544..25aa6a04fe 100644
--- a/pkg/agent/manager/storecache/cache.go
+++ b/pkg/agent/manager/storecache/cache.go
@@ -81,7 +81,7 @@ func New(config *Config) *Cache {
 // record's revision number is incremented on each record based on:
 // - Knowledge or when the SVID for that entry changes
 // - Knowledge when the bundle changes
-// - Knowledge when a federated bundle related to an storable entry changes
+// - Knowledge when a federated bundle related to a storable entry changes
 func (c *Cache) UpdateEntries(update *cache.UpdateEntries, checkSVID func(*common.RegistrationEntry, *common.RegistrationEntry, *cache.X509SVID) bool) {
 c.mtx.Lock()
 defer c.mtx.Unlock()
diff --git a/pkg/agent/manager/storecache/cache_test.go b/pkg/agent/manager/storecache/cache_test.go
index dbb4031e78..008748126a 100644
--- a/pkg/agent/manager/storecache/cache_test.go
+++ b/pkg/agent/manager/storecache/cache_test.go
@@ -536,7 +536,7 @@ func TestUpdateEntries(t *testing.T) {
 c.UpdateEntries(tt.initialUpdate, nil)
 update := tt.setUpdate(*tt.initialUpdate)
- // Dont care about initialization logs
+ // Don't care about initialization logs
 hook.Reset()
 // Set check SVID only in updates, creation will is tested in a different test
@@ -649,7 +649,7 @@ func TestUpdateEntriesRemoveEntry(t *testing.T) {
 },
 }
- // Reset logs, this test dont cares about creating logs
+ // Reset logs, this test don't care about creating logs
 hook.Reset()
 // Update entry to remove 'bar'
 c.UpdateEntries(update, nil)
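Review bot: The rewritten comment introduces a non-standard spelling rather than removing one: the Go term is a single word, so the added line should read `// cancel the ctx to stop goroutines` instead of `Go routines`. This is the only place in the visible hunks where the spelling pass moves away from the conventional form. TestSyncSVIDsWithLRUCache starts before the hunk.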
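Review bot: The context line directly above the fixed bullet still reads `// - Knowledge or when the SVID for that entry changes`, and `or` looks like a typo for `of` given the parallel `Knowledge when ...` bullets that follow; since this commit is a spelling sweep it could correct that line in the same change (hedged: it is shown as context here, not as a changed line). Suggested wording: `// - Knowledge of when the SVID for that entry changes`. UpdateEntries's body continues past the hunk.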
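Review bot: The replacement comment still has a number-agreement error: `this test don't care` should be `this test doesn't care`, so the added line would read `// Reset logs, this test doesn't care about creating logs`. The earlier hunk in the same file leaves the context line `creation will is tested in a different test` untouched, which presumably should be `creation is tested in a different test` and could be folded into the same spelling pass. TestUpdateEntriesRemoveEntry continues outside the hunk.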
@@ -697,7 +697,7 @@ func TestUpdateEntriesRemoveEntry(t *testing.T) {
 require.Equal(t, expectedRecords, c.Records())
- // Update SVIDs does not updates records that are in remove state
+ // Update SVIDs does not update records that are in remove state
 c.UpdateSVIDs(&cache.UpdateSVIDs{
 X509SVIDs: map[string]*cache.X509SVID{
 "bar": {
diff --git a/pkg/agent/plugin/nodeattestor/httpchallenge/httpchallenge.go b/pkg/agent/plugin/nodeattestor/httpchallenge/httpchallenge.go
index 07f3e5795f..1c568815e9 100644
--- a/pkg/agent/plugin/nodeattestor/httpchallenge/httpchallenge.go
+++ b/pkg/agent/plugin/nodeattestor/httpchallenge/httpchallenge.go
@@ -157,7 +157,7 @@ func (p *Plugin) AidAttestation(stream nodeattestorv1.NodeAttestor_AidAttestatio
 return status.Errorf(codes.Internal, "unable to unmarshal challenge: %v", err)
 }
- // due to https://github.com/spiffe/spire/blob/8f9fa036e182a2fab968e03cd25a7fdb2d8c88bb/pkg/agent/plugin/nodeattestor/v1.go#L63, we must respond with a non blank challenge response
+ // due to https://github.com/spiffe/spire/blob/8f9fa036e182a2fab968e03cd25a7fdb2d8c88bb/pkg/agent/plugin/nodeattestor/v1.go#L63, we must respond with a non-blank challenge response
 responseBytes := []byte{'\n'}
 if err := stream.Send(&nodeattestorv1.PayloadOrChallengeResponse{
 Data: &nodeattestorv1.PayloadOrChallengeResponse_ChallengeResponse{
diff --git a/pkg/agent/plugin/nodeattestor/jointoken/join_token.go b/pkg/agent/plugin/nodeattestor/jointoken/join_token.go
index c7a01547f9..9085ed5241 100644
--- a/pkg/agent/plugin/nodeattestor/jointoken/join_token.go
+++ b/pkg/agent/plugin/nodeattestor/jointoken/join_token.go
@@ -30,7 +30,7 @@ func New() *Plugin {
 func (p *Plugin) AidAttestation(_ nodeattestorv1.NodeAttestor_AidAttestationServer) error {
 // The agent handles the case where the join token is set using special
 // cased code. The special code is only activated when the join token has
- // been provided via CLI flag or HCL configuration, whether or not the
+ // been provided via CLI flag or HCL configuration, whether the
 // join_token node attestor has been configured. If the join token is not
 // set, but the join_token node attestor is configured, then the special
 // case code will not be activated and this plugin will end up being
diff --git a/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session.go b/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session.go
index b12bcc8378..0ae2878b81 100644
--- a/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session.go
+++ b/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session.go
@@ -256,8 +256,8 @@ func (c *Session) GetAKPublic() []byte {
 }
 // loadKey loads a key pair into the TPM.
-func (c *Session) loadKey(pubKey, privKey []byte, parentKeyPassword, keyPassword string) (*SigningKey, error) {
- pub, err := tpm2.DecodePublic(pubKey)
+func (c *Session) loadKey(publicKey, privateKey []byte, parentKeyPassword, keyPassword string) (*SigningKey, error) {
+ pub, err := tpm2.DecodePublic(publicKey)
 if err != nil {
 return nil, fmt.Errorf("tpm2.DecodePublic failed: %w", err)
 }
@@ -303,7 +303,7 @@ func (c *Session) loadKey(pubKey, privKey []byte, parentKeyPassword, keyPassword
 }
 defer c.flushContext(srkHandle)
- keyHandle, _, err := tpm2.Load(c.rwc, srkHandle, parentKeyPassword, pubKey, privKey)
+ keyHandle, _, err := tpm2.Load(c.rwc, srkHandle, parentKeyPassword, publicKey, privateKey)
 if err != nil {
 return nil, fmt.Errorf("tpm2.Load failed: %w", err)
 }
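Review bot: Deleting `or not` changes the meaning of this comment rather than just its grammar: the original `whether or not the join_token node attestor has been configured` said the special-case path is taken regardless of the attestor's configuration, and the new `..., whether the join_token node attestor has been configured.` no longer reads that way once the next line completes the sentence. Suggest `// been provided via CLI flag or HCL configuration, regardless of whether the`. The sentence matters because it documents which of the two join-token paths wins when both the CLI/HCL token and this plugin are present, which is what an operator consults when attestation does not behave as expected. AidAttestation's body continues past the hunk.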
@@ -349,7 +349,7 @@ func (c *Session) createAttestationKey(parentKeyPassword, keyPassword string) ([ // We need a session-based authorization to run the activate credential command // (password-based auth is not enough) because of the attributes of the EK template. func (c *Session) createPolicySessionForEK() (tpmutil.Handle, error) { - // The TPM is accesed in a plain session (we assume the bus is trusted) so we use an: + // The TPM is accessed in a plain session (we assume the bus is trusted) so we use an: // un-bounded and un-salted policy session (bindKey = HandleNull, tpmKey = HandleNull, secret = nil, // (sym = algNull, nonceCaller = all zeros). diff --git a/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go b/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go index 53bff71073..1adc873b47 100644 --- a/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go +++ b/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/session_test.go @@ -628,7 +628,7 @@ func (f keyCloser) Close() error { return nil } -// createTPMKey creates a key on the simulated TPM. It returns a io.Closer to +// createTPMKey creates a key on the simulated TPM. It returns an io.Closer to // flush the key once it is no more required. // This function is used to out-of-memory the TPM in unit tests. func createTPMKey(t *testing.T, sim *tpmsimulator.TPMSimulator) io.Closer { diff --git a/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/signingkey.go b/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/signingkey.go index d433dc826f..8d16df3b59 100644 --- a/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/signingkey.go +++ b/pkg/agent/plugin/nodeattestor/tpmdevid/tpmutil/signingkey.go 
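Review bot: The comment in createPolicySessionForEK still ends its first line with `we use an:` and opens a parenthesis at `(bindKey = HandleNull` that is never closed, with a second stray `(sym = algNull` on the next line, so the spelling fix leaves the sentence broken. Since this is the one place that records why the EK policy session is unbound and unsalted, it is worth spelling out what the bus-trust assumption buys, e.g. `// The TPM is accessed over a plain session (we assume the bus is trusted, so an unbound, unsalted policy session is acceptable even though it offers no protection against an interposer on the bus): bindKey = HandleNull, tpmKey = HandleNull, secret = nil, sym = algNull, nonceCaller = all zeros.` The interposer remark follows from the existing "we assume the bus is trusted" wording rather than from anything else visible here, so keep it if the maintainers agree that is the intended threat model. The function body continues beyond the hunk.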
@@ -62,7 +62,7 @@ func (k *SigningKey) Sign(data []byte) ([]byte, error) { // handle as object. func (k *SigningKey) Certify(object tpmutil.Handle, objectPassword string) ([]byte, []byte, error) { // For some reason 'tpm2.Certify()' sometimes fails the first attempt and asks for retry. - // So, we retry some times in case of getting the RCRetry error. + // So, we retry in case of getting the RCRetry error. // It seems that this issue has been reported: https://github.com/google/go-tpm/issues/59 var err error for i := 1; i <= maxAttempts; i++ { diff --git a/pkg/agent/plugin/svidstore/awssecretsmanager/aws_test.go b/pkg/agent/plugin/svidstore/awssecretsmanager/aws_test.go index e7f1bf8879..85023acd21 100644 --- a/pkg/agent/plugin/svidstore/awssecretsmanager/aws_test.go +++ b/pkg/agent/plugin/svidstore/awssecretsmanager/aws_test.go @@ -185,7 +185,7 @@ func TestConfigure(t *testing.T) { plugintest.Load(t, builtin(p), nil, options...) spiretest.RequireGRPCStatusHasPrefix(t, err, tt.expectCode, tt.expectMsgPrefix) - // Expect no client unsuccess calls + // Expect no client unsuccessful calls switch tt.expectCode { case codes.OK: require.NotNil(t, p.smClient) @@ -358,7 +358,7 @@ func TestPutX509SVID(t *testing.T) { expectMsg: "svidstore(aws_secretsmanager): failed to parse request: failed to parse CertChain: x509: malformed certificate", }, { - name: "unnexpected aws error when describe secret", + name: "unexpected aws error when describe secret", req: successReq, expectCode: codes.Internal, expectMsg: "svidstore(aws_secretsmanager): failed to describe secret: InvalidParameterException: failed to describe secret", 
@@ -546,7 +546,7 @@ func TestPutX509SVID(t *testing.T) { require.Equal(t, putSecretInput, sm.putSecretInput) require.Equal(t, tt.expectDeleteSecretInput, sm.deleteSecretInput) - require.Equal(t, tt.expectDescribeInput, sm.drescribeSecretInput) + require.Equal(t, tt.expectDescribeInput, sm.describeSecretInput) require.Equal(t, tt.expectRestoreSecretInput, sm.restoreSecretInput) }) } @@ -674,7 +674,7 @@ func TestDeleteX509SVID(t *testing.T) { require.NoError(t, err) require.Equal(t, tt.expectDeleteSecretInput, sm.deleteSecretInput) - require.Equal(t, tt.expectDescribeInput, sm.drescribeSecretInput) + require.Equal(t, tt.expectDescribeInput, sm.describeSecretInput) }) } } @@ -694,12 +694,12 @@ type smConfig struct { type fakeSecretsManagerClient struct { t testing.TB - drescribeSecretInput *secretsmanager.DescribeSecretInput - createSecretInput *secretsmanager.CreateSecretInput - putSecretInput *secretsmanager.PutSecretValueInput - deleteSecretInput *secretsmanager.DeleteSecretInput - restoreSecretInput *secretsmanager.RestoreSecretInput - c *smConfig + describeSecretInput *secretsmanager.DescribeSecretInput + createSecretInput *secretsmanager.CreateSecretInput + putSecretInput *secretsmanager.PutSecretValueInput + deleteSecretInput *secretsmanager.DeleteSecretInput + restoreSecretInput *secretsmanager.RestoreSecretInput + c *smConfig } func (sm *fakeSecretsManagerClient) createTestClient(_ context.Context, _, _, region string) (SecretsManagerClient, error) { @@ -729,7 +729,7 @@ func (sm *fakeSecretsManagerClient) DescribeSecret(_ context.Context, input *sec resp.DeletedDate = aws.Time(time.Now()) } - sm.drescribeSecretInput = input + sm.describeSecretInput = input return resp, nil } diff --git a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go index 8fe2aad9b3..a2645a2342 100644 --- a/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go 
+++ b/pkg/agent/plugin/svidstore/gcpsecretmanager/gcloud_test.go @@ -871,7 +871,7 @@ func TestDeleteX509SVID(t *testing.T) { err = ss.DeleteX509SVID(ctx, tt.metadata) spiretest.RequireGRPCStatus(t, err, tt.expectCode, tt.expectMsgPrefix) - // Validate what is send to gcp + // Validate what is sent to gcp spiretest.AssertProtoEqual(t, tt.expectDeleteSecretReq, client.deleteSecretReq) spiretest.AssertProtoEqual(t, tt.expectGetSecretReq, client.getSecretReq) }) diff --git a/pkg/agent/plugin/workloadattestor/docker/cgroup/dockerfinder.go b/pkg/agent/plugin/workloadattestor/docker/cgroup/dockerfinder.go index f5a791774b..1c39872d0d 100644 --- a/pkg/agent/plugin/workloadattestor/docker/cgroup/dockerfinder.go +++ b/pkg/agent/plugin/workloadattestor/docker/cgroup/dockerfinder.go @@ -130,7 +130,7 @@ func (f *containerIDFinders) FindContainerID(cgroup string) (string, bool) { // is done as follows: // // 1. If the number of path components in two patterns differ, they cannot match identical inputs. -// This assertions follows from the path focused grammar and the fact that the regex +// This assertion follows from the path focused grammar and the fact that the regex // wildcards (regexpWildcard and regexpContainerID) cannot match "/". // 2. If the number of path components in two patterns are the same, we test "component // equivalence" at each index. wildcardToken and containerIDToken are equivalent to diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go index 04575b1772..af7cbe5368 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s.go 
@@ -80,7 +80,7 @@ type HCLConfig struct { // SkipKubeletVerification is set. Defaults to the cluster trust bundle. KubeletCAPath string `hcl:"kubelet_ca_path"` - // SkipKubeletVerification controls whether or not the plugin will + // SkipKubeletVerification controls whether the plugin will // verify the certificate presented by the kubelet. SkipKubeletVerification bool `hcl:"skip_kubelet_verification"` @@ -97,7 +97,7 @@ type HCLConfig struct { // authentication with the kubelet. Must be used with CertificatePath. PrivateKeyPath string `hcl:"private_key_path"` - // UseAnonymousAuthentication controls whether or not communication to the + // UseAnonymousAuthentication controls whether communication to the // kubelet over the secure port is unauthenticated. This option is mutually // exclusive with other authentication configuration fields TokenPath, // CertificatePath, and PrivateKeyPath. diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go index 4f6b996833..9985cb3843 100644 --- a/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go +++ b/pkg/agent/plugin/workloadattestor/k8s/k8s_posix.go @@ -103,7 +103,7 @@ var cgroupREs = []*regexp.Regexp{ // cgroup name. It assumes that any ".scope" suffix has been trimmed off // beforehand. CAUTION: we used to verify that the pod and container id were // descendants of a kubepods directory, however, as of Kubernetes 1.21, cgroups - // namespaces are in use and therefore we can no longer discern if that is the + // namespaces are in use, and therefore we can no longer discern if that is the // case from within SPIRE agent container (since the container itself is // namespaced). As such, the regex has been relaxed to simply find the pod UID // followed by the container ID with allowances for arbitrary punctuation, and diff --git a/pkg/agent/svid/rotator.go b/pkg/agent/svid/rotator.go index 0b66fe3df9..ca8324e6b6 100644 --- a/pkg/agent/svid/rotator.go 
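Review bot: The reworded doc on SkipKubeletVerification in the HCLConfig hunk says only that it `controls whether the plugin will verify the certificate presented by the kubelet` and never says what a true value gives up. This attestor presumably builds workload selectors from what the kubelet reports, so skipping certificate verification would let anything answering on the kubelet's secure port supply pod data; the comment should carry that warning, e.g. `// SkipKubeletVerification controls whether the plugin will verify the certificate presented by the kubelet. Setting it disables TLS authentication of the kubelet and is only appropriate for trusted test environments.` The HCLConfig struct begins and ends outside the hunk.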
+++ b/pkg/agent/svid/rotator.go @@ -268,7 +268,7 @@ func (r *rotator) reattest(ctx context.Context) (err error) { r.state.Update(s) r.tainted = false - // We must release the client because its underlaying connection is tied to an + // We must release the client because its underlying connection is tied to an // expired SVID, so next time the client is used, it will get a new connection with // the most up-to-date SVID. r.client.Release() @@ -316,7 +316,7 @@ func (r *rotator) rotateSVID(ctx context.Context) (err error) { r.state.Update(s) r.tainted = false - // We must release the client because its underlaying connection is tied to an + // We must release the client because its underlying connection is tied to an // expired SVID, so next time the client is used, it will get a new connection with // the most up-to-date SVID. r.client.Release() diff --git a/pkg/agent/svid/store/service_test.go b/pkg/agent/svid/store/service_test.go index b8b9428c3d..c3219b5077 100644 --- a/pkg/agent/svid/store/service_test.go +++ b/pkg/agent/svid/store/service_test.go @@ -161,7 +161,7 @@ func TestRunDeleteSecrets(t *testing.T) { // readyRecords list of records that are ready to be stored readyRecords []*storecache.Record // stores is a list of configured SVIDStores, - // it contains the list of expected configurations to be send + // it contains the list of expected configurations to be sent stores map[string]*fakeSVIDStore // logs is the list of expected logs logs []spiretest.LogEntry diff --git a/pkg/common/api/middleware/middleware.go b/pkg/common/api/middleware/middleware.go index 47d6541ba9..1c751f4079 100644 --- a/pkg/common/api/middleware/middleware.go +++ b/pkg/common/api/middleware/middleware.go 
@@ -25,7 +25,7 @@ type Middleware interface { Postprocess(ctx context.Context, fullMethod string, handlerInvoked bool, rpcErr error) } -// Preprocess creates a middleware from a function that does preprocessing only. +// Preprocess creates a middleware from a function that does pre-processing only. func Preprocess(fn PreprocessFunc) Middleware { return funcs{ preprocess: fn, diff --git a/pkg/common/bundleutil/bundle.go b/pkg/common/bundleutil/bundle.go index 592c348648..8290160eed 100644 --- a/pkg/common/bundleutil/bundle.go +++ b/pkg/common/bundleutil/bundle.go @@ -178,7 +178,7 @@ func MergeBundles(a, b *common.Bundle) (*common.Bundle, bool) { } // PruneBundle removes the bundle RootCAs and JWT keys that expired before a given time -// It returns an error if prunning results in a bundle with no CAs or keys +// It returns an error if pruning results in a bundle with no CAs or keys func PruneBundle(bundle *common.Bundle, expiration time.Time, log logrus.FieldLogger) (*common.Bundle, bool, error) { if bundle == nil { return nil, false, errors.New("current bundle is nil") diff --git a/pkg/common/catalog/catalog.go b/pkg/common/catalog/catalog.go index ddc8d76b6f..d1ce9cd413 100644 --- a/pkg/common/catalog/catalog.go +++ b/pkg/common/catalog/catalog.go @@ -65,7 +65,7 @@ type Version interface { // by the plugin. New() Facade - // Deprecated returns whether or not the version is deprecated. + // Deprecated returns whether the version is deprecated. Deprecated() bool } @@ -202,7 +202,7 @@ func Load(ctx context.Context, config Config, repo Repository) (_ *Catalog, err pluginCounts[pluginConfig.Type]++ } - // Make sure all of the plugin constraints are satisfied + // Make sure all plugin constraints are satisfied for pluginType, pluginRepo := range pluginRepos { if err := pluginRepo.Constraints().Check(pluginCounts[pluginType]); err != nil { return nil, fmt.Errorf("plugin type %q constraint not satisfied: %w", pluginType, err) 
diff --git a/pkg/common/cli/env.go b/pkg/common/cli/env.go index e3d6ebb8ef..479cc2052d 100644 --- a/pkg/common/cli/env.go +++ b/pkg/common/cli/env.go @@ -16,7 +16,7 @@ var ( } ) -// Env provides an pluggable environment for CLI commands that facilitates easy +// Env provides a pluggable environment for CLI commands that facilitates easy // testing. type Env struct { Stdin io.Reader diff --git a/pkg/common/cliprinter/flag_test.go b/pkg/common/cliprinter/flag_test.go index 01fca6a808..c321716bd5 100644 --- a/pkg/common/cliprinter/flag_test.go +++ b/pkg/common/cliprinter/flag_test.go @@ -83,7 +83,7 @@ func TestAppendFlag(t *testing.T) { t.Fatalf("got unexpected error: %v", err) } - // If we received an error and we expected it, then we're + // If we received an error, and we expected it, then we're // done with this test case return } diff --git a/pkg/common/container/process/helper.go b/pkg/common/container/process/helper.go index 8c01f2c5ca..785073af00 100644 --- a/pkg/common/container/process/helper.go +++ b/pkg/common/container/process/helper.go @@ -193,7 +193,7 @@ func (h *helper) getJobName(handle SystemHandleInformationExItem, currentProcess return "", fmt.Errorf("failed to get object name: %w", err) } - // Jobs created on windows environments start with "\Container_" + // Jobs created on Windows environments start with "\Container_" if !strings.HasPrefix(objectName, containerPrefix) { return "", nil } diff --git a/pkg/common/containerinfo/extract.go b/pkg/common/containerinfo/extract.go index e18e4cccf5..a60a3930cb 100644 --- a/pkg/common/containerinfo/extract.go +++ b/pkg/common/containerinfo/extract.go 
@@ -225,7 +225,7 @@ func (e *extractor) extract(cgroupPathOrMountRoot string) (types.UID, string) { // The container ID is typically in the last segment but in some cases // there can other path segments that come after. Further, some // combinations of kubernetes/cgroups driver/cgroups version/container - // runtime, etc, use colon separators between the pod UID and containerID, + // runtime, etc., use colon separators between the pod UID and containerID, // which means they can end up in the same segment together. // // The basic algorithm is to walk backwards through the path segments until @@ -265,7 +265,7 @@ func (e *extractor) extract(cgroupPathOrMountRoot string) (types.UID, string) { } // If the container ID occupied the beginning of the last segment, then - // that segment is consumed and we should grab the next one. + // that segment is consumed, and we should grab the next one. if segment == "" { rest, segment = stripSegment(rest) } diff --git a/pkg/common/coretypes/bundle/bundle_test.go b/pkg/common/coretypes/bundle/bundle_test.go index d297393f5d..f07b876564 100644 --- a/pkg/common/coretypes/bundle/bundle_test.go +++ b/pkg/common/coretypes/bundle/bundle_test.go @@ -66,7 +66,7 @@ MWnIPs59/JF8AiBeKSM/rkL2igQchDTvlJJWsyk9YL8UZI/XfZO7907TWA== RefreshHint: 1, SequenceNumber: 2, } - apiInvalidJWTAutorities = &apitypes.Bundle{ + apiInvalidJWTAuthorities = &apitypes.Bundle{ TrustDomain: "example.org", X509Authorities: apiX509AuthoritiesGood, JwtAuthorities: apiJWTAuthoritiesBad, @@ -132,7 +132,7 @@ MWnIPs59/JF8AiBeKSM/rkL2igQchDTvlJJWsyk9YL8UZI/XfZO7907TWA== RefreshHint: 1, SequenceNumber: 2, } - pluginInvalidJWTAutorities = &plugintypes.Bundle{ + pluginInvalidJWTAuthorities = &plugintypes.Bundle{ TrustDomain: "example.org", X509Authorities: pluginX509AuthoritiesGood, JwtAuthorities: pluginJWTAuthoritiesBad, 
@@ -170,7 +170,7 @@ func TestToPluginFromAPIProto(t *testing.T) { assertOK(t, apiGood, pluginGood) assertFail(t, apiInvalidTD, "malformed trust domain:") assertFail(t, apiInvalidX509Authorities, "invalid X.509 authority: failed to parse X.509 certificate data: ") - assertFail(t, apiInvalidJWTAutorities, "invalid JWT authority: missing key ID for JWT key") + assertFail(t, apiInvalidJWTAuthorities, "invalid JWT authority: missing key ID for JWT key") assertOK(t, nil, nil) } @@ -192,7 +192,7 @@ func TestToCommonFromPluginProto(t *testing.T) { assertOK(t, pluginGood, commonGood) assertFail(t, pluginInvalidTD, "malformed trust domain:") assertFail(t, pluginInvalidX509Authorities, "invalid X.509 authority: failed to parse X.509 certificate data: ") - assertFail(t, pluginInvalidJWTAutorities, "invalid JWT authority: missing key ID for JWT key") + assertFail(t, pluginInvalidJWTAuthorities, "invalid JWT authority: missing key ID for JWT key") assertOK(t, nil, nil) } diff --git a/pkg/common/errorutil/wrapper.go b/pkg/common/errorutil/wrapper.go index 3b9bec87b6..b3a44026d1 100644 --- a/pkg/common/errorutil/wrapper.go +++ b/pkg/common/errorutil/wrapper.go @@ -10,7 +10,7 @@ import ( // WrapError creates a new error in the format: ": ". // This function is intended to be used to wrap errors -// when an error is received from calling a function/method inside of a function or private method. +// when an error is received from calling a function/method inside a function or private method. func WrapError(err error, newErrStr string) error { return fmt.Errorf(newErrStr+": %v", err) } diff --git a/pkg/common/fflag/fflag.go b/pkg/common/fflag/fflag.go index 870b47e330..fd753c0b83 100644 --- a/pkg/common/fflag/fflag.go +++ b/pkg/common/fflag/fflag.go 
@@ -98,7 +98,7 @@ func Unload() error { return nil } -// IsSet can be used to determine whether or not a particular feature flag is +// IsSet can be used to determine whether a particular feature flag is // set. func IsSet(f Flag) bool { singleton.mtx.RLock() diff --git a/pkg/common/health/cache.go b/pkg/common/health/cache.go index 710efcaa78..350c5dad3d 100644 --- a/pkg/common/health/cache.go +++ b/pkg/common/health/cache.go @@ -157,7 +157,7 @@ func (c *cache) setStatus(name string, prevState checkState, state checkState) { c.mtx.Lock() defer c.mtx.Unlock() - // We are sure that checker exist in this place, to be able to check + // We are sure that checker exists in this place, to be able to check // status of a subsystem we must call the checker inside this map c.checkerSubsystems[name].state = state } diff --git a/pkg/common/health/health.go b/pkg/common/health/health.go index 0ba28ecf4f..11d7e4e3e6 100644 --- a/pkg/common/health/health.go +++ b/pkg/common/health/health.go @@ -25,12 +25,12 @@ const ( // State is the health state of a subsystem. type State struct { - // Live is whether or not the subsystem is live (i.e. in a good state + // Live is whether the subsystem is live (i.e. in a good state // or in a state it can recover from while remaining alive). Global // liveness is only reported true if all subsystems report live. Live bool - // Ready is whether or not the subsystem is ready (i.e. ready to perform + // Ready is whether the subsystem is ready (i.e. ready to perform // its function). Global readiness is only reported true if all subsystems // report ready. Ready bool diff --git a/pkg/common/health/health_test.go b/pkg/common/health/health_test.go index c7d9127f43..2d701a0074 100644 --- a/pkg/common/health/health_test.go +++ b/pkg/common/health/health_test.go 
@@ -38,7 +38,7 @@ func TestCheckerListeners(t *testing.T) { servableChecker := NewChecker(config, log) - fooCheker := &fakeCheckable{ + fooChecker := &fakeCheckable{ state: State{ Live: true, Ready: true, @@ -46,7 +46,7 @@ func TestCheckerListeners(t *testing.T) { LiveDetails: healthDetails{}, }, } - err := servableChecker.AddCheck("foo", fooCheker) + err := servableChecker.AddCheck("foo", fooChecker) require.NoError(t, err) barChecker := &fakeCheckable{ @@ -106,8 +106,8 @@ func TestCheckerListeners(t *testing.T) { require.JSONEq(t, "{\"bar\":{},\"foo\":{}}\n", string(actual)) }) - fooCheker.state.Live = false - fooCheker.state.LiveDetails = healthDetails{Err: "live fails"} + fooChecker.state.Live = false + fooChecker.state.LiveDetails = healthDetails{Err: "live fails"} barChecker.state.Ready = false barChecker.state.ReadyDetails = healthDetails{Err: "ready fails"} diff --git a/pkg/common/idutil/require.go b/pkg/common/idutil/require.go index e1caf5169c..e0ca9fff0f 100644 --- a/pkg/common/idutil/require.go +++ b/pkg/common/idutil/require.go @@ -6,7 +6,7 @@ import ( ) // RequireIDProtoString constructs a SPIFFE ID string for the given ID proto. -// It panics if the proto is not well formed. +// It panics if the proto is not well-formed. func RequireIDProtoString(id *types.SPIFFEID) string { out, err := IDProtoString(id) panicOnErr(err) @@ -14,7 +14,7 @@ func RequireIDProtoString(id *types.SPIFFEID) string { } // RequireIDFromProto returns a SPIFFE ID from the proto representation. It -// panics if the proto is not well formed. +// panics if the proto is not well-formed. func RequireIDFromProto(id *types.SPIFFEID) spiffeid.ID { out, err := IDFromProto(id) panicOnErr(err) diff --git a/pkg/common/peertracker/peertracker_test_windows.go b/pkg/common/peertracker/peertracker_test_windows.go index 44fcbfd46b..3a34c1a7d2 100644 --- a/pkg/common/peertracker/peertracker_test_windows.go +++ b/pkg/common/peertracker/peertracker_test_windows.go 
@@ -38,7 +38,7 @@ func (f *fakePeer) killGrandchild() { } // Wait for the process to exit, so we are sure that we can - // cleanup the directory containing the executable + // clean up the directory containing the executable if _, err := process.Wait(); err != nil { f.t.Fatalf("wait failed: %v", err) } diff --git a/pkg/common/pemutil/block.go b/pkg/common/pemutil/block.go index b380286330..795c8c037d 100644 --- a/pkg/common/pemutil/block.go +++ b/pkg/common/pemutil/block.go @@ -51,7 +51,7 @@ func parseBlock(pemBytes []byte, expectedTypes ...string) (*Block, error) { } func parseBlocks(pemBytes []byte, expectedCount int, expectedTypes ...string) (blocks []Block, err error) { - for blockno := 1; ; blockno++ { + for blockNumber := 1; ; blockNumber++ { var pemBlock *pem.Block pemBlock, pemBytes = pem.Decode(pemBytes) if pemBlock == nil { @@ -101,7 +101,7 @@ func parseBlocks(pemBytes []byte, expectedCount int, expectedTypes ...string) (b block.Object, err = x509.ParsePKIXPublicKey(pemBlock.Bytes) } if err != nil { - return nil, fmt.Errorf("unable to parse %q PEM block %d: %w", pemBlock.Type, blockno, err) + return nil, fmt.Errorf("unable to parse %q PEM block %d: %w", pemBlock.Type, blockNumber, err) } blocks = append(blocks, block) diff --git a/pkg/common/protoutil/masks.go b/pkg/common/protoutil/masks.go index 1dc734c1b1..91ce3455ff 100644 --- a/pkg/common/protoutil/masks.go +++ b/pkg/common/protoutil/masks.go @@ -25,7 +25,7 @@ func MakeAllTrueMask(m proto.Message) proto.Message { for i := 0; i < v.NumField(); i++ { ft := t.Field(i) fv := v.Field(i) - // Skip the protobuf internal fields or those that aren't bool's + // Skip the protobuf internal fields or those that aren't bools if strings.HasPrefix(ft.Name, "XXX_") || ft.Type.Kind() != reflect.Bool { continue } diff --git a/pkg/common/selector/selector_test.go b/pkg/common/selector/selector_test.go index 61fef8dd1e..9c011a1de3 100644 --- a/pkg/common/selector/selector_test.go 
+++ b/pkg/common/selector/selector_test.go @@ -7,7 +7,7 @@ import ( "github.com/stretchr/testify/assert" ) -func TestValiate(t *testing.T) { +func TestValidate(t *testing.T) { tests := []struct { name string selectorType string diff --git a/pkg/common/telemetry/names.go b/pkg/common/telemetry/names.go index 7038e7f0b4..2ee2dfc43e 100644 --- a/pkg/common/telemetry/names.go +++ b/pkg/common/telemetry/names.go @@ -269,10 +269,10 @@ const ( // ElapsedTime tags some duration of time. ElapsedTime = "elapsed_time" - // EntryAdded is the counter key for when a entry is added to LRU cache + // EntryAdded is the counter key for when an entry is added to LRU cache EntryAdded = "lru_cache_entry_add" - // EntryRemoved is the counter key for when a entry is removed from LRU cache + // EntryRemoved is the counter key for when an entry is removed from LRU cache EntryRemoved = "lru_cache_entry_remove" // EntryUpdated is the counter key for when an LRU cache entry is updated @@ -463,7 +463,7 @@ const ( // RecordMapSize is the gauge key to hold the size of the LRU cache entries map RecordMapSize = "lru_cache_record_map_size" - // Reconfigurable tags whether or not something is reconfigurable. + // Reconfigurable tags whether something is reconfigurable. Reconfigurable = "reconfigurable" // RefreshHint tags a bundle refresh hint @@ -479,7 +479,7 @@ const ( // RegistrationEntry tags a registration entry RegistrationEntry = "registration_entry" - // RegistrationEntryEvent is a notice a registration entry has been create, modified, or deleted + // RegistrationEntryEvent is a notice a registration entry has been created, modified, or deleted RegistrationEntryEvent = "registration_entry_event" // RequestID tags a request identifier 
@@ -516,7 +516,7 @@ const ( // SelectorsRemoved labels some count of selectors that have been removed from an entity SelectorsRemoved = "selectors_removed" - // SelfSigned tags whether or not some entity is self-signed + // SelfSigned tags whether some entity is self-signed SelfSigned = "self_signed" // SendJWTBundleLatency tags latency for sending JWT bundle diff --git a/pkg/common/util/addr.go b/pkg/common/util/addr.go index 88997e78bc..dd7d3834cb 100644 --- a/pkg/common/util/addr.go +++ b/pkg/common/util/addr.go @@ -28,7 +28,7 @@ func GetUnixAddr(name string) *net.UnixAddr { } } -// GetTargetName gets the fully qualified, self contained name used +// GetTargetName gets the fully qualified, self-contained name used // for gRPC channel construction. Supported networks are unix and tcp. // Unix paths must be absolute. func GetTargetName(addr net.Addr) (string, error) { diff --git a/pkg/common/util/certs.go b/pkg/common/util/certs.go index 930cebf7c2..0ae6304884 100644 --- a/pkg/common/util/certs.go +++ b/pkg/common/util/certs.go @@ -37,7 +37,7 @@ func LoadCertificates(path string) ([]*x509.Certificate, error) { } var certs []*x509.Certificate - for blockno := 0; ; blockno++ { + for blockNumber := 0; ; blockNumber++ { var block *pem.Block block, rest = pem.Decode(rest) if block == nil { @@ -49,7 +49,7 @@ func LoadCertificates(path string) ([]*x509.Certificate, error) { cert, err := x509.ParseCertificate(block.Bytes) if err != nil { - return nil, fmt.Errorf("unable to parse certificate in block %d: %w", blockno, err) + return nil, fmt.Errorf("unable to parse certificate in block %d: %w", blockNumber, err) } certs = append(certs, cert) } diff --git a/pkg/common/util/task.go b/pkg/common/util/task.go index 27584f17f7..4b0e9db263 100644 --- a/pkg/common/util/task.go +++ b/pkg/common/util/task.go 
@@ -7,7 +7,7 @@ import ( "sync" ) -// RunTasks executes all of the provided functions concurrently and waits for +// RunTasks executes all the provided functions concurrently and waits for // them all to complete. If a function returns an error, all other functions // are canceled (i.e. the context they are passed is canceled) and the error is // returned. If all functions finish to completion successfully, RunTasks @@ -58,7 +58,7 @@ func RunTasks(ctx context.Context, tasks ...func(context.Context) error) error { return nil } -// SerialRun executes all of the provided functions serially. +// SerialRun executes all the provided functions serially. // If all functions finish to completion successfully, SerialRun // returns nil. If the context passed to SerialRun is canceled // then each function is canceled and SerialRun returns ctx.Err(). diff --git a/pkg/common/x509svid/uniqueid.go b/pkg/common/x509svid/uniqueid.go index b837c1331b..210f27a675 100644 --- a/pkg/common/x509svid/uniqueid.go +++ b/pkg/common/x509svid/uniqueid.go @@ -14,7 +14,7 @@ var ( uniqueIDOID = asn1.ObjectIdentifier{2, 5, 4, 45} ) -// UniqueIDAttribute returns a X.500 Unique ID attribute (OID 2.5.4.45) for the +// UniqueIDAttribute returns an X.500 Unique ID attribute (OID 2.5.4.45) for the // given SPIFFE ID for inclusion in an X509-SVID to satisfy RFC 5280 // requirements that the subject "DN MUST be unique for each subject entity // certified by the one CA as defined by the issuer field" (see issue #3110 for diff --git a/pkg/common/x509util/cert.go b/pkg/common/x509util/cert.go index 2cfb4ba216..637c84b706 100644 --- a/pkg/common/x509util/cert.go +++ b/pkg/common/x509util/cert.go 
@@ -11,11 +11,11 @@ import ( ) const ( - unknowAuthorityErr = "x509: certificate signed by unknown authority" + unknownAuthorityErr = "x509: certificate signed by unknown authority" ) -func CreateCertificate(template, parent *x509.Certificate, pub, priv any) (*x509.Certificate, error) { - certDER, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv) +func CreateCertificate(template, parent *x509.Certificate, publicKey, privateKey any) (*x509.Certificate, error) { + certDER, err := x509.CreateCertificate(rand.Reader, template, parent, publicKey, privateKey) if err != nil { return nil, err } @@ -79,7 +79,7 @@ func RawCertsFromCertificates(certs []*x509.Certificate) [][]byte { return rawCerts } -// IsUnknownAuthorityError returns tru if the Server returned an unknow authority error when verifying +// IsUnknownAuthorityError returns tru if the Server returned an unknown authority error when verifying // presented SVID func IsUnknownAuthorityError(err error) bool { if err == nil { @@ -87,7 +87,7 @@ func IsUnknownAuthorityError(err error) bool { } // Since it is an rpc error we are unable to use errors.As since it is not possible to unwrap - return strings.Contains(err.Error(), unknowAuthorityErr) + return strings.Contains(err.Error(), unknownAuthorityErr) } // IsSignedByRoot checks if the provided certificate chain is signed by one of the specified root CAs. diff --git a/pkg/server/api/audit/audit.go b/pkg/server/api/audit/audit.go index f9d1b83879..5ef806434d 100644 --- a/pkg/server/api/audit/audit.go +++ b/pkg/server/api/audit/audit.go @@ -67,7 +67,7 @@ func fieldsFromStatus(s *types.Status) logrus.Fields { func fieldsFromError(err error) logrus.Fields { fields := logrus.Fields{} - // Unknown status is returned for non proto status + // Unknown status is returned for non-proto status statusErr, _ := status.FromError(err) switch { case statusErr.Code() == codes.OK: 
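Review bot: The doc comment on IsUnknownAuthorityError still reads `returns tru if`; the hunk fixes `unknow` on the same line but leaves that typo, so the line should become `// IsUnknownAuthorityError returns true if the Server returned an unknown authority error when verifying`. Separately, the renamed constant unknownAuthorityErr is matched with strings.Contains against err.Error() because, as the in-code comment says, errors.As cannot unwrap the RPC error, so the literal has to track Go's crypto/x509 message text exactly; a note on the constant such as `// must match the error text crypto/x509 emits for a chain with no trusted root` would warn the next person who edits it that this is a load-bearing string, not just a message.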
diff --git a/pkg/server/api/debug/v1/service.go b/pkg/server/api/debug/v1/service.go index 163be708d3..216a7e2154 100644 --- a/pkg/server/api/debug/v1/service.go +++ b/pkg/server/api/debug/v1/service.go @@ -76,7 +76,7 @@ func (s *Service) GetInfo(ctx context.Context, _ *debugv1.GetInfoRequest) (*debu s.getInfoResp.mtx.Lock() defer s.getInfoResp.mtx.Unlock() - // Update cache when expired or does not exists + // Update cache when expired or does not exist if s.getInfoResp.ts.IsZero() || s.clock.Now().Sub(s.getInfoResp.ts) >= cacheExpiry { nodes, err := s.ds.CountAttestedNodes(ctx, &datastore.CountAttestedNodesRequest{}) if err != nil { diff --git a/pkg/server/api/entry/v1/service.go b/pkg/server/api/entry/v1/service.go index 7cfeadcbfa..637691894f 100644 --- a/pkg/server/api/entry/v1/service.go +++ b/pkg/server/api/entry/v1/service.go @@ -515,7 +515,7 @@ func SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer, ent } // Sort the requested IDs for efficient lookups into the sorted entry - // list. Agents SHOULD already send the list sorted but we need to + // list. Agents SHOULD already send the list sorted, but we need to // make sure they are sorted for correctness of the search loop below. // The go stdlib sorting algorithm performs well on pre-sorted data. slices.Sort(req.Ids) diff --git a/pkg/server/api/entry/v1/service_test.go b/pkg/server/api/entry/v1/service_test.go index 3f98469bf1..b8bb18d7e0 100644 --- a/pkg/server/api/entry/v1/service_test.go +++ b/pkg/server/api/entry/v1/service_test.go @@ -3410,7 +3410,7 @@ func FuzzSyncAuthorizedStreams(f *testing.F) { require.False(t, resp.More) actualIDs = appendEntryIDs(actualIDs, resp.Entries) - // Ensure that all of the entries were received that were requested + // Ensure that all the entries were received that were requested sort.Strings(staleIDs) require.Equal(t, staleIDs, actualIDs) diff --git a/pkg/server/api/entry_test.go b/pkg/server/api/entry_test.go index dbfa9fb5fc..d0ae6de23b 100644 
--- a/pkg/server/api/entry_test.go +++ b/pkg/server/api/entry_test.go @@ -38,7 +38,7 @@ func TestRegistrationEntryToProto(t *testing.T) { }, FederatesWith: []string{ "spiffe://domain1.com", - // common registration entries use the trust domain ID but + // common registration entries use the trust domain ID, but // we should assert that they are normalized to trust // domain name either way. "domain2.com", @@ -136,7 +136,7 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { }, FederatesWith: []string{ "domain1.com", - // types entries use the trust domain name but we should + // types entries use the trust domain name, but we should // assert that they are normalized to trust domain ID // either way. "spiffe://domain2.com", @@ -205,7 +205,7 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { }, FederatesWith: []string{ "domain1.com", - // types entries use the trust domain name but we should + // types entries use the trust domain name, but we should // assert that they are normalized to trust domain ID // either way. "spiffe://domain2.com", @@ -255,7 +255,7 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { }, FederatesWith: []string{ "domain1.com", - // types entries use the trust domain name but we should + // types entries use the trust domain name, but we should // assert that they are normalized to trust domain ID // either way. "spiffe://domain2.com", @@ -305,7 +305,7 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { }, FederatesWith: []string{ "domain1.com", - // types entries use the trust domain name but we should + // types entries use the trust domain name, but we should // assert that they are normalized to trust domain ID // either way. "spiffe://domain2.com", 
@@ -398,7 +398,7 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { Selectors: []*types.Selector{}, FederatesWith: []string{ "domain1.com", - // types entries use the trust domain name but we should + // types entries use the trust domain name, but we should // assert that they are normalized to trust domain ID // either way. "spiffe://domain2.com", @@ -448,7 +448,7 @@ func TestProtoToRegistrationEntryWithMask(t *testing.T) { }, FederatesWith: []string{ "domain1.com", - // types entries use the trust domain name but we should + // types entries use the trust domain name, but we should // assert that they are normalized to trust domain ID // either way. "spiffe://domain2.com", @@ -504,7 +504,7 @@ func TestProtoToRegistrationEntry(t *testing.T) { }, FederatesWith: []string{ "domain1.com", - // types entries use the trust domain name but we should + // types entries use the trust domain name, but we should // assert that they are normalized to trust domain ID // either way. "spiffe://domain2.com", diff --git a/pkg/server/api/id_test.go b/pkg/server/api/id_test.go index 088366a025..639b3d32d0 100644 --- a/pkg/server/api/id_test.go +++ b/pkg/server/api/id_test.go @@ -29,7 +29,7 @@ func TestIDFromProto(t *testing.T) { expectLogs []spiretest.LogEntry } - // These test cases are common to all of the *IDFromProto methods + // These test cases are common to all the *IDFromProto methods baseCases := []testCase{ { name: "no SPIFFE ID", @@ -47,7 +47,7 @@ func TestIDFromProto(t *testing.T) { }, } - // runTests exercises all of the test cases against the given function + // runTests exercises all the test cases against the given function runTests := func(t *testing.T, fn func(ctx context.Context, td spiffeid.TrustDomain, protoID *types.SPIFFEID) (spiffeid.ID, error), testCases []testCase) { for _, testCase := range append(baseCases, testCases...) { testCase := testCase 
diff --git a/pkg/server/api/localauthority/v1/service_test.go b/pkg/server/api/localauthority/v1/service_test.go index f09ba7556d..ca240db741 100644 --- a/pkg/server/api/localauthority/v1/service_test.go +++ b/pkg/server/api/localauthority/v1/service_test.go @@ -1608,7 +1608,7 @@ func TestTaintX509Authority(t *testing.T) { func TestTaintX509UpstreamAuthority(t *testing.T) { getUpstreamCertAndSubjectID := func(ca *testca.CA) (*x509.Certificate, string) { - // Self signed CA will return itself + // Self-signed CA will return itself cert := ca.X509Authorities()[0] return cert, x509util.SubjectKeyIDToString(cert.SubjectKeyId) } @@ -2158,7 +2158,7 @@ func TestRevokeX509Authority(t *testing.T) { func TestRevokeX509UpstreamAuthority(t *testing.T) { getUpstreamCertAndSubjectID := func(ca *testca.CA) (*x509.Certificate, string) { - // Self signed CA will return itself + // Self-signed CA will return itself cert := ca.X509Authorities()[0] return cert, x509util.SubjectKeyIDToString(cert.SubjectKeyId) } diff --git a/pkg/server/api/logger/v1/service_test.go b/pkg/server/api/logger/v1/service_test.go index 4f602c226a..d3731b7aae 100644 --- a/pkg/server/api/logger/v1/service_test.go +++ b/pkg/server/api/logger/v1/service_test.go @@ -35,7 +35,7 @@ func TestGetLogger(t *testing.T) { CurrentLevel: apitype.LogLevel_PANIC, LaunchLevel: apitype.LogLevel_PANIC, }, - // no outputted log messages, as the are at INFO level + // no outputted log messages, as they are at INFO level expectedLogs: nil, }, { @@ -46,7 +46,7 @@ func TestGetLogger(t *testing.T) { CurrentLevel: apitype.LogLevel_FATAL, LaunchLevel: apitype.LogLevel_FATAL, }, - // no outputted log messages, as the are at INFO level + // no outputted log messages, as they are at INFO level expectedLogs: nil, }, { 
@@ -57,7 +57,7 @@ func TestGetLogger(t *testing.T) { CurrentLevel: apitype.LogLevel_ERROR, LaunchLevel: apitype.LogLevel_ERROR, }, - // no outputted log messages, as the are at INFO level + // no outputted log messages, as they are at INFO level expectedLogs: nil, }, { @@ -68,7 +68,7 @@ func TestGetLogger(t *testing.T) { CurrentLevel: apitype.LogLevel_WARN, LaunchLevel: apitype.LogLevel_WARN, }, - // no outputted log messages, as the are at INFO level + // no outputted log messages, as they are at INFO level expectedLogs: nil, }, { diff --git a/pkg/server/api/middleware/ratelimit.go b/pkg/server/api/middleware/ratelimit.go index 9d6b010742..383d8864d5 100644 --- a/pkg/server/api/middleware/ratelimit.go +++ b/pkg/server/api/middleware/ratelimit.go @@ -128,10 +128,10 @@ type perIPLimiter struct { mtx sync.RWMutex - // previous holds all of the limiters that were current at the GC + // previous holds all the limiters that were current at the GC previous map[string]rawRateLimiter - // current holds all of the limiters that have been created or moved + // current holds all the limiters that have been created or moved // from the previous limiters since the last GC. current map[string]rawRateLimiter @@ -242,7 +242,7 @@ func logLimiterMisuse(ctx context.Context, rateLimiter api.RateLimiter, used boo case noLimit: // RPC should not invoke the rate limiter, since that would imply a // misconfiguration. Either the RPC is wrong, or the middleware is - // wrong as to whether or not the RPC should rate limit. + // wrong as to whether the RPC should rate limit. if used { middleware.LogMisconfiguration(ctx, "Rate limiter used unexpectedly; this is a bug") } diff --git a/pkg/server/api/middleware/ratelimit_test.go b/pkg/server/api/middleware/ratelimit_test.go index 9f5217cffa..443c051d45 100644 --- a/pkg/server/api/middleware/ratelimit_test.go +++ b/pkg/server/api/middleware/ratelimit_test.go 
@@ -129,7 +129,7 @@ func TestPerIPLimitGC(t *testing.T) { require.NoError(t, m.RateLimit(tcpCallerContext("4.4.4.4"), 1)) require.Equal(t, 4, limiters.Count) - // Use all of the limiters but 2.2.2.2 and make sure the limiter count is stable. + // Use all the limiters but 2.2.2.2 and make sure the limiter count is stable. require.NoError(t, m.RateLimit(tcpCallerContext("1.1.1.1"), 1)) require.NoError(t, m.RateLimit(tcpCallerContext("3.3.3.3"), 1)) require.NoError(t, m.RateLimit(tcpCallerContext("4.4.4.4"), 1)) diff --git a/pkg/server/api/svid/v1/service.go b/pkg/server/api/svid/v1/service.go index ae70fd69e2..0b04139178 100644 --- a/pkg/server/api/svid/v1/service.go +++ b/pkg/server/api/svid/v1/service.go @@ -449,7 +449,7 @@ func (s Service) fieldsFromJWTSvidParams(ctx context.Context, protoID *types.SPI telemetry.TTL: ttl, } if protoID != nil { - // Dont care about parsing error + // Don't care about parsing error id, err := api.TrustDomainWorkloadIDFromProto(ctx, s.td, protoID) if err == nil { fields[telemetry.SPIFFEID] = id.String() diff --git a/pkg/server/authorizedentries/agent.go b/pkg/server/authorizedentries/agent.go index 2a58326350..37876aa0c9 100644 --- a/pkg/server/authorizedentries/agent.go +++ b/pkg/server/authorizedentries/agent.go @@ -3,7 +3,7 @@ package authorizedentries type agentRecord struct { ID string - // ExpiresAt is seconds since unix epoch. Using intead of time.Time for + // ExpiresAt is seconds since unix epoch. Using instead of time.Time for // reduced memory usage and better cache locality. ExpiresAt int64 diff --git a/pkg/server/authorizedentries/cache.go b/pkg/server/authorizedentries/cache.go index bbf3c464cb..7a3261782b 100644 --- a/pkg/server/authorizedentries/cache.go +++ b/pkg/server/authorizedentries/cache.go 
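Review bot: The comment `// Don't care about parsing error` in the `@@ -449` hunk of svid/v1/service.go says what is ignored but not why that is safe, and this is the sort of line an auditor stops on: a malformed SPIFFE ID in the request silently yields no SPIFFEID telemetry field. If, as the function name suggests, this only populates log/telemetry fields and the RPC handler validates the ID separately, state it: `// A parse error is deliberately ignored: this only populates telemetry fields; the RPC itself validates the ID.` I could not confirm that separate validation from the hunk alone. fieldsFromJWTSvidParams starts outside the hunk.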
@@ -13,7 +13,7 @@ import ( ) const ( - // We can tweak these degrees to try and get optimal L1 cache use but + // We can tweak these degrees to try and get optimal L1 cache use, but // it's probably not worth it unless we have benchmarks showing that it // is a problem at scale in production. Initial benchmarking by myself // at similar scale to some of our bigger, existing deployments didn't diff --git a/pkg/server/authpolicy/policy_test.go b/pkg/server/authpolicy/policy_test.go index 4f9afd3a6b..dc91d0dfb5 100644 --- a/pkg/server/authpolicy/policy_test.go +++ b/pkg/server/authpolicy/policy_test.go @@ -418,7 +418,7 @@ func TestNewEngineFromRego(t *testing.T) { // We can't test for Eval failure because NewEngine is designed to // validate the policy so that it will not fail later on during // Eval, so failures of Eval will be purely system exceptions. - // Instead we test the cases that would fail Eval by testing the + // Instead, we test the cases that would fail Eval by testing the // creation of the new engine. name: "test validation of SPIRE required fields", rego: badEvalPolicy, diff --git a/pkg/server/ca/ca_health.go b/pkg/server/ca/ca_health.go index c4139e5314..607d8cec5c 100644 --- a/pkg/server/ca/ca_health.go +++ b/pkg/server/ca/ca_health.go @@ -37,7 +37,7 @@ func (h *caHealth) CheckHealth() health.State { }) } - // Both liveness and readiness are determined by whether or not the + // Both liveness and readiness are determined by whether the // x509 CA was successfully signed. ready := err == nil live := err == nil diff --git a/pkg/server/ca/manager/manager_test.go b/pkg/server/ca/manager/manager_test.go index f6112d940a..79462f00ec 100644 --- a/pkg/server/ca/manager/manager_test.go +++ b/pkg/server/ca/manager/manager_test.go 
@@ -592,7 +592,7 @@ func TestUpstreamIntermediateSigned(t *testing.T) { // The trust bundle should contain the upstream root test.requireBundleRootCAs(ctx, t, fakeUA.X509Root()) - // We expect this warning because the UpstreamAuthority doesn't implements PublishJWTKey + // We expect this warning because the UpstreamAuthority doesn't implement PublishJWTKey assert.Equal(t, 1, test.countLogEntries(logrus.WarnLevel, "UpstreamAuthority plugin does not support JWT-SVIDs. Workloads managed "+ diff --git a/pkg/server/ca/manager/slot.go b/pkg/server/ca/manager/slot.go index d47a0c9b39..cbfff8c768 100644 --- a/pkg/server/ca/manager/slot.go +++ b/pkg/server/ca/manager/slot.go @@ -134,7 +134,7 @@ func (s *SlotLoader) getX509CASlots(ctx context.Context, entries []*journal.X509 } // Unable to load slot - // TODO: the previous implementation analized only the last two entries, + // TODO: the previous implementation analyzed only the last two entries, // and if those slots were empty, we created new slots. // Now we iterate through all the file, to try to get a useful slot. // Maybe there is room for improvement here, by just verifying if the @@ -207,7 +207,7 @@ func (s *SlotLoader) getJWTKeysSlots(ctx context.Context, entries []*journal.JWT } // Unable to load slot - // TODO: the previous implementation analized only the last two entries, + // TODO: the previous implementation analyzed only the last two entries, // and if those slots were empty, we created new slots. // Now we iterate through all the file, to try to get a useful slot. // Maybe there is room for improvement here, by just verifying if the diff --git a/pkg/server/ca/manager/slot_test.go b/pkg/server/ca/manager/slot_test.go index 4f8eb784d1..bce068097d 100644 --- a/pkg/server/ca/manager/slot_test.go +++ b/pkg/server/ca/manager/slot_test.go 
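Review bot: The `@@ -134` hunk of slot.go fixes `analized` but leaves `Now we iterate through all the file` in the same TODO; what is meant is `// Now we iterate through the whole file, to try to get a useful slot.` The identical TODO paragraph is repeated verbatim in getJWTKeysSlots in the next hunk, so the same wording should be applied there. Both getX509CASlots and getJWTKeysSlots start outside the hunk.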
@@ -580,7 +580,7 @@ func TestJournalLoad(t *testing.T) { name: "There are another entries before Active entry", entries: &journal.Entries{ X509CAs: []*journal.X509CAEntry{ - // This can happens when force rotation is executed + // This can happen when force rotation is executed { SlotId: "A", IssuedAt: firstIssuedAtUnix, @@ -604,7 +604,7 @@ func TestJournalLoad(t *testing.T) { }, }, JwtKeys: []*journal.JWTKeyEntry{ - // This can happens when force rotation is executed + // This can happen when force rotation is executed { SlotId: "A", IssuedAt: firstIssuedAtUnix, diff --git a/pkg/server/cache/dscache/cache_test.go b/pkg/server/cache/dscache/cache_test.go index d23c2373ae..a433fcafa9 100644 --- a/pkg/server/cache/dscache/cache_test.go +++ b/pkg/server/cache/dscache/cache_test.go @@ -162,7 +162,7 @@ func TestBundleInvalidations(t *testing.T) { _, err = cache.FetchBundle(context.Background(), td) require.NoError(t, err) - // Run the function that invalidates the bundle (Prune, Append, etc) + // Run the function that invalidates the bundle (Prune, Append, etc.) // (which may or not fail according to dsFailure flag) if tt.dsFailure { ds.SetNextError(fmt.Errorf("failure")) diff --git a/pkg/server/credtemplate/builder.go b/pkg/server/credtemplate/builder.go index 32204aa082..150d2dd9e2 100644 --- a/pkg/server/credtemplate/builder.go +++ b/pkg/server/credtemplate/builder.go @@ -289,7 +289,7 @@ func (b *Builder) BuildWorkloadX509SVIDTemplate(ctx context.Context, params Work // The first DNS name is also added as the CN by default. This happens // even if the subject is provided explicitly in the params for backwards // compatibility. Ideally we wouldn't do override the subject in this - // case. It is still overridable via the credential composers however. + // case. It is still overridable via the credential composers, however. if len(params.DNSNames) > 0 { tmpl.Subject.CommonName = params.DNSNames[0] tmpl.DNSNames = params.DNSNames 
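Review bot: The `@@ -289` hunk of credtemplate/builder.go adds a comma to the last sentence but leaves the grammar error in the sentence before it: `Ideally we wouldn't do override the subject in this case.` I'd change that line to `// compatibility. Ideally we wouldn't override the subject in this`. This comment is worth getting right because it is the only place documenting that the first DNS name silently replaces an explicitly supplied subject CN, which an operator auditing issued SVIDs needs to be able to find. BuildWorkloadX509SVIDTemplate starts outside the hunk.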
diff --git a/pkg/server/credtemplate/builder_test.go b/pkg/server/credtemplate/builder_test.go index 627c8b0d1c..7ab426c458 100644 --- a/pkg/server/credtemplate/builder_test.go +++ b/pkg/server/credtemplate/builder_test.go @@ -68,7 +68,7 @@ func TestNewBuilderSetsDefaults(t *testing.T) { // Assert that the Clock and NewSerialNumber are not nil and then set them // to nil before comparing the whole config. Checking the whole config in a - // single equality check is more future proof but the defaults for these + // single equality check is more future-proof but the defaults for these // fields are hard to compare. assert.NotNil(t, config.Clock) config.Clock = nil @@ -105,7 +105,7 @@ func TestNewBuilderAllowsConfigOverrides(t *testing.T) { // Assert that the Clock and NewSerialNumber are not nil and then set them // to nil before comparing the whole config. Checking the whole config in a - // single equality check is more future proof but the defaults for these + // single equality check is more future-proof but the defaults for these // fields are hard to compare. assert.NotNil(t, configOut.Clock) configOut.Clock = nil diff --git a/pkg/server/datastore/sqldriver/awsrds/awsrds_test.go b/pkg/server/datastore/sqldriver/awsrds/awsrds_test.go index 5b9510a60f..e71218d741 100644 --- a/pkg/server/datastore/sqldriver/awsrds/awsrds_test.go +++ b/pkg/server/datastore/sqldriver/awsrds/awsrds_test.go @@ -328,7 +328,7 @@ func TestCacheToken(t *testing.T) { newTime := initialTime.Add(time.Second * time.Duration(ttl)) // nowFunc will subtract the clock skew from the new time, to make sure - // that we get a new token even if it's not expired but it's within the + // that we get a new token even if it's not expired, but it's within the // clock skew period. nowFunc = func() time.Time { return newTime.Add(-clockSkew) } diff --git a/pkg/server/datastore/sqlstore/migration.go b/pkg/server/datastore/sqlstore/migration.go index 344ea66659..df3e3504cb 100644 
--- a/pkg/server/datastore/sqlstore/migration.go +++ b/pkg/server/datastore/sqlstore/migration.go @@ -365,7 +365,7 @@ func migrateDB(db *gorm.DB, dbType string, disableMigration bool, log logrus.Fie } func isDisabledMigrationAllowed(thisCodeVersion, dbCodeVersion semver.Version) error { - // If auto-migrate is disabled and we are running a compatible version (+/- 1 + // If auto-migrate is disabled, and we are running a compatible version (+/- 1 // minor from the stored code version) then we are done here if !isCompatibleCodeVersion(thisCodeVersion, dbCodeVersion) { return errors.New("auto-migration must be enabled for current DB") diff --git a/pkg/server/datastore/sqlstore/models.go b/pkg/server/datastore/sqlstore/models.go index db91f27a45..c66f7e7436 100644 --- a/pkg/server/datastore/sqlstore/models.go +++ b/pkg/server/datastore/sqlstore/models.go @@ -176,7 +176,7 @@ type FederatedTrustDomain struct { // is "https_spiffe" EndpointSPIFFEID string - // Implicit indicates wether the trust domain automatically federates with + // Implicit indicates whether the trust domain automatically federates with // all registration entries by default or not. Implicit bool } diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go index cda5262b33..9b2f6a253a 100644 --- a/pkg/server/datastore/sqlstore/sqlstore.go +++ b/pkg/server/datastore/sqlstore/sqlstore.go @@ -2299,7 +2299,7 @@ func setNodeSelectors(tx *gorm.DB, spiffeID string, selectors []*common.Selector // deadlocks when SetNodeSelectors was being called concurrently. Changing // the transaction isolation level fixed the deadlocks but only when there // were no existing rows; the deadlocks still occurred when existing rows - // existed (i.e. re-attestation). Instead, gather all of the IDs to be + // existed (i.e. re-attestation). Instead, gather all the IDs to be // deleted and delete them from separate queries, which does not trigger // gap locks on the index. var ids []int64 
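Review bot: The comma inserted before `and` in the `@@ -365` hunk of migration.go makes the sentence read worse, not better: `If auto-migrate is disabled, and we are running a compatible version` splits the two halves of a single condition, which is exactly what the `isCompatibleCodeVersion` check below expresses. The original line was grammatical; I'd restore `// If auto-migrate is disabled and we are running a compatible version (+/- 1`. The same mechanical comma-before-conjunction appears in a few other hunks of this commit (`blocked, and we can simulate`, `once, and it didn't work`), so a consistency pass rather than a blanket rule seems warranted.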
@@ -4610,7 +4610,7 @@ func makeFederatesWith(tx *gorm.DB, ids []string) ([]*Bundle, error) { return nil, err } - // make sure all of the ids were found + // make sure all the ids were found idset := make(map[string]bool) for _, bundle := range bundles { idset[bundle.TrustDomain] = true diff --git a/pkg/server/endpoints/authorized_entryfetcher_attested_nodes_test.go b/pkg/server/endpoints/authorized_entryfetcher_attested_nodes_test.go index ba50386079..7e4b8b187d 100644 --- a/pkg/server/endpoints/authorized_entryfetcher_attested_nodes_test.go +++ b/pkg/server/endpoints/authorized_entryfetcher_attested_nodes_test.go @@ -29,7 +29,7 @@ var ( cachedAgentsByExpiresAt = []string{telemetry.Node, telemetry.AgentsByExpiresAtCache, telemetry.Count} skippedNodeEventID = []string{telemetry.Node, telemetry.SkippedNodeEventIDs, telemetry.Count} - // defaults used to setup a small initial load of attested nodes and events. + // defaults used to set up a small initial load of attested nodes and events. defaultAttestedNodes = []*common.AttestedNode{ { SpiffeId: "spiffe://example.org/test_node_2", @@ -1090,7 +1090,7 @@ func TestUpdateAttestedNodesCache(t *testing.T) { name string setup *nodeScenarioSetup createAttestedNodes []*common.AttestedNode // Nodes created after setup - deleteAttestedNodes []string // Nodes delted after setup + deleteAttestedNodes []string // Nodes deleted after setup fetchNodes []string expectedAuthorizedEntries []string 
@@ -1462,8 +1462,8 @@ func TestUpdateAttestedNodesCache(t *testing.T) { cacheStats := attestedNodes.cache.Stats() require.Equal(t, len(tt.expectedAuthorizedEntries), cacheStats.AgentsByID, "wrong number of agents by ID") - // for now, the only way to ensure the desired agent ids are prsent is - // to remove the desired ids and check the count it zero. + // for now, the only way to ensure the desired agent ids are present is + // to remove the desired ids and check that the count is zero. for _, expectedAuthorizedId := range tt.expectedAuthorizedEntries { attestedNodes.cache.RemoveAgent(expectedAuthorizedId) } diff --git a/pkg/server/endpoints/authorized_entryfetcher_registration_entries_test.go b/pkg/server/endpoints/authorized_entryfetcher_registration_entries_test.go index 2bd21cf98a..d9e4d6d4e1 100644 --- a/pkg/server/endpoints/authorized_entryfetcher_registration_entries_test.go +++ b/pkg/server/endpoints/authorized_entryfetcher_registration_entries_test.go @@ -1304,7 +1304,7 @@ func TestUpdateRegistrationEntriesCache(t *testing.T) { name string setup *entryScenarioSetup createRegistrationEntries []*common.RegistrationEntry // Entries created after setup - deleteRegistrationEntries []string // Entries delted after setup + deleteRegistrationEntries []string // Entries deleted after setup fetchEntries []string expectedAuthorizedEntries []string 
@@ -1817,8 +1817,8 @@ func TestUpdateRegistrationEntriesCache(t *testing.T) { cacheStats := registeredEntries.cache.Stats() require.Equal(t, len(tt.expectedAuthorizedEntries), cacheStats.EntriesByEntryID, "wrong number of registered entries by ID") - // for now, the only way to ensure the desired agent ids are prsent is - // to remove the desired ids and check the count it zero. + // for now, the only way to ensure the desired agent ids are present is + // to remove the desired ids and check that the count is zero. for _, expectedAuthorizedId := range tt.expectedAuthorizedEntries { registeredEntries.cache.RemoveEntry(expectedAuthorizedId) } diff --git a/pkg/server/endpoints/bundle/acme_auth.go b/pkg/server/endpoints/bundle/acme_auth.go index 32bd00ddbf..a9d12c5bcc 100644 --- a/pkg/server/endpoints/bundle/acme_auth.go +++ b/pkg/server/endpoints/bundle/acme_auth.go @@ -38,14 +38,14 @@ type ACMEConfig struct { // Email is the email address of the account to register with ACME Email string - // ToSAccepted is whether or not the terms of service have been accepted. If + // ToSAccepted is whether the terms of service have been accepted. If // not true, and the provider requires acceptance, then certificate // retrieval will fail. ToSAccepted bool } func ACMEAuth(log logrus.FieldLogger, km keymanager.KeyManager, config ACMEConfig) ServerAuth { - // The acme client already defaulting to Let's Encrypt if the URL is unset + // The acme client already defaulting to Let's Encrypt if the URL is unset, // but we want it populated for logging purposes. if config.DirectoryURL == "" { config.DirectoryURL = acme.LetsEncryptURL diff --git a/pkg/server/endpoints/bundle/internal/autocert/autocert.go b/pkg/server/endpoints/bundle/internal/autocert/autocert.go index 08a2a05454..cc2e1d4fd3 100644 --- a/pkg/server/endpoints/bundle/internal/autocert/autocert.go +++ b/pkg/server/endpoints/bundle/internal/autocert/autocert.go 
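Review bot: The `@@ -1817` hunk in authorized_entryfetcher_registration_entries_test.go keeps the copy-pasted `agent ids` wording, but this test removes registration entries (`registeredEntries.cache.RemoveEntry`) and checks `EntriesByEntryID`, not agents. I'd write `// for now, the only way to ensure the desired entry ids are present is` so the two sibling tests no longer carry identical comments while checking different caches.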
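Review bot: In the `@@ -38` hunk of acme_auth.go the trailing comma is added but the sentence is still ungrammatical: `The acme client already defaulting to Let's Encrypt if the URL is unset,`. I'd write `// The acme client already defaults to Let's Encrypt if the URL is unset,` followed by the existing `// but we want it populated for logging purposes.` That keeps the visible intent — the default is copied into config.DirectoryURL so logs name the directory actually contacted — without the dangling participle. ACMEAuth's body continues outside the hunk.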
@@ -41,7 +41,7 @@ // key match when the key a crypto.Signer and not a concrete RSA/ECDSA private // key type. -//nolint // forked code +//nolint //forked code package autocert import ( @@ -131,7 +131,7 @@ func defaultHostPolicy(context.Context, string) error { // // You must specify a cache implementation, such as DirCache, // to reuse obtained certificates across program restarts. -// Otherwise your server is very likely to exceed the certificate +// Otherwise, your server is very likely to exceed the certificate // issuer's request rate limits. type Manager struct { // Prompt specifies a callback function to conditionally accept a CA's Terms of Service (TOS). @@ -523,28 +523,28 @@ func (m *Manager) cacheGet(ctx context.Context, ck certKey) (*tls.Certificate, e return nil, ErrCacheMiss } - privKey, err := m.KeyStore.GetPrivateKey(ctx, ck.String()) + privateKey, err := m.KeyStore.GetPrivateKey(ctx, ck.String()) if err != nil { // No such private key. Corrupt. Ignore. return nil, ErrCacheMiss } // verify and create TLS cert - leaf, err := validCert(ck, pubDER, privKey, m.now()) + leaf, err := validCert(ck, pubDER, privateKey, m.now()) if err != nil { return nil, ErrCacheMiss } tlscert := &tls.Certificate{ Certificate: pubDER, - PrivateKey: privKey, + PrivateKey: privateKey, Leaf: leaf, // Limit the supported signature algorithms to those that use SHA256 // to align with a minimum set supported by known key managers. // See issue #2302. // TODO: Query the key manager for supported algorithms to determine // this set dynamically. - SupportedSignatureAlgorithms: supportedSignatureAlgorithms(privKey), + SupportedSignatureAlgorithms: supportedSignatureAlgorithms(privateKey), } return tlscert, nil } 
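Review bot: The new `//nolint //forked code` form at the top of the `@@ -41` hunk of autocert.go drops the space between the directive and its explanation, and the bare `//nolint` with no linter list still suppresses every linter on that line. As I read golangci-lint's nolintlint conventions, the accepted shape is a linter list plus a spaced explanation, e.g. `//nolint:all // forked code`, which keeps the reason machine-readable; if the spacing change was made to satisfy a linter, that is the form I'd expect it to want. The same edit is made to renewal.go later in this diff, so whichever form is chosen should be applied to both. Since these files are a modified fork rather than a vendored copy, it is also worth confirming the suppression is scoped as intended on the package clause rather than silencing checks more broadly than planned.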
@@ -588,7 +588,7 @@ func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate, } // We are the first; state is locked. - // Unblock the readers when domain ownership is verified + // Unblock the readers when domain ownership is verified, // and we got the cert or the process failed. defer state.Unlock() state.locked = false @@ -773,7 +773,7 @@ func (m *Manager) verify(ctx context.Context, client *acme.Client, domain string func (m *Manager) verifyRFC(ctx context.Context, client *acme.Client, domain string) (*acme.Order, error) { // Try each supported challenge type starting with a new order each time. // The nextTyp index of the next challenge type to try is shared across - // all order authorizations: if we've tried a challenge type once and it didn't work, + // all order authorizations: if we've tried a challenge type once, and it didn't work, // it will most likely not work on another order's authorization either. challengeTypes := m.supportedChallengeTypes() nextTyp := 0 // challengeTypes index @@ -945,7 +945,7 @@ func (m *Manager) httpToken(ctx context.Context, tokenPath string) ([]byte, erro return m.Cache.Get(ctx, httpTokenCacheKey(tokenPath)) } -// putHTTPToken stores an http-01 token value using tokenPath as key +// putHTTPToken stores a http-01 token value using tokenPath as key // in both in-memory map and the optional Cache. // // It ignores any error returned from Cache.Put. @@ -962,7 +962,7 @@ func (m *Manager) putHTTPToken(ctx context.Context, tokenPath, val string) { } } -// deleteHTTPToken removes an http-01 token value from both in-memory map +// deleteHTTPToken removes a http-01 token value from both in-memory map // and the optional Cache, ignoring any error returned from the latter. // // If m.Cache is non-nil, it blocks until Cache.Delete returns without a timeout. 
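Review bot: Changing `an http-01` to `a http-01` in the `putHTTPToken` doc comment (`@@ -945`) is a regression: `HTTP` is read as an initialism beginning with a vowel sound, so `an http-01 token` was the correct article. The same change is applied to `deleteHTTPToken` and `httpTokenCacheKey` in the following hunks; I'd revert all three, starting with `// putHTTPToken stores an http-01 token value using tokenPath as key`.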
@@ -975,7 +975,7 @@ func (m *Manager) deleteHTTPToken(tokenPath string) { } } -// httpTokenCacheKey returns a key at which an http-01 token value may be stored +// httpTokenCacheKey returns a key at which a http-01 token value may be stored // in the Manager's optional Cache. func httpTokenCacheKey(tokenPath string) string { return path.Base(tokenPath) + "+http-01" diff --git a/pkg/server/endpoints/bundle/internal/autocert/cache.go b/pkg/server/endpoints/bundle/internal/autocert/cache.go index f65659cce2..312664c191 100644 --- a/pkg/server/endpoints/bundle/internal/autocert/cache.go +++ b/pkg/server/endpoints/bundle/internal/autocert/cache.go @@ -140,14 +140,14 @@ func (d DirCache) Delete(ctx context.Context, name string) error { } // writeTempFile writes b to a temporary file, closes the file and returns its path. -func (d DirCache) writeTempFile(prefix string, b []byte) (name string, reterr error) { +func (d DirCache) writeTempFile(prefix string, b []byte) (name string, returnError error) { // TempFile uses 0600 permissions f, err := os.CreateTemp(string(d), prefix) if err != nil { return "", err } defer func() { - if reterr != nil { + if returnError != nil { os.Remove(f.Name()) } }() diff --git a/pkg/server/endpoints/bundle/internal/autocert/renewal.go b/pkg/server/endpoints/bundle/internal/autocert/renewal.go index 0f622f18d4..57428761fd 100644 --- a/pkg/server/endpoints/bundle/internal/autocert/renewal.go +++ b/pkg/server/endpoints/bundle/internal/autocert/renewal.go @@ -26,7 +26,7 @@ // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -//nolint // forked code +//nolint //forked code package autocert import ( @@ -65,6 +65,7 @@ func (dr *domainRenewal) start(exp time.Time) { // stop stops the cert renewal timer. // If the timer is already stopped, calling stop is a noop. +// //nolint:unused func (dr *domainRenewal) stop() { dr.timerMu.Lock() 
@@ -106,7 +107,7 @@ func (dr *domainRenewal) updateState(state *certState) { dr.m.state[dr.ck] = state } -// do is similar to Manager.createCert but it doesn't lock a Manager.state item. +// do is similar to Manager.createCert, but it doesn't lock a Manager.state item. // Instead, it requests a new certificate independently and, upon success, // replaces dr.m.state item with a new one and updates cache for the given domain. // diff --git a/pkg/server/endpoints/endpoints.go b/pkg/server/endpoints/endpoints.go index 5ffee7217c..983f3e94ba 100644 --- a/pkg/server/endpoints/endpoints.go +++ b/pkg/server/endpoints/endpoints.go @@ -268,7 +268,7 @@ func (e *Endpoints) createUDSServer(unaryInterceptor grpc.UnaryServerInterceptor return grpc.NewServer(options...) } -// runTCPServer will start the server and block until it exits or we are dying. +// runTCPServer will start the server and block until it exits, or we are dying. func (e *Endpoints) runTCPServer(ctx context.Context, server *grpc.Server) error { l, err := net.Listen(e.TCPAddr.Network(), e.TCPAddr.String()) if err != nil { @@ -299,7 +299,7 @@ func (e *Endpoints) runTCPServer(ctx context.Context, server *grpc.Server) error } // runLocalAccess will start a grpc server to be accessed locally -// and block until it exits or we are dying. +// and block until it exits, or we are dying. func (e *Endpoints) runLocalAccess(ctx context.Context, server *grpc.Server) error { os.Remove(e.LocalAddr.String()) var l net.Listener diff --git a/pkg/server/plugin/credentialcomposer/uniqueid/plugin.go b/pkg/server/plugin/credentialcomposer/uniqueid/plugin.go index bc57d4f0e5..30cd1319a1 100644 --- a/pkg/server/plugin/credentialcomposer/uniqueid/plugin.go +++ b/pkg/server/plugin/credentialcomposer/uniqueid/plugin.go 
@@ -63,7 +63,7 @@ func (p *Plugin) ComposeWorkloadX509SVID(_ context.Context, req *credentialcompo attributes.Subject = &credentialcomposerv1.DistinguishedName{} } - // Add the attribute if does not already exist. Otherwise replace the old value. + // Add the attribute if it does not already exist. Otherwise, replace the old value. found := false for i := 0; i < len(attributes.Subject.ExtraNames); i++ { if attributes.Subject.ExtraNames[i].Oid == uniqueID.Oid { diff --git a/pkg/server/plugin/keymanager/awskms/awskms.go b/pkg/server/plugin/keymanager/awskms/awskms.go index f94bc8ba79..f2bdc74d1e 100644 --- a/pkg/server/plugin/keymanager/awskms/awskms.go +++ b/pkg/server/plugin/keymanager/awskms/awskms.go @@ -223,7 +223,7 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) p.trustDomain = req.CoreConfiguration.TrustDomain p.serverID = serverID - // cancels previous tasks in case of re configure + // cancels previous tasks in case of re-configure if p.cancelTasks != nil { p.cancelTasks() } @@ -442,7 +442,7 @@ func (p *Plugin) setCache(keyEntries []*keyEntry) { } } -// scheduleDeleteTask ia a long running task that deletes keys that were rotated +// scheduleDeleteTask ia a long-running task that deletes keys that were rotated func (p *Plugin) scheduleDeleteTask(ctx context.Context) { backoffMin := 1 * time.Second backoffMax := 60 * time.Second @@ -994,7 +994,7 @@ func makeFingerprint(pkixData []byte) string { } // encodeKeyID maps "." and "+" characters to the asciihex value using "_" as -// escape character. Currently KMS does not support those characters to be used +// escape character. Currently, KMS does not support those characters to be used // as alias name. func encodeKeyID(keyID string) string { keyID = strings.ReplaceAll(keyID, ".", "_2e") diff --git a/pkg/server/plugin/keymanager/awskms/fetcher.go b/pkg/server/plugin/keymanager/awskms/fetcher.go index 72545f0275..504dc5f5b0 100644 
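Review bot: The `@@ -442` hunk of awskms.go hyphenates `long-running` but leaves the typo on the same line: `scheduleDeleteTask ia a long-running task`. I'd make it `// scheduleDeleteTask is a long-running task that deletes keys that were rotated`. Since this is the only doc comment on a goroutine that removes KMS keys, a second sentence naming what triggers a deletion and the retry/backoff behaviour would help the next maintainer, provided the body (which continues outside the hunk) supports it.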
--- a/pkg/server/plugin/keymanager/awskms/fetcher.go +++ b/pkg/server/plugin/keymanager/awskms/fetcher.go @@ -53,7 +53,7 @@ func (kf *keyFetcher) fetchKeyEntries(ctx context.Context) ([]*keyEntry, error) continue } - // The following checks are purely defensive but we want to ensure + // The following checks are purely defensive, but we want to ensure // we don't try and handle an alias with a malformed shape. switch { case alias.AliasArn == nil: diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go index cfc918afeb..53bc797f3e 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms.go @@ -256,7 +256,7 @@ func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) p.setCache(keyEntries) p.kmsClient = kc - // Cancel previous tasks in case of re configure. + // Cancel previous tasks in case of re-configure. if p.cancelTasks != nil { p.cancelTasks() } @@ -873,7 +873,7 @@ func (p *Plugin) notifyKeepActiveCryptoKeys(err error) { } } -// scheduleDestroyTask is a long running task that schedules the destruction +// scheduleDestroyTask is a long-running task that schedules the destruction // of inactive CryptoKeyVersions and sets the corresponding CryptoKey as inactive. func (p *Plugin) scheduleDestroyTask(ctx context.Context) { backoffMin := 1 * time.Second diff --git a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go index c129bdbdbe..849103728e 100644 --- a/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go +++ b/pkg/server/plugin/keymanager/gcpkms/gcpkms_test.go 
@@ -481,7 +481,7 @@ func TestDisposeStaleCryptoKeys(t *testing.T) { ts.plugin.hooks.disposeCryptoKeysSignal = make(chan error) ts.plugin.hooks.scheduleDestroySignal = make(chan error) ts.plugin.hooks.setInactiveSignal = make(chan error) - // Set up an unbuffered channel for the keepActiveCryptoKeys task so that it gets blocked and we can simulate a key getting stale. + // Set up an unbuffered channel for the keepActiveCryptoKeys task so that it gets blocked, and we can simulate a key getting stale. ts.plugin.hooks.keepActiveCryptoKeysSignal = make(chan error) _, err := ts.plugin.Configure(ctx, configureRequest) diff --git a/pkg/server/plugin/nodeattestor/awsiid/client.go b/pkg/server/plugin/nodeattestor/awsiid/client.go index 8325203c22..cde1a39188 100644 --- a/pkg/server/plugin/nodeattestor/awsiid/client.go +++ b/pkg/server/plugin/nodeattestor/awsiid/client.go @@ -119,7 +119,7 @@ func newClient(ctx context.Context, config *SessionConfig, region string, assume return nil, err } - // If the orgnizationAttestation feature is enabled, use the role configured for feature. + // If the organizationAttestation feature is enabled, use the role configured for feature. orgConf, err := newAWSConfig(ctx, config.AccessKeyID, config.SecretAccessKey, region, orgRoleArn) if err != nil { return nil, err diff --git a/pkg/server/plugin/nodeattestor/awsiid/iid.go b/pkg/server/plugin/nodeattestor/awsiid/iid.go index d6c0206893..db8fda9f9b 100644 --- a/pkg/server/plugin/nodeattestor/awsiid/iid.go +++ b/pkg/server/plugin/nodeattestor/awsiid/iid.go @@ -55,7 +55,7 @@ var ( } defaultPartition = "aws" - // No constant was found in the sdk, using the list of paritions defined on + // No constant was found in the sdk, using the list of partitions defined on // the page https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html partitions = []string{ defaultPartition, 
@@ -256,7 +256,7 @@ func (p *IIDAttestorPlugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServ // e.g. do it after the call to `p.AssessTOFU`, however, we may need // the instance to construct tags used in the agent ID. // - // This overhead will only effect agents attempting to re-attest which + // This overhead will only affect agents attempting to re-attest which // should be a very small portion of the overall server workload. This // is a potential DoS vector. shouldCheckBlockDevice := !inTrustAcctList && !c.SkipBlockDevice diff --git a/pkg/server/plugin/nodeattestor/awsiid/iid_test.go b/pkg/server/plugin/nodeattestor/awsiid/iid_test.go index b5f1375cf5..0a139b9105 100644 --- a/pkg/server/plugin/nodeattestor/awsiid/iid_test.go +++ b/pkg/server/plugin/nodeattestor/awsiid/iid_test.go @@ -747,7 +747,7 @@ func (c *fakeClient) GetInstanceProfile(_ context.Context, input *iam.GetInstanc } func (c *fakeClient) ListAccounts(_ context.Context, input *organizations.ListAccountsInput, _ ...func(*organizations.Options)) (*organizations.ListAccountsOutput, error) { - // Only modify the output if its not being mutated in test for : mutateListAccountOutput. + // Only modify the output if it's not being mutated in test for : mutateListAccountOutput. if c.ListAccountOutput.Accounts == nil { c.ListAccountOutput = &organizations.ListAccountsOutput{ Accounts: []types.Account{{ diff --git a/pkg/server/plugin/nodeattestor/awsiid/organization.go b/pkg/server/plugin/nodeattestor/awsiid/organization.go index 1e388388fa..9878626fad 100644 --- a/pkg/server/plugin/nodeattestor/awsiid/organization.go +++ b/pkg/server/plugin/nodeattestor/awsiid/organization.go 
@@ -85,7 +85,7 @@ func (o *orgValidator) configure(config *orgValidationConfig) error { o.orgConfig = config - // While doing configuration invalidate the map so we dont keep using old one. + // While doing configuration invalidate the map so we don't keep using old one. o.orgAccountList = make(map[string]any) o.retries = orgAccountRetries @@ -103,10 +103,10 @@ func (o *orgValidator) setLogger(log hclog.Logger) { o.log = log } -// IsMemberAccount method checks if the Account ID attached on the node is part of the organisation. -// If it part of the organisation then validation should be succesfull if not attestation should fail, on enabling this verification method. +// IsMemberAccount method checks if the Account ID attached on the node is part of the organization. +// If it is part of the organization then validation should be successful if not attestation should fail, on enabling this verification method. // This could be alternative for not explicitly maintaining allowed list of account ids. -// Method pulls the list of accounts from organization and caches it for certain time, cache time can be configured. +// Method pulls the list of accounts from the organization and caches it for certain time, cache time can be configured. func (o *orgValidator) IsMemberAccount(ctx context.Context, orgClient organizations.ListAccountsAPIClient, accountIDOfNode string) (bool, error) { reValidatedCache, err := o.validateCache(ctx, orgClient) if err != nil { 
@@ -142,19 +142,19 @@ func (o *orgValidator) lookupCache(ctx context.Context, orgClient organizations.
 orgAccountList := o.orgAccountList
 o.mutex.RUnlock()
 
- _, accoutIsmemberOfOrg := orgAccountList[accountIDOfNode]
+ _, accountIsmemberOfOrg := orgAccountList[accountIDOfNode]
 
 // Retry if it doesn't exist in cache and cache was not revalidated
- if !accoutIsmemberOfOrg && !reValidatedCache {
+ if !accountIsmemberOfOrg && !reValidatedCache {
 orgAccountList, err := o.refreshCache(ctx, orgClient)
 if err != nil {
- o.log.Error("Failed to refesh cache, while validating account id: %v", accountIDOfNode, "error", err.Error())
+ o.log.Error("Failed to refresh cache, while validating account id: %v", accountIDOfNode, "error", err.Error())
 return false, err
 }
- _, accoutIsmemberOfOrg = orgAccountList[accountIDOfNode]
+ _, accountIsmemberOfOrg = orgAccountList[accountIDOfNode]
 }
 
- return accoutIsmemberOfOrg, nil
+ return accountIsmemberOfOrg, nil
 }
 
 // refreshCache refreshes list with new cache if cache miss happens and check if element exist
diff --git a/pkg/server/plugin/nodeattestor/azuremsi/client.go b/pkg/server/plugin/nodeattestor/azuremsi/client.go
index faaf9a0282..bb0f36cf66 100644
--- a/pkg/server/plugin/nodeattestor/azuremsi/client.go
+++ b/pkg/server/plugin/nodeattestor/azuremsi/client.go
@@ -12,7 +12,7 @@ import (
 "google.golang.org/grpc/status"
 )
 
-// apiClient is an interface representing all of the API methods the resolver
+// apiClient is an interface representing all API methods the resolver
 // needs to do its job.
 type apiClient interface {
 SubscriptionID() string
diff --git a/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go b/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go
index 838cced731..8d5c91f4bc 100644
--- a/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go
+++ b/pkg/server/plugin/nodeattestor/httpchallenge/httpchallenge.go
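Review bot: The `o.log.Error(...)` call in this hunk mixes a printf verb with hclog's key/value arguments, and the spelling fix keeps that shape: `o.log` is an hclog.Logger per setLogger in the previous hunk, whose Error takes a message plus key/value pairs, so `%v` is never interpolated, `accountIDOfNode` is consumed as a key whose value is the literal `"error"`, and `err.Error()` is left as a dangling trailing argument. The account ID being validated and the underlying error therefore never appear under usable keys in the emitted log line, which is exactly the record an operator needs when organization-membership attestation starts failing. Suggested line: `o.log.Error("Failed to refresh cache while validating account ID", "account_id", accountIDOfNode, "error", err)`. lookupCache's opening lines are outside the hunk.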
@@ -189,7 +189,7 @@ func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error { return err } - // receive the response. We dont really care what it is but the plugin system requiries it. + // receive the response. We don't really care what it is but the plugin system requires it. _, err = stream.Recv() if err != nil { return err diff --git a/pkg/server/plugin/nodeattestor/tpmdevid/devid.go b/pkg/server/plugin/nodeattestor/tpmdevid/devid.go index c196c2b03b..eb55de2e3d 100644 --- a/pkg/server/plugin/nodeattestor/tpmdevid/devid.go +++ b/pkg/server/plugin/nodeattestor/tpmdevid/devid.go @@ -264,10 +264,10 @@ func verifyDevIDSignature(cert *x509.Certificate, intermediates *x509.CertPool, return chains, nil } -// verifyDevIDResidency verifies that the DevID resides on the same TPM than EK. +// verifyDevIDResidency verifies that the DevID resides on the same TPM as EK. // This is done in two steps: -// (1) Verify that the DevID resides in the same TPM than the AK -// (2) Verify that the AK is in the same TPM than the EK. +// (1) Verify that the DevID resides in the same TPM as the AK +// (2) Verify that the AK is in the same TPM as the EK. // The verification is complete once the agent solves the challenge that this // function generates. func verifyDevIDResidency(attData *common_devid.AttestationRequest, ekRoots *x509.CertPool) (*common_devid.CredActivation, []byte, error) { @@ -299,7 +299,7 @@ func verifyDevIDResidency(attData *common_devid.AttestationRequest, ekRoots *x50 } // Verify the public part of the EK generated from the template is the same - // than the one in the EK certificate. + // as the one in the EK certificate. err = verifyEKsMatch(ekCert, ekPub) if err != nil { return nil, nil, status.Errorf(codes.InvalidArgument, "public key in EK certificate differs from public key created via EK template: %v", err) 
@@ -317,7 +317,7 @@ func verifyDevIDResidency(attData *common_devid.AttestationRequest, ekRoots *x50 return nil, nil, status.Errorf(codes.InvalidArgument, "cannot verify that DevID is in the same TPM than AK: %v", err) } - // Issue a credential activation challenge (to verify AK is in the same TPM than EK) + // Issue a credential activation challenge (to verify AK is in the same TPM as EK) challenge, nonce, err := NewCredActivationChallenge(akPub, ekPub) if err != nil { return nil, nil, status.Errorf(codes.Internal, "cannot generate credential activation challenge: %v", err) diff --git a/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go b/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go index a6c3a6daee..bf2085a458 100644 --- a/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go +++ b/pkg/server/plugin/notifier/k8sbundle/k8sbundle.go @@ -316,9 +316,9 @@ func (p *Plugin) informerCallback(client kubeClient, obj runtime.Object) { case err == nil: p.log.Debug("Set bundle for object", "name", objectMeta.GetName()) case status.Code(err) == codes.FailedPrecondition: - // Ignore FailPrecondition errors for when SPIRE is booting and we receive an event prior to + // Ignore FailPrecondition errors for when SPIRE is booting, and we receive an event prior to // IdentityProvider being initialized. In this case the BundleLoaded event will come - // to populate the caBundle, so its safe to ignore this error. + // to populate the caBundle, so it's safe to ignore this error. case status.Code(err) == codes.AlreadyExists: // Updating the bundle from an ADD event triggers a subsequent MODIFIED event. updateBundle will // return AlreadyExists since nothing needs to be updated. diff --git a/pkg/server/plugin/upstreamauthority/awspca/pca_test.go b/pkg/server/plugin/upstreamauthority/awspca/pca_test.go index 1854db2379..f6eaa14f15 100644 --- a/pkg/server/plugin/upstreamauthority/awspca/pca_test.go +++ b/pkg/server/plugin/upstreamauthority/awspca/pca_test.go 
@@ -272,7 +272,7 @@ func TestMintX509CA(t *testing.T) { return csr } - endcodeCSR := func(csr []byte) *bytes.Buffer { + encodeCSR := func(csr []byte) *bytes.Buffer { encodedCsr := new(bytes.Buffer) err := pem.Encode(encodedCsr, &pem.Block{ Type: csrRequestType, @@ -434,7 +434,7 @@ func TestMintX509CA(t *testing.T) { var expectPem []byte if len(tt.csr) > 0 { - expectPem = endcodeCSR(tt.csr).Bytes() + expectPem = encodeCSR(tt.csr).Bytes() } // Setup expected responses and verify parameters to AWS client diff --git a/pkg/server/plugin/upstreamauthority/disk/disk.go b/pkg/server/plugin/upstreamauthority/disk/disk.go index 2b111b00d9..1347e5e17a 100644 --- a/pkg/server/plugin/upstreamauthority/disk/disk.go +++ b/pkg/server/plugin/upstreamauthority/disk/disk.go @@ -193,7 +193,7 @@ func (p *Plugin) loadUpstreamCAAndCerts(config *Configuration) (*x509svid.Upstre var trustBundle []*x509.Certificate if config.BundleFilePath == "" { // If there is no bundle path configured then we assume we have - // a self signed cert. We enforce this by requiring that there is + // a self-signed cert. We enforce this by requiring that there is // exactly one cert. This cert is reused for the trust bundle and // config.BundleFilePath is ignored if len(certs) != 1 { diff --git a/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas.go b/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas.go index 7cecf37f05..d6d4b9dced 100644 --- a/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas.go +++ b/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas.go 
@@ -225,7 +225,7 @@ func (p *Plugin) mintX509CA(ctx context.Context, csr []byte, preferredTTL int32) return nil, status.Errorf(codes.InvalidArgument, "no certificate authorities found with label pair %q:%q", rootSpec.LabelKey, rootSpec.LabelValue) } - // We dont want to use revoked, disabled or pending deletion CAs + // We don't want to use revoked, disabled or pending deletion CAs // In short, we only need CAs that are in enabled state allCertRoots = filterOutNonEnabledCAs(allCertRoots) // we want the CA that is expiring the earliest @@ -239,7 +239,7 @@ func (p *Plugin) mintX509CA(ctx context.Context, csr []byte, preferredTTL int32) chosenCA := allCertRoots[0] - // All of the CAs that are eligible for signing are still trusted + // All the CAs that are eligible for signing are still trusted var trustBundle []*privatecapb.CertificateAuthority if len(allCertRoots) > 1 { trustBundle = append(trustBundle, allCertRoots[1:]...) @@ -429,7 +429,7 @@ func (client *gcpCAClient) LoadCertificateAuthorities(ctx context.Context, spec certIt := client.pcaClient.ListCertificateAuthorities(ctx, &privatecapb.ListCertificateAuthoritiesRequest{ Parent: pool, Filter: fmt.Sprintf("labels.%s:%s", spec.LabelKey, spec.LabelValue), - // There is "OrderBy" option but it seems to work only for the name field + // There is "OrderBy" option, but it seems to work only for the name field // So we will have to sort it by expiry timestamp at our end }) diff --git a/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas_test.go b/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas_test.go index e8975cfcf8..2fc834dbb5 100644 --- a/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas_test.go +++ b/pkg/server/plugin/upstreamauthority/gcpcas/gcpcas_test.go 
@@ -103,7 +103,7 @@ func TestGcpCAS(t *testing.T) { // Scenario: // We mock client's LoadCertificateAuthorities() to return in the following order: // * caZ is an intermediate CA which is signed by externalCAY - // * caX is a root CA that is in GCP CAS with the second oldest expiry (T + 2) + // * caX is a root CA that is in GCP CAS with the second-oldest expiry (T + 2) // * caM is a root CA that is in GCP CAS with the earliest expiry (T + 1) but it is DISABLED // Everything except caM are in ENABLED state // Also note that the above is not ordered by expiry time @@ -185,7 +185,7 @@ func TestGcpCAS(t *testing.T) { } func generateCert(t *testing.T, cn string, issuer *x509.Certificate, issuerKey crypto.PrivateKey, ttlInHours int, keyfn func(testing.TB) *ecdsa.PrivateKey) (*x509.Certificate, crypto.PrivateKey, error) { - priv := keyfn(t) + keyPair := keyfn(t) serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) serialNumber, _ := rand.Int(rand.Reader, serialNumberLimit) @@ -202,10 +202,10 @@ func generateCert(t *testing.T, cn string, issuer *x509.Certificate, issuerKey c } if issuer == nil { issuer = template - issuerKey = priv + issuerKey = keyPair } - derBytes, err := x509.CreateCertificate(rand.Reader, template, issuer, priv.Public(), issuerKey) + derBytes, err := x509.CreateCertificate(rand.Reader, template, issuer, keyPair.Public(), issuerKey) if err != nil { return nil, nil, err } @@ -214,7 +214,7 @@ func generateCert(t *testing.T, cn string, issuer *x509.Certificate, issuerKey c return nil, nil, err } - return cert, priv, nil + return cert, keyPair, nil } type fakeClient struct { // implements CAClient interface diff --git a/pkg/server/plugin/upstreamauthority/v1.go b/pkg/server/plugin/upstreamauthority/v1.go index 7444671858..63f1330806 100644 --- a/pkg/server/plugin/upstreamauthority/v1.go +++ b/pkg/server/plugin/upstreamauthority/v1.go 
@@ -26,7 +26,7 @@ type V1 struct { func (v1 *V1) MintX509CA(ctx context.Context, csr []byte, preferredTTL time.Duration) (_ []*x509.Certificate, _ []*x509certificate.X509Authority, _ UpstreamX509AuthorityStream, err error) { ctx, cancel := context.WithCancel(ctx) defer func() { - // Only cancel the context if the function fails. Otherwise the + // Only cancel the context if the function fails. Otherwise, the // returned stream will be in charge of cancellation. if err != nil { defer cancel() @@ -60,7 +60,7 @@ func (v1 *V1) MintX509CA(ctx context.Context, csr []byte, preferredTTL time.Dura func (v1 *V1) PublishJWTKey(ctx context.Context, jwtKey *common.PublicKey) (_ []*common.PublicKey, _ UpstreamJWTAuthorityStream, err error) { ctx, cancel := context.WithCancel(ctx) defer func() { - // Only cancel the context if the function fails. Otherwise the + // Only cancel the context if the function fails. Otherwise, the // returned stream will be in charge of cancellation. if err != nil { defer cancel() diff --git a/pkg/server/svid/rotator.go b/pkg/server/svid/rotator.go index 169c16988d..a535ef137c 100644 --- a/pkg/server/svid/rotator.go +++ b/pkg/server/svid/rotator.go @@ -60,8 +60,8 @@ func (r *Rotator) Run(ctx context.Context) error { t := r.c.Clock.Ticker(r.c.Interval) defer t.Stop() - bundeVerificationTicker := r.c.Clock.Ticker(defaultBundleVerificationTicker) - defer bundeVerificationTicker.Stop() + bundleVerificationTicker := r.c.Clock.Ticker(defaultBundleVerificationTicker) + defer bundleVerificationTicker.Stop() for { select { @@ -85,7 +85,7 @@ func (r *Rotator) Run(ctx context.Context) error { } } -// shouldRotate returns a boolean informing the caller of whether or not the +// shouldRotate returns a boolean informing the caller of whether the // SVID should be rotated. func (r *Rotator) shouldRotate() bool { s := r.state.Value().(State) diff --git a/proto/spire/common/common.pb.go b/proto/spire/common/common.pb.go index f480cd203f..753243582c 100644 
--- a/proto/spire/common/common.pb.go +++ b/proto/spire/common/common.pb.go @@ -350,7 +350,7 @@ type RegistrationEntry struct { FederatesWith []string `protobuf:"bytes,5,rep,name=federates_with,json=federatesWith,proto3" json:"federates_with,omitempty"` // * Entry ID EntryId string `protobuf:"bytes,6,opt,name=entry_id,json=entryId,proto3" json:"entry_id,omitempty"` - // * Whether or not the workload is an admin workload. Admin workloads + // * whether the workload is an admin workload. Admin workloads // can use their SVID's to authenticate with the Server APIs, for // example. Admin bool `protobuf:"varint,7,opt,name=admin,proto3" json:"admin,omitempty"` @@ -763,7 +763,7 @@ type PublicKey struct { Kid string `protobuf:"bytes,2,opt,name=kid,proto3" json:"kid,omitempty"` // * not after (seconds since unix epoch, 0 means "never expires") NotAfter int64 `protobuf:"varint,3,opt,name=not_after,json=notAfter,proto3" json:"not_after,omitempty"` - // * Whether or not the key is tainted + // * whether the key is tainted TaintedKey bool `protobuf:"varint,4,opt,name=tainted_key,json=taintedKey,proto3" json:"tainted_key,omitempty"` } diff --git a/proto/spire/common/common.proto b/proto/spire/common/common.proto index cd1ed63c61..779934b08a 100644 --- a/proto/spire/common/common.proto +++ b/proto/spire/common/common.proto @@ -75,7 +75,7 @@ message RegistrationEntry { repeated string federates_with = 5; /** Entry ID */ string entry_id = 6; - /** Whether or not the workload is an admin workload. Admin workloads + /** whether the workload is an admin workload. Admin workloads can use their SVID's to authenticate with the Server APIs, for example. */ bool admin = 7; @@ -139,7 +139,7 @@ message PublicKey { /** not after (seconds since unix epoch, 0 means "never expires") */ int64 not_after = 3; - /** Whether or not the key is tainted */ + /** whether the key is tainted */ bool tainted_key = 4; } 
diff --git a/support/oidc-discovery-provider/README.md b/support/oidc-discovery-provider/README.md index f89ec8a3bf..8dce3b5c9a 100644 --- a/support/oidc-discovery-provider/README.md +++ b/support/oidc-discovery-provider/README.md @@ -100,11 +100,11 @@ will terminate if another domain is requested. #### Server API Section -| Key | Type | Required? | Description | Default | -|-----------------|----------|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| +| Key | Type | Required? | Description | Default | +|-----------------|----------|-----------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------| | `address` | string | required | SPIRE Server API gRPC target address. Only the unix name system is supported. See . Unix platforms only. | | -| `experimental` | section | optional | The experimental options that are subject to change or removal. | | -| `poll_interval` | duration | optional | How often to poll for changes to the public key material. | `"10s"` | +| `experimental` | section | optional | The experimental options that are subject to change or removal. | | +| `poll_interval` | duration | optional | How often to poll for changes to the public key material. | `"10s"` | | experimental | Type | Required? | Description | Default | |:------------------|--------|-----------|-------------------------------------------------------------|---------| diff --git a/support/oidc-discovery-provider/handler.go b/support/oidc-discovery-provider/handler.go index 0d089c1397..a0cf837009 100644 --- a/support/oidc-discovery-provider/handler.go +++ b/support/oidc-discovery-provider/handler.go 
@@ -137,7 +137,7 @@ func (h *Handler) verifyHost(host string) error { // ProxyHeaders middleware). The value may be in host or host:port form. domain, _, err := net.SplitHostPort(host) if err != nil { - // `Host` was not in the host:port form form. + // `Host` was not in the host:port form. domain = host } return h.domainPolicy(domain) diff --git a/test/fakes/fakeagentnodeattestor/nodeattestor.go b/test/fakes/fakeagentnodeattestor/nodeattestor.go index 13ebf925be..77ff48ea25 100644 --- a/test/fakes/fakeagentnodeattestor/nodeattestor.go +++ b/test/fakes/fakeagentnodeattestor/nodeattestor.go @@ -13,10 +13,10 @@ import ( ) type Config struct { - // Fail indicates whether or not fetching attestation data should fail. + // Fail indicates whether fetching attestation data should fail. Fail bool - // Responses is list of echo responses. The response to each challenge is + // Responses are a list of echo responses. The response to each challenge is // expected to match the challenge value. Responses []string } diff --git a/test/fakes/fakeupstreamauthority/upstreamauthority.go b/test/fakes/fakeupstreamauthority/upstreamauthority.go index ae7a2a0967..60e3daf806 100644 --- a/test/fakes/fakeupstreamauthority/upstreamauthority.go +++ b/test/fakes/fakeupstreamauthority/upstreamauthority.go @@ -321,8 +321,8 @@ func createCATemplate(now time.Time, cn string, sn int64, keyUsage x509.KeyUsage } } -func createCertificate(t *testing.T, template, parent *x509.Certificate, pub crypto.PublicKey, priv crypto.PrivateKey) *x509.Certificate { - certDER, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv) +func createCertificate(t *testing.T, template, parent *x509.Certificate, publicKey crypto.PublicKey, privateKey crypto.PrivateKey) *x509.Certificate { + certDER, err := x509.CreateCertificate(rand.Reader, template, parent, publicKey, privateKey) require.NoError(t, err, "unable to sign certificate") cert, err := x509.ParseCertificate(certDER) 
diff --git a/test/grpctest/server.go b/test/grpctest/server.go index 44e97ac3eb..3ccf972dab 100644 --- a/test/grpctest/server.go +++ b/test/grpctest/server.go @@ -99,7 +99,7 @@ func StartServer(tb testing.TB, registerFn func(s grpc.ServiceRegistrar), opts . serverListener = listener } - // Clean up the when the test is closed. + // Clean up when the test is closed. tb.Cleanup(func() { _ = serverListener.Close() }) diff --git a/test/integration/setup/downstreamclient/client.go b/test/integration/setup/downstreamclient/client.go index af8544b441..32c46b2c49 100644 --- a/test/integration/setup/downstreamclient/client.go +++ b/test/integration/setup/downstreamclient/client.go @@ -110,7 +110,7 @@ func validatePublishJWTAUthorirty(ctx context.Context, c *itclient.Client) error case err != nil: return fmt.Errorf("failed to publish JWT authority: %w", err) case len(resp.JwtAuthorities) == 0: - return errors.New("no authorities ruturned") + return errors.New("no authorities returned") } for _, a := range resp.JwtAuthorities { diff --git a/test/integration/suites-windows/windows-service/README.md b/test/integration/suites-windows/windows-service/README.md index 0a001f6f79..7925c60d5c 100644 --- a/test/integration/suites-windows/windows-service/README.md +++ b/test/integration/suites-windows/windows-service/README.md 
@@ -3,7 +3,7 @@ ## Description This suite validates that we can run both spire agent and spire server natively on Windows OS, asserting that spire components -can run as a [windows service application](https://learn.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications#service-applications-vs-other-visual-studio-applications), +can run as a [Windows service application](https://learn.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications#service-applications-vs-other-visual-studio-applications), and perform [service state transitions](https://learn.microsoft.com/en-us/windows/win32/services/service-status-transitions). The suite steps are structured as follows: diff --git a/test/integration/suites/evict-agent/README.md b/test/integration/suites/evict-agent/README.md index 090baed414..b2659e01ff 100644 --- a/test/integration/suites/evict-agent/README.md +++ b/test/integration/suites/evict-agent/README.md @@ -2,5 +2,5 @@ ## Description -This suite validates than banned agent is not longer able to fetch updates from SPIRE Server, +This suite validates than banned agent is no longer able to fetch updates from SPIRE Server, and once agent entry is evicted agent is shutdown. diff --git a/test/integration/suites/upstream-authority-ejbca/conf/ejbca/scripts/ejbca-init.sh b/test/integration/suites/upstream-authority-ejbca/conf/ejbca/scripts/ejbca-init.sh index d553dd4515..4b58e0acdc 100755 --- a/test/integration/suites/upstream-authority-ejbca/conf/ejbca/scripts/ejbca-init.sh +++ b/test/integration/suites/upstream-authority-ejbca/conf/ejbca/scripts/ejbca-init.sh 
@@ -107,7 +107,7 @@ EOF # name - The name of the crypto token # type - The type of the crypto token (e.g. SoftCryptoToken) # pin - The pin for the crypto token -# autoactivate - Whether or not to autoactivate the crypto token +# autoactivate - whether to autoactivate the crypto token createCryptoToken() { local name=$1 local type=$2 diff --git a/test/spiretest/x509.go b/test/spiretest/x509.go index 14da7e4dec..b32f759dd2 100644 --- a/test/spiretest/x509.go +++ b/test/spiretest/x509.go @@ -28,8 +28,8 @@ func SelfSignCertificateWithKey(tb testing.TB, tmpl *x509.Certificate, key crypt return CreateCertificate(tb, tmpl, tmpl, key.Public(), key) } -func CreateCertificate(tb testing.TB, tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate { - certDER, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv) +func CreateCertificate(tb testing.TB, tmpl, parent *x509.Certificate, publicKey, privateKey any) *x509.Certificate { + certDER, err := x509.CreateCertificate(rand.Reader, tmpl, parent, publicKey, privateKey) require.NoError(tb, err) cert, err := x509.ParseCertificate(certDER) require.NoError(tb, err) diff --git a/test/testca/ca.go b/test/testca/ca.go index 442af982a2..9dec10eb25 100644 --- a/test/testca/ca.go +++ b/test/testca/ca.go @@ -234,8 +234,8 @@ func CreateX509SVID(tb testing.TB, parent *x509.Certificate, parentKey crypto.Si return CreateX509Certificate(tb, parent, parentKey, options...) } -func CreateCertificate(tb testing.TB, tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate { - certDER, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv) +func CreateCertificate(tb testing.TB, tmpl, parent *x509.Certificate, publicKey, privateKey any) *x509.Certificate { + certDER, err := x509.CreateCertificate(rand.Reader, tmpl, parent, publicKey, privateKey) require.NoError(tb, err) cert, err := x509.ParseCertificate(certDER) require.NoError(tb, err) 
diff --git a/test/tpmsimulator/simulator.go b/test/tpmsimulator/simulator.go index 83e2c3c6b1..04f6b05315 100644 --- a/test/tpmsimulator/simulator.go +++ b/test/tpmsimulator/simulator.go @@ -215,7 +215,7 @@ func (s *TPMSimulator) OpenTPM(path ...string) (io.ReadWriteCloser, error) { // GenerateDevID generates a new DevID credential using the given provisioning // authority and key type. -// DevIDs generated using this function are for test only. There is not guarantee +// DevIDs generated using this function are for test only. There is no guarantee // that the identities generated by this method are compliant with the TCG/IEEE // specification. func (s *TPMSimulator) GenerateDevID(p *ProvisioningAuthority, keyType KeyType, keyPassword string) (*Credential, error) { From 98ad13af13e6744173cef3b9a7a5c74a631bdaab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 11:59:17 -0300 Subject: [PATCH 2/9] Bump github.com/zeebo/errs from 1.3.0 to 1.4.0 (#5581) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Bump github.com/zeebo/errs from 1.3.0 to 1.4.0 Bumps [github.com/zeebo/errs](https://github.com/zeebo/errs) from 1.3.0 to 1.4.0. - [Commits](https://github.com/zeebo/errs/compare/v1.3.0...v1.4.0) --- updated-dependencies: - dependency-name: github.com/zeebo/errs dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * Use errors.As instead of the deprecated errs.Unwrap function Signed-off-by: Agustín Martínez Fayó --------- Signed-off-by: dependabot[bot] Signed-off-by: Agustín Martínez Fayó Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Agustín Martínez Fayó Co-authored-by: Marcos Yacob --- go.mod | 2 +- go.sum | 3 ++- pkg/server/datastore/sqlstore/sqlstore.go | 12 +++++++++--- 3 files changed, 12 insertions(+), 5 deletions(-) 
diff --git a/go.mod b/go.mod
index 21b21a2882..7eeb79d6d1 100644
--- a/go.mod
+++ b/go.mod
@@ -78,7 +78,7 @@ require (
 github.com/stretchr/testify v1.9.0
 github.com/uber-go/tally/v4 v4.1.16
 github.com/valyala/fastjson v1.6.4
- github.com/zeebo/errs v1.3.0
+ github.com/zeebo/errs v1.4.0
 golang.org/x/crypto v0.28.0
 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8
 golang.org/x/net v0.30.0
diff --git a/go.sum b/go.sum
index 978c2bbc6a..212a018712 100644
--- a/go.sum
+++ b/go.sum
@@ -1498,8 +1498,9 @@ github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
 github.com/zalando/go-keyring v0.2.3 h1:v9CUu9phlABObO4LPWycf+zwMG7nlbb3t/B5wa97yms=
 github.com/zalando/go-keyring v0.2.3/go.mod h1:HL4k+OXQfJUWaMnqyuSOc0drfGPX2b51Du6K+MRgZMk=
-github.com/zeebo/errs v1.3.0 h1:hmiaKqgYZzcVgRL1Vkc1Mn2914BbzB0IBxs+ebeutGs=
 github.com/zeebo/errs v1.3.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
+github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
 go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd80=
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
diff --git a/pkg/server/datastore/sqlstore/sqlstore.go b/pkg/server/datastore/sqlstore/sqlstore.go
index 9b2f6a253a..76c4f3ed5c 100644
--- a/pkg/server/datastore/sqlstore/sqlstore.go
+++ b/pkg/server/datastore/sqlstore/sqlstore.go
@@ -1009,9 +1009,14 @@ func (ds *Plugin) withTx(ctx context.Context, op func(tx *gorm.DB) error, readOn
 // if the error is a gorm error type with a known mapping to a GRPC status,
 // that code will be set, otherwise the code will be set to Unknown.
 func (ds *Plugin) gormToGRPCStatus(err error) error {
- unwrapped := errs.Unwrap(err)
- if _, ok := status.FromError(unwrapped); ok {
- return unwrapped
+ type grpcStatusError interface {
+ error
+ GRPCStatus() *status.Status
+ }
+
+ var statusError grpcStatusError
+ if errors.As(err, &statusError) {
+ return statusError
 }

 code := codes.Unknown
@@ -1019,6 +1024,7 @@ func (ds *Plugin) gormToGRPCStatus(err error) error {
 code = codes.InvalidArgument
 }

+ unwrapped := errors.Unwrap(err)
 switch {
 case gorm.IsRecordNotFoundError(unwrapped):
 code = codes.NotFound
From 4a4670c2485f5d01b50e5443185e2675d06238ae Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 14:09:06 -0300
Subject: [PATCH 3/9] Bump cloud.google.com/go/storage in the google-cloud-sdk group (#5627)
Bumps the google-cloud-sdk group with 1 update: [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go).
Updates `cloud.google.com/go/storage` from 1.45.0 to 1.46.0
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-cloud-go/compare/pubsub/v1.45.0...spanner/v1.46.0)
---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: google-cloud-sdk
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
go.mod | 6 +++---
go.sum | 12 ++++++------
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/go.mod b/go.mod
index 7eeb79d6d1..3f582161be 100644
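Review bot: Returning `statusError` hands back the innermost status error and drops any message context that outer wrapping layers added, and a nil `err` no longer short-circuits the way `status.FromError(nil)` did (it returned ok=true and the nil was returned as-is), so nil now falls through into the code-mapping below. `status.FromError` in the grpc pinned by this series (v1.67.1 per go.mod) already walks the wrap chain with errors.As and rebuilds the status with the full `err.Error()` text, so `if s, ok := status.FromError(err); ok { return s.Err() }` keeps both behaviours and makes the local grpcStatusError type unnecessary. Whether any caller passes a nil error cannot be confirmed from this hunk; gormToGRPCStatus continues past it, so the tail that builds the final status is not visible here.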
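Review bot: `errors.Unwrap(err)` returns nil when err wraps nothing and peels only one layer, whereas the `errs.Unwrap` it replaces returned the error itself when nothing was wrapped (as I read its contract), so a bare `gorm.ErrRecordNotFound` reaching this switch, or one wrapped more than once, would now map to codes.Unknown instead of NotFound. `errors.Is` checks the whole chain in a single call: `case errors.Is(err, gorm.ErrRecordNotFound):`, unless the gorm.Errors aggregate that IsRecordNotFoundError also inspects matters here. The remaining cases of the switch lie outside the hunk, so any other case that tests `unwrapped` should get the same treatment; whether callers ever pass an unwrapped gorm error cannot be seen from here.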
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 cloud.google.com/go/kms v1.20.0
 cloud.google.com/go/secretmanager v1.14.1
 cloud.google.com/go/security v1.18.1
- cloud.google.com/go/storage v1.45.0
+ cloud.google.com/go/storage v1.46.0
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
 github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0
@@ -100,8 +100,8 @@ require (
 require (
 cel.dev/expr v0.16.1 // indirect
 cloud.google.com/go v0.116.0 // indirect
- cloud.google.com/go/auth v0.9.9 // indirect
- cloud.google.com/go/auth/oauth2adapt v0.2.4 // indirect
+ cloud.google.com/go/auth v0.10.0 // indirect
+ cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
 cloud.google.com/go/compute/metadata v0.5.2 // indirect
 cloud.google.com/go/longrunning v0.6.1 // indirect
 cloud.google.com/go/monitoring v1.21.1 // indirect
diff --git a/go.sum b/go.sum
index 212a018712..1e4e405b29 100644
--- a/go.sum
+++ b/go.sum
@@ -72,10 +72,10 @@ cloud.google.com/go/assuredworkloads v1.6.0/go.mod h1:yo2YOk37Yc89Rsd5QMVECvjaMK cloud.google.com/go/assuredworkloads v1.7.0/go.mod h1:z/736/oNmtGAyU47reJgGN+KVoYoxeLBoj4XkKYscNI= cloud.google.com/go/assuredworkloads v1.8.0/go.mod h1:AsX2cqyNCOvEQC8RMPnoc0yEarXQk6WEKkxYfL6kGIo= cloud.google.com/go/assuredworkloads v1.9.0/go.mod h1:kFuI1P78bplYtT77Tb1hi0FMxM0vVpRC7VVoJC3ZoT0= -cloud.google.com/go/auth v0.9.9 h1:BmtbpNQozo8ZwW2t7QJjnrQtdganSdmqeIBxHxNkEZQ= -cloud.google.com/go/auth v0.9.9/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI= -cloud.google.com/go/auth/oauth2adapt v0.2.4 h1:0GWE/FUsXhf6C+jAkWgYm7X9tK8cuEIfy19DBn6B6bY= -cloud.google.com/go/auth/oauth2adapt v0.2.4/go.mod h1:jC/jOpwFP6JBxhB3P5Rr0a9HLMC/Pe3eaL4NmdvqPtc= +cloud.google.com/go/auth v0.10.0 h1:tWlkvFAh+wwTOzXIjrwM64karR1iTBZ/GRr0S/DULYo= +cloud.google.com/go/auth v0.10.0/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI= +cloud.google.com/go/auth/oauth2adapt v0.2.5 h1:2p29+dePqsCHPP1bqDJcKj4qxRyYCcbzKpFyKGt3MTk= +cloud.google.com/go/auth/oauth2adapt v0.2.5/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8= cloud.google.com/go/automl v1.5.0/go.mod h1:34EjfoFGMZ5sgJ9EoLsRtdPSNZLcfflJR39VbVNS2M0= cloud.google.com/go/automl v1.6.0/go.mod h1:ugf8a6Fx+zP0D59WLhqgTDsQI9w07o64uf/Is3Nh5p8= cloud.google.com/go/automl v1.7.0/go.mod h1:RL9MYCCsJEOmt0Wf3z9uzG0a7adTT1fe+aObgSpkCt8= 
@@ -373,8 +373,8 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= -cloud.google.com/go/storage v1.45.0 h1:5av0QcIVj77t+44mV4gffFC/LscFRUhto6UBMB5SimM= -cloud.google.com/go/storage v1.45.0/go.mod h1:wpPblkIuMP5jCB/E48Pz9zIo2S/zD8g+ITmxKkPCITE= +cloud.google.com/go/storage v1.46.0 h1:OTXISBpFd8KaA2ClT3K3oRk8UGOcTHtrZ1bW88xKiic= +cloud.google.com/go/storage v1.46.0/go.mod h1:lM+gMAW91EfXIeMTBmixRsKL/XCxysytoAgduVikjMk= cloud.google.com/go/storagetransfer v1.5.0/go.mod h1:dxNzUopWy7RQevYFHewchb29POFv3/AaBgnhqzqiK0w= cloud.google.com/go/storagetransfer v1.6.0/go.mod h1:y77xm4CQV/ZhFZH75PLEXY0ROiS7Gh6pSKrM8dJyg6I= cloud.google.com/go/talent v1.1.0/go.mod h1:Vl4pt9jiHKvOgF9KoZo6Kob9oV4lwd/ZD5Cto54zDRw= From 4d1c8e7b02866ab623db804d47a355c167bef61b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 14:37:53 -0300 Subject: [PATCH 4/9] Bump github.com/open-policy-agent/opa from 0.69.0 to 0.70.0 (#5628) Bumps [github.com/open-policy-agent/opa](https://github.com/open-policy-agent/opa) from 0.69.0 to 0.70.0. - [Release notes](https://github.com/open-policy-agent/opa/releases) - [Changelog](https://github.com/open-policy-agent/opa/blob/main/CHANGELOG.md) - [Commits](https://github.com/open-policy-agent/opa/compare/v0.69.0...v0.70.0) --- updated-dependencies: - dependency-name: github.com/open-policy-agent/opa dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/go.mod b/go.mod
index 3f582161be..558e94f457 100644
--- a/go.mod
+++ b/go.mod
@@ -65,7 +65,7 @@ require (
 github.com/lib/pq v1.10.9
 github.com/mattn/go-sqlite3 v1.14.24
 github.com/mitchellh/cli v1.1.5
- github.com/open-policy-agent/opa v0.69.0
+ github.com/open-policy-agent/opa v0.70.0
 github.com/prometheus/client_golang v1.20.5
 github.com/shirou/gopsutil/v3 v3.24.5
 github.com/sigstore/cosign/v2 v2.4.1
diff --git a/go.sum b/go.sum
index 1e4e405b29..6a9bb597b5 100644
--- a/go.sum
+++ b/go.sum
@@ -1272,8 +1272,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
 github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
-github.com/open-policy-agent/opa v0.69.0 h1:s2igLw2Z6IvGWGuXSfugWkVultDMsM9pXiDuMp7ckWw=
-github.com/open-policy-agent/opa v0.69.0/go.mod h1:+qyXJGkpEJ6kpB1kGo8JSwHtVXbTdsGdQYPWWNYNj+4=
+github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
+github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
From 9fa2afd7691515131657cdedb715e549c65cd49b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 15:22:22 -0300
Subject: [PATCH 5/9] Bump google.golang.org/api from 0.203.0 to 0.204.0 (#5629)
Bumps [google.golang.org/api](https://github.com/googleapis/google-api-go-client) from 0.203.0 to 0.204.0.
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](https://github.com/googleapis/google-api-go-client/compare/v0.203.0...v0.204.0)
---
updated-dependencies:
- dependency-name: google.golang.org/api
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
go.mod | 8 ++++----
go.sum | 20 ++++++++++----------
2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/go.mod b/go.mod
index 558e94f457..fd6325f721 100644
--- a/go.mod
+++ b/go.mod
@@ -85,8 +85,8 @@ require (
 golang.org/x/sync v0.8.0
 golang.org/x/sys v0.26.0
 golang.org/x/time v0.7.0
- google.golang.org/api v0.203.0
- google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53
+ google.golang.org/api v0.204.0
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38
 google.golang.org/grpc v1.67.1
 google.golang.org/protobuf v1.35.1
 k8s.io/api v0.31.2
@@ -311,8 +311,8 @@ require ( golang.org/x/oauth2 v0.23.0 // indirect golang.org/x/term v0.25.0 // indirect golang.org/x/text v0.19.0 // indirect - google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53 // indirect - google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 // indirect + google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 // indirect + google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 // indirect google.golang.org/grpc/stats/opentelemetry v0.0.0-20240907200651-3ffb98b2c93a // indirect gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect diff --git a/go.sum b/go.sum index 6a9bb597b5..3087a38311 100644 --- a/go.sum +++ b/go.sum @@ -239,8 +239,8 @@ cloud.google.com/go/language v1.8.0/go.mod h1:qYPVHf7SPoNNiCL2Dr0FfEFNil1qi3pQEy cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= cloud.google.com/go/logging v1.6.1/go.mod h1:5ZO0mHHbvm8gEmeEUHrmDlTDSu5imF6MUP9OfilNXBw= -cloud.google.com/go/logging v1.11.0 h1:v3ktVzXMV7CwHq1MBF65wcqLMA7i+z3YxbUsoK7mOKs= -cloud.google.com/go/logging v1.11.0/go.mod h1:5LDiJC/RxTt+fHc1LAt20R9TKiUTReDg6RuuFOZ67+A= +cloud.google.com/go/logging v1.12.0 h1:ex1igYcGFd4S/RZWOCU51StlIEuey5bjqwH9ZYjHibk= +cloud.google.com/go/logging v1.12.0/go.mod h1:wwYBt5HlYP1InnrtYI0wtwttpVU1rifnMT7RejksUAM= cloud.google.com/go/longrunning v0.1.1/go.mod h1:UUFxuDWkv22EuY93jjmDMFT5GPQKeFVJBIF6QlTqdsE= cloud.google.com/go/longrunning v0.3.0/go.mod h1:qth9Y41RRSUE69rDcOn6DdK3HfQfsUI0YSmW3iIlLJc= cloud.google.com/go/longrunning v0.6.1 h1:lOLTFxYpr8hcRtcwWir5ITh1PAKUD/sG2lKrTSYjyMc= 
@@ -1977,8 +1977,8 @@ google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7Twe google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0= google.golang.org/api v0.108.0/go.mod h1:2Ts0XTHNVWxypznxWOYUeI4g3WdP9Pk2Qk58+a/O9MY= google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI= -google.golang.org/api v0.203.0 h1:SrEeuwU3S11Wlscsn+LA1kb/Y5xT8uggJSkIhD08NAU= -google.golang.org/api v0.203.0/go.mod h1:BuOVyCSYEPwJb3npWvDnNmFI92f3GeRnHNkETneT3SI= +google.golang.org/api v0.204.0 h1:3PjmQQEDkR/ENVZZwIYB4W/KzYtN8OrqnNcHWpeR8E4= +google.golang.org/api v0.204.0/go.mod h1:69y8QSoKIbL9F94bWgWAq6wGqGwyjBgi2y8rAK8zLag= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= 
@@ -2104,12 +2104,12 @@ google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f/go.mod h1:RGgjbofJ google.golang.org/genproto v0.0.0-20230124163310-31e0e69b6fc2/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM= google.golang.org/genproto v0.0.0-20230223222841-637eb2293923/go.mod h1:3Dl5ZL0q0isWJt+FVcfpQyirqemEuLAK/iFvg1UP1Hw= -google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53 h1:Df6WuGvthPzc+JiQ/G+m+sNX24kc0aTBqoDN/0yyykE= -google.golang.org/genproto v0.0.0-20241015192408-796eee8c2d53/go.mod h1:fheguH3Am2dGp1LfXkrvwqC/KlFq8F0nLq3LryOMrrE= -google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9 h1:T6rh4haD3GVYsgEfWExoCZA2o2FmbNyKpTuAxbEFPTg= -google.golang.org/genproto/googleapis/api v0.0.0-20241007155032-5fefd90f89a9/go.mod h1:wp2WsuBYj6j8wUdo3ToZsdxxixbvQNAHqVJrTgi5E5M= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53 h1:X58yt85/IXCx0Y3ZwN6sEIKZzQtDEYaBWrDvErdXrRE= -google.golang.org/genproto/googleapis/rpc v0.0.0-20241015192408-796eee8c2d53/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= +google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38 h1:Q3nlH8iSQSRUwOskjbcSMcF2jiYMNiQYZ0c2KEJLKKU= +google.golang.org/genproto v0.0.0-20241021214115-324edc3d5d38/go.mod h1:xBI+tzfqGGN2JBeSebfKXFSdBpWVQ7sLW40PTupVRm4= +google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53 h1:fVoAXEKA4+yufmbdVYv+SE73+cPZbbbe8paLsHfkK+U= +google.golang.org/genproto/googleapis/api v0.0.0-20241015192408-796eee8c2d53/go.mod h1:riSXTwQ4+nqmPGtobMFyW5FqVAmIs0St6VPp4Ug7CE4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38 h1:zciRKQ4kBpFgpfC5QQCVtnnNAcLIqweL7plyZRQHVpI= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241021214115-324edc3d5d38/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.8.0/go.mod 
h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.12.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
From 3d257b207046dc78da0c60c3d8559eeb219c70c1 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 16:04:32 -0300
Subject: [PATCH 6/9] Bump github.com/hashicorp/go-plugin from 1.6.1 to 1.6.2 (#5630)
Bumps [github.com/hashicorp/go-plugin](https://github.com/hashicorp/go-plugin) from 1.6.1 to 1.6.2.
- [Release notes](https://github.com/hashicorp/go-plugin/releases)
- [Changelog](https://github.com/hashicorp/go-plugin/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/go-plugin/compare/v1.6.1...v1.6.2)
---
updated-dependencies:
- dependency-name: github.com/hashicorp/go-plugin
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
go.mod | 3 +--
go.sum | 6 ++----
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/go.mod b/go.mod
index fd6325f721..129c4455ab 100644
--- a/go.mod
+++ b/go.mod
@@ -53,7 +53,7 @@ require (
 github.com/gorilla/handlers v1.5.2
 github.com/hashicorp/go-hclog v1.6.3
 github.com/hashicorp/go-metrics v0.5.3
- github.com/hashicorp/go-plugin v1.6.1
+ github.com/hashicorp/go-plugin v1.6.2
 github.com/hashicorp/hcl v1.0.1-vault-5
 github.com/hashicorp/vault/api v1.15.0
 github.com/hashicorp/vault/sdk v0.14.0
@@ -233,7 +233,6 @@ require (
 github.com/mattn/go-isatty v0.0.20 // indirect
 github.com/mitchellh/copystructure v1.2.0 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
- github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/mitchellh/reflectwalk v1.0.2 // indirect
 github.com/moby/docker-image-spec v1.3.1 // indirect
diff --git a/go.sum b/go.sum index 3087a38311..cfb301b760 100644 --- a/go.sum +++ b/go.sum @@ -1049,8 +1049,8 @@ github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHh github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-plugin v1.4.0/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ38b18Udy6vYQ= -github.com/hashicorp/go-plugin v1.6.1 h1:P7MR2UP6gNKGPp+y7EZw2kOiq4IR9WiqLvp0XOsVdwI= -github.com/hashicorp/go-plugin v1.6.1/go.mod h1:XPHFku2tFo3o3QKFgSYo+cghcUhw1NA1hZyMK0PWAw0= +github.com/hashicorp/go-plugin v1.6.2 h1:zdGAEd0V1lCaU0u+MxWQhtSDQmahpkwOun8U8EiRVog= +github.com/hashicorp/go-plugin v1.6.2/go.mod h1:CkgLQ5CZqNmdL9U9JzM532t8ZiYQ35+pj3b1FD37R0Q= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= 
@@ -1215,8 +1215,6 @@ github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HK github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI= -github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU= -github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8= github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0= github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0= github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= From 3445432e00ed72d67673e444f9d1cc2787517b89 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Nov 2024 16:33:59 -0300 Subject: [PATCH 7/9] Bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.1 (#5634) Bumps [sigs.k8s.io/controller-runtime](https://github.com/kubernetes-sigs/controller-runtime) from 0.19.0 to 0.19.1. - [Release notes](https://github.com/kubernetes-sigs/controller-runtime/releases) - [Changelog](https://github.com/kubernetes-sigs/controller-runtime/blob/main/RELEASE.md) - [Commits](https://github.com/kubernetes-sigs/controller-runtime/compare/v0.19.0...v0.19.1) --- updated-dependencies: - dependency-name: sigs.k8s.io/controller-runtime dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 129c4455ab..5dec8c2bc3 100644 --- a/go.mod +++ b/go.mod 
@@ -94,7 +94,7 @@ require (
 k8s.io/client-go v0.31.2
 k8s.io/kube-aggregator v0.31.2
 k8s.io/mount-utils v0.31.2
- sigs.k8s.io/controller-runtime v0.19.0
+ sigs.k8s.io/controller-runtime v0.19.1
 )

 require (
diff --git a/go.sum b/go.sum
index cfb301b760..53e11f80be 100644
--- a/go.sum
+++ b/go.sum
@@ -2231,8 +2231,8 @@ k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/controller-runtime v0.19.0 h1:nWVM7aq+Il2ABxwiCizrVDSlmDcshi9llbaFbC0ji/Q=
-sigs.k8s.io/controller-runtime v0.19.0/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
+sigs.k8s.io/controller-runtime v0.19.1 h1:Son+Q40+Be3QWb+niBXAg2vFiYWolDjjRfO8hn/cxOk=
+sigs.k8s.io/controller-runtime v0.19.1/go.mod h1:iRmWllt8IlaLjvTTDLhRBXIEtkCK6hwVBJJsYS9Ajf4=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/release-utils v0.8.4 h1:4QVr3UgbyY/d9p74LBhg0njSVQofUsAZqYOzVZBhdBw=
From ac5eb6aa0ffdac60c4fb544b234bbb1ef6d638c0 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 5 Nov 2024 17:15:54 -0300
Subject: [PATCH 8/9] Bump github.com/hashicorp/hcl from 1.0.1-vault-5 to 1.0.1-vault-6 (#5635)
Bumps [github.com/hashicorp/hcl](https://github.com/hashicorp/hcl) from 1.0.1-vault-5 to 1.0.1-vault-6.
- [Release notes](https://github.com/hashicorp/hcl/releases)
- [Changelog](https://github.com/hashicorp/hcl/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/hcl/compare/v1.0.1-vault-5...v1.0.1-vault-6)
---
updated-dependencies:
- dependency-name: github.com/hashicorp/hcl
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
go.mod | 2 +-
go.sum | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 5dec8c2bc3..ee81bb481b 100644
--- a/go.mod
+++ b/go.mod
@@ -54,7 +54,7 @@ require (
 github.com/hashicorp/go-hclog v1.6.3
 github.com/hashicorp/go-metrics v0.5.3
 github.com/hashicorp/go-plugin v1.6.2
- github.com/hashicorp/hcl v1.0.1-vault-5
+ github.com/hashicorp/hcl v1.0.1-vault-6
 github.com/hashicorp/vault/api v1.15.0
 github.com/hashicorp/vault/sdk v0.14.0
 github.com/imdario/mergo v0.3.16
diff --git a/go.sum b/go.sum
index 53e11f80be..1964f9d4f2 100644
--- a/go.sum
+++ b/go.sum
@@ -1070,8 +1070,8 @@ github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v1.0.2 h1:dV3g9Z/unq5DpblPpw+Oqcv4dU/1omnb4Ok8iPY6p1c=
 github.com/hashicorp/golang-lru v1.0.2/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
-github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
+github.com/hashicorp/hcl v1.0.1-vault-6 h1:qThxNRouu5cv9LCLZ7pY43TroykqN+Uc7fT3f7tyYh4=
+github.com/hashicorp/hcl v1.0.1-vault-6/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
 github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA=
 github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8=
 github.com/hashicorp/vault/sdk v0.14.0 h1:8vagjlpLurkFTnKT9aFSGs4U1XnK2IFytnWSxgFrDo0=
From 6fd9e75d47fbc2b78774e27922848f644cbe5bf7 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Tue, 5 Nov 2024 23:04:23 +0000
Subject: [PATCH 9/9] spire-server/agent: log version at start up (#5637)
Signed-off-by: Sorin Dumitru
---
pkg/agent/agent.go | 6 +++++-
pkg/server/server.go | 2 ++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/pkg/agent/agent.go b/pkg/agent/agent.go
index 6b3f2d62a7..e32a500707 100644
--- a/pkg/agent/agent.go
+++ b/pkg/agent/agent.go
@@ -32,6 +32,7 @@ import (
 "github.com/spiffe/spire/pkg/common/telemetry"
 "github.com/spiffe/spire/pkg/common/uptime"
 "github.com/spiffe/spire/pkg/common/util"
+ "github.com/spiffe/spire/pkg/common/version"
 _ "golang.org/x/net/trace" // registers handlers on the DefaultServeMux
 "google.golang.org/grpc"
 "google.golang.org/grpc/codes"
@@ -51,7 +52,10 @@ type Agent struct {
 // This method initializes the agent, including its plugins,
 // and then blocks on the main event loop.
 func (a *Agent) Run(ctx context.Context) error {
- a.c.Log.Infof("Starting agent with data directory: %q", a.c.DataDir)
+ a.c.Log.WithFields(logrus.Fields{
+ telemetry.DataDir: a.c.DataDir,
+ telemetry.Version: version.Version(),
+ }).Info("Starting agent")
 if err := diskutil.CreateDataDirectory(a.c.DataDir); err != nil {
 return err
 }
diff --git a/pkg/server/server.go b/pkg/server/server.go
index f0fcabfe17..27db8ca41b 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -21,6 +21,7 @@ import (
 "github.com/spiffe/spire/pkg/common/telemetry"
 "github.com/spiffe/spire/pkg/common/uptime"
 "github.com/spiffe/spire/pkg/common/util"
+ "github.com/spiffe/spire/pkg/common/version"
 "github.com/spiffe/spire/pkg/server/authpolicy"
 bundle_client "github.com/spiffe/spire/pkg/server/bundle/client"
 ds_pubmanager "github.com/spiffe/spire/pkg/server/bundle/datastore"
@@ -74,6 +75,7 @@ func (s *Server) run(ctx context.Context) (err error) {
 telemetry.AdminIDs: s.config.AdminIDs,
 telemetry.DataDir: s.config.DataDir,
 telemetry.LaunchLogLevel: s.config.Log.GetLevel(),
+ telemetry.Version: version.Version(),
 }).Info("Configured")

 // create the data directory if needed