]> go.fuhry.dev Git - runtime.git/commit
projects / runtime.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e3e672a) | patch
[mint] add new service: mint
authorDan Fuhry <dan@fuhry.com>
Wed, 19 Nov 2025 21:48:52 +0000 (16:48 -0500)
committerDan Fuhry <dan@fuhry.com>
Wed, 19 Nov 2025 21:48:52 +0000 (16:48 -0500)
commit4d8e9e7a0b0fc28624ba666e49ab4c51bf63e18d
treef979fae97f7e6f4ee2dc7c372e3e1dcce19d68b9tree | snapshot (tar.gz zip)
parente3e672a590ea7aa5d108cc93e93f758ab63b0c42commit | diff
[mint] add new service: mint

Add a mint service which can issue certificates for other service identities based on configured rules. This allows, for example, a service to use its own identity to request a temporary `etcd-client` certificate.

The mint service applies the following restrictions:

1. Only service account identities may be requested.
2. Clients are not allowed to request a certificate for their own identity.
3. Issued certificates will always use the same SPIFFE domain as the original requester's certificate.
4. Certificates issued by the mint service expire at the same time as the client certificate used to make the connection to the mint service.
5. The rules for which services are allowed to request which identities are defined in a YAML file stored in ephs at (by default) `/ephs/local/services/mint/rules.yaml`.
28 files changed:
MODULE.bazel diff | blob | history
cmd/echo_client/BUILD.bazel diff | blob | history
cmd/echo_client/main.go diff | blob | history
cmd/echo_server/BUILD.bazel diff | blob | history
cmd/echo_server/main.go diff | blob | history
cmd/mint_server/BUILD.bazel [new file with mode: 0644] blob
cmd/mint_server/main.go [new file with mode: 0644] blob
cmd/mint_server/mint_acl.example.yaml [new file with mode: 0644] blob
cmd/mint_server/rules.example.yaml [new file with mode: 0644] blob
go.mod diff | blob | history
go.sum diff | blob | history
mint/BUILD.bazel [new file with mode: 0644] blob
mint/client.go [new file with mode: 0644] blob
mint/mtls_driver.go [new file with mode: 0644] blob
mint/remote_signer/BUILD.bazel [new file with mode: 0644] blob
mint/remote_signer/remote_signer.go [new file with mode: 0644] blob
mint/servicer/BUILD.bazel [new file with mode: 0644] blob
mint/servicer/acl.go [new file with mode: 0644] blob
mint/servicer/acl_test.go [new file with mode: 0644] blob
mint/servicer/servicer.go [new file with mode: 0644] blob
mint/servicer/signer.go [new file with mode: 0644] blob
proto/service/mint/BUILD.bazel [new file with mode: 0644] blob
proto/service/mint/mint_service.pb.go [new file with mode: 0644] blob
proto/service/mint/mint_service.proto [new file with mode: 0644] blob
proto/service/mint/mint_service_grpc.pb.go [new file with mode: 0644] blob
proto/service/mint/mint_types.pb.go [new file with mode: 0644] blob
proto/service/mint/mint_types.proto [new file with mode: 0644] blob
utils/log/log.go diff | blob | history