]> go.fuhry.dev Git - runtime.git/commit
projects / runtime.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 525a9b9) | patch
[mint] add new service: mint
authorDan Fuhry <dan@fuhry.com>
Wed, 19 Nov 2025 21:48:52 +0000 (16:48 -0500)
committerDan Fuhry <dan@fuhry.com>
Wed, 19 Nov 2025 21:48:52 +0000 (16:48 -0500)
commitdd952c266996c9957d4e25baf3944885d553d4e0
tree2757275d819bca0b13523d797b2e9a57cee5c0e4tree | snapshot (tar.gz zip)
parent525a9b921854c687f453f3febd675242636c6ea6commit | diff
[mint] add new service: mint

Add a mint service which can issue certificates for other service identities based on configured rules. This allows, for example, a service to use its own identity to request a temporary `etcd-client` certificate.

The mint service applies the following restrictions:

1. Only service account identities may be requested.
2. Clients are not allowed to request a certificate for their own identity.
3. Issued certificates will always use the same SPIFFE domain as the original requester's certificate.
4. Certificates issued by the mint service expire at the same time as the client certificate used to make the connection to the mint service.
5. The rules for which services are allowed to request which identities are defined in a YAML file stored in ephs at (by default) `/ephs/local/services/mint/rules.yaml`.
28 files changed:
MODULE.bazel diff | blob | history
cmd/echo_client/BUILD.bazel diff | blob | history
cmd/echo_client/main.go diff | blob | history
cmd/echo_server/BUILD.bazel diff | blob | history
cmd/echo_server/main.go diff | blob | history
cmd/mint_server/BUILD.bazel [new file with mode: 0644] blob
cmd/mint_server/main.go [new file with mode: 0644] blob
cmd/mint_server/mint_acl.example.yaml [new file with mode: 0644] blob
cmd/mint_server/rules.example.yaml [new file with mode: 0644] blob
go.mod diff | blob | history
go.sum diff | blob | history
mint/BUILD.bazel [new file with mode: 0644] blob
mint/client.go [new file with mode: 0644] blob
mint/mtls_driver.go [new file with mode: 0644] blob
mint/remote_signer/BUILD.bazel [new file with mode: 0644] blob
mint/remote_signer/remote_signer.go [new file with mode: 0644] blob
mint/servicer/BUILD.bazel [new file with mode: 0644] blob
mint/servicer/acl.go [new file with mode: 0644] blob
mint/servicer/acl_test.go [new file with mode: 0644] blob
mint/servicer/servicer.go [new file with mode: 0644] blob
mint/servicer/signer.go [new file with mode: 0644] blob
proto/service/mint/BUILD.bazel [new file with mode: 0644] blob
proto/service/mint/mint_service.pb.go [new file with mode: 0644] blob
proto/service/mint/mint_service.proto [new file with mode: 0644] blob
proto/service/mint/mint_service_grpc.pb.go [new file with mode: 0644] blob
proto/service/mint/mint_types.pb.go [new file with mode: 0644] blob
proto/service/mint/mint_types.proto [new file with mode: 0644] blob
utils/log/log.go diff | blob | history