Add documentation for spire-server localauthority and spire-server upstreamauthority commands #5588

Merged
116 changes: 116 additions & 0 deletions doc/spire_server.md
Expand Up @@ -659,6 +659,122 @@ Mints a JWT-SVID.
| `-ttl` | The TTL of the JWT-SVID | First non-zero value from `Entry.jwt_svid_ttl`, `Entry.ttl`, `default_jwt_svid_ttl`, `5m` |
| `-write` | File to write token to instead of stdout | |

### `spire-server localauthority jwt activate`

Activates a prepared JWT authority for use, which will cause it to be used for all JWT signing operations serviced by this server going forward.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-authorityID` | The authority ID of the JWT authority to activate | |
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority jwt prepare`

Prepares a new JWT authority for use by generating a new key and injecting it into the bundle.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority jwt revoke`

Revokes the previously active JWT authority by removing it from the bundle and propagating this update throughout the cluster.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-authorityID` | The authority ID of the JWT authority to revoke | |
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority jwt show`

Shows the local JWT authorities.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority jwt taint`

Marks the previously active JWT authority as being tainted.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-authorityID` | The authority ID of the JWT authority to taint | |
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority x509 activate`

Activates a prepared X.509 authority for use, which will cause it to be used for all X.509 signing operations serviced by this server going forward.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-authorityID` | The authority ID of the X.509 authority to activate | |
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority x509 prepare`

Prepares a new X.509 authority for use by generating a new key and injecting the resulting CA certificate into the bundle.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority x509 revoke`

Revokes the previously active X.509 authority by removing it from the bundle and propagating this update throughout the cluster.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-authorityID` | The authority ID of the X.509 authority to revoke | |
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority x509 show`

Shows the local X.509 authorities.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server localauthority x509 taint`

Marks the previously active X.509 authority as being tainted.

| Command | Action | Default |
|:---------------|:----------------------------------------------------|:-----------------------------------|
| `-authorityID` | The authority ID of the X.509 authority to taint | |
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |

### `spire-server upstreamauthority revoke`

Revokes the previously active X.509 upstream authority by removing it from the bundle and propagating this update throughout the cluster.

| Command | Action | Default |
|:----------------|:-----------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
| `-subjectKeyID` | The X.509 Subject Key Identifier (or SKID) of the authority's CA certificate of the X.509 upstream authority to revoke | |

### `spire-server upstreamauthority taint`

Marks the provided X.509 upstream authority as being tainted.

| Command | Action | Default |
|:----------------|:-----------------------------------------------------------------------------------------------------------------------|:-----------------------------------|
| `-output` | Desired output format (`pretty`, `json`) | `pretty` |
| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
| `-subjectKeyID` | The X.509 Subject Key Identifier (or SKID) of the authority's CA certificate of the upstream X.509 authority to taint | |

## JSON object for `-data`

A JSON object passed to `-data` for `entry create/update` expects the following form:
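
Review bot: The `taint` and `revoke` sections (`localauthority jwt`, `localauthority x509` and `upstreamauthority`) each carry a one-line description that does not say what tainting does to SVIDs already signed by that authority, or whether an authority has to be tainted before it can be revoked. Since `revoke` is described as removing the authority from the bundle and propagating that update throughout the cluster, please add a sentence on the order in which `prepare`, `activate`, `taint` and `revoke` are meant to be run, and on the impact for workloads still holding credentials signed by the old authority. Smaller points: `upstreamauthority taint` says "the provided X.509 upstream authority" while `upstreamauthority revoke` says "the previously active" one, and the two `-subjectKeyID` rows differ in word order ("X.509 upstream authority" vs "upstream X.509 authority"); one wording for both, such as "The X.509 Subject Key Identifier (SKID) of the upstream authority's CA certificate to taint", would read more clearly. The `-socketPath` default is also left unformatted in every new table while `pretty` is in backticks.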