From c73fc3ecd2ac8b5df422d4af82819a3c28620874 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Agust=C3=ADn=20Mart=C3=ADnez=20Fay=C3=B3?= Date: Thu, 17 Oct 2024 09:38:05 -0300 Subject: [PATCH] Add documentation for `spire-server localauthority` and `spire-server upstreamauthority` commands MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Agustín Martínez Fayó --- doc/spire_server.md | 116 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) diff --git a/doc/spire_server.md b/doc/spire_server.md index 79852c5f21..046ce747bc 100644 --- a/doc/spire_server.md +++ b/doc/spire_server.md 
@@ -659,6 +659,122 @@ Mints a JWT-SVID. | `-ttl` | The TTL of the JWT-SVID | First non-zero value from `Entry.jwt_svid_ttl`, `Entry.ttl`, `default_jwt_svid_ttl`, `5m` | | `-write` | File to write token to instead of stdout | | +### `spire-server localauthority jwt activate` + +Activates a prepared JWT authority for use, which will cause it to be used for all JWT signing operations serviced by this server going forward. + +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-authorityID` | The authority ID of the JWT authority to activate | | +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority jwt prepare` + +Prepares a new JWT authority for use by generating a new key and injecting it into the bundle. + +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority jwt revoke` + +Revokes the previously active JWT authority by removing it from the bundle and propagating this update throughout the cluster. + +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-authorityID` | The authority ID of the JWT authority to revoke | | +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority jwt show` + +Shows the local JWT authorities. 
+ +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority jwt taint` + +Marks the previously active JWT authority as being tainted. + +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-authorityID` | The authority ID of the JWT authority to taint | | +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority x509 activate` + +Activates a prepared X.509 authority for use, which will cause it to be used for all X.509 signing operations serviced by this server going forward. + +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-authorityID` | The authority ID of the X.509 authority to activate | | +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority x509 prepare` + +Prepares a new X.509 authority for use by generating a new key and injecting the resulting CA certificate into the bundle. 
+ +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority x509 revoke` + +Revokes the previously active X.509 authority by removing it from the bundle and propagating this update throughout the cluster. + +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-authorityID` | The authority ID of the X.509 authority to revoke | | +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority x509 show` + +Shows the local X.509 authorities. + +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server localauthority x509 taint` + +Marks the previously active X.509 authority as being tainted. + +| Command | Action | Default | +|:---------------|:----------------------------------------------------|:-----------------------------------| +| `-authorityID` | The authority ID of the X.509 authority to taint | | +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | + +### `spire-server upstreamauthority revoke` + +Revokes the previously active X.509 upstream authority by removing it from the bundle and propagating this update throughout the cluster. 
+ +| Command | Action | Default | +|:----------------|:-----------------------------------------------------------------------------------------------------------------------|:-----------------------------------| +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | +| `-subjectKeyID` | The X.509 Subject Key Identifier (or SKID) of the authority's CA certificate of the X.509 upstream authority to revoke | | + +### `spire-server upstreamauthority taint` + +Marks the provided X.509 upstream authority as being tainted. + +| Command | Action | Default | +|:----------------|:-----------------------------------------------------------------------------------------------------------------------|:-----------------------------------| +| `-output` | Desired output format (`pretty`, `json`) | `pretty` | +| `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock | +| `-subjectKeyID` | The X.509 Subject Key Identifier (or SKID) of the authority's CA certificate of the upstream X.509 authority to taint | | + ## JSON object for `-data` A JSON object passed to `-data` for `entry create/update` expects the following form:
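Review bot: the `-subjectKeyID` descriptions in the `upstreamauthority revoke` and `upstreamauthority taint` tables are hard to parse and differ from each other for no reason ("the authority's CA certificate of the X.509 upstream authority" in one, "of the upstream X.509 authority" in the other); suggest a single wording for both, e.g. `| \`-subjectKeyID\` | The X.509 Subject Key Identifier (SKID) of the CA certificate of the upstream X.509 authority to revoke | |`. The `revoke` and `taint` sections for the local JWT and X.509 authorities describe the command as acting on "the previously active" authority while their tables take a required `-authorityID`; the text should say whether that ID must identify the previously active authority and what happens when it does not. Since these commands are the operator's tooling for dealing with a compromised signing key, each `taint` section should also state what tainting means for workloads holding SVIDs signed by that authority, and the `revoke` sections should say whether an authority must be tainted before it can be revoked, so the order the descriptions imply (`prepare`, `activate`, `taint`, `revoke`) is documented rather than left for the reader to infer.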