spiffe-rustls

spiffe-rustls integrates rustls with SPIFFE/SPIRE using a live spiffe::X509Source (SPIFFE Workload API).

It provides builders for rustls::ClientConfig and rustls::ServerConfig that are backed by an X509Source. When the SPIRE agent rotates X.509 SVIDs or trust bundles, new TLS handshakes automatically use the updated material, without restarting the application.

The crate focuses on TLS authentication and connection-level authorization via SPIFFE IDs, while delegating all cryptography and TLS mechanics to rustls.
When SPIFFE federation is configured, the crate automatically selects the correct trust domain bundle based on the peer’s SPIFFE ID. Authorization is applied after cryptographic verification succeeds.
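The verification order described above (select the bundle for the peer's trust domain, verify, then authorize by SPIFFE ID), as an added example that is not the crate's own code: the types are simplified stand-ins whose names mirror the crate's re-exports, the bundle map stands in for the X509Source, and the validation in SpiffeId::parse is deliberately minimal.

```rust
// Added illustration, not code from spiffe-rustls: models the order the crate
// describes (select the bundle for the peer's trust domain, verify, then
// authorize by SPIFFE ID) with simplified stand-ins named after its re-exports.
use std::collections::{HashMap, HashSet};

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SpiffeId { pub trust_domain: String, pub path: String }
impl SpiffeId {
    /// Parses "spiffe://<trust-domain>[/<path>]" with minimal validation
    /// (non-empty, lowercase trust domain); not the spiffe crate's parser.
    pub fn parse(s: &str) -> Option<SpiffeId> {
        let rest = s.strip_prefix("spiffe://")?;
        let (td, path) = match rest.split_once('/') {
            Some((t, p)) => (t, format!("/{p}")),
            None => (rest, String::new()),
        };
        if td.is_empty() || td != td.to_ascii_lowercase() { return None; }
        Some(SpiffeId { trust_domain: td.to_string(), path })
    }
}

/// Stand-ins for the crate's TrustDomainPolicy and Authorizer (assumed shapes).
pub enum TrustDomainPolicy { LocalOnly, AllowList(HashSet<String>), AnyInBundleSet }
pub enum Authorizer { Any, Exact(HashSet<String>), TrustDomains(HashSet<String>) }

/// Picks the bundle for the peer's trust domain, or None when the policy does
/// not admit that domain or no bundle for it is loaded (verification fails).
pub fn select_bundle<'a>(policy: &TrustDomainPolicy, local: &str,
    bundles: &'a HashMap<String, Vec<u8>>, peer: &SpiffeId) -> Option<&'a Vec<u8>> {
    let td = peer.trust_domain.as_str();
    let admitted = match policy {
        TrustDomainPolicy::LocalOnly => td == local,
        TrustDomainPolicy::AllowList(list) => td == local || list.contains(td),
        TrustDomainPolicy::AnyInBundleSet => true,
    };
    if admitted { bundles.get(td) } else { None }
}

/// Connection-level authorization; only meaningful after verification passed.
pub fn authorize(auth: &Authorizer, peer: &SpiffeId) -> bool {
    match auth {
        Authorizer::Any => true,
        Authorizer::Exact(ids) => ids.contains(&format!("spiffe://{}{}", peer.trust_domain, peer.path)),
        Authorizer::TrustDomains(tds) => tds.contains(&peer.trust_domain),
    }
}

/// Full peer check in the crate's order: parse, select bundle, then authorize.
pub fn check_peer(policy: &TrustDomainPolicy, local: &str, bundles: &HashMap<String, Vec<u8>>,
    auth: &Authorizer, peer_uri: &str) -> Result<SpiffeId, &'static str> {
    let id = SpiffeId::parse(peer_uri).ok_or("invalid SPIFFE ID")?;
    select_bundle(policy, local, bundles, &id).ok_or("no admissible bundle for trust domain")?;
    if authorize(auth, &id) { Ok(id) } else { Err("peer not authorized") }
}
```

Note that a federated peer is rejected before authorization under LocalOnly, while under AnyInBundleSet it verifies and is then still subject to the authorizer.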
Feature flags

Exactly one rustls crypto provider must be enabled:

- ring (default)
- aws-lc-rs

Enabling more than one provider results in a compile-time error.
Re-exports

- pub use authorizer::any;
- pub use authorizer::exact;
- pub use authorizer::trust_domains;
- pub use authorizer::Authorizer;
- pub use policy::TrustDomainPolicy::AllowList;
- pub use policy::TrustDomainPolicy::AnyInBundleSet;
- pub use policy::TrustDomainPolicy::LocalOnly;
Modules

- authorizer: Authorization abstractions for SPIFFE ID-based access control.
Structs

- ClientConfigBuilder: Builds a rustls::ClientConfig backed by a live SPIFFE X509Source.
- ServerConfigBuilder: Builds a rustls::ServerConfig backed by a live SPIFFE X509Source.
- SpiffeId: A validated SPIFFE ID.
- TrustDomain: A validated SPIFFE trust domain.
Enums

- Error: Errors returned by spiffe-rustls.
- TrustDomainPolicy: Policy for selecting which trust domains to trust during certificate verification.
Functions

- mtls_client: Constructor for the mTLS client builder.
- mtls_server: Constructor for the mTLS server builder.
Type Aliases

- Result: Result type used by this crate.