Add Windows instance flag support for named pipes

cmd/spire-server/cli/agent/agent_windows_test.go

@@ -8,6 +8,8 @@ var (
     	Indicates that the command will not perform any action, but will print the agents that would be purged.
   -expiredFor duration
     	Amount of time that has passed since the agent's SVID has expired. It is used to determine which agents to purge. (default 720h0m0s)
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -24,6 +26,8 @@ var (
     	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
   -matchSelectorsOn string
     	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).	
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -32,6 +36,8 @@ var (
     	A colon-delimited type:value selector. Can be used more than once
 `
 	banUsage = `Usage of agent ban:
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -40,6 +46,8 @@ var (
     	The SPIFFE ID of the agent to ban (agent identity)
 `
 	evictUsage = `Usage of agent evict:
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -58,6 +66,8 @@ var (
     	Filter by expiration time (format: "2006-01-02 15:04:05 -0700 -07")
   -matchSelectorsOn string
     	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -66,6 +76,8 @@ var (
     	A colon-delimited type:value selector. Can be used more than once
 `
 	showUsage = `Usage of agent show:
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value

cmd/spire-server/cli/bundle/bundle_windows_test.go

@@ -8,6 +8,8 @@ var (
     	The format of the bundle data. Either "pem" or "spiffe". (default "pem")
   -id string
     	SPIFFE ID of the trust domain
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -18,12 +20,16 @@ var (
 	showUsage = `Usage of bundle show:
   -format string
     	The format to show the bundle (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem")
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
     	Desired output format (pretty, json); default: pretty.
 `
 	countUsage = `Usage of bundle count:
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -34,6 +40,8 @@ var (
     	The format to list federated bundles (only pretty output format supports this flag). Either "pem" or "spiffe". (default "pem")
   -id string
     	SPIFFE ID of the trust domain
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -42,6 +50,8 @@ var (
 	deleteUsage = `Usage of bundle delete:
   -id string
     	SPIFFE ID of the trust domain
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -mode string
     	Deletion mode: one of restrict, delete, or dissociate (default "restrict")
   -namedPipeName string

cmd/spire-server/cli/entry/util_windows_test.go

@@ -24,6 +24,8 @@ const (
     	The entry hint, used to disambiguate entries with the same SPIFFE ID
   -jwtSVIDTTL int
     	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
+  -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -node
@@ -54,6 +56,8 @@ const (
     	The match mode used when filtering by federates with. Options: exact, any, superset and subset (default "superset")
   -matchSelectorsOn string
     	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
+  -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -86,6 +90,8 @@ const (
     	The entry hint, used to disambiguate entries with the same SPIFFE ID
   -jwtSVIDTTL int
     	The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
+  -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).		
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -106,6 +112,8 @@ const (
     	The Registration Entry ID of the record to delete.
   -file string
     	Path to a file containing a JSON structure for batch deletion (optional). If set to '-', read from stdin.
+  -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -122,6 +130,8 @@ const (
     	The match mode used when filtering by federates with. Options: exact, any, superset and subset (default "superset")
   -matchSelectorsOn string
     	The match mode used when filtering by selectors. Options: exact, any, superset and subset (default "superset")
+  -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).		
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value

cmd/spire-server/cli/federation/util_windows_test.go

@@ -12,6 +12,8 @@ const (
     	Path to a file containing federation relationships in JSON format (optional). If set to '-', read the JSON from stdin.
   -endpointSpiffeID string
     	SPIFFE ID of the SPIFFE bundle endpoint server. Only used for 'spiffe' profile.
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -26,12 +28,16 @@ const (
 	deleteUsage = `Usage of federation delete:
   -id string
     	SPIFFE ID of the trust domain
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
     	Desired output format (pretty, json); default: pretty.
 `
 	listUsage = `Usage of federation list:
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
@@ -40,12 +46,16 @@ const (
 	refreshUsage = `Usage of federation refresh:
   -id string
     	SPIFFE ID of the trust domain
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value
     	Desired output format (pretty, json); default: pretty.
 `
 	showUsage = `Usage of federation show:
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value

cmd/spire-server/cli/healthcheck/healthcheck_windows_test.go

@@ -4,6 +4,8 @@ package healthcheck
 
 var (
 	healthcheckUsage = `Usage of healthcheck:
+  -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -shallow

cmd/spire-server/cli/logger/get_windows_test.go

@@ -4,6 +4,9 @@ package logger_test
 
 var (
 	getUsage = `Usage of logger get:
+   -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
+  -namedPipeName string
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value

cmd/spire-server/cli/logger/reset_windows_test.go

@@ -4,6 +4,8 @@ package logger_test
 
 var (
 	resetUsage = `Usage of logger reset:
+  -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value

cmd/spire-server/cli/logger/set_windows_test.go

@@ -4,6 +4,9 @@ package logger_test
 
 var (
 	setUsage = `Usage of logger set:
+  -instance string
+    	Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
+
   -level string
     	The new log level, one of (panic, fatal, error, warn, info, debug, trace)
   -namedPipeName string

cmd/spire-server/cli/upstreamauthority/revoke_windows_test.go

@@ -4,6 +4,8 @@ package upstreamauthority_test
 
 var (
 	revokeUsage = `Usage of upstreamauthority revoke:
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value

cmd/spire-server/cli/upstreamauthority/taint_windows_test.go

@@ -4,6 +4,8 @@ package upstreamauthority_test
 
 var (
 	taintUsage = `Usage of upstreamauthority taint:
+  -instance string
+        Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).
   -namedPipeName string
     	Pipe name of the SPIRE Server API named pipe (default "\\spire-server\\private\\api")
   -output value

cmd/spire-server/util/util_windows.go

@@ -8,16 +8,21 @@ import (
 	"net"
 	"strings"
 
+	"fmt"
+	"os"
+
 	"github.com/Microsoft/go-winio"
 	"github.com/spiffe/spire/pkg/common/namedpipe"
 )
 
 type adapterOS struct {
 	namedPipeName string
+	instance      string
 }
 
 func (a *Adapter) addOSFlags(flags *flag.FlagSet) {
 	flags.StringVar(&a.namedPipeName, "namedPipeName", DefaultNamedPipeName, "Pipe name of the SPIRE Server API named pipe")
+	flags.StringVar(&a.instance, "instance", "", "Instance name to substitute into socket templates (env SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE).")
 }
 
 func dialer(ctx context.Context, addr string) (net.Conn, error) {
@@ -28,14 +33,41 @@ func dialer(ctx context.Context, addr string) (net.Conn, error) {
 }
 
 func (a *Adapter) getGRPCAddr() (string, error) {
-	if a.namedPipeName == "" {
-		a.namedPipeName = DefaultNamedPipeName
+	tpl := os.Getenv("SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE")
+	pipe := os.Getenv("SPIRE_SERVER_PRIVATE_SOCKET")
+
+	if a.instance != "" {
+		if tpl == "" {
+			return "", fmt.Errorf(
+				"you must define %s to use the instance flag",
+				"SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE",
+			)
+		}
+
+		if !strings.Contains(tpl, "%i") {
+			return "", fmt.Errorf(
+				"failed to find %%i in %s",
+				"SPIRE_SERVER_PRIVATE_SOCKET_TEMPLATE",
+			)
+		}
 	}
 
+	namedPipeName := DefaultNamedPipeName
+
+	switch {
+	case a.namedPipeName != DefaultNamedPipeName:
+		namedPipeName = a.namedPipeName
+
+	case a.instance != "":
+		namedPipeName = strings.ReplaceAll(tpl, "%i", a.instance)
+
+	case pipe != "":
+		namedPipeName = pipe
+	}
 	// When grpc-go deprecated grpc.DialContext() in favor of grpc.NewClient(),
 	// they made a breaking change to always use the DNS resolver, even when overriding the context dialer.
 	// This is problematic for clients that do not use DNS for address resolution and don't set a resolver in the address.
 	// As a workaround, use the passthrough resolver to prevent using the DNS resolver.
 	// More context can be found in this issue: https://github.com/grpc/grpc-go/issues/1786#issuecomment-2114124036
-	return "passthrough:" + namedpipe.AddrFromName(a.namedPipeName).String(), nil
+	return "passthrough:" + namedpipe.AddrFromName(namedPipeName).String(), nil
 }