mirror of
https://github.com/status-im/consul.git
synced 2025-01-09 13:26:07 +00:00
77917b6b5d
These are used in various bits of the wire format (for gRPC) and internally with Go’s registry so we want to namespace things properly.
90 lines
3.0 KiB
Protocol Buffer
90 lines
3.0 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package hashicorp.consul.connectca;
|
|
|
|
import "google/protobuf/timestamp.proto";
|
|
|
|
service ConnectCAService {
|
|
// WatchRoots provides a stream on which you can receive the list of active
|
|
// Connect CA roots. Current roots are sent immediately at the start of the
|
|
// stream, and new lists will be sent whenever the roots are rotated.
|
|
rpc WatchRoots(WatchRootsRequest) returns (stream WatchRootsResponse) {}
|
|
|
|
// Sign a leaf certificate for the service or agent identified by the SPIFFE
|
|
// ID in the given CSR's SAN.
|
|
rpc Sign(SignRequest) returns (SignResponse) {}
|
|
}
|
|
|
|
message WatchRootsRequest {}
|
|
|
|
message WatchRootsResponse {
|
|
// active_root_id is the ID of a root in Roots that is the active CA root.
|
|
// Other roots are still valid if they're in the Roots list but are in the
|
|
// process of being rotated out.
|
|
string active_root_id = 1;
|
|
|
|
// trust_domain is the identification root for this Consul cluster. All
|
|
// certificates signed by the cluster's CA must have their identifying URI
|
|
// in this domain.
|
|
//
|
|
// This does not include the protocol (currently spiffe://) since we may
|
|
// implement other protocols in future with equivalent semantics. It should
|
|
// be compared against the "authority" section of a URI (i.e. host:port).
|
|
string trust_domain = 2;
|
|
|
|
// roots is a list of root CA certs to trust.
|
|
repeated CARoot roots = 3;
|
|
}
|
|
|
|
message CARoot {
|
|
// id is a globally unique ID (UUID) representing this CA root.
|
|
string id = 1;
|
|
|
|
// name is a human-friendly name for this CA root. This value is opaque to
|
|
// Consul and is not used for anything internally.
|
|
string name = 2;
|
|
|
|
// serial_number is the x509 serial number of the certificate.
|
|
uint64 serial_number = 3;
|
|
|
|
// signing_key_id is the connect.HexString encoded id of the public key that
|
|
// corresponds to the private key used to sign leaf certificates in the
|
|
// local datacenter.
|
|
//
|
|
// The value comes from x509.Certificate.SubjectKeyId of the local leaf
|
|
// signing cert.
|
|
//
|
|
// See https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1 for more detail.
|
|
string signing_key_id = 4;
|
|
|
|
// root_cert is the PEM-encoded public certificate.
|
|
string root_cert = 5;
|
|
|
|
// intermediate_certs is a list of PEM-encoded intermediate certs to
|
|
// attach to any leaf certs signed by this CA.
|
|
repeated string intermediate_certs = 6;
|
|
|
|
// active is true if this is the current active CA. This must only
|
|
// be true for exactly one CA.
|
|
bool active = 7;
|
|
|
|
// rotated_out_at is the time at which this CA was removed from the state.
|
|
// This will only be set on roots that have been rotated out from being the
|
|
// active root.
|
|
google.protobuf.Timestamp rotated_out_at = 8;
|
|
}
|
|
|
|
message SignRequest {
|
|
// csr is the PEM-encoded Certificate Signing Request (CSR).
|
|
//
|
|
// The CSR's SAN must include a SPIFFE ID that identifies a service or agent
|
|
// to which the ACL token provided in the `x-consul-token` metadata has write
|
|
// access.
|
|
string csr = 1;
|
|
}
|
|
|
|
message SignResponse {
|
|
// cert_pem is the PEM-encoded leaf certificate.
|
|
string cert_pem = 2;
|
|
}
|