consul/proto-public/pbconnectca/ca.proto

104 lines
3.5 KiB
Protocol Buffer

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
syntax = "proto3";
package hashicorp.consul.connectca;
import "annotations/ratelimit/ratelimit.proto";
import "google/protobuf/timestamp.proto";
service ConnectCAService {
// WatchRoots provides a stream on which you can receive the list of active
// Connect CA roots. Current roots are sent immediately at the start of the
// stream, and new lists will be sent whenever the roots are rotated.
rpc WatchRoots(WatchRootsRequest) returns (stream WatchRootsResponse) {
option (hashicorp.consul.internal.ratelimit.spec) = {
operation_type: OPERATION_TYPE_READ,
operation_category: OPERATION_CATEGORY_CONNECT_CA
};
}
// Sign a leaf certificate for the service or agent identified by the SPIFFE
// ID in the given CSR's SAN.
rpc Sign(SignRequest) returns (SignResponse) {
option (hashicorp.consul.internal.ratelimit.spec) = {
operation_type: OPERATION_TYPE_WRITE,
operation_category: OPERATION_CATEGORY_CONNECT_CA
};
}
}
message WatchRootsRequest {}
message WatchRootsResponse {
// active_root_id is the ID of a root in Roots that is the active CA root.
// Other roots are still valid if they're in the Roots list but are in the
// process of being rotated out.
string active_root_id = 1;
// trust_domain is the identification root for this Consul cluster. All
// certificates signed by the cluster's CA must have their identifying URI
// in this domain.
//
// This does not include the protocol (currently spiffe://) since we may
// implement other protocols in future with equivalent semantics. It should
// be compared against the "authority" section of a URI (i.e. host:port).
string trust_domain = 2;
// roots is a list of root CA certs to trust.
repeated CARoot roots = 3;
}
message CARoot {
// id is a globally unique ID (UUID) representing this CA root.
string id = 1;
// name is a human-friendly name for this CA root. This value is opaque to
// Consul and is not used for anything internally.
string name = 2;
// serial_number is the x509 serial number of the certificate.
uint64 serial_number = 3;
// signing_key_id is the connect.HexString encoded id of the public key that
// corresponds to the private key used to sign leaf certificates in the
// local datacenter.
//
// The value comes from x509.Certificate.SubjectKeyId of the local leaf
// signing cert.
//
// See https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1 for more detail.
string signing_key_id = 4;
// root_cert is the PEM-encoded public certificate.
string root_cert = 5;
// intermediate_certs is a list of PEM-encoded intermediate certs to
// attach to any leaf certs signed by this CA.
repeated string intermediate_certs = 6;
// active is true if this is the current active CA. This must only
// be true for exactly one CA.
bool active = 7;
// rotated_out_at is the time at which this CA was removed from the state.
// This will only be set on roots that have been rotated out from being the
// active root.
google.protobuf.Timestamp rotated_out_at = 8;
}
message SignRequest {
// csr is the PEM-encoded Certificate Signing Request (CSR).
//
// The CSR's SAN must include a SPIFFE ID that identifies a service or agent
// to which the ACL token provided in the `x-consul-token` metadata has write
// access.
string csr = 1;
}
message SignResponse {
// cert_pem is the PEM-encoded leaf certificate.
string cert_pem = 2;
}