status-im/consul
2
0
Fork 0
mirror of https://github.com/status-im/consul.git synced 2025-02-10 12:46:32 +00:00
Code Issues Projects Releases Wiki Activity
consul/proto-public/pbconnectca/ca.proto
Dan Upton d4c435856b
grpc: protoc plugin for generating gRPC rate limit specifications (#15564) 
Adds automation for generating the map of `gRPC Method Name → Rate Limit Type`
used by the middleware introduced in #15550, and will ensure we don't forget
to add new endpoints.

Engineers must annotate their RPCs in the proto file like so:

```
rpc Foo(FooRequest) returns (FooResponse) {
  option (consul.internal.ratelimit.spec) = {
    operation_type: READ,
  };
}
```

When they run `make proto` a protoc plugin `protoc-gen-consul-rate-limit` will
be installed that writes rate-limit specs as a JSON array to a file called
`.ratelimit.tmp` (one per protobuf package/directory).

After running Buf, `make proto` will execute a post-process script that will
ingest all of the `.ratelimit.tmp` files and generate a Go file containing the
mappings in the `agent/grpc-middleware` package. In the enterprise repository,
it will write an additional file with the enterprise-only endpoints.

If an engineer forgets to add the annotation to a new RPC, the plugin will
return an error like so:

```
RPC Foo is missing rate-limit specification, fix it with:

	import "proto-public/annotations/ratelimit/ratelimit.proto";

	service Bar {
	  rpc Foo(...) returns (...) {
	    option (hashicorp.consul.internal.ratelimit.spec) = {
	      operation_type: OPERATION_READ | OPERATION_WRITE | OPERATION_EXEMPT,
	    };
	  }
	}
```

In the future, this annotation can be extended to support rate-limit
category (e.g. KV vs Catalog) and to determine the retry policy.
2023-01-04 16:07:02 +00:00

99 lines
3.3 KiB
Protocol Buffer
Raw Blame History

syntax = "proto3";
package hashicorp.consul.connectca;
import "google/protobuf/timestamp.proto";
import "proto-public/annotations/ratelimit/ratelimit.proto";
service ConnectCAService {
// WatchRoots provides a stream on which you can receive the list of active
// Connect CA roots. Current roots are sent immediately at the start of the
// stream, and new lists will be sent whenever the roots are rotated.
rpc WatchRoots(WatchRootsRequest) returns (stream WatchRootsResponse) {
option (hashicorp.consul.internal.ratelimit.spec) = {
operation_type: OPERATION_TYPE_READ,
};
}
// Sign a leaf certificate for the service or agent identified by the SPIFFE
// ID in the given CSR's SAN.
rpc Sign(SignRequest) returns (SignResponse) {
option (hashicorp.consul.internal.ratelimit.spec) = {
operation_type: OPERATION_TYPE_WRITE,
};
}
}
message WatchRootsRequest {}
message WatchRootsResponse {
// active_root_id is the ID of a root in Roots that is the active CA root.
// Other roots are still valid if they're in the Roots list but are in the
// process of being rotated out.
string active_root_id = 1;
// trust_domain is the identification root for this Consul cluster. All
// certificates signed by the cluster's CA must have their identifying URI
// in this domain.
//
// This does not include the protocol (currently spiffe://) since we may
// implement other protocols in future with equivalent semantics. It should
// be compared against the "authority" section of a URI (i.e. host:port).
string trust_domain = 2;
// roots is a list of root CA certs to trust.
repeated CARoot roots = 3;
}
message CARoot {
// id is a globally unique ID (UUID) representing this CA root.
string id = 1;
// name is a human-friendly name for this CA root. This value is opaque to
// Consul and is not used for anything internally.
string name = 2;
// serial_number is the x509 serial number of the certificate.
uint64 serial_number = 3;
// signing_key_id is the connect.HexString encoded id of the public key that
// corresponds to the private key used to sign leaf certificates in the
// local datacenter.
//
// The value comes from x509.Certificate.SubjectKeyId of the local leaf
// signing cert.
//
// See https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1 for more detail.
string signing_key_id = 4;
// root_cert is the PEM-encoded public certificate.
string root_cert = 5;
// intermediate_certs is a list of PEM-encoded intermediate certs to
// attach to any leaf certs signed by this CA.
repeated string intermediate_certs = 6;
// active is true if this is the current active CA. This must only
// be true for exactly one CA.
bool active = 7;
// rotated_out_at is the time at which this CA was removed from the state.
// This will only be set on roots that have been rotated out from being the
// active root.
google.protobuf.Timestamp rotated_out_at = 8;
}
message SignRequest {
// csr is the PEM-encoded Certificate Signing Request (CSR).
//
// The CSR's SAN must include a SPIFFE ID that identifies a service or agent
// to which the ACL token provided in the `x-consul-token` metadata has write
// access.
string csr = 1;
}
message SignResponse {
// cert_pem is the PEM-encoded leaf certificate.
string cert_pem = 2;
}
Reference in New Issue View Git Blame Copy Permalink