open-consul/proto-public/pbconnectca/ca.proto

syntax = "proto3";

package hashicorp.consul.connectca;

import "google/protobuf/timestamp.proto";

service ConnectCAService {
  // WatchRoots provides a stream on which you can receive the list of active
  // Connect CA roots. Current roots are sent immediately at the start of the
  // stream, and new lists will be sent whenever the roots are rotated.
  rpc WatchRoots(WatchRootsRequest) returns (stream WatchRootsResponse) {}

  // Sign a leaf certificate for the service or agent identified by the SPIFFE
  // ID in the given CSR's SAN.
  rpc Sign(SignRequest) returns (SignResponse) {}
}

message WatchRootsRequest {}

message WatchRootsResponse {
  // active_root_id is the ID of a root in Roots that is the active CA root.
  // Other roots are still valid if they're in the Roots list but are in the
  // process of being rotated out.
  string active_root_id = 1;

  // trust_domain is the identification root for this Consul cluster. All
  // certificates signed by the cluster's CA must have their identifying URI
  // in this domain.
  //
  // This does not include the protocol (currently spiffe://) since we may
  // implement other protocols in future with equivalent semantics. It should
  // be compared against the "authority" section of a URI (i.e. host:port).
  string trust_domain = 2;

  // roots is a list of root CA certs to trust.
  repeated CARoot roots = 3;
}

message CARoot {
  // id is a globally unique ID (UUID) representing this CA root.
  string id = 1;

  // name is a human-friendly name for this CA root. This value is opaque to
  // Consul and is not used for anything internally.
  string name = 2;

  // serial_number is the x509 serial number of the certificate.
  uint64 serial_number = 3;

  // signing_key_id is the connect.HexString encoded id of the public key that
  // corresponds to the private key used to sign leaf certificates in the
  // local datacenter.
  //
  // The value comes from x509.Certificate.SubjectKeyId of the local leaf
  // signing cert.
  //
  // See https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1 for more detail.
  string signing_key_id = 4;

  // root_cert is the PEM-encoded public certificate.
  string root_cert = 5;

  // intermediate_certs is a list of PEM-encoded intermediate certs to
  // attach to any leaf certs signed by this CA.
  repeated string intermediate_certs = 6;

  // active is true if this is the current active CA. This must only
  // be true for exactly one CA.
  bool active = 7;

  // rotated_out_at is the time at which this CA was removed from the state.
  // This will only be set on roots that have been rotated out from being the
  // active root.
  google.protobuf.Timestamp rotated_out_at = 8;
}

message SignRequest {
  // csr is the PEM-encoded Certificate Signing Request (CSR).
  //
  // The CSR's SAN must include a SPIFFE ID that identifies a service or agent
  // to which the ACL token provided in the `x-consul-token` metadata has write
  // access.
  string csr = 1;
}

message SignResponse {
  // cert_pem is the PEM-encoded leaf certificate.
  string cert_pem = 2;
}
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00			`syntax = "proto3";`

Rename some protobuf package names to be fqdn like (#13861) These are used in various bits of the wire format (for gRPC) and internally with Go’s registry so we want to namespace things properly. 2022-07-22 18:59:34 +00:00			`package hashicorp.consul.connectca;`
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00
			`import "google/protobuf/timestamp.proto";`

			`service ConnectCAService {`
			`// WatchRoots provides a stream on which you can receive the list of active`
			`// Connect CA roots. Current roots are sent immediately at the start of the`
			`// stream, and new lists will be sent whenever the roots are rotated.`
Migrate from `protoc` to `buf` (#12841) * Install `buf` instead of `protoc` * Created `buf.yaml` and `buf.gen.yaml` files in the two proto directories to control how `buf` generates/lints proto code. * Invoke `buf` instead of `protoc` * Added a `proto-format` make target. * Committed the reformatted proto files. * Added a `proto-lint` make target. * Integrated proto linting with CI * Fixed tons of proto linter warnings. * Got rid of deprecated builtin protoc-gen-go grpc plugin usage. Moved to direct usage of protoc-gen-go-grpc. * Unified all proto directories / go packages around using pb prefixes but ensuring all proto packages do not have the prefix. 2022-05-23 14:37:52 +00:00			`rpc WatchRoots(WatchRootsRequest) returns (stream WatchRootsResponse) {}`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`// Sign a leaf certificate for the service or agent identified by the SPIFFE`
			`// ID in the given CSR's SAN.`
[OSS] gRPC call to get envoy bootstrap params (#12825) Adds a new gRPC endpoint to get envoy bootstrap params. The new consul-dataplane service will use this endpoint to generate an envoy bootstrap configuration. 2022-04-20 00:24:21 +00:00			`rpc Sign(SignRequest) returns (SignResponse) {}`
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00			`}`

Migrate from `protoc` to `buf` (#12841) * Install `buf` instead of `protoc` * Created `buf.yaml` and `buf.gen.yaml` files in the two proto directories to control how `buf` generates/lints proto code. * Invoke `buf` instead of `protoc` * Added a `proto-format` make target. * Committed the reformatted proto files. * Added a `proto-lint` make target. * Integrated proto linting with CI * Fixed tons of proto linter warnings. * Got rid of deprecated builtin protoc-gen-go grpc plugin usage. Moved to direct usage of protoc-gen-go-grpc. * Unified all proto directories / go packages around using pb prefixes but ensuring all proto packages do not have the prefix. 2022-05-23 14:37:52 +00:00			`message WatchRootsRequest {}`

WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00			`message WatchRootsResponse {`
			`// active_root_id is the ID of a root in Roots that is the active CA root.`
			`// Other roots are still valid if they're in the Roots list but are in the`
			`// process of being rotated out.`
			`string active_root_id = 1;`

			`// trust_domain is the identification root for this Consul cluster. All`
			`// certificates signed by the cluster's CA must have their identifying URI`
			`// in this domain.`
			`//`
			`// This does not include the protocol (currently spiffe://) since we may`
			`// implement other protocols in future with equivalent semantics. It should`
			`// be compared against the "authority" section of a URI (i.e. host:port).`
			`string trust_domain = 2;`

			`// roots is a list of root CA certs to trust.`
			`repeated CARoot roots = 3;`
			`}`

			`message CARoot {`
[OSS] gRPC call to get envoy bootstrap params (#12825) Adds a new gRPC endpoint to get envoy bootstrap params. The new consul-dataplane service will use this endpoint to generate an envoy bootstrap configuration. 2022-04-20 00:24:21 +00:00			`// id is a globally unique ID (UUID) representing this CA root.`
			`string id = 1;`

			`// name is a human-friendly name for this CA root. This value is opaque to`
			`// Consul and is not used for anything internally.`
			`string name = 2;`

			`// serial_number is the x509 serial number of the certificate.`
			`uint64 serial_number = 3;`

			`// signing_key_id is the connect.HexString encoded id of the public key that`
			`// corresponds to the private key used to sign leaf certificates in the`
			`// local datacenter.`
			`//`
			`// The value comes from x509.Certificate.SubjectKeyId of the local leaf`
			`// signing cert.`
			`//`
			`// See https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1 for more detail.`
			`string signing_key_id = 4;`

			`// root_cert is the PEM-encoded public certificate.`
			`string root_cert = 5;`

			`// intermediate_certs is a list of PEM-encoded intermediate certs to`
			`// attach to any leaf certs signed by this CA.`
			`repeated string intermediate_certs = 6;`

			`// active is true if this is the current active CA. This must only`
			`// be true for exactly one CA.`
			`bool active = 7;`

			`// rotated_out_at is the time at which this CA was removed from the state.`
			`// This will only be set on roots that have been rotated out from being the`
			`// active root.`
			`google.protobuf.Timestamp rotated_out_at = 8;`
WatchRoots gRPC endpoint (#12678) Adds a new gRPC streaming endpoint (WatchRoots) that dataplane clients will use to fetch the current list of active Connect CA roots and receive new lists whenever the roots are rotated. 2022-04-05 14:26:14 +00:00			`}`
ConnectCA.Sign gRPC Endpoint (#12787) Introduces a gRPC endpoint for signing Connect leaf certificates. It's also the first of the public gRPC endpoints to perform leader-forwarding, so establishes the pattern of forwarding over the multiplexed internal RPC port. 2022-04-14 13:26:14 +00:00
			`message SignRequest {`
			`// csr is the PEM-encoded Certificate Signing Request (CSR).`
			`//`
			`// The CSR's SAN must include a SPIFFE ID that identifies a service or agent`
			// to which the ACL token provided in the `x-consul-token` metadata has write
			`// access.`
			`string csr = 1;`
			`}`

			`message SignResponse {`
			`// cert_pem is the PEM-encoded leaf certificate.`
			`string cert_pem = 2;`
			`}`