open-consul/proto-public/pbconnectca/ca.proto

104 lines
3.5 KiB
Protocol Buffer
Raw Normal View History

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package hashicorp.consul.connectca;
Protobuf Refactoring for Multi-Module Cleanliness (#16302) Protobuf Refactoring for Multi-Module Cleanliness This commit includes the following: Moves all packages that were within proto/ to proto/private Rewrites imports to account for the packages being moved Adds in buf.work.yaml to enable buf workspaces Names the proto-public buf module so that we can override the Go package imports within proto/buf.yaml Bumps the buf version dependency to 1.14.0 (I was trying out the version to see if it would get around an issue - it didn't but it also doesn't break things and it seemed best to keep up with the toolchain changes) Why: In the future we will need to consume other protobuf dependencies such as the Google HTTP annotations for openapi generation or grpc-gateway usage. There were some recent changes to have our own ratelimiting annotations. The two combined were not working when I was trying to use them together (attempting to rebase another branch) Buf workspaces should be the solution to the problem Buf workspaces means that each module will have generated Go code that embeds proto file names relative to the proto dir and not the top level repo root. This resulted in proto file name conflicts in the Go global protobuf type registry. The solution to that was to add in a private/ directory into the path within the proto/ directory. That then required rewriting all the imports. Is this safe? AFAICT yes The gRPC wire protocol doesn't seem to care about the proto file names (although the Go grpc code does tack on the proto file name as Metadata in the ServiceDesc) Other than imports, there were no changes to any generated code as a result of this.
2023-02-17 21:14:46 +00:00
import "annotations/ratelimit/ratelimit.proto";
import "google/protobuf/timestamp.proto";
service ConnectCAService {
// WatchRoots provides a stream on which you can receive the list of active
// Connect CA roots. Current roots are sent immediately at the start of the
// stream, and new lists will be sent whenever the roots are rotated.
2023-01-04 16:07:02 +00:00
rpc WatchRoots(WatchRootsRequest) returns (stream WatchRootsResponse) {
option (hashicorp.consul.internal.ratelimit.spec) = {
operation_type: OPERATION_TYPE_READ,
operation_category: OPERATION_CATEGORY_CONNECT_CA
};
2023-01-04 16:07:02 +00:00
}
// Sign a leaf certificate for the service or agent identified by the SPIFFE
// ID in the given CSR's SAN.
2023-01-04 16:07:02 +00:00
rpc Sign(SignRequest) returns (SignResponse) {
option (hashicorp.consul.internal.ratelimit.spec) = {
operation_type: OPERATION_TYPE_WRITE,
operation_category: OPERATION_CATEGORY_CONNECT_CA
};
2023-01-04 16:07:02 +00:00
}
}
message WatchRootsRequest {}
message WatchRootsResponse {
// active_root_id is the ID of a root in Roots that is the active CA root.
// Other roots are still valid if they're in the Roots list but are in the
// process of being rotated out.
string active_root_id = 1;
// trust_domain is the identification root for this Consul cluster. All
// certificates signed by the cluster's CA must have their identifying URI
// in this domain.
//
// This does not include the protocol (currently spiffe://) since we may
// implement other protocols in future with equivalent semantics. It should
// be compared against the "authority" section of a URI (i.e. host:port).
string trust_domain = 2;
// roots is a list of root CA certs to trust.
repeated CARoot roots = 3;
}
message CARoot {
// id is a globally unique ID (UUID) representing this CA root.
string id = 1;
// name is a human-friendly name for this CA root. This value is opaque to
// Consul and is not used for anything internally.
string name = 2;
// serial_number is the x509 serial number of the certificate.
uint64 serial_number = 3;
// signing_key_id is the connect.HexString encoded id of the public key that
// corresponds to the private key used to sign leaf certificates in the
// local datacenter.
//
// The value comes from x509.Certificate.SubjectKeyId of the local leaf
// signing cert.
//
// See https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1 for more detail.
string signing_key_id = 4;
// root_cert is the PEM-encoded public certificate.
string root_cert = 5;
// intermediate_certs is a list of PEM-encoded intermediate certs to
// attach to any leaf certs signed by this CA.
repeated string intermediate_certs = 6;
// active is true if this is the current active CA. This must only
// be true for exactly one CA.
bool active = 7;
// rotated_out_at is the time at which this CA was removed from the state.
// This will only be set on roots that have been rotated out from being the
// active root.
google.protobuf.Timestamp rotated_out_at = 8;
}
message SignRequest {
// csr is the PEM-encoded Certificate Signing Request (CSR).
//
// The CSR's SAN must include a SPIFFE ID that identifies a service or agent
// to which the ACL token provided in the `x-consul-token` metadata has write
// access.
string csr = 1;
}
message SignResponse {
// cert_pem is the PEM-encoded leaf certificate.
string cert_pem = 2;
}