104 lines
3.5 KiB
Protocol Buffer
104 lines
3.5 KiB
Protocol Buffer
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
syntax = "proto3";
|
|
|
|
package hashicorp.consul.connectca;
|
|
|
|
import "annotations/ratelimit/ratelimit.proto";
|
|
import "google/protobuf/timestamp.proto";
|
|
|
|
service ConnectCAService {
|
|
// WatchRoots provides a stream on which you can receive the list of active
|
|
// Connect CA roots. Current roots are sent immediately at the start of the
|
|
// stream, and new lists will be sent whenever the roots are rotated.
|
|
rpc WatchRoots(WatchRootsRequest) returns (stream WatchRootsResponse) {
|
|
option (hashicorp.consul.internal.ratelimit.spec) = {
|
|
operation_type: OPERATION_TYPE_READ,
|
|
operation_category: OPERATION_CATEGORY_CONNECT_CA
|
|
};
|
|
}
|
|
|
|
// Sign a leaf certificate for the service or agent identified by the SPIFFE
|
|
// ID in the given CSR's SAN.
|
|
rpc Sign(SignRequest) returns (SignResponse) {
|
|
option (hashicorp.consul.internal.ratelimit.spec) = {
|
|
operation_type: OPERATION_TYPE_WRITE,
|
|
operation_category: OPERATION_CATEGORY_CONNECT_CA
|
|
};
|
|
}
|
|
}
|
|
|
|
message WatchRootsRequest {}
|
|
|
|
message WatchRootsResponse {
|
|
// active_root_id is the ID of a root in Roots that is the active CA root.
|
|
// Other roots are still valid if they're in the Roots list but are in the
|
|
// process of being rotated out.
|
|
string active_root_id = 1;
|
|
|
|
// trust_domain is the identification root for this Consul cluster. All
|
|
// certificates signed by the cluster's CA must have their identifying URI
|
|
// in this domain.
|
|
//
|
|
// This does not include the protocol (currently spiffe://) since we may
|
|
// implement other protocols in future with equivalent semantics. It should
|
|
// be compared against the "authority" section of a URI (i.e. host:port).
|
|
string trust_domain = 2;
|
|
|
|
// roots is a list of root CA certs to trust.
|
|
repeated CARoot roots = 3;
|
|
}
|
|
|
|
message CARoot {
|
|
// id is a globally unique ID (UUID) representing this CA root.
|
|
string id = 1;
|
|
|
|
// name is a human-friendly name for this CA root. This value is opaque to
|
|
// Consul and is not used for anything internally.
|
|
string name = 2;
|
|
|
|
// serial_number is the x509 serial number of the certificate.
|
|
uint64 serial_number = 3;
|
|
|
|
// signing_key_id is the connect.HexString encoded id of the public key that
|
|
// corresponds to the private key used to sign leaf certificates in the
|
|
// local datacenter.
|
|
//
|
|
// The value comes from x509.Certificate.SubjectKeyId of the local leaf
|
|
// signing cert.
|
|
//
|
|
// See https://www.rfc-editor.org/rfc/rfc3280#section-4.2.1.1 for more detail.
|
|
string signing_key_id = 4;
|
|
|
|
// root_cert is the PEM-encoded public certificate.
|
|
string root_cert = 5;
|
|
|
|
// intermediate_certs is a list of PEM-encoded intermediate certs to
|
|
// attach to any leaf certs signed by this CA.
|
|
repeated string intermediate_certs = 6;
|
|
|
|
// active is true if this is the current active CA. This must only
|
|
// be true for exactly one CA.
|
|
bool active = 7;
|
|
|
|
// rotated_out_at is the time at which this CA was removed from the state.
|
|
// This will only be set on roots that have been rotated out from being the
|
|
// active root.
|
|
google.protobuf.Timestamp rotated_out_at = 8;
|
|
}
|
|
|
|
message SignRequest {
|
|
// csr is the PEM-encoded Certificate Signing Request (CSR).
|
|
//
|
|
// The CSR's SAN must include a SPIFFE ID that identifies a service or agent
|
|
// to which the ACL token provided in the `x-consul-token` metadata has write
|
|
// access.
|
|
string csr = 1;
|
|
}
|
|
|
|
message SignResponse {
|
|
// cert_pem is the PEM-encoded leaf certificate.
|
|
string cert_pem = 2;
|
|
}
|