luxolus/open-consul
2
0
Fork 0
Code Issues 1 Pull requests Packages Releases Wiki Activity
open-consul/proto/pbconnect/connect.proto
R.B. Boyer c8c6484905
proto: add package prefixes for all proto files where it is safe (#13735) 
We cannot do this for "subscribe" and "partition" this easily without
breakage so those are omitted.

Any protobuf message passed around via an Any construct will have the
fully qualified package name embedded in the protobuf as a string. Also
RPC method dispatch will include the package of the service during
serialization.

- We will be passing pbservice and pbpeering through an Any as part of
  peer stream replication.

- We will be exposing two new gRPC services via pbpeering and
  pbpeerstream.
2022-07-13 11:03:27 -05:00

182 lines
7 KiB
Protocol Buffer
Raw Blame History

syntax = "proto3";
package hashicorp.consul.internal.connect;
import "google/protobuf/timestamp.proto";
import "proto/pbcommon/common.proto";
// CARoots is the list of all currently trusted CA Roots.
//
// mog annotation:
//
// target=github.com/hashicorp/consul/agent/structs.IndexedCARoots
// output=connect.gen.go
// name=StructsIndexedCARoots
message CARoots {
// ActiveRootID is the ID of a root in Roots that is the active CA root.
// Other roots are still valid if they're in the Roots list but are in
// the process of being rotated out.
string ActiveRootID = 1;
// TrustDomain is the identification root for this Consul cluster. All
// certificates signed by the cluster's CA must have their identifying URI in
// this domain.
//
// This does not include the protocol (currently spiffe://) since we may
// implement other protocols in future with equivalent semantics. It should be
// compared against the "authority" section of a URI (i.e. host:port).
//
// We need to support migrating a cluster between trust domains to support
// Multi-DC migration in Enterprise. In this case the current trust domain is
// here but entries in Roots may also have ExternalTrustDomain set to a
// non-empty value implying they were previous roots that are still trusted
// but under a different trust domain.
//
// Note that we DON'T validate trust domain during AuthZ since it causes
// issues of loss of connectivity during migration between trust domains. The
// only time the additional validation adds value is where the cluster shares
// an external root (e.g. organization-wide root) with another distinct Consul
// cluster or PKI system. In this case, x509 Name Constraints can be added to
// enforce that Consul's CA can only validly sign or trust certs within the
// same trust-domain. Name constraints as enforced by TLS handshake also allow
// seamless rotation between trust domains thanks to cross-signing.
string TrustDomain = 2;
// Roots is a list of root CA certs to trust.
repeated CARoot Roots = 3;
// QueryMeta here is mainly used to contain the latest Raft Index that could
// be used to perform a blocking query.
// mog: func-to=QueryMetaTo func-from=QueryMetaFrom
common.QueryMeta QueryMeta = 4;
}
// CARoot is the trusted CA Root.
//
// mog annotation:
//
// target=github.com/hashicorp/consul/agent/structs.CARoot
// output=connect.gen.go
// name=StructsCARoot
message CARoot {
// ID is a globally unique ID (UUID) representing this CA root.
string ID = 1;
// Name is a human-friendly name for this CA root. This value is
// opaque to Consul and is not used for anything internally.
string Name = 2;
// SerialNumber is the x509 serial number of the certificate.
uint64 SerialNumber = 3;
// SigningKeyID is the ID of the public key that corresponds to the private
// key used to sign leaf certificates. Is is the HexString format of the
// raw AuthorityKeyID bytes.
string SigningKeyID = 4;
// ExternalTrustDomain is the trust domain this root was generated under. It
// is usually empty implying "the current cluster trust-domain". It is set
// only in the case that a cluster changes trust domain and then all old roots
// that are still trusted have the old trust domain set here.
//
// We currently DON'T validate these trust domains explicitly anywhere, see
// IndexedRoots.TrustDomain doc. We retain this information for debugging and
// future flexibility.
string ExternalTrustDomain = 5;
// Time validity bounds.
// mog: func-to=structs.TimeFromProto func-from=structs.TimeToProto
google.protobuf.Timestamp NotBefore = 6;
// mog: func-to=structs.TimeFromProto func-from=structs.TimeToProto
google.protobuf.Timestamp NotAfter = 7;
// RootCert is the PEM-encoded public certificate.
string RootCert = 8;
// IntermediateCerts is a list of PEM-encoded intermediate certs to
// attach to any leaf certs signed by this CA.
repeated string IntermediateCerts = 9;
// SigningCert is the PEM-encoded signing certificate and SigningKey
// is the PEM-encoded private key for the signing certificate. These
// may actually be empty if the CA plugin in use manages these for us.
string SigningCert = 10;
string SigningKey = 11;
// Active is true if this is the current active CA. This must only
// be true for exactly one CA. For any method that modifies roots in the
// state store, tests should be written to verify that multiple roots
// cannot be active.
bool Active = 12;
// RotatedOutAt is the time at which this CA was removed from the state.
// This will only be set on roots that have been rotated out from being the
// active root.
// mog: func-to=structs.TimeFromProto func-from=structs.TimeToProto
google.protobuf.Timestamp RotatedOutAt = 13;
// PrivateKeyType is the type of the private key used to sign certificates. It
// may be "rsa" or "ec". This is provided as a convenience to avoid parsing
// the public key to from the certificate to infer the type.
string PrivateKeyType = 14;
// PrivateKeyBits is the length of the private key used to sign certificates.
// This is provided as a convenience to avoid parsing the public key from the
// certificate to infer the type.
// mog: func-to=int func-from=int32
int32 PrivateKeyBits = 15;
// mog: func-to=RaftIndexTo func-from=RaftIndexFrom
common.RaftIndex RaftIndex = 16;
}
// RaftIndex is used to track the index used while creating
// or modifying a given struct type.
//
// mog annotation:
//
// target=github.com/hashicorp/consul/agent/structs.IssuedCert
// output=connect.gen.go
// name=StructsIssuedCert
message IssuedCert {
// SerialNumber is the unique serial number for this certificate.
// This is encoded in standard hex separated by :.
string SerialNumber = 1;
// CertPEM and PrivateKeyPEM are the PEM-encoded certificate and private
// key for that cert, respectively. This should not be stored in the
// state store, but is present in the sign API response.
string CertPEM = 2;
string PrivateKeyPEM = 3;
// Service is the name of the service for which the cert was issued.
string Service = 4;
// ServiceURI is the cert URI value.
string ServiceURI = 5;
// Agent is the name of the node for which the cert was issued.
string Agent = 6;
// AgentURI is the cert URI value.
string AgentURI = 7;
// Kind is the kind of service for which the cert was issued.
// mog: func-to=structs.ServiceKind func-from=string
string Kind = 12;
// KindURI is the cert URI value.
string KindURI = 13;
// ValidAfter and ValidBefore are the validity periods for the
// certificate.
// mog: func-to=structs.TimeFromProto func-from=structs.TimeToProto
google.protobuf.Timestamp ValidAfter = 8;
// mog: func-to=structs.TimeFromProto func-from=structs.TimeToProto
google.protobuf.Timestamp ValidBefore = 9;
// EnterpriseMeta is the Consul Enterprise specific metadata
// mog: func-to=EnterpriseMetaTo func-from=EnterpriseMetaFrom
common.EnterpriseMeta EnterpriseMeta = 10;
// mog: func-to=RaftIndexTo func-from=RaftIndexFrom
common.RaftIndex RaftIndex = 11;
}
Reference in a new issue View git blame Copy permalink