forked from spiffe/spire-plugin-sdk
-
Notifications
You must be signed in to change notification settings - Fork 0
/
upstreamauthority.proto
63 lines (54 loc) · 2.8 KB
/
upstreamauthority.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
syntax = "proto3";
package spire.plugin.server.upstreamauthority.v1;
option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/upstreamauthority/v1;upstreamauthorityv1";
import "spire/plugin/types/jwtkey.proto";
import "spire/plugin/types/x509certificate.proto";
service UpstreamAuthority {
// Mints an X.509 CA and responds with the signed X.509 CA certificate
// chain and upstream X.509 roots. If supported by the implementation,
// subsequent responses on the stream contain upstream X.509 root updates,
// otherwise the stream is closed after the initial response.
//
// Implementation note:
// The stream should be kept open in the face of transient errors
// encountered while tracking changes to the upstream X.509 roots as SPIRE
// Server will not reopen a closed stream until the next X.509 CA rotation.
rpc MintX509CAAndSubscribe(MintX509CARequest) returns (stream MintX509CAResponse);
// Publishes a JWT signing key upstream and responds with the upstream JWT
// keys. If supported by the implementation, subsequent responses on the
// stream contain upstream JWT key updates, otherwise the stream is closed
// after the initial response.
//
// This RPC is optional and will return NotImplemented if unsupported.
//
// Implementation note:
// The stream should be kept open in the face of transient errors
// encountered while tracking changes to the upstream JWT keys as SPIRE
// Server will not reopen a closed stream until the next JWT key rotation.
rpc PublishJWTKeyAndSubscribe(PublishJWTKeyRequest) returns (stream PublishJWTKeyResponse);
}
message MintX509CARequest {
// Required. Certificate signing request (PKCS#10)
bytes csr = 1;
// Optional. Preferred TTL is the TTL preferred by SPIRE Server for signed CA. If
// zero, the plugin should determine its own TTL value. Plugins are free to
// ignore this and use their own policies around TTLs.
int32 preferred_ttl = 2;
}
message MintX509CAResponse {
// Required on the first response. Contains ASN.1 encoded certificates
// representing the X.509 CA along with any intermediates necessary to
// chain back to a certificate present in the upstream_x509_roots. The
// first certificate in the chain is the newly minted X509 CA certificate.
repeated spire.plugin.types.X509Certificate x509_ca_chain = 1;
// Required. The trusted X.509 root authorities for the upstream authority.
repeated spire.plugin.types.X509Certificate upstream_x509_roots = 2;
}
message PublishJWTKeyRequest {
// Required. The JWT signing key to publish upstream.
spire.plugin.types.JWTKey jwt_key = 1;
}
message PublishJWTKeyResponse {
// Required. The upstream JWT signing keys.
repeated spire.plugin.types.JWTKey upstream_jwt_keys = 1;
}