feat: add security proto (#8)

Signed-off-by: Jim Ma <majinjing3@gmail.com> Signed-off-by: Jim Ma <majinjing3@gmail.com>
2022-08-17 16:37:05 +08:00 · 2022-08-17 16:37:05 +08:00 · 6c569c1187
parent a84927c4d5
commit 6c569c1187
4 changed files with 650 additions and 2 deletions
--- a/hack/protoc.sh
+++ b/hack/protoc.sh
@ -4,7 +4,7 @@ PROTOC_ALL_IMAGE=${PROTOC_ALL_IMAGE:-"namely/protoc-all:1.47_2"}
 PROTO_PATH=pkg/apis
 LANGUAGE=go

-proto_modules="common/v1 cdnsystem/v1 dfdaemon/v1 errordetails/v1 manager/v1 scheduler/v1"
+proto_modules="common/v1 cdnsystem/v1 dfdaemon/v1 errordetails/v1 manager/v1 scheduler/v1 security/v1"

 echo "generate protos..."

@ -20,4 +20,3 @@ for module in ${proto_modules}; do
    echo "generate protos ${module} failed"
  fi
 done
-
--- a/pkg/apis/security/v1/security.pb.go
+++ b/pkg/apis/security/v1/security.pb.go
@ -0,0 +1,350 @@
+//
+//     Copyright 2022 The Dragonfly Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.0
+// 	protoc        v3.19.4
+// source: pkg/apis/security/v1/security.proto
+
+package v1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// Certificate request type.
+// Dragonfly supports peers authentication with Mutual TLS(mTLS)
+// For mTLS, all peers need to request TLS certificates for communicating
+// The server side may overwrite ant requested certificate filed based on its policies.
+type CertificateRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// PEM-encoded certificate request.
+	// The public key in the CSR is used to generate the certificate,
+	// and other fields in the generated certificate may be overwritten by the CA.
+	Csr string `protobuf:"bytes,1,opt,name=csr,proto3" json:"csr,omitempty"`
+	// Optional: requested certificate validity period, in seconds.
+	ValidityDuration int64 `protobuf:"varint,2,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"`
+}
+
+func (x *CertificateRequest) Reset() {
+	*x = CertificateRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_apis_security_v1_security_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *CertificateRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CertificateRequest) ProtoMessage() {}
+
+func (x *CertificateRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_apis_security_v1_security_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CertificateRequest.ProtoReflect.Descriptor instead.
+func (*CertificateRequest) Descriptor() ([]byte, []int) {
+	return file_pkg_apis_security_v1_security_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *CertificateRequest) GetCsr() string {
+	if x != nil {
+		return x.Csr
+	}
+	return ""
+}
+
+func (x *CertificateRequest) GetValidityDuration() int64 {
+	if x != nil {
+		return x.ValidityDuration
+	}
+	return 0
+}
+
+// Certificate response type.
+type CertificateResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// PEM-encoded certificate key.
+	PrivateKey string `protobuf:"bytes,1,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
+	// PEM-encoded certificate chain.
+	CertificateChain []string `protobuf:"bytes,2,rep,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"`
+}
+
+func (x *CertificateResponse) Reset() {
+	*x = CertificateResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pkg_apis_security_v1_security_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *CertificateResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CertificateResponse) ProtoMessage() {}
+
+func (x *CertificateResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_pkg_apis_security_v1_security_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use CertificateResponse.ProtoReflect.Descriptor instead.
+func (*CertificateResponse) Descriptor() ([]byte, []int) {
+	return file_pkg_apis_security_v1_security_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *CertificateResponse) GetPrivateKey() string {
+	if x != nil {
+		return x.PrivateKey
+	}
+	return ""
+}
+
+func (x *CertificateResponse) GetCertificateChain() []string {
+	if x != nil {
+		return x.CertificateChain
+	}
+	return nil
+}
+
+var File_pkg_apis_security_v1_security_proto protoreflect.FileDescriptor
+
+var file_pkg_apis_security_v1_security_proto_rawDesc = []byte{
+	0x0a, 0x23, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72,
+	0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x08, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x22,
+	0x53, 0x0a, 0x12, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x63, 0x73, 0x72, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x03, 0x63, 0x73, 0x72, 0x12, 0x2b, 0x0a, 0x11, 0x76, 0x61, 0x6c, 0x69, 0x64,
+	0x69, 0x74, 0x79, 0x5f, 0x64, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x03, 0x52, 0x10, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x69, 0x74, 0x79, 0x44, 0x75, 0x72, 0x61,
+	0x74, 0x69, 0x6f, 0x6e, 0x22, 0x63, 0x0a, 0x13, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
+	0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x70,
+	0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x2b, 0x0a, 0x11,
+	0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x63, 0x68, 0x61, 0x69,
+	0x6e, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
+	0x63, 0x61, 0x74, 0x65, 0x43, 0x68, 0x61, 0x69, 0x6e, 0x32, 0x67, 0x0a, 0x12, 0x43, 0x65, 0x72,
+	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
+	0x51, 0x0a, 0x10, 0x49, 0x73, 0x73, 0x75, 0x65, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63,
+	0x61, 0x74, 0x65, 0x12, 0x1c, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x43,
+	0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x1d, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x43, 0x65, 0x72,
+	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x00, 0x42, 0x21, 0x5a, 0x1f, 0x64, 0x37, 0x79, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69,
+	0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69,
+	0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_pkg_apis_security_v1_security_proto_rawDescOnce sync.Once
+	file_pkg_apis_security_v1_security_proto_rawDescData = file_pkg_apis_security_v1_security_proto_rawDesc
+)
+
+func file_pkg_apis_security_v1_security_proto_rawDescGZIP() []byte {
+	file_pkg_apis_security_v1_security_proto_rawDescOnce.Do(func() {
+		file_pkg_apis_security_v1_security_proto_rawDescData = protoimpl.X.CompressGZIP(file_pkg_apis_security_v1_security_proto_rawDescData)
+	})
+	return file_pkg_apis_security_v1_security_proto_rawDescData
+}
+
+var file_pkg_apis_security_v1_security_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_pkg_apis_security_v1_security_proto_goTypes = []interface{}{
+	(*CertificateRequest)(nil),  // 0: security.CertificateRequest
+	(*CertificateResponse)(nil), // 1: security.CertificateResponse
+}
+var file_pkg_apis_security_v1_security_proto_depIdxs = []int32{
+	0, // 0: security.CertificateService.IssueCertificate:input_type -> security.CertificateRequest
+	1, // 1: security.CertificateService.IssueCertificate:output_type -> security.CertificateResponse
+	1, // [1:2] is the sub-list for method output_type
+	0, // [0:1] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_pkg_apis_security_v1_security_proto_init() }
+func file_pkg_apis_security_v1_security_proto_init() {
+	if File_pkg_apis_security_v1_security_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_pkg_apis_security_v1_security_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*CertificateRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_pkg_apis_security_v1_security_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*CertificateResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_pkg_apis_security_v1_security_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   2,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_pkg_apis_security_v1_security_proto_goTypes,
+		DependencyIndexes: file_pkg_apis_security_v1_security_proto_depIdxs,
+		MessageInfos:      file_pkg_apis_security_v1_security_proto_msgTypes,
+	}.Build()
+	File_pkg_apis_security_v1_security_proto = out.File
+	file_pkg_apis_security_v1_security_proto_rawDesc = nil
+	file_pkg_apis_security_v1_security_proto_goTypes = nil
+	file_pkg_apis_security_v1_security_proto_depIdxs = nil
+}
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ context.Context
+var _ grpc.ClientConnInterface
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+const _ = grpc.SupportPackageIsVersion6
+
+// CertificateServiceClient is the client API for CertificateService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://godoc.org/google.golang.org/grpc#ClientConn.NewStream.
+type CertificateServiceClient interface {
+	// Using provided CSR, returns a signed certificate.
+	IssueCertificate(ctx context.Context, in *CertificateRequest, opts ...grpc.CallOption) (*CertificateResponse, error)
+}
+
+type certificateServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewCertificateServiceClient(cc grpc.ClientConnInterface) CertificateServiceClient {
+	return &certificateServiceClient{cc}
+}
+
+func (c *certificateServiceClient) IssueCertificate(ctx context.Context, in *CertificateRequest, opts ...grpc.CallOption) (*CertificateResponse, error) {
+	out := new(CertificateResponse)
+	err := c.cc.Invoke(ctx, "/security.CertificateService/IssueCertificate", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// CertificateServiceServer is the server API for CertificateService service.
+type CertificateServiceServer interface {
+	// Using provided CSR, returns a signed certificate.
+	IssueCertificate(context.Context, *CertificateRequest) (*CertificateResponse, error)
+}
+
+// UnimplementedCertificateServiceServer can be embedded to have forward compatible implementations.
+type UnimplementedCertificateServiceServer struct {
+}
+
+func (*UnimplementedCertificateServiceServer) IssueCertificate(context.Context, *CertificateRequest) (*CertificateResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method IssueCertificate not implemented")
+}
+
+func RegisterCertificateServiceServer(s *grpc.Server, srv CertificateServiceServer) {
+	s.RegisterService(&_CertificateService_serviceDesc, srv)
+}
+
+func _CertificateService_IssueCertificate_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(CertificateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(CertificateServiceServer).IssueCertificate(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/security.CertificateService/IssueCertificate",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(CertificateServiceServer).IssueCertificate(ctx, req.(*CertificateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+var _CertificateService_serviceDesc = grpc.ServiceDesc{
+	ServiceName: "security.CertificateService",
+	HandlerType: (*CertificateServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "IssueCertificate",
+			Handler:    _CertificateService_IssueCertificate_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "pkg/apis/security/v1/security.proto",
+}
--- a/pkg/apis/security/v1/security.pb.validate.go
+++ b/pkg/apis/security/v1/security.pb.validate.go
@ -0,0 +1,246 @@
+// Code generated by protoc-gen-validate. DO NOT EDIT.
+// source: pkg/apis/security/v1/security.proto
+
+package v1
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"net"
+	"net/mail"
+	"net/url"
+	"regexp"
+	"sort"
+	"strings"
+	"time"
+	"unicode/utf8"
+
+	"google.golang.org/protobuf/types/known/anypb"
+)
+
+// ensure the imports are used
+var (
+	_ = bytes.MinRead
+	_ = errors.New("")
+	_ = fmt.Print
+	_ = utf8.UTFMax
+	_ = (*regexp.Regexp)(nil)
+	_ = (*strings.Reader)(nil)
+	_ = net.IPv4len
+	_ = time.Duration(0)
+	_ = (*url.URL)(nil)
+	_ = (*mail.Address)(nil)
+	_ = anypb.Any{}
+	_ = sort.Sort
+)
+
+// Validate checks the field values on CertificateRequest with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the first error encountered is returned, or nil if there are no violations.
+func (m *CertificateRequest) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on CertificateRequest with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the result is a list of violation errors wrapped in
+// CertificateRequestMultiError, or nil if none found.
+func (m *CertificateRequest) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *CertificateRequest) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	// no validation rules for Csr
+
+	// no validation rules for ValidityDuration
+
+	if len(errors) > 0 {
+		return CertificateRequestMultiError(errors)
+	}
+
+	return nil
+}
+
+// CertificateRequestMultiError is an error wrapping multiple validation errors
+// returned by CertificateRequest.ValidateAll() if the designated constraints
+// aren't met.
+type CertificateRequestMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m CertificateRequestMultiError) Error() string {
+	var msgs []string
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m CertificateRequestMultiError) AllErrors() []error { return m }
+
+// CertificateRequestValidationError is the validation error returned by
+// CertificateRequest.Validate if the designated constraints aren't met.
+type CertificateRequestValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e CertificateRequestValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e CertificateRequestValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e CertificateRequestValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e CertificateRequestValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e CertificateRequestValidationError) ErrorName() string {
+	return "CertificateRequestValidationError"
+}
+
+// Error satisfies the builtin error interface
+func (e CertificateRequestValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sCertificateRequest.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = CertificateRequestValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = CertificateRequestValidationError{}
+
+// Validate checks the field values on CertificateResponse with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the first error encountered is returned, or nil if there are no violations.
+func (m *CertificateResponse) Validate() error {
+	return m.validate(false)
+}
+
+// ValidateAll checks the field values on CertificateResponse with the rules
+// defined in the proto definition for this message. If any rules are
+// violated, the result is a list of violation errors wrapped in
+// CertificateResponseMultiError, or nil if none found.
+func (m *CertificateResponse) ValidateAll() error {
+	return m.validate(true)
+}
+
+func (m *CertificateResponse) validate(all bool) error {
+	if m == nil {
+		return nil
+	}
+
+	var errors []error
+
+	// no validation rules for PrivateKey
+
+	if len(errors) > 0 {
+		return CertificateResponseMultiError(errors)
+	}
+
+	return nil
+}
+
+// CertificateResponseMultiError is an error wrapping multiple validation
+// errors returned by CertificateResponse.ValidateAll() if the designated
+// constraints aren't met.
+type CertificateResponseMultiError []error
+
+// Error returns a concatenation of all the error messages it wraps.
+func (m CertificateResponseMultiError) Error() string {
+	var msgs []string
+	for _, err := range m {
+		msgs = append(msgs, err.Error())
+	}
+	return strings.Join(msgs, "; ")
+}
+
+// AllErrors returns a list of validation violation errors.
+func (m CertificateResponseMultiError) AllErrors() []error { return m }
+
+// CertificateResponseValidationError is the validation error returned by
+// CertificateResponse.Validate if the designated constraints aren't met.
+type CertificateResponseValidationError struct {
+	field  string
+	reason string
+	cause  error
+	key    bool
+}
+
+// Field function returns field value.
+func (e CertificateResponseValidationError) Field() string { return e.field }
+
+// Reason function returns reason value.
+func (e CertificateResponseValidationError) Reason() string { return e.reason }
+
+// Cause function returns cause value.
+func (e CertificateResponseValidationError) Cause() error { return e.cause }
+
+// Key function returns key value.
+func (e CertificateResponseValidationError) Key() bool { return e.key }
+
+// ErrorName returns error name.
+func (e CertificateResponseValidationError) ErrorName() string {
+	return "CertificateResponseValidationError"
+}
+
+// Error satisfies the builtin error interface
+func (e CertificateResponseValidationError) Error() string {
+	cause := ""
+	if e.cause != nil {
+		cause = fmt.Sprintf(" | caused by: %v", e.cause)
+	}
+
+	key := ""
+	if e.key {
+		key = "key for "
+	}
+
+	return fmt.Sprintf(
+		"invalid %sCertificateResponse.%s: %s%s",
+		key,
+		e.field,
+		e.reason,
+		cause)
+}
+
+var _ error = CertificateResponseValidationError{}
+
+var _ interface {
+	Field() string
+	Reason() string
+	Key() bool
+	Cause() error
+	ErrorName() string
+} = CertificateResponseValidationError{}
--- a/pkg/apis/security/v1/security.proto
+++ b/pkg/apis/security/v1/security.proto
@ -0,0 +1,53 @@
+/*
+ *     Copyright 2022 The Dragonfly Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+syntax = "proto3";
+
+package security;
+
+option go_package = "d7y.io/api/pkg/apis/security/v1";
+
+// Refer: https://github.com/istio/api/blob/master/security/v1alpha1/ca.proto
+// Istio defines similar api for signing certificate, but it's not applicable in Dragonfly.
+
+// Certificate request type.
+// Dragonfly supports peers authentication with Mutual TLS(mTLS)
+// For mTLS, all peers need to request TLS certificates for communicating
+// The server side may overwrite ant requested certificate filed based on its policies.
+message CertificateRequest {
+  // PEM-encoded certificate request.
+  // The public key in the CSR is used to generate the certificate,
+  // and other fields in the generated certificate may be overwritten by the CA.
+  string csr = 1;
+  // Optional: requested certificate validity period, in seconds.
+  int64 validity_duration = 2;
+}
+
+// Certificate response type.
+message CertificateResponse {
+  // PEM-encoded certificate key.
+  string private_key = 1;
+  // PEM-encoded certificate chain.
+  repeated string certificate_chain = 2;
+}
+
+// Service for managing certificates issued by the CA.
+service CertificateService {
+  // Using provided CSR, returns a signed certificate.
+  rpc IssueCertificate(CertificateRequest)
+      returns (CertificateResponse) {
+  }
+}