// UpstreamAuthority plugin interface (v1) for SPIRE Server, shipped as part
// of the SPIRE plugin SDK. Field numbers in this file are a published wire
// contract: add new fields rather than renumbering or reusing existing ones.
syntax = "proto3";

package spire.plugin.server.upstreamauthority.v1;

option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/upstreamauthority/v1;upstreamauthorityv1";
import "spire/plugin/types/jwtkey.proto";
import "spire/plugin/types/x509certificate.proto";
// UpstreamAuthority is implemented by SPIRE Server plugins that obtain the
// server's X.509 CA and publish its JWT keys through an external (upstream)
// authority. Every RPC is server-streaming: the first response carries the
// initial result and, where the implementation supports it, later responses
// carry updates from upstream.
service UpstreamAuthority {
  // Mints an X.509 CA and responds with the signed X.509 CA certificate
  // chain and upstream X.509 roots. If supported by the implementation,
  // subsequent responses on the stream contain upstream X.509 root updates,
  // otherwise the stream is closed after the initial response.
  //
  // Implementation note:
  // The stream should be kept open in the face of transient errors
  // encountered while tracking changes to the upstream X.509 roots as SPIRE
  // Server will not reopen a closed stream until the next X.509 CA rotation.
  // Closing the stream on a transient error therefore means SPIRE Server
  // stops receiving upstream root updates until that rotation.
  rpc MintX509CAAndSubscribe(MintX509CARequest) returns (stream MintX509CAResponse);

  // Publishes a JWT signing key upstream and responds with the upstream JWT
  // keys. If supported by the implementation, subsequent responses on the
  // stream contain upstream JWT key updates, otherwise the stream is closed
  // after the initial response.
  //
  // This RPC is optional and will return NotImplemented (the gRPC
  // `Unimplemented` status code) if unsupported.
  //
  // Implementation note:
  // The stream should be kept open in the face of transient errors
  // encountered while tracking changes to the upstream JWT keys as SPIRE
  // Server will not reopen a closed stream until the next JWT key rotation.
  rpc PublishJWTKeyAndSubscribe(PublishJWTKeyRequest) returns (stream PublishJWTKeyResponse);

  // Returns the trust bundle of the local trust domain as seen by the upstream
  // authority. Returns the current set of X.509 roots and JWT public keys
  // that make up the trust bundle of the trust domain. If supported by the
  // implementation, subsequent responses on the stream contain trust bundle
  // updates, otherwise the stream is closed after the initial response.
  //
  // This RPC is optional and will return NotImplemented (the gRPC
  // `Unimplemented` status code) if unsupported.
  rpc SubscribeToLocalBundle(SubscribeToLocalBundleRequest) returns (stream SubscribeToLocalBundleResponse);
}
// Request for UpstreamAuthority.MintX509CAAndSubscribe.
message MintX509CARequest {
  // Required. Certificate signing request (PKCS#10)
  // NOTE(review): the schema places no constraints on the CSR contents.
  // Implementations are expected to parse it and verify its signature
  // before signing, and to apply their own policy to the requested subject
  // and extensions rather than signing them as-is; confirm against existing
  // plugin implementations.
  bytes csr = 1;

  // Optional. Preferred TTL is the TTL preferred by SPIRE Server for signed CA. If
  // zero, the plugin should determine its own TTL value. Plugins are free to
  // ignore this and use their own policies around TTLs.
  // NOTE(review): the unit is not declared in this schema (presumably
  // seconds; confirm against the SPIRE Server caller), and negative values
  // have no defined meaning here.
  int32 preferred_ttl = 2;
}
// Response stream element for UpstreamAuthority.MintX509CAAndSubscribe.
// The first message carries both the minted chain and the upstream roots;
// later messages, when the implementation supports updates, carry upstream
// root changes.
message MintX509CAResponse {
  // Required on the first response. Contains ASN.1 encoded certificates
  // representing the X.509 CA along with any intermediates necessary to
  // chain back to a certificate present in the upstream_x509_roots. The
  // first certificate in the chain is the newly minted X509 CA certificate.
  // NOTE(review): whether the upstream root itself may also appear in this
  // chain is not stated here; presumably it need not be repeated since it
  // is already delivered via upstream_x509_roots. Confirm with callers.
  repeated spire.plugin.types.X509Certificate x509_ca_chain = 1;

  // Required. The trusted X.509 root authorities for the upstream authority.
  // NOTE(review): these are presumably installed as trust anchors by SPIRE
  // Server, so a plugin should return only certificates it has confirmed
  // are roots of the upstream authority; anything else included here would
  // be trusted as a root.
  repeated spire.plugin.types.X509Certificate upstream_x509_roots = 2;
}
// Request for UpstreamAuthority.PublishJWTKeyAndSubscribe.
message PublishJWTKeyRequest {
  // Required. The JWT signing key to publish upstream.
  // NOTE(review): presumably only the public portion of the key is carried
  // here, since the purpose is distribution of verification material;
  // confirm against spire.plugin.types.JWTKey.
  spire.plugin.types.JWTKey jwt_key = 1;
}
// Response stream element for UpstreamAuthority.PublishJWTKeyAndSubscribe.
// The first message carries the current upstream key set; later messages,
// when the implementation supports updates, carry upstream key changes.
message PublishJWTKeyResponse {
  // Required. The upstream JWT signing keys.
  // Each message is the full current set, not a delta (the field is the
  // only content of the response, so a consumer replaces rather than merges).
  // NOTE(review): presumably public key material only; confirm against
  // spire.plugin.types.JWTKey.
  repeated spire.plugin.types.JWTKey upstream_jwt_keys = 1;
}
// Request for UpstreamAuthority.SubscribeToLocalBundle.
// Intentionally empty; kept as a dedicated message so that fields can be
// added later without changing the RPC signature.
message SubscribeToLocalBundleRequest {
}
// Response stream element for UpstreamAuthority.SubscribeToLocalBundle.
// Carries the trust bundle of the local trust domain as seen by the upstream
// authority: both X.509 roots and JWT keys in one message, unlike the
// per-key-type responses of the other two RPCs.
message SubscribeToLocalBundleResponse {
  // Required. The trusted X.509 root authorities for the upstream authority.
  // NOTE(review): as with MintX509CAResponse.upstream_x509_roots, these are
  // presumably consumed as trust anchors, so only verified upstream roots
  // should be returned here.
  repeated spire.plugin.types.X509Certificate upstream_x509_roots = 1;

  // Required. The upstream JWT signing keys.
  // NOTE(review): presumably public key material only; confirm against
  // spire.plugin.types.JWTKey.
  repeated spire.plugin.types.JWTKey upstream_jwt_keys = 2;
}