...
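// Schema for the Identity service, through which a requester obtains a
// signed, time-bounded certificate.
syntax = "proto3";

package io.linkerd.proxy.identity;

option go_package = "github.com/linkerd/linkerd2-proxy-api/go/identity";

// NOTE(review): the well-known Timestamp type is conventionally imported as
// "google/protobuf/timestamp.proto"; confirm that this longer path resolves
// against the include roots used by the build.
import "google/protobuf/timestamp/timestamp.proto";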
8
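// Signs time-bounded certificates for requesters that prove their identity.
service Identity {
  // Requests that a time-bounded certificate be signed.
  //
  // The requester must provide a token that verifies the client's identity and
  // a Certificate Signing Request that adheres to the service naming rules.
  //
  // Errors are returned when the provided request is invalid or when
  // authentication cannot be performed.
  //
  // NOTE(review): the request carries a credential (CertifyRequest.token), so
  // this RPC presumably needs a confidential, server-authenticated channel;
  // confirm how the transport is secured.
  rpc Certify(CertifyRequest) returns (CertifyResponse) {}
}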
19
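// Input to Identity.Certify: the claimed identity, the proof of that identity,
// and the Certificate Signing Request to be signed.
message CertifyRequest {
  // NOTE(review): this field has no upstream comment. Presumably the name the
  // requester wants certified; it is caller-supplied, so an implementation
  // should check it against what `token` proves and against the names in
  // `certificate_signing_request` rather than trust it on its own. Confirm
  // against the server implementation.
  string identity = 1;

  // Proof of the requester's identity.
  //
  // In Kubernetes, for instance, this is the contents of a service account
  // token.
  //
  // This value is a credential: keep it out of logs, traces and error
  // messages.
  bytes token = 2;

  // A PEM-encoded x509 Certificate Signing Request.
  //
  // Per the Certify documentation it must adhere to the service naming rules.
  bytes certificate_signing_request = 3;
}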
32
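// Output of Identity.Certify: the signed certificate and its chain.
message CertifyResponse {
  // A PEM-encoded x509 Certificate.
  bytes leaf_certificate = 1;

  // A list of PEM-encoded x509 Certificates that establish the trust chain
  // between the leaf_certificate and the well-known trust anchors.
  //
  // The chain should be validated against locally configured trust anchors;
  // nothing in this message identifies the anchors themselves.
  repeated bytes intermediate_certificates = 2;

  // NOTE(review): this field has no upstream comment. Presumably the instant
  // after which leaf_certificate is no longer valid. Confirm that it matches
  // the certificate's own validity period, which a verifier should treat as
  // authoritative.
  google.protobuf.Timestamp valid_until = 3;
}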