From c5f214b71e18a4f9df41c928975dd3ec4cb97902 Mon Sep 17 00:00:00 2001 From: Oliver Liu Date: Mon, 27 Jan 2020 11:39:02 -0800 Subject: [PATCH] Modify the proto message to work with Google CA. --- .../nodeagent/cache/mock/secretcache_mock.go | 2 +- security/pkg/nodeagent/cache/secretcache.go | 6 +- .../nodeagent/caclient/interface/iclient.go | 2 +- .../caclient/providers/citadel/client.go | 2 +- .../caclient/providers/citadel/client_test.go | 2 +- .../caclient/providers/google/client.go | 8 +- .../caclient/providers/google/client_test.go | 2 +- .../caclient/providers/vault/client.go | 2 +- .../caclient/providers/vault/client_test.go | 3 +- security/proto/providers/google/meshca.pb.go | 102 ++++++++++-------- security/proto/providers/google/meshca.proto | 18 ++-- 11 files changed, 87 insertions(+), 62 deletions(-) diff --git a/security/pkg/nodeagent/cache/mock/secretcache_mock.go b/security/pkg/nodeagent/cache/mock/secretcache_mock.go index 37a2b1df98a6..84bd07a7d009 100644 --- a/security/pkg/nodeagent/cache/mock/secretcache_mock.go +++ b/security/pkg/nodeagent/cache/mock/secretcache_mock.go @@ -49,7 +49,7 @@ func NewMockCAClient(mockCertChain1st, mockCertChainRemain []string, failureRate return &cl } -func (c *CAClient) CSRSign(ctx context.Context, csrPEM []byte, exchangedToken string, +func (c *CAClient) CSRSign(ctx context.Context, reqID string, csrPEM []byte, exchangedToken string, certValidTTLInSec int64) ([]string /*PEM-encoded certificate chain*/, error) { // Mock CSRSign failure errors to force Citadel agent to retry. // 50% chance of failure. diff --git a/security/pkg/nodeagent/cache/secretcache.go b/security/pkg/nodeagent/cache/secretcache.go index 6632d77b5ae6..80206f7c2dd5 100644 --- a/security/pkg/nodeagent/cache/secretcache.go +++ b/security/pkg/nodeagent/cache/secretcache.go @@ -27,6 +27,7 @@ import ( "sync/atomic" "time" + "github.com/google/uuid" "istio.io/istio/pkg/mcp/status" "istio.io/istio/security/pkg/nodeagent/model" "istio.io/istio/security/pkg/nodeagent/plugin" @@ -830,13 +831,16 @@ func (sc *SecretCache) sendRetriableRequest(ctx context.Context, csrPEM []byte, var requestErrorString string var err error + // Assign a unique request ID for all the retries. + reqID := uuid.New().String() + // Keep trying until no error or timeout. for { var httpRespCode int if isCSR { requestErrorString = fmt.Sprintf("%s CSR", conIDresourceNamePrefix) certChainPEM, err = sc.fetcher.CaClient.CSRSign( - ctx, csrPEM, exchangedToken, int64(sc.configOptions.SecretTTL.Seconds())) + ctx, reqID, csrPEM, exchangedToken, int64(sc.configOptions.SecretTTL.Seconds())) } else { requestErrorString = fmt.Sprintf("%s token exchange", conIDresourceNamePrefix) p := sc.configOptions.Plugins[0] diff --git a/security/pkg/nodeagent/caclient/interface/iclient.go b/security/pkg/nodeagent/caclient/interface/iclient.go index eb317e117fde..d96a93564543 100644 --- a/security/pkg/nodeagent/caclient/interface/iclient.go +++ b/security/pkg/nodeagent/caclient/interface/iclient.go @@ -20,6 +20,6 @@ import ( // Client interface defines the clients need to implement to talk to CA for CSR. type Client interface { - CSRSign(ctx context.Context, csrPEM []byte, subjectID string, + CSRSign(ctx context.Context, reqID string, csrPEM []byte, subjectID string, certValidTTLInSec int64) ([]string /*PEM-encoded certificate chain*/, error) } diff --git a/security/pkg/nodeagent/caclient/providers/citadel/client.go b/security/pkg/nodeagent/caclient/providers/citadel/client.go index ee20179b3b67..a117a090c551 100644 --- a/security/pkg/nodeagent/caclient/providers/citadel/client.go +++ b/security/pkg/nodeagent/caclient/providers/citadel/client.go @@ -79,7 +79,7 @@ func NewCitadelClient(endpoint string, tls bool, rootCert []byte) (caClientInter } // CSR Sign calls Citadel to sign a CSR. -func (c *citadelClient) CSRSign(ctx context.Context, csrPEM []byte, token string, +func (c *citadelClient) CSRSign(ctx context.Context, reqID string, csrPEM []byte, token string, certValidTTLInSec int64) ([]string /*PEM-encoded certificate chain*/, error) { req := &pb.IstioCertificateRequest{ Csr: string(csrPEM), diff --git a/security/pkg/nodeagent/caclient/providers/citadel/client_test.go b/security/pkg/nodeagent/caclient/providers/citadel/client_test.go index db26822dd962..502ed6153496 100644 --- a/security/pkg/nodeagent/caclient/providers/citadel/client_test.go +++ b/security/pkg/nodeagent/caclient/providers/citadel/client_test.go @@ -93,7 +93,7 @@ func TestCitadelClient(t *testing.T) { t.Errorf("Test case [%s]: failed to create ca client: %v", id, err) } - resp, err := cli.CSRSign(context.Background(), []byte{01}, fakeToken, 1) + resp, err := cli.CSRSign(context.Background(), "12345678-1234-1234-1234-123456789012", []byte{01}, fakeToken, 1) if err != nil { if err.Error() != tc.expectedErr { t.Errorf("Test case [%s]: error (%s) does not match expected error (%s)", id, err.Error(), tc.expectedErr) diff --git a/security/pkg/nodeagent/caclient/providers/google/client.go b/security/pkg/nodeagent/caclient/providers/google/client.go index 6167cbf85874..e070545e488b 100644 --- a/security/pkg/nodeagent/caclient/providers/google/client.go +++ b/security/pkg/nodeagent/caclient/providers/google/client.go @@ -22,6 +22,7 @@ import ( "regexp" "strings" + "github.com/golang/protobuf/ptypes/duration" "google.golang.org/grpc" "google.golang.org/grpc/credentials" "google.golang.org/grpc/metadata" @@ -76,11 +77,12 @@ func NewGoogleCAClient(endpoint string, tls bool) (caClientInterface.Client, err } // CSR Sign calls Google CA to sign a CSR. -func (cl *googleCAClient) CSRSign(ctx context.Context, csrPEM []byte, token string, +func (cl *googleCAClient) CSRSign(ctx context.Context, reqID string, csrPEM []byte, token string, certValidTTLInSec int64) ([]string /*PEM-encoded certificate chain*/, error) { req := &gcapb.MeshCertificateRequest{ - Csr: string(csrPEM), - ValidityDuration: certValidTTLInSec, + RequestId: reqID, + Csr: string(csrPEM), + Validity: &duration.Duration{Seconds: certValidTTLInSec}, } // If the token doesn't have "Bearer " prefix, add it. diff --git a/security/pkg/nodeagent/caclient/providers/google/client_test.go b/security/pkg/nodeagent/caclient/providers/google/client_test.go index f7df51b9d59d..477492dcf91e 100644 --- a/security/pkg/nodeagent/caclient/providers/google/client_test.go +++ b/security/pkg/nodeagent/caclient/providers/google/client_test.go @@ -72,7 +72,7 @@ func TestGoogleCAClient(t *testing.T) { t.Errorf("Test case [%s]: failed to create ca client: %v", id, err) } - resp, err := cli.CSRSign(context.Background(), []byte{01}, fakeToken, 1) + resp, err := cli.CSRSign(context.Background(), "12345678-1234-1234-1234-123456789012", []byte{01}, fakeToken, 1) if err != nil { if err.Error() != tc.expectedErr { t.Errorf("Test case [%s]: error (%s) does not match expected error (%s)", id, err.Error(), tc.expectedErr) diff --git a/security/pkg/nodeagent/caclient/providers/vault/client.go b/security/pkg/nodeagent/caclient/providers/vault/client.go index 3a0a75185b18..ab390958c61b 100644 --- a/security/pkg/nodeagent/caclient/providers/vault/client.go +++ b/security/pkg/nodeagent/caclient/providers/vault/client.go @@ -73,7 +73,7 @@ func NewVaultClient(tls bool, tlsRootCert []byte, } // CSR Sign calls Vault to sign a CSR. -func (c *vaultClient) CSRSign(ctx context.Context, csrPEM []byte, saToken string, +func (c *vaultClient) CSRSign(ctx context.Context, reqID string, csrPEM []byte, saToken string, certValidTTLInSec int64) ([]string /*PEM-encoded certificate chain*/, error) { token, err := loginVaultK8sAuthMethod(c.client, c.vaultLoginPath, c.vaultLoginRole, saToken) if err != nil { diff --git a/security/pkg/nodeagent/caclient/providers/vault/client_test.go b/security/pkg/nodeagent/caclient/providers/vault/client_test.go index e38e958473f5..f2d78e71c4d3 100644 --- a/security/pkg/nodeagent/caclient/providers/vault/client_test.go +++ b/security/pkg/nodeagent/caclient/providers/vault/client_test.go @@ -160,7 +160,8 @@ func TestClientOnMockVaultCA(t *testing.T) { t.Errorf("Test case [%s]: failed to create ca client: %v", id, err) } - resp, err := cli.CSRSign(context.Background(), tc.cliConfig.csr, tc.cliConfig.clientToken, 1) + resp, err := cli.CSRSign(context.Background(), "12345678-1234-1234-1234-123456789012", + tc.cliConfig.csr, tc.cliConfig.clientToken, 1) if err != nil { match, _ := regexp.MatchString(tc.expectedErr+".+", err.Error()) if !match { diff --git a/security/proto/providers/google/meshca.pb.go b/security/proto/providers/google/meshca.pb.go index 870301522bc6..cd778821bd52 100644 --- a/security/proto/providers/google/meshca.pb.go +++ b/security/proto/providers/google/meshca.pb.go @@ -1,12 +1,13 @@ // Code generated by protoc-gen-go. DO NOT EDIT. -// source: security/proto/providers/google/meshca.proto +// source: meshca.proto -package google_security_meshca_v1beta1 +package google_security_meshca_v1 import ( context "context" fmt "fmt" proto "github.com/golang/protobuf/proto" + duration "github.com/golang/protobuf/ptypes/duration" grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" @@ -26,12 +27,16 @@ const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package // Certificate request message. type MeshCertificateRequest struct { + // The request ID must be a valid UUID with the exception that zero UUID is + // not supported (00000000-0000-0000-0000-000000000000). + RequestId string `protobuf:"bytes,1,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"` // PEM-encoded certificate request. - Csr string `protobuf:"bytes,1,opt,name=csr,proto3" json:"csr,omitempty"` - // Optional subject ID field. - SubjectId string `protobuf:"bytes,2,opt,name=subject_id,json=subjectId,proto3" json:"subject_id,omitempty"` - // Optional: requested certificate validity period, in seconds. - ValidityDuration int64 `protobuf:"varint,3,opt,name=validity_duration,json=validityDuration,proto3" json:"validity_duration,omitempty"` + Csr string `protobuf:"bytes,2,opt,name=csr,proto3" json:"csr,omitempty"` + // Optional: requested certificate validity period. + Validity *duration.Duration `protobuf:"bytes,3,opt,name=validity,proto3" json:"validity,omitempty"` + // A path to a Private CA CertificateAuthority resource, in the format + // `projects/*/locations/*/certificateAuthorities/*`. + CertificateAuthority string `protobuf:"bytes,4,opt,name=certificate_authority,json=certificateAuthority,proto3" json:"certificate_authority,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -41,7 +46,7 @@ func (m *MeshCertificateRequest) Reset() { *m = MeshCertificateRequest{} func (m *MeshCertificateRequest) String() string { return proto.CompactTextString(m) } func (*MeshCertificateRequest) ProtoMessage() {} func (*MeshCertificateRequest) Descriptor() ([]byte, []int) { - return fileDescriptor_c0b192e3de918f2a, []int{0} + return fileDescriptor_5692c9cb61f5c10e, []int{0} } func (m *MeshCertificateRequest) XXX_Unmarshal(b []byte) error { @@ -62,6 +67,13 @@ func (m *MeshCertificateRequest) XXX_DiscardUnknown() { var xxx_messageInfo_MeshCertificateRequest proto.InternalMessageInfo +func (m *MeshCertificateRequest) GetRequestId() string { + if m != nil { + return m.RequestId + } + return "" +} + func (m *MeshCertificateRequest) GetCsr() string { if m != nil { return m.Csr @@ -69,18 +81,18 @@ func (m *MeshCertificateRequest) GetCsr() string { return "" } -func (m *MeshCertificateRequest) GetSubjectId() string { +func (m *MeshCertificateRequest) GetValidity() *duration.Duration { if m != nil { - return m.SubjectId + return m.Validity } - return "" + return nil } -func (m *MeshCertificateRequest) GetValidityDuration() int64 { +func (m *MeshCertificateRequest) GetCertificateAuthority() string { if m != nil { - return m.ValidityDuration + return m.CertificateAuthority } - return 0 + return "" } // Certificate response message. @@ -97,7 +109,7 @@ func (m *MeshCertificateResponse) Reset() { *m = MeshCertificateResponse func (m *MeshCertificateResponse) String() string { return proto.CompactTextString(m) } func (*MeshCertificateResponse) ProtoMessage() {} func (*MeshCertificateResponse) Descriptor() ([]byte, []int) { - return fileDescriptor_c0b192e3de918f2a, []int{1} + return fileDescriptor_5692c9cb61f5c10e, []int{1} } func (m *MeshCertificateResponse) XXX_Unmarshal(b []byte) error { @@ -126,32 +138,32 @@ func (m *MeshCertificateResponse) GetCertChain() []string { } func init() { - proto.RegisterType((*MeshCertificateRequest)(nil), "google.security.meshca.v1beta1.MeshCertificateRequest") - proto.RegisterType((*MeshCertificateResponse)(nil), "google.security.meshca.v1beta1.MeshCertificateResponse") -} - -func init() { - proto.RegisterFile("security/proto/providers/google/meshca.proto", fileDescriptor_c0b192e3de918f2a) -} - -var fileDescriptor_c0b192e3de918f2a = []byte{ - // 255 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x90, 0xc1, 0x4a, 0xc4, 0x30, - 0x14, 0x45, 0x8d, 0x05, 0x61, 0xb2, 0x9a, 0xc9, 0x42, 0x8b, 0xa0, 0x94, 0xae, 0x06, 0x94, 0x94, - 0x51, 0x50, 0xf7, 0x75, 0xe3, 0xc2, 0x4d, 0xfd, 0x80, 0x92, 0x26, 0xcf, 0xe9, 0x93, 0xb1, 0x19, - 0x93, 0xd7, 0xc0, 0xfc, 0x80, 0xff, 0xe1, 0x9f, 0x4a, 0x3a, 0x1d, 0x10, 0x2a, 0x82, 0x9b, 0x10, - 0xce, 0xe1, 0x72, 0x93, 0xcb, 0xaf, 0x3d, 0xe8, 0xde, 0x21, 0xed, 0x8a, 0xad, 0xb3, 0x64, 0xe3, - 0x19, 0xd0, 0x80, 0xf3, 0xc5, 0xda, 0xda, 0xf5, 0x06, 0x8a, 0x77, 0xf0, 0xad, 0x56, 0x72, 0xb0, - 0xe2, 0x72, 0x0f, 0xe5, 0x21, 0x24, 0x47, 0x1b, 0x56, 0x0d, 0x90, 0x5a, 0xe5, 0x81, 0x9f, 0x3e, - 0x83, 0x6f, 0x4b, 0x70, 0x84, 0xaf, 0xa8, 0x15, 0x41, 0x05, 0x1f, 0x3d, 0x78, 0x12, 0x73, 0x9e, - 0x68, 0xef, 0x52, 0x96, 0xb1, 0xe5, 0xac, 0x8a, 0x57, 0x71, 0xc1, 0xb9, 0xef, 0x9b, 0x37, 0xd0, - 0x54, 0xa3, 0x49, 0x8f, 0x07, 0x31, 0x1b, 0xc9, 0x93, 0x11, 0x57, 0x7c, 0x11, 0xd4, 0x06, 0x0d, - 0xd2, 0xae, 0x36, 0xbd, 0x53, 0x84, 0xb6, 0x4b, 0x93, 0x8c, 0x2d, 0x93, 0x6a, 0x7e, 0x10, 0x8f, - 0x23, 0xcf, 0x1f, 0xf8, 0xd9, 0xa4, 0xd7, 0x6f, 0x6d, 0xe7, 0x21, 0xd6, 0x68, 0x70, 0x54, 0xeb, - 0x56, 0x61, 0x97, 0xb2, 0x2c, 0x89, 0x35, 0x91, 0x94, 0x11, 0xdc, 0x7c, 0xb1, 0xc9, 0x93, 0x5f, - 0xc0, 0x05, 0xd4, 0x20, 0x3e, 0x19, 0x5f, 0x94, 0x0e, 0x14, 0xc1, 0x0f, 0x29, 0xee, 0xe4, 0xdf, - 0x1b, 0xc8, 0xdf, 0x07, 0x38, 0xbf, 0xff, 0x77, 0x6e, 0xff, 0x81, 0xfc, 0xa8, 0x39, 0x19, 0xc6, - 0xbf, 0xfd, 0x0e, 0x00, 0x00, 0xff, 0xff, 0x1d, 0x10, 0xa5, 0x3b, 0xac, 0x01, 0x00, 0x00, + proto.RegisterType((*MeshCertificateRequest)(nil), "google.security.meshca.v1.MeshCertificateRequest") + proto.RegisterType((*MeshCertificateResponse)(nil), "google.security.meshca.v1.MeshCertificateResponse") +} + +func init() { proto.RegisterFile("meshca.proto", fileDescriptor_5692c9cb61f5c10e) } + +var fileDescriptor_5692c9cb61f5c10e = []byte{ + // 278 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x50, 0xcd, 0x4e, 0xf3, 0x30, + 0x10, 0xfc, 0xfc, 0x05, 0x21, 0x6a, 0x38, 0x80, 0xc5, 0x8f, 0x5b, 0x09, 0x14, 0xe5, 0xd4, 0x93, + 0xab, 0xa6, 0x42, 0xe2, 0x8a, 0xc2, 0x85, 0x03, 0x97, 0xf0, 0x00, 0x91, 0xeb, 0x6c, 0x1b, 0x4b, + 0x25, 0x2e, 0xf6, 0x3a, 0x52, 0x25, 0x9e, 0x83, 0x37, 0xe1, 0xfd, 0x90, 0x93, 0x14, 0x2a, 0x15, + 0x0e, 0xdc, 0x56, 0x33, 0x3b, 0x3b, 0xb3, 0x43, 0x4f, 0x5e, 0xc0, 0x55, 0x4a, 0x8a, 0xb5, 0x35, + 0x68, 0xd8, 0x70, 0x69, 0xcc, 0x72, 0x05, 0xc2, 0x81, 0xf2, 0x56, 0xe3, 0x46, 0xf4, 0x6c, 0x33, + 0x1d, 0xdd, 0x74, 0xd4, 0xa4, 0x5d, 0x9c, 0xfb, 0xc5, 0xa4, 0xf4, 0x56, 0xa2, 0x36, 0x75, 0x27, + 0x4d, 0x3e, 0x08, 0xbd, 0x7c, 0x02, 0x57, 0x65, 0x60, 0x51, 0x2f, 0xb4, 0x92, 0x08, 0x39, 0xbc, + 0x7a, 0x70, 0xc8, 0xae, 0x29, 0xb5, 0xdd, 0x58, 0xe8, 0x92, 0x93, 0x98, 0x8c, 0x07, 0xf9, 0xa0, + 0x47, 0x1e, 0x4b, 0x76, 0x4a, 0x23, 0xe5, 0x2c, 0xff, 0xdf, 0xe2, 0x61, 0x64, 0xb7, 0xf4, 0xa8, + 0x91, 0x2b, 0x5d, 0x6a, 0xdc, 0xf0, 0x28, 0x26, 0xe3, 0xe3, 0x74, 0x28, 0xfa, 0x64, 0x5b, 0x7b, + 0xf1, 0xd0, 0xdb, 0xe7, 0x5f, 0xab, 0x6c, 0x46, 0x2f, 0xd4, 0xb7, 0x7b, 0x21, 0x3d, 0x56, 0x26, + 0x7c, 0xc1, 0x0f, 0xda, 0xd3, 0xe7, 0x3b, 0xe4, 0xfd, 0x96, 0x4b, 0xee, 0xe8, 0xd5, 0x5e, 0x6c, + 0xb7, 0x36, 0xb5, 0x83, 0x90, 0x3b, 0x48, 0x0a, 0x55, 0x49, 0x5d, 0x73, 0x12, 0x47, 0x21, 0x77, + 0x40, 0xb2, 0x00, 0xa4, 0xef, 0xfb, 0x1f, 0x3f, 0x83, 0x6d, 0xb4, 0x02, 0xf6, 0x46, 0xcf, 0x32, + 0x0b, 0x12, 0x61, 0x87, 0x63, 0x53, 0xf1, 0x6b, 0xbb, 0xe2, 0xe7, 0xe6, 0x46, 0xe9, 0x5f, 0x24, + 0x5d, 0xea, 0xe4, 0xdf, 0xfc, 0xb0, 0x2d, 0x69, 0xf6, 0x19, 0x00, 0x00, 0xff, 0xff, 0x4a, 0x75, + 0xd3, 0x24, 0xdc, 0x01, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. @@ -181,7 +193,7 @@ func NewMeshCertificateServiceClient(cc *grpc.ClientConn) MeshCertificateService func (c *meshCertificateServiceClient) CreateCertificate(ctx context.Context, in *MeshCertificateRequest, opts ...grpc.CallOption) (*MeshCertificateResponse, error) { out := new(MeshCertificateResponse) - err := c.cc.Invoke(ctx, "/google.security.meshca.v1beta1.MeshCertificateService/CreateCertificate", in, out, opts...) + err := c.cc.Invoke(ctx, "/google.security.meshca.v1.MeshCertificateService/CreateCertificate", in, out, opts...) if err != nil { return nil, err } @@ -217,7 +229,7 @@ func _MeshCertificateService_CreateCertificate_Handler(srv interface{}, ctx cont } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: "/google.security.meshca.v1beta1.MeshCertificateService/CreateCertificate", + FullMethod: "/google.security.meshca.v1.MeshCertificateService/CreateCertificate", } handler := func(ctx context.Context, req interface{}) (interface{}, error) { return srv.(MeshCertificateServiceServer).CreateCertificate(ctx, req.(*MeshCertificateRequest)) @@ -226,7 +238,7 @@ func _MeshCertificateService_CreateCertificate_Handler(srv interface{}, ctx cont } var _MeshCertificateService_serviceDesc = grpc.ServiceDesc{ - ServiceName: "google.security.meshca.v1beta1.MeshCertificateService", + ServiceName: "google.security.meshca.v1.MeshCertificateService", HandlerType: (*MeshCertificateServiceServer)(nil), Methods: []grpc.MethodDesc{ { @@ -235,5 +247,5 @@ var _MeshCertificateService_serviceDesc = grpc.ServiceDesc{ }, }, Streams: []grpc.StreamDesc{}, - Metadata: "security/proto/providers/google/meshca.proto", + Metadata: "meshca.proto", } diff --git a/security/proto/providers/google/meshca.proto b/security/proto/providers/google/meshca.proto index 97cdc4084f17..b571940c13cd 100644 --- a/security/proto/providers/google/meshca.proto +++ b/security/proto/providers/google/meshca.proto @@ -14,16 +14,22 @@ syntax = "proto3"; -package google.security.meshca.v1beta1; +package google.security.meshca.v1; + +import "google/protobuf/duration.proto"; // Certificate request message. message MeshCertificateRequest { + // The request ID must be a valid UUID with the exception that zero UUID is + // not supported (00000000-0000-0000-0000-000000000000). + string request_id = 1; // PEM-encoded certificate request. - string csr = 1; - // Optional subject ID field. - string subject_id = 2; - // Optional: requested certificate validity period, in seconds. - int64 validity_duration = 3; + string csr = 2; + // Optional: requested certificate validity period. + google.protobuf.Duration validity = 3; + // A path to a Private CA CertificateAuthority resource, in the format + // `projects/*/locations/*/certificateAuthorities/*`. + string certificate_authority = 4; } // Certificate response message.