k8s external token generator
// Token generation API: signs tokens built from caller-supplied claims
// and exposes the public keys needed to verify them.
syntax = "proto3";

package v1alpha1;

// gogoproto is only used for the jsontag option, which controls the
// JSON key each claim field serializes to.
import "github.com/gogo/protobuf/gogoproto/gogo.proto";
// TokenGeneratorService issues signed tokens and publishes the
// corresponding verifying keys.
service TokenGeneratorService {
  // GenerateToken signs a token carrying the claims given in the request.
  rpc GenerateToken(GenerateTokenRequest) returns (GenerateTokenResponse);

  // ListPublicKeys returns every currently active public verifying key.
  rpc ListPublicKeys(ListPublicKeysRequest) returns (ListPublicKeysResponse);
}
// JWTClaims carries the registered JWT claim set. Each field is tagged
// with its RFC 7519 JSON claim name so the serialized form matches a
// standard JWT payload.
message JWTClaims {
  // issuer serializes as "iss": the principal that issued the token.
  string issuer = 1 [(gogoproto.jsontag) = "iss"];

  // subject serializes as "sub": the principal the token is about.
  string subject = 2 [(gogoproto.jsontag) = "sub"];

  // audience serializes as "aud": the recipients the token is intended
  // for. Always a list here; presumably emitted as a JSON array even
  // for a single entry — confirm against the marshaller used.
  repeated string audience = 3 [(gogoproto.jsontag) = "aud"];

  // expiry serializes as "exp". Assumed to be seconds since the Unix
  // epoch (JWT NumericDate), like the other time claims — confirm with
  // the signer.
  int64 expiry = 4 [(gogoproto.jsontag) = "exp"];

  // not_before serializes as "nbf"; same unit assumption as expiry.
  int64 not_before = 5 [(gogoproto.jsontag) = "nbf"];

  // issued_at serializes as "iat"; same unit assumption as expiry.
  int64 issued_at = 6 [(gogoproto.jsontag) = "iat"];

  // id serializes as "jti": a unique identifier for this token.
  string id = 7 [(gogoproto.jsontag) = "jti"];
}
// RefClaim identifies a bound Kubernetes object by name and UID.
message RefClaim {
  // name is the name of the bound object.
  string name = 1 [(gogoproto.jsontag) = "name"];

  // uid is the UID of the bound object.
  string uid = 2 [(gogoproto.jsontag) = "uid"];
}
// KubernetesClaim holds the Kubernetes-specific private claims that bind
// a token to a service account and, optionally, to a pod or secret.
message KubernetesClaim {
  // namespace is the namespace of the service account.
  string namespace = 1 [(gogoproto.jsontag) = "namespace"];

  // service_account identifies the service account the token is for.
  // Serializes under the key "serviceaccount".
  RefClaim service_account = 2 [(gogoproto.jsontag) = "serviceaccount"];

  // pod is the bound pod reference, if the token is pod-bound.
  RefClaim pod = 3 [(gogoproto.jsontag) = "pod"];

  // secret is the bound secret reference, if the token is secret-bound.
  RefClaim secret = 4 [(gogoproto.jsontag) = "secret"];

  // warn_after is the time after which use of the token should be
  // warned about. Serializes under the key "warnafter". Unit is not
  // stated here; presumably epoch seconds like the JWTClaims time
  // fields — confirm with the signer.
  int64 warn_after = 5 [(gogoproto.jsontag) = "warnafter"];
}
// PrivateClaims groups the non-registered claims placed in a token.
message PrivateClaims {
  // kubernetes holds the Kubernetes private claims; it serializes under
  // the namespaced key "kubernetes.io".
  KubernetesClaim kubernetes = 1 [(gogoproto.jsontag) = "kubernetes.io"];
}
// GenerateTokenRequest asks the service to sign a token with the given
// claims.
//
// NOTE(review): every claim here, including issuer, expiry and
// issued_at, is caller-controlled. The signing side should enforce its
// own policy (fixed issuer, bounded lifetime, permitted audiences)
// rather than signing the request verbatim — confirm server behaviour.
message GenerateTokenRequest {
  // jwt_claims are the registered (standard) claims to place in the token.
  JWTClaims jwt_claims = 1;

  // private_claims are the Kubernetes-specific claims to place in the token.
  PrivateClaims private_claims = 2;
}
// GenerateTokenResponse returns the result of a GenerateToken call.
message GenerateTokenResponse {
  // token is the signed, serialized token.
  string token = 1;
}
// PublicKey describes one key that can verify tokens issued by this
// service.
message PublicKey {
  // public_key is the PEM-encoded public key.
  bytes public_key = 1;

  // certificates is a concatenation of PEM-encoded X.509 certificates
  // associated with this key (may be empty).
  bytes certificates = 2;

  // key_id is the identifier used to select this key when verifying.
  string key_id = 3;

  // algorithm names the algorithm this key is used with. Verifiers
  // should pin the algorithm to the key selected by key_id rather than
  // accepting whatever a token's own header claims.
  string algorithm = 4;
}
// ListPublicKeysRequest has no parameters yet; it is a dedicated message
// so that filters or pagination can be added without changing the RPC.
message ListPublicKeysRequest {
}
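// ListPublicKeysResponse returns the active public verifying keys.
message ListPublicKeysResponse {
  // Field number 1 is unassigned in this schema; it is reserved so a
  // later revision cannot reuse it with a meaning that old readers
  // would misinterpret.
  reserved 1;

  // public_keys is the list of public verifying keys.
  repeated PublicKey public_keys = 2;
}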