certificates.proto

Package : security.smh.solo.io

VirtualMeshCertificateSigningRequestSpec

Field Type Label Description
csrData bytes Base64-encoded PKCS#10 CSR data
certConfig VirtualMeshCertificateSigningRequestSpec.CertConfig
virtualMeshRef core.smh.solo.io.ResourceRef Reference to the virtual mesh to which this CSR corresponds. This is important because it tells the virtual mesh operator which trust bundle to use when signing the new certificates.
When the CSR is first created by the Virtual Mesh operator, the operator adds this data itself. During a cert rotation scenario, however, this is not possible, so the csr-agent writes this data to the secret so that it can be retrieved when the cert is about to expire. TODO: Decide how exactly we want to store this data.

VirtualMeshCertificateSigningRequestSpec.CertConfig

Field Type Label Description
hosts []string repeated List of hostnames and IPs to generate a certificate for. This can also be set to the identity running the workload, such as a Kubernetes service account.
For an Istio CA this will generally take the form spiffe://cluster.local/ns/istio-system/sa/citadel.
"cluster.local" may be replaced by the root of the trust domain for the mesh.
org string Organization for this certificate.
meshType core.smh.solo.io.MeshType In the future, the type of mesh and the level of trust will need to be specified here, but for the time being only shared trust in Istio is supported.

VirtualMeshCertificateSigningRequestStatus

Field Type Label Description
response VirtualMeshCertificateSigningRequestStatus.Response Response from the certificate authority
thirdPartyApproval VirtualMeshCertificateSigningRequestStatus.ThirdPartyApprovalWorkflow Workflow for approving Certificate Signing Requests
computedStatus core.smh.solo.io.Status

VirtualMeshCertificateSigningRequestStatus.Response

Field Type Label Description
caCertificate bytes If the request was approved, the controller places the issued certificate here.
rootCertificate bytes Root cert shared by all clusters; safe to send over the wire.

VirtualMeshCertificateSigningRequestStatus.ThirdPartyApprovalWorkflow

Field Type Label Description
lastUpdatedTime google.protobuf.Timestamp Time when the status was last updated.
message string A human-readable message regarding the status of the CSR.
approvalStatus VirtualMeshCertificateSigningRequestStatus.ThirdPartyApprovalWorkflow.ApprovalStatus

VirtualMeshCertificateSigningRequestStatus.ThirdPartyApprovalWorkflow.ApprovalStatus

Name Number Description
PENDING 0 Default value representing "not set", since proto enums require a 0th value.
APPROVED 1
DENIED 2