diff --git a/security/v1alpha1/ca.pb.go b/security/v1alpha1/ca.pb.go
index 3591b6b5d7..157ac68f92 100644
--- a/security/v1alpha1/ca.pb.go
+++ b/security/v1alpha1/ca.pb.go
@@ -116,7 +116,14 @@ type IstioCertificateResponse struct {
state protoimpl.MessageState `protogen:"open.v1"`
// PEM-encoded certificate chain.
// The leaf cert is the first element, and the root cert is the last element.
- CertChain []string `protobuf:"bytes,1,rep,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
+ CertChain []string `protobuf:"bytes,1,rep,name=cert_chain,json=certChain,proto3" json:"cert_chain,omitempty"`
+ // Root certificates. This field is newer, and therefor is optional with the following semantics:
+ // - if root_cert is specified, cert_chain contains [leaf, intermediate1, intermediate2] (intermediates are optional).
+ // root_cert contains [root1, root2].
+ // - if root_cert is not specified, cert_chain contains [leaf, intermediate1, intermediate2, root1+root2] concatenated into one entry.
+ //
+ // Note that the individual cert_chain is only signed by a single root. The roots provided here is the full bundle of trusted roots.
+ RootCert *Roots `protobuf:"bytes,2,opt,name=root_cert,json=rootCert,proto3" json:"root_cert,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
@@ -158,6 +165,57 @@ func (x *IstioCertificateResponse) GetCertChain() []string {
return nil
}
+func (x *IstioCertificateResponse) GetRootCert() *Roots {
+ if x != nil {
+ return x.RootCert
+ }
+ return nil
+}
+
+type Roots struct {
+ state protoimpl.MessageState `protogen:"open.v1"`
+ CaCert []string `protobuf:"bytes,1,rep,name=ca_cert,json=caCert,proto3" json:"ca_cert,omitempty"`
+ unknownFields protoimpl.UnknownFields
+ sizeCache protoimpl.SizeCache
+}
+
+func (x *Roots) Reset() {
+ *x = Roots{}
+ mi := &file_security_v1alpha1_ca_proto_msgTypes[2]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+}
+
+func (x *Roots) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Roots) ProtoMessage() {}
+
+func (x *Roots) ProtoReflect() protoreflect.Message {
+ mi := &file_security_v1alpha1_ca_proto_msgTypes[2]
+ if x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use Roots.ProtoReflect.Descriptor instead.
+func (*Roots) Descriptor() ([]byte, []int) {
+ return file_security_v1alpha1_ca_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *Roots) GetCaCert() []string {
+ if x != nil {
+ return x.CaCert
+ }
+ return nil
+}
+
var File_security_v1alpha1_ca_proto protoreflect.FileDescriptor
const file_security_v1alpha1_ca_proto_rawDesc = "" +
@@ -166,10 +224,13 @@ const file_security_v1alpha1_ca_proto_rawDesc = "" +
"\x17IstioCertificateRequest\x12\x10\n" +
"\x03csr\x18\x01 \x01(\tR\x03csr\x12+\n" +
"\x11validity_duration\x18\x03 \x01(\x03R\x10validityDuration\x123\n" +
- "\bmetadata\x18\x04 \x01(\v2\x17.google.protobuf.StructR\bmetadata\"9\n" +
+ "\bmetadata\x18\x04 \x01(\v2\x17.google.protobuf.StructR\bmetadata\"l\n" +
"\x18IstioCertificateResponse\x12\x1d\n" +
"\n" +
- "cert_chain\x18\x01 \x03(\tR\tcertChain2\x81\x01\n" +
+ "cert_chain\x18\x01 \x03(\tR\tcertChain\x121\n" +
+ "\troot_cert\x18\x02 \x01(\v2\x14.istio.v1.auth.RootsR\brootCert\" \n" +
+ "\x05Roots\x12\x17\n" +
+ "\aca_cert\x18\x01 \x03(\tR\x06caCert2\x81\x01\n" +
"\x17IstioCertificateService\x12f\n" +
"\x11CreateCertificate\x12&.istio.v1.auth.IstioCertificateRequest\x1a'.istio.v1.auth.IstioCertificateResponse\"\x00B Z\x1eistio.io/api/security/v1alpha1b\x06proto3"
@@ -185,21 +246,23 @@ func file_security_v1alpha1_ca_proto_rawDescGZIP() []byte {
return file_security_v1alpha1_ca_proto_rawDescData
}
-var file_security_v1alpha1_ca_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_security_v1alpha1_ca_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
var file_security_v1alpha1_ca_proto_goTypes = []any{
(*IstioCertificateRequest)(nil), // 0: istio.v1.auth.IstioCertificateRequest
(*IstioCertificateResponse)(nil), // 1: istio.v1.auth.IstioCertificateResponse
- (*_struct.Struct)(nil), // 2: google.protobuf.Struct
+ (*Roots)(nil), // 2: istio.v1.auth.Roots
+ (*_struct.Struct)(nil), // 3: google.protobuf.Struct
}
var file_security_v1alpha1_ca_proto_depIdxs = []int32{
- 2, // 0: istio.v1.auth.IstioCertificateRequest.metadata:type_name -> google.protobuf.Struct
- 0, // 1: istio.v1.auth.IstioCertificateService.CreateCertificate:input_type -> istio.v1.auth.IstioCertificateRequest
- 1, // 2: istio.v1.auth.IstioCertificateService.CreateCertificate:output_type -> istio.v1.auth.IstioCertificateResponse
- 2, // [2:3] is the sub-list for method output_type
- 1, // [1:2] is the sub-list for method input_type
- 1, // [1:1] is the sub-list for extension type_name
- 1, // [1:1] is the sub-list for extension extendee
- 0, // [0:1] is the sub-list for field type_name
+ 3, // 0: istio.v1.auth.IstioCertificateRequest.metadata:type_name -> google.protobuf.Struct
+ 2, // 1: istio.v1.auth.IstioCertificateResponse.root_cert:type_name -> istio.v1.auth.Roots
+ 0, // 2: istio.v1.auth.IstioCertificateService.CreateCertificate:input_type -> istio.v1.auth.IstioCertificateRequest
+ 1, // 3: istio.v1.auth.IstioCertificateService.CreateCertificate:output_type -> istio.v1.auth.IstioCertificateResponse
+ 3, // [3:4] is the sub-list for method output_type
+ 2, // [2:3] is the sub-list for method input_type
+ 2, // [2:2] is the sub-list for extension type_name
+ 2, // [2:2] is the sub-list for extension extendee
+ 0, // [0:2] is the sub-list for field type_name
}
func init() { file_security_v1alpha1_ca_proto_init() }
@@ -213,7 +276,7 @@ func file_security_v1alpha1_ca_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_security_v1alpha1_ca_proto_rawDesc), len(file_security_v1alpha1_ca_proto_rawDesc)),
NumEnums: 0,
- NumMessages: 2,
+ NumMessages: 3,
NumExtensions: 0,
NumServices: 1,
},
diff --git a/security/v1alpha1/ca.pb.html b/security/v1alpha1/ca.pb.html
index 8933fd813b..12e8e97a29 100644
--- a/security/v1alpha1/ca.pb.html
+++ b/security/v1alpha1/ca.pb.html
@@ -2,7 +2,7 @@
title: istio.v1.auth
layout: protoc-gen-docs
generator: protoc-gen-docs
-number_of_entries: 3
+number_of_entries: 4
---
Services
IstioCertificateService
@@ -77,6 +77,41 @@ IstioCertificateResponse
PEM-encoded certificate chain.
The leaf cert is the first element, and the root cert is the last element.
+
+
+
+ |
+
+ Root certificates. This field is newer, and therefor is optional with the following semantics:
+
+- if root_cert is specified, cert_chain contains [leaf, intermediate1, intermediate2] (intermediates are optional).
+root_cert contains [root1, root2].
+- if root_cert is not specified, cert_chain contains [leaf, intermediate1, intermediate2, root1+root2] concatenated into one entry.
+Note that the individual cert_chain is only signed by a single root. The roots provided here is the full bundle of trusted roots.
+
+
+ |
+
+
+
+
+Roots
+
+
+
+
+| Field |
+Description |
+
+
+
+
+ |
+
|
diff --git a/security/v1alpha1/ca.proto b/security/v1alpha1/ca.proto
index ea6e7cd51a..76dc7f779b 100644
--- a/security/v1alpha1/ca.proto
+++ b/security/v1alpha1/ca.proto
@@ -46,6 +46,15 @@ message IstioCertificateResponse {
// PEM-encoded certificate chain.
// The leaf cert is the first element, and the root cert is the last element.
repeated string cert_chain = 1;
+ // Root certificates. This field is newer, and therefor is optional with the following semantics:
+ // * if root_cert is specified, cert_chain contains [leaf, intermediate1, intermediate2] (intermediates are optional).
+ // root_cert contains [root1, root2].
+ // * if root_cert is not specified, cert_chain contains [leaf, intermediate1, intermediate2, root1+root2] concatenated into one entry.
+ // Note that the individual cert_chain is only signed by a single root. The roots provided here is the full bundle of trusted roots.
+ Roots root_cert = 2;
+}
+message Roots {
+ repeated string ca_cert = 1;
}
// Service for managing certificates issued by the CA.
diff --git a/security/v1alpha1/ca_deepcopy.gen.go b/security/v1alpha1/ca_deepcopy.gen.go
index 4d4dbdc510..3eb37621fa 100644
--- a/security/v1alpha1/ca_deepcopy.gen.go
+++ b/security/v1alpha1/ca_deepcopy.gen.go
@@ -46,3 +46,24 @@ func (in *IstioCertificateResponse) DeepCopy() *IstioCertificateResponse {
func (in *IstioCertificateResponse) DeepCopyInterface() interface{} {
return in.DeepCopy()
}
+
+// DeepCopyInto supports using Roots within kubernetes types, where deepcopy-gen is used.
+func (in *Roots) DeepCopyInto(out *Roots) {
+ p := proto.Clone(in).(*Roots)
+ *out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Roots. Required by controller-gen.
+func (in *Roots) DeepCopy() *Roots {
+ if in == nil {
+ return nil
+ }
+ out := new(Roots)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Roots. Required by controller-gen.
+func (in *Roots) DeepCopyInterface() interface{} {
+ return in.DeepCopy()
+}
diff --git a/security/v1alpha1/ca_json.gen.go b/security/v1alpha1/ca_json.gen.go
index 628065d164..c5e7b1ee88 100644
--- a/security/v1alpha1/ca_json.gen.go
+++ b/security/v1alpha1/ca_json.gen.go
@@ -28,6 +28,17 @@ func (this *IstioCertificateResponse) UnmarshalJSON(b []byte) error {
return CaUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
+// MarshalJSON is a custom marshaler for Roots
+func (this *Roots) MarshalJSON() ([]byte, error) {
+ str, err := CaMarshaler.MarshalToString(this)
+ return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for Roots
+func (this *Roots) UnmarshalJSON(b []byte) error {
+ return CaUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
var (
CaMarshaler = &jsonpb.Marshaler{}
CaUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}