k8s external token generator
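// Token generator API: signs Kubernetes-style service account tokens and
// publishes the public keys needed to verify them.
//
// NOTE(review): the package carries no organisation prefix and the file sets
// no go_package/java_package option. Both are left untouched here because
// changing either is a breaking change for any generated code already in use.
syntax = "proto3";

package v1alpha1;

// gogoproto is only used for the (gogoproto.jsontag) field options below,
// which control the JSON key emitted for each claim.
import "github.com/gogo/protobuf/gogoproto/gogo.proto";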
// TokenGeneratorService signs tokens and exposes the verification keys.
//
// Security note: GenerateToken returns a signed token for whatever claims the
// caller supplies. Nothing in this schema constrains the issuer, subject or
// the Kubernetes private claims, so the ability to call this RPC should be
// controlled as tightly as access to the signing key itself. Whether the
// server validates or overrides caller-supplied claims is not visible from
// the schema -- confirm in the implementation.
service TokenGeneratorService {
  // GenerateToken signs a token built from the supplied standard and
  // Kubernetes private claims.
  rpc GenerateToken(GenerateTokenRequest) returns (GenerateTokenResponse) {}

  // ListPublicKeys returns every public key currently valid for verifying
  // tokens issued by this service.
  rpc ListPublicKeys(ListPublicKeysRequest) returns (ListPublicKeysResponse) {}
}
// JWTClaims holds the registered JWT claims (RFC 7519, section 4.1) placed in
// a token. Each gogoproto json tag maps the field onto the short registered
// claim name when the generated struct is marshalled to JSON.
message JWTClaims {
  // Issuer of the token ("iss").
  string issuer = 1 [(gogoproto.jsontag) = "iss"];

  // Principal the token is about ("sub").
  string subject = 2 [(gogoproto.jsontag) = "sub"];

  // Intended recipients ("aud"). Per RFC 7519 a verifier rejects tokens whose
  // audience does not include it.
  repeated string audience = 3 [(gogoproto.jsontag) = "aud"];

  // Expiration time ("exp"). Presumably a JWT NumericDate, i.e. seconds since
  // the Unix epoch -- confirm with the signer. Under proto3 implicit presence
  // an unset value is indistinguishable from 0.
  int64 expiry = 4 [(gogoproto.jsontag) = "exp"];

  // Time before which the token must not be accepted ("nbf"); same unit
  // caveat as expiry.
  int64 not_before = 5 [(gogoproto.jsontag) = "nbf"];

  // Time the token was issued ("iat"); same unit caveat as expiry.
  int64 issued_at = 6 [(gogoproto.jsontag) = "iat"];

  // Unique token identifier ("jti"), usable for replay detection or
  // revocation lists on the verifying side.
  string id = 7 [(gogoproto.jsontag) = "jti"];
}
// RefClaim identifies the Kubernetes object a token is bound to.
message RefClaim {
  // Name of the bound object.
  string name = 1 [(gogoproto.jsontag) = "name"];

  // UID of the bound object. Verifiers that check binding should compare the
  // UID, not just the name, since names can be reused after deletion.
  string uid = 2 [(gogoproto.jsontag) = "uid"];
}
// KubernetesClaim carries the Kubernetes-specific private claims that bind a
// token to a service account and, optionally, to a pod or secret.
message KubernetesClaim {
  // Namespace of the service account the token is issued for.
  string namespace = 1 [(gogoproto.jsontag) = "namespace"];

  // The service account the token is issued for.
  RefClaim service_account = 2 [(gogoproto.jsontag) = "serviceaccount"];

  // Pod the token is bound to, if any. Message fields have explicit presence,
  // so "not bound" is represented by leaving this unset.
  RefClaim pod = 3 [(gogoproto.jsontag) = "pod"];

  // Secret the token is bound to, if any.
  RefClaim secret = 4 [(gogoproto.jsontag) = "secret"];

  // Time after which clients should be warned that the token is nearing the
  // end of its life. Presumably the same NumericDate unit (Unix seconds) as
  // the standard time claims -- confirm with the signer.
  int64 warn_after = 5 [(gogoproto.jsontag) = "warnafter"];
}
// PrivateClaims groups the non-registered claims placed in a token.
message PrivateClaims {
  // Kubernetes private claims, serialised under the "kubernetes.io" JSON key.
  KubernetesClaim kubernetes = 1 [(gogoproto.jsontag) = "kubernetes.io"];
}
// GenerateTokenRequest is the input to GenerateToken. Both parts are supplied
// by the caller; the schema does not limit which issuer, subject or binding
// may be requested.
message GenerateTokenRequest {
  // Registered (standard) JWT claims to place in the token.
  JWTClaims jwt_claims = 1;

  // Kubernetes private claims to place in the token.
  PrivateClaims private_claims = 2;
}
// GenerateTokenResponse is the output of GenerateToken.
message GenerateTokenResponse {
  // The signed, serialised token. Treat it as a bearer credential: do not log
  // it and do not persist it outside the component that requested it.
  string token = 1;
}
// PublicKey is one verification key as published by ListPublicKeys.
message PublicKey {
  // PEM-encoded public key.
  bytes public_key = 1;

  // Zero or more PEM-encoded X.509 certificates, concatenated, that belong to
  // this key.
  bytes certificates = 2;

  // Identifier of the key. Presumably what a verifier matches against a
  // token's "kid" header to select the key -- confirm.
  string key_id = 3;

  // Algorithm this key is used with. Verifiers should bind the key to this
  // value rather than trusting the "alg" header of the token being checked.
  string algorithm = 4;
}
// ListPublicKeysRequest is the (currently empty) input to ListPublicKeys.
// Kept as a dedicated message so fields such as paging can be added later
// without changing the RPC signature.
message ListPublicKeysRequest {
}
// ListPublicKeysResponse is the output of ListPublicKeys.
message ListPublicKeysResponse {
  // Public keys currently valid for verifying tokens from this service.
  // Field number 1 is unused; if it was ever published, declare it
  // `reserved 1;` so it cannot be silently reused.
  repeated PublicKey public_keys = 2;
}