Skip to content

Introduce AttestReference API in workloadattestor #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
matheuscscp wants to merge 1 commit into
base: main
Choose a base branch
from
+204 −15
Open

Introduce AttestReference API in workloadattestor #74

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
134 changes: 120 additions & 14 deletions proto/spire/plugin/agent/workloadattestor/v1/workloadattestor.pb.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

27 changes: 27 additions & 0 deletions proto/spire/plugin/agent/workloadattestor/v1/workloadattestor.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ syntax = "proto3";
package spire.plugin.agent.workloadattestor.v1;
option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1";

import "google/protobuf/any.proto";

service WorkloadAttestor {
// Attests the specified workload process. If the process is not one the
// attestor is in a position to attest (e.g. k8s attestor attesting a
Expand All @@ -10,6 +12,17 @@ service WorkloadAttestor {
// fails to gather all selectors related to that workload, the call will
// fail. Otherwise the attestor will return one or more workload selectors.
rpc Attest(AttestRequest) returns (AttestResponse);

// Attests a workload identified by an opaque reference (e.g. a process
// ID, a Kubernetes object reference, etc.). The reference's type URL is
// taken from the SPIFFE Broker API specification's WorkloadReference and
// delivered verbatim. Plugins that do not understand the supplied
// reference type SHOULD return Unimplemented; the host will fall back to
// Attest(pid) when the reference is a WorkloadPIDReference. Likewise,
// plugins that have not yet implemented this RPC will return Unimplemented
// automatically (via UnimplementedWorkloadAttestorServer or unknown-method
// dispatch in older binaries), allowing the host to fall back to Attest.
rpc AttestReference(AttestReferenceRequest) returns (AttestReferenceResponse);
}

message AttestRequest {
Expand All @@ -22,3 +35,17 @@ message AttestResponse {
// of the selector is inferred from the plugin name.
repeated string selector_values = 1;
}

message AttestReferenceRequest {
// Required. Reference to the workload to be attested. The packed message
// is one of the WorkloadReference reference types defined by the SPIFFE
// Broker API specification (e.g. WorkloadPIDReference,
// KubernetesObjectReference) or a vendor-specific extension type.
google.protobuf.Any reference = 1;
}

message AttestReferenceResponse {
// Optional. Selector values related to the attested workload. The type
// of the selector is inferred from the plugin name.
repeated string selector_values = 1;
}
58 changes: 57 additions & 1 deletion proto/spire/plugin/agent/workloadattestor/v1/workloadattestor_grpc.pb.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.