syntax = "proto3";

package docker.swarmkit.v1;

import "github.com/docker/swarmkit/api/types.proto";
import "github.com/docker/swarmkit/api/specs.proto";
import "gogoproto/gogo.proto";
import "github.com/docker/swarmkit/protobuf/plugin/plugin.proto";

// CA defines the RPC methods for requesting certificates from a CA.

service CA {
	rpc GetRootCACertificate(GetRootCACertificateRequest) returns (GetRootCACertificateResponse) {
		option (docker.protobuf.plugin.tls_authorization) = { insecure: true };
	};
	// GetUnlockKey returns the current unlock key for the cluster for the role of the client
	// asking.
	rpc GetUnlockKey(GetUnlockKeyRequest) returns (GetUnlockKeyResponse) {
		option (docker.protobuf.plugin.tls_authorization) = { roles: ["swarm-manager"] };
	};
}

service NodeCA {
	rpc IssueNodeCertificate(IssueNodeCertificateRequest) returns (IssueNodeCertificateResponse) {
		option (docker.protobuf.plugin.tls_authorization) = { insecure: true };
	};
	rpc NodeCertificateStatus(NodeCertificateStatusRequest) returns (NodeCertificateStatusResponse) {
		option (docker.protobuf.plugin.tls_authorization) = { insecure: true };
	};
}

message NodeCertificateStatusRequest {
	string node_id = 1;
}

message NodeCertificateStatusResponse {
	IssuanceStatus status = 1;
	Certificate certificate = 2;
}

message IssueNodeCertificateRequest {
	// DEPRECATED: Role is now selected based on which secret is matched.
	NodeRole role = 1 [deprecated=true];

	// CSR is the certificate signing request.
	bytes csr = 2 [(gogoproto.customname) = "CSR"];

	// Token represents a user-provided string that is necessary for new
	// nodes to join the cluster
	string token = 3;

	// Availability allows a user to control the current scheduling status of a node
	NodeSpec.Availability availability = 4;
}

message IssueNodeCertificateResponse {
	string node_id = 1;
	NodeSpec.Membership node_membership = 2;
}

message GetRootCACertificateRequest {}

message GetRootCACertificateResponse {
	bytes certificate = 1;
}

message GetUnlockKeyRequest {}

message GetUnlockKeyResponse {
	bytes unlock_key = 1;
	Version version = 2 [(gogoproto.nullable) = false];
}