package v1
import "k8s.io/externaljwt/apis/v1"
Constants ¶
const (
	// Fully-qualified gRPC method names of the three ExternalJWTSigner RPCs
	// ("/<package>.<service>/<method>"), matching the ServiceName and
	// MethodName entries in ExternalJWTSigner_ServiceDesc.
	ExternalJWTSigner_Sign_FullMethodName      = "/v1.ExternalJWTSigner/Sign"
	ExternalJWTSigner_FetchKeys_FullMethodName = "/v1.ExternalJWTSigner/FetchKeys"
	ExternalJWTSigner_Metadata_FullMethodName  = "/v1.ExternalJWTSigner/Metadata"
)
Variables ¶
var ExternalJWTSigner_ServiceDesc = grpc.ServiceDesc{
	ServiceName: "v1.ExternalJWTSigner",
	// The server-side interface type every registered implementation must satisfy.
	HandlerType: (*ExternalJWTSignerServer)(nil),
	// One unary handler per RPC; the unexported handler functions are defined
	// elsewhere in this package.
	Methods: []grpc.MethodDesc{
		{
			MethodName: "Sign",
			Handler:    _ExternalJWTSigner_Sign_Handler,
		},
		{
			MethodName: "FetchKeys",
			Handler:    _ExternalJWTSigner_FetchKeys_Handler,
		},
		{
			MethodName: "Metadata",
			Handler:    _ExternalJWTSigner_Metadata_Handler,
		},
	},
	// The service defines no streaming RPCs.
	Streams:  []grpc.StreamDesc{},
	Metadata: "staging/src/k8s.io/externaljwt/apis/v1/api.proto",
}
ExternalJWTSigner_ServiceDesc is the grpc.ServiceDesc for the ExternalJWTSigner service. It is intended only for direct use with grpc.RegisterService, and must not be introspected or modified (even as a copy).
var File_staging_src_k8s_io_externaljwt_apis_v1_api_proto protoreflect.FileDescriptor
Functions ¶
func RegisterExternalJWTSignerServer ¶
func RegisterExternalJWTSignerServer(s grpc.ServiceRegistrar, srv ExternalJWTSignerServer)
Types ¶
type ExternalJWTSignerClient ¶
type ExternalJWTSignerClient interface {
	// Sign takes a serialized JWT payload, and returns the serialized header and
	// signature. The caller can then assemble the JWT from the header, payload,
	// and signature. Signature can be generated by signing
	// `base64url(header) + "." + base64url(payload)` with signing key.
	//
	// The plugin MUST set a key id in the returned JWT header. The key it
	// signs with must not be one marked ExcludeFromOidcDiscovery (see Key and
	// SignJWTResponse.Header for the constraints kube-apiserver places on kid).
	Sign(ctx context.Context, in *SignJWTRequest, opts ...grpc.CallOption) (*SignJWTResponse, error)
	// FetchKeys returns the set of public keys that are trusted to sign
	// Kubernetes service account tokens. Kube-apiserver will call this RPC:
	//
	//   - Every time it tries to validate a JWT from the service account issuer
	//     with an unknown key ID, and
	//   - Periodically, so it can serve reasonably-up-to-date keys from the OIDC
	//     JWKs endpoint.
	//
	// The returned RefreshHintSeconds drives the periodic refresh; a value <= 0
	// is treated as a misconfiguration (see FetchKeysResponse).
	FetchKeys(ctx context.Context, in *FetchKeysRequest, opts ...grpc.CallOption) (*FetchKeysResponse, error)
	// Metadata is meant to be called once on startup.
	// Enables sharing metadata with kube-apiserver (eg: the max token lifetime
	// that the signer supports; see MetadataResponse for how that value is applied).
	Metadata(ctx context.Context, in *MetadataRequest, opts ...grpc.CallOption) (*MetadataResponse, error)
}
ExternalJWTSignerClient is the client API for ExternalJWTSigner service.
For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
This service is served by a process on a local Unix Domain Socket.
func NewExternalJWTSignerClient ¶
func NewExternalJWTSignerClient(cc grpc.ClientConnInterface) ExternalJWTSignerClient
type ExternalJWTSignerServer ¶
type ExternalJWTSignerServer interface {
	// Sign takes a serialized JWT payload, and returns the serialized header and
	// signature. The caller can then assemble the JWT from the header, payload,
	// and signature. Signature can be generated by signing
	// `base64url(header) + "." + base64url(payload)` with signing key.
	//
	// The plugin MUST set a key id in the returned JWT header. The key it
	// signs with must not be one marked ExcludeFromOidcDiscovery (see Key and
	// SignJWTResponse.Header for the constraints kube-apiserver places on kid).
	Sign(context.Context, *SignJWTRequest) (*SignJWTResponse, error)
	// FetchKeys returns the set of public keys that are trusted to sign
	// Kubernetes service account tokens. Kube-apiserver will call this RPC:
	//
	//   - Every time it tries to validate a JWT from the service account issuer
	//     with an unknown key ID, and
	//   - Periodically, so it can serve reasonably-up-to-date keys from the OIDC
	//     JWKs endpoint.
	//
	// The returned RefreshHintSeconds drives the periodic refresh; a value <= 0
	// is treated as a misconfiguration (see FetchKeysResponse).
	FetchKeys(context.Context, *FetchKeysRequest) (*FetchKeysResponse, error)
	// Metadata is meant to be called once on startup.
	// Enables sharing metadata with kube-apiserver (eg: the max token lifetime
	// that the signer supports; see MetadataResponse for how that value is applied).
	Metadata(context.Context, *MetadataRequest) (*MetadataResponse, error)
	// contains filtered or unexported methods
}
ExternalJWTSignerServer is the server API for ExternalJWTSigner service. All implementations must embed UnimplementedExternalJWTSignerServer for forward compatibility.
This service is served by a process on a local Unix Domain Socket.
type FetchKeysRequest ¶
// FetchKeysRequest is the request message of the FetchKeys RPC. It carries no
// exported fields; only protobuf-internal state is held in the struct.
type FetchKeysRequest struct {
	// contains filtered or unexported fields
}
func (*FetchKeysRequest) Descriptor ¶
func (*FetchKeysRequest) Descriptor() ([]byte, []int)
Deprecated: Use FetchKeysRequest.ProtoReflect.Descriptor instead.
func (*FetchKeysRequest) ProtoMessage ¶
func (*FetchKeysRequest) ProtoMessage()
func (*FetchKeysRequest) ProtoReflect ¶
func (x *FetchKeysRequest) ProtoReflect() protoreflect.Message
func (*FetchKeysRequest) Reset ¶
func (x *FetchKeysRequest) Reset()
func (*FetchKeysRequest) String ¶
func (x *FetchKeysRequest) String() string
type FetchKeysResponse ¶
// FetchKeysResponse is the response message of the FetchKeys RPC: the public
// keys kube-apiserver should trust for verifying service account tokens, plus
// freshness metadata about that key set.
type FetchKeysResponse struct {
	// The public verification keys. See Key for the per-key constraints.
	Keys []*Key `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
	// The timestamp when this data was pulled from the authoritative source of
	// truth for verification keys.
	// kube-apiserver can export this from metrics, to enable end-to-end SLOs.
	DataTimestamp *timestamppb.Timestamp `protobuf:"bytes,2,opt,name=data_timestamp,json=dataTimestamp,proto3" json:"data_timestamp,omitempty"`
	// Refresh interval for verification keys, so kube-apiserver picks up
	// changes (key rotation) if any.
	// Any value <= 0 is considered a misconfiguration.
	RefreshHintSeconds int64 `protobuf:"varint,3,opt,name=refresh_hint_seconds,json=refreshHintSeconds,proto3" json:"refresh_hint_seconds,omitempty"`
	// contains filtered or unexported fields
}
func (*FetchKeysResponse) Descriptor ¶
func (*FetchKeysResponse) Descriptor() ([]byte, []int)
Deprecated: Use FetchKeysResponse.ProtoReflect.Descriptor instead.
func (*FetchKeysResponse) GetDataTimestamp ¶
func (x *FetchKeysResponse) GetDataTimestamp() *timestamppb.Timestamp
func (*FetchKeysResponse) GetKeys ¶
func (x *FetchKeysResponse) GetKeys() []*Key
func (*FetchKeysResponse) GetRefreshHintSeconds ¶
func (x *FetchKeysResponse) GetRefreshHintSeconds() int64
func (*FetchKeysResponse) ProtoMessage ¶
func (*FetchKeysResponse) ProtoMessage()
func (*FetchKeysResponse) ProtoReflect ¶
func (x *FetchKeysResponse) ProtoReflect() protoreflect.Message
func (*FetchKeysResponse) Reset ¶
func (x *FetchKeysResponse) Reset()
func (*FetchKeysResponse) String ¶
func (x *FetchKeysResponse) String() string
type Key ¶
// Key is one public verification key entry returned by FetchKeys.
type Key struct {
	// A unique identifier for this key.
	// Length must be <=1024.
	// Presumably the value the signer places in the JWT header "kid" for tokens
	// signed with this key — confirm against SignJWTResponse.Header.
	KeyId string `protobuf:"bytes,1,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"`
	// The public key, PKIX-serialized.
	// Must be a public key supported by kube-apiserver (currently RSA 256 or
	// ECDSA 256/384/521).
	Key []byte `protobuf:"bytes,2,opt,name=key,proto3" json:"key,omitempty"`
	// Set only for keys that are not used to sign bound tokens,
	// e.g. supported keys for legacy tokens.
	// If set, the key is used for verification but excluded from OIDC discovery docs.
	// If set, the external signer should not use this key to sign a JWT.
	ExcludeFromOidcDiscovery bool `protobuf:"varint,3,opt,name=exclude_from_oidc_discovery,json=excludeFromOidcDiscovery,proto3" json:"exclude_from_oidc_discovery,omitempty"`
	// contains filtered or unexported fields
}
func (*Key) Descriptor ¶
Deprecated: Use Key.ProtoReflect.Descriptor instead.
func (*Key) GetExcludeFromOidcDiscovery ¶
func (*Key) GetKey ¶
func (*Key) GetKeyId ¶
func (*Key) ProtoMessage ¶
func (*Key) ProtoMessage()
func (*Key) ProtoReflect ¶
func (x *Key) ProtoReflect() protoreflect.Message
func (*Key) Reset ¶
func (x *Key) Reset()
func (*Key) String ¶
type MetadataRequest ¶
// MetadataRequest is the request message of the Metadata RPC. It carries no
// exported fields; only protobuf-internal state is held in the struct.
type MetadataRequest struct {
	// contains filtered or unexported fields
}
func (*MetadataRequest) Descriptor ¶
func (*MetadataRequest) Descriptor() ([]byte, []int)
Deprecated: Use MetadataRequest.ProtoReflect.Descriptor instead.
func (*MetadataRequest) ProtoMessage ¶
func (*MetadataRequest) ProtoMessage()
func (*MetadataRequest) ProtoReflect ¶
func (x *MetadataRequest) ProtoReflect() protoreflect.Message
func (*MetadataRequest) Reset ¶
func (x *MetadataRequest) Reset()
func (*MetadataRequest) String ¶
func (x *MetadataRequest) String() string
type MetadataResponse ¶
// MetadataResponse is the response message of the Metadata RPC, which the
// signer answers once on kube-apiserver startup.
type MetadataResponse struct {
	// Used by kube-apiserver for defaulting/validation of JWT lifetime while
	// accounting for configuration flag values:
	//  1. `--service-account-max-token-expiration`
	//  2. `--service-account-extend-token-expiration`
	//
	//   - If `--service-account-max-token-expiration` is greater than
	//     `max_token_expiration_seconds`, kube-apiserver treats that as
	//     misconfiguration and exits.
	//   - If `--service-account-max-token-expiration` is not explicitly set,
	//     kube-apiserver defaults to `max_token_expiration_seconds`.
	//   - If `--service-account-extend-token-expiration` is true, the extended
	//     expiration is `min(1 year, max_token_expiration_seconds)`.
	//
	// `max_token_expiration_seconds` must be at least 600s.
	MaxTokenExpirationSeconds int64 `protobuf:"varint,1,opt,name=max_token_expiration_seconds,json=maxTokenExpirationSeconds,proto3" json:"max_token_expiration_seconds,omitempty"`
	// contains filtered or unexported fields
}
func (*MetadataResponse) Descriptor ¶
func (*MetadataResponse) Descriptor() ([]byte, []int)
Deprecated: Use MetadataResponse.ProtoReflect.Descriptor instead.
func (*MetadataResponse) GetMaxTokenExpirationSeconds ¶
func (x *MetadataResponse) GetMaxTokenExpirationSeconds() int64
func (*MetadataResponse) ProtoMessage ¶
func (*MetadataResponse) ProtoMessage()
func (*MetadataResponse) ProtoReflect ¶
func (x *MetadataResponse) ProtoReflect() protoreflect.Message
func (*MetadataResponse) Reset ¶
func (x *MetadataResponse) Reset()
func (*MetadataResponse) String ¶
func (x *MetadataResponse) String() string
type SignJWTRequest ¶
// SignJWTRequest is the request message of the Sign RPC: the JWT payload the
// signer is asked to sign.
type SignJWTRequest struct {
	// URL-safe base64 wrapped payload to be signed.
	// Exactly as it appears in the second segment of the JWT.
	Claims string `protobuf:"bytes,1,opt,name=claims,proto3" json:"claims,omitempty"`
	// contains filtered or unexported fields
}
func (*SignJWTRequest) Descriptor ¶
func (*SignJWTRequest) Descriptor() ([]byte, []int)
Deprecated: Use SignJWTRequest.ProtoReflect.Descriptor instead.
func (*SignJWTRequest) GetClaims ¶
func (x *SignJWTRequest) GetClaims() string
func (*SignJWTRequest) ProtoMessage ¶
func (*SignJWTRequest) ProtoMessage()
func (*SignJWTRequest) ProtoReflect ¶
func (x *SignJWTRequest) ProtoReflect() protoreflect.Message
func (*SignJWTRequest) Reset ¶
func (x *SignJWTRequest) Reset()
func (*SignJWTRequest) String ¶
func (x *SignJWTRequest) String() string
type SignJWTResponse ¶
// SignJWTResponse is the response message of the Sign RPC. kube-apiserver
// assembles the token as header "." payload "." signature; the constraints
// below are what it checks on the returned header.
type SignJWTResponse struct {
	// header must contain only alg, kid, typ claims.
	// typ must be "JWT".
	// kid must be non-empty, <=1024 characters, and its corresponding public
	// key should not be excluded from OIDC discovery (see Key.ExcludeFromOidcDiscovery).
	// alg must be one of the algorithms supported by kube-apiserver (currently
	// RS256, ES256, ES384, ES512).
	// header cannot have any additional data that kube-apiserver does not recognize.
	// Already wrapped in URL-safe base64, exactly as it appears in the first
	// segment of the JWT.
	Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"`
	// The signature for the JWT.
	// Already wrapped in URL-safe base64, exactly as it appears in the final
	// segment of the JWT.
	Signature string `protobuf:"bytes,2,opt,name=signature,proto3" json:"signature,omitempty"`
	// contains filtered or unexported fields
}
func (*SignJWTResponse) Descriptor ¶
func (*SignJWTResponse) Descriptor() ([]byte, []int)
Deprecated: Use SignJWTResponse.ProtoReflect.Descriptor instead.
func (*SignJWTResponse) GetHeader ¶
func (x *SignJWTResponse) GetHeader() string
func (*SignJWTResponse) GetSignature ¶
func (x *SignJWTResponse) GetSignature() string
func (*SignJWTResponse) ProtoMessage ¶
func (*SignJWTResponse) ProtoMessage()
func (*SignJWTResponse) ProtoReflect ¶
func (x *SignJWTResponse) ProtoReflect() protoreflect.Message
func (*SignJWTResponse) Reset ¶
func (x *SignJWTResponse) Reset()
func (*SignJWTResponse) String ¶
func (x *SignJWTResponse) String() string
type UnimplementedExternalJWTSignerServer ¶
// UnimplementedExternalJWTSignerServer must be embedded (by value, not by
// pointer) in server implementations so that methods added to the service
// later do not break compilation.
type UnimplementedExternalJWTSignerServer struct{}
UnimplementedExternalJWTSignerServer must be embedded to have forward compatible implementations.
NOTE: this should be embedded by value instead of pointer to avoid a nil pointer dereference when methods are called.
func (UnimplementedExternalJWTSignerServer) FetchKeys ¶
func (UnimplementedExternalJWTSignerServer) FetchKeys(context.Context, *FetchKeysRequest) (*FetchKeysResponse, error)
func (UnimplementedExternalJWTSignerServer) Metadata ¶
func (UnimplementedExternalJWTSignerServer) Metadata(context.Context, *MetadataRequest) (*MetadataResponse, error)
func (UnimplementedExternalJWTSignerServer) Sign ¶
func (UnimplementedExternalJWTSignerServer) Sign(context.Context, *SignJWTRequest) (*SignJWTResponse, error)
type UnsafeExternalJWTSignerServer ¶
// UnsafeExternalJWTSignerServer may be embedded to opt out of the forward
// compatibility that UnimplementedExternalJWTSignerServer provides; its use
// is not recommended.
type UnsafeExternalJWTSignerServer interface {
	// contains filtered or unexported methods
}
UnsafeExternalJWTSignerServer may be embedded to opt out of forward compatibility for this service. Use of this interface is not recommended, as methods later added to ExternalJWTSignerServer will result in compilation errors.
Source Files ¶
api.pb.go api_grpc.pb.go