User Request
Add RequestServiceIdentity and ExtendIdentityLease RPCs to the ZitiManagementService proto. These RPCs support the service identity self-enrollment pattern described in the architecture docs, where infrastructure services (Gateway, Orchestrator, Runner) obtain ephemeral OpenZiti identities at runtime.
Specification
Changes to proto/agynio/api/ziti_management/v1/ziti_management.proto
New enum: ServiceType
Identifies which infrastructure service is requesting an identity. Used for role attribute assignment and lease tracking.
enum ServiceType {
  SERVICE_TYPE_UNSPECIFIED = 0;
  SERVICE_TYPE_GATEWAY = 1;
  SERVICE_TYPE_ORCHESTRATOR = 2;
  SERVICE_TYPE_RUNNER = 3;
}
New RPCs
Add to the existing ZitiManagementService:
// Infrastructure services (Gateway, Orchestrator, Runner) → request an enrolled
// OpenZiti identity for the calling service. Ziti Management creates the identity
// on the Controller, enrolls it (generates key pair, submits CSR, receives cert),
// and returns the enrolled identity to the caller.
rpc RequestServiceIdentity(RequestServiceIdentityRequest) returns (RequestServiceIdentityResponse);
// Infrastructure services → extend the lease on a service identity.
// Called periodically by the service to prevent GC from deleting the identity.
rpc ExtendIdentityLease(ExtendIdentityLeaseRequest) returns (ExtendIdentityLeaseResponse);
New messages
message RequestServiceIdentityRequest {
  // Which infrastructure service is requesting the identity.
  ServiceType service_type = 1;
}

message RequestServiceIdentityResponse {
  // The OpenZiti identity ID (for lease extension and cleanup).
  string ziti_identity_id = 1;
  // The full enrolled identity JSON (contains cert, key, CA, controller URL).
  // The caller writes this to ephemeral disk and loads it via the OpenZiti SDK.
  bytes identity_json = 2;
}

message ExtendIdentityLeaseRequest {
  // The OpenZiti identity ID whose lease should be extended.
  string ziti_identity_id = 1;
}

message ExtendIdentityLeaseResponse {}
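The lease lifecycle behind these two RPCs, as an added Go example that is not part of the spec or the project: ServiceType values follow the enum above, while the role attribute names and the placeholder identity IDs are assumptions. The Controller calls (create, enroll, delete) and the mutex a real service needs around the lease map are left out.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ServiceType mirrors the proto enum; the role attribute per value is an assumption.
type ServiceType int32
var roleAttribute = map[ServiceType]string{1: "gateway", 2: "orchestrator", 3: "runner"}
var ErrUnknownIdentity = errors.New("unknown or expired identity")
// LeaseRegistry keeps one expiry per issued identity; Now is injectable for deterministic tests.
type LeaseRegistry struct {
	TTL    time.Duration
	Now    func() time.Time
	Expiry map[string]time.Time
	nextID int
}
// RequestServiceIdentity rejects UNSPECIFIED, starts a lease and returns a placeholder ID (the Controller assigns real ones).
func (r *LeaseRegistry) RequestServiceIdentity(st ServiceType) (string, error) {
	role, ok := roleAttribute[st]
	if !ok {
		return "", errors.New("service_type must be GATEWAY, ORCHESTRATOR or RUNNER")
	}
	r.nextID++
	id := fmt.Sprintf("svc-%s-%d", role, r.nextID)
	r.Expiry[id] = r.Now().Add(r.TTL)
	return id, nil
}
// ExtendIdentityLease renews the TTL; a lapsed lease is never revived, the service must re-enroll.
func (r *LeaseRegistry) ExtendIdentityLease(id string) error {
	exp, ok := r.Expiry[id]
	if !ok || !r.Now().Before(exp) {
		return ErrUnknownIdentity
	}
	r.Expiry[id] = r.Now().Add(r.TTL)
	return nil
}
// GC drops lapsed identities and returns their IDs; a real service deletes them on the Controller too.
func (r *LeaseRegistry) GC() []string {
	var gone []string
	for id, exp := range r.Expiry {
		if !r.Now().Before(exp) {
			delete(r.Expiry, id)
			gone = append(gone, id)
		}
	}
	return gone
}
```

A service that calls ExtendIdentityLease well inside the TTL keeps its identity; one that stops renewing is collected on the next GC pass and cannot revive the old lease.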
Conventions
- Follows existing proto style: snake_case fields, UPPER_SNAKE enum values with _UNSPECIFIED = 0
- New enum uses the SERVICE_TYPE_ prefix (not IDENTITY_TYPE_) to distinguish it from the existing IdentityType enum, which covers agent/runner/channel
- identity_json is bytes (not string) because it contains an opaque JSON blob with embedded PEM data
- No new file: all additions go into the existing ziti_management.proto