Conversation

@havetisyan (Collaborator) commented Oct 6, 2025

Description

The ZTS server has the capability to enforce a specific x509/ssh keyid to be used when issuing certificates for a specific service and/or domain. However, this requires the system administrator to set this value. If the service admin wants to run some tests, they have no capability to request with a specific id. They have to ask the system admin to enable the option for a service, run some tests and then disable it if this was only for testing. Now, we're exposing the key id parameters for instance register and refresh and role certificate requests. With this requirement, the caller must specify the correct value.

Contribution Checklist:

  • The pull request does not introduce any breaking changes
  • I have read the contribution guidelines.
  • Create an issue and link to the pull request.

Attach Screenshots (Optional)

@gemini-code-assist (Contributor)

Summary of Changes

Hello @havetisyan, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces significant enhancements to the ZTS server's certificate issuance process by exposing X.509 and SSH key ID parameters in various instance and role certificate request operations. This change empowers service administrators to directly control which key ID is used for signing their certificates, thereby streamlining development and testing workflows that previously required manual intervention from system administrators. The updated logic ensures that the requested key ID is honored, while maintaining a robust fallback mechanism to existing service and domain-level configurations.

Highlights

  • Enhanced Certificate Request Control: Service administrators can now specify X.509 and SSH key IDs directly when requesting certificates, removing the need for system administrator intervention for testing or specific configurations.
  • API Expansion: New optional fields X509CertSignerKeyId and SshCertSignerKeyId have been added to RoleCertificateRequest, InstanceRefreshRequest, InstanceRegisterInformation, and InstanceRefreshInformation data models across Go and Java clients, and RDL definitions.
  • Key ID Resolution Logic: The ZTS server's logic for determining the certificate signer key ID has been updated to consider the requested key ID, falling back to service-specific, then domain-specific configurations if the requested ID is not provided or empty.
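The key ID resolution order described in the PR description and the highlights above (caller's requested ID first, then the service-level setting, then the domain-level setting), as an added Go example that is not Athenz's own ZTS code. The config struct, its field names, and the rule that a requested ID must name a key the signer actually holds are assumptions made for illustration; the page only states that the caller must supply the correct value.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrUnknownKeyID is returned when a caller asks for a key the signer does not hold.
var ErrUnknownKeyID = errors.New("unknown signer key id")

// SignerKeyConfig is an assumed shape for operator-configured signer key IDs.
// One instance would exist for x509 keys and another for ssh keys.
type SignerKeyConfig struct {
	KnownKeyIDs  map[string]bool   // key IDs the signer actually holds
	ServiceKeyID map[string]string // "domain.service" -> enforced key id
	DomainKeyID  map[string]string // "domain" -> enforced key id
}

// ResolveSignerKeyID picks the key to sign with: the requested value wins
// if present and known, otherwise the service setting, otherwise the domain
// setting. An empty result means "use the signer's default key".
func ResolveSignerKeyID(cfg SignerKeyConfig, domain, service, requested string) (string, error) {
	if requested != "" {
		// Never sign with an arbitrary caller-supplied ID: it must be configured.
		if !cfg.KnownKeyIDs[requested] {
			return "", fmt.Errorf("%w: %q", ErrUnknownKeyID, requested)
		}
		return requested, nil
	}
	if id := cfg.ServiceKeyID[domain+"."+service]; id != "" {
		return id, nil
	}
	if id := cfg.DomainKeyID[domain]; id != "" {
		return id, nil
	}
	return "", nil
}

// DemoConfig returns a constructed sample configuration (not real deployment data).
func DemoConfig() SignerKeyConfig {
	return SignerKeyConfig{
		KnownKeyIDs:  map[string]bool{"x509-test-key": true, "sports-api-key": true, "sports-key": true},
		ServiceKeyID: map[string]string{"sports.api": "sports-api-key"},
		DomainKeyID:  map[string]string{"sports": "sports-key"},
	}
}

func main() {
	cfg := DemoConfig()
	for _, req := range []string{"x509-test-key", "", "bogus-key"} {
		id, err := ResolveSignerKeyID(cfg, "sports", "api", req)
		fmt.Printf("requested=%q -> key=%q err=%v\n", req, id, err)
	}
}
```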

@gemini-code-assist (Contributor) bot left a comment

Code Review

This pull request successfully exposes x509/ssh key IDs for instance register/refresh and role certificate operations, enhancing testing capabilities for service admins. The changes across the Go and Java codebases are mostly well-implemented and consistent. I've identified a few opportunities for improvement, primarily around reducing code duplication in both Go validation logic and the new Java tests. Additionally, I've found a minor bug in one of the new tests that should be addressed.

@abvaidya abvaidya merged commit dc795aa into master Oct 8, 2025
9 of 10 checks passed
@abvaidya abvaidya deleted the keyid branch October 8, 2025 14:56


3 participants