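syntax = "proto3";

package envoy.api.v2.core;

import "envoy/api/v2/core/base.proto";

import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";

import "udpa/annotations/migrate.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "GrpcServiceProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/api/v2/core";
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;

// [#protodoc-title: gRPC services]

// gRPC service configuration. This is used by :ref:`ApiConfigSource
// <envoy_api_msg_core.ApiConfigSource>` and filter configurations.
//
// Security note: several fields below carry bearer secrets (a client private
// key, a service-account JSON key, access/refresh/authorization tokens). Every
// field that holds such a secret is tagged ``(udpa.annotations.sensitive) = true``
// so that consumers which honour the annotation can redact it rather than
// echo it into dumps or logs. The annotation does not change the wire format,
// field numbers or generated API.
//
// NOTE(review): this package is marked FROZEN above. The added ``sensitive``
// tags on ``json_key``, ``authorization_token``, ``access_token`` and
// ``google_refresh_token`` are annotation-only; confirm the API freeze policy
// admits them here, otherwise carry the same fix in the ``envoy.config.core.v3``
// package named by ``file_migrate``.
// [#next-free-field: 6]
message GrpcService {
  // Envoy's in-built gRPC client, addressed by upstream cluster.
  message EnvoyGrpc {
    // The name of the upstream gRPC cluster. SSL credentials will be supplied
    // in the :ref:`Cluster <envoy_api_msg_Cluster>` :ref:`transport_socket
    // <envoy_api_field_Cluster.transport_socket>`; nothing in this message
    // configures transport security, so an unencrypted cluster yields an
    // unencrypted gRPC channel.
    string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
  }

  // Configuration for the Google C++ gRPC client.
  // [#next-free-field: 7]
  message GoogleGrpc {
    // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html.
    message SslCredentials {
      // PEM encoded server root certificates. Public material; not sensitive.
      DataSource root_certs = 1;

      // PEM encoded client private key. Secret: tagged sensitive so it can be
      // redacted by tooling that honours the annotation.
      DataSource private_key = 2 [(udpa.annotations.sensitive) = true];

      // PEM encoded client certificate chain. Public material; not sensitive.
      DataSource cert_chain = 3;
    }

    // Local channel credentials. Only UDS is supported for now.
    // See https://github.com/grpc/grpc/pull/15909.
    message GoogleLocalCredentials {
    }

    // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call
    // credential types.
    message ChannelCredentials {
      // Exactly one channel credential type must be chosen (``validate.required``).
      oneof credential_specifier {
        option (validate.required) = true;

        // TLS channel credentials (mutual TLS when private_key/cert_chain are set).
        SslCredentials ssl_credentials = 1;

        // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
        google.protobuf.Empty google_default = 2;

        // Local (UDS) credentials; no transport encryption is implied.
        GoogleLocalCredentials local_credentials = 3;
      }
    }

    // Per-call credentials composed on top of the channel credentials. Most
    // variants below carry a bearer secret and are tagged sensitive.
    // [#next-free-field: 8]
    message CallCredentials {
      message ServiceAccountJWTAccessCredentials {
        // Service-account JSON key. This document embeds a private key, so it
        // is a secret and is tagged sensitive.
        string json_key = 1 [(udpa.annotations.sensitive) = true];

        // Lifetime, in seconds, of the JWTs minted from ``json_key``. Shorter
        // lifetimes limit the blast radius of a leaked token.
        uint64 token_lifetime_seconds = 2;
      }

      message GoogleIAMCredentials {
        // Bearer authorization token. Secret; tagged sensitive.
        string authorization_token = 1 [(udpa.annotations.sensitive) = true];

        // IAM authority selector. Not a secret.
        string authority_selector = 2;
      }

      // Custom credentials supplied by a plugin registered under ``name``.
      message MetadataCredentialsFromPlugin {
        // Registered plugin name used to resolve the implementation.
        string name = 1;

        oneof config_type {
          // Deprecated untyped configuration; prefer ``typed_config``.
          google.protobuf.Struct config = 2 [deprecated = true];

          // Opaque plugin configuration. The ``type_url`` is only meaningful to
          // the plugin selected by ``name``; the plugin is responsible for any
          // secret it embeds here, since nothing in this schema marks the
          // payload sensitive.
          google.protobuf.Any typed_config = 3;
        }
      }

      // Security token service configuration that allows Google gRPC to
      // fetch security token from an OAuth 2.0 authorization server.
      // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and
      // https://github.com/grpc/grpc/pull/19587.
      // [#next-free-field: 10]
      message StsService {
        // URI of the token exchange service that handles token exchange requests.
        // No scheme or format validation is applied here. The subject token
        // (and actor token, if any) is presented to this endpoint, so it should
        // be an operator-controlled https URI; a plaintext or attacker-chosen
        // URI discloses those tokens.
        // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by
        // https://github.com/bufbuild/protoc-gen-validate/issues/303]
        string token_exchange_service_uri = 1;

        // Location of the target service or resource where the client
        // intends to use the requested security token.
        string resource = 2;

        // Logical name of the target service where the client intends to
        // use the requested security token.
        string audience = 3;

        // The desired scope of the requested security token in the
        // context of the service or resource where the token will be used.
        string scope = 4;

        // Type of the requested security token.
        string requested_token_type = 5;

        // The path of subject token, a security token that represents the
        // identity of the party on behalf of whom the request is being made.
        // Presumably a filesystem path read by the gRPC library at exchange
        // time (verify against the client implementation); the file should be
        // readable only by the proxy's user. Required (non-empty).
        string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}];

        // Type of the subject token. Required (non-empty).
        string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}];

        // The path of actor token, a security token that represents the identity
        // of the acting party. The acting party is authorized to use the
        // requested security token and act on behalf of the subject.
        // Same handling caveats as ``subject_token_path``; optional.
        string actor_token_path = 8;

        // Type of the actor token.
        string actor_token_type = 9;
      }

      // Exactly one call credential type must be chosen (``validate.required``).
      oneof credential_specifier {
        option (validate.required) = true;

        // Access token credentials. Bearer secret; tagged sensitive.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d.
        string access_token = 1 [(udpa.annotations.sensitive) = true];

        // Google Compute Engine credentials.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
        google.protobuf.Empty google_compute_engine = 2;

        // Google refresh token credentials. A refresh token is a long-lived
        // secret that mints access tokens; tagged sensitive.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c.
        string google_refresh_token = 3 [(udpa.annotations.sensitive) = true];

        // Service Account JWT Access credentials.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa.
        ServiceAccountJWTAccessCredentials service_account_jwt_access = 4;

        // Google IAM credentials.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0.
        GoogleIAMCredentials google_iam = 5;

        // Custom authenticator credentials.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.
        // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms.
        MetadataCredentialsFromPlugin from_plugin = 6;

        // Custom security token service which implements OAuth 2.0 token exchange.
        // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
        // See https://github.com/grpc/grpc/pull/19587.
        StsService sts_service = 7;
      }
    }

    // The target URI when using the `Google C++ gRPC client
    // <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in
    // :ref:`channel_credentials <envoy_api_field_core.GrpcService.GoogleGrpc.channel_credentials>`.
    // Only non-emptiness is validated here.
    string target_uri = 1 [(validate.rules).string = {min_bytes: 1}];

    // Channel (transport-level) credentials. Unset here means whatever the
    // selected ``credentials_factory_name`` decides.
    ChannelCredentials channel_credentials = 2;

    // A set of call credentials that can be composed with `channel credentials
    // <https://grpc.io/docs/guides/auth.html#credential-types>`_.
    repeated CallCredentials call_credentials = 3;

    // The human readable prefix to use when emitting statistics for the gRPC
    // service.
    //
    // .. csv-table::
    //   :header: Name, Type, Description
    //   :widths: 1, 1, 2
    //
    //   streams_total, Counter, Total number of streams opened
    //   streams_closed_<gRPC status code>, Counter, Total streams closed with <gRPC status code>
    string stat_prefix = 4 [(validate.rules).string = {min_bytes: 1}];

    // The name of the Google gRPC credentials factory to use. This must have been registered with
    // Envoy. If this is empty, a default credentials factory will be used that sets up channel
    // credentials based on other configuration parameters.
    string credentials_factory_name = 5;

    // Additional configuration for site-specific customizations of the Google
    // gRPC library. Untyped; nothing here is marked sensitive, so do not place
    // secrets in it.
    google.protobuf.Struct config = 6;
  }

  // Field number 4 was used previously and must not be reassigned.
  reserved 4;

  // Exactly one client implementation must be chosen (``validate.required``).
  oneof target_specifier {
    option (validate.required) = true;

    // Envoy's in-built gRPC client.
    // See the :ref:`gRPC services overview <arch_overview_grpc_services>`
    // documentation for discussion on gRPC client selection.
    EnvoyGrpc envoy_grpc = 1;

    // `Google C++ gRPC client <https://github.com/grpc/grpc>`_
    // See the :ref:`gRPC services overview <arch_overview_grpc_services>`
    // documentation for discussion on gRPC client selection.
    GoogleGrpc google_grpc = 2;
  }

  // The timeout for the gRPC request. This is the timeout for a specific
  // request. Unset presumably means no per-request deadline is applied —
  // verify against the client implementation before relying on it as a
  // resource-exhaustion guard.
  google.protobuf.Duration timeout = 3;

  // Additional metadata to include in streams initiated to the GrpcService.
  // This can be used for scenarios in which additional ad hoc authorization
  // headers (e.g. ``x-foo-bar: baz-key``) are to be injected.
  // ``HeaderValue`` is defined in ``base.proto``; whether its value is tagged
  // sensitive is not visible from this file, so treat any secret placed here
  // as potentially exposed in dumps, and note that it travels in the clear
  // unless the selected channel provides transport encryption.
  repeated HeaderValue initial_metadata = 5;
}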