// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.gkehub.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.GkeHub.V1";
option go_package = "cloud.google.com/go/gkehub/apiv1/gkehubpb;gkehubpb";
option java_multiple_files = true;
option java_outer_classname = "MembershipProto";
option java_package = "com.google.cloud.gkehub.v1";
option php_namespace = "Google\\Cloud\\GkeHub\\V1";
option ruby_package = "Google::Cloud::GkeHub::V1";

// Membership contains information about a member cluster.
//
// Field numbers, names and types below are a published wire contract and must
// not be renumbered or retyped. Field number 13 is not used in this message.
// NOTE(review): if 13 was ever assigned in an earlier revision it should be
// listed as `reserved` — confirm against the API history.
message Membership {
  option (google.api.resource) = {
    type: "gkehub.googleapis.com/Membership"
    pattern: "projects/{project}/locations/{location}/memberships/{membership}"
  };

  // Type of resource represented by this Membership.
  //
  // NOTE(review): `type` is a keyword or reserved word in several target
  // languages and produces awkward generated accessors; renaming the oneof
  // would be a source-breaking change on a published API, so it is left as is.
  oneof type {
    // Optional. Endpoint information to reach this member.
    MembershipEndpoint endpoint = 4 [(google.api.field_behavior) = OPTIONAL];
  }

  // Output only. The full, unique name of this Membership resource in the
  // format `projects/*/locations/*/memberships/{membership_id}`, set during
  // creation.
  //
  // `membership_id` must be a valid RFC 1123 compliant DNS label:
  //
  // 1. At most 63 characters in length
  // 2. It must consist of lower case alphanumeric characters or `-`
  // 3. It must start and end with an alphanumeric character
  //
  // Which can be expressed as the regex: `[a-z0-9]([-a-z0-9]*[a-z0-9])?`,
  // with a maximum length of 63 characters.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Labels for this membership.
  map<string, string> labels = 2 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Description of this membership, limited to 63 characters.
  // Must match the regex: `[a-zA-Z0-9][a-zA-Z0-9_\-\.\ ]*`
  //
  // This field is present for legacy purposes.
  string description = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. State of the Membership resource.
  MembershipState state = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. When the Membership was created.
  google.protobuf.Timestamp create_time = 6
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. When the Membership was last updated.
  google.protobuf.Timestamp update_time = 7
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. When the Membership was deleted.
  google.protobuf.Timestamp delete_time = 8
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. An externally-generated and managed ID for this Membership. This
  // ID may be modified after creation, but this is not recommended.
  //
  // The ID must match the regex: `[a-zA-Z0-9][a-zA-Z0-9_\-\.]*`
  //
  // If this Membership represents a Kubernetes cluster, this value should be
  // set to the UID of the `kube-system` namespace object.
  string external_id = 9 [(google.api.field_behavior) = OPTIONAL];

  // Output only. For clusters using Connect, the timestamp of the most recent
  // connection established with Google Cloud. This time is updated every
  // several minutes, not continuously. For clusters that do not use GKE
  // Connect, or that have never connected successfully, this field will be
  // unset.
  google.protobuf.Timestamp last_connection_time = 10
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Google-generated UUID for this resource. This is unique across
  // all Membership resources. If a Membership resource is deleted and another
  // resource with the same name is created, it gets a different unique_id.
  string unique_id = 11 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. How to identify workloads from this Membership.
  // See the documentation on Workload Identity for more details:
  // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
  //
  // Writing this field changes which OIDC issuer (or JWKS, see
  // `Authority.oidc_jwks`) is trusted to authenticate workloads in this
  // Membership's workload identity pool; treat updates to it as a privileged
  // change that should be recorded in audit logs.
  Authority authority = 12 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The monitoring config information for this membership.
  MonitoringConfig monitoring_config = 14
      [(google.api.field_behavior) = OPTIONAL];
}

// MembershipEndpoint contains information needed to contact a Kubernetes API
// endpoint and any additional Kubernetes metadata.
//
// NOTE(review): field numbers 4–7 are not used in this message; if they were
// ever assigned in an earlier revision they should be listed as `reserved` —
// confirm against the API history.
message MembershipEndpoint {
  // Optional. GKE-specific information. Only present if this Membership is a
  // GKE cluster.
  GkeCluster gke_cluster = 1 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Useful Kubernetes-specific metadata.
  KubernetesMetadata kubernetes_metadata = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The in-cluster Kubernetes Resources that should be applied for a
  // correctly registered cluster, in the steady state. These resources:
  //
  // * Ensure that the cluster is exclusively registered to one and only one
  //   Hub Membership.
  // * Propagate Workload Pool Information available in the Membership
  //   Authority field.
  // * Ensure proper initial configuration of default Hub Features.
  KubernetesResource kubernetes_resource = 3
      [(google.api.field_behavior) = OPTIONAL];

  // Output only. Whether the lifecycle of this membership is managed by a
  // google cluster platform service.
  bool google_managed = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// KubernetesResource contains the YAML manifests and configuration for
// Membership Kubernetes resources in the cluster. After CreateMembership or
// UpdateMembership, these resources should be re-applied in the cluster.
message KubernetesResource {
  // Input only. The YAML representation of the Membership CR. This field is
  // ignored for GKE clusters where Hub can read the CR directly.
  //
  // Callers should provide the CR that is currently present in the cluster
  // during CreateMembership or UpdateMembership, or leave this field empty if
  // none exists. The CR manifest is used to validate the cluster has not been
  // registered with another Membership.
  //
  // NOTE(review): this is caller-supplied YAML that the service parses, so it
  // sits at a trust boundary. The exclusivity check described above is only
  // as strong as the server-side validation of this manifest, which is not
  // visible from this schema.
  string membership_cr_manifest = 1 [(google.api.field_behavior) = INPUT_ONLY];

  // Output only. Additional Kubernetes resources that need to be applied to the
  // cluster after Membership creation, and after every update.
  //
  // This field is only populated in the Membership returned from a successful
  // long-running operation from CreateMembership or UpdateMembership. It is not
  // populated during normal GetMembership or ListMemberships requests. To get
  // the resource manifest after the initial registration, the caller should
  // make an UpdateMembership call with an empty field mask.
  repeated ResourceManifest membership_resources = 2
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The Kubernetes resources for installing the GKE Connect agent.
  //
  // This field is only populated in the Membership returned from a successful
  // long-running operation from CreateMembership or UpdateMembership. It is not
  // populated during normal GetMembership or ListMemberships requests. To get
  // the resource manifest after the initial registration, the caller should
  // make an UpdateMembership call with an empty field mask.
  repeated ResourceManifest connect_resources = 3
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Options for Kubernetes resource generation.
  ResourceOptions resource_options = 4 [(google.api.field_behavior) = OPTIONAL];
}

// ResourceOptions represent options for Kubernetes resource generation.
message ResourceOptions {
  // Optional. The Connect agent version to use for connect_resources. Defaults
  // to the latest GKE Connect version. The version must be a currently
  // supported version; obsolete versions will be rejected.
  string connect_version = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Use `apiextensions/v1beta1` instead of `apiextensions/v1` for
  // CustomResourceDefinition resources.
  // This option should be set for clusters with Kubernetes apiserver versions
  // <1.16.
  bool v1beta1_crd = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Major version of the Kubernetes cluster. This is only used to
  // determine which version to use for the CustomResourceDefinition resources,
  // `apiextensions/v1beta1` or `apiextensions/v1`.
  string k8s_version = 3 [(google.api.field_behavior) = OPTIONAL];
}

// ResourceManifest represents a single Kubernetes resource to be applied to
// the cluster.
//
// Manifests are produced by the service (see `KubernetesResource`) and applied
// to the cluster by the caller, which requires write access to that cluster;
// callers should apply only manifests obtained directly from the API response.
message ResourceManifest {
  // YAML manifest of the resource.
  string manifest = 1;

  // Whether the resource provided in the manifest is `cluster_scoped`.
  // If unset, the manifest is assumed to be namespace scoped.
  //
  // This field is used for REST mapping when applying the resource in a
  // cluster.
  bool cluster_scoped = 2;
}

// GkeCluster contains information specific to GKE clusters.
message GkeCluster {
  // Immutable. Self-link of the Google Cloud resource for the GKE cluster. For
  // example:
  //
  // //container.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster
  //
  // Zonal clusters are also supported.
  string resource_link = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. If cluster_missing is set then it denotes that the GKE cluster
  // no longer exists in the GKE Control Plane.
  bool cluster_missing = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// KubernetesMetadata provides informational metadata for Memberships
// representing Kubernetes clusters.
message KubernetesMetadata {
  // Output only. Kubernetes API server version string as reported by
  // `/version`.
  string kubernetes_api_server_version = 1
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Node providerID as reported by the first node in the list of
  // nodes on the Kubernetes endpoint. On Kubernetes platforms that support
  // zero-node clusters (like GKE-on-GCP), the node_count will be zero and the
  // node_provider_id will be empty.
  string node_provider_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Node count as reported by Kubernetes nodes resources.
  int32 node_count = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. vCPU count as reported by Kubernetes nodes resources.
  int32 vcpu_count = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The total memory capacity as reported by the sum of all
  // Kubernetes nodes resources, defined in MB.
  int32 memory_mb = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which these details were last updated. This
  // update_time is different from the Membership-level update_time since
  // EndpointDetails are updated internally for API consumers.
  //
  // The field number 100 is part of the published contract and must not be
  // "tidied" down into the 6–99 range.
  google.protobuf.Timestamp update_time = 100
      [(google.api.field_behavior) = OUTPUT_ONLY];
}

// MonitoringConfig informs Fleet-based applications/services/UIs with the
// necessary information for where each underlying Cluster reports its metrics.
message MonitoringConfig {
  // Immutable. Project used to report Metrics.
  string project_id = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Immutable. Location used to report Metrics.
  string location = 2 [(google.api.field_behavior) = IMMUTABLE];

  // Immutable. Cluster name used to report metrics.
  // For Anthos on VMWare/Baremetal, it would be in format
  // `memberClusters/cluster_name`; And for Anthos on MultiCloud, it would be in
  // format
  // `{azureClusters, awsClusters}/cluster_name`.
  string cluster = 3 [(google.api.field_behavior) = IMMUTABLE];

  // Kubernetes system metrics, if available, are written to this prefix.
  // This defaults to kubernetes.io for GKE, and kubernetes.io/anthos for Anthos
  // eventually. Note: Anthos MultiCloud will have kubernetes.io prefix today
  // but will migrate to be under kubernetes.io/anthos.
  string kubernetes_metrics_prefix = 4;

  // Immutable. Cluster hash, this is a unique string generated by google code,
  // which does not contain any PII, which we can use to reference the cluster.
  // This is expected to be created by the monitoring stack and persisted into
  // the Cluster object as well as to GKE-Hub.
  string cluster_hash = 5 [(google.api.field_behavior) = IMMUTABLE];
}

// MembershipState describes the state of a Membership resource.
message MembershipState {
  // Code describes the state of a Membership resource.
  //
  // NOTE(review): the values other than CODE_UNSPECIFIED are not prefixed with
  // the enum name; collisions are confined to the enclosing message, and
  // renaming them would be source-breaking on a published API, so they are
  // left as is. Receivers should tolerate values not listed here.
  enum Code {
    // The code is not set.
    CODE_UNSPECIFIED = 0;

    // The cluster is being registered.
    CREATING = 1;

    // The cluster is registered.
    READY = 2;

    // The cluster is being unregistered.
    DELETING = 3;

    // The Membership is being updated.
    UPDATING = 4;

    // The Membership is being updated by the Hub Service.
    SERVICE_UPDATING = 5;
  }

  // Output only. The current state of the Membership resource.
  Code code = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Authority encodes how Google will recognize identities from this Membership.
// See the workload identity documentation for more details:
// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
//
// Together, `issuer` and `oidc_jwks` define the trust anchor for Workload
// Identity on this Membership: whoever can write them decides which tokens are
// accepted in the workload identity pool.
message Authority {
  // Optional. A JSON Web Token (JWT) issuer URI. `issuer` must start with
  // `https://` and be a valid URL with length <2000 characters.
  //
  // If set, then Google will allow valid OIDC tokens from this issuer to
  // authenticate within the workload_identity_pool. OIDC discovery will be
  // performed on this URI to validate tokens from the issuer.
  //
  // Clearing `issuer` disables Workload Identity. `issuer` cannot be directly
  // modified; it must be cleared (and Workload Identity disabled) before using
  // a new issuer (and re-enabling Workload Identity).
  //
  // NOTE(review): discovery means the service fetches a caller-chosen URL;
  // the `https://` requirement is the only constraint visible here, so any
  // further restrictions on reachable hosts are enforced server-side, not by
  // this schema.
  string issuer = 1 [(google.api.field_behavior) = OPTIONAL];

  // Output only. The name of the workload identity pool in which `issuer` will
  // be recognized.
  //
  // There is a single Workload Identity Pool per Hub that is shared
  // between all Memberships that belong to that Hub. For a Hub hosted in
  // {PROJECT_ID}, the workload pool format is `{PROJECT_ID}.hub.id.goog`,
  // although this is subject to change in newer versions of this API.
  string workload_identity_pool = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. An identity provider that reflects the `issuer` in the
  // workload identity pool.
  string identity_provider = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. OIDC verification keys for this Membership in JWKS format (RFC
  // 7517).
  //
  // When this field is set, OIDC discovery will NOT be performed on `issuer`,
  // and instead OIDC tokens will be validated using this field.
  //
  // Because discovery is skipped, these keys are the sole verification keys:
  // rotating the issuer's signing keys requires updating this field, and a
  // stale value will reject tokens signed with the new keys. Public keys only
  // belong here; a JWKS document should never carry private key material.
  bytes oidc_jwks = 4 [(google.api.field_behavior) = OPTIONAL];
}