// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.gkemulticloud.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/gkemulticloud/v1/common_resources.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.GkeMultiCloud.V1";
option go_package = "cloud.google.com/go/gkemulticloud/apiv1/gkemulticloudpb;gkemulticloudpb";
option java_multiple_files = true;
option java_outer_classname = "AttachedResourcesProto";
option java_package = "com.google.cloud.gkemulticloud.v1";
option php_namespace = "Google\\Cloud\\GkeMultiCloud\\V1";
option ruby_package = "Google::Cloud::GkeMultiCloud::V1";

// An Anthos cluster running on customer-owned infrastructure.
//
// Resource type `gkemulticloud.googleapis.com/AttachedCluster`. The cluster
// itself is not created by this API; an existing Kubernetes cluster is
// registered ("attached") and then managed through this resource.
message AttachedCluster {
  option (google.api.resource) = {
    type: "gkemulticloud.googleapis.com/AttachedCluster"
    pattern: "projects/{project}/locations/{location}/attachedClusters/{attached_cluster}"
  };

  // The lifecycle state of the cluster.
  //
  // Receivers should treat values they do not recognise as unknown rather
  // than failing, since new states may be added over time.
  enum State {
    // Not set.
    STATE_UNSPECIFIED = 0;

    // The PROVISIONING state indicates the cluster is being registered.
    PROVISIONING = 1;

    // The RUNNING state indicates the cluster has been registered and is
    // fully usable.
    RUNNING = 2;

    // The RECONCILING state indicates that some work is actively being done on
    // the cluster, such as upgrading software components.
    RECONCILING = 3;

    // The STOPPING state indicates the cluster is being de-registered.
    STOPPING = 4;

    // The ERROR state indicates the cluster is in a broken unrecoverable
    // state.
    ERROR = 5;

    // The DEGRADED state indicates the cluster requires user action to
    // restore full functionality.
    DEGRADED = 6;
  }

  // The name of this resource.
  //
  // Cluster names are formatted as
  // `projects/<project-number>/locations/<region>/attachedClusters/<cluster-id>`.
  //
  // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
  // for more details on Google Cloud Platform resource names.
  string name = 1;

  // Optional. A human readable description of this cluster.
  // Cannot be longer than 255 UTF-8 encoded bytes.
  string description = 2 [(google.api.field_behavior) = OPTIONAL];

  // Required. OpenID Connect (OIDC) configuration for the cluster.
  //
  // This is how Google Cloud validates the cluster's service account tokens;
  // see [AttachedOidcConfig][google.cloud.gkemulticloud.v1.AttachedOidcConfig].
  AttachedOidcConfig oidc_config = 3 [(google.api.field_behavior) = REQUIRED];

  // Required. The platform version for the cluster (e.g. `1.19.0-gke.1000`).
  //
  // You can list all supported versions on a given Google Cloud region by
  // calling
  // [GetAttachedServerConfig][google.cloud.gkemulticloud.v1.AttachedClusters.GetAttachedServerConfig].
  string platform_version = 4 [(google.api.field_behavior) = REQUIRED];

  // Required. The Kubernetes distribution of the underlying attached cluster.
  //
  // Supported values: ["eks", "aks", "generic"].
  string distribution = 16 [(google.api.field_behavior) = REQUIRED];

  // Output only. The region where this cluster runs.
  //
  // For EKS clusters, this is an AWS region. For AKS clusters,
  // this is an Azure region.
  string cluster_region = 22 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Fleet configuration.
  Fleet fleet = 5 [(google.api.field_behavior) = REQUIRED];

  // Output only. The current state of the cluster.
  State state = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A globally unique identifier for the cluster.
  string uid = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. If set, there are currently changes in flight to the cluster.
  bool reconciling = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this cluster was registered.
  google.protobuf.Timestamp create_time = 9
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this cluster was last updated.
  google.protobuf.Timestamp update_time = 10
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Allows clients to perform consistent read-modify-writes
  // through optimistic concurrency control.
  //
  // Can be sent on update and delete requests to ensure the
  // client has an up-to-date value before proceeding.
  string etag = 11;

  // Output only. The Kubernetes version of the cluster.
  string kubernetes_version = 12 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Annotations on the cluster.
  //
  // This field has the same restrictions as Kubernetes annotations.
  // The total size of all keys and values combined is limited to 256k.
  // Key can have 2 segments: prefix (optional) and name (required),
  // separated by a slash (/).
  // Prefix must be a DNS subdomain.
  // Name must be 63 characters or less, begin and end with alphanumerics,
  // with dashes (-), underscores (_), dots (.), and alphanumerics between.
  map<string, string> annotations = 13 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Workload Identity settings.
  WorkloadIdentityConfig workload_identity_config = 14
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Logging configuration for this cluster.
  LoggingConfig logging_config = 15 [(google.api.field_behavior) = OPTIONAL];

  // Output only. A set of errors found in the cluster.
  repeated AttachedClusterError errors = 20
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Configuration related to the cluster RBAC settings.
  //
  // Entries listed here are granted the `cluster-admin` ClusterRole; see
  // [AttachedClustersAuthorization][google.cloud.gkemulticloud.v1.AttachedClustersAuthorization].
  AttachedClustersAuthorization authorization = 21
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Monitoring configuration for this cluster.
  MonitoringConfig monitoring_config = 23
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Proxy configuration for outbound HTTP(S) traffic.
  AttachedProxyConfig proxy_config = 24
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Binary Authorization configuration for this cluster.
  BinaryAuthorization binary_authorization = 25
      [(google.api.field_behavior) = OPTIONAL];
}

// Configuration related to the cluster RBAC settings.
//
// Every subject listed in this message is bound to the Kubernetes
// `cluster-admin` ClusterRole through a managed ClusterRoleBinding, so each
// entry is a full administrative principal on the cluster.
message AttachedClustersAuthorization {
  // Optional. Users that can perform operations as a cluster admin. A managed
  // ClusterRoleBinding will be created to grant the `cluster-admin` ClusterRole
  // to the users. Up to ten admin users can be provided.
  //
  // For more info on RBAC, see
  // https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
  repeated AttachedClusterUser admin_users = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Groups of users that can perform operations as a cluster admin. A
  // managed ClusterRoleBinding will be created to grant the `cluster-admin`
  // ClusterRole to the groups. Up to ten admin groups can be provided.
  //
  // For more info on RBAC, see
  // https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
  repeated AttachedClusterGroup admin_groups = 2
      [(google.api.field_behavior) = OPTIONAL];
}

// Identities of a user-type subject for Attached clusters.
message AttachedClusterUser {
  // Required. The name of the user, e.g. `user@example.com`.
  string username = 1 [(google.api.field_behavior) = REQUIRED];
}

// Identities of a group-type subject for Attached clusters.
message AttachedClusterGroup {
  // Required. The name of the group, e.g. `group@example.com`.
  string group = 1 [(google.api.field_behavior) = REQUIRED];
}

// OIDC discovery information of the target cluster.
//
// Kubernetes Service Account (KSA) tokens are JWT tokens signed by the cluster
// API server. These fields indicate how Google Cloud Platform services
// validate KSA tokens in order to allow system workloads (such as GKE Connect
// and telemetry agents) to authenticate back to Google Cloud Platform.
//
// Both clusters with public and private issuer URLs are supported.
// Clusters with public issuers only need to specify the `issuer_url` field
// while clusters with private issuers need to provide both
// `issuer_url` and `jwks`.
message AttachedOidcConfig {
  // A JSON Web Token (JWT) issuer URI. `issuer_url` must start with
  // `https://`.
  //
  // This value is matched against the `iss` claim of the KSA tokens being
  // validated; a mismatch between the configured issuer and the cluster's
  // actual issuer causes token validation to fail.
  string issuer_url = 1;

  // Optional. OIDC verification keys in JWKS format (RFC 7517).
  // It contains a list of OIDC verification keys that can be used to verify
  // OIDC JWTs.
  //
  // This field is required for clusters that don't have a publicly available
  // discovery endpoint. When provided, it is used directly to verify the
  // OIDC JWTs asserted by the IdP, so the key set must be kept in sync with
  // the cluster's signing keys (e.g. after key rotation).
  bytes jwks = 2 [(google.api.field_behavior) = OPTIONAL];
}

// AttachedServerConfig provides information about supported
// Kubernetes versions.
//
// Resource type `gkemulticloud.googleapis.com/AttachedServerConfig`; there is
// one per project/location.
message AttachedServerConfig {
  option (google.api.resource) = {
    type: "gkemulticloud.googleapis.com/AttachedServerConfig"
    pattern: "projects/{project}/locations/{location}/attachedServerConfig"
  };

  // The resource name of the config.
  string name = 1;

  // List of valid platform versions.
  repeated AttachedPlatformVersionInfo valid_versions = 2;
}

// Information about a supported Attached Clusters platform version.
message AttachedPlatformVersionInfo {
  // Platform version name.
  string version = 1;
}

// AttachedClusterError describes errors found on attached clusters.
message AttachedClusterError {
  // Human-friendly description of the error.
  string message = 1;
}

// Details of a proxy config.
message AttachedProxyConfig {
  // The Kubernetes Secret resource that contains the HTTP(S) proxy
  // configuration. The secret must be a JSON encoded proxy configuration
  // as described in the Attached Clusters proxy configuration documentation
  // (the link was missing from the original comment; TODO restore it).
  //
  // Only the Secret's name and namespace are carried here; the proxy
  // configuration itself (which may include proxy credentials) stays in the
  // cluster and is never part of this resource.
  KubernetesSecret kubernetes_secret = 1;
}

// Information about a Kubernetes Secret.
//
// This is a reference only (name + namespace); the Secret's contents are not
// included.
message KubernetesSecret {
  // Name of the Kubernetes Secret.
  string name = 1;

  // Namespace in which the Kubernetes Secret is stored.
  string namespace = 2;
}