// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.gkemulticloud.v1;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/cloud/gkemulticloud/v1/common_resources.proto";
import "google/protobuf/timestamp.proto";
import "google/type/date.proto";

option csharp_namespace = "Google.Cloud.GkeMultiCloud.V1";
option go_package = "cloud.google.com/go/gkemulticloud/apiv1/gkemulticloudpb;gkemulticloudpb";
option java_multiple_files = true;
option java_outer_classname = "AwsResourcesProto";
option java_package = "com.google.cloud.gkemulticloud.v1";
option php_namespace = "Google\\Cloud\\GkeMultiCloud\\V1";
option ruby_package = "Google::Cloud::GkeMultiCloud::V1";

// An Anthos cluster running on AWS.
//
// This is a published v1 wire contract: the field numbers in this file
// identify fields on the wire and must never be renumbered or reused with a
// different meaning. Types such as `WorkloadIdentityConfig`, `Fleet`,
// `LoggingConfig`, `MonitoringConfig` and `BinaryAuthorization` are declared
// outside this file (presumably in the imported common_resources.proto).
//
// NOTE(review): field number 6 is unused in this message. If it was ever
// published, it should be listed as `reserved` so it cannot be reused.
message AwsCluster {
  option (google.api.resource) = {
    type: "gkemulticloud.googleapis.com/AwsCluster"
    pattern: "projects/{project}/locations/{location}/awsClusters/{aws_cluster}"
  };

  // The lifecycle state of the cluster.
  //
  // New values may be added over time; clients should treat a value they do
  // not recognize as "unknown" rather than failing.
  enum State {
    // Not set.
    STATE_UNSPECIFIED = 0;

    // The PROVISIONING state indicates the cluster is being created.
    PROVISIONING = 1;

    // The RUNNING state indicates the cluster has been created and is fully
    // usable.
    RUNNING = 2;

    // The RECONCILING state indicates that some work is actively being done on
    // the cluster, such as upgrading the control plane replicas.
    RECONCILING = 3;

    // The STOPPING state indicates the cluster is being deleted.
    STOPPING = 4;

    // The ERROR state indicates the cluster is in a broken unrecoverable
    // state.
    ERROR = 5;

    // The DEGRADED state indicates the cluster requires user action to
    // restore full functionality.
    DEGRADED = 6;
  }

  // The name of this resource.
  //
  // Cluster names are formatted as
  // `projects/<project-number>/locations/<region>/awsClusters/<cluster-id>`.
  //
  // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
  // for more details on Google Cloud Platform resource names.
  string name = 1;

  // Optional. A human readable description of this cluster.
  // Cannot be longer than 255 UTF-8 encoded bytes.
  string description = 2 [(google.api.field_behavior) = OPTIONAL];

  // Required. Cluster-wide networking configuration.
  AwsClusterNetworking networking = 3 [(google.api.field_behavior) = REQUIRED];

  // Required. The AWS region where the cluster runs.
  //
  // Each Google Cloud region supports a subset of nearby AWS regions.
  // You can call
  // [GetAwsServerConfig][google.cloud.gkemulticloud.v1.AwsClusters.GetAwsServerConfig]
  // to list all supported AWS regions within a given Google Cloud region.
  string aws_region = 4 [(google.api.field_behavior) = REQUIRED];

  // Required. Configuration related to the cluster control plane.
  AwsControlPlane control_plane = 5 [(google.api.field_behavior) = REQUIRED];

  // Required. Configuration related to the cluster RBAC settings.
  //
  // Every subject listed in
  // [AwsAuthorization][google.cloud.gkemulticloud.v1.AwsAuthorization] is
  // granted the Kubernetes `cluster-admin` ClusterRole, i.e. unrestricted
  // access to the cluster. Keep the lists minimal and review changes to them
  // as privileged operations.
  AwsAuthorization authorization = 15 [(google.api.field_behavior) = REQUIRED];

  // Output only. The current state of the cluster.
  State state = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The endpoint of the cluster's API server.
  //
  // Clients connecting to this endpoint should verify the server against
  // [cluster_ca_certificate][google.cloud.gkemulticloud.v1.AwsCluster.cluster_ca_certificate]
  // rather than disabling TLS verification.
  string endpoint = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A globally unique identifier for the cluster.
  //
  // Prefer this over `name` when correlating audit records: presumably a
  // cluster re-created under the same `name` receives a new uid — verify
  // before relying on that.
  string uid = 9 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. If set, there are currently changes in flight to the cluster.
  bool reconciling = 10 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this cluster was created.
  google.protobuf.Timestamp create_time = 11
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this cluster was last updated.
  google.protobuf.Timestamp update_time = 12
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Allows clients to perform consistent read-modify-writes
  // through optimistic concurrency control.
  //
  // Can be sent on update and delete requests to ensure the
  // client has an up-to-date value before proceeding. Send the value observed
  // on the most recent read; omitting it gives up the protection against
  // silently overwriting a concurrent change.
  string etag = 13;

  // Optional. Annotations on the cluster.
  //
  // This field has the same restrictions as Kubernetes annotations.
  // The total size of all keys and values combined is limited to 256k.
  // Key can have 2 segments: prefix (optional) and name (required),
  // separated by a slash (/).
  // Prefix must be a DNS subdomain.
  // Name must be 63 characters or less, begin and end with alphanumerics,
  // with dashes (-), underscores (_), dots (.), and alphanumerics between.
  //
  // NOTE(review): annotations are free-form metadata, not a secret store; do
  // not place credentials or other sensitive values here.
  map<string, string> annotations = 14 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Workload Identity settings.
  WorkloadIdentityConfig workload_identity_config = 16
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. PEM encoded x509 certificate of the cluster root of trust.
  //
  // This is the trust anchor for the API server at
  // [endpoint][google.cloud.gkemulticloud.v1.AwsCluster.endpoint]; pin it in
  // kubeconfigs and client code instead of skipping certificate verification.
  string cluster_ca_certificate = 17
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Required. Fleet configuration.
  Fleet fleet = 18 [(google.api.field_behavior) = REQUIRED];

  // Optional. Logging configuration for this cluster.
  LoggingConfig logging_config = 19 [(google.api.field_behavior) = OPTIONAL];

  // Output only. A set of errors found in the cluster.
  repeated AwsClusterError errors = 20
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Monitoring configuration for this cluster.
  MonitoringConfig monitoring_config = 21
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Binary Authorization configuration for this cluster.
  BinaryAuthorization binary_authorization = 22
      [(google.api.field_behavior) = OPTIONAL];
}

// ControlPlane defines common parameters between control plane nodes.
//
// NOTE(review): field numbers 3, 6, 13 and 15 are unused in this message. If
// any of them was ever published, it should be listed as `reserved`.
message AwsControlPlane {
  // Required. The Kubernetes version to run on control plane replicas
  // (e.g. `1.19.10-gke.1000`).
  //
  // You can list all supported versions on a given Google Cloud region by
  // calling
  // [GetAwsServerConfig][google.cloud.gkemulticloud.v1.AwsClusters.GetAwsServerConfig].
  // Check the `end_of_life` flag of the returned
  // [AwsK8sVersionInfo][google.cloud.gkemulticloud.v1.AwsK8sVersionInfo]
  // before choosing a version: end-of-life versions no longer receive
  // security fixes.
  string version = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. The AWS instance type.
  //
  // When unspecified, it uses a default based on the cluster's version.
  string instance_type = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. SSH configuration for how to access the underlying control plane
  // machines.
  //
  // Whoever holds the private half of the configured EC2 key pair can log in
  // to the machines that store the cluster's etcd state (see `main_volume`).
  // Omit this field unless break-glass host access is genuinely required.
  AwsSshConfig ssh_config = 14 [(google.api.field_behavior) = OPTIONAL];

  // Required. The list of subnets where control plane replicas will run.
  // A replica will be provisioned on each subnet and up to three values
  // can be provided.
  // Each subnet must be in a different AWS Availability Zone (AZ).
  repeated string subnet_ids = 4 [(google.api.field_behavior) = REQUIRED];

  // Optional. The IDs of additional security groups to add to control plane
  // replicas. The Anthos Multi-Cloud API will automatically create and manage
  // security groups with the minimum rules needed for a functioning cluster.
  //
  // Groups listed here are added on top of the managed minimum, so every rule
  // they carry widens the control plane's exposure; review them accordingly.
  repeated string security_group_ids = 5
      [(google.api.field_behavior) = OPTIONAL];

  // Required. The name or ARN of the AWS IAM instance profile to assign to each
  // control plane replica.
  //
  // NOTE(review): the permissions of this profile's role are presumably
  // reachable by anything running on the control plane hosts; scope them to
  // what the control plane needs.
  string iam_instance_profile = 7 [(google.api.field_behavior) = REQUIRED];

  // Optional. Configuration related to the root volume provisioned for each
  // control plane replica.
  //
  // Volumes will be provisioned in the availability zone associated
  // with the corresponding subnet.
  //
  // When unspecified, it defaults to 32 GiB with the GP2 volume type.
  AwsVolumeTemplate root_volume = 8 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Configuration related to the main volume provisioned for each
  // control plane replica.
  // The main volume is in charge of storing all of the cluster's etcd state.
  //
  // Volumes will be provisioned in the availability zone associated
  // with the corresponding subnet.
  //
  // When unspecified, it defaults to 8 GiB with the GP2 volume type.
  // Because this volume holds etcd, consider setting the template's
  // `kms_key_arn` to a customer managed key rather than relying on the
  // default AWS managed key.
  AwsVolumeTemplate main_volume = 9 [(google.api.field_behavior) = OPTIONAL];

  // Required. The ARN of the AWS KMS key used to encrypt cluster secrets.
  AwsDatabaseEncryption database_encryption = 10
      [(google.api.field_behavior) = REQUIRED];

  // Optional. A set of AWS resource tags to propagate to all underlying managed
  // AWS resources.
  //
  // Specify at most 50 pairs containing alphanumerics, spaces, and symbols
  // (.+-=_:@/). Keys can be up to 127 Unicode characters. Values can be up to
  // 255 Unicode characters.
  map<string, string> tags = 11 [(google.api.field_behavior) = OPTIONAL];

  // Required. Authentication configuration for management of AWS resources.
  AwsServicesAuthentication aws_services_authentication = 12
      [(google.api.field_behavior) = REQUIRED];

  // Optional. Proxy configuration for outbound HTTP(S) traffic.
  AwsProxyConfig proxy_config = 16 [(google.api.field_behavior) = OPTIONAL];

  // Required. Config encryption for user data.
  AwsConfigEncryption config_encryption = 17
      [(google.api.field_behavior) = REQUIRED];

  // Optional. The placement to use on control plane instances.
  // When unspecified, the VPC's default tenancy will be used.
  AwsInstancePlacement instance_placement = 18
      [(google.api.field_behavior) = OPTIONAL];
}

// Authentication configuration for the management of AWS resources.
message AwsServicesAuthentication {
  // Required. The Amazon Resource Name (ARN) of the role that the Anthos
  // Multi-Cloud API will assume when managing AWS resources on your account.
  //
  // NOTE(review): this role is the blast radius of the integration — its
  // trust policy decides who may assume it and its permission policy decides
  // what can be done in the account. Limit both to what cluster management
  // needs and alert on changes to either.
  string role_arn = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. An identifier for the assumed role session.
  //
  // When unspecified, it defaults to `multicloud-service-agent`.
  // Presumably this name is what appears in the AWS audit trail for actions
  // taken under the assumed role, so a distinctive value aids attribution —
  // verify against your CloudTrail records.
  string role_session_name = 2 [(google.api.field_behavior) = OPTIONAL];
}

// Configuration related to the cluster RBAC settings.
//
// Both lists below confer `cluster-admin`, the most privileged built-in
// Kubernetes ClusterRole.
message AwsAuthorization {
  // Optional. Users that can perform operations as a cluster admin. A managed
  // ClusterRoleBinding will be created to grant the `cluster-admin` ClusterRole
  // to the users. Up to ten admin users can be provided.
  //
  // For more info on RBAC, see
  // https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
  repeated AwsClusterUser admin_users = 1
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Groups of users that can perform operations as a cluster admin. A
  // managed ClusterRoleBinding will be created to grant the `cluster-admin`
  // ClusterRole to the groups. Up to ten admin groups can be provided.
  //
  // Group membership is not represented in this API; it is resolved by
  // whatever identity system the group name refers to, so the owners of that
  // group effectively control who is cluster admin.
  //
  // For more info on RBAC, see
  // https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
  repeated AwsClusterGroup admin_groups = 2
      [(google.api.field_behavior) = OPTIONAL];
}

// Identities of a user-type subject for AWS clusters.
message AwsClusterUser {
  // Required. The name of the user, e.g. `user@example.com`.
  string username = 1 [(google.api.field_behavior) = REQUIRED];
}

// Identities of a group-type subject for AWS clusters.
message AwsClusterGroup {
  // Required. The name of the group, e.g. `group@example.com`.
  string group = 1 [(google.api.field_behavior) = REQUIRED];
}

// Configuration related to application-layer secrets encryption.
message AwsDatabaseEncryption {
  // Required. The ARN of the AWS KMS key used to encrypt cluster secrets.
  //
  // NOTE(review): cluster secrets are only readable while this key is usable;
  // disabling, deleting or restricting access to the key presumably breaks
  // the cluster. Protect it with a key policy and deletion safeguards.
  string kms_key_arn = 1 [(google.api.field_behavior) = REQUIRED];
}

// Configuration template for AWS EBS volumes.
message AwsVolumeTemplate {
  // Types of supported EBS volumes. We currently only support GP2 or GP3
  // volumes.
  // See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
  // for more information.
  enum VolumeType {
    // Not set.
    VOLUME_TYPE_UNSPECIFIED = 0;

    // GP2 (General Purpose SSD volume type).
    GP2 = 1;

    // GP3 (General Purpose SSD volume type).
    GP3 = 2;
  }

  // Optional. The size of the volume, in GiBs.
  //
  // When unspecified, a default value is provided. See the specific reference
  // in the parent resource.
  int32 size_gib = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Type of the EBS volume.
  //
  // When unspecified, it defaults to GP2 volume.
  VolumeType volume_type = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The number of I/O operations per second (IOPS) to provision for
  // GP3 volume.
  int32 iops = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The throughput that the volume supports, in MiB/s. Only valid if
  // volume_type is GP3.
  //
  // If the volume_type is GP3 and this is not specified, it defaults to 125.
  int32 throughput = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The Amazon Resource Name (ARN) of the Customer Managed Key (CMK)
  // used to encrypt AWS EBS volumes.
  //
  // If not specified, the default Amazon managed key associated to
  // the AWS region where this cluster runs will be used.
  // Set this when you need control over the key's policy, rotation or audit
  // trail (for example for the control plane's etcd volume).
  string kms_key_arn = 4 [(google.api.field_behavior) = OPTIONAL];
}

// ClusterNetworking defines cluster-wide networking configuration.
//
// Anthos clusters on AWS run on a single VPC. This includes control
// plane replicas and node pool nodes.
//
// NOTE(review): field number 4 is unused in this message. If it was ever
// published, it should be listed as `reserved`.
message AwsClusterNetworking {
  // Required. The VPC associated with the cluster. All component clusters
  // (i.e. control plane and node pools) run on a single VPC.
  //
  // This field cannot be changed after creation.
  string vpc_id = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. All pods in the cluster are assigned an IPv4 address from these
  // ranges. Only a single range is supported. This field cannot be changed
  // after creation.
  repeated string pod_address_cidr_blocks = 2
      [(google.api.field_behavior) = REQUIRED];

  // Required. All services in the cluster are assigned an IPv4 address from
  // these ranges. Only a single range is supported. This field cannot be
  // changed after creation.
  repeated string service_address_cidr_blocks = 3
      [(google.api.field_behavior) = REQUIRED];

  // Optional. Disable the per node pool subnet security group rules on the
  // control plane security group. When set to true, you must also provide one
  // or more security groups that ensure node pools are able to send requests to
  // the control plane on TCP/443 and TCP/8132. Failure to do so may result in
  // unavailable node pools.
  //
  // Setting this only removes the managed per-subnet rules; the replacement
  // rules you attach through the control plane's `security_group_ids` are
  // what determine the resulting exposure. It is not a hardening switch on
  // its own.
  bool per_node_pool_sg_rules_disabled = 5
      [(google.api.field_behavior) = OPTIONAL];
}

// An Anthos node pool running on AWS.
//
// NOTE(review): field numbers 2, 4, 5, 7-15, 23, 24, 26 and 31 are unused in
// this message. Any of them that was ever published should be listed as
// `reserved` so it cannot be reused with a different meaning.
message AwsNodePool {
  option (google.api.resource) = {
    type: "gkemulticloud.googleapis.com/AwsNodePool"
    pattern: "projects/{project}/locations/{location}/awsClusters/{aws_cluster}/awsNodePools/{aws_node_pool}"
  };

  // The lifecycle state of the node pool.
  //
  // New values may be added over time; clients should treat a value they do
  // not recognize as "unknown" rather than failing.
  enum State {
    // Not set.
    STATE_UNSPECIFIED = 0;

    // The PROVISIONING state indicates the node pool is being created.
    PROVISIONING = 1;

    // The RUNNING state indicates the node pool has been created
    // and is fully usable.
    RUNNING = 2;

    // The RECONCILING state indicates that the node pool is being reconciled.
    RECONCILING = 3;

    // The STOPPING state indicates the node pool is being deleted.
    STOPPING = 4;

    // The ERROR state indicates the node pool is in a broken unrecoverable
    // state.
    ERROR = 5;

    // The DEGRADED state indicates the node pool requires user action to
    // restore full functionality.
    DEGRADED = 6;
  }

  // The name of this resource.
  //
  // Node pool names are formatted as
  // `projects/<project-number>/locations/<region>/awsClusters/<cluster-id>/awsNodePools/<node-pool-id>`.
  //
  // For more details on Google Cloud resource names,
  // see [Resource Names](https://cloud.google.com/apis/design/resource_names)
  string name = 1;

  // Required. The Kubernetes version to run on this node pool (e.g.
  // `1.19.10-gke.1000`).
  //
  // You can list all supported versions on a given Google Cloud region by
  // calling
  // [GetAwsServerConfig][google.cloud.gkemulticloud.v1.AwsClusters.GetAwsServerConfig].
  // As with the control plane, avoid versions whose
  // [AwsK8sVersionInfo][google.cloud.gkemulticloud.v1.AwsK8sVersionInfo]
  // reports `end_of_life`.
  string version = 3 [(google.api.field_behavior) = REQUIRED];

  // Required. The configuration of the node pool.
  AwsNodeConfig config = 28 [(google.api.field_behavior) = REQUIRED];

  // Required. Autoscaler configuration for this node pool.
  AwsNodePoolAutoscaling autoscaling = 25
      [(google.api.field_behavior) = REQUIRED];

  // Required. The subnet where the node pool nodes run.
  string subnet_id = 6 [(google.api.field_behavior) = REQUIRED];

  // Output only. The lifecycle state of the node pool.
  State state = 16 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. A globally unique identifier for the node pool.
  string uid = 17 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. If set, there are currently changes in flight to the node
  // pool.
  bool reconciling = 18 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this node pool was created.
  google.protobuf.Timestamp create_time = 19
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which this node pool was last updated.
  google.protobuf.Timestamp update_time = 20
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Allows clients to perform consistent read-modify-writes
  // through optimistic concurrency control.
  //
  // Can be sent on update and delete requests to ensure the
  // client has an up-to-date value before proceeding. Send the value observed
  // on the most recent read; omitting it gives up the protection against
  // silently overwriting a concurrent change.
  string etag = 21;

  // Optional. Annotations on the node pool.
  //
  // This field has the same restrictions as Kubernetes annotations.
  // The total size of all keys and values combined is limited to 256k.
  // Key can have 2 segments: prefix (optional) and name (required),
  // separated by a slash (/).
  // Prefix must be a DNS subdomain.
  // Name must be 63 characters or less, begin and end with alphanumerics,
  // with dashes (-), underscores (_), dots (.), and alphanumerics between.
  //
  // NOTE(review): annotations are free-form metadata, not a secret store; do
  // not place credentials or other sensitive values here.
  map<string, string> annotations = 22 [(google.api.field_behavior) = OPTIONAL];

  // Required. The constraint on the maximum number of pods that can be run
  // simultaneously on a node in the node pool.
  MaxPodsConstraint max_pods_constraint = 27
      [(google.api.field_behavior) = REQUIRED];

  // Output only. A set of errors found in the node pool.
  repeated AwsNodePoolError errors = 29
      [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The Management configuration for this node pool.
  AwsNodeManagement management = 30 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Update settings control the speed and disruption of the update.
  UpdateSettings update_settings = 32 [(google.api.field_behavior) = OPTIONAL];
}

// UpdateSettings control the level of parallelism and the level of
// disruption caused during the update of a node pool.
//
// These settings are applicable when the node pool update requires replacing
// the existing node pool nodes with the updated ones.
//
// UpdateSettings are optional. When UpdateSettings are not specified during the
// node pool creation, a default is chosen based on the parent cluster's
// version. For clusters with minor version 1.27 and later, a default
// surge_settings configuration with max_surge = 1 and max_unavailable = 0 is
// used. For clusters with older versions, node pool updates use the traditional
// rolling update mechanism of updating one node at a time in a
// "terminate before create" fashion and update_settings is not applicable.
//
// Set the surge_settings parameter to use the Surge Update mechanism for
// the rolling update of node pool nodes.
// 1. max_surge controls the number of additional nodes that can be created
// beyond the current size of the node pool temporarily for the time of the
// update to increase the number of available nodes.
// 2. max_unavailable controls the number of nodes that can be simultaneously
// unavailable during the update.
// 3. (max_surge + max_unavailable) determines the level of parallelism (i.e.,
// the number of nodes being updated at the same time).
message UpdateSettings {
  // Optional. Settings for surge update.
  SurgeSettings surge_settings = 1 [(google.api.field_behavior) = OPTIONAL];
}

// SurgeSettings contains the parameters for Surge update.
//
// Both fields are plain int32 with implicit presence: an unset field and an
// explicit 0 are indistinguishable on the wire.
message SurgeSettings {
  // Optional. The maximum number of nodes that can be created beyond the
  // current size of the node pool during the update process.
  int32 max_surge = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The maximum number of nodes that can be simultaneously
  // unavailable during the update process. A node is considered unavailable if
  // its status is not Ready.
  int32 max_unavailable = 2 [(google.api.field_behavior) = OPTIONAL];
}

// AwsNodeManagement defines the set of node management features turned on for
// an AWS node pool.
message AwsNodeManagement {
  // Optional. Whether or not the nodes will be automatically repaired. When set
  // to true, the nodes in this node pool will be monitored and if they fail
  // health checks consistently over a period of time, an automatic repair
  // action will be triggered to replace them with new nodes.
  bool auto_repair = 1 [(google.api.field_behavior) = OPTIONAL];
}

// Parameters that describe the nodes in a cluster.
//
// `NodeTaint` is declared outside this file (presumably in the imported
// common_resources.proto).
//
// NOTE(review): field numbers 7 and 8 are unused in this message. If either
// was ever published, it should be listed as `reserved`.
message AwsNodeConfig {
  // Optional. The EC2 instance type when creating on-Demand instances.
  //
  // If unspecified during node pool creation, a default will be chosen based on
  // the node pool version, and assigned to this field.
  string instance_type = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Template for the root volume provisioned for node pool nodes.
  // Volumes will be provisioned in the availability zone assigned
  // to the node pool subnet.
  //
  // When unspecified, it defaults to 32 GiB with the GP2 volume type.
  AwsVolumeTemplate root_volume = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The initial taints assigned to nodes of this node pool.
  repeated NodeTaint taints = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The initial labels assigned to nodes of this node pool. An object
  // containing a list of "key": value pairs. Example: { "name": "wrench",
  // "mass": "1.3kg", "count": "3" }.
  map<string, string> labels = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Key/value metadata to assign to each underlying AWS resource.
  // Specify at most 50 pairs containing alphanumerics, spaces, and symbols
  // (.+-=_:@/). Keys can be up to 127 Unicode characters. Values can be up to
  // 255 Unicode characters.
  map<string, string> tags = 5 [(google.api.field_behavior) = OPTIONAL];

  // Required. The name or ARN of the AWS IAM instance profile (and thereby the
  // IAM role) assigned to nodes in the pool.
  //
  // NOTE(review): any pod on the node that can reach the instance metadata
  // service can presumably use this role's permissions. Keep them minimal
  // and prefer workload identity for application access to AWS.
  string iam_instance_profile = 6 [(google.api.field_behavior) = REQUIRED];

  // Optional. The OS image type to use on node pool instances.
  // Can be unspecified, or have a value of `ubuntu`.
  //
  // When unspecified, it defaults to `ubuntu`.
  string image_type = 11 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The SSH configuration.
  //
  // Grants host-level login to the nodes to whoever holds the private half of
  // the configured EC2 key pair; omit unless break-glass access is required.
  AwsSshConfig ssh_config = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The IDs of additional security groups to add to nodes in this
  // pool. The manager will automatically create security groups with minimum
  // rules needed for a functioning cluster.
  //
  // Groups listed here are added on top of the managed minimum; every rule
  // they carry widens the nodes' exposure.
  repeated string security_group_ids = 10
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Proxy configuration for outbound HTTP(S) traffic.
  AwsProxyConfig proxy_config = 12 [(google.api.field_behavior) = OPTIONAL];

  // Required. Config encryption for user data.
  AwsConfigEncryption config_encryption = 13
      [(google.api.field_behavior) = REQUIRED];

  // Optional. Placement related info for this node.
  // When unspecified, the VPC's default tenancy will be used.
  AwsInstancePlacement instance_placement = 14
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Configuration related to CloudWatch metrics collection on the
  // Auto Scaling group of the node pool.
  //
  // When unspecified, metrics collection is disabled.
  AwsAutoscalingGroupMetricsCollection autoscaling_metrics_collection = 15
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. Configuration for provisioning EC2 Spot instances
  //
  // When specified, the node pool will provision Spot instances from the set
  // of spot_config.instance_types.
  // This field is mutually exclusive with `instance_type`.
  SpotConfig spot_config = 16 [(google.api.field_behavior) = OPTIONAL];
}

// AwsNodePoolAutoscaling contains information required by cluster autoscaler
// to adjust the size of the node pool to the current cluster usage.
message AwsNodePoolAutoscaling {
  // Required. Minimum number of nodes in the node pool. Must be greater than or
  // equal to 1 and less than or equal to max_node_count.
  int32 min_node_count = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Maximum number of nodes in the node pool. Must be greater than or
  // equal to min_node_count and less than or equal to 50.
  int32 max_node_count = 2 [(google.api.field_behavior) = REQUIRED];
}

// AwsOpenIdConfig is an OIDC discovery document for the cluster.
// See the OpenID Connect Discovery 1.0 specification for details.
//
// Relying parties validating tokens issued by the cluster should check the
// token's issuer against `issuer` and obtain the signing keys from
// `jwks_uri` (see
// [AwsJsonWebKeys][google.cloud.gkemulticloud.v1.AwsJsonWebKeys]); they must
// not accept a token whose signing algorithm is outside
// `id_token_signing_alg_values_supported`.
message AwsOpenIdConfig {
  // OIDC Issuer.
  string issuer = 1;

  // JSON Web Key uri.
  string jwks_uri = 2;

  // Supported response types.
  repeated string response_types_supported = 3;

  // Supported subject types.
  repeated string subject_types_supported = 4;

  // Supported ID Token signing algorithms.
  repeated string id_token_signing_alg_values_supported = 5;

  // Supported claims.
  repeated string claims_supported = 6;

  // Supported grant types.
  repeated string grant_types = 7;
}

// AwsJsonWebKeys is a valid JSON Web Key Set as specified in RFC 7517.
//
// `Jwk` is declared outside this file (presumably in the imported
// common_resources.proto).
message AwsJsonWebKeys {
  // The public component of the keys used by the cluster to sign token
  // requests.
  //
  // Only public material is carried here; verifiers should select the key by
  // the token's key id and re-fetch the set when an unknown id is seen, since
  // the cluster's keys can presumably rotate.
  repeated Jwk keys = 1;
}

// AwsServerConfig is the configuration of GKE cluster on AWS.
message AwsServerConfig {
  option (google.api.resource) = {
    type: "gkemulticloud.googleapis.com/AwsServerConfig"
    pattern: "projects/{project}/locations/{location}/awsServerConfig"
  };

  // The resource name of the config.
  string name = 1;

  // List of all released Kubernetes versions, including ones which are end of
  // life and can no longer be used. Filter by the `enabled`
  // property to limit to currently available versions, and by `end_of_life`
  // to exclude versions that no longer receive security fixes. Versions are
  // valid for both create and update operations.
  repeated AwsK8sVersionInfo valid_versions = 2;

  // The list of supported AWS regions.
  repeated string supported_aws_regions = 3;
}

// Kubernetes version information of GKE cluster on AWS.
//
// NOTE(review): field number 2 is unused in this message. If it was ever
// published, it should be listed as `reserved`.
message AwsK8sVersionInfo {
  // Kubernetes version name.
  string version = 1;

  // Optional. True if the version is available for cluster creation. If a
  // version is enabled for creation, it can be used to create new clusters.
  // Otherwise, cluster creation will fail. However, cluster upgrade operations
  // may succeed, even if the version is not enabled.
  bool enabled = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. True if this cluster version belongs to a minor version that has
  // reached its end of life and is no longer in scope to receive security and
  // bug fixes.
  //
  // Clusters and node pools still on such a version carry unpatched,
  // publicly known vulnerabilities; treat this flag as an upgrade trigger.
  bool end_of_life = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The estimated date (in Pacific Time) when this cluster version
  // will reach its end of life. Or if this version is no longer supported (the
  // `end_of_life` field is true), this is the actual date (in Pacific time)
  // when the version reached its end of life.
  google.type.Date end_of_life_date = 5
      [(google.api.field_behavior) = OPTIONAL];

  // Optional. The date (in Pacific Time) when the cluster version was released.
  google.type.Date release_date = 6 [(google.api.field_behavior) = OPTIONAL];
}

// SSH configuration for AWS resources.
message AwsSshConfig {
  // Required. The name of the EC2 key pair used to log in to cluster machines.
  //
  // The private key is managed entirely outside this API; its holders have
  // host-level access to every machine the key pair is configured on.
  string ec2_key_pair = 1 [(google.api.field_behavior) = REQUIRED];
}

// Details of a proxy config stored in AWS Secret Manager.
message AwsProxyConfig {
  // The ARN of the AWS Secret Manager secret that contains the HTTP(S) proxy
  // configuration.
  //
  // The secret must be a JSON encoded proxy configuration
  // as described in
  // https://cloud.google.com/anthos/clusters/docs/multi-cloud/aws/how-to/use-a-proxy#create_a_proxy_configuration_file
  //
  // NOTE(review): if the proxy configuration embeds credentials, read access
  // to this secret is equivalent to holding them — restrict it accordingly.
  string secret_arn = 1;

  // The version string of the AWS Secret Manager secret that contains the
  // HTTP(S) proxy configuration.
  //
  // Pinning a specific version means a later change to the secret is not
  // picked up until this field is updated — presumably intentional, but
  // remember to bump it when rotating the proxy credentials.
  string secret_version = 2;
}

// Config encryption for user data.
message AwsConfigEncryption {
  // Required. The ARN of the AWS KMS key used to encrypt user data.
  string kms_key_arn = 1 [(google.api.field_behavior) = REQUIRED];
}

// Details of placement information for an instance.
// Limitations for using the `host` tenancy:
//
// * T3 instances that use the unlimited CPU credit option don't support host
//   tenancy.
message AwsInstancePlacement {
  // Tenancy defines how EC2 instances are distributed across physical hardware.
  enum Tenancy {
    // Not set.
    TENANCY_UNSPECIFIED = 0;

    // Use default VPC tenancy.
    DEFAULT = 1;

    // Run a dedicated instance.
    DEDICATED = 2;

    // Launch this instance to a dedicated host.
    HOST = 3;
  }

  // Required. The tenancy for instance.
  Tenancy tenancy = 1 [(google.api.field_behavior) = REQUIRED];
}

// Configuration related to CloudWatch metrics collection in an AWS
// Auto Scaling group.
message AwsAutoscalingGroupMetricsCollection {
  // Required. The frequency at which EC2 Auto Scaling sends aggregated data to
  // AWS CloudWatch. The only valid value is "1Minute".
  string granularity = 1 [(google.api.field_behavior) = REQUIRED];

  // Optional. The metrics to enable. For a list of valid metrics, see
  // https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_EnableMetricsCollection.html.
  // If you specify Granularity and don't specify any metrics, all metrics are
  // enabled.
  repeated string metrics = 2 [(google.api.field_behavior) = OPTIONAL];
}

// SpotConfig has configuration info for Spot node.
message SpotConfig {
  // Required. A list of instance types for creating spot node pool.
  repeated string instance_types = 1 [(google.api.field_behavior) = REQUIRED];
}

// AwsClusterError describes errors found on AWS clusters.
message AwsClusterError {
  // Human-friendly description of the error.
  //
  // Free-form text intended for display; do not parse it for control flow.
  string message = 1;
}

// AwsNodePoolError describes errors found on AWS node pools.
message AwsNodePoolError {
  // Human-friendly description of the error.
  //
  // Free-form text intended for display; do not parse it for control flow.
  string message = 1;
}