// Copyright 2023 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.run.v2;

import "google/api/field_behavior.proto";
import "google/api/resource.proto";

option go_package = "cloud.google.com/go/run/apiv2/runpb;runpb";
option java_multiple_files = true;
option java_outer_classname = "K8sMinProto";
option java_package = "com.google.cloud.run.v2";
option (google.api.resource_definition) = {
  type: "cloudkms.googleapis.com/CryptoKey"
  pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}"
};
option (google.api.resource_definition) = {
  type: "secretmanager.googleapis.com/Secret"
  pattern: "projects/{project}/secrets/{secret}"
};
option (google.api.resource_definition) = {
  type: "secretmanager.googleapis.com/SecretVersion"
  pattern: "projects/{project}/secrets/{secret}/versions/{version}"
};
option (google.api.resource_definition) = {
  type: "vpcaccess.googleapis.com/Connector"
  pattern: "projects/{project}/locations/{location}/connectors/{connector}"
};

// A single application container.
// This specifies both the container to run, the command to run in the container
// and the arguments to supply to it.
// Note that additional arguments can be supplied by the system to the container
// at runtime.
message Container {
  // Name of the container specified as a DNS_LABEL (RFC 1123).
  string name = 1;

  // Required. Name of the container image in Dockerhub, Google Artifact
  // Registry, or Google Container Registry. If the host is not provided,
  // Dockerhub is assumed.
  //
  // NOTE(review): an unqualified reference is resolved against Dockerhub, and
  // a mutable tag can point at different content over time; a digest-qualified
  // reference pins the exact artifact that is deployed (confirm the reference
  // syntax the service accepts).
  string image = 2 [(google.api.field_behavior) = REQUIRED];

  // Entrypoint array. Not executed within a shell.
  // The docker image's ENTRYPOINT is used if this is not provided.
  repeated string command = 3;

  // Arguments to the entrypoint.
  // The docker image's CMD is used if this is not provided.
  repeated string args = 4;

  // List of environment variables to set in the container.
  repeated EnvVar env = 5;

  // Compute Resource requirements by this container.
  ResourceRequirements resources = 6;

  // List of ports to expose from the container. Only a single port can be
  // specified. The specified ports must be listening on all interfaces
  // (0.0.0.0) within the container to be accessible.
  //
  // If omitted, a port number will be chosen and passed to the container
  // through the PORT environment variable for the container to listen on.
  repeated ContainerPort ports = 7;

  // Volumes to mount into the container's filesystem.
  repeated VolumeMount volume_mounts = 8;

  // Container's working directory.
  // If not specified, the container runtime's default will be used, which
  // might be configured in the container image.
  string working_dir = 9;

  // Periodic probe of container liveness.
  // Container will be restarted if the probe fails.
  Probe liveness_probe = 10;

  // Startup probe of application within the container.
  // All other probes are disabled if a startup probe is provided, until it
  // succeeds. Container will not be added to service endpoints if the probe
  // fails.
  Probe startup_probe = 11;

  // Names of the containers that must start before this container.
  repeated string depends_on = 12;
}

// ResourceRequirements describes the compute resource requirements.
message ResourceRequirements {
  // Only `memory` and `cpu` keys in the map are supported.
  //
  // Notes:
  // * The only supported values for CPU are '1', '2', '4', and '8'. Setting 4
  // CPU requires at least 2Gi of memory. For more information, go to
  // https://cloud.google.com/run/docs/configuring/cpu.
  // * For supported 'memory' values and syntax, go to
  // https://cloud.google.com/run/docs/configuring/memory-limits
  map<string, string> limits = 1;

  // Determines whether CPU is only allocated during requests (true by default).
  // However, if ResourceRequirements is set, the caller must explicitly
  // set this field to true to preserve the default behavior.
  //
  // This is a consequence of proto3 bool having no presence: once the
  // enclosing message is present, an unset value reads as false.
  bool cpu_idle = 2;

  // Determines whether CPU should be boosted on startup of a new container
  // instance above the requested CPU threshold, this can help reduce cold-start
  // latency.
  bool startup_cpu_boost = 3;
}

// EnvVar represents an environment variable present in a Container.
message EnvVar {
  // Required. Name of the environment variable. Must not exceed 32768
  // characters.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Where the variable's value comes from: an inline literal or a reference
  // to an external source. At most one member is set.
  oneof values {
    // Literal value. Variable references $(VAR_NAME) are expanded
    // using the previous defined environment variables in the container and
    // any route environment variables. If a variable cannot be resolved,
    // the reference in the input string will be unchanged. The $(VAR_NAME)
    // syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped
    // references will never be expanded, regardless of whether the variable
    // exists or not.
    // Defaults to "", and the maximum length is 32768 bytes.
    //
    // The literal is stored as part of the container specification. Secret
    // material belongs in `value_source`, which references the secret instead
    // of embedding it here.
    string value = 2;

    // Source for the environment variable's value.
    EnvVarSource value_source = 3;
  }
}

// EnvVarSource represents a source for the value of an EnvVar.
message EnvVarSource {
  // Selects a secret and a specific version from Cloud Secret Manager.
  SecretKeySelector secret_key_ref = 1;
}

// SecretKeySelector selects a secret, and a specific version of it, in Cloud
// Secret Manager for use as the value of an EnvVar.
message SecretKeySelector {
  // Required. The name of the secret in Cloud Secret Manager.
  // Format: {secret_name} if the secret is in the same project.
  // projects/{project}/secrets/{secret_name} if the secret is
  // in a different project.
  string secret = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "secretmanager.googleapis.com/Secret"
    }
  ];

  // The Cloud Secret Manager secret version.
  // Can be 'latest' for the latest version, an integer for a specific version,
  // or a version alias.
  //
  // 'latest' follows whichever version is current, so the value the container
  // receives changes as new versions are added without any change to this
  // resource; an explicit version makes the resolved value reproducible.
  string version = 2 [(google.api.resource_reference) = {
    type: "secretmanager.googleapis.com/SecretVersion"
  }];
}

// ContainerPort represents a network port in a single container.
message ContainerPort {
  // If specified, used to specify which protocol to use.
  // Allowed values are "http1" and "h2c".
  string name = 1;

  // Port number the container listens on.
  // This must be a valid TCP port number, 0 < container_port < 65536.
  //
  // NOTE(review): field number 2 is unassigned in this message; if it was
  // used previously, a `reserved` entry would prevent accidental reuse.
  int32 container_port = 3;
}

// VolumeMount describes a mounting of a Volume within a container.
message VolumeMount {
  // Required. This must match the Name of a Volume.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // Required. Path within the container at which the volume should be mounted.
  // Must not contain ':'. For Cloud SQL volumes, it can be left empty, or must
  // otherwise be `/cloudsql`. All instances defined in the Volume will be
  // available as `/cloudsql/[instance]`. For more information on Cloud SQL
  // volumes, visit https://cloud.google.com/sql/docs/mysql/connect-run
  //
  // NOTE(review): field number 2 is unassigned in this message; if it was
  // used previously, a `reserved` entry would prevent accidental reuse.
  string mount_path = 3 [(google.api.field_behavior) = REQUIRED];
}

// Volume represents a named volume in a container.
message Volume {
  // Required. Volume's name.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // The backing store for this volume. Exactly one member is set.
  oneof volume_type {
    // Secret represents a secret that should populate this volume.
    SecretVolumeSource secret = 2;

    // For Cloud SQL volumes, contains the specific instances that should be
    // mounted. Visit https://cloud.google.com/sql/docs/mysql/connect-run for
    // more information on how to connect Cloud SQL and Cloud Run.
    CloudSqlInstance cloud_sql_instance = 3;

    // Ephemeral storage used as a shared volume.
    EmptyDirVolumeSource empty_dir = 4;

    // For NFS volumes, contains the server and path of the NFS export.
    NFSVolumeSource nfs = 5;

    // Persistent storage backed by a Google Cloud Storage bucket.
    GCSVolumeSource gcs = 6;
  }
}

// The secret's value will be presented as the content of a file whose
// name is defined in the item path. If no items are defined, the name of
// the file is the secret.
message SecretVolumeSource {
  // Required. The name of the secret in Cloud Secret Manager.
  // Format: {secret} if the secret is in the same project.
  // projects/{project}/secrets/{secret} if the secret is
  // in a different project.
  string secret = 1 [(google.api.field_behavior) = REQUIRED];

  // If unspecified, the volume will expose a file whose name is the
  // secret, relative to VolumeMount.mount_path.
  // If specified, the key will be used as the version to fetch from Cloud
  // Secret Manager and the path will be the name of the file exposed in the
  // volume. When items are defined, they must specify a path and a version.
  repeated VersionToPath items = 2;

  // Integer representation of mode bits to use on created files by default.
  // Must be a value between 0000 and 0777 (octal), defaulting to 0444.
  // Directories within the path are not affected by this setting.
  //
  // Notes
  //
  // * Internally, a umask of 0222 will be applied to any non-zero value.
  // * This is an integer representation of the mode bits. So, the octal
  // integer value should look exactly as the chmod numeric notation with a
  // leading zero. Some examples: for chmod 777 (a=rwx), set to 0777 (octal) or
  // 511 (base-10). For chmod 640 (u=rw,g=r), set to 0640 (octal) or
  // 416 (base-10). For chmod 755 (u=rwx,g=rx,o=rx), set to 0755 (octal) or 493
  // (base-10).
  // * This might be in conflict with other options that affect the
  // file mode, like fsGroup, and as a result, other mode bits could be set.
  // * The default of 0444 makes the secret file readable by every user in the
  // container. When only the process owner needs it, a narrower mode such as
  // 0400 (octal) / 256 (base-10) limits exposure; confirm which user the
  // container runs as before relying on owner-only bits.
  // * proto3 int32 has no presence, so 0 is indistinguishable from unset here
  // and presumably yields the 0444 default rather than mode 0000 — confirm.
  int32 default_mode = 3;
}

// VersionToPath maps a specific version of a secret to a relative file to mount
// to, relative to VolumeMount's mount_path.
message VersionToPath {
  // Required. The relative path of the secret in the container.
  string path = 1 [(google.api.field_behavior) = REQUIRED];

  // The Cloud Secret Manager secret version.
  // Can be 'latest' for the latest value, or an integer or a secret alias for a
  // specific version.
  //
  // 'latest' follows whichever version is current; an explicit version makes
  // the file content reproducible across deployments.
  string version = 2;

  // Integer octal mode bits to use on this file, must be a value between
  // 01 and 0777 (octal). If 0 or not set, the Volume's default mode will be
  // used.
  //
  // Notes
  //
  // * Internally, a umask of 0222 will be applied to any non-zero value.
  // * This is an integer representation of the mode bits. So, the octal
  // integer value should look exactly as the chmod numeric notation with a
  // leading zero. Some examples: for chmod 777 (a=rwx), set to 0777 (octal) or
  // 511 (base-10). For chmod 640 (u=rw,g=r), set to 0640 (octal) or
  // 416 (base-10). For chmod 755 (u=rwx,g=rx,o=rx), set to 0755 (octal) or 493
  // (base-10).
  // * This might be in conflict with other options that affect the
  // file mode, like fsGroup, and the result can be other mode bits set.
  int32 mode = 3;
}

// Represents a set of Cloud SQL instances. Each one will be available under
// /cloudsql/[instance]. Visit
// https://cloud.google.com/sql/docs/mysql/connect-run for more information on
// how to connect Cloud SQL and Cloud Run.
message CloudSqlInstance {
  // The Cloud SQL instance connection names, as can be found in
  // https://console.cloud.google.com/sql/instances. Visit
  // https://cloud.google.com/sql/docs/mysql/connect-run for more information on
  // how to connect Cloud SQL and Cloud Run. Format:
  // {project}:{location}:{instance}
  repeated string instances = 1;
}

// In memory (tmpfs) ephemeral storage.
// It is ephemeral in the sense that when the sandbox is taken down, the data is
// destroyed with it (it does not persist across sandbox runs).
message EmptyDirVolumeSource {
  // The different types of medium supported for EmptyDir.
  enum Medium {
    // When not specified, falls back to the default implementation which
    // is currently in memory (this may change over time).
    MEDIUM_UNSPECIFIED = 0;

    // Explicitly set the EmptyDir to be in memory. Uses tmpfs.
    MEMORY = 1;
  }

  // The medium on which the data is stored. The only acceptable value today
  // is MEMORY, or unset. When unset, the default will currently be backed by
  // memory but could change over time.
  Medium medium = 1;

  // Limit on the storage usable by this EmptyDir volume.
  // The size limit is also applicable for memory medium.
  // The maximum usage on memory medium EmptyDir would be the minimum value
  // between the SizeLimit specified here and the sum of memory limits of all
  // containers. The default is nil which means that the limit is undefined.
  // More info:
  // https://cloud.google.com/run/docs/configuring/in-memory-volumes#configure-volume.
  // Info in Kubernetes:
  // https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
  //
  // With no limit set, writes to an in-memory volume can consume memory up to
  // the containers' combined memory limit and so compete with the application
  // itself; setting a limit bounds that.
  string size_limit = 2;
}

// Represents an NFS mount.
message NFSVolumeSource {
  // Hostname or IP address of the NFS server.
  string server = 1;

  // Path that is exported by the NFS server.
  string path = 2;

  // If true, mount the NFS volume as read only.
  // proto3 bool has no presence: leaving this unset reads as false, i.e. a
  // writable mount.
  bool read_only = 3;
}

// Represents a GCS Bucket mounted as a volume.
message GCSVolumeSource {
  // GCS Bucket name.
  string bucket = 1;

  // If true, mount the GCS bucket as read-only.
  // proto3 bool has no presence: leaving this unset reads as false, i.e. a
  // writable mount.
  bool read_only = 2;
}

// Probe describes a health check to be performed against a container to
// determine whether it is alive or ready to receive traffic.
message Probe {
  // Number of seconds after the container has started before the probe is
  // initiated.
  // Defaults to 0 seconds. Minimum value is 0. Maximum value for liveness probe
  // is 3600. Maximum value for startup probe is 240.
  int32 initial_delay_seconds = 1;

  // Number of seconds after which the probe times out.
  // Defaults to 1 second. Minimum value is 1. Maximum value is 3600.
  // Must be smaller than period_seconds.
  //
  // NOTE(review): this field and period_seconds state the bound differently
  // (strictly smaller here, greater-or-equal there); confirm which the server
  // enforces.
  int32 timeout_seconds = 2;

  // How often (in seconds) to perform the probe.
  // Default to 10 seconds. Minimum value is 1. Maximum value for liveness probe
  // is 3600. Maximum value for startup probe is 240.
  // Must be greater or equal than timeout_seconds.
  int32 period_seconds = 3;

  // Minimum consecutive failures for the probe to be considered failed after
  // having succeeded. Defaults to 3. Minimum value is 1.
  int32 failure_threshold = 4;

  // The action the probe performs. Exactly one member must be set.
  oneof probe_type {
    // HTTPGet specifies the http request to perform.
    // Exactly one of httpGet, tcpSocket, or grpc must be specified.
    HTTPGetAction http_get = 5;

    // TCPSocket specifies an action involving a TCP port.
    // Exactly one of httpGet, tcpSocket, or grpc must be specified.
    TCPSocketAction tcp_socket = 6;

    // GRPC specifies an action involving a gRPC port.
    // Exactly one of httpGet, tcpSocket, or grpc must be specified.
    GRPCAction grpc = 7;
  }
}

// HTTPGetAction describes an action based on HTTP Get requests.
message HTTPGetAction {
  // Path to access on the HTTP server. Defaults to '/'.
  string path = 1;

  // Custom headers to set in the request. HTTP allows repeated headers.
  //
  // NOTE(review): field numbers 2 and 3 are unassigned in this message; if
  // they were used previously, a `reserved` entry would prevent accidental
  // reuse.
  repeated HTTPHeader http_headers = 4;

  // Port number to access on the container. Must be in the range 1 to 65535.
  // If not specified, defaults to the exposed port of the container, which is
  // the value of container.ports[0].containerPort.
  int32 port = 5;
}

// HTTPHeader describes a custom header to be used in HTTP probes.
message HTTPHeader {
  // Required. The header field name.
  string name = 1 [(google.api.field_behavior) = REQUIRED];

  // The header field value. Unlike EnvVar, there is no secret-reference form
  // for a header: the value is stored as a plain string in the specification,
  // so credentials should not be placed here.
  string value = 2;
}

// TCPSocketAction describes an action based on opening a socket.
message TCPSocketAction {
  // Port number to access on the container. Must be in the range 1 to 65535.
  // If not specified, defaults to the exposed port of the container, which is
  // the value of container.ports[0].containerPort.
  int32 port = 1;
}

// GRPCAction describes an action involving a GRPC port.
message GRPCAction {
  // Port number of the gRPC service. Number must be in the range 1 to 65535.
  // If not specified, defaults to the exposed port of the container, which is
  // the value of container.ports[0].containerPort.
  int32 port = 1;

  // Service is the name of the service to place in the gRPC HealthCheckRequest
  // (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md ). If
  // this is not specified, the default behavior is defined by gRPC.
  string service = 2;
}