xref: /aosp_15_r20/external/google-cloud-java/java-gkehub/proto-google-cloud-gkehub-v1alpha2/src/main/proto/google/cloud/gkehub/v1alpha2/membership.proto (revision 55e87721aa1bc457b326496a7ca40f3ea1a63287)

// Copyright 2022 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.gkehub.v1alpha2;

import "google/api/annotations.proto";
import "google/api/client.proto";
import "google/api/field_behavior.proto";
import "google/api/resource.proto";
import "google/longrunning/operations.proto";
import "google/protobuf/field_mask.proto";
import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.GkeHub.V1Alpha2";
option go_package = "cloud.google.com/go/gkehub/apiv1alpha2/gkehubpb;gkehubpb";
option java_multiple_files = true;
option java_outer_classname = "MembershipProto";
option java_package = "com.google.cloud.gkehub.v1alpha2";
option php_namespace = "Google\\Cloud\\GkeHub\\V1alpha2";
option ruby_package = "Google::Cloud::GkeHub::V1alpha2";

// The GKE Hub service handles the registration of many Kubernetes
// clusters to Google Cloud, represented with the [Membership][google.cloud.gkehub.v1alpha2.Membership] resource.
//
// GKE Hub is currently only available in the global region.
//
// **Membership management may be non-trivial:** it is recommended to use one
// of the Google-provided client libraries or tools where possible when working
// with Membership resources.
service GkeHub {
  option (google.api.default_host) = "gkehub.googleapis.com";
  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";

  // Lists Memberships in a given project and location.
  rpc ListMemberships(ListMembershipsRequest) returns (ListMembershipsResponse) {
    option (google.api.http) = {
      get: "/v1alpha2/{parent=projects/*/locations/*}/memberships"
    };
    option (google.api.method_signature) = "parent";
  }

  // Gets the details of a Membership.
  rpc GetMembership(GetMembershipRequest) returns (Membership) {
    option (google.api.http) = {
      get: "/v1alpha2/{name=projects/*/locations/*/memberships/*}"
    };
    option (google.api.method_signature) = "name";
  }

  // Creates a new Membership.
  //
  // **This is currently only supported for GKE clusters on Google Cloud**.
  // To register other clusters, follow the instructions at
  // https://cloud.google.com/anthos/multicluster-management/connect/registering-a-cluster.
  rpc CreateMembership(CreateMembershipRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      post: "/v1alpha2/{parent=projects/*/locations/*}/memberships"
      body: "resource"
    };
    option (google.api.method_signature) = "parent,resource,membership_id";
    option (google.longrunning.operation_info) = {
      response_type: "Membership"
      metadata_type: "OperationMetadata"
    };
  }

  // Removes a Membership.
  //
  // **This is currently only supported for GKE clusters on Google Cloud**.
  // To unregister other clusters, follow the instructions at
  // https://cloud.google.com/anthos/multicluster-management/connect/unregistering-a-cluster.
  rpc DeleteMembership(DeleteMembershipRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      delete: "/v1alpha2/{name=projects/*/locations/*/memberships/*}"
    };
    option (google.api.method_signature) = "name";
    option (google.longrunning.operation_info) = {
      response_type: "google.protobuf.Empty"
      metadata_type: "OperationMetadata"
    };
  }

  // Updates an existing Membership.
  rpc UpdateMembership(UpdateMembershipRequest) returns (google.longrunning.Operation) {
    option (google.api.http) = {
      patch: "/v1alpha2/{name=projects/*/locations/*/memberships/*}"
      body: "resource"
    };
    option (google.api.method_signature) = "name,resource,update_mask";
    option (google.longrunning.operation_info) = {
      response_type: "Membership"
      metadata_type: "OperationMetadata"
    };
  }

  // Generates the manifest for deployment of the GKE connect agent.
  //
  // **This method is used internally by Google-provided libraries.**
  // Most clients should not need to call this method directly.
  rpc GenerateConnectManifest(GenerateConnectManifestRequest) returns (GenerateConnectManifestResponse) {
    option (google.api.http) = {
      get: "/v1alpha2/{name=projects/*/locations/*/memberships/*}:generateConnectManifest"
    };
  }

  // Initializes the Hub in this project, which includes creating the default
  // Hub Service Account and the Hub Workload Identity Pool. Initialization is
  // optional, and happens automatically when the first Membership is created.
  //
  // InitializeHub should be called when the first Membership cannot be
  // registered without these resources. A common example is granting the Hub
  // Service Account access to another project, which requires the account to
  // exist first.
  rpc InitializeHub(InitializeHubRequest) returns (InitializeHubResponse) {
    option (google.api.http) = {
      post: "/v1alpha2/{project=projects/*/locations/global/memberships}:initializeHub"
      body: "*"
    };
  }
}

// Membership contains information about a member cluster.
message Membership {
  option (google.api.resource) = {
    type: "gkehub.googleapis.com/Membership"
    pattern: "projects/{project}/locations/{location}/memberships/{membership}"
  };

  // Specifies the infrastructure type of a Membership. Infrastructure type is
  // used by Hub to control infrastructure-specific behavior, including pricing.
  //
  // Each GKE distribution (on-GCP, on-Prem, on-X,...) will set this field
  // automatically, but Attached Clusters customers should specify a type
  // during registration.
  enum InfrastructureType {
    // No type was specified. Some Hub functionality may require a type be
    // specified, and will not support Memberships with this value.
    INFRASTRUCTURE_TYPE_UNSPECIFIED = 0;

    // Private infrastructure that is owned or operated by customer. This
    // includes GKE distributions such as GKE-OnPrem and GKE-OnBareMetal.
    ON_PREM = 1;

    // Public cloud infrastructure.
    MULTI_CLOUD = 2;
  }

  // Output only. The full, unique name of this Membership resource in the format
  // `projects/*/locations/*/memberships/{membership_id}`, set during creation.
  //
  // `membership_id` must be a valid RFC 1123 compliant DNS label:
  //
  //   1. At most 63 characters in length
  //   2. It must consist of lower case alphanumeric characters or `-`
  //   3. It must start and end with an alphanumeric character
  //
  // Which can be expressed as the regex: `[a-z0-9]([-a-z0-9]*[a-z0-9])?`,
  // with a maximum length of 63 characters.
  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. GCP labels for this membership.
  map<string, string> labels = 2 [(google.api.field_behavior) = OPTIONAL];

  // Output only. Description of this membership, limited to 63 characters.
  // Must match the regex: `[a-zA-Z0-9][a-zA-Z0-9_\-\.\ ]*`
  //
  // This field is present for legacy purposes.
  string description = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Type of resource represented by this Membership
  oneof type {
    // Optional. Endpoint information to reach this member.
    MembershipEndpoint endpoint = 4 [(google.api.field_behavior) = OPTIONAL];
  }

  // Output only. State of the Membership resource.
  MembershipState state = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. When the Membership was created.
  google.protobuf.Timestamp create_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. When the Membership was last updated.
  google.protobuf.Timestamp update_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. When the Membership was deleted.
  google.protobuf.Timestamp delete_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. An externally-generated and managed ID for this Membership. This ID may
  // be modified after creation, but this is not recommended. For GKE clusters,
  // external_id is managed by the Hub API and updates will be ignored.
  //
  // The ID must match the regex: `[a-zA-Z0-9][a-zA-Z0-9_\-\.]*`
  //
  // If this Membership represents a Kubernetes cluster, this value should be
  // set to the UID of the `kube-system` namespace object.
  string external_id = 9 [(google.api.field_behavior) = OPTIONAL];

  // Optional. How to identify workloads from this Membership.
  // See the documentation on Workload Identity for more details:
  // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
  Authority authority = 10 [(google.api.field_behavior) = OPTIONAL];

  // Output only. For clusters using Connect, the timestamp of the most recent connection
  // established with Google Cloud. This time is updated every several minutes,
  // not continuously. For clusters that do not use GKE Connect, or that have
  // never connected successfully, this field will be unset.
  google.protobuf.Timestamp last_connection_time = 11 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Google-generated UUID for this resource. This is unique across all
  // Membership resources. If a Membership resource is deleted and another
  // resource with the same name is created, it gets a different unique_id.
  string unique_id = 12 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The infrastructure type this Membership is running on.
  InfrastructureType infrastructure_type = 13 [(google.api.field_behavior) = OPTIONAL];
}

// MembershipEndpoint contains information needed to contact a Kubernetes API,
// endpoint and any additional Kubernetes metadata.
message MembershipEndpoint {
  // Cluster information of the registered cluster.
  oneof type {
    // Optional. Specific information for a GKE-on-GCP cluster.
    GkeCluster gke_cluster = 1 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Specific information for a GKE On-Prem cluster.
    OnPremCluster on_prem_cluster = 4 [(google.api.field_behavior) = OPTIONAL];

    // Optional. Specific information for a GKE Multi-Cloud cluster.
    MultiCloudCluster multi_cloud_cluster = 5 [(google.api.field_behavior) = OPTIONAL];
  }

  // Output only. Useful Kubernetes-specific metadata.
  KubernetesMetadata kubernetes_metadata = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. The in-cluster Kubernetes Resources that should be applied for a correctly
  // registered cluster, in the steady state. These resources:
  //
  //   * Ensure that the cluster is exclusively registered to one and only one
  //     Hub Membership.
  //   * Propagate Workload Pool Information available in the Membership
  //     Authority field.
  //   * Ensure proper initial configuration of default Hub Features.
  KubernetesResource kubernetes_resource = 3 [(google.api.field_behavior) = OPTIONAL];
}

// KubernetesResource contains the YAML manifests and configuration for
// Membership Kubernetes resources in the cluster. After CreateMembership or
// UpdateMembership, these resources should be re-applied in the cluster.
message KubernetesResource {
  // Input only. The YAML representation of the Membership CR. This field is ignored for GKE
  // clusters where Hub can read the CR directly.
  //
  // Callers should provide the CR that is currently present in the cluster
  // during Create or Update, or leave this field empty if none exists. The CR
  // manifest is used to validate the cluster has not been registered with
  // another Membership.
  string membership_cr_manifest = 1 [(google.api.field_behavior) = INPUT_ONLY];

  // Output only. Additional Kubernetes resources that need to be applied to the cluster
  // after Membership creation, and after every update.
  //
  // This field is only populated in the Membership returned from a successful
  // long-running operation from CreateMembership or UpdateMembership. It is not
  // populated during normal GetMembership or ListMemberships requests. To get
  // the resource manifest after the initial registration, the caller should
  // make a UpdateMembership call with an empty field mask.
  repeated ResourceManifest membership_resources = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The Kubernetes resources for installing the GKE Connect agent.
  //
  // This field is only populated in the Membership returned from a successful
  // long-running operation from CreateMembership or UpdateMembership. It is not
  // populated during normal GetMembership or ListMemberships requests. To get
  // the resource manifest after the initial registration, the caller should
  // make a UpdateMembership call with an empty field mask.
  repeated ResourceManifest connect_resources = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Optional. Options for Kubernetes resource generation.
  ResourceOptions resource_options = 5 [(google.api.field_behavior) = OPTIONAL];
}

// ResourceOptions represent options for Kubernetes resource generation.
message ResourceOptions {
  // Optional. The Connect agent version to use for connect_resources. Defaults to the
  // latest GKE Connect version. The version must be a currently supported
  // version, obsolete versions will be rejected.
  string connect_version = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Use `apiextensions/v1beta1` instead of `apiextensions/v1` for
  // CustomResourceDefinition resources.
  // This option should be set for clusters with Kubernetes apiserver versions
  // <1.16.
  bool v1beta1_crd = 2 [(google.api.field_behavior) = OPTIONAL];

  // Major version of the Kubernetes cluster. This is only used to determine
  // which version to use for the CustomResourceDefinition resources,
  // `apiextensions/v1beta1` or`apiextensions/v1`.
  string k8s_version = 3 [(google.api.field_behavior) = OPTIONAL];
}

// GkeCluster contains information specific to GKE clusters.
message GkeCluster {
  // Immutable. Self-link of the GCP resource for the GKE cluster. For example:
  //
  //     //container.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster
  //
  // Zonal clusters are also supported.
  string resource_link = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. If cluster_missing is set then it denotes that the GKE cluster no longer
  // exists in the GKE Control Plane.
  bool cluster_missing = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// OnPremCluster contains information specific to GKE On-Prem clusters.
message OnPremCluster {
  // Immutable. Self-link of the GCP resource for the GKE On-Prem cluster. For example:
  //
  //  //gkeonprem.googleapis.com/projects/my-project/locations/us-west1-a/vmwareClusters/my-cluster
  //  //gkeonprem.googleapis.com/projects/my-project/locations/us-west1-a/bareMetalClusters/my-cluster
  string resource_link = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. If cluster_missing is set then it denotes that
  // API(gkeonprem.googleapis.com) resource for this GKE On-Prem cluster no
  // longer exists.
  bool cluster_missing = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Immutable. Whether the cluster is an admin cluster.
  bool admin_cluster = 3 [(google.api.field_behavior) = IMMUTABLE];
}

// MultiCloudCluster contains information specific to GKE Multi-Cloud clusters.
message MultiCloudCluster {
  // Immutable. Self-link of the GCP resource for the GKE Multi-Cloud cluster. For
  // example:
  //
  //  //gkemulticloud.googleapis.com/projects/my-project/locations/us-west1-a/awsClusters/my-cluster
  //  //gkemulticloud.googleapis.com/projects/my-project/locations/us-west1-a/azureClusters/my-cluster
  string resource_link = 1 [(google.api.field_behavior) = IMMUTABLE];

  // Output only. If cluster_missing is set then it denotes that
  // API(gkemulticloud.googleapis.com) resource for this GKE Multi-Cloud cluster
  // no longer exists.
  bool cluster_missing = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// KubernetesMetadata provides informational metadata for Memberships
// that are created from Kubernetes Endpoints (currently, these are equivalent
// to Kubernetes clusters).
message KubernetesMetadata {
  // Output only. Kubernetes API server version string as reported by '/version'.
  string kubernetes_api_server_version = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Node providerID as reported by the first node in the list of nodes on
  // the Kubernetes endpoint. On Kubernetes platforms that support zero-node
  // clusters (like GKE-on-GCP), the node_count will be zero and the
  // node_provider_id will be empty.
  string node_provider_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Node count as reported by Kubernetes nodes resources.
  int32 node_count = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. vCPU count as reported by Kubernetes nodes resources.
  int32 vcpu_count = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The total memory capacity as reported by the sum of all Kubernetes nodes
  // resources, defined in MB.
  int32 memory_mb = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time at which these details were last updated. This update_time is
  // different from the Membership-level update_time since EndpointDetails are
  // updated internally for API consumers.
  google.protobuf.Timestamp update_time = 100 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Authority encodes how Google will recognize identities from this Membership.
// See the workload identity documentation for more details:
// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
message Authority {
  // Optional. A JSON Web Token (JWT) issuer URI. `issuer` must start with `https://` and
  // be a valid URL with length <2000 characters.
  //
  // If set, then Google will allow valid OIDC tokens from this issuer to
  // authenticate within the workload_identity_pool. OIDC discovery will be
  // performed on this URI to validate tokens from the issuer, unless
  // `oidc_jwks` is set.
  //
  // Clearing `issuer` disables Workload Identity. `issuer` cannot be directly
  // modified; it must be cleared (and Workload Identity disabled) before using
  // a new issuer (and re-enabling Workload Identity).
  string issuer = 1 [(google.api.field_behavior) = OPTIONAL];

  // Optional. OIDC verification keys for this Membership in JWKS format (RFC 7517).
  //
  // When this field is set, OIDC discovery will NOT be performed on `issuer`,
  // and instead OIDC tokens will be validated using this field.
  bytes oidc_jwks = 5 [(google.api.field_behavior) = OPTIONAL];

  // Output only. An identity provider that reflects the `issuer` in the workload identity
  // pool.
  string identity_provider = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The name of the workload identity pool in which `issuer` will be
  // recognized.
  //
  // There is a single Workload Identity Pool per Hub that is shared
  // between all Memberships that belong to that Hub. For a Hub hosted in
  // {PROJECT_ID}, the workload pool format is `{PROJECT_ID}.hub.id.goog`,
  // although this is subject to change in newer versions of this API.
  string workload_identity_pool = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// MembershipState describes the state of a Membership resource.
message MembershipState {
  // Code describes the state of a Membership resource.
  enum Code {
    // The code is not set.
    CODE_UNSPECIFIED = 0;

    // The cluster is being registered.
    CREATING = 1;

    // The cluster is registered.
    READY = 2;

    // The cluster is being unregistered.
    DELETING = 3;

    // The Membership is being updated.
    UPDATING = 4;

    // The Membership is being updated by the Hub Service.
    SERVICE_UPDATING = 5;
  }

  // Output only. The current state of the Membership resource.
  Code code = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
}

// Request message for `GkeHub.ListMemberships` method.
message ListMembershipsRequest {
  // Required. The parent (project and location) where the Memberships will be listed.
  // Specified in the format `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "gkehub.googleapis.com/Membership"
    }
  ];

  // Optional. When requesting a 'page' of resources, `page_size` specifies number of
  // resources to return. If unspecified or set to 0, all resources will
  // be returned.
  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Token returned by previous call to `ListMemberships` which
  // specifies the position in the list from where to continue listing the
  // resources.
  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. Lists Memberships that match the filter expression, following the syntax
  // outlined in https://google.aip.dev/160.
  //
  // Examples:
  //
  //   - Name is `bar` in project `foo-proj` and location `global`:
  //
  //       name = "projects/foo-proj/locations/global/membership/bar"
  //
  //   - Memberships that have a label called `foo`:
  //
  //       labels.foo:*
  //
  //   - Memberships that have a label called `foo` whose value is `bar`:
  //
  //       labels.foo = bar
  //
  //   - Memberships in the CREATING state:
  //
  //       state = CREATING
  string filter = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. One or more fields to compare and use to sort the output.
  // See https://google.aip.dev/132#ordering.
  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
}

// Response message for the `GkeHub.ListMemberships` method.
message ListMembershipsResponse {
  // The list of matching Memberships.
  repeated Membership resources = 1;

  // A token to request the next page of resources from the
  // `ListMemberships` method. The value of an empty string means that
  // there are no more resources to return.
  string next_page_token = 2;

  // List of locations that could not be reached while fetching this list.
  repeated string unreachable = 3;
}

// Request message for `GkeHub.GetMembership` method.
message GetMembershipRequest {
  // Required. The Membership resource name in the format
  // `projects/*/locations/*/memberships/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "gkehub.googleapis.com/Membership"
    }
  ];
}

// Request message for the `GkeHub.CreateMembership` method.
message CreateMembershipRequest {
  // Required. The parent (project and location) where the Memberships will be created.
  // Specified in the format `projects/*/locations/*`.
  string parent = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      child_type: "gkehub.googleapis.com/Membership"
    }
  ];

  // Required. Client chosen ID for the membership. `membership_id` must be a valid RFC
  // 1123 compliant DNS label:
  //
  //   1. At most 63 characters in length
  //   2. It must consist of lower case alphanumeric characters or `-`
  //   3. It must start and end with an alphanumeric character
  //
  // Which can be expressed as the regex: `[a-z0-9]([-a-z0-9]*[a-z0-9])?`,
  // with a maximum length of 63 characters.
  string membership_id = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. The membership to create.
  Membership resource = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for `GkeHub.DeleteMembership` method.
message DeleteMembershipRequest {
  // Required. The Membership resource name in the format
  // `projects/*/locations/*/memberships/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED,
    (google.api.resource_reference) = {
      type: "gkehub.googleapis.com/Membership"
    }
  ];
}

// Request message for `GkeHub.UpdateMembership` method.
message UpdateMembershipRequest {
  // Required. The Membership resource name in the format
  // `projects/*/locations/*/memberships/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED];

  // Required. Mask of fields to update.
  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];

  // Required. Only fields specified in update_mask are updated.
  // If you specify a field in the update_mask but don't specify its value here
  // that field will be deleted.
  // If you are updating a map field, set the value of a key to null or empty
  // string to delete the key from the map. It's not possible to update a key's
  // value to the empty string.
  // If you specify the update_mask to be a special path "*", fully replaces all
  // user-modifiable fields to match `resource`.
  Membership resource = 3 [(google.api.field_behavior) = REQUIRED];
}

// Request message for `GkeHub.GenerateConnectManifest`
// method.
// .
message GenerateConnectManifestRequest {
  // Required. The Membership resource name the Agent will associate with, in the format
  // `projects/*/locations/*/memberships/*`.
  string name = 1 [
    (google.api.field_behavior) = REQUIRED];

  // Optional. Namespace for GKE Connect agent resources. Defaults to `gke-connect`.
  //
  // The Connect Agent is authorized automatically when run in the default
  // namespace. Otherwise, explicit authorization must be granted with an
  // additional IAM binding.
  string namespace = 2 [(google.api.field_behavior) = OPTIONAL];

  // Optional. URI of a proxy if connectivity from the agent to gkeconnect.googleapis.com
  // requires the use of a proxy. Format must be in the form
  // `http(s)://{proxy_address}`, depending on the HTTP/HTTPS protocol
  // supported by the proxy. This will direct the connect agent's outbound
  // traffic through a HTTP(S) proxy.
  bytes proxy = 3 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The Connect agent version to use. Defaults to the most current version.
  string version = 4 [(google.api.field_behavior) = OPTIONAL];

  // Optional. If true, generate the resources for upgrade only. Some resources
  // generated only for installation (e.g. secrets) will be excluded.
  bool is_upgrade = 5 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The registry to fetch the connect agent image from. Defaults to
  // gcr.io/gkeconnect.
  string registry = 6 [(google.api.field_behavior) = OPTIONAL];

  // Optional. The image pull secret content for the registry, if not public.
  bytes image_pull_secret_content = 7 [(google.api.field_behavior) = OPTIONAL];
}

// GenerateConnectManifestResponse contains manifest information for
// installing/upgrading a Connect agent.
message GenerateConnectManifestResponse {
  // The ordered list of Kubernetes resources that need to be applied to the
  // cluster for GKE Connect agent installation/upgrade.
  repeated ConnectAgentResource manifest = 1;
}

// ConnectAgentResource represents a Kubernetes resource manifest for Connect
// Agent deployment.
message ConnectAgentResource {
  // Kubernetes type of the resource.
  TypeMeta type = 1;

  // YAML manifest of the resource.
  string manifest = 2;
}

// ResourceManifest represents a single Kubernetes resource to be applied to
// the cluster.
message ResourceManifest {
  // YAML manifest of the resource.
  string manifest = 1;

  // Whether the resource provided in the manifest is `cluster_scoped`.
  // If unset, the manifest is assumed to be namespace scoped.
  //
  // This field is used for REST mapping when applying the resource in a
  // cluster.
  bool cluster_scoped = 2;
}

// TypeMeta is the type information needed for content unmarshalling of
// Kubernetes resources in the manifest.
message TypeMeta {
  // Kind of the resource (e.g. Deployment).
  string kind = 1;

  // APIVersion of the resource (e.g. v1).
  string api_version = 2;
}

// Request message for the InitializeHub method.
message InitializeHubRequest {
  // Required. The Hub to initialize, in the format
  // `projects/*/locations/*/memberships/*`.
  string project = 1 [(google.api.field_behavior) = REQUIRED];
}

// Response message for the InitializeHub method.
message InitializeHubResponse {
  // Name of the Hub default service identity, in the format:
  //
  //     service-<project-number>@gcp-sa-gkehub.iam.gserviceaccount.com
  //
  // The service account has `roles/gkehub.serviceAgent` in the Hub project.
  string service_identity = 1;

  // The Workload Identity Pool used for Workload Identity-enabled clusters
  // registered with this Hub. Format: `<project-id>.hub.id.goog`
  string workload_identity_pool = 2;
}

// Represents the metadata of the long-running operation.
message OperationMetadata {
  // Output only. The time the operation was created.
  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. The time the operation finished running.
  google.protobuf.Timestamp end_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Server-defined resource path for the target of the operation.
  string target = 3 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Name of the verb executed by the operation.
  string verb = 4 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Human-readable status of the operation, if any.
  string status_detail = 5 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. Identifies whether the user has requested cancellation
  // of the operation. Operations that have successfully been cancelled
  // have [Operation.error][] value with a [google.rpc.Status.code][google.rpc.Status.code] of 1,
  // corresponding to `Code.CANCELLED`.
  bool cancel_requested = 6 [(google.api.field_behavior) = OUTPUT_ONLY];

  // Output only. API version used to start the operation.
  string api_version = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
}