syntax = "proto3"; package envoy.api.v2.core; import "envoy/api/v2/core/base.proto"; import "google/protobuf/any.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/struct.proto"; import "udpa/annotations/migrate.proto"; import "udpa/annotations/sensitive.proto"; import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "GrpcServiceProto"; option java_multiple_files = true; option go_package = "github.com/envoyproxy/go-control-plane/envoy/api/v2/core"; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: gRPC services] // gRPC service configuration. This is used by :ref:`ApiConfigSource // ` and filter configurations. // [#next-free-field: 6] message GrpcService { message EnvoyGrpc { // The name of the upstream gRPC cluster. SSL credentials will be supplied // in the :ref:`Cluster ` :ref:`transport_socket // `. string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}]; } // [#next-free-field: 7] message GoogleGrpc { // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html. message SslCredentials { // PEM encoded server root certificates. DataSource root_certs = 1; // PEM encoded client private key. DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; // PEM encoded client certificate chain. DataSource cert_chain = 3; } // Local channel credentials. Only UDS is supported for now. // See https://github.com/grpc/grpc/pull/15909. message GoogleLocalCredentials { } // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call // credential types. message ChannelCredentials { oneof credential_specifier { option (validate.required) = true; SslCredentials ssl_credentials = 1; // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 google.protobuf.Empty google_default = 2; GoogleLocalCredentials local_credentials = 3; } } // [#next-free-field: 8] message CallCredentials { message ServiceAccountJWTAccessCredentials { string json_key = 1; uint64 token_lifetime_seconds = 2; } message GoogleIAMCredentials { string authorization_token = 1; string authority_selector = 2; } message MetadataCredentialsFromPlugin { string name = 1; oneof config_type { google.protobuf.Struct config = 2 [deprecated = true]; google.protobuf.Any typed_config = 3; } } // Security token service configuration that allows Google gRPC to // fetch security token from an OAuth 2.0 authorization server. // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and // https://github.com/grpc/grpc/pull/19587. // [#next-free-field: 10] message StsService { // URI of the token exchange service that handles token exchange requests. // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by // https://github.com/bufbuild/protoc-gen-validate/issues/303] string token_exchange_service_uri = 1; // Location of the target service or resource where the client // intends to use the requested security token. string resource = 2; // Logical name of the target service where the client intends to // use the requested security token. string audience = 3; // The desired scope of the requested security token in the // context of the service or resource where the token will be used. string scope = 4; // Type of the requested security token. string requested_token_type = 5; // The path of subject token, a security token that represents the // identity of the party on behalf of whom the request is being made. string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}]; // Type of the subject token. string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}]; // The path of actor token, a security token that represents the identity // of the acting party. The acting party is authorized to use the // requested security token and act on behalf of the subject. string actor_token_path = 8; // Type of the actor token. string actor_token_type = 9; } oneof credential_specifier { option (validate.required) = true; // Access token credentials. // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d. string access_token = 1; // Google Compute Engine credentials. // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 google.protobuf.Empty google_compute_engine = 2; // Google refresh token credentials. // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c. string google_refresh_token = 3; // Service Account JWT Access credentials. // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa. ServiceAccountJWTAccessCredentials service_account_jwt_access = 4; // Google IAM credentials. // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0. GoogleIAMCredentials google_iam = 5; // Custom authenticator credentials. // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07. // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms. MetadataCredentialsFromPlugin from_plugin = 6; // Custom security token service which implements OAuth 2.0 token exchange. // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 // See https://github.com/grpc/grpc/pull/19587. StsService sts_service = 7; } } // The target URI when using the `Google C++ gRPC client // `_. SSL credentials will be supplied in // :ref:`channel_credentials `. string target_uri = 1 [(validate.rules).string = {min_bytes: 1}]; ChannelCredentials channel_credentials = 2; // A set of call credentials that can be composed with `channel credentials // `_. repeated CallCredentials call_credentials = 3; // The human readable prefix to use when emitting statistics for the gRPC // service. // // .. csv-table:: // :header: Name, Type, Description // :widths: 1, 1, 2 // // streams_total, Counter, Total number of streams opened // streams_closed_, Counter, Total streams closed with string stat_prefix = 4 [(validate.rules).string = {min_bytes: 1}]; // The name of the Google gRPC credentials factory to use. This must have been registered with // Envoy. If this is empty, a default credentials factory will be used that sets up channel // credentials based on other configuration parameters. string credentials_factory_name = 5; // Additional configuration for site-specific customizations of the Google // gRPC library. google.protobuf.Struct config = 6; } reserved 4; oneof target_specifier { option (validate.required) = true; // Envoy's in-built gRPC client. // See the :ref:`gRPC services overview ` // documentation for discussion on gRPC client selection. EnvoyGrpc envoy_grpc = 1; // `Google C++ gRPC client `_ // See the :ref:`gRPC services overview ` // documentation for discussion on gRPC client selection. GoogleGrpc google_grpc = 2; } // The timeout for the gRPC request. This is the timeout for a specific // request. google.protobuf.Duration timeout = 3; // Additional metadata to include in streams initiated to the GrpcService. // This can be used for scenarios in which additional ad hoc authorization // headers (e.g. ``x-foo-bar: baz-key``) are to be injected. repeated HeaderValue initial_metadata = 5; }