syntax = "proto3";

package envoy.extensions.transport_sockets.alts.v3;

import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.alts.v3";
option java_outer_classname = "AltsProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/alts/v3;altsv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: ALTS]
// [#extension: envoy.transport_sockets.alts]

// Configuration for ALTS transport socket. This provides Google's ALTS protocol to Envoy.
// Store the peer identity in dynamic metadata, namespace is "envoy.transport_socket.peer_information", key is "peer_identity".
// https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/
message Alts {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.transport_socket.alts.v2alpha.Alts";

  // The location of a handshaker service, this is usually 169.254.169.254:8080
  // on GCE.
  string handshaker_service = 1 [(validate.rules).string = {min_len: 1}];

  // The acceptable service accounts from peer, peers not in the list will be rejected in the
  // handshake validation step. If empty, no validation will be performed.
  repeated string peer_service_accounts = 2;
}