syntax = "proto3";

package envoy.extensions.transport_sockets.tls.v3;

import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/config_source.proto";
import "envoy/extensions/transport_sockets/tls/v3/common.proto";

import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "SecretProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3;tlsv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: Secrets configuration]

message GenericSecret {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret";

  // Secret of generic type and is available to filters.
  config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
}

message SdsSecretConfig {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig";

  // Name by which the secret can be uniquely referred to. When both name and config are specified,
  // then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret
  // will be loaded from static resources.
  string name = 1 [(validate.rules).string = {min_len: 1}];

  config.core.v3.ConfigSource sds_config = 2;
}

// [#next-free-field: 6]
message Secret {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret";

  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  string name = 1;

  oneof type {
    TlsCertificate tls_certificate = 2;

    TlsSessionTicketKeys session_ticket_keys = 3;

    CertificateValidationContext validation_context = 4;

    GenericSecret generic_secret = 5;
  }
}