// Copyright 2022 Google LLC // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. syntax = "proto3"; package google.cloud.gkemulticloud.v1; import "google/api/field_behavior.proto"; import "google/api/resource.proto"; import "google/cloud/gkemulticloud/v1/common_resources.proto"; import "google/protobuf/timestamp.proto"; option csharp_namespace = "Google.Cloud.GkeMultiCloud.V1"; option go_package = "google.golang.org/genproto/googleapis/cloud/gkemulticloud/v1;gkemulticloud"; option java_multiple_files = true; option java_outer_classname = "AwsResourcesProto"; option java_package = "com.google.cloud.gkemulticloud.v1"; option php_namespace = "Google\\Cloud\\GkeMultiCloud\\V1"; option ruby_package = "Google::Cloud::GkeMultiCloud::V1"; // An Anthos cluster running on AWS. message AwsCluster { option (google.api.resource) = { type: "gkemulticloud.googleapis.com/AwsCluster" pattern: "projects/{project}/locations/{location}/awsClusters/{aws_cluster}" }; // The lifecycle state of the cluster. enum State { // Not set. STATE_UNSPECIFIED = 0; // The PROVISIONING state indicates the cluster is being created. PROVISIONING = 1; // The RUNNING state indicates the cluster has been created and is fully // usable. RUNNING = 2; // The RECONCILING state indicates that some work is actively being done on // the cluster, such as upgrading the control plane replicas. RECONCILING = 3; // The STOPPING state indicates the cluster is being deleted. STOPPING = 4; // The ERROR state indicates the cluster is in a broken unrecoverable // state. ERROR = 5; // The DEGRADED state indicates the cluster requires user action to // restore full functionality. DEGRADED = 6; } // The name of this resource. // // Cluster names are formatted as // `projects//locations//awsClusters/`. // // See [Resource Names](https://cloud.google.com/apis/design/resource_names) // for more details on GCP resource names. string name = 1; // Optional. A human readable description of this cluster. // Cannot be longer than 255 UTF-8 encoded bytes. string description = 2 [(google.api.field_behavior) = OPTIONAL]; // Required. Cluster-wide networking configuration. AwsClusterNetworking networking = 3 [(google.api.field_behavior) = REQUIRED]; // Required. The AWS region where the cluster runs. // // Each Google Cloud region supports a subset of nearby AWS regions. // You can call // [GetAwsServerConfig][google.cloud.gkemulticloud.v1.AwsClusters.GetAwsServerConfig] // to list all supported AWS regions within a given Google Cloud region. string aws_region = 4 [(google.api.field_behavior) = REQUIRED]; // Required. Configuration related to the cluster control plane. AwsControlPlane control_plane = 5 [(google.api.field_behavior) = REQUIRED]; // Required. Configuration related to the cluster RBAC settings. AwsAuthorization authorization = 15 [(google.api.field_behavior) = REQUIRED]; // Output only. The current state of the cluster. State state = 7 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The endpoint of the cluster's API server. string endpoint = 8 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. A globally unique identifier for the cluster. string uid = 9 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. If set, there are currently changes in flight to the cluster. bool reconciling = 10 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The time at which this cluster was created. google.protobuf.Timestamp create_time = 11 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The time at which this cluster was last updated. google.protobuf.Timestamp update_time = 12 [(google.api.field_behavior) = OUTPUT_ONLY]; // Allows clients to perform consistent read-modify-writes // through optimistic concurrency control. // // Can be sent on update and delete requests to ensure the // client has an up-to-date value before proceeding. string etag = 13; // Optional. Annotations on the cluster. // // This field has the same restrictions as Kubernetes annotations. // The total size of all keys and values combined is limited to 256k. // Key can have 2 segments: prefix (optional) and name (required), // separated by a slash (/). // Prefix must be a DNS subdomain. // Name must be 63 characters or less, begin and end with alphanumerics, // with dashes (-), underscores (_), dots (.), and alphanumerics between. map annotations = 14 [(google.api.field_behavior) = OPTIONAL]; // Output only. Workload Identity settings. WorkloadIdentityConfig workload_identity_config = 16 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. PEM encoded x509 certificate of the cluster root of trust. string cluster_ca_certificate = 17 [(google.api.field_behavior) = OUTPUT_ONLY]; // Optional. Fleet configuration. Fleet fleet = 18 [(google.api.field_behavior) = OPTIONAL]; // Optional. Logging configuration for this cluster. LoggingConfig logging_config = 19 [(google.api.field_behavior) = OPTIONAL]; } // ControlPlane defines common parameters between control plane nodes. message AwsControlPlane { // Required. The Kubernetes version to run on control plane replicas // (e.g. `1.19.10-gke.1000`). // // You can list all supported versions on a given Google Cloud region by // calling // [GetAwsServerConfig][google.cloud.gkemulticloud.v1.AwsClusters.GetAwsServerConfig]. string version = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. The AWS instance type. // // When unspecified, it uses a default based on the cluster's version. string instance_type = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. SSH configuration for how to access the underlying control plane // machines. AwsSshConfig ssh_config = 14 [(google.api.field_behavior) = OPTIONAL]; // Required. The list of subnets where control plane replicas will run. // A replica will be provisioned on each subnet and up to three values // can be provided. // Each subnet must be in a different AWS Availability Zone (AZ). repeated string subnet_ids = 4 [(google.api.field_behavior) = REQUIRED]; // Optional. The IDs of additional security groups to add to control plane // replicas. The Anthos Multi-Cloud API will automatically create and manage // security groups with the minimum rules needed for a functioning cluster. repeated string security_group_ids = 5 [(google.api.field_behavior) = OPTIONAL]; // Required. The name or ARN of the AWS IAM instance profile to assign to each control // plane replica. string iam_instance_profile = 7 [(google.api.field_behavior) = REQUIRED]; // Optional. Configuration related to the root volume provisioned for each // control plane replica. // // Volumes will be provisioned in the availability zone associated // with the corresponding subnet. // // When unspecified, it defaults to 32 GiB with the GP2 volume type. AwsVolumeTemplate root_volume = 8 [(google.api.field_behavior) = OPTIONAL]; // Optional. Configuration related to the main volume provisioned for each // control plane replica. // The main volume is in charge of storing all of the cluster's etcd state. // // Volumes will be provisioned in the availability zone associated // with the corresponding subnet. // // When unspecified, it defaults to 8 GiB with the GP2 volume type. AwsVolumeTemplate main_volume = 9 [(google.api.field_behavior) = OPTIONAL]; // Required. The ARN of the AWS KMS key used to encrypt cluster secrets. AwsDatabaseEncryption database_encryption = 10 [(google.api.field_behavior) = REQUIRED]; // Optional. A set of AWS resource tags to propagate to all underlying managed AWS // resources. // // Specify at most 50 pairs containing alphanumerics, spaces, and symbols // (.+-=_:@/). Keys can be up to 127 Unicode characters. Values can be up to // 255 Unicode characters. map tags = 11 [(google.api.field_behavior) = OPTIONAL]; // Required. Authentication configuration for management of AWS resources. AwsServicesAuthentication aws_services_authentication = 12 [(google.api.field_behavior) = REQUIRED]; // Optional. Proxy configuration for outbound HTTP(S) traffic. AwsProxyConfig proxy_config = 16 [(google.api.field_behavior) = OPTIONAL]; // Required. Config encryption for user data. AwsConfigEncryption config_encryption = 17 [(google.api.field_behavior) = REQUIRED]; // Optional. The placement to use on control plane instances. // When unspecified, the VPC's default tenancy will be used. AwsInstancePlacement instance_placement = 18 [(google.api.field_behavior) = OPTIONAL]; } // Authentication configuration for the management of AWS resources. message AwsServicesAuthentication { // Required. The Amazon Resource Name (ARN) of the role that the Anthos Multi-Cloud API // will assume when managing AWS resources on your account. string role_arn = 1 [(google.api.field_behavior) = REQUIRED]; // Optional. An identifier for the assumed role session. // // When unspecified, it defaults to `multicloud-service-agent`. string role_session_name = 2 [(google.api.field_behavior) = OPTIONAL]; } // Configuration related to the cluster RBAC settings. message AwsAuthorization { // Required. Users that can perform operations as a cluster admin. A managed // ClusterRoleBinding will be created to grant the `cluster-admin` ClusterRole // to the users. Up to ten admin users can be provided. // // For more info on RBAC, see // https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles repeated AwsClusterUser admin_users = 1 [(google.api.field_behavior) = REQUIRED]; } // Identities of a user-type subject for AWS clusters. message AwsClusterUser { // Required. The name of the user, e.g. `my-gcp-id@gmail.com`. string username = 1 [(google.api.field_behavior) = REQUIRED]; } // Configuration related to application-layer secrets encryption. message AwsDatabaseEncryption { // Required. The ARN of the AWS KMS key used to encrypt cluster secrets. string kms_key_arn = 1 [(google.api.field_behavior) = REQUIRED]; } // Configuration template for AWS EBS volumes. message AwsVolumeTemplate { // Types of supported EBS volumes. We currently only support GP2 or GP3 // volumes. // See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html // for more information. enum VolumeType { // Not set. VOLUME_TYPE_UNSPECIFIED = 0; // GP2 (General Purpose SSD volume type). GP2 = 1; // GP3 (General Purpose SSD volume type). GP3 = 2; } // Optional. The size of the volume, in GiBs. // // When unspecified, a default value is provided. See the specific reference // in the parent resource. int32 size_gib = 1 [(google.api.field_behavior) = OPTIONAL]; // Optional. Type of the EBS volume. // // When unspecified, it defaults to GP2 volume. VolumeType volume_type = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. The number of I/O operations per second (IOPS) to provision for GP3 volume. int32 iops = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. The Amazon Resource Name (ARN) of the Customer Managed Key (CMK) used to // encrypt AWS EBS volumes. // // If not specified, the default Amazon managed key associated to // the AWS region where this cluster runs will be used. string kms_key_arn = 4 [(google.api.field_behavior) = OPTIONAL]; } // ClusterNetworking defines cluster-wide networking configuration. // // Anthos clusters on AWS run on a single VPC. This includes control // plane replicas and node pool nodes. message AwsClusterNetworking { // Required. The VPC associated with the cluster. All component clusters // (i.e. control plane and node pools) run on a single VPC. // // This field cannot be changed after creation. string vpc_id = 1 [(google.api.field_behavior) = REQUIRED]; // Required. All pods in the cluster are assigned an IPv4 address from these ranges. // Only a single range is supported. // This field cannot be changed after creation. repeated string pod_address_cidr_blocks = 2 [(google.api.field_behavior) = REQUIRED]; // Required. All services in the cluster are assigned an IPv4 address from these ranges. // Only a single range is supported. // This field cannot be changed after creation. repeated string service_address_cidr_blocks = 3 [(google.api.field_behavior) = REQUIRED]; } // An Anthos node pool running on AWS. message AwsNodePool { option (google.api.resource) = { type: "gkemulticloud.googleapis.com/AwsNodePool" pattern: "projects/{project}/locations/{location}/awsClusters/{aws_cluster}/awsNodePools/{aws_node_pool}" }; // The lifecycle state of the node pool. enum State { // Not set. STATE_UNSPECIFIED = 0; // The PROVISIONING state indicates the node pool is being created. PROVISIONING = 1; // The RUNNING state indicates the node pool has been created // and is fully usable. RUNNING = 2; // The RECONCILING state indicates that the node pool is being reconciled. RECONCILING = 3; // The STOPPING state indicates the node pool is being deleted. STOPPING = 4; // The ERROR state indicates the node pool is in a broken unrecoverable // state. ERROR = 5; // The DEGRADED state indicates the node pool requires user action to // restore full functionality. DEGRADED = 6; } // The name of this resource. // // Node pool names are formatted as // `projects//locations//awsClusters//awsNodePools/`. // // For more details on Google Cloud resource names, // see [Resource Names](https://cloud.google.com/apis/design/resource_names) string name = 1; // Required. The Kubernetes version to run on this node pool (e.g. `1.19.10-gke.1000`). // // You can list all supported versions on a given Google Cloud region by // calling // [GetAwsServerConfig][google.cloud.gkemulticloud.v1.AwsClusters.GetAwsServerConfig]. string version = 3 [(google.api.field_behavior) = REQUIRED]; // Required. The configuration of the node pool. AwsNodeConfig config = 28 [(google.api.field_behavior) = REQUIRED]; // Required. Autoscaler configuration for this node pool. AwsNodePoolAutoscaling autoscaling = 25 [(google.api.field_behavior) = REQUIRED]; // Required. The subnet where the node pool node run. string subnet_id = 6 [(google.api.field_behavior) = REQUIRED]; // Output only. The lifecycle state of the node pool. State state = 16 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. A globally unique identifier for the node pool. string uid = 17 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. If set, there are currently changes in flight to the node // pool. bool reconciling = 18 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The time at which this node pool was created. google.protobuf.Timestamp create_time = 19 [(google.api.field_behavior) = OUTPUT_ONLY]; // Output only. The time at which this node pool was last updated. google.protobuf.Timestamp update_time = 20 [(google.api.field_behavior) = OUTPUT_ONLY]; // Allows clients to perform consistent read-modify-writes // through optimistic concurrency control. // // Can be sent on update and delete requests to ensure the // client has an up-to-date value before proceeding. string etag = 21; // Optional. Annotations on the node pool. // // This field has the same restrictions as Kubernetes annotations. // The total size of all keys and values combined is limited to 256k. // Key can have 2 segments: prefix (optional) and name (required), // separated by a slash (/). // Prefix must be a DNS subdomain. // Name must be 63 characters or less, begin and end with alphanumerics, // with dashes (-), underscores (_), dots (.), and alphanumerics between. map annotations = 22 [(google.api.field_behavior) = OPTIONAL]; // Required. The constraint on the maximum number of pods that can be run // simultaneously on a node in the node pool. MaxPodsConstraint max_pods_constraint = 27 [(google.api.field_behavior) = REQUIRED]; } // Parameters that describe the nodes in a cluster. message AwsNodeConfig { // Optional. The AWS instance type. // // When unspecified, it uses a default based on the node pool's version. string instance_type = 1 [(google.api.field_behavior) = OPTIONAL]; // Optional. Template for the root volume provisioned for node pool nodes. // Volumes will be provisioned in the availability zone assigned // to the node pool subnet. // // When unspecified, it defaults to 32 GiB with the GP2 volume type. AwsVolumeTemplate root_volume = 2 [(google.api.field_behavior) = OPTIONAL]; // Optional. The initial taints assigned to nodes of this node pool. repeated NodeTaint taints = 3 [(google.api.field_behavior) = OPTIONAL]; // Optional. The initial labels assigned to nodes of this node pool. An object // containing a list of "key": value pairs. Example: { "name": "wrench", // "mass": "1.3kg", "count": "3" }. map labels = 4 [(google.api.field_behavior) = OPTIONAL]; // Optional. Key/value metadata to assign to each underlying AWS resource. Specify at // most 50 pairs containing alphanumerics, spaces, and symbols (.+-=_:@/). // Keys can be up to 127 Unicode characters. // Values can be up to 255 Unicode characters. map tags = 5 [(google.api.field_behavior) = OPTIONAL]; // Required. The name or ARN of the AWS IAM role assigned to nodes in the pool. string iam_instance_profile = 6 [(google.api.field_behavior) = REQUIRED]; // Optional. The OS image type to use on node pool instances. // Can have a value of `ubuntu`, or `windows` if the cluster enables // the Windows node pool preview feature. // // When unspecified, it defaults to `ubuntu`. string image_type = 11 [(google.api.field_behavior) = OPTIONAL]; // Optional. The SSH configuration. AwsSshConfig ssh_config = 9 [(google.api.field_behavior) = OPTIONAL]; // Optional. The IDs of additional security groups to add to nodes in this pool. The // manager will automatically create security groups with minimum rules // needed for a functioning cluster. repeated string security_group_ids = 10 [(google.api.field_behavior) = OPTIONAL]; // Optional. Proxy configuration for outbound HTTP(S) traffic. AwsProxyConfig proxy_config = 12 [(google.api.field_behavior) = OPTIONAL]; // Required. Config encryption for user data. AwsConfigEncryption config_encryption = 13 [(google.api.field_behavior) = REQUIRED]; // Optional. Placement related info for this node. // When unspecified, the VPC's default tenancy will be used. AwsInstancePlacement instance_placement = 14 [(google.api.field_behavior) = OPTIONAL]; } // AwsNodePoolAutoscaling contains information required by cluster autoscaler // to adjust the size of the node pool to the current cluster usage. message AwsNodePoolAutoscaling { // Required. Minimum number of nodes in the node pool. Must be greater than or equal to // 1 and less than or equal to max_node_count. int32 min_node_count = 1 [(google.api.field_behavior) = REQUIRED]; // Required. Maximum number of nodes in the node pool. Must be greater than or equal to // min_node_count and less than or equal to 50. int32 max_node_count = 2 [(google.api.field_behavior) = REQUIRED]; } // AwsServerConfig is the configuration of GKE cluster on AWS. message AwsServerConfig { option (google.api.resource) = { type: "gkemulticloud.googleapis.com/AwsServerConfig" pattern: "projects/{project}/locations/{location}/awsServerConfig" }; // The resource name of the config. string name = 1; // List of valid Kubernetes versions. repeated AwsK8sVersionInfo valid_versions = 2; // The list of supported AWS regions. repeated string supported_aws_regions = 3; } // Kubernetes version information of GKE cluster on AWS. message AwsK8sVersionInfo { // Kubernetes version name. string version = 1; } // SSH configuration for AWS resources. message AwsSshConfig { // Required. The name of the EC2 key pair used to login into cluster machines. string ec2_key_pair = 1 [(google.api.field_behavior) = REQUIRED]; } // Details of a proxy config stored in AWS Secret Manager. message AwsProxyConfig { // The ARN of the AWS Secret Manager secret that contains the HTTP(S) proxy // configuration. string secret_arn = 1; // The version string of the AWS Secret Manager secret that contains the // HTTP(S) proxy configuration. string secret_version = 2; } // Config encryption for user data. message AwsConfigEncryption { // Required. The ARN of the AWS KMS key used to encrypt user data. string kms_key_arn = 1 [(google.api.field_behavior) = REQUIRED]; } // Details of placement information for an instance. // Limitations for using the `host` tenancy: // // * T3 instances that use the unlimited CPU credit option don't support host // tenancy. message AwsInstancePlacement { // Tenancy defines how EC2 instances are distributed across physical hardware. enum Tenancy { // Not set. TENANCY_UNSPECIFIED = 0; // Use default VPC tenancy. DEFAULT = 1; // Run a dedicated instance. DEDICATED = 2; // Launch this instance to a dedicated host. HOST = 3; } // Required. The tenancy for instance. Tenancy tenancy = 1 [(google.api.field_behavior) = REQUIRED]; }