syntax = "proto3";

package envoy.api.v2.auth;

import "envoy/api/v2/auth/common.proto";
import "envoy/api/v2/core/base.proto";
import "envoy/api/v2/core/config_source.proto";

import "udpa/annotations/migrate.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";

option java_package = "io.envoyproxy.envoy.api.v2.auth";
option java_outer_classname = "SecretProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/api/v2/auth";
option (udpa.annotations.file_migrate).move_to_package =
    "envoy.extensions.transport_sockets.tls.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;

// [#protodoc-title: Secrets configuration]

message GenericSecret {
  // Secret of generic type and is available to filters.
  core.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
}

message SdsSecretConfig {
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  // When both name and config are specified, then secret can be fetched and/or reloaded via
  // SDS. When only name is specified, then secret will be loaded from static resources.
  string name = 1;

  core.ConfigSource sds_config = 2;
}

// [#next-free-field: 6]
message Secret {
  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  string name = 1;

  oneof type {
    TlsCertificate tls_certificate = 2;

    TlsSessionTicketKeys session_ticket_keys = 3;

    CertificateValidationContext validation_context = 4;

    GenericSecret generic_secret = 5;
  }
}