kpt-grpc-demo/google/cloud/gkehub/v1beta/configmanagement/configmanagement.proto

// Copyright 2021 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package google.cloud.gkehub.configmanagement.v1beta;

import "google/protobuf/timestamp.proto";

option csharp_namespace = "Google.Cloud.GkeHub.ConfigManagement.V1Beta";
option go_package = "google.golang.org/genproto/googleapis/cloud/gkehub/configmanagement/v1beta;configmanagement";
option java_multiple_files = true;
option java_outer_classname = "ConfigManagementProto";
option java_package = "com.google.cloud.gkehub.configmanagement.v1beta";
option php_namespace = "Google\\Cloud\\GkeHub\\ConfigManagement\\V1beta";
option ruby_package = "Google::Cloud::GkeHub::ConfigManagement::V1beta";

// Enum representing the state of an ACM's deployment on a cluster
enum DeploymentState {
  // Deployment's state cannot be determined
  DEPLOYMENT_STATE_UNSPECIFIED = 0;

  // Deployment is not installed
  NOT_INSTALLED = 1;

  // Deployment is installed
  INSTALLED = 2;

  // Deployment was attempted to be installed, but has errors
  ERROR = 3;
}

// **Anthos Config Management**: State for a single cluster.
message MembershipState {
  // The user-defined name for the cluster used by ClusterSelectors to group
  // clusters together. This should match Membership's membership_name,
  // unless the user installed ACM on the cluster manually prior to enabling
  // the ACM hub feature.
  // Unique within a Anthos Config Management installation.
  string cluster_name = 1;

  // Membership configuration in the cluster. This represents the actual state
  // in the cluster, while the MembershipSpec in the FeatureSpec represents
  // the intended state
  MembershipSpec membership_spec = 2;

  // Current install status of ACM's Operator
  OperatorState operator_state = 3;

  // Current sync status
  ConfigSyncState config_sync_state = 4;

  // PolicyController status
  PolicyControllerState policy_controller_state = 5;

  // Binauthz status
  BinauthzState binauthz_state = 6;

  // Hierarchy Controller status
  HierarchyControllerState hierarchy_controller_state = 7;
}

// **Anthos Config Management**: Configuration for a single cluster.
// Intended to parallel the ConfigManagement CR.
message MembershipSpec {
  // Config Sync configuration for the cluster.
  ConfigSync config_sync = 1;

  // Policy Controller configuration for the cluster.
  PolicyController policy_controller = 2;

  // Binauthz conifguration for the cluster.
  BinauthzConfig binauthz = 3;

  // Hierarchy Controller configuration for the cluster.
  HierarchyControllerConfig hierarchy_controller = 4;

  // Version of ACM installed.
  string version = 10;
}

// Configuration for Config Sync
message ConfigSync {
  // Git repo configuration for the cluster.
  GitConfig git = 7;

  // Specifies whether the Config Sync Repo is
  // in “hierarchical” or “unstructured” mode.
  string source_format = 8;
}

// Git repo configuration for a single cluster.
message GitConfig {
  // The URL of the Git repository to use as the source of truth.
  string sync_repo = 1;

  // The branch of the repository to sync from. Default: master.
  string sync_branch = 2;

  // The path within the Git repository that represents the top level of the
  // repo to sync. Default: the root directory of the repository.
  string policy_dir = 3;

  // Period in seconds between consecutive syncs. Default: 15.
  int64 sync_wait_secs = 4;

  // Git revision (tag or hash) to check out. Default HEAD.
  string sync_rev = 5;

  // Type of secret configured for access to the Git repo.
  string secret_type = 6;

  // URL for the HTTPS proxy to be used when communicating with the Git repo.
  string https_proxy = 7;

  // The GCP Service Account Email used for auth when secret_type is
  // gcpServiceAccount.
  string gcp_service_account_email = 8;
}

// Configuration for Policy Controller
message PolicyController {
  // Enables the installation of Policy Controller.
  // If false, the rest of PolicyController fields take no
  // effect.
  bool enabled = 1;

  // Installs the default template library along with Policy Controller.
  optional bool template_library_installed = 2;

  // Sets the interval for Policy Controller Audit Scans (in seconds).
  // When set to 0, this disables audit functionality altogether.
  optional int64 audit_interval_seconds = 3;

  // The set of namespaces that are excluded from Policy Controller checks.
  // Namespaces do not need to currently exist on the cluster.
  repeated string exemptable_namespaces = 4;

  // Enables the ability to use Constraint Templates that reference to objects
  // other than the object currently being evaluated.
  bool referential_rules_enabled = 5;

  // Logs all denies and dry run failures.
  bool log_denies_enabled = 6;
}

// Configuration for Binauthz
message BinauthzConfig {
  // Whether binauthz is enabled in this cluster.
  bool enabled = 1;
}

// Configuration for Hierarchy Controller
message HierarchyControllerConfig {
  // Whether Hierarchy Controller is enabled in this cluster.
  bool enabled = 1;

  // Whether pod tree labels are enabled in this cluster.
  bool enable_pod_tree_labels = 2;

  // Whether hierarchical resource quota is enabled in this cluster.
  bool enable_hierarchical_resource_quota = 3;
}

// Deployment state for Hierarchy Controller
message HierarchyControllerDeploymentState {
  // The deployment state for open source HNC (e.g. v0.7.0-hc.0)
  DeploymentState hnc = 1;

  // The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1)
  DeploymentState extension = 2;
}

// Version for Hierarchy Controller
message HierarchyControllerVersion {
  // Version for open source HNC
  string hnc = 1;

  // Version for Hierarchy Controller extension
  string extension = 2;
}

// State for Hierarchy Controller
message HierarchyControllerState {
  // The version for Hierarchy Controller
  HierarchyControllerVersion version = 1;

  // The deployment state for Hierarchy Controller
  HierarchyControllerDeploymentState state = 2;
}

// State information for an ACM's Operator
message OperatorState {
  // The semenatic version number of the operator
  string version = 1;

  // The state of the Operator's deployment
  DeploymentState deployment_state = 2;

  // Install errors.
  repeated InstallError errors = 3;
}

// Errors pertaining to the installation of ACM
message InstallError {
  // A string representing the user facing error message
  string error_message = 1;
}

// State information for ConfigSync
message ConfigSyncState {
  // The version of ConfigSync deployed
  ConfigSyncVersion version = 1;

  // Information about the deployment of ConfigSync, including the version
  // of the various Pods deployed
  ConfigSyncDeploymentState deployment_state = 2;

  // The state of ConfigSync's process to sync configs to a cluster
  SyncState sync_state = 3;
}

// Specific versioning information pertaining to ConfigSync's Pods
message ConfigSyncVersion {
  // Version of the deployed importer pod
  string importer = 1;

  // Version of the deployed syncer pod
  string syncer = 2;

  // Version of the deployed git-sync pod
  string git_sync = 3;

  // Version of the deployed monitor pod
  string monitor = 4;

  // Version of the deployed reconciler-manager pod
  string reconciler_manager = 5;

  // Version of the deployed reconciler container in root-reconciler pod
  string root_reconciler = 6;
}

// The state of ConfigSync's deployment on a cluster
message ConfigSyncDeploymentState {
  // Deployment state of the importer pod
  DeploymentState importer = 1;

  // Deployment state of the syncer pod
  DeploymentState syncer = 2;

  // Deployment state of the git-sync pod
  DeploymentState git_sync = 3;

  // Deployment state of the monitor pod
  DeploymentState monitor = 4;

  // Deployment state of reconciler-manager pod
  DeploymentState reconciler_manager = 5;

  // Deployment state of root-reconciler
  DeploymentState root_reconciler = 6;
}

// State indicating an ACM's progress syncing configurations to a cluster
message SyncState {
  // An enum representing an ACM's status syncing configs to a cluster
  enum SyncCode {
    // ACM cannot determine a sync code
    SYNC_CODE_UNSPECIFIED = 0;

    // ACM successfully synced the git Repo with the cluster
    SYNCED = 1;

    // ACM is in the progress of syncing a new change
    PENDING = 2;

    // Indicates an error configuring ACM, and user action is required
    ERROR = 3;

    // ACM has been installed (operator manifest deployed),
    // but not configured.
    NOT_CONFIGURED = 4;

    // ACM has not been installed (no operator pod found)
    NOT_INSTALLED = 5;

    // Error authorizing with the cluster
    UNAUTHORIZED = 6;

    // Cluster could not be reached
    UNREACHABLE = 7;
  }

  // Token indicating the state of the repo.
  string source_token = 1;

  // Token indicating the state of the importer.
  string import_token = 2;

  // Token indicating the state of the syncer.
  string sync_token = 3;

  // Deprecated: use last_sync_time instead.
  // Timestamp of when ACM last successfully synced the repo
  // The time format is specified in https://golang.org/pkg/time/#Time.String
  string last_sync = 4 [deprecated = true];

  // Timestamp type of when ACM last successfully synced the repo
  google.protobuf.Timestamp last_sync_time = 7;

  // Sync status code
  SyncCode code = 5;

  // A list of errors resulting from problematic configs.
  // This list will be truncated after 100 errors, although it is
  // unlikely for that many errors to simultaneously exist.
  repeated SyncError errors = 6;
}

// An ACM created error representing a problem syncing configurations
message SyncError {
  // An ACM defined error code
  string code = 1;

  // A description of the error
  string error_message = 2;

  // A list of config(s) associated with the error, if any
  repeated ErrorResource error_resources = 3;
}

// Model for a config file in the git repo with an associated Sync error
message ErrorResource {
  // Path in the git repo of the erroneous config
  string source_path = 1;

  // Metadata name of the resource that is causing an error
  string resource_name = 2;

  // Namespace of the resource that is causing an error
  string resource_namespace = 3;

  // Group/version/kind of the resource that is causing an error
  GroupVersionKind resource_gvk = 4;
}

// A Kubernetes object's GVK
message GroupVersionKind {
  // Kubernetes Group
  string group = 1;

  // Kubernetes Version
  string version = 2;

  // Kubernetes Kind
  string kind = 3;
}

// State for PolicyControllerState.
message PolicyControllerState {
  // The version of Gatekeeper Policy Controller deployed.
  PolicyControllerVersion version = 1;

  // The state about the policy controller installation.
  GatekeeperDeploymentState deployment_state = 2;
}

// The build version of Gatekeeper Policy Controller is using.
message PolicyControllerVersion {
  // The gatekeeper image tag that is composed of ACM version, git tag, build
  // number.
  string version = 1;
}

// State for Binauthz
message BinauthzState {
  // The state of the binauthz webhook.
  DeploymentState webhook = 1;

  // The version of binauthz that is installed.
  BinauthzVersion version = 2;
}

// The version of binauthz.
message BinauthzVersion {
  // The version of the binauthz webhook.
  string webhook_version = 1;
}

// State of Policy Controller installation.
message GatekeeperDeploymentState {
  // Status of gatekeeper-controller-manager pod.
  DeploymentState gatekeeper_controller_manager_state = 1;

  // Status of gatekeeper-audit deployment.
  DeploymentState gatekeeper_audit = 2;
}