// @generated by protoc-gen-es v2.2.5 with parameter "target=ts,import_extension=.ts"
// @generated from file flyteidl2/core/security.proto (package flyteidl2.core, syntax proto3)
/* eslint-disable */
import type { GenEnum, GenFile, GenMessage } from "@bufbuild/protobuf/codegenv1";
import { enumDesc, fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
import type { Message } from "@bufbuild/protobuf";
/**
* Describes the file flyteidl2/core/security.proto.
*
* Every message and enum descriptor exported from this module is resolved against this file descriptor by index.
* The string argument is generator output; regenerate it from the .proto rather than editing it by hand.
*/
export const file_flyteidl2_core_security: GenFile = /*@__PURE__*/
fileDesc("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");
/**
* Secret encapsulates information about the secret a task needs to proceed. An environment variable
* FLYTE_SECRETS_ENV_PREFIX will be passed to indicate the prefix of the environment variables that will be present if
* secrets are passed through environment variables.
* FLYTE_SECRETS_DEFAULT_DIR will be passed to indicate the prefix of the path where secrets will be mounted if secrets
* are passed through file mounts.
*
* As declared here, every field is a name, version or delivery preference; none is documented as carrying the
* secret value itself.
* NOTE(review): the `+required` / `+optional` markers below are comment annotations only. All string fields are
* typed as plain `string`, so (proto3 scalar default) an unset field reads as "" and consumers have to check
* required fields themselves.
*
* @generated from message flyteidl2.core.Secret
*/
export type Secret = Message<"flyteidl2.core.Secret"> & {
/**
* The name of the secret group where to find the key referenced below. For K8s secrets, this should be the name of
* the v1/secret object. For Confidant, this should be the Credential name. For Vault, this should be the secret name.
* For AWS Secret Manager, this should be the name of the secret.
* +required
*
* NOTE(review): marked required, but the type accepts "" - reject an empty group before resolving the secret.
*
* @generated from field: string group = 1;
*/
group: string;
/**
* The group version to fetch. This is not supported in all secret management systems. It'll be ignored for the ones
* that do not support it.
* +optional
*
* NOTE(review): because unsupported backends ignore this value, setting it is not a guarantee that a specific
* version was fetched.
*
* @generated from field: string group_version = 2;
*/
groupVersion: string;
/**
* The name of the secret to mount. This has to match an existing secret in the system. It's up to the implementation
* of the secret management system to require case sensitivity. For K8s secrets, Confidant and Vault, this should
* match one of the keys inside the secret. For AWS Secret Manager, it's ignored.
* +optional
*
* @generated from field: string key = 3;
*/
key: string;
/**
* mount_requirement is optional. Indicates where the secret has to be mounted. If provided, the execution will fail
* if the underlying key management system cannot satisfy that requirement. If not provided, the default location
* will depend on the key management system.
* +optional
*
* An unset field reads as Secret_MountType.ANY (value 0), i.e. either delivery mechanism is acceptable.
*
* @generated from field: flyteidl2.core.Secret.MountType mount_requirement = 4;
*/
mountRequirement: Secret_MountType;
/**
* env_var is optional. Custom environment variable to set the value of the secret. If mount_requirement is ENV_VAR,
* then the value is the secret itself. If mount_requirement is FILE, then the value is the path to the secret file.
* +optional
*
* NOTE(review): with ENV_VAR the variable holds the secret value itself, and process environments are commonly
* inherited by child processes and captured in diagnostics. With FILE only a path ends up in the environment.
*
* @generated from field: string env_var = 5;
*/
envVar: string;
};
/**
* Describes the message flyteidl2.core.Secret.
* Use `create(SecretSchema)` to create a new message.
*
* Resolved as message index 0 of file_flyteidl2_core_security.
*/
export const SecretSchema: GenMessage<Secret> = /*@__PURE__*/
messageDesc(file_flyteidl2_core_security, 0);
/**
* Delivery mechanism a task can require for a secret (see Secret.mountRequirement).
*
* @generated from enum flyteidl2.core.Secret.MountType
*/
export enum Secret_MountType {
/**
* Default case, indicates the client can tolerate either mounting options.
* This is the zero value, so it is also what an unset mount_requirement reads as.
*
* @generated from enum value: ANY = 0;
*/
ANY = 0,
/**
* ENV_VAR indicates the secret needs to be mounted as an environment variable.
*
* @generated from enum value: ENV_VAR = 1;
*/
ENV_VAR = 1,
/**
* FILE indicates the secret needs to be mounted as a file.
*
* @generated from enum value: FILE = 2;
*/
FILE = 2,
}
/**
* Describes the enum flyteidl2.core.Secret.MountType.
*
* Resolved with the index path (0, 0) into file_flyteidl2_core_security; this matches enum 0 nested in message 0
* (Secret).
*/
export const Secret_MountTypeSchema: GenEnum<Secret_MountType> = /*@__PURE__*/
enumDesc(file_flyteidl2_core_security, 0, 0);
/**
* OAuth2Client encapsulates OAuth2 Client Credentials to be used when making calls on behalf of that task.
*
* The credential is carried as a client id plus a reference to a Secret, not as the secret value.
*
* @generated from message flyteidl2.core.OAuth2Client
*/
export type OAuth2Client = Message<"flyteidl2.core.OAuth2Client"> & {
/**
* client_id is the public id for the client to use. The system will not perform any pre-auth validation that the
* secret requested matches the client_id indicated here.
* +required
*
* NOTE(review): since the pairing is not validated up front, a wrong or unintended client_id/secret combination
* presumably only surfaces when the token request is made - confirm against the consuming plugin.
*
* @generated from field: string client_id = 1;
*/
clientId: string;
/**
* client_secret is a reference to the secret used to authenticate the OAuth2 client.
* +required
*
* NOTE(review): marked required, but the generated property is optional (`?`), so it can be undefined on a
* decoded message; consumers must check for presence before use.
*
* @generated from field: flyteidl2.core.Secret client_secret = 2;
*/
clientSecret?: Secret;
};
/**
* Describes the message flyteidl2.core.OAuth2Client.
* Use `create(OAuth2ClientSchema)` to create a new message.
*
* Resolved as message index 1 of file_flyteidl2_core_security.
*/
export const OAuth2ClientSchema: GenMessage<OAuth2Client> = /*@__PURE__*/
messageDesc(file_flyteidl2_core_security, 1);
/**
* Identity encapsulates the various security identities a task can run as. It's up to the underlying plugin to pick the
* right identity for the execution environment.
*
* NOTE(review): every field is a plain string or reference supplied in the message. Nothing in this schema states
* whether the submitter is allowed to use the named identity, so that authorization decision has to be made by
* whatever consumes the message - not visible from this file.
*
* @generated from message flyteidl2.core.Identity
*/
export type Identity = Message<"flyteidl2.core.Identity"> & {
/**
* iam_role references the fully qualified name of Identity & Access Management role to impersonate.
*
* @generated from field: string iam_role = 1;
*/
iamRole: string;
/**
* k8s_service_account references a kubernetes service account to impersonate.
*
* @generated from field: string k8s_service_account = 2;
*/
k8sServiceAccount: string;
/**
* oauth2_client references an oauth2 client. Backend plugins can use this information to impersonate the client when
* making external calls.
*
* Optional in the generated type: undefined when the field is not set.
*
* @generated from field: flyteidl2.core.OAuth2Client oauth2_client = 3;
*/
oauth2Client?: OAuth2Client;
/**
* execution_identity references the subject who makes the execution.
*
* NOTE(review): this file does not show who populates this value; treat it as caller-controlled unless a trusted
* component is known to set it - confirm.
*
* @generated from field: string execution_identity = 4;
*/
executionIdentity: string;
};
/**
* Describes the message flyteidl2.core.Identity.
* Use `create(IdentitySchema)` to create a new message.
*
* Resolved as message index 2 of file_flyteidl2_core_security.
*/
export const IdentitySchema: GenMessage<Identity> = /*@__PURE__*/
messageDesc(file_flyteidl2_core_security, 2);
/**
* OAuth2TokenRequest encapsulates information needed to request an OAuth2 token.
* FLYTE_TOKENS_ENV_PREFIX will be passed to indicate the prefix of the environment variables that will be present if
* tokens are passed through environment variables.
* FLYTE_TOKENS_PATH_PREFIX will be passed to indicate the prefix of the path where secrets will be mounted if tokens
* are passed through file mounts.
*
* NOTE(review): "secrets" in the sentence above presumably means the issued tokens; the wording mirrors the Secret
* message - confirm against the .proto.
*
* @generated from message flyteidl2.core.OAuth2TokenRequest
*/
export type OAuth2TokenRequest = Message<"flyteidl2.core.OAuth2TokenRequest"> & {
/**
* name indicates a unique id for the token request within this task token requests. It'll be used as a suffix for
* environment variables and as a filename for mounting tokens as files.
* +required
*
* NOTE(review): because this value becomes part of an environment variable name and a file name, consumers should
* restrict it to a safe character set (for example, no path separators); the schema itself places no constraint
* on it.
*
* @generated from field: string name = 1;
*/
name: string;
/**
* type indicates the type of the request to make. Defaults to CLIENT_CREDENTIALS.
* +required
*
* CLIENT_CREDENTIALS is the enum's zero value, so an unset field reads as that default.
*
* @generated from field: flyteidl2.core.OAuth2TokenRequest.Type type = 2;
*/
type: OAuth2TokenRequest_Type;
/**
* client references the client_id/secret to use to request the OAuth2 token.
* +required
*
* NOTE(review): marked required, but the generated property is optional (`?`); check for undefined before use.
*
* @generated from field: flyteidl2.core.OAuth2Client client = 3;
*/
client?: OAuth2Client;
/**
* idp_discovery_endpoint references the discovery endpoint used to retrieve token endpoint and other related
* information.
* +optional
*
* NOTE(review): an unvalidated string. The token endpoint derived from it receives the client credentials, so the
* consumer should validate it (HTTPS, expected issuer) before use.
*
* @generated from field: string idp_discovery_endpoint = 4;
*/
idpDiscoveryEndpoint: string;
/**
* token_endpoint references the token issuance endpoint. If idp_discovery_endpoint is not provided, this parameter is
* mandatory.
* +optional
*
* NOTE(review): the "mandatory if no discovery endpoint" rule is not expressed in the type - both fields are plain
* strings that read as "" when unset - so it has to be enforced by the consumer, together with the same URL
* validation as for idp_discovery_endpoint.
*
* @generated from field: string token_endpoint = 5;
*/
tokenEndpoint: string;
};
/**
* Describes the message flyteidl2.core.OAuth2TokenRequest.
* Use `create(OAuth2TokenRequestSchema)` to create a new message.
*
* Resolved as message index 3 of file_flyteidl2_core_security.
*/
export const OAuth2TokenRequestSchema: GenMessage<OAuth2TokenRequest> = /*@__PURE__*/
messageDesc(file_flyteidl2_core_security, 3);
/**
* Type of the token requested. Only one grant type is declared here.
*
* @generated from enum flyteidl2.core.OAuth2TokenRequest.Type
*/
export enum OAuth2TokenRequest_Type {
/**
* CLIENT_CREDENTIALS indicates a 2-legged OAuth token requested using client credentials.
* As the zero value it is also what an unset `type` field reads as.
*
* @generated from enum value: CLIENT_CREDENTIALS = 0;
*/
CLIENT_CREDENTIALS = 0,
}
/**
* Describes the enum flyteidl2.core.OAuth2TokenRequest.Type.
*
* Resolved with the index path (3, 0) into file_flyteidl2_core_security; this matches enum 0 nested in message 3
* (OAuth2TokenRequest).
*/
export const OAuth2TokenRequest_TypeSchema: GenEnum<OAuth2TokenRequest_Type> = /*@__PURE__*/
enumDesc(file_flyteidl2_core_security, 3, 0);
/**
* SecurityContext holds security attributes that apply to tasks.
*
* It groups the identity to run as, the secret references to deliver, and the OAuth2 token requests to fulfil.
*
* @generated from message flyteidl2.core.SecurityContext
*/
export type SecurityContext = Message<"flyteidl2.core.SecurityContext"> & {
/**
* run_as encapsulates the identity a pod should run as. If the task fills in multiple fields here, it'll be up to the
* backend plugin to choose the appropriate identity for the execution engine the task will run on.
*
* Optional in the generated type: undefined when no identity is set.
*
* @generated from field: flyteidl2.core.Identity run_as = 1;
*/
runAs?: Identity;
/**
* secrets indicate the list of secrets the task needs in order to proceed. Secrets will be mounted/passed to the
* pod as it starts. If the plugin responsible for kicking off the task will not run it on a flyte cluster (e.g. AWS
* Batch), it's the responsibility of the plugin to fetch the secret (which means propeller identity will need access
* to the secret) and to pass it to the remote execution engine.
*
* NOTE(review): in that off-cluster mode the propeller identity itself holds read access to task secrets, so its
* access should be limited to the secrets tasks actually reference; how that access is granted is not visible
* in this file.
*
* @generated from field: repeated flyteidl2.core.Secret secrets = 2;
*/
secrets: Secret[];
/**
* tokens indicate the list of token requests the task needs in order to proceed. Tokens will be mounted/passed to the
* pod as it starts. If the plugin responsible for kicking off the task will not run it on a flyte cluster (e.g. AWS
* Batch), it's the responsibility of the plugin to fetch the secret (which means propeller identity will need access
* to the secret) and to pass it to the remote execution engine.
*
* NOTE(review): "the secret" here presumably refers to the client secret behind each token request (or the token
* itself); the sentence repeats the wording used for `secrets` - confirm against the .proto.
*
* @generated from field: repeated flyteidl2.core.OAuth2TokenRequest tokens = 3;
*/
tokens: OAuth2TokenRequest[];
};
/**
* Describes the message flyteidl2.core.SecurityContext.
* Use `create(SecurityContextSchema)` to create a new message.
*
* Resolved as message index 4 of file_flyteidl2_core_security.
*/
export const SecurityContextSchema: GenMessage<SecurityContext> = /*@__PURE__*/
messageDesc(file_flyteidl2_core_security, 4);