googleapis

import { OAuth2Client, JWT, Compute, UserRefreshClient, BaseExternalAccountClient, GaxiosResponseWithHTTP2, GoogleConfigurable, MethodOptions, StreamMethodOptions, GlobalOptions, GoogleAuth, BodyResponseCallback, APIRequestContext } from 'googleapis-common'; import { Readable } from 'stream'; export declare namespace gkehub_v2 { export interface Options extends GlobalOptions { version: 'v2'; } interface StandardParameters { /** * Auth client or API Key for the request */ auth?: string | OAuth2Client | JWT | Compute | UserRefreshClient | BaseExternalAccountClient | GoogleAuth; /** * V1 error format. */ '$.xgafv'?: string; /** * OAuth access token. */ access_token?: string; /** * Data format for response. */ alt?: string; /** * JSONP */ callback?: string; /** * Selector specifying which fields to include in a partial response. */ fields?: string; /** * API key. Your API key identifies your project and provides you with API access, quota, and reports. Required unless you provide an OAuth 2.0 token. */ key?: string; /** * OAuth 2.0 token for the current user. */ oauth_token?: string; /** * Returns response with indentations and line breaks. */ prettyPrint?: boolean; /** * Available to use for quota purposes for server-side applications. Can be any arbitrary string assigned to a user, but should not exceed 40 characters. */ quotaUser?: string; /** * Legacy upload protocol for media (e.g. "media", "multipart"). */ uploadType?: string; /** * Upload protocol for media (e.g. "raw", "multipart"). */ upload_protocol?: string; } /** * GKE Hub API * * * * @example * ```js * const {google} = require('googleapis'); * const gkehub = google.gkehub('v2'); * ``` */ export class Gkehub { context: APIRequestContext; projects: Resource$Projects; constructor(options: GlobalOptions, google?: GoogleConfigurable); } /** * State for App Dev Exp Feature. */ export interface Schema$AppDevExperienceState { /** * Status of subcomponent that detects configured Service Mesh resources. */ networkingInstallSucceeded?: Schema$AppDevExperienceStatus; } /** * Status specifies state for the subcomponent. */ export interface Schema$AppDevExperienceStatus { /** * Code specifies AppDevExperienceFeature's subcomponent ready state. */ code?: string | null; /** * Description is populated if Code is Failed, explaining why it has failed. */ description?: string | null; } /** * The request message for Operations.CancelOperation. */ export interface Schema$CancelOperationRequest { } /** * **Cloud Build**: Configurations for each Cloud Build enabled cluster. */ export interface Schema$CloudBuildSpec { /** * Whether it is allowed to run the privileged builds on the cluster or not. */ securityPolicy?: string | null; /** * Version of the cloud build software on the cluster. */ version?: string | null; } /** * GKEUpgrade represents a GKE provided upgrade, e.g., control plane upgrade. */ export interface Schema$ClusterUpgradeGKEUpgrade { /** * Name of the upgrade, e.g., "k8s_control_plane". */ name?: string | null; /** * Version of the upgrade, e.g., "1.22.1-gke.100". */ version?: string | null; } /** * IgnoredMembership represents a membership ignored by the feature. A membership can be ignored because it was manually upgraded to a newer version than RC default. */ export interface Schema$ClusterUpgradeIgnoredMembership { /** * Time when the membership was first set to ignored. */ ignoredTime?: string | null; /** * Reason why the membership is ignored. */ reason?: string | null; } /** * MembershipGKEUpgradeState is a GKEUpgrade and its state per-membership. */ export interface Schema$ClusterUpgradeMembershipGKEUpgradeState { /** * Status of the upgrade. */ status?: Schema$ClusterUpgradeUpgradeStatus; /** * Which upgrade to track the state. */ upgrade?: Schema$ClusterUpgradeGKEUpgrade; } /** * Per-membership state for this feature. */ export interface Schema$ClusterUpgradeState { /** * Whether this membership is ignored by the feature. For example, manually upgraded clusters can be ignored if they are newer than the default versions of its release channel. */ ignored?: Schema$ClusterUpgradeIgnoredMembership; /** * Actual upgrade state against desired. */ upgrades?: Schema$ClusterUpgradeMembershipGKEUpgradeState[]; } /** * UpgradeStatus provides status information for each upgrade. */ export interface Schema$ClusterUpgradeUpgradeStatus { /** * Status code of the upgrade. */ code?: string | null; /** * Reason for this status. */ reason?: string | null; /** * Last timestamp the status was updated. */ updateTime?: string | null; } /** * Configuration for Binauthz. */ export interface Schema$ConfigManagementBinauthzConfig { /** * Whether binauthz is enabled in this cluster. */ enabled?: boolean | null; } /** * State for Binauthz. */ export interface Schema$ConfigManagementBinauthzState { /** * The version of binauthz that is installed. */ version?: Schema$ConfigManagementBinauthzVersion; /** * The state of the binauthz webhook. */ webhook?: string | null; } /** * The version of binauthz. */ export interface Schema$ConfigManagementBinauthzVersion { /** * The version of the binauthz webhook. */ webhookVersion?: string | null; } /** * Configuration for Config Sync */ export interface Schema$ConfigManagementConfigSync { /** * Optional. Configuration for deployment overrides. Applies only to Config Sync deployments with containers that are not a root or namespace reconciler: `reconciler-manager`, `otel-collector`, `resource-group-controller-manager`, `admission-webhook`. To override a root or namespace reconciler, use the rootsync or reposync fields at https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/reference/rootsync-reposync-fields#override-resources instead. */ deploymentOverrides?: Schema$ConfigManagementDeploymentOverride[]; /** * Optional. Enables the installation of Config Sync. If set to true, the Feature will manage Config Sync resources, and apply the other ConfigSync fields if they exist. If set to false, the Feature will ignore all other ConfigSync fields and delete the Config Sync resources. If omitted, ConfigSync is considered enabled if the git or oci field is present. */ enabled?: boolean | null; /** * Optional. Git repo configuration for the cluster. */ git?: Schema$ConfigManagementGitConfig; /** * Optional. The Email of the Google Cloud Service Account (GSA) used for exporting Config Sync metrics to Cloud Monitoring and Cloud Monarch when Workload Identity is enabled. The GSA should have the Monitoring Metric Writer (roles/monitoring.metricWriter) IAM role. The Kubernetes ServiceAccount `default` in the namespace `config-management-monitoring` should be bound to the GSA. Deprecated: If Workload Identity Federation for GKE is enabled, Google Cloud Service Account is no longer needed for exporting Config Sync metrics: https://cloud.google.com/kubernetes-engine/enterprise/config-sync/docs/how-to/monitor-config-sync-cloud-monitoring#custom-monitoring. */ metricsGcpServiceAccountEmail?: string | null; /** * Optional. OCI repo configuration for the cluster. */ oci?: Schema$ConfigManagementOciConfig; /** * Optional. Set to true to enable the Config Sync admission webhook to prevent drifts. If set to false, disables the Config Sync admission webhook and does not prevent drifts. Defaults to false. See https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/how-to/prevent-config-drift for details. */ preventDrift?: boolean | null; /** * Optional. Specifies whether the Config Sync repo is in `hierarchical` or `unstructured` mode. Defaults to `hierarchical`. See https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/concepts/configs#organize-configs for an explanation. */ sourceFormat?: string | null; /** * Optional. Set to true to stop syncing configs for a single cluster. Default to false. */ stopSyncing?: boolean | null; } /** * The state of ConfigSync's deployment on a cluster. */ export interface Schema$ConfigManagementConfigSyncDeploymentState { /** * Deployment state of admission-webhook. */ admissionWebhook?: string | null; /** * Deployment state of the git-sync pod. */ gitSync?: string | null; /** * Deployment state of the importer pod. */ importer?: string | null; /** * Deployment state of the monitor pod. */ monitor?: string | null; /** * Deployment state of otel-collector */ otelCollector?: string | null; /** * Deployment state of reconciler-manager pod. */ reconcilerManager?: string | null; /** * Deployment state of resource-group-controller-manager */ resourceGroupControllerManager?: string | null; /** * Deployment state of root-reconciler. */ rootReconciler?: string | null; /** * Deployment state of the syncer pod. */ syncer?: string | null; } /** * Errors pertaining to the installation of Config Sync */ export interface Schema$ConfigManagementConfigSyncError { /** * A string representing the user facing error message */ errorMessage?: string | null; } /** * State information for ConfigSync. */ export interface Schema$ConfigManagementConfigSyncState { /** * Output only. Whether syncing resources to the cluster is stopped at the cluster level. */ clusterLevelStopSyncingState?: string | null; /** * Output only. The number of RootSync and RepoSync CRs in the cluster. */ crCount?: number | null; /** * Output only. Information about the deployment of ConfigSync, including the version. of the various Pods deployed */ deploymentState?: Schema$ConfigManagementConfigSyncDeploymentState; /** * Output only. Errors pertaining to the installation of Config Sync. */ errors?: Schema$ConfigManagementConfigSyncError[]; /** * Output only. The state of the Reposync CRD */ reposyncCrd?: string | null; /** * Output only. The state of the RootSync CRD */ rootsyncCrd?: string | null; /** * Output only. The state of CS This field summarizes the other fields in this message. */ state?: string | null; /** * Output only. The state of ConfigSync's process to sync configs to a cluster. */ syncState?: Schema$ConfigManagementSyncState; /** * Output only. The version of ConfigSync deployed. */ version?: Schema$ConfigManagementConfigSyncVersion; } /** * Specific versioning information pertaining to ConfigSync's Pods. */ export interface Schema$ConfigManagementConfigSyncVersion { /** * Version of the deployed admission-webhook pod. */ admissionWebhook?: string | null; /** * Version of the deployed git-sync pod. */ gitSync?: string | null; /** * Version of the deployed importer pod. */ importer?: string | null; /** * Version of the deployed monitor pod. */ monitor?: string | null; /** * Version of the deployed otel-collector pod */ otelCollector?: string | null; /** * Version of the deployed reconciler-manager pod. */ reconcilerManager?: string | null; /** * Version of the deployed resource-group-controller-manager pod */ resourceGroupControllerManager?: string | null; /** * Version of the deployed reconciler container in root-reconciler pod. */ rootReconciler?: string | null; /** * Version of the deployed syncer pod. */ syncer?: string | null; } /** * Configuration for a container override. */ export interface Schema$ConfigManagementContainerOverride { /** * Required. The name of the container. */ containerName?: string | null; /** * Optional. The cpu limit of the container. Use the following CPU resource units: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu. */ cpuLimit?: string | null; /** * Optional. The cpu request of the container. Use the following CPU resource units: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-cpu. */ cpuRequest?: string | null; /** * Optional. The memory limit of the container. Use the following memory resource units: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory. */ memoryLimit?: string | null; /** * Optional. The memory request of the container. Use the following memory resource units: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#meaning-of-memory. */ memoryRequest?: string | null; } /** * Configuration for a deployment override. */ export interface Schema$ConfigManagementDeploymentOverride { /** * Optional. The containers of the deployment resource to be overridden. */ containers?: Schema$ConfigManagementContainerOverride[]; /** * Required. The name of the deployment resource to be overridden. */ deploymentName?: string | null; /** * Required. The namespace of the deployment resource to be overridden. */ deploymentNamespace?: string | null; } /** * Model for a config file in the git repo with an associated Sync error. */ export interface Schema$ConfigManagementErrorResource { /** * Group/version/kind of the resource that is causing an error */ resourceGvk?: Schema$ConfigManagementGroupVersionKind; /** * Metadata name of the resource that is causing an error */ resourceName?: string | null; /** * Namespace of the resource that is causing an error */ resourceNamespace?: string | null; /** * Path in the git repo of the erroneous config */ sourcePath?: string | null; } /** * State of Policy Controller installation. */ export interface Schema$ConfigManagementGatekeeperDeploymentState { /** * Status of gatekeeper-audit deployment. */ gatekeeperAudit?: string | null; /** * Status of gatekeeper-controller-manager pod. */ gatekeeperControllerManagerState?: string | null; /** * Status of the pod serving the mutation webhook. */ gatekeeperMutation?: string | null; } /** * Git repo configuration for a single cluster. */ export interface Schema$ConfigManagementGitConfig { /** * Optional. The Google Cloud Service Account Email used for auth when secret_type is `gcpserviceaccount`. */ gcpServiceAccountEmail?: string | null; /** * Optional. URL for the HTTPS proxy to be used when communicating with the Git repo. Only specify when secret_type is `cookiefile`, `token`, or `none`. */ httpsProxy?: string | null; /** * Optional. The path within the Git repository that represents the top level of the repo to sync. Default: the root directory of the repository. */ policyDir?: string | null; /** * Required. Type of secret configured for access to the Git repo. Must be one of `ssh`, `cookiefile`, `gcenode`, `token`, `gcpserviceaccount`, `githubapp` or `none`. The validation of this is case-sensitive. */ secretType?: string | null; /** * Optional. The branch of the repository to sync from. Default: master. */ syncBranch?: string | null; /** * Required. The URL of the Git repository to use as the source of truth. */ syncRepo?: string | null; /** * Optional. Git revision (tag or hash) to check out. Default HEAD. */ syncRev?: string | null; /** * Optional. Period in seconds between consecutive syncs. Default: 15. */ syncWaitSecs?: string | null; } /** * A Kubernetes object's GVK. */ export interface Schema$ConfigManagementGroupVersionKind { /** * Kubernetes Group */ group?: string | null; /** * Kubernetes Kind */ kind?: string | null; /** * Kubernetes Version */ version?: string | null; } /** * Configuration for Hierarchy Controller. */ export interface Schema$ConfigManagementHierarchyControllerConfig { /** * Whether Hierarchy Controller is enabled in this cluster. */ enabled?: boolean | null; /** * Whether hierarchical resource quota is enabled in this cluster. */ enableHierarchicalResourceQuota?: boolean | null; /** * Whether pod tree labels are enabled in this cluster. */ enablePodTreeLabels?: boolean | null; } /** * Deployment state for Hierarchy Controller */ export interface Schema$ConfigManagementHierarchyControllerDeploymentState { /** * The deployment state for Hierarchy Controller extension (e.g. v0.7.0-hc.1). */ extension?: string | null; /** * The deployment state for open source HNC (e.g. v0.7.0-hc.0). */ hnc?: string | null; } /** * State for Hierarchy Controller. */ export interface Schema$ConfigManagementHierarchyControllerState { /** * The deployment state for Hierarchy Controller. */ state?: Schema$ConfigManagementHierarchyControllerDeploymentState; /** * The version for Hierarchy Controller. */ version?: Schema$ConfigManagementHierarchyControllerVersion; } /** * Version for Hierarchy Controller. */ export interface Schema$ConfigManagementHierarchyControllerVersion { /** * Version for Hierarchy Controller extension. */ extension?: string | null; /** * Version for open source HNC. */ hnc?: string | null; } /** * Errors pertaining to the installation of ACM. */ export interface Schema$ConfigManagementInstallError { /** * A string representing the user facing error message. */ errorMessage?: string | null; } /** * OCI repo configuration for a single cluster. */ export interface Schema$ConfigManagementOciConfig { /** * Optional. The Google Cloud Service Account Email used for auth when secret_type is `gcpserviceaccount`. */ gcpServiceAccountEmail?: string | null; /** * Optional. The absolute path of the directory that contains the local resources. Default: the root directory of the image. */ policyDir?: string | null; /** * Required. Type of secret configured for access to the OCI repo. Must be one of `gcenode`, `gcpserviceaccount`, `k8sserviceaccount` or `none`. The validation of this is case-sensitive. */ secretType?: string | null; /** * Required. The OCI image repository URL for the package to sync from. e.g. `LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY_NAME/PACKAGE_NAME`. */ syncRepo?: string | null; /** * Optional. Period in seconds between consecutive syncs. Default: 15. */ syncWaitSecs?: string | null; } /** * State information for an ACM's Operator. */ export interface Schema$ConfigManagementOperatorState { /** * The state of the Operator's deployment. */ deploymentState?: string | null; /** * Install errors. */ errors?: Schema$ConfigManagementInstallError[]; /** * The semenatic version number of the operator. */ version?: string | null; } /** * Configuration for Policy Controller */ export interface Schema$ConfigManagementPolicyController { /** * Sets the interval for Policy Controller Audit Scans (in seconds). When set to 0, this disables audit functionality altogether. */ auditIntervalSeconds?: string | null; /** * Enables the installation of Policy Controller. If false, the rest of PolicyController fields take no effect. */ enabled?: boolean | null; /** * The set of namespaces that are excluded from Policy Controller checks. Namespaces do not need to currently exist on the cluster. */ exemptableNamespaces?: string[] | null; /** * Logs all denies and dry run failures. */ logDeniesEnabled?: boolean | null; /** * Monitoring specifies the configuration of monitoring. */ monitoring?: Schema$ConfigManagementPolicyControllerMonitoring; /** * Enable or disable mutation in policy controller. If true, mutation CRDs, webhook and controller deployment will be deployed to the cluster. */ mutationEnabled?: boolean | null; /** * Enables the ability to use Constraint Templates that reference to objects other than the object currently being evaluated. */ referentialRulesEnabled?: boolean | null; /** * Installs the default template library along with Policy Controller. */ templateLibraryInstalled?: boolean | null; /** * Output only. Last time this membership spec was updated. */ updateTime?: string | null; } /** * State for the migration of PolicyController from ACM -\> PoCo Hub. */ export interface Schema$ConfigManagementPolicyControllerMigration { /** * Last time this membership spec was copied to PoCo feature. */ copyTime?: string | null; /** * Stage of the migration. */ stage?: string | null; } /** * PolicyControllerMonitoring specifies the backends Policy Controller should export metrics to. For example, to specify metrics should be exported to Cloud Monitoring and Prometheus, specify backends: ["cloudmonitoring", "prometheus"] */ export interface Schema$ConfigManagementPolicyControllerMonitoring { /** * Specifies the list of backends Policy Controller will export to. An empty list would effectively disable metrics export. */ backends?: string[] | null; } /** * State for PolicyControllerState. */ export interface Schema$ConfigManagementPolicyControllerState { /** * The state about the policy controller installation. */ deploymentState?: Schema$ConfigManagementGatekeeperDeploymentState; /** * Record state of ACM -\> PoCo Hub migration for this feature. */ migration?: Schema$ConfigManagementPolicyControllerMigration; /** * The version of Gatekeeper Policy Controller deployed. */ version?: Schema$ConfigManagementPolicyControllerVersion; } /** * The build version of Gatekeeper Policy Controller is using. */ export interface Schema$ConfigManagementPolicyControllerVersion { /** * The gatekeeper image tag that is composed of ACM version, git tag, build number. */ version?: string | null; } /** * **Anthos Config Management**: Configuration for a single cluster. Intended to parallel the ConfigManagement CR. */ export interface Schema$ConfigManagementSpec { /** * Optional. Deprecated: Binauthz configuration will be ignored and should not be set. */ binauthz?: Schema$ConfigManagementBinauthzConfig; /** * Optional. User-specified cluster name used by the Config Sync cluster-name-selector annotation or ClusterSelector object, for applying configs to only a subset of clusters. Read more about the cluster-name-selector annotation and ClusterSelector object at https://docs.cloud.google.com/kubernetes-engine/config-sync/docs/how-to/cluster-scoped-objects#limiting-configs. Only set this field if a name different from the cluster's fleet membership name is used by the Config Sync cluster-name-selector annotation or ClusterSelector. */ cluster?: string | null; /** * Optional. Config Sync configuration for the cluster. */ configSync?: Schema$ConfigManagementConfigSync; /** * Optional. Hierarchy Controller configuration for the cluster. Deprecated: Configuring Hierarchy Controller through the configmanagement feature is no longer recommended. Use https://github.com/kubernetes-sigs/hierarchical-namespaces instead. */ hierarchyController?: Schema$ConfigManagementHierarchyControllerConfig; /** * Optional. Deprecated: From version 1.21.0, automatic Feature management is unavailable, and Config Sync only supports manual upgrades. */ management?: string | null; /** * Optional. Policy Controller configuration for the cluster. Deprecated: Configuring Policy Controller through the configmanagement feature is no longer recommended. Use the policycontroller feature instead. */ policyController?: Schema$ConfigManagementPolicyController; /** * Optional. Version of Config Sync to install. Defaults to the latest supported Config Sync version if the config_sync field is enabled. See supported versions at https://cloud.google.com/kubernetes-engine/config-sync/docs/get-support-config-sync#version_support_policy. */ version?: string | null; } /** * **Anthos Config Management**: State for a single cluster. */ export interface Schema$ConfigManagementState { /** * Output only. Binauthz status. */ binauthzState?: Schema$ConfigManagementBinauthzState; /** * Output only. This field is set to the `cluster_name` field of the Membership Spec if it is not empty. Otherwise, it is set to the cluster's fleet membership name. */ clusterName?: string | null; /** * Output only. Current sync status. */ configSyncState?: Schema$ConfigManagementConfigSyncState; /** * Output only. Hierarchy Controller status. */ hierarchyControllerState?: Schema$ConfigManagementHierarchyControllerState; /** * Output only. The Kubernetes API server version of the cluster. */ kubernetesApiServerVersion?: string | null; /** * Output only. Membership configuration in the cluster. This represents the actual state in the cluster, while the MembershipSpec in the FeatureSpec represents the intended state. */ membershipSpec?: Schema$ConfigManagementSpec; /** * Output only. Current install status of ACM's Operator. */ operatorState?: Schema$ConfigManagementOperatorState; /** * Output only. PolicyController status. */ policyControllerState?: Schema$ConfigManagementPolicyControllerState; } /** * An ACM created error representing a problem syncing configurations. */ export interface Schema$ConfigManagementSyncError { /** * An ACM defined error code */ code?: string | null; /** * A description of the error */ errorMessage?: string | null; /** * A list of config(s) associated with the error, if any */ errorResources?: Schema$ConfigManagementErrorResource[]; } /** * State indicating an ACM's progress syncing configurations to a cluster. */ export interface Schema$ConfigManagementSyncState { /** * Sync status code. */ code?: string | null; /** * A list of errors resulting from problematic configs. This list will be truncated after 100 errors, although it is unlikely for that many errors to simultaneously exist. */ errors?: Schema$ConfigManagementSyncError[]; /** * Token indicating the state of the importer. */ importToken?: string | null; /** * Deprecated: use last_sync_time instead. Timestamp of when ACM last successfully synced the repo. The time format is specified in https://golang.org/pkg/time/#Time.String */ lastSync?: string | null; /** * Timestamp type of when ACM last successfully synced the repo. */ lastSyncTime?: string | null; /** * Token indicating the state of the repo. */ sourceToken?: string | null; /** * Token indicating the state of the syncer. */ syncToken?: string | null; } /** * A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance: service Foo { rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty); \} */ export interface Schema$Empty { } /** * FeatureSpec contains user input per-feature spec information. */ export interface Schema$FeatureSpec { /** * Cloudbuild-specific FeatureSpec. */ cloudbuild?: Schema$CloudBuildSpec; /** * Config Management FeatureSpec. */ configmanagement?: Schema$ConfigManagementSpec; /** * IdentityService FeatureSpec. */ identityservice?: Schema$IdentityServiceSpec; /** * Whether this per-Feature spec was inherited from a fleet-level default. This field can be updated by users by either overriding a Feature config (updated to USER implicitly) or setting to FLEET explicitly. */ origin?: Schema$Origin; /** * Policycontroller-specific FeatureSpec. */ policycontroller?: Schema$PolicyControllerSpec; /** * Rbacrolebindingactuation-specific FeatureSpec. */ rbacrolebindingactuation?: Schema$RBACRoleBindingActuationSpec; /** * ServiceMesh Feature Spec. */ servicemesh?: Schema$ServiceMeshSpec; /** * Workloadcertificate-specific FeatureSpec. */ workloadcertificate?: Schema$WorkloadCertificateSpec; } /** * FeatureState contains high-level state information and per-feature state information for this MembershipFeature. */ export interface Schema$FeatureState { /** * Appdevexperience specific state. */ appdevexperience?: Schema$AppDevExperienceState; /** * Cluster upgrade state. */ clusterupgrade?: Schema$ClusterUpgradeState; /** * Config Management state */ configmanagement?: Schema$ConfigManagementState; /** * Identity service state */ identityservice?: Schema$IdentityServiceState; /** * Metering state */ metering?: Schema$MeteringState; /** * Policy Controller state */ policycontroller?: Schema$PolicyControllerState; /** * RBAC Role Binding Actuation state */ rbacrolebindingactuation?: Schema$RBACRoleBindingActuationState; /** * Service mesh state */ servicemesh?: Schema$ServiceMeshState; /** * The high-level state of this MembershipFeature. */ state?: Schema$State; /** * Workload Identity state */ workloadidentity?: Schema$WorkloadIdentityState; } /** * The `Status` type defines a logical error model that is suitable for different programming environments, including REST APIs and RPC APIs. It is used by [gRPC](https://github.com/grpc). Each `Status` message contains three pieces of data: error code, error message, and error details. You can find out more about this error model and how to work with it in the [API Design Guide](https://cloud.google.com/apis/design/errors). */ export interface Schema$GoogleRpcStatus { /** * The status code, which should be an enum value of google.rpc.Code. */ code?: number | null; /** * A list of messages that carry the error details. There is a common set of message types for APIs to use. */ details?: Array<{ [key: string]: any; }> | null; /** * A developer-facing error message, which should be in English. Any user-facing error message should be localized and sent in the google.rpc.Status.details field, or localized by the client. */ message?: string | null; } /** * Configuration of an auth method for a member/cluster. Only one authentication method (e.g., OIDC and LDAP) can be set per AuthMethod. */ export interface Schema$IdentityServiceAuthMethod { /** * AzureAD specific Configuration. */ azureadConfig?: Schema$IdentityServiceAzureADConfig; /** * GoogleConfig specific configuration */ googleConfig?: Schema$IdentityServiceGoogleConfig; /** * LDAP specific configuration. */ ldapConfig?: Schema$IdentityServiceLdapConfig; /** * Identifier for auth config. */ name?: string | null; /** * OIDC specific configuration. */ oidcConfig?: Schema$IdentityServiceOidcConfig; /** * Proxy server address to use for auth method. */ proxy?: string | null; /** * SAML specific configuration. */ samlConfig?: Schema$IdentityServiceSamlConfig; } /** * Configuration for the AzureAD Auth flow. */ export interface Schema$IdentityServiceAzureADConfig { /** * ID for the registered client application that makes authentication requests to the Azure AD identity provider. */ clientId?: string | null; /** * Input only. Unencrypted AzureAD client secret will be passed to the GKE Hub CLH. */ clientSecret?: string | null; /** * Output only. Encrypted AzureAD client secret. */ encryptedClientSecret?: string | null; /** * Optional. Format of the AzureAD groups that the client wants for auth. */ groupFormat?: string | null; /** * The redirect URL that kubectl uses for authorization. */ kubectlRedirectUri?: string | null; /** * Kind of Azure AD account to be authenticated. Supported values are or for accounts belonging to a specific tenant. */ tenant?: string | null; /** * Optional. Claim in the AzureAD ID Token that holds the user details. */ userClaim?: string | null; } /** * Configuration options for the AIS diagnostic interface. */ export interface Schema$IdentityServiceDiagnosticInterface { /** * Determines whether to enable the diagnostic interface. */ enabled?: boolean | null; /** * Determines the expiration time of the diagnostic interface enablement. When reached, requests to the interface would be automatically rejected. */ expirationTime?: string | null; } /** * Configuration for the Google Plugin Auth flow. */ export interface Schema$IdentityServiceGoogleConfig { /** * Disable automatic configuration of Google Plugin on supported platforms. */ disable?: boolean | null; } /** * Contains the properties for locating and authenticating groups in the directory. */ export interface Schema$IdentityServiceGroupConfig { /** * Required. The location of the subtree in the LDAP directory to search for group entries. */ baseDn?: string | null; /** * Optional. Optional filter to be used when searching for groups a user belongs to. This can be used to explicitly match only certain groups in order to reduce the amount of groups returned for each user. This defaults to "(objectClass=Group)". */ filter?: string | null; /** * Optional. The identifying name of each group a user belongs to. For example, if this is set to "distinguishedName" then RBACs and other group expectations should be written as full DNs. This defaults to "distinguishedName". */ idAttribute?: string | null; } /** * Holds non-protocol-related configuration options. */ export interface Schema$IdentityServiceIdentityServiceOptions { /** * Configuration options for the AIS diagnostic interface. */ diagnosticInterface?: Schema$IdentityServiceDiagnosticInterface; /** * Determines the lifespan of STS tokens issued by Anthos Identity Service. */ sessionDuration?: string | null; } /** * Configuration for the LDAP Auth flow. */ export interface Schema$IdentityServiceLdapConfig { /** * Optional. Contains the properties for locating and authenticating groups in the directory. */ group?: Schema$IdentityServiceGroupConfig; /** * Required. Server settings for the external LDAP server. */ server?: Schema$IdentityServiceServerConfig; /** * Required. Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. */ serviceAccount?: Schema$IdentityServiceServiceAccountConfig; /** * Required. Defines where users exist in the LDAP directory. */ user?: Schema$IdentityServiceUserConfig; } /** * Configuration for OIDC Auth flow. */ export interface Schema$IdentityServiceOidcConfig { /** * PEM-encoded CA for OIDC provider. */ certificateAuthorityData?: string | null; /** * ID for OIDC client application. */ clientId?: string | null; /** * Input only. Unencrypted OIDC client secret will be passed to the GKE Hub CLH. */ clientSecret?: string | null; /** * Flag to denote if reverse proxy is used to connect to auth provider. This flag should be set to true when provider is not reachable by Google Cloud Console. */ deployCloudConsoleProxy?: boolean | null; /** * Enable access token. */ enableAccessToken?: boolean | null; /** * Output only. Encrypted OIDC Client secret */ encryptedClientSecret?: string | null; /** * Comma-separated list of key-value pairs. */ extraParams?: string | null; /** * Prefix to prepend to group name. */ groupPrefix?: string | null; /** * Claim in OIDC ID token that holds group information. */ groupsClaim?: string | null; /** * URI for the OIDC provider. This should point to the level below .well-known/openid-configuration. */ issuerUri?: string | null; /** * Registered redirect uri to redirect users going through OAuth flow using kubectl plugin. */ kubectlRedirectUri?: string | null; /** * Comma-separated list of identifiers. */ scopes?: string | null; /** * Claim in OIDC ID token that holds username. */ userClaim?: string | null; /** * Prefix to prepend to user name. */ userPrefix?: string | null; } /** * Configuration for the SAML Auth flow. */ export interface Schema$IdentityServiceSamlConfig { /** * Optional. The mapping of additional user attributes like nickname, birthday and address etc.. `key` is the name of this additional attribute. `value` is a string presenting as CEL(common expression language, go/cel) used for getting the value from the resources. Take nickname as an example, in this case, `key` is "attribute.nickname" and `value` is "assertion.nickname". */ attributeMapping?: { [key: string]: string; } | null; /** * Optional. Prefix to prepend to group name. */ groupPrefix?: string | null; /** * Optional. The SAML attribute to read groups from. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the `group_prefix`). */ groupsAttribute?: string | null; /** * Required. The list of IdP certificates to validate the SAML response against. */ identityProviderCertificates?: string[] | null; /** * Required. The entity ID of the SAML IdP. */ identityProviderId?: string | null; /** * Required. The URI where the SAML IdP exposes the SSO service. */ identityProviderSsoUri?: string | null; /** * Optional. The SAML attribute to read username from. If unspecified, the username will be read from the NameID element of the assertion in SAML response. This value is expected to be a string and will be passed along as-is (with the option of being prefixed by the `user_prefix`). */ userAttribute?: string | null; /** * Optional. Prefix to prepend to user name. */ userPrefix?: string | null; } /** * Server settings for the external LDAP server. */ export interface Schema$IdentityServiceServerConfig { /** * Optional. Contains a Base64 encoded, PEM formatted certificate authority certificate for the LDAP server. This must be provided for the "ldaps" and "startTLS" connections. */ certificateAuthorityData?: string | null; /** * Optional. Defines the connection type to communicate with the LDAP server. If `starttls` or `ldaps` is specified, the certificate_authority_data should not be empty. */ connectionType?: string | null; /** * Required. Defines the hostname or IP of the LDAP server. Port is optional and will default to 389, if unspecified. For example, "ldap.server.example" or "10.10.10.10:389". */ host?: string | null; } /** * Contains the credentials of the service account which is authorized to perform the LDAP search in the directory. The credentials can be supplied by the combination of the DN and password or the client certificate. */ export interface Schema$IdentityServiceServiceAccountConfig { /** * Credentials for basic auth. */ simpleBindCredentials?: Schema$IdentityServiceSimpleBindCredentials; } /** * The structure holds the LDAP simple binding credential. */ export interface Schema$IdentityServiceSimpleBindCredentials { /** * Required. The distinguished name(DN) of the service account object/user. */ dn?: string | null; /** * Output only. The encrypted password of the service account object/user. */ encryptedPassword?: string | null; /** * Required. Input only. The password of the service account object/user. */ password?: string | null; } /** * **IdentityService**: Configuration for a single membership. */ export interface Schema$IdentityServiceSpec { /** * A member may support multiple auth methods. */ authMethods?: Schema$IdentityServiceAuthMethod[]; /** * Optional. non-protocol-related configuration options. */ identityServiceOptions?: Schema$IdentityServiceIdentityServiceOptions; } /** * **IdentityService**: State for a single membership, analyzed and reported by feature controller. */ export interface Schema$IdentityServiceState { /** * The reason of the failure. */ failureReason?: string | null; /** * Installed AIS version. This is the AIS version installed on this member. The values makes sense iff state is OK. */ installedVersion?: string | null; /** * Last reconciled membership configuration */ memberConfig?: Schema$IdentityServiceSpec; /** * Deployment state on this member */ state?: string | null; } /** * Defines where users exist in the LDAP directory. */ export interface Schema$IdentityServiceUserConfig { /** * Required. The location of the subtree in the LDAP directory to search for user entries. */ baseDn?: string | null; /** * Optional. Filter to apply when searching for the user. This can be used to further restrict the user accounts which are allowed to login. This defaults to "(objectClass=User)". */ filter?: string | null; /** * Optional. Determines which attribute to use as the user's identity after they are authenticated. This is distinct from the loginAttribute field to allow users to login with a username, but then have their actual identifier be an email address or full Distinguished Name (DN). For example, setting loginAttribute to "sAMAccountName" and identifierAttribute to "userPrincipalName" would allow a user to login as "bsmith", but actual RBAC policies for the user would be written as "bsmith@example.com". Using "userPrincipalName" is recommended since this will be unique for each user. This defaults to "userPrincipalName". */ idAttribute?: string | null; /** * Optional. The name of the attribute which matches against the input username. This is used to find the user in the LDAP database e.g. "(=)" and is combined with the optional filter field. This defaults to "userPrincipalName". */ loginAttribute?: string | null; } /** * LifecycleState describes the state of a MembershipFeature *resource* in the GkeHub API. See `FeatureState` for the "running state" of the MembershipFeature. */ export interface Schema$LifecycleState { /** * Output only. The current state of the Feature resource in the Hub API. */ state?: string | null; } /** * The response message for Locations.ListLocations. */ export interface Schema$ListLocationsResponse { /** * A list of locations that matches the specified filter in the request. */ locations?: Schema$Location[]; /** * The standard List next-page token. */ nextPag