feat: Add support to generate client certificate and get connection info for auth proxy in AlloyDB v1

Google APIs · copybara-github · commit 5601ad3a999d · 2023-09-27T08:39:57.000-07:00
PiperOrigin-RevId: 568860878
diff --git a/google/cloud/alloydb/v1/alloydb_v1_grpc_service_config.json b/google/cloud/alloydb/v1/alloydb_v1_grpc_service_config.json
@@ -7,7 +7,9 @@
       { "service": "google.cloud.alloydb.v1.AlloyDBAdmin", "method": "GetInstance" },
       { "service": "google.cloud.alloydb.v1.AlloyDBAdmin", "method": "ListBackups" },
       { "service": "google.cloud.alloydb.v1.AlloyDBAdmin", "method": "GetBackup" },
-      { "service": "google.cloud.alloydb.v1.AlloyDBAdmin", "method": "ListSupportedDatabaseFlags" }
+      { "service": "google.cloud.alloydb.v1.AlloyDBAdmin", "method": "ListSupportedDatabaseFlags" },
+      { "service": "google.cloud.alloydb.v1.AlloyDBAdmin", "method": "GenerateClientCertificate" },
+      { "service": "google.cloud.alloydb.v1.AlloyDBAdmin", "method": "GetConnectionInfo" }
     ],
     "timeout": "60s",
     "retryPolicy": {
diff --git a/google/cloud/alloydb/v1/resources.proto b/google/cloud/alloydb/v1/resources.proto
@@ -862,6 +862,28 @@ message Instance {
       [(google.api.field_behavior) = OPTIONAL];
 }
 
+// ConnectionInfo singleton resource.
+// https://google.aip.dev/156
+message ConnectionInfo {
+  option (google.api.resource) = {
+    type: "alloydb.googleapis.com/ConnectionInfo"
+    pattern: "projects/{project}/locations/{location}/clusters/{cluster}/instances/{instance}/connectionInfo"
+  };
+
+  // The name of the ConnectionInfo singleton resource, e.g.:
+  // projects/{project}/locations/{location}/clusters/*/instances/*/connectionInfo
+  // This field currently has no semantic meaning.
+  string name = 1;
+
+  // Output only. The private network IP address for the Instance. This is the
+  // default IP for the instance and is always created (even if enable_public_ip
+  // is set). This is the connection endpoint for an end-user application.
+  string ip_address = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The unique ID of the Instance.
+  string instance_uid = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
+
 // Message describing Backup object
 message Backup {
   option (google.api.resource) = {
diff --git a/google/cloud/alloydb/v1/service.proto b/google/cloud/alloydb/v1/service.proto
@@ -22,6 +22,7 @@ import "google/api/field_behavior.proto";
 import "google/api/resource.proto";
 import "google/cloud/alloydb/v1/resources.proto";
 import "google/longrunning/operations.proto";
+import "google/protobuf/duration.proto";
 import "google/protobuf/empty.proto";
 import "google/protobuf/field_mask.proto";
 import "google/protobuf/timestamp.proto";
@@ -346,6 +347,28 @@ service AlloyDBAdmin {
     option (google.api.method_signature) = "parent";
   }
 
+  // Generate a client certificate signed by a Cluster CA.
+  // The sole purpose of this endpoint is to support AlloyDB connectors and the
+  // Auth Proxy client. The endpoint's behavior is subject to change without
+  // notice, so do not rely on its behavior remaining constant. Future changes
+  // will not break AlloyDB connectors or the Auth Proxy client.
+  rpc GenerateClientCertificate(GenerateClientCertificateRequest)
+      returns (GenerateClientCertificateResponse) {
+    option (google.api.http) = {
+      post: "/v1/{parent=projects/*/locations/*/clusters/*}:generateClientCertificate"
+      body: "*"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
+  // Get instance metadata used for a connection.
+  rpc GetConnectionInfo(GetConnectionInfoRequest) returns (ConnectionInfo) {
+    option (google.api.http) = {
+      get: "/v1/{parent=projects/*/locations/*/clusters/*/instances/*}/connectionInfo"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
   // Lists Users in a given project and location.
   rpc ListUsers(ListUsersRequest) returns (ListUsersResponse) {
     option (google.api.http) = {
@@ -1300,6 +1323,81 @@ message ListSupportedDatabaseFlagsResponse {
   string next_page_token = 2;
 }
 
+// Message for requests to generate a client certificate signed by the Cluster
+// CA.
+message GenerateClientCertificateRequest {
+  // Required. The name of the parent resource. The required format is:
+  //  * projects/{project}/locations/{location}/clusters/{cluster}
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = { type: "alloydb.googleapis.com/Cluster" }
+  ];
+
+  // Optional. An optional request ID to identify requests. Specify a unique
+  // request ID so that if you must retry your request, the server will know to
+  // ignore the request if it has already been completed. The server will
+  // guarantee that for at least 60 minutes after the first request.
+  //
+  // For example, consider a situation where you make an initial request and
+  // the request times out. If you make the request again with the same request
+  // ID, the server can check if original operation with the same request ID
+  // was received, and if so, will ignore the second request. This prevents
+  // clients from accidentally creating duplicate commitments.
+  //
+  // The request ID must be a valid UUID with the exception that zero UUID is
+  // not supported (00000000-0000-0000-0000-000000000000).
+  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. An optional hint to the endpoint to generate the client
+  // certificate with the requested duration. The duration can be from 1 hour to
+  // 24 hours. The endpoint may or may not honor the hint. If the hint is left
+  // unspecified or is not honored, then the endpoint will pick an appropriate
+  // default duration.
+  google.protobuf.Duration cert_duration = 4
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The public key from the client.
+  string public_key = 5 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Message returned by a GenerateClientCertificate operation.
+message GenerateClientCertificateResponse {
+  // Output only. The pem-encoded chain that may be used to verify the X.509
+  // certificate. Expected to be in issuer-to-root order according to RFC 5246.
+  repeated string pem_certificate_chain = 2
+      [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. The pem-encoded cluster ca X.509 certificate.
+  string ca_cert = 3 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Request message for GetConnectionInfo.
+message GetConnectionInfoRequest {
+  // Required. The name of the parent resource. The required format is:
+  // projects/{project}/locations/{location}/clusters/{cluster}/instances/{instance}
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "alloydb.googleapis.com/Instance"
+    }
+  ];
+
+  // Optional. An optional request ID to identify requests. Specify a unique
+  // request ID so that if you must retry your request, the server will know to
+  // ignore the request if it has already been completed. The server will
+  // guarantee that for at least 60 minutes after the first request.
+  //
+  // For example, consider a situation where you make an initial request and
+  // the request times out. If you make the request again with the same request
+  // ID, the server can check if original operation with the same request ID
+  // was received, and if so, will ignore the second request. This prevents
+  // clients from accidentally creating duplicate commitments.
+  //
+  // The request ID must be a valid UUID with the exception that zero UUID is
+  // not supported (00000000-0000-0000-0000-000000000000).
+  string request_id = 2 [(google.api.field_behavior) = OPTIONAL];
+}
+
 // Represents the metadata of the long-running operation.
 message OperationMetadata {
   // Request specific metadata, if any.
