feat: [Memorystore for Valkey] Add support for Flexible CA feature

Google APIs · copybara-github · commit 15681782525d · 2026-04-01T18:31:30.000-07:00
PiperOrigin-RevId: 893211666
diff --git a/google/cloud/memorystore/v1beta/memorystore.proto b/google/cloud/memorystore/v1beta/memorystore.proto
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -45,6 +45,10 @@ option (google.api.resource_definition) = {
   type: "compute.googleapis.com/ServiceAttachment"
   pattern: "projects/{project}/regions/{region}/serviceAttachments/{service_attachment}"
 };
+option (google.api.resource_definition) = {
+  type: "privateca.googleapis.com/CaPool"
+  pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}"
+};
 
 // Service describing handlers for resources
 service Memorystore {
@@ -117,6 +121,17 @@ service Memorystore {
     };
     option (google.api.method_signature) = "name";
   }
+
+  // Gets the details of shared regional certificate authority information for
+  // Memorystore instance.
+  rpc GetSharedRegionalCertificateAuthority(
+      GetSharedRegionalCertificateAuthorityRequest)
+      returns (SharedRegionalCertificateAuthority) {
+    option (google.api.http) = {
+      get: "/v1beta/{name=projects/*/locations/*/sharedRegionalCertificateAuthority}"
+    };
+    option (google.api.method_signature) = "name";
+  }
 }
 
 // Status of the PSC connection.
@@ -276,6 +291,32 @@ message Instance {
     CLUSTER_DISABLED = 4;
   }
 
+  // The Server CA mode for the instance.
+  enum ServerCaMode {
+    option allow_alias = true;
+
+    // Server CA mode not specified.
+    SERVER_CA_MODE_UNSPECIFIED = 0;
+
+    // Each instance has its own Google-managed CA.
+    GOOGLE_MANAGED_PER_INSTANCE_CA = 1;
+
+    // The instance uses a Google-managed shared CA for the instance's region.
+    GOOGLE_MANAGED_SHARED_CA = 2;
+
+    // The instance uses a customer-managed CA from CAS.
+    CUSTOMER_MANAGED_CAS_CA = 3;
+
+    // Deprecated: Use GOOGLE_MANAGED_PER_INSTANCE_CA instead.
+    SERVER_CA_MODE_GOOGLE_MANAGED_PER_INSTANCE_CA = 1 [deprecated = true];
+
+    // Deprecated: Use GOOGLE_MANAGED_SHARED_CA instead.
+    SERVER_CA_MODE_GOOGLE_MANAGED_SHARED_CA = 2 [deprecated = true];
+
+    // Deprecated: Use CUSTOMER_MANAGED_CAS_CA instead.
+    SERVER_CA_MODE_CUSTOMER_MANAGED_CAS_CA = 3 [deprecated = true];
+  }
+
   // Identifier. Unique name of the instance.
   // Format: projects/{project}/locations/{location}/instances/{instance}
   string name = 1 [(google.api.field_behavior) = IDENTIFIER];
@@ -374,6 +415,29 @@ message Instance {
 
   // Optional. The mode config for the instance.
   Mode mode = 26 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Immutable. The Server CA mode for the instance.
+  optional ServerCaMode server_ca_mode = 56 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.field_behavior) = IMMUTABLE
+  ];
+
+  // Optional. Immutable. The customer-managed CA pool for the instance. Only
+  // applicable if the Server CA mode is CUSTOMER_MANAGED_CAS_CA. Format:
+  // "projects/{project}/locations/{region}/caPools/{ca_pool}".
+  optional string server_ca_pool = 57 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.field_behavior) = IMMUTABLE,
+    (google.api.resource_reference) = {
+      type: "privateca.googleapis.com/CaPool"
+    }
+  ];
+
+  // Optional. Input only. Rotate the server certificates.
+  optional bool rotate_server_certificate = 58 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.field_behavior) = INPUT_ONLY
+  ];
 }
 
 // Details of consumer resources in a PSC connection.
@@ -829,6 +893,54 @@ message CertificateAuthority {
   string name = 1 [(google.api.field_behavior) = IDENTIFIER];
 }
 
+// Shared regional certificate authority for an instance.
+message SharedRegionalCertificateAuthority {
+  option (google.api.resource) = {
+    type: "memorystore.googleapis.com/SharedRegionalCertificateAuthority"
+    pattern: "projects/{project}/locations/{location}/sharedRegionalCertificateAuthority"
+    plural: "sharedRegionalCertificateAuthorities"
+    singular: "sharedRegionalCertificateAuthority"
+  };
+
+  // CA certificate chains for memorystore managed server authentication.
+  message RegionalManagedCertificateAuthority {
+    // The certificates that form the CA chain, from leaf to root order.
+    message RegionalCertChain {
+      // The certificates that form the CA chain, from leaf to root order.
+      repeated string certificates = 1;
+    }
+
+    // The PEM encoded CA certificate chains for memorystore managed
+    // server authentication
+    repeated RegionalCertChain ca_certs = 1;
+  }
+
+  // Server ca information.
+  oneof server_ca {
+    // CA certificate chains for memorystore managed server authentication.
+    RegionalManagedCertificateAuthority managed_server_ca = 2;
+  }
+
+  // Identifier. Unique name of the resource in this scope including project and
+  // location using the form:
+  //     `projects/{project}/locations/{location}/sharedRegionalCertificateAuthority`
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
+}
+
+// Request for
+// [GetSharedRegionalCertificateAuthority][google.cloud.memorystore.v1beta.Memorystore.GetSharedRegionalCertificateAuthority].
+message GetSharedRegionalCertificateAuthorityRequest {
+  // Required. Regional certificate authority resource name using the form:
+  //     `projects/{project}/locations/{location}/sharedRegionalCertificateAuthority`
+  // where `location_id` refers to a Google Cloud region.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "memorystore.googleapis.com/SharedRegionalCertificateAuthority"
+    }
+  ];
+}
+
 // Represents the metadata of a long-running operation.
 message OperationMetadata {
   // Output only. The time the operation was created.
