feat: [Memorystore for Redis Cluster] Add support for Flexible CA feature

Google APIs · copybara-github · commit 96eea0c3ab6e · 2026-03-31T15:13:53.000-07:00
PiperOrigin-RevId: 891891848
diff --git a/google/cloud/redis/cluster/v1/cloud_redis_cluster.proto b/google/cloud/redis/cluster/v1/cloud_redis_cluster.proto
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -55,6 +55,10 @@ option (google.api.resource_definition) = {
   type: "cloudkms.googleapis.com/CryptoKeyVersion"
   pattern: "projects/{project}/locations/{location}/keyRings/{key_ring}/cryptoKeys/{crypto_key}/cryptoKeyVersions/{crypto_key_version}"
 };
+option (google.api.resource_definition) = {
+  type: "privateca.googleapis.com/CaPool"
+  pattern: "projects/{project}/locations/{location}/caPools/{ca_pool}"
+};
 
 // Configures and manages Cloud Memorystore for Redis clusters
 //
@@ -162,6 +166,17 @@ service CloudRedisCluster {
     option (google.api.method_signature) = "name";
   }
 
+  // Gets the details of regional certificate authority information for Redis
+  // cluster.
+  rpc GetSharedRegionalCertificateAuthority(
+      GetSharedRegionalCertificateAuthorityRequest)
+      returns (SharedRegionalCertificateAuthority) {
+    option (google.api.http) = {
+      get: "/v1/{name=projects/*/locations/*/sharedRegionalCertificateAuthority}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
   // Reschedules upcoming maintenance event.
   rpc RescheduleClusterMaintenance(RescheduleClusterMaintenanceRequest)
       returns (google.longrunning.Operation) {
@@ -318,6 +333,21 @@ enum TransitEncryptionMode {
   TRANSIT_ENCRYPTION_MODE_SERVER_AUTHENTICATION = 2;
 }
 
+// Server CA mode for the cluster.
+enum ServerCaMode {
+  // Server CA mode not specified.
+  SERVER_CA_MODE_UNSPECIFIED = 0;
+
+  // Each cluster has its own Google managed CA.
+  SERVER_CA_MODE_GOOGLE_MANAGED_PER_INSTANCE_CA = 1;
+
+  // The cluster uses Google managed shared CA in the region.
+  SERVER_CA_MODE_GOOGLE_MANAGED_SHARED_CA = 2;
+
+  // The cluster uses customer managed CA from CAS.
+  SERVER_CA_MODE_CUSTOMER_MANAGED_CAS_CA = 3;
+}
+
 // Type of a PSC connection, for cluster access purpose.
 enum ConnectionType {
   // Cluster endpoint Type is not set
@@ -836,6 +866,26 @@ message Cluster {
   // Output only. Encryption information of the data at rest of the cluster.
   EncryptionInfo encryption_info = 43
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Server CA mode for the cluster.
+  optional ServerCaMode server_ca_mode = 53
+      [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Customer-managed CA pool for the cluster. Only applicable for
+  // BYOCA i.e. if server_ca_mode is SERVER_CA_MODE_CUSTOMER_MANAGED_CAS_CA.
+  // Format: "projects/{project}/locations/{region}/caPools/{ca_pool}".
+  optional string server_ca_pool = 54 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.resource_reference) = {
+      type: "privateca.googleapis.com/CaPool"
+    }
+  ];
+
+  // Optional. Input only. Rotate the server certificates.
+  optional bool rotate_server_certificate = 55 [
+    (google.api.field_behavior) = OPTIONAL,
+    (google.api.field_behavior) = INPUT_ONLY
+  ];
 }
 
 // The automated backup config for a cluster.
@@ -1327,6 +1377,54 @@ message PscAutoConnection {
       [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
+// Shared regional certificate authority
+message SharedRegionalCertificateAuthority {
+  option (google.api.resource) = {
+    type: "redis.googleapis.com/SharedRegionalCertificateAuthority"
+    pattern: "projects/{project}/locations/{location}/sharedRegionalCertificateAuthority"
+    plural: "sharedRegionalCertificateAuthorities"
+    singular: "sharedRegionalCertificateAuthority"
+  };
+
+  // CA certificate chains for redis managed server authentication.
+  message RegionalManagedCertificateAuthority {
+    // The certificates that form the CA chain, from leaf to root order.
+    message RegionalCertChain {
+      // The certificates that form the CA chain, from leaf to root order.
+      repeated string certificates = 1;
+    }
+
+    // The PEM encoded CA certificate chains for redis managed
+    // server authentication
+    repeated RegionalCertChain ca_certs = 1;
+  }
+
+  // Server ca information.
+  oneof server_ca {
+    // CA certificate chains for redis managed server authentication.
+    RegionalManagedCertificateAuthority managed_server_ca = 2;
+  }
+
+  // Identifier. Unique name of the resource in this scope including project and
+  // location using the form:
+  //     `projects/{project}/locations/{location}/sharedRegionalCertificateAuthority`
+  string name = 1 [(google.api.field_behavior) = IDENTIFIER];
+}
+
+// Request for
+// [GetSharedRegionalCertificateAuthority][CloudRedis.GetSharedRegionalCertificateAuthority].
+message GetSharedRegionalCertificateAuthorityRequest {
+  // Required. Regional certificate authority resource name using the form:
+  //     `projects/{project_id}/locations/{location_id}/sharedRegionalCertificateAuthority`
+  // where `location_id` refers to a Google Cloud region.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "redis.googleapis.com/SharedRegionalCertificateAuthority"
+    }
+  ];
+}
+
 // Pre-defined metadata fields.
 message OperationMetadata {
   // Output only. The time the operation was created.
