feat: Added support for Azure workload identity federation

Google APIs · copybara-github · commit db56b146aebb · 2023-02-02T00:00:25.000-08:00
feat: Added `reconciling` and `update_time` output fields to Azure Client resource.

Added support for Azure workload identity federation to replace Azure client when creating clusters to manage Azure resources.

PiperOrigin-RevId: 506534887
diff --git a/google/cloud/gkemulticloud/v1/BUILD.bazel b/google/cloud/gkemulticloud/v1/BUILD.bazel
@@ -142,6 +142,7 @@ go_gapic_library(
     grpc_service_config = "gkemulticloud_grpc_service_config.json",
     importpath = "cloud.google.com/go/gkemulticloud/apiv1;gkemulticloud",
     metadata = True,
+    release_level = "beta",
     rest_numeric_enums = False,
     service_yaml = "gkemulticloud_v1.yaml",
     transport = "grpc",
diff --git a/google/cloud/gkemulticloud/v1/attached_resources.proto b/google/cloud/gkemulticloud/v1/attached_resources.proto
@@ -70,7 +70,7 @@ message AttachedCluster {
   // `projects/<project-number>/locations/<region>/attachedClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1;
 
   // Optional. A human readable description of this cluster.
@@ -180,9 +180,9 @@ message AttachedClusterUser {
 // OIDC discovery information of the target cluster.
 //
 // Kubernetes Service Account (KSA) tokens are JWT tokens signed by the cluster
-// API server. This fields indicates how GCP services
+// API server. This fields indicates how Google Cloud Platform services
 // validate KSA tokens in order to allow system workloads (such as GKE Connect
-// and telemetry agents) to authenticate back to GCP.
+// and telemetry agents) to authenticate back to Google Cloud Platform.
 //
 // Both clusters with public and private issuer URLs are supported.
 // Clusters with public issuers only need to specify the `issuer_url` field
diff --git a/google/cloud/gkemulticloud/v1/attached_service.proto b/google/cloud/gkemulticloud/v1/attached_service.proto
@@ -42,7 +42,7 @@ service AttachedClusters {
 
   // Creates a new
   // [AttachedCluster][google.cloud.gkemulticloud.v1.AttachedCluster] resource
-  // on a given GCP project and region.
+  // on a given Google Cloud Platform project and region.
   //
   // If successful, the response contains a newly created
   // [Operation][google.longrunning.Operation] resource that can be
@@ -175,7 +175,7 @@ message GenerateAttachedClusterInstallManifestRequest {
     }
   ];
 
-  // Required. A client provided ID the resource. Must be unique within the
+  // Required. A client provided ID of the resource. Must be unique within the
   // parent resource.
   //
   // The provided ID will be part of the
@@ -188,7 +188,7 @@ message GenerateAttachedClusterInstallManifestRequest {
   // When generating an install manifest for importing an existing Membership
   // resource, the attached_cluster_id field must be the Membership id.
   //
-  // Membership names are formatted as `resource name formatted as
+  // Membership names are formatted as
   // `projects/<project-id>/locations/<region>/memberships/<membership-id>`.
   string attached_cluster_id = 2 [(google.api.field_behavior) = REQUIRED];
 
@@ -315,7 +315,7 @@ message GetAttachedClusterRequest {
   // `projects/<project-id>/locations/<region>/attachedClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -332,7 +332,7 @@ message ListAttachedClustersRequest {
   // Location names are formatted as `projects/<project-id>/locations/<region>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -358,7 +358,7 @@ message ListAttachedClustersRequest {
 // Response message for `AttachedClusters.ListAttachedClusters` method.
 message ListAttachedClustersResponse {
   // A list of [AttachedCluster][google.cloud.gkemulticloud.v1.AttachedCluster]
-  // resources in the specified GCP project and region region.
+  // resources in the specified Google Cloud Platform project and region region.
   repeated AttachedCluster attached_clusters = 1;
 
   // Token to retrieve the next page of results, or empty if there are no more
@@ -375,7 +375,7 @@ message DeleteAttachedClusterRequest {
   // `projects/<project-id>/locations/<region>/attachedClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
diff --git a/google/cloud/gkemulticloud/v1/aws_resources.proto b/google/cloud/gkemulticloud/v1/aws_resources.proto
@@ -70,7 +70,7 @@ message AwsCluster {
   // `projects/<project-number>/locations/<region>/awsClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1;
 
   // Optional. A human readable description of this cluster.
diff --git a/google/cloud/gkemulticloud/v1/aws_service.proto b/google/cloud/gkemulticloud/v1/aws_service.proto
@@ -41,7 +41,7 @@ service AwsClusters {
       "https://www.googleapis.com/auth/cloud-platform";
 
   // Creates a new [AwsCluster][google.cloud.gkemulticloud.v1.AwsCluster]
-  // resource on a given GCP project and region.
+  // resource on a given Google Cloud Platform project and region.
   //
   // If successful, the response contains a newly created
   // [Operation][google.longrunning.Operation] resource that can be
@@ -290,7 +290,7 @@ message GetAwsClusterRequest {
   // `projects/<project-id>/locations/<region>/awsClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -307,7 +307,7 @@ message ListAwsClustersRequest {
   // Location names are formatted as `projects/<project-id>/locations/<region>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -333,7 +333,7 @@ message ListAwsClustersRequest {
 // Response message for `AwsClusters.ListAwsClusters` method.
 message ListAwsClustersResponse {
   // A list of [AwsCluster][google.cloud.gkemulticloud.v1.AwsCluster] resources
-  // in the specified GCP project and region region.
+  // in the specified Google Cloud Platform project and region region.
   repeated AwsCluster aws_clusters = 1;
 
   // Token to retrieve the next page of results, or empty if there are no more
@@ -350,7 +350,7 @@ message DeleteAwsClusterRequest {
   // `projects/<project-id>/locations/<region>/awsClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
diff --git a/google/cloud/gkemulticloud/v1/azure_resources.proto b/google/cloud/gkemulticloud/v1/azure_resources.proto
@@ -70,7 +70,7 @@ message AzureCluster {
   // `projects/<project-number>/locations/<region>/azureClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1;
 
   // Optional. A human readable description of this cluster.
@@ -90,20 +90,20 @@ message AzureCluster {
   // `/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>`
   string resource_group_id = 17 [(google.api.field_behavior) = REQUIRED];
 
-  // Required. Name of the
+  // Optional. Name of the
   // [AzureClient][google.cloud.gkemulticloud.v1.AzureClient] that contains
   // authentication configuration for how the Anthos Multi-Cloud API connects to
   // Azure APIs.
   //
-  // The `AzureClient` resource must reside on the same GCP project and region
-  // as the `AzureCluster`.
+  // The `AzureClient` resource must reside on the same Google Cloud Platform
+  // project and region as the `AzureCluster`.
   //
   // `AzureClient` names are formatted as
   // `projects/<project-number>/locations/<region>/azureClients/<client-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
   // for more details on Google Cloud resource names.
-  string azure_client = 16 [(google.api.field_behavior) = REQUIRED];
+  string azure_client = 16 [(google.api.field_behavior) = OPTIONAL];
 
   // Required. Cluster-wide networking configuration.
   AzureClusterNetworking networking = 4
@@ -115,6 +115,10 @@ message AzureCluster {
   // Required. Configuration related to the cluster RBAC settings.
   AzureAuthorization authorization = 6 [(google.api.field_behavior) = REQUIRED];
 
+  // Optional. Authentication configuration for management of Azure resources.
+  AzureServicesAuthentication azure_services_authentication = 22
+      [(google.api.field_behavior) = OPTIONAL];
+
   // Output only. The current state of the cluster.
   State state = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
 
@@ -410,6 +414,9 @@ message AzureClient {
   // Required. The Azure Active Directory Application ID.
   string application_id = 3 [(google.api.field_behavior) = REQUIRED];
 
+  // Output only. If set, there are currently pending changes to the client.
+  bool reconciling = 9 [(google.api.field_behavior) = OUTPUT_ONLY];
+
   // Optional. Annotations on the resource.
   //
   // This field has the same restrictions as Kubernetes annotations.
@@ -430,6 +437,10 @@ message AzureClient {
   // Output only. The time at which this resource was created.
   google.protobuf.Timestamp create_time = 6
       [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The time at which this client was last updated.
+  google.protobuf.Timestamp update_time = 10
+      [(google.api.field_behavior) = OUTPUT_ONLY];
 }
 
 // Configuration related to the cluster RBAC settings.
@@ -444,6 +455,15 @@ message AzureAuthorization {
       [(google.api.field_behavior) = REQUIRED];
 }
 
+// Authentication configuration for the management of Azure resources.
+message AzureServicesAuthentication {
+  // Required. The Azure Active Directory Tenant ID.
+  string tenant_id = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The Azure Active Directory Application ID.
+  string application_id = 2 [(google.api.field_behavior) = REQUIRED];
+}
+
 // Identities of a user-type subject for Azure clusters.
 message AzureClusterUser {
   // Required. The name of the user, e.g. `my-gcp-id@gmail.com`.
@@ -638,7 +658,7 @@ message AzureServerConfig {
   // `projects/<project-number>/locations/<region>/azureServerConfig`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1;
 
   // List of valid Kubernetes versions.
diff --git a/google/cloud/gkemulticloud/v1/azure_service.proto b/google/cloud/gkemulticloud/v1/azure_service.proto
@@ -105,7 +105,7 @@ service AzureClusters {
   }
 
   // Creates a new [AzureCluster][google.cloud.gkemulticloud.v1.AzureCluster]
-  // resource on a given GCP project and region.
+  // resource on a given Google Cloud Platform project and region.
   //
   // If successful, the response contains a newly created
   // [Operation][google.longrunning.Operation] resource that can be
@@ -327,6 +327,9 @@ message UpdateAzureClusterRequest {
   //  *   `annotations`.
   //  *   `authorization.admin_users`.
   //  *   `control_plane.root_volume.size_gib`.
+  //  *   `azure_services_authentication`.
+  //  *   `azure_services_authentication.tenant_id`.
+  //  *   `azure_services_authentication.application_id`.
   //  *   `control_plane.proxy_config`.
   //  *   `control_plane.proxy_config.resource_group_id`.
   //  *   `control_plane.proxy_config.secret_id`.
@@ -347,7 +350,7 @@ message GetAzureClusterRequest {
   // `projects/<project-id>/locations/<region>/azureClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -364,7 +367,7 @@ message ListAzureClustersRequest {
   // Location names are formatted as `projects/<project-id>/locations/<region>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -390,7 +393,7 @@ message ListAzureClustersRequest {
 // Response message for `AzureClusters.ListAzureClusters` method.
 message ListAzureClustersResponse {
   // A list of [AzureCluster][google.cloud.gkemulticloud.v1.AzureCluster]
-  // resources in the specified GCP project and region region.
+  // resources in the specified Google Cloud Platform project and region region.
   repeated AzureCluster azure_clusters = 1;
 
   // Token to retrieve the next page of results, or empty if there are no more
@@ -407,7 +410,7 @@ message DeleteAzureClusterRequest {
   // `projects/<project-id>/locations/<region>/azureClusters/<cluster-id>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string name = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
@@ -679,7 +682,7 @@ message ListAzureClientsRequest {
   // Location names are formatted as `projects/<project-id>/locations/<region>`.
   //
   // See [Resource Names](https://cloud.google.com/apis/design/resource_names)
-  // for more details on GCP resource names.
+  // for more details on Google Cloud Platform resource names.
   string parent = 1 [
     (google.api.field_behavior) = REQUIRED,
     (google.api.resource_reference) = {
diff --git a/google/cloud/gkemulticloud/v1/gkemulticloud_v1.yaml b/google/cloud/gkemulticloud/v1/gkemulticloud_v1.yaml
@@ -68,3 +68,10 @@ authentication:
 
 publishing:
   organization: CLIENT_LIBRARY_ORGANIZATION_UNSPECIFIED
+  new_issue_uri: ''
+  documentation_uri: ''
+  api_short_name: ''
+  github_label: ''
+  doc_tag_prefix: ''
+  codeowner_github_teams:
+  library_settings:
