From 753387400864b66236e218fca741228345ceb8ad Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Mon, 29 Oct 2018 02:44:43 +0000
Subject: [PATCH] alts: add ALTS config and integration test (#4559)
Last one for #3429, introduce ALTS config and add integration test. Risk Level: Low (extension) Testing: manual test, integration test, CI Docs Changes: Done Release Notes: Fixes #3429. Signed-off-by: JimmyCYJ Mirrored from https://github.com/envoyproxy/envoy @ f9edb521ce641ee16cd59e756604d201a8ad3526
---
.../transport_socket/alts/v2alpha/BUILD | 11 ++++++++++
.../transport_socket/alts/v2alpha/alts.proto | 20 +++++++++++++++++++
2 files changed, 31 insertions(+)
create mode 100644 envoy/config/transport_socket/alts/v2alpha/BUILD
create mode 100644 envoy/config/transport_socket/alts/v2alpha/alts.proto
diff --git a/envoy/config/transport_socket/alts/v2alpha/BUILD b/envoy/config/transport_socket/alts/v2alpha/BUILD
new file mode 100644
index 00000000..03934075
--- /dev/null
+++ b/envoy/config/transport_socket/alts/v2alpha/BUILD
@@ -0,0 +1,11 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_library(
+ name = "alts",
+ srcs = ["alts.proto"],
+ deps = [
+ "//envoy/api/v2/core:base",
+ ],
+)
diff --git a/envoy/config/transport_socket/alts/v2alpha/alts.proto b/envoy/config/transport_socket/alts/v2alpha/alts.proto
new file mode 100644
index 00000000..a4d414c0
--- /dev/null
+++ b/envoy/config/transport_socket/alts/v2alpha/alts.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+package envoy.config.transport_socket.alts.v2alpha;
+option go_package = "v2";
+
+// [#protodoc-title: ALTS]
+
+import "validate/validate.proto";
+
+// Configuration for ALTS transport socket. This provides Google's ALTS protocol to Envoy.
+// https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/
+message Alts {
+ // The location of a handshaker service, this is usually 169.254.169.254:8080
+ // on GCE.
+ string handshaker_service = 1 [(validate.rules).string.min_bytes = 1];
+
+ // The acceptable service accounts from peer, peers not in the list will be rejected in the
+ // handshake validation step. If empty, no validation will be performed.
+ repeated string peer_service_accounts = 2;
+}
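Review bot: `peer_service_accounts` fails open: per its own comment an empty list means "no validation will be performed", so a config that omits the field presumably accepts any peer that completes the ALTS handshake, giving encryption without peer authorization. The field comment should say so in operator terms, for example `// If empty, ANY peer that completes the ALTS handshake is accepted; set this list to restrict which service accounts may connect.` The entries also carry no validation rule, unlike `handshaker_service`; adding `(validate.rules).repeated.items.string.min_bytes = 1` would reject empty-string entries at config load rather than leaving them to the handshake validator. It is also worth documenting on `handshaker_service` that this address is trusted to perform the handshake, so it should only point at the platform-provided endpoint.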