syntax = "proto3";

package envoy.extensions.transport_sockets.tls.v3;

import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/config_source.proto";
import "envoy/extensions/transport_sockets/tls/v3/common.proto";

import "udpa/core/v1/resource_locator.proto";

import "udpa/annotations/migrate.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";

option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "SecretProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: Secrets configuration]

message GenericSecret {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret";

  // Secret of generic type and is available to filters.
  config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
}

message SdsSecretConfig {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig";

  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  // When both name and config are specified, then secret can be fetched and/or reloaded via
  // SDS. When only name is specified, then secret will be loaded from static resources.
  string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];

  // Resource locator for SDS. This is mutually exclusive to *name*.
  // [#not-implemented-hide:]
  udpa.core.v1.ResourceLocator sds_resource_locator = 3
      [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"];

  config.core.v3.ConfigSource sds_config = 2;
}

// [#next-free-field: 6]
message Secret {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret";

  // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
  string name = 1;

  oneof type {
    TlsCertificate tls_certificate = 2;

    TlsSessionTicketKeys session_ticket_keys = 3;

    CertificateValidationContext validation_context = 4;

    GenericSecret generic_secret = 5;
  }
}