feat: IntroduceMembership API v1alpha2 proto

PiperOrigin-RevId: 350654259

google/cloud/gkehub/v1alpha2/BUILD.bazel

@@ -0,0 +1,175 @@
+# This file was automatically generated by BuildFileGenerator
+
+# This is an API workspace, having public visibility by default makes perfect sense.
+package(default_visibility = ["//visibility:public"])
+
+##############################################################################
+# Common
+##############################################################################
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
+proto_library(
+    name = "gkehub_proto",
+    srcs = [
+        "membership.proto",
+    ],
+    deps = [
+        "//google/api:annotations_proto",
+        "//google/api:client_proto",
+        "//google/api:field_behavior_proto",
+        "//google/api:resource_proto",
+        "//google/longrunning:operations_proto",
+        "@com_google_protobuf//:field_mask_proto",
+        "@com_google_protobuf//:timestamp_proto",
+    ],
+)
+
+##############################################################################
+# Java
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "java_grpc_library",
+    "java_proto_library",
+)
+
+java_proto_library(
+    name = "gkehub_java_proto",
+    deps = [":gkehub_proto"],
+)
+
+java_grpc_library(
+    name = "gkehub_java_grpc",
+    srcs = [":gkehub_proto"],
+    deps = [":gkehub_java_proto"],
+)
+
+##############################################################################
+# Go
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "go_proto_library",
+)
+
+go_proto_library(
+    name = "gkehub_go_proto",
+    compilers = ["@io_bazel_rules_go//proto:go_grpc"],
+    importpath = "google.golang.org/genproto/googleapis/cloud/gkehub/v1alpha2",
+    protos = [":gkehub_proto"],
+    deps = [
+        "//google/api:annotations_go_proto",
+        "//google/longrunning:longrunning_go_proto",
+    ],
+)
+
+##############################################################################
+# Python
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "moved_proto_library",
+    "py_grpc_library",
+    "py_proto_library",
+)
+
+moved_proto_library(
+    name = "gkehub_moved_proto",
+    srcs = [":gkehub_proto"],
+    deps = [
+        "//google/api:annotations_proto",
+        "//google/api:client_proto",
+        "//google/api:field_behavior_proto",
+        "//google/api:resource_proto",
+        "//google/longrunning:operations_proto",
+        "@com_google_protobuf//:field_mask_proto",
+        "@com_google_protobuf//:timestamp_proto",
+    ],
+)
+
+py_proto_library(
+    name = "gkehub_py_proto",
+    plugin = "@protoc_docs_plugin//:docs_plugin",
+    deps = [":gkehub_moved_proto"],
+)
+
+py_grpc_library(
+    name = "gkehub_py_grpc",
+    srcs = [":gkehub_moved_proto"],
+    deps = [":gkehub_py_proto"],
+)
+
+##############################################################################
+# PHP
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "php_grpc_library",
+    "php_proto_library",
+)
+
+php_proto_library(
+    name = "gkehub_php_proto",
+    deps = [":gkehub_proto"],
+)
+
+php_grpc_library(
+    name = "gkehub_php_grpc",
+    srcs = [":gkehub_proto"],
+    deps = [":gkehub_php_proto"],
+)
+
+##############################################################################
+# Node.js
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "nodejs_gapic_assembly_pkg",
+    "nodejs_gapic_library",
+)
+
+
+##############################################################################
+# Ruby
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "ruby_grpc_library",
+    "ruby_proto_library",
+)
+
+ruby_proto_library(
+    name = "gkehub_ruby_proto",
+    deps = [":gkehub_proto"],
+)
+
+ruby_grpc_library(
+    name = "gkehub_ruby_grpc",
+    srcs = [":gkehub_proto"],
+    deps = [":gkehub_ruby_proto"],
+)
+
+##############################################################################
+# C#
+##############################################################################
+load(
+    "@com_google_googleapis_imports//:imports.bzl",
+    "csharp_grpc_library",
+    "csharp_proto_library",
+)
+
+csharp_proto_library(
+    name = "gkehub_csharp_proto",
+    deps = [":gkehub_proto"],
+)
+
+csharp_grpc_library(
+    name = "gkehub_csharp_grpc",
+    srcs = [":gkehub_proto"],
+    deps = [":gkehub_csharp_proto"],
+)
+
+##############################################################################
+# C++
+##############################################################################
+# Put your C++ code here

google/cloud/gkehub/v1alpha2/gkehub_v1alpha2.yaml

@@ -0,0 +1,61 @@
+type: google.api.Service
+config_version: 3
+name: gkehub.googleapis.com
+title: GKE Hub
+
+apis:
+- name: google.cloud.gkehub.v1alpha2.GkeHub
+
+types:
+- name: google.cloud.gkehub.v1alpha2.OperationMetadata
+
+documentation:
+  rules:
+  - selector: google.iam.v1.IAMPolicy.GetIamPolicy
+    description: |-
+      Gets the access control policy for a resource. Returns an empty policy
+      if the resource exists and does not have a policy set.
+
+  - selector: google.iam.v1.IAMPolicy.SetIamPolicy
+    description: |-
+      Sets the access control policy on the specified resource. Replaces
+      any existing policy.
+
+      Can return `NOT_FOUND`, `INVALID_ARGUMENT`, and `PERMISSION_DENIED`
+      errors.
+
+  - selector: google.iam.v1.IAMPolicy.TestIamPermissions
+    description: |-
+      Returns permissions that a caller has on the specified resource. If the
+      resource does not exist, this will return an empty set of
+      permissions, not a `NOT_FOUND` error.
+
+      Note: This operation is designed to be used for building
+      permission-aware UIs and command-line tools, not for authorization
+      checking. This operation may "fail open" without warning.
+
+backend:
+  rules:
+  - selector: 'google.cloud.gkehub.v1alpha2.GkeHub.*'
+    deadline: 60.0
+  - selector: 'google.iam.v1.IAMPolicy.*'
+    deadline: 60.0
+  - selector: 'google.longrunning.Operations.*'
+    deadline: 60.0
+  - selector: google.longrunning.Operations.GetOperation
+    deadline: 5.0
+
+authentication:
+  rules:
+  - selector: 'google.cloud.gkehub.v1alpha2.GkeHub.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform
+  - selector: 'google.iam.v1.IAMPolicy.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform
+  - selector: 'google.longrunning.Operations.*'
+    oauth:
+      canonical_scopes: |-
+        https://www.googleapis.com/auth/cloud-platform

google/cloud/gkehub/v1alpha2/membership.proto

@@ -0,0 +1,633 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.gkehub.v1alpha2;
+
+import "google/api/annotations.proto";
+import "google/api/client.proto";
+import "google/api/field_behavior.proto";
+import "google/api/resource.proto";
+import "google/longrunning/operations.proto";
+import "google/protobuf/field_mask.proto";
+import "google/protobuf/timestamp.proto";
+
+option go_package = "google.golang.org/genproto/googleapis/cloud/gkehub/v1alpha2;gkehub";
+option java_multiple_files = true;
+option java_outer_classname = "MembershipProto";
+option java_package = "com.google.cloud.gkehub.v1alpha2";
+
+// GKE Hub CRUD API for the Membership resource.
+// The Membership service is currently only available in the global location.
+service GkeHub {
+  option (google.api.default_host) = "gkehub.googleapis.com";
+  option (google.api.oauth_scopes) = "https://www.googleapis.com/auth/cloud-platform";
+
+  // Lists Memberships in a given project and location.
+  rpc ListMemberships(ListMembershipsRequest) returns (ListMembershipsResponse) {
+    option (google.api.http) = {
+      get: "/v1alpha2/{parent=projects/*/locations/*}/memberships"
+    };
+    option (google.api.method_signature) = "parent";
+  }
+
+  // Gets the details of a Membership.
+  rpc GetMembership(GetMembershipRequest) returns (Membership) {
+    option (google.api.http) = {
+      get: "/v1alpha2/{name=projects/*/locations/*/memberships/*}"
+    };
+    option (google.api.method_signature) = "name";
+  }
+
+  // Adds a new Membership.
+  rpc CreateMembership(CreateMembershipRequest) returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      post: "/v1alpha2/{parent=projects/*/locations/*}/memberships"
+      body: "resource"
+    };
+    option (google.api.method_signature) = "parent,resource,membership_id";
+    option (google.longrunning.operation_info) = {
+      response_type: "Membership"
+      metadata_type: "OperationMetadata"
+    };
+  }
+
+  // Removes a Membership.
+  rpc DeleteMembership(DeleteMembershipRequest) returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      delete: "/v1alpha2/{name=projects/*/locations/*/memberships/*}"
+    };
+    option (google.api.method_signature) = "name";
+    option (google.longrunning.operation_info) = {
+      response_type: "google.protobuf.Empty"
+      metadata_type: "OperationMetadata"
+    };
+  }
+
+  // Updates an existing Membership.
+  rpc UpdateMembership(UpdateMembershipRequest) returns (google.longrunning.Operation) {
+    option (google.api.http) = {
+      patch: "/v1alpha2/{name=projects/*/locations/*/memberships/*}"
+      body: "resource"
+    };
+    option (google.api.method_signature) = "name,resource,update_mask";
+    option (google.longrunning.operation_info) = {
+      response_type: "Membership"
+      metadata_type: "OperationMetadata"
+    };
+  }
+
+  // Generates the manifest for deployment of the GKE connect agent.
+  rpc GenerateConnectManifest(GenerateConnectManifestRequest) returns (GenerateConnectManifestResponse) {
+    option (google.api.http) = {
+      get: "/v1alpha2/{name=projects/*/locations/*/memberships/*}:generateConnectManifest"
+    };
+  }
+
+  // Initializes the Hub in this project, which includes creating the default
+  // Hub Service Account and the Hub Workload Identity Pool. Initialization is
+  // optional, and happens automatically when the first Membership is created.
+  //
+  // InitializeHub should be called when the first Membership cannot be
+  // registered without these resources. A common example is granting the Hub
+  // Service Account access to another project, which requires the account to
+  // exist first.
+  rpc InitializeHub(InitializeHubRequest) returns (InitializeHubResponse) {
+    option (google.api.http) = {
+      post: "/v1alpha2/{project=projects/*/locations/global/memberships}:initializeHub"
+      body: "*"
+    };
+  }
+}
+
+// Membership contains information about a member cluster.
+message Membership {
+  option (google.api.resource) = {
+    type: "gkehub.googleapis.com/Membership"
+    pattern: "projects/{project}/locations/{location}/memberships/{membership}"
+  };
+
+  // Specifies the infrastructure type of a Membership. Infrastructure type is
+  // used by Hub to control infrastructure-specific behavior, including pricing.
+  //
+  // Each GKE distribution (on-GCP, on-Prem, on-X,...) will set this field
+  // automatically, but Attached Clusters customers should specify a type
+  // during registration.
+  enum InfrastructureType {
+    // No type was specified. Some Hub functionality may require a type be
+    // specified, and will not support Memberships with this value.
+    INFRASTRUCTURE_TYPE_UNSPECIFIED = 0;
+
+    // Private infrastructure that is owned or operated by customer. This
+    // includes GKE distributions such as GKE-OnPrem and GKE-OnBareMetal.
+    ON_PREM = 1;
+
+    // Public cloud infrastructure.
+    MULTI_CLOUD = 2;
+  }
+
+  // Output only. The full, unique name of this Membership resource in the format
+  // `projects/*/locations/*/memberships/{membership_id}`, set during creation.
+  //
+  // `membership_id` must be a valid RFC 1123 compliant DNS label:
+  //
+  //   1. At most 63 characters in length
+  //   2. It must consist of lower case alphanumeric characters or `-`
+  //   3. It must start and end with an alphanumeric character
+  //
+  // Which can be expressed as the regex: `[a-z0-9]([-a-z0-9]*[a-z0-9])?`,
+  // with a maximum length of 63 characters.
+  string name = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. GCP labels for this membership.
+  map<string, string> labels = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Output only. Description of this membership, limited to 63 characters.
+  // Must match the regex: `[a-zA-Z0-9][a-zA-Z0-9_\-\.\ ]*`
+  //
+  // This field is present for legacy purposes.
+  string description = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Type of resource represented by this Membership
+  oneof type {
+    // Optional. Endpoint information to reach this member.
+    MembershipEndpoint endpoint = 4 [(google.api.field_behavior) = OPTIONAL];
+  }
+
+  // Output only. State of the Membership resource.
+  MembershipState state = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. When the Membership was created.
+  google.protobuf.Timestamp create_time = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. When the Membership was last updated.
+  google.protobuf.Timestamp update_time = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. When the Membership was deleted.
+  google.protobuf.Timestamp delete_time = 8 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. An externally-generated and managed ID for this Membership. This ID may
+  // be modified after creation, but this is not recommended. For GKE clusters,
+  // external_id is managed by the Hub API and updates will be ignored.
+  //
+  // The ID must match the regex: `[a-zA-Z0-9][a-zA-Z0-9_\-\.]*`
+  //
+  // If this Membership represents a Kubernetes cluster, this value should be
+  // set to the UID of the `kube-system` namespace object.
+  string external_id = 9 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. How to identify workloads from this Membership.
+  // See the documentation on Workload Identity for more details:
+  // https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
+  Authority authority = 10 [(google.api.field_behavior) = OPTIONAL];
+
+  // Output only. For clusters using Connect, the timestamp of the most recent connection
+  // established with Google Cloud. This time is updated every several minutes,
+  // not continuously. For clusters that do not use GKE Connect, or that have
+  // never connected successfully, this field will be unset.
+  google.protobuf.Timestamp last_connection_time = 11 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Google-generated UUID for this resource. This is unique across all
+  // Membership resources. If a Membership resource is deleted and another
+  // resource with the same name is created, it gets a different unique_id.
+  string unique_id = 12 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. The infrastructure type this Membership is running on.
+  InfrastructureType infrastructure_type = 13 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// MembershipEndpoint contains information needed to contact a Kubernetes API,
+// endpoint and any additional Kubernetes metadata.
+message MembershipEndpoint {
+  // Optional. GKE-specific information. Only present if this Membership is a GKE cluster.
+  GkeCluster gke_cluster = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Output only. Useful Kubernetes-specific metadata.
+  KubernetesMetadata kubernetes_metadata = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. The in-cluster Kubernetes Resources that should be applied for a correctly
+  // registered cluster, in the steady state. These resources:
+  //
+  //   * Ensure that the cluster is exclusively registered to one and only one
+  //     Hub Membership.
+  //   * Propagate Workload Pool Information available in the Membership
+  //     Authority field.
+  //   * Ensure proper initial configuration of default Hub Features.
+  KubernetesResource kubernetes_resource = 3 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// KubernetesResource contains the YAML manifests and configuration for
+// Membership Kubernetes resources in the cluster. After CreateMembership or
+// UpdateMembership, these resources should be re-applied in the cluster.
+message KubernetesResource {
+  // Input only. The YAML representation of the Membership CR. This field is ignored for GKE
+  // clusters where Hub can read the CR directly.
+  //
+  // Callers should provide the CR that is currently present in the cluster
+  // during Create or Update, or leave this field empty if none exists. The CR
+  // manifest is used to validate the cluster has not been registered with
+  // another Membership.
+  string membership_cr_manifest = 1 [(google.api.field_behavior) = INPUT_ONLY];
+
+  // Output only. Additional Kubernetes resources that need to be applied to the cluster
+  // after Membership creation, and after every update.
+  //
+  // This field is only populated in the Membership returned from a successful
+  // long-running operation from CreateMembership or UpdateMembership. It is not
+  // populated during normal GetMembership or ListMemberships requests. To get
+  // the resource manifest after the initial registration, the caller should
+  // make a UpdateMembership call with an empty field mask.
+  repeated ResourceManifest membership_resources = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The Kubernetes resources for installing the GKE Connect agent.
+  //
+  // This field is only populated in the Membership returned from a successful
+  // long-running operation from CreateMembership or UpdateMembership. It is not
+  // populated during normal GetMembership or ListMemberships requests. To get
+  // the resource manifest after the initial registration, the caller should
+  // make a UpdateMembership call with an empty field mask.
+  repeated ResourceManifest connect_resources = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Optional. Options for Kubernetes resource generation.
+  ResourceOptions resource_options = 5 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// ResourceOptions represent options for Kubernetes resource generation.
+message ResourceOptions {
+  // Optional. The Connect agent version to use for connect_resources. Defaults to the
+  // latest GKE Connect version. The version must be a currently supported
+  // version, obsolete versions will be rejected.
+  string connect_version = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Use `apiextensions/v1beta1` instead of `apiextensions/v1` for
+  // CustomResourceDefinition resources.
+  // This option should be set for clusters with Kubernetes apiserver versions
+  // <1.16.
+  bool v1beta1_crd = 2 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// GkeCluster contains information specific to GKE clusters.
+message GkeCluster {
+  // Immutable. Self-link of the GCP resource for the GKE cluster. For example:
+  //
+  //     //container.googleapis.com/projects/my-project/locations/us-west1-a/clusters/my-cluster
+  //
+  // Zonal clusters are also supported.
+  string resource_link = 1 [(google.api.field_behavior) = IMMUTABLE];
+}
+
+// KubernetesMetadata provides informational metadata for Memberships
+// that are created from Kubernetes Endpoints (currently, these are equivalent
+// to Kubernetes clusters).
+message KubernetesMetadata {
+  // Output only. Kubernetes API server version string as reported by '/version'.
+  string kubernetes_api_server_version = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Node providerID as reported by the first node in the list of nodes on
+  // the Kubernetes endpoint. On Kubernetes platforms that support zero-node
+  // clusters (like GKE-on-GCP), the node_count will be zero and the
+  // node_provider_id will be empty.
+  string node_provider_id = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Node count as reported by Kubernetes nodes resources.
+  int32 node_count = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. vCPU count as reported by Kubernetes nodes resources.
+  int32 vcpu_count = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The total memory capacity as reported by the sum of all Kubernetes nodes
+  // resources, defined in MB.
+  int32 memory_mb = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The time at which these details were last updated. This update_time is
+  // different from the Membership-level update_time since EndpointDetails are
+  // updated internally for API consumers.
+  google.protobuf.Timestamp update_time = 100 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
+
+// Authority encodes how Google will recognize identities from this Membership.
+// See the workload identity documentation for more details:
+// https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
+message Authority {
+  // Optional. A JSON Web Token (JWT) issuer URI. `issuer` must start with `https://` and
+  // be a valid URL with length <2000 characters.
+  //
+  // If set, then Google will allow valid OIDC tokens from this issuer to
+  // authenticate within the workload_identity_pool. OIDC discovery will be
+  // performed on this URI to validate tokens from the issuer, unless
+  // `oidc_jwks` is set.
+  //
+  // Clearing `issuer` disables Workload Identity. `issuer` cannot be directly
+  // modified; it must be cleared (and Workload Identity disabled) before using
+  // a new issuer (and re-enabling Workload Identity).
+  string issuer = 1 [(google.api.field_behavior) = OPTIONAL];
+
+  // Output only. An identity provider that reflects the `issuer` in the workload identity
+  // pool.
+  string identity_provider = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The name of the workload identity pool in which `issuer` will be
+  // recognized.
+  //
+  // There is a single Workload Identity Pool per Hub that is shared
+  // between all Memberships that belong to that Hub. For a Hub hosted in
+  // {PROJECT_ID}, the workload pool format is `{PROJECT_ID}.hub.id.goog`,
+  // although this is subject to change in newer versions of this API.
+  string workload_identity_pool = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
+
+// MembershipState describes the state of a Membership resource.
+message MembershipState {
+  // Code describes the state of a Membership resource.
+  enum Code {
+    // The code is not set.
+    CODE_UNSPECIFIED = 0;
+
+    // The cluster is being registered.
+    CREATING = 1;
+
+    // The cluster is registered.
+    READY = 2;
+
+    // The cluster is being unregistered.
+    DELETING = 3;
+
+    // The Membership is being updated.
+    UPDATING = 4;
+
+    // The Membership is being updated by the Hub Service.
+    SERVICE_UPDATING = 5;
+  }
+
+  // Output only. The current state of the Membership resource.
+  Code code = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+}
+
+// Request message for `GkeHub.ListMemberships` method.
+message ListMembershipsRequest {
+  // Required. The parent (project and location) where the Memberships will be listed.
+  // Specified in the format `projects/*/locations/*`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "gkehub.googleapis.com/Membership"
+    }
+  ];
+
+  // Optional. When requesting a 'page' of resources, `page_size` specifies number of
+  // resources to return. If unspecified or set to 0, all resources will
+  // be returned.
+  int32 page_size = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Token returned by previous call to `ListMemberships` which
+  // specifies the position in the list from where to continue listing the
+  // resources.
+  string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. Lists Memberships that match the filter expression, following the syntax
+  // outlined in https://google.aip.dev/160.
+  //
+  // Examples:
+  //
+  //   - Name is `bar` in project `foo-proj` and location `global`:
+  //
+  //       name = "projects/foo-proj/locations/global/membership/bar"
+  //
+  //   - Memberships that have a label called `foo`:
+  //
+  //       labels.foo:*
+  //
+  //   - Memberships that have a label called `foo` whose value is `bar`:
+  //
+  //       labels.foo = bar
+  //
+  //   - Memberships in the CREATING state:
+  //
+  //       state = CREATING
+  string filter = 4 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. One or more fields to compare and use to sort the output.
+  // See https://google.aip.dev/132#ordering.
+  string order_by = 5 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// Response message for the `GkeHub.ListMemberships` method.
+message ListMembershipsResponse {
+  // The list of matching Memberships.
+  repeated Membership resources = 1;
+
+  // A token to request the next page of resources from the
+  // `ListMemberships` method. The value of an empty string means that
+  // there are no more resources to return.
+  string next_page_token = 2;
+
+  // List of locations that could not be reached while fetching this list.
+  repeated string unreachable = 3;
+}
+
+// Request message for `GkeHub.GetMembership` method.
+message GetMembershipRequest {
+  // Required. The Membership resource name in the format
+  // `projects/*/locations/*/memberships/*`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "gkehub.googleapis.com/Membership"
+    }
+  ];
+}
+
+// Request message for the `GkeHub.CreateMembership` method.
+message CreateMembershipRequest {
+  // Required. The parent (project and location) where the Memberships will be created.
+  // Specified in the format `projects/*/locations/*`.
+  string parent = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      child_type: "gkehub.googleapis.com/Membership"
+    }
+  ];
+
+  // Required. Client chosen ID for the membership. `membership_id` must be a valid RFC
+  // 1123 compliant DNS label:
+  //
+  //   1. At most 63 characters in length
+  //   2. It must consist of lower case alphanumeric characters or `-`
+  //   3. It must start and end with an alphanumeric character
+  //
+  // Which can be expressed as the regex: `[a-z0-9]([-a-z0-9]*[a-z0-9])?`,
+  // with a maximum length of 63 characters.
+  string membership_id = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. The membership to create.
+  Membership resource = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for `GkeHub.DeleteMembership` method.
+message DeleteMembershipRequest {
+  // Required. The Membership resource name in the format
+  // `projects/*/locations/*/memberships/*`.
+  string name = 1 [
+    (google.api.field_behavior) = REQUIRED,
+    (google.api.resource_reference) = {
+      type: "gkehub.googleapis.com/Membership"
+    }
+  ];
+}
+
+// Request message for `GkeHub.UpdateMembership` method.
+message UpdateMembershipRequest {
+  // Required. The Membership resource name in the format
+  // `projects/*/locations/*/memberships/*`.
+  string name = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. Mask of fields to update.
+  google.protobuf.FieldMask update_mask = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. Only fields specified in update_mask are updated.
+  // If you specify a field in the update_mask but don't specify its value here
+  // that field will be deleted.
+  // If you are updating a map field, set the value of a key to null or empty
+  // string to delete the key from the map. It's not possible to update a key's
+  // value to the empty string.
+  Membership resource = 3 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Request message for `GkeHub.GenerateConnectManifest`
+// method.
+// .
+message GenerateConnectManifestRequest {
+  // Required. The Membership resource name the Agent will associate with, in the format
+  // `projects/*/locations/*/memberships/*`.
+  string name = 1 [(google.api.field_behavior) = REQUIRED];
+
+  // Optional. Namespace for GKE Connect agent resources. Defaults to `gke-connect`.
+  //
+  // The Connect Agent is authorized automatically when run in the default
+  // namespace. Otherwise, explicit authorization must be granted with an
+  // additional IAM binding.
+  string namespace = 2 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. URI of a proxy if connectivity from the agent to gkeconnect.googleapis.com
+  // requires the use of a proxy. Format must be in the form
+  // `http(s)://{proxy_address}`, depending on the HTTP/HTTPS protocol
+  // supported by the proxy. This will direct the connect agent's outbound
+  // traffic through a HTTP(S) proxy.
+  bytes proxy = 3 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The Connect agent version to use. Defaults to the most current version.
+  string version = 4 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. If true, generate the resources for upgrade only. Some resources
+  // generated only for installation (e.g. secrets) will be excluded.
+  bool is_upgrade = 5 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The registry to fetch the connect agent image from. Defaults to
+  // gcr.io/gkeconnect.
+  string registry = 6 [(google.api.field_behavior) = OPTIONAL];
+
+  // Optional. The image pull secret content for the registry, if not public.
+  bytes image_pull_secret_content = 7 [(google.api.field_behavior) = OPTIONAL];
+}
+
+// GenerateConnectManifestResponse contains manifest information for
+// installing/upgrading a Connect agent.
+message GenerateConnectManifestResponse {
+  // The ordered list of Kubernetes resources that need to be applied to the
+  // cluster for GKE Connect agent installation/upgrade.
+  repeated ConnectAgentResource manifest = 1;
+}
+
+// ConnectAgentResource represents a Kubernetes resource manifest for Connect
+// Agent deployment.
+message ConnectAgentResource {
+  // Kubernetes type of the resource.
+  TypeMeta type = 1;
+
+  // YAML manifest of the resource.
+  string manifest = 2;
+}
+
+// ResourceManifest represents a single Kubernetes resource to be applied to
+// the cluster.
+message ResourceManifest {
+  // YAML manifest of the resource.
+  string manifest = 1;
+
+  // Whether the resource provided in the manifest is `cluster_scoped`.
+  // If unset, the manifest is assumed to be namespace scoped.
+  //
+  // This field is used for REST mapping when applying the resource in a
+  // cluster.
+  bool cluster_scoped = 2;
+}
+
+// TypeMeta is the type information needed for content unmarshalling of
+// Kubernetes resources in the manifest.
+message TypeMeta {
+  // Kind of the resource (e.g. Deployment).
+  string kind = 1;
+
+  // APIVersion of the resource (e.g. v1).
+  string api_version = 2;
+}
+
+// Request message for the InitializeHub method.
+message InitializeHubRequest {
+  // Required. The Hub to initialize, in the format
+  // `projects/*/locations/*/memberships/*`.
+  string project = 1 [(google.api.field_behavior) = REQUIRED];
+}
+
+// Response message for the InitializeHub method.
+message InitializeHubResponse {
+  // Name of the Hub default service identity, in the format:
+  //
+  //     service-<project-number>@gcp-sa-gkehub.iam.gserviceaccount.com
+  //
+  // The service account has `roles/gkehub.serviceAgent` in the Hub project.
+  string service_identity = 1;
+
+  // The Workload Identity Pool used for Workload Identity-enabled clusters
+  // registered with this Hub. Format: `<project-id>.hub.id.goog`
+  string workload_identity_pool = 2;
+}
+
+// Represents the metadata of the long-running operation.
+message OperationMetadata {
+  // Output only. The time the operation was created.
+  google.protobuf.Timestamp create_time = 1 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. The time the operation finished running.
+  google.protobuf.Timestamp end_time = 2 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Server-defined resource path for the target of the operation.
+  string target = 3 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Name of the verb executed by the operation.
+  string verb = 4 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Human-readable status of the operation, if any.
+  string status_detail = 5 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. Identifies whether the user has requested cancellation
+  // of the operation. Operations that have successfully been cancelled
+  // have [Operation.error][] value with a [google.rpc.Status.code][google.rpc.Status.code] of 1,
+  // corresponding to `Code.CANCELLED`.
+  bool cancel_requested = 6 [(google.api.field_behavior) = OUTPUT_ONLY];
+
+  // Output only. API version used to start the operation.
+  string api_version = 7 [(google.api.field_behavior) = OUTPUT_ONLY];
+}

google/cloud/gkehub/v1alpha2/membership_grpc_service_config.json

@@ -0,0 +1,13 @@
+{
+  "methodConfig": [{
+    "name": [{ "service": "google.cloud.gkehub.v1alpha2.GkeHub" }],
+    "timeout": "60s",
+    "retryPolicy": {
+      "maxAttempts": 5,
+      "initialBackoff": "1s",
+      "maxBackoff": "10s",
+      "backoffMultiplier": 1.3,
+      "retryableStatusCodes": ["UNAVAILABLE"]
+    }
+  }]
+}