api: Add config message for MeshCA certificateProvider plugin.

This is a follow up from envoyproxy#11061
which added support for sending arbitrary certificateProvider plugin
configuration.

Signed-off-by: Easwar Swaminathan <easwars@google.com>

api/bazel/repository_locations.bzl

@@ -33,7 +33,7 @@ REPOSITORY_LOCATIONS = dict(
         urls = ["https://github.com/envoyproxy/protoc-gen-validate/archive/" + PGV_GIT_SHA + ".tar.gz"],
     ),
     com_google_googleapis = dict(
-        # TODO(dio): Consider writing a Skylark macro for importing Google API proto.
+        # TODO(dio): Consider writing a Starlark macro for importing Google API proto.
         sha256 = GOOGLEAPIS_SHA,
         strip_prefix = "googleapis-" + GOOGLEAPIS_GIT_SHA,
         urls = ["https://github.com/googleapis/googleapis/archive/" + GOOGLEAPIS_GIT_SHA + ".tar.gz"],

api/envoy/extensions/transport_sockets/tls/v3/meshca.proto

@@ -0,0 +1,56 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.v3;
+
+import "envoy/config/core/v3/config_source.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
+option java_outer_classname = "MeshcaProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: GoogleMeshCA Configuration]
+// GoogleMeshCaConfig contains all configuration parameters required by the
+// MeshCA CertificateProvider plugin implementation.
+// [#next-free-field: 7]
+message GoogleMeshCaConfig {
+  // Type of key to be embedded in CSRs sent to the MeshCA.
+  enum KeyType {
+    KEY_TYPE_UNKNOWN = 0;
+    KEY_TYPE_RSA = 1;
+  }
+
+  // GoogleMeshCA server endpoint to get CSRs signed via the *CreateCertificate*
+  // unary call. This must have :ref:`api_type
+  // <envoy_api_field_config.core.v3.ApiConfigSource.api_type>` :ref:`GRPC
+  // <envoy_api_enum_value_config.core.v3.ApiConfigSource.ApiType.GRPC>`.
+  // STS based call credentials need to be supplied in :ref:`call_credentials
+  // <envoy_api_field_config.core.v3.GrpcService.GoogleGrpc.call_credentials>`.
+  // If :ref:`timeout envoy_api_field_config.core.v3.GrpcService.timeout` is
+  // left unspecified, a default value of 10s will be used.
+  config.core.v3.ApiConfigSource server = 1;
+
+  // Certificate lifetime to request in CSRs sent to the MeshCA.
+  // A default value of 24h will be used if left unspecified.
+  google.protobuf.Duration certificate_lifetime = 2;
+
+  // How long before certificate expiration to renew the certificate.
+  // A default value of 12h will be used if left unspecified.
+  google.protobuf.Duration renewal_grace_period = 3;
+
+  // Type of key.
+  // RSA keys will be used if left unspecified.
+  KeyType key_type = 4;
+
+  // Size of the key in bits.
+  // 2048 bit keys will be used if left unspecified.
+  uint32 key_size = 5;
+
+  // GCE zone where the workload is located.
+  // GCE/GKE Metadata Server will be contacted if left unspecified.
+  string gce_compute_zone = 6;
+}

api/envoy/extensions/transport_sockets/tls/v4alpha/meshca.proto

@@ -0,0 +1,60 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.v4alpha;
+
+import "envoy/config/core/v4alpha/config_source.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha";
+option java_outer_classname = "MeshcaProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: GoogleMeshCA Configuration]
+// GoogleMeshCaConfig contains all configuration parameters required by the
+// MeshCA CertificateProvider plugin implementation.
+// [#next-free-field: 7]
+message GoogleMeshCaConfig {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.transport_sockets.tls.v3.GoogleMeshCaConfig";
+
+  // Type of key to be embedded in CSRs sent to the MeshCA.
+  enum KeyType {
+    KEY_TYPE_UNKNOWN = 0;
+    KEY_TYPE_RSA = 1;
+  }
+
+  // GoogleMeshCA server endpoint to get CSRs signed via the *CreateCertificate*
+  // unary call. This must have :ref:`api_type
+  // <envoy_api_field_config.core.v4alpha.ApiConfigSource.api_type>` :ref:`GRPC
+  // <envoy_api_enum_value_config.core.v4alpha.ApiConfigSource.ApiType.GRPC>`.
+  // STS based call credentials need to be supplied in :ref:`call_credentials
+  // <envoy_api_field_config.core.v4alpha.GrpcService.GoogleGrpc.call_credentials>`.
+  // If :ref:`timeout envoy_api_field_config.core.v3.GrpcService.timeout` is
+  // left unspecified, a default value of 10s will be used.
+  config.core.v4alpha.ApiConfigSource server = 1;
+
+  // Certificate lifetime to request in CSRs sent to the MeshCA.
+  // A default value of 24h will be used if left unspecified.
+  google.protobuf.Duration certificate_lifetime = 2;
+
+  // How long before certificate expiration to renew the certificate.
+  // A default value of 12h will be used if left unspecified.
+  google.protobuf.Duration renewal_grace_period = 3;
+
+  // Type of key.
+  // RSA keys will be used if left unspecified.
+  KeyType key_type = 4;
+
+  // Size of the key in bits.
+  // 2048 bit keys will be used if left unspecified.
+  uint32 key_size = 5;
+
+  // GCE zone where the workload is located.
+  // GCE/GKE Metadata Server will be contacted if left unspecified.
+  string gce_compute_zone = 6;
+}

bazel/envoy_library.bzl

@@ -21,7 +21,7 @@ def tcmalloc_external_deps(repository):
 
 # Envoy C++ library targets that need no transformations or additional dependencies before being
 # passed to cc_library should be specified with this function. Note: this exists to ensure that
-# all envoy targets pass through an envoy-declared skylark function where they can be modified
+# all envoy targets pass through an envoy-declared starlark function where they can be modified
 # before being passed to a native bazel function.
 def envoy_basic_cc_library(name, deps = [], external_deps = [], **kargs):
     cc_library(

bazel/genrule_repository.bzl

@@ -68,7 +68,7 @@ def _genrule_cc_deps(ctx):
 genrule_cc_deps = rule(
     attrs = {
         "deps": attr.label_list(
-            providers = [],  # CcSkylarkApiProvider
+            providers = [],  # CcStarlarkApiProvider
             mandatory = True,
             allow_empty = False,
         ),

tools/protodoc/protodoc.bzl

@@ -3,7 +3,7 @@ load("//tools/api_proto_plugin:plugin.bzl", "api_proto_plugin_aspect", "api_prot
 def _protodoc_impl(target, ctx):
     return api_proto_plugin_impl(target, ctx, "rst", "protodoc", [".rst"])
 
-# Bazel aspect (https://docs.bazel.build/versions/master/skylark/aspects.html)
+# Bazel aspect (https://docs.bazel.build/versions/master/starlark/aspects.html)
 # that can be invoked from the CLI to produce docs via //tools/protodoc for
 # proto_library targets. Example use:
 #

tools/protoxform/protoxform.bzl

@@ -13,7 +13,7 @@ def _protoxform_impl(target, ctx):
         ],
     )
 
-# Bazel aspect (https://docs.bazel.build/versions/master/skylark/aspects.html)
+# Bazel aspect (https://docs.bazel.build/versions/master/starlark/aspects.html)
 # that can be invoked from the CLI to perform API transforms via //tools/protoxform for
 # proto_library targets. Example use:
 #

tools/spelling/spelling_dictionary.txt

@@ -116,6 +116,7 @@ GCM
 GCOVR
 GCP
 GETting
+GKE
 GLB
 GOAWAY
 GRPC

tools/type_whisperer/type_whisperer.bzl

@@ -3,7 +3,7 @@ load("//tools/api_proto_plugin:plugin.bzl", "api_proto_plugin_aspect", "api_prot
 def _type_whisperer_impl(target, ctx):
     return api_proto_plugin_impl(target, ctx, "types_pb_text", "TypeWhisperer", [".types.pb_text"])
 
-# Bazel aspect (https://docs.bazel.build/versions/master/skylark/aspects.html)
+# Bazel aspect (https://docs.bazel.build/versions/master/starlark/aspects.html)
 # that can be invoked from the CLI to perform API type analysis via //tools/type_whisperer for
 # proto_library targets. Example use:
 #