const (
    // SecretType is used for secret discovery service to construct response.
    SecretTypeV2 = "type.googleapis.com/envoy.api.v2.auth.Secret"
    SecretTypeV3 = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
)

type ClientDebug struct {
    ConnectionID string `json:"connection_id"`
    ProxyID      string `json:"proxy"`
    ResourceName string `json:"resource_name"`

    // fields from secret item
    CertificateChain string `json:"certificate_chain"`
    RootCert         string `json:"root_cert"`
    CreatedTime      string `json:"created_time"`
    ExpireTime       string `json:"expire_time"`
}

type Debug struct {
    Clients []ClientDebug `json:"clients"`
}

type Options struct {
    // PluginNames is plugins' name for certain authentication provider.
    PluginNames []string

    // WorkloadUDSPath is the unix domain socket through which SDS server communicates with workload proxies.
    WorkloadUDSPath string

    // IngressGatewayUDSPath is the unix domain socket through which SDS server communicates with
    // ingress gateway proxies.
    IngressGatewayUDSPath string

    // CertFile is the path of Cert File for gRPC server TLS settings.
    CertFile string

    // KeyFile is the path of Key File for gRPC server TLS settings.
    KeyFile string

    // CAEndpoint is the CA endpoint to which node agent sends CSR request.
    CAEndpoint string

    // The CA provider name.
    CAProviderName string

    // TrustDomain corresponds to the trust root of a system.
    // https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    TrustDomain string

    // The Vault CA address.
    VaultAddress string

    // The Vault auth path.
    VaultAuthPath string

    // The Vault role.
    VaultRole string

    // The Vault sign CSR path.
    VaultSignCsrPath string

    // The Vault TLS root certificate.
    VaultTLSRootCert string

    // GrpcServer is an already configured (shared) grpc server. If set, the agent will just register on the server.
    GrpcServer *grpc.Server

    // Recycle job running interval (to clean up staled sds client connections).
    RecycleInterval time.Duration

    // Debug server port from which node_agent serves SDS configuration dumps
    DebugPort int

    // EnableWorkloadSDS indicates whether node agent works as SDS server for workload proxies.
    EnableWorkloadSDS bool

    // EnableIngressGatewaySDS indicates whether node agent works as ingress gateway agent.
    EnableIngressGatewaySDS bool

    // AlwaysValidTokenFlag is set to true for if token used is always valid(ex, normal k8s JWT)
    AlwaysValidTokenFlag bool

    // UseLocalJWT is set when the sds server should use its own local JWT, and not expect one
    // from the UDS caller. Used when it runs in the same container with Envoy.
    UseLocalJWT bool

    // Whether to generate PKCS#8 private keys.
    Pkcs8Keys bool

    // JWTPath is the path for the JWT token
    JWTPath string

    // OutputKeyCertToDir is the directory for output the key and certificate
    OutputKeyCertToDir string

    // Existing certs, for VM or existing certificates
    CertsDir string

    // whether  ControlPlaneAuthPolicy is MUTUAL_TLS
    TLSEnabled bool

    // ClusterID is the cluster ID
    ClusterID string

    // The type of Elliptical Signature algorithm to use
    // when generating private keys. Currently only ECDSA is supported.
    ECCSigAlg string

    // FileMountedCerts indicates file mounted certs.
    FileMountedCerts bool
}

type Server struct {
    // contains filtered or unexported fields
}