// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package hashicorp.consul.mesh.v2beta1.pbproxystate;
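// TrafficPermissions is the proxy-state view of the traffic permissions computed for a
// single workload: the allow and deny rule sets, plus the mode that applies when neither
// set matches.
message TrafficPermissions {
  // Field number 3 is not in use. Reserved so a future field cannot pick up any value an
  // older writer may have emitted under that number.
  reserved 3;

  // allow_permissions lists the permissions that admit traffic. How an empty list is
  // interpreted is decided by the consumer; confirm before relying on either reading.
  repeated Permission allow_permissions = 1;

  // deny_permissions lists the permissions that reject traffic. Precedence between a
  // matching allow and a matching deny is decided by the consumer — confirm against the
  // proxy translation.
  repeated Permission deny_permissions = 2;

  // default_allow determines if the workload is in default allow mode. This is determined
  // by combining the cluster's default allow setting with the is_default property on
  // computed traffic permissions.
  // Proto3 implicit presence: an omitted field reads as false, so a message that does not
  // set it describes a workload that is not in default allow mode (fail-closed).
  bool default_allow = 4;
}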
// Permission is one allow or deny rule: the source identities it applies to and the HTTP
// path/method/header rules that narrow which requests it covers.
message Permission {
  // principals identifies the sources this permission applies to, by SPIFFE ID match.
  // Whether an empty list matches all sources or none is decided by the consumer; confirm
  // before relying on either reading.
  repeated Principal principals = 1;

  // destination_rules narrows the permission to particular paths, methods and headers.
  // In the case of multiple ports, the sidecar proxy controller is responsible for filtering
  // per-port permissions.
  repeated DestinationRule destination_rules = 2;
}
// Principal selects source identities: one SPIFFE ID matcher plus matchers for identities
// to carve out of that selection.
message Principal {
  // spiffe matches the SPIFFE IDs this principal covers. Message-typed, so presence is
  // explicit: an unset matcher and an empty one are distinguishable to the consumer.
  Spiffe spiffe = 1;

  // exclude_spiffes lists SPIFFE ID matchers removed from the set selected by spiffe.
  repeated Spiffe exclude_spiffes = 2;
}
// Spiffe is a matcher over SPIFFE IDs, expressed as regular expressions.
message Spiffe {
  // regex is the regular expression for matching spiffe ids.
  // Whether the pattern is anchored (must match the whole id) or may match a substring is
  // decided by the proxy that evaluates it; an unanchored pattern matches more identities
  // than intended, so confirm against the proxy translation when authoring patterns.
  string regex = 1;

  // xfcc_regex specifies that Envoy needs to find the spiffe id in an xfcc header.
  // It is currently unused, but keeping it is important to avoid breaking changes.
  string xfcc_regex = 2;
}
|
2024-01-24 02:07:58 +00:00
|
|
|
|
|
|
|
// DestinationRule narrows a Permission to particular HTTP requests by path, method and
// header, with optional carve-outs.
message DestinationRule {
  // path_exact matches the request path exactly.
  // path_exact, path_prefix and path_regex are presumably alternatives with at most one
  // set. Proto3 implicit presence makes "" indistinguishable from unset, so confirm how the
  // consumer treats a rule with none of them set (every path, or no path).
  string path_exact = 1;

  // path_prefix matches request paths that begin with this prefix.
  string path_prefix = 2;

  // path_regex matches request paths against a regular expression. Whether it must match
  // the whole path or a substring is decided by the consumer; confirm.
  string path_regex = 3;

  // methods lists the HTTP methods the rule applies to. Case handling and the reading of
  // an empty list are decided by the consumer; confirm.
  repeated string methods = 4;

  // destination_rule_header lists header matchers for the rule (presumably all must hold;
  // confirm). The singular name is kept: renaming a field changes its JSON key and
  // generated accessors.
  repeated DestinationRuleHeader destination_rule_header = 5;

  // exclude lists requests carved out of this rule even though the matchers above cover
  // them.
  repeated ExcludePermissionRule exclude = 6;
}
// DestinationRuleHeader matches a single HTTP request header by presence or by value.
message DestinationRuleHeader {
  // name is the header to inspect.
  string name = 1;

  // present matches when the header exists, regardless of its value. Proto3 implicit
  // presence: false and unset are the same, so an omitted field never enables this matcher.
  // present, exact, prefix, suffix and regex are presumably alternatives with one set per
  // matcher; confirm against the consumer.
  bool present = 2;

  // exact matches the header value exactly.
  string exact = 3;

  // prefix matches header values that begin with this string.
  string prefix = 4;

  // suffix matches header values that end with this string.
  string suffix = 5;

  // regex matches header values against a regular expression. Whether it must match the
  // whole value or a substring is decided by the consumer; confirm.
  string regex = 6;

  // invert negates the result of the matcher above.
  bool invert = 7;
}
// ExcludePermissionRule describes requests carved out of a DestinationRule. It mirrors
// DestinationRule's path, method and header matchers but has no nested exclusions.
message ExcludePermissionRule {
  // path_exact matches the request path exactly.
  // path_exact, path_prefix and path_regex are presumably alternatives with at most one
  // set; "" is indistinguishable from unset under proto3 implicit presence. Confirm how
  // the consumer treats a rule with none of them set.
  string path_exact = 1;

  // path_prefix matches request paths that begin with this prefix.
  string path_prefix = 2;

  // path_regex matches request paths against a regular expression. Whether it must match
  // the whole path or a substring is decided by the consumer; confirm.
  string path_regex = 3;

  // methods lists the HTTP methods the exclusion applies to. Case handling and the
  // reading of an empty list are decided by the consumer; confirm.
  repeated string methods = 4;

  // headers lists header matchers for the exclusion (presumably all must hold; confirm).
  // Note the name differs from DestinationRule.destination_rule_header; both are kept as
  // renaming changes JSON keys and generated accessors.
  repeated DestinationRuleHeader headers = 5;
}