diff --git a/agent/xds/proxystateconverter/listeners.go b/agent/xds/proxystateconverter/listeners.go
index 0d74a709c1..3b9c5e5139 100644
--- a/agent/xds/proxystateconverter/listeners.go
+++ b/agent/xds/proxystateconverter/listeners.go
@@ -1051,7 +1051,7 @@ func (s *Converter) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot, name s
 l4Dest.MaxInboundConnections = uint64(cfg.MaxInboundConnections)
 }
- l4Dest.TrafficPermissions = &pbproxystate.L4TrafficPermissions{}
+ l4Dest.TrafficPermissions = &pbproxystate.TrafficPermissions{}
 }
 l.Routers = append(l.Routers, localAppRouter)
@@ -1576,7 +1576,7 @@ func (g *Converter) makeL7Destination(opts destinationOpts) (*pbproxystate.L7Des
 // access and that every filter chain uses our TLS certs.
 if len(opts.httpAuthzFilters) > 0 {
 // TODO(proxystate) support intentions in the future
- dest.TrafficPermissions = &pbproxystate.L7TrafficPermissions{}
+ dest.TrafficPermissions = &pbproxystate.TrafficPermissions{}
 //cfg.HttpFilters = append(opts.httpAuthzFilters, cfg.HttpFilters...)
 }
diff --git a/agent/xds/rbac_test.go b/agent/xds/rbac_test.go
index 2170f26649..2e979fb440 100644
--- a/agent/xds/rbac_test.go
+++ b/agent/xds/rbac_test.go
@@ -556,25 +556,25 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { } ) - makeL4Spiffe := func(name string, entMeta *acl.EnterpriseMeta) string { + makeSpiffe := func(name string, entMeta *acl.EnterpriseMeta) *pbproxystate.Spiffe { em := *acl.DefaultEnterpriseMeta() if entMeta != nil { em = *entMeta } - spiffe := makeSpiffePattern(rbacService{ + regex := makeSpiffePattern(rbacService{ ServiceName: structs.ServiceName{ Name: name, EnterpriseMeta: em, }, TrustDomain: testTrustDomain, }) - return spiffe + return &pbproxystate.Spiffe{Regex: regex} } tests := map[string]struct { intentionDefaultAllow bool v1Intentions structs.SimplifiedIntentions - v2L4TrafficPermissions *pbproxystate.L4TrafficPermissions + v2L4TrafficPermissions *pbproxystate.TrafficPermissions }{ "default-deny-mixed-precedence": { intentionDefaultAllow: false, @@ -583,12 +583,12 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testIntention(t, "*", "api", structs.IntentionActionDeny), testIntention(t, "web", "*", structs.IntentionActionDeny), ), - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{ - AllowPermissions: []*pbproxystate.L4Permission{ + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{ + AllowPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("web", nil), + Spiffe: makeSpiffe("web", nil), }, }, }, @@ -600,12 +600,12 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { v1Intentions: sorted( testSourceIntention("*", structs.IntentionActionAllow), ), - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{ - AllowPermissions: []*pbproxystate.L4Permission{ + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{ + AllowPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("*", nil), + Spiffe: makeSpiffe("*", nil), }, }, }, 
@@ -623,12 +623,12 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { v1Intentions: sorted( testSourceIntention("web", structs.IntentionActionAllow), ), - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{ - AllowPermissions: []*pbproxystate.L4Permission{ + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{ + AllowPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("web", nil), + Spiffe: makeSpiffe("web", nil), }, }, }, @@ -647,13 +647,13 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testSourceIntention("web", structs.IntentionActionDeny), testSourceIntention("*", structs.IntentionActionAllow), ), - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{ - AllowPermissions: []*pbproxystate.L4Permission{ + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{ + AllowPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("*", nil), - ExcludeSpiffeRegexes: []string{makeL4Spiffe("web", nil)}, + Spiffe: makeSpiffe("*", nil), + ExcludeSpiffes: []*pbproxystate.Spiffe{makeSpiffe("web", nil)}, }, }, }, 
@@ -669,22 +669,22 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { testSourceIntention("cron", structs.IntentionActionAllow), testSourceIntention("*", structs.IntentionActionAllow), ), - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{ - AllowPermissions: []*pbproxystate.L4Permission{ + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{ + AllowPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("cron", nil), + Spiffe: makeSpiffe("cron", nil), }, { - SpiffeRegex: makeL4Spiffe("web", nil), + Spiffe: makeSpiffe("web", nil), }, { - SpiffeRegex: makeL4Spiffe("*", nil), - ExcludeSpiffeRegexes: []string{ - makeL4Spiffe("web", nil), - makeL4Spiffe("unsafe", nil), - makeL4Spiffe("cron", nil), + Spiffe: makeSpiffe("*", nil), + ExcludeSpiffes: []*pbproxystate.Spiffe{ + makeSpiffe("web", nil), + makeSpiffe("unsafe", nil), + makeSpiffe("cron", nil), }, }, }, 
@@ -694,37 +694,37 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { }, "v2-kitchen-sink": { intentionDefaultAllow: false, - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{ - AllowPermissions: []*pbproxystate.L4Permission{ + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{ + AllowPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("api", nil), + Spiffe: makeSpiffe("api", nil), }, { - SpiffeRegex: makeL4Spiffe("*", nil), - ExcludeSpiffeRegexes: []string{ - makeL4Spiffe("unsafe", nil), + Spiffe: makeSpiffe("*", nil), + ExcludeSpiffes: []*pbproxystate.Spiffe{ + makeSpiffe("unsafe", nil), }, }, }, }, { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("web", nil), + Spiffe: makeSpiffe("web", nil), }, }, }, }, - DenyPermissions: []*pbproxystate.L4Permission{ + DenyPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("db", nil), + Spiffe: makeSpiffe("db", nil), }, { - SpiffeRegex: makeL4Spiffe("cron", nil), + Spiffe: makeSpiffe("cron", nil), }, }, }, 
@@ -733,20 +733,20 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { }, "v2-default-deny": { intentionDefaultAllow: false, - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{}, + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{}, }, "v2-default-allow": { intentionDefaultAllow: true, - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{}, + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{}, }, "v2-default-allow-one-allow": { intentionDefaultAllow: true, - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{ - AllowPermissions: []*pbproxystate.L4Permission{ + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{ + AllowPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("web", nil), + Spiffe: makeSpiffe("web", nil), }, }, }, @@ -756,12 +756,12 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) { // In v2, having a single permission turns on default deny. "v2-default-allow-one-deny": { intentionDefaultAllow: true, - v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{ - DenyPermissions: []*pbproxystate.L4Permission{ + v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{ + DenyPermissions: []*pbproxystate.Permission{ { - Principals: []*pbproxystate.L4Principal{ + Principals: []*pbproxystate.Principal{ { - SpiffeRegex: makeL4Spiffe("web", nil), + Spiffe: makeSpiffe("web", nil), }, }, }, diff --git a/agent/xdsv2/rbac_resources.go b/agent/xdsv2/rbac_resources.go index ee7e906691..6cc43224d7 100644 --- a/agent/xdsv2/rbac_resources.go +++ b/agent/xdsv2/rbac_resources.go 
@@ -20,7 +20,7 @@ const (
 baseL4PermissionKey = "consul-intentions-layer4"
 )
-func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.L4TrafficPermissions) ([]*envoy_listener_v3.Filter, error) {
+func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.TrafficPermissions) ([]*envoy_listener_v3.Filter, error) {
 var filters []*envoy_listener_v3.Filter
 if trafficPermissions == nil {
@@ -60,7 +60,7 @@ func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.L4TrafficPer
 // includeAllowFilter determines if an Envoy RBAC allow filter will be included in the filter chain.
 // We include this filter with default deny or whenever any permissions are configured.
-func includeAllowFilter(defaultAllow bool, trafficPermissions *pbproxystate.L4TrafficPermissions) bool {
+func includeAllowFilter(defaultAllow bool, trafficPermissions *pbproxystate.TrafficPermissions) bool {
 hasPermissions := len(trafficPermissions.DenyPermissions)+len(trafficPermissions.AllowPermissions) > 0
 return !defaultAllow || hasPermissions
 }
@@ -73,7 +73,7 @@ func makeRBACFilter(rbac *envoy_rbac_v3.RBAC) (*envoy_listener_v3.Filter, error)
 return makeEnvoyFilter("envoy.filters.network.rbac", cfg)
 }
-func makeRBACPolicies(l4Permissions []*pbproxystate.L4Permission) map[string]*envoy_rbac_v3.Policy {
+func makeRBACPolicies(l4Permissions []*pbproxystate.Permission) map[string]*envoy_rbac_v3.Policy {
 policyLabel := func(i int) string {
 if len(l4Permissions) == 1 {
 return baseL4PermissionKey
@@ -90,11 +90,11 @@ func makeRBACPolicies(l4Permissions []*pbproxystate.L4Permission) map[string]*en
 return policies
 }
-func makeRBACPolicy(p *pbproxystate.L4Permission) *envoy_rbac_v3.Policy {
+func makeRBACPolicy(p *pbproxystate.Permission) *envoy_rbac_v3.Policy {
 var principals []*envoy_rbac_v3.Principal
- for _, l4Principal := range p.Principals {
- principals = append(principals, toEnvoyPrincipal(l4Principal.ToL7Principal()))
+ for _, p := range p.Principals {
+ principals = append(principals, toEnvoyPrincipal(p))
 }
 return &envoy_rbac_v3.Policy{
@@ -103,7 +103,7 @@ func makeRBACPolicy(p *pbproxystate.L4Permission) *envoy_rbac_v3.Policy {
 }
 }
-func toEnvoyPrincipal(p *pbproxystate.L7Principal) *envoy_rbac_v3.Principal {
+func toEnvoyPrincipal(p *pbproxystate.Principal) *envoy_rbac_v3.Principal {
 includePrincipal := principal(p.Spiffe)
 if len(p.ExcludeSpiffes) == 0 {
diff --git a/internal/mesh/internal/cache/sidecarproxycache/identities_cache.go b/internal/mesh/internal/cache/sidecarproxycache/identities_cache.go
new file mode 100644
index 0000000000..a7d9ba692c
--- /dev/null
+++ b/internal/mesh/internal/cache/sidecarproxycache/identities_cache.go
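Review bot: In makeRBACPolicy the new loop variable `p` shadows the `*pbproxystate.Permission` parameter of the same name; `p.Principals` is evaluated once before the loop so this compiles, but any later edit that refers to `p` inside the body will silently get the principal instead of the permission, and shadow linters will flag it. Rename the loop variable, `for _, principal := range p.Principals { principals = append(principals, toEnvoyPrincipal(principal)) }`. makeRBACPolicy's returned Policy literal continues outside the hunk.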
@@ -0,0 +1,38 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package sidecarproxycache
+
+import (
+ auth "github.com/hashicorp/consul/internal/auth"
+ "github.com/hashicorp/consul/internal/mesh/internal/types"
+ "github.com/hashicorp/consul/internal/resource"
+ "github.com/hashicorp/consul/internal/resource/mappers/bimapper"
+ "github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+// IdentitiesCache tracks mappings between workload identities and proxy IDs
+// that a configuration applies to. It is the responsibility of the controller to
+// keep this cache up-to-date.
+type IdentitiesCache struct {
+ mapper *bimapper.Mapper
+}
+
+func NewIdentitiesCache() *IdentitiesCache {
+ return &IdentitiesCache{
+ mapper: bimapper.New(types.ProxyStateTemplateType, auth.WorkloadIdentityType),
+ }
+}
+
+func (c *IdentitiesCache) ProxyIDsByWorkloadIdentity(id *pbresource.ID) []*pbresource.ID {
+ return c.mapper.ItemIDsForLink(id)
+}
+
+func (c *IdentitiesCache) TrackPair(identityID *pbresource.ID, proxyID *pbresource.ID) {
+ c.mapper.TrackItem(proxyID, []resource.ReferenceOrID{identityID})
+}
+
+// UntrackProxyID removes tracking for the given proxy state template ID.
+func (c *IdentitiesCache) UntrackProxyID(proxyID *pbresource.ID) {
+ c.mapper.UntrackItem(proxyID)
+}
diff --git a/internal/mesh/internal/cache/sidecarproxycache/identities_cache_test.go b/internal/mesh/internal/cache/sidecarproxycache/identities_cache_test.go
new file mode 100644
index 0000000000..f3b5e3067a
--- /dev/null
+++ b/internal/mesh/internal/cache/sidecarproxycache/identities_cache_test.go
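Review bot: NewIdentitiesCache, ProxyIDsByWorkloadIdentity and TrackPair are exported without doc comments, and TrackPair's replace semantics are the one thing a caller needs to know: it passes a single-element link slice to TrackItem, so tracking a proxy against a new identity drops the identity previously tracked for it (the "Now proxy 1 uses identity 2" step in identities_cache_test.go depends on exactly that). Suggested: `// TrackPair records that proxyID currently uses identityID, replacing any identity previously tracked for that proxy.` and `// ProxyIDsByWorkloadIdentity returns the proxy state template IDs currently tracked against id, or nil if there are none.` Whether the cache may be used concurrently by the controller and the mapper depends on bimapper.Mapper, which is not visible here; the type comment should state the guarantee either way once confirmed.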
@@ -0,0 +1,59 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package sidecarproxycache + +import ( + "testing" + + "github.com/stretchr/testify/require" + + "github.com/hashicorp/consul/internal/auth" + "github.com/hashicorp/consul/internal/mesh/internal/types" + "github.com/hashicorp/consul/internal/resource" + "github.com/hashicorp/consul/internal/resource/resourcetest" + "github.com/hashicorp/consul/proto-public/pbresource" +) + +func TestIdentitiesCache(t *testing.T) { + cache := NewIdentitiesCache() + + identityID1 := resourcetest.Resource(auth.WorkloadIdentityType, "workload-identity-1"). + WithTenancy(resource.DefaultNamespacedTenancy()).ID() + identityID2 := resourcetest.Resource(auth.WorkloadIdentityType, "workload-identity-2"). + WithTenancy(resource.DefaultNamespacedTenancy()).ID() + + proxyID1 := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-1"). + WithTenancy(resource.DefaultNamespacedTenancy()).ID() + proxyID2 := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-2"). + WithTenancy(resource.DefaultNamespacedTenancy()).ID() + + // Empty cache + require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID1)) + require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID2)) + + // Insert value and fetch it. + cache.TrackPair(identityID1, proxyID1) + require.Equal(t, []*pbresource.ID{proxyID1}, cache.ProxyIDsByWorkloadIdentity(identityID1)) + require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID2)) + + // Insert another value referencing the same identity. 
+ cache.TrackPair(identityID1, proxyID2) + require.ElementsMatch(t, []*pbresource.ID{proxyID1, proxyID2}, cache.ProxyIDsByWorkloadIdentity(identityID1)) + require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID2)) + + // Now proxy 1 uses identity 2 + cache.TrackPair(identityID2, proxyID1) + require.Equal(t, []*pbresource.ID{proxyID1}, cache.ProxyIDsByWorkloadIdentity(identityID2)) + require.Equal(t, []*pbresource.ID{proxyID2}, cache.ProxyIDsByWorkloadIdentity(identityID1)) + + // Untrack proxy 2 + cache.UntrackProxyID(proxyID2) + require.Equal(t, []*pbresource.ID{proxyID1}, cache.ProxyIDsByWorkloadIdentity(identityID2)) + require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID1)) + + // Untrack proxy 1 + cache.UntrackProxyID(proxyID1) + require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID2)) + require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID1)) +} diff --git a/internal/mesh/internal/controllers/register.go b/internal/mesh/internal/controllers/register.go index c98f02b963..cc62da83de 100644 --- a/internal/mesh/internal/controllers/register.go +++ b/internal/mesh/internal/controllers/register.go @@ -40,10 +40,11 @@ func Register(mgr *controller.Manager, deps Dependencies) { destinationsCache = sidecarproxycache.NewDestinationsCache() proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache() computedRoutesCache = sidecarproxycache.NewComputedRoutesCache() - m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache) + identitiesCache = sidecarproxycache.NewIdentitiesCache() + m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache) ) mgr.Register( - sidecarproxy.Controller(destinationsCache, proxyCfgCache, computedRoutesCache, m, deps.TrustDomainFetcher, deps.LocalDatacenter), + sidecarproxy.Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, deps.TrustDomainFetcher, deps.LocalDatacenter), ) mgr.Register(routes.Controller()) 
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
index 409f503638..2a34e366dc 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
@@ -6,16 +6,21 @@ package builder
 import (
 "fmt"
+ "github.com/hashicorp/consul/agent/connect"
 "github.com/hashicorp/consul/envoyextensions/xdscommon"
+ pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
 pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
 "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate"
+ "github.com/hashicorp/consul/proto-public/pbresource"
 )
-func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload) *Builder {
+func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.ComputedTrafficPermissions) *Builder {
 // Add the public listener.
 lb := b.addInboundListener(xdscommon.PublicListenerName, workload)
 lb.buildListener()
+ trafficPermissions := buildTrafficPermissions(b.trustDomain, workload, ctp)
+
 // Go through workload ports and add the routers, clusters, endpoints, and TLS.
 // Note that the order of ports is non-deterministic here but the xds generation
 // code should make sure to send it in the same order to Envoy to avoid unnecessary
@@ -24,7 +29,7 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload) *Builder {
 clusterName := fmt.Sprintf("%s:%s", xdscommon.LocalAppClusterName, portName)
 if port.Protocol != pbcatalog.Protocol_PROTOCOL_MESH {
- lb.addInboundRouter(clusterName, port, portName).
+ lb.addInboundRouter(clusterName, port, portName, trafficPermissions[portName]).
 addInboundTLS()
 b.addLocalAppCluster(clusterName).
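Review bot: `trafficPermissions[portName]` in the second hunk silently yields nil for any port name missing from the map, and that nil is what ends up on the router; the xdsv2 MakeL4RBAC changed in this same commit returns early when trafficPermissions is nil (its early-return body is cut off in the diff), which most likely means no RBAC filter at all for that port rather than a deny. Today the map is keyed from workload.GetPortsByProtocol() while this loop walks the workload's ports directly, so the two sets presumably agree, but any future divergence would fail open without a log line. Prefer an explicit lookup that treats a miss as an empty permission set, which includeAllowFilter renders as deny-all under default-deny: `tp, ok := trafficPermissions[portName]; if !ok { tp = &pbproxystate.TrafficPermissions{} }`, then pass `tp`. BuildLocalApp's loop header is outside the hunk.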
@@ -35,6 +40,162 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload) *Builder {
 return b
 }
+func buildTrafficPermissions(trustDomain string, workload *pbcatalog.Workload, computed *pbauth.ComputedTrafficPermissions) map[string]*pbproxystate.TrafficPermissions {
+ portsWithProtocol := workload.GetPortsByProtocol()
+
+ out := make(map[string]*pbproxystate.TrafficPermissions)
+ portToProtocol := make(map[string]pbcatalog.Protocol)
+ var allPorts []string
+ for protocol, ports := range portsWithProtocol {
+ if protocol == pbcatalog.Protocol_PROTOCOL_MESH {
+ continue
+ }
+
+ for _, p := range ports {
+ allPorts = append(allPorts, p)
+ portToProtocol[p] = protocol
+ out[p] = &pbproxystate.TrafficPermissions{}
+ }
+ }
+
+ if computed == nil {
+ return out
+ }
+
+ for _, p := range computed.DenyPermissions {
+ drsByPort := destinationRulesByPort(allPorts, p.DestinationRules)
+ principals := makePrincipals(trustDomain, p)
+ for port := range drsByPort {
+ out[port].DenyPermissions = append(out[port].DenyPermissions, &pbproxystate.Permission{
+ Principals: principals,
+ })
+ }
+ }
+
+ for _, p := range computed.AllowPermissions {
+ drsByPort := destinationRulesByPort(allPorts, p.DestinationRules)
+ principals := makePrincipals(trustDomain, p)
+ for port := range drsByPort {
+ out[port].AllowPermissions = append(out[port].AllowPermissions, &pbproxystate.Permission{
+ Principals: principals,
+ })
+ }
+ }
+
+ return out
+}
+
+// TODO this is a placeholder until we add them to the IR.
+type DestinationRule struct{}
+
+func destinationRulesByPort(allPorts []string, destinationRules []*pbauth.DestinationRule) map[string][]DestinationRule {
+ out := make(map[string][]DestinationRule)
+
+ if len(destinationRules) == 0 {
+ for _, p := range allPorts {
+ out[p] = nil
+ }
+
+ return out
+ }
+
+ for _, destinationRule := range destinationRules {
+ ports, dr := convertDestinationRule(allPorts, destinationRule)
+ for _, p := range ports {
+ out[p] = append(out[p], dr)
+ }
+ }
+
+ return out
+}
+
+func convertDestinationRule(allPorts []string, dr *pbauth.DestinationRule) ([]string, DestinationRule) {
+ ports := make(map[string]struct{})
+ if len(dr.PortNames) > 0 {
+ for _, p := range dr.PortNames {
+ ports[p] = struct{}{}
+ }
+ } else {
+ for _, p := range allPorts {
+ ports[p] = struct{}{}
+ }
+ }
+
+ for _, exclude := range dr.Exclude {
+ for _, p := range exclude.PortNames {
+ delete(ports, p)
+ }
+ }
+
+ var out []string
+ for p := range ports {
+ out = append(out, p)
+ }
+
+ return out, DestinationRule{}
+}
+
+func makePrincipals(trustDomain string, perm *pbauth.Permission) []*pbproxystate.Principal {
+ var principals []*pbproxystate.Principal
+ for _, s := range perm.Sources {
+ principals = append(principals, makePrincipal(trustDomain, s))
+ }
+
+ return principals
+}
+
+func makePrincipal(trustDomain string, s *pbauth.Source) *pbproxystate.Principal {
+ excludes := make([]*pbproxystate.Spiffe, 0, len(s.Exclude))
+ for _, es := range s.Exclude {
+ excludes = append(excludes, sourceToSpiffe(trustDomain, es))
+ }
+
+ return &pbproxystate.Principal{
+ Spiffe: sourceToSpiffe(trustDomain, s),
+ ExcludeSpiffes: excludes,
+ }
+}
+
+const (
+ anyPath = `[^/]+`
+)
+
+func sourceToSpiffe(trustDomain string, s pbauth.SourceToSpiffe) *pbproxystate.Spiffe {
+ var (
+ name = s.GetIdentityName()
+ ns = s.GetNamespace()
+ ap = s.GetPartition()
+ )
+
+ if ns == "" && name != "" {
+ panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact
identity %q", ns, name))
+ }
+
+ if ap == "" {
+ panic("not possible to have a wildcarded source partition")
+ }
+
+ if ns == "" {
+ ns = anyPath
+ }
+ if name == "" {
+ name = anyPath
+ }
+
+ spiffeMatcher := connect.SpiffeIDFromIdentityRef(trustDomain, &pbresource.Reference{
+ Name: name,
+ Tenancy: &pbresource.Tenancy{
+ Partition: ap,
+ Namespace: ns,
+ PeerName: s.GetPeer(),
+ },
+ })
+
+ return &pbproxystate.Spiffe{
+ Regex: fmt.Sprintf(`^%s$`, spiffeMatcher),
+ }
+}
+
 func (b *Builder) addInboundListener(name string, workload *pbcatalog.Workload) *ListenerBuilder {
 listener := &pbproxystate.Listener{
 Name: name,
@@ -77,7 +238,7 @@ func (b *Builder) addInboundListener(name string, workload *pbcatalog.Workload)
 return b.NewListenerBuilder(listener)
 }
-func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.WorkloadPort, portName string) *ListenerBuilder {
+func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.WorkloadPort, portName string, tp *pbproxystate.TrafficPermissions) *ListenerBuilder {
 if l.listener == nil {
 return l
 }
@@ -91,7 +252,8 @@ func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.W
 Name: clusterName,
 },
 },
- StatPrefix: l.listener.Name,
+ StatPrefix: l.listener.Name,
+ TrafficPermissions: tp,
 },
 },
 Match: &pbproxystate.Match{
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go
index 5637703360..816e01236a 100644
--- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_multiport_test.go
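Review bot: The wildcard principal regex that sourceToSpiffe returns cannot match a real SPIFFE URI: `anyPath` is substituted for the name/namespace and then fed through connect.SpiffeIDFromIdentityRef as a URI path segment, and TestBuildL4TrafficPermissions in local_app_test.go expects the result `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`, i.e. `[^/]+` came back percent-encoded and now only matches the literal text `%5B%5E/%5` followed by one or more `D`. For an allow permission this fails closed, but for a deny permission whose source has an empty IdentityName (the kitchen-sink case) the deny never matches any SAN, so traffic the policy meant to reject is let through; unless the value is decoded again downstream, which I cannot see from here, the test expectation codifies the bug. Build the literal part of the URI with a sentinel that survives path escaping, quote it with regexp.QuoteMeta (so the `.` in the trust domain is literal too) and then swap the sentinel for anyPath, as sketched below (needs the regexp and strings imports). Separately, buildTrafficPermissions dereferences `out[port]` for every port destinationRulesByPort hands back while convertDestinationRule copies `dr.PortNames` without checking them against allPorts, so a rule naming an unknown or mesh-protocol port panics on a nil pointer; guard with `tp, ok := out[port]; if !ok { continue }` in both loops (or filter in convertDestinationRule), and drop the `portToProtocol` map, which is written but never read.

```go
	// … unchanged: wildcard namespace / partition checks …

	// Sentinel that passes through URL path escaping untouched; swapped for the
	// regex once the literal URI has been quoted.
	// NOTE(review): pick a value that can never be a valid identity or namespace name.
	const wildcardToken = "WILDCARDTOKEN"
	if ns == "" {
		ns = wildcardToken
	}
	if name == "" {
		name = wildcardToken
	}

	spiffeMatcher := connect.SpiffeIDFromIdentityRef(trustDomain, &pbresource.Reference{
		// … unchanged: Name / Tenancy as before …
	})

	// Quote the literal URI so '.' in the trust domain is matched literally, then
	// re-insert the wildcard pattern where the sentinel sits.
	pattern := regexp.QuoteMeta(fmt.Sprint(spiffeMatcher))
	pattern = strings.ReplaceAll(pattern, wildcardToken, anyPath)

	return &pbproxystate.Spiffe{
		Regex: "^" + pattern + "$",
	}
```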
@@ -76,7 +76,7 @@ func TestBuildLocalApp_Multiport(t *testing.T) { for name, c := range cases { t.Run(name, func(t *testing.T) { proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", nil). - BuildLocalApp(c.workload). + BuildLocalApp(c.workload, nil). Build() // sort routers because of test flakes where order was flip flopping. diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go index 658142647b..66985c74b4 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go @@ -12,13 +12,17 @@ import ( "github.com/hashicorp/consul/internal/resource" "github.com/hashicorp/consul/internal/resource/resourcetest" "github.com/hashicorp/consul/internal/testing/golden" + pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1" pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1" + pbproxystate "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate" "github.com/hashicorp/consul/proto-public/pbresource" + "github.com/hashicorp/consul/proto/private/prototest" ) func TestBuildLocalApp(t *testing.T) { cases := map[string]struct { workload *pbcatalog.Workload + ctp *pbauth.ComputedTrafficPermissions }{ "source/l4-single-workload-address-without-ports": { workload: &pbcatalog.Workload{ 
@@ -66,13 +70,26 @@ func TestBuildLocalApp(t *testing.T) { "port2": {Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH}, }, }, + ctp: &pbauth.ComputedTrafficPermissions{ + AllowPermissions: []*pbauth.Permission{ + { + Sources: []*pbauth.Source{ + { + IdentityName: "foo", + Namespace: "default", + Partition: "default", + }, + }, + }, + }, + }, }, } for name, c := range cases { t.Run(name, func(t *testing.T) { proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", nil). - BuildLocalApp(c.workload). + BuildLocalApp(c.workload, c.ctp). Build() actual := protoToJSON(t, proxyTmpl) expected := golden.Get(t, actual, name+".golden") 
@@ -98,3 +115,200 @@ func testIdentityRef() *pbresource.Reference { }, } } + +func TestBuildL4TrafficPermissions(t *testing.T) { + testTrustDomain := "test.consul" + + cases := map[string]struct { + workloadPorts map[string]*pbcatalog.WorkloadPort + ctp *pbauth.ComputedTrafficPermissions + expected map[string]*pbproxystate.TrafficPermissions + }{ + "empty": { + workloadPorts: map[string]*pbcatalog.WorkloadPort{ + "p1": { + Protocol: pbcatalog.Protocol_PROTOCOL_TCP, + }, + "p2": { + Protocol: pbcatalog.Protocol_PROTOCOL_HTTP, + }, + "p3": {}, + "mesh": { + Protocol: pbcatalog.Protocol_PROTOCOL_MESH, + }, + }, + expected: map[string]*pbproxystate.TrafficPermissions{ + "p1": {}, + "p2": {}, + "p3": {}, + }, + }, + "kitchen sink": { + workloadPorts: map[string]*pbcatalog.WorkloadPort{ + "p1": { + Protocol: pbcatalog.Protocol_PROTOCOL_TCP, + }, + "p2": { + Protocol: pbcatalog.Protocol_PROTOCOL_HTTP, + }, + }, + ctp: &pbauth.ComputedTrafficPermissions{ + AllowPermissions: []*pbauth.Permission{ + { + Sources: []*pbauth.Source{ + { + IdentityName: "foo", + Partition: "default", + Namespace: "default", + }, + { + IdentityName: "", + Partition: "default", + Namespace: "default", + Exclude: []*pbauth.ExcludeSource{ + { + IdentityName: "bar", + Namespace: "default", + Partition: "default", + }, + }, + }, + }, + DestinationRules: []*pbauth.DestinationRule{ + // This should be p2. 
+ { + Exclude: []*pbauth.ExcludePermissionRule{ + { + PortNames: []string{"p1"}, + }, + }, + }, + }, + }, + { + Sources: []*pbauth.Source{ + { + IdentityName: "baz", + Partition: "default", + Namespace: "default", + }, + }, + DestinationRules: []*pbauth.DestinationRule{ + { + PortNames: []string{"p1"}, + }, + }, + }, + }, + DenyPermissions: []*pbauth.Permission{ + { + Sources: []*pbauth.Source{ + { + IdentityName: "qux", + Partition: "default", + Namespace: "default", + }, + }, + }, + { + Sources: []*pbauth.Source{ + { + IdentityName: "", + Namespace: "default", + Partition: "default", + Exclude: []*pbauth.ExcludeSource{ + { + IdentityName: "quux", + Partition: "default", + Namespace: "default", + }, + }, + }, + }, + }, + }, + }, + expected: map[string]*pbproxystate.TrafficPermissions{ + "p1": { + DenyPermissions: []*pbproxystate.Permission{ + { + Principals: []*pbproxystate.Principal{ + { + Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/qux$"}, + }, + }, + }, + { + Principals: []*pbproxystate.Principal{ + { + Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`}, + ExcludeSpiffes: []*pbproxystate.Spiffe{ + {Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"}, + }, + }, + }, + }, + }, + AllowPermissions: []*pbproxystate.Permission{ + { + Principals: []*pbproxystate.Principal{ + { + Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/baz$"}, + }, + }, + }, + }, + }, + "p2": { + DenyPermissions: []*pbproxystate.Permission{ + { + Principals: []*pbproxystate.Principal{ + { + Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/qux$"}, + }, + }, + }, + { + Principals: []*pbproxystate.Principal{ + { + Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`}, + ExcludeSpiffes: []*pbproxystate.Spiffe{ + {Regex: 
"^spiffe://test.consul/ap/default/ns/default/identity/quux$"}, + }, + }, + }, + }, + }, + AllowPermissions: []*pbproxystate.Permission{ + { + Principals: []*pbproxystate.Principal{ + { + Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/foo$"}, + }, + { + Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`}, + ExcludeSpiffes: []*pbproxystate.Spiffe{ + {Regex: "^spiffe://test.consul/ap/default/ns/default/identity/bar$"}, + }, + }, + }, + }, + }, + }, + }, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + workload := &pbcatalog.Workload{ + Ports: tc.workloadPorts, + } + permissions := buildTrafficPermissions(testTrustDomain, workload, tc.ctp) + require.Equal(t, len(tc.expected), len(permissions)) + for k, v := range tc.expected { + prototest.AssertDeepEqual(t, v, permissions[k]) + } + }) + } +} diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden index 9d331630a5..d9320a445a 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden @@ -51,7 +51,20 @@ "cluster": { "name": "local_app:port1" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": { + "allowPermissions": [ + { + "principals": [ + { + "spiffe": { + "regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$" + } + } + ] + } + ] + } }, "match": { "alpnProtocols": [ 
diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden index 6269f9b3b9..f9136e89d3 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-without-ports.golden @@ -51,7 +51,8 @@ "cluster": { "name": "local_app:port1" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": {} }, "match": { "alpnProtocols": [ diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden index 6269f9b3b9..f9136e89d3 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-single-workload-address-without-ports.golden @@ -51,7 +51,8 @@ "cluster": { "name": "local_app:port1" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": {} }, "match": { "alpnProtocols": [ diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden index cd5e8c1252..f7240ea256 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden 
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-with-specific-ports.golden @@ -66,7 +66,8 @@ "cluster": { "name": "local_app:admin-port" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": {} }, "match": { "alpnProtocols": [ @@ -89,7 +90,8 @@ "cluster": { "name": "local_app:api-port" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": {} }, "match": { "alpnProtocols": [ diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden index 170f72cb35..e66f1e13d3 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden +++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-multiple-workload-addresses-without-ports.golden @@ -66,7 +66,8 @@ "cluster": { "name": "local_app:admin-port" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": {} }, "match": { "alpnProtocols": [ @@ -89,7 +90,8 @@ "cluster": { "name": "local_app:api-port" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": {} }, "match": { "alpnProtocols": [ diff --git a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden index 170f72cb35..e66f1e13d3 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden 
+++ b/internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/multiport-l4-single-workload-address-without-ports.golden @@ -66,7 +66,8 @@ "cluster": { "name": "local_app:admin-port" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": {} }, "match": { "alpnProtocols": [ @@ -89,7 +90,8 @@ "cluster": { "name": "local_app:api-port" }, - "statPrefix": "public_listener" + "statPrefix": "public_listener", + "trafficPermissions": {} }, "match": { "alpnProtocols": [ diff --git a/internal/mesh/internal/controllers/sidecarproxy/controller.go b/internal/mesh/internal/controllers/sidecarproxy/controller.go index 2e3649cbcf..416d772610 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/controller.go +++ b/internal/mesh/internal/controllers/sidecarproxy/controller.go @@ -9,6 +9,7 @@ import ( "google.golang.org/protobuf/proto" "google.golang.org/protobuf/types/known/anypb" + "github.com/hashicorp/consul/internal/auth" "github.com/hashicorp/consul/internal/catalog" "github.com/hashicorp/consul/internal/controller" "github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache" @@ -17,6 +18,7 @@ import ( "github.com/hashicorp/consul/internal/mesh/internal/mappers/sidecarproxymapper" "github.com/hashicorp/consul/internal/mesh/internal/types" "github.com/hashicorp/consul/internal/resource" + pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1" "github.com/hashicorp/consul/proto-public/pbresource" ) 
@@ -29,12 +31,13 @@ func Controller( destinationsCache *sidecarproxycache.DestinationsCache, proxyCfgCache *sidecarproxycache.ProxyConfigurationCache, computedRoutesCache *sidecarproxycache.ComputedRoutesCache, + identitiesCache *sidecarproxycache.IdentitiesCache, mapper *sidecarproxymapper.Mapper, trustDomainFetcher TrustDomainFetcher, dc string, ) controller.Controller { - if destinationsCache == nil || proxyCfgCache == nil || computedRoutesCache == nil || mapper == nil || trustDomainFetcher == nil { - panic("destinations cache, proxy configuration cache, computed routes cache, mapper, and trust domain fetcher are required") + if destinationsCache == nil || proxyCfgCache == nil || computedRoutesCache == nil || identitiesCache == nil || mapper == nil || trustDomainFetcher == nil { + panic("destinations cache, proxy configuration cache, computed routes cache, identities cache, mapper, and trust domain fetcher are required") } /* @@ -88,10 +91,12 @@ func Controller( WithWatch(types.UpstreamsType, mapper.MapDestinationsToProxyStateTemplate). WithWatch(types.ProxyConfigurationType, mapper.MapProxyConfigurationToProxyStateTemplate). WithWatch(types.ComputedRoutesType, mapper.MapComputedRoutesToProxyStateTemplate). + WithWatch(auth.ComputedTrafficPermissionsType, mapper.MapComputedTrafficPermissionsToProxyStateTemplate). WithReconciler(&reconciler{ destinationsCache: destinationsCache, proxyCfgCache: proxyCfgCache, computedRoutesCache: computedRoutesCache, + identitiesCache: identitiesCache, getTrustDomain: trustDomainFetcher, dc: dc, }) @@ -101,6 +106,7 @@ type reconciler struct { destinationsCache *sidecarproxycache.DestinationsCache proxyCfgCache *sidecarproxycache.ProxyConfigurationCache computedRoutesCache *sidecarproxycache.ComputedRoutesCache + identitiesCache *sidecarproxycache.IdentitiesCache getTrustDomain TrustDomainFetcher dc string } 
@@ -116,6 +122,7 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c r.destinationsCache, r.proxyCfgCache, r.computedRoutesCache, + r.identitiesCache, ) // Check if the workload exists. @@ -175,8 +182,20 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c rt.Logger.Error("error fetching proxy and merging proxy configurations", "error", err) return err } + + trafficPermissions, err := dataFetcher.FetchComputedTrafficPermissions(ctx, computedTrafficPermissionsIDFromWorkload(workload)) + if err != nil { + rt.Logger.Error("error fetching computed traffic permissions to compute proxy state template", "error", err) + return err + } + + var ctp *pbauth.ComputedTrafficPermissions + if trafficPermissions != nil { + ctp = trafficPermissions.Data + } + b := builder.New(req.ID, identityRefFromWorkload(workload), trustDomain, r.dc, proxyCfg). - BuildLocalApp(workload.Data) + BuildLocalApp(workload.Data, ctp) // Get all destinationsData. destinationsRefs := r.destinationsCache.DestinationsBySourceProxy(req.ID) @@ -252,3 +271,11 @@ func identityRefFromWorkload(w *types.DecodedWorkload) *pbresource.Reference { Tenancy: w.Resource.Id.Tenancy, } } + +func computedTrafficPermissionsIDFromWorkload(w *types.DecodedWorkload) *pbresource.ID { + return &pbresource.ID{ + Type: auth.ComputedTrafficPermissionsType, + Name: w.Data.Identity, + Tenancy: w.Resource.Id.Tenancy, + } +} diff --git a/internal/mesh/internal/controllers/sidecarproxy/controller_test.go b/internal/mesh/internal/controllers/sidecarproxy/controller_test.go index d972fd8d79..902c9f47de 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/controller_test.go +++ b/internal/mesh/internal/controllers/sidecarproxy/controller_test.go 
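Review bot: In the Reconcile hunk, when FetchComputedTrafficPermissions returns nil (no ComputedTrafficPermissions resource for the workload's identity) `ctp` stays nil and is handed to BuildLocalApp, and the golden files in this diff show such listeners rendered with `"trafficPermissions": {}`; nothing in the code says whether that empty set is meant to close the port or leave it open, which is exactly the decision a reader of the policy-absence path needs. A comment above the `var ctp` declaration would close that gap, e.g. `// A missing ComputedTrafficPermissions resource yields a nil ctp, which the builder renders as an empty TrafficPermissions on the local-app listener; the builder defines what the proxy enforces in that case.`. The new helper in the second hunk also has no doc comment; `// computedTrafficPermissionsIDFromWorkload returns the ID of the ComputedTrafficPermissions resource named after the workload's identity, in the workload's tenancy.` is grounded in its body. Reconcile begins and ends outside the hunk.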
@@ -13,6 +13,7 @@ import ( svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing" "github.com/hashicorp/consul/envoyextensions/xdscommon" + "github.com/hashicorp/consul/internal/auth" "github.com/hashicorp/consul/internal/catalog" "github.com/hashicorp/consul/internal/controller" "github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache" @@ -23,6 +24,7 @@ import ( "github.com/hashicorp/consul/internal/mesh/internal/types" "github.com/hashicorp/consul/internal/resource" "github.com/hashicorp/consul/internal/resource/resourcetest" + pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1" pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1" pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1" "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate" @@ -41,13 +43,15 @@ type meshControllerTestSuite struct { ctl *reconciler ctx context.Context - apiWorkloadID *pbresource.ID - apiWorkload *pbcatalog.Workload - apiService *pbresource.Resource - apiServiceData *pbcatalog.Service - apiEndpoints *pbresource.Resource - apiEndpointsData *pbcatalog.ServiceEndpoints - webWorkload *pbresource.Resource + apiWorkloadID *pbresource.ID + apiWorkload *pbcatalog.Workload + computedTrafficPermissions *pbresource.Resource + computedTrafficPermissionsData *pbauth.ComputedTrafficPermissions + apiService *pbresource.Resource + apiServiceData *pbcatalog.Service + apiEndpoints *pbresource.Resource + apiEndpointsData *pbcatalog.ServiceEndpoints + webWorkload *pbresource.Resource dbWorkloadID *pbresource.ID dbWorkload *pbcatalog.Workload 
@@ -59,7 +63,7 @@ type meshControllerTestSuite struct { } func (suite *meshControllerTestSuite) SetupTest() { - resourceClient := svctest.RunResourceService(suite.T(), types.Register, catalog.RegisterTypes) + resourceClient := svctest.RunResourceService(suite.T(), types.Register, catalog.RegisterTypes, auth.RegisterTypes) suite.client = resourcetest.NewClient(resourceClient) suite.runtime = controller.Runtime{Client: resourceClient, Logger: testutil.Logger(suite.T())} suite.ctx = testutil.TestContext(suite.T()) @@ -67,6 +71,7 @@ func (suite *meshControllerTestSuite) SetupTest() { suite.ctl = &reconciler{ destinationsCache: sidecarproxycache.NewDestinationsCache(), proxyCfgCache: sidecarproxycache.NewProxyConfigurationCache(), + identitiesCache: sidecarproxycache.NewIdentitiesCache(), getTrustDomain: func() (string, error) { return "test.consul", nil }, @@ -142,6 +147,25 @@ func (suite *meshControllerTestSuite) SetupTest() { }, } + suite.computedTrafficPermissionsData = &pbauth.ComputedTrafficPermissions{ + AllowPermissions: []*pbauth.Permission{ + { + Sources: []*pbauth.Source{ + { + IdentityName: "foo", + Namespace: "default", + Partition: "default", + Peer: "local", + }, + }, + }, + }, + } + + suite.computedTrafficPermissions = resourcetest.Resource(auth.ComputedTrafficPermissionsType, suite.apiWorkload.Identity). + WithData(suite.T(), suite.computedTrafficPermissionsData). + Write(suite.T(), resourceClient) + suite.apiService = resourcetest.Resource(catalog.ServiceType, "api-service"). WithData(suite.T(), suite.apiServiceData). Write(suite.T(), suite.client.ResourceServiceClient) @@ -203,7 +227,7 @@ func (suite *meshControllerTestSuite) SetupTest() { } suite.proxyStateTemplate = builder.New(suite.apiWorkloadID, identityRef, "test.consul", "dc1", nil). - BuildLocalApp(suite.apiWorkload). + BuildLocalApp(suite.apiWorkload, suite.computedTrafficPermissionsData). Build() } 
@@ -328,11 +352,12 @@ func (suite *meshControllerTestSuite) TestController() { destinationsCache = sidecarproxycache.NewDestinationsCache() proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache() computedRoutesCache = sidecarproxycache.NewComputedRoutesCache() - m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache) + identitiesCache = sidecarproxycache.NewIdentitiesCache() + m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache) ) trustDomainFetcher := func() (string, error) { return "test.consul", nil } - mgr.Register(Controller(destinationsCache, proxyCfgCache, computedRoutesCache, m, trustDomainFetcher, "dc1")) + mgr.Register(Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, trustDomainFetcher, "dc1")) mgr.SetRaftLeader(true) go mgr.Run(suite.ctx) @@ -344,6 +369,7 @@ func (suite *meshControllerTestSuite) TestController() { apiComputedRoutesID = resource.ReplaceType(types.ComputedRoutesType, suite.apiService.Id) dbComputedRoutesID = resource.ReplaceType(types.ComputedRoutesType, suite.dbService.Id) + apiProxyStateTemplate *pbresource.Resource webProxyStateTemplate *pbresource.Resource webDestinations *pbresource.Resource ) @@ -353,6 +379,7 @@ func (suite *meshControllerTestSuite) TestController() { retry.Run(t, func(r *retry.R) { suite.client.RequireResourceExists(r, apiProxyStateTemplateID) webProxyStateTemplate = suite.client.RequireResourceExists(r, webProxyStateTemplateID) + apiProxyStateTemplate = suite.client.RequireResourceExists(r, apiProxyStateTemplateID) }) }) 
@@ -521,11 +548,28 @@ func (suite *meshControllerTestSuite) TestController() { }).Write(suite.T(), suite.client) webProxyStateTemplate = suite.client.WaitForNewVersion(suite.T(), webProxyStateTemplateID, webProxyStateTemplate.Version) + apiProxyStateTemplate = suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version) requireImplicitDestinationsFound(t, "api", webProxyStateTemplate) requireImplicitDestinationsFound(t, "db", webProxyStateTemplate) }) + testutil.RunStep(suite.T(), "computed traffic permissions force regeneration", func(t *testing.T) { + suite.runtime.Logger.Trace("deleting computed traffic permissions") + _, err := suite.client.Delete(suite.ctx, &pbresource.DeleteRequest{Id: suite.computedTrafficPermissions.Id}) + require.NoError(t, err) + suite.client.WaitForDeletion(t, suite.computedTrafficPermissions.Id) + + apiProxyStateTemplate = suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version) + + suite.runtime.Logger.Trace("creating computed traffic permissions") + resourcetest.Resource(auth.ComputedTrafficPermissionsType, suite.apiWorkload.Identity). + WithData(t, suite.computedTrafficPermissionsData). + Write(t, suite.client) + + suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version) + }) + testutil.RunStep(suite.T(), "add an HTTPRoute with a simple split on the tcp port", func(t *testing.T) { // NOTE: because at this point we have tproxy in all-to-all mode, we will get an // implicit upstream on 'db' diff --git a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go index a61c74a2db..4bf5df4827 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go +++ b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher.go 
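Review bot: The new "computed traffic permissions force regeneration" step only checks that apiProxyStateTemplate receives a new version after the CTP is deleted and again after it is recreated; it never inspects the regenerated template, so a builder that ignored the CTP while still producing a new version would pass. After each WaitForNewVersion, decode the template and assert the local-app listener's traffic permissions reflect the expected state (presumably the empty set the golden files show after the delete, and the `foo` principal after the recreate); the exact field path depends on the builder's output, which this diff shows only in golden files. In the preceding hunk the first WaitForNewVersion passes `suite.T()` while the line added beneath it passes `t`; using `t` for both attributes a failure to the running step.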
@@ -12,6 +12,7 @@ import ( "google.golang.org/grpc/status" "google.golang.org/protobuf/proto" + "github.com/hashicorp/consul/internal/auth" "github.com/hashicorp/consul/internal/catalog" "github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache" ctrlStatus "github.com/hashicorp/consul/internal/mesh/internal/controllers/sidecarproxy/status" @@ -19,6 +20,7 @@ import ( intermediateTypes "github.com/hashicorp/consul/internal/mesh/internal/types/intermediate" "github.com/hashicorp/consul/internal/resource" "github.com/hashicorp/consul/internal/storage" + pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1" pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1" pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1" "github.com/hashicorp/consul/proto-public/pbresource" @@ -29,6 +31,7 @@ type Fetcher struct { DestinationsCache *sidecarproxycache.DestinationsCache ProxyCfgCache *sidecarproxycache.ProxyConfigurationCache ComputedRoutesCache *sidecarproxycache.ComputedRoutesCache + IdentitiesCache *sidecarproxycache.IdentitiesCache } func New( 
@@ -36,28 +39,39 @@ func New( dCache *sidecarproxycache.DestinationsCache, pcfgCache *sidecarproxycache.ProxyConfigurationCache, computedRoutesCache *sidecarproxycache.ComputedRoutesCache, + iCache *sidecarproxycache.IdentitiesCache, ) *Fetcher { return &Fetcher{ Client: client, DestinationsCache: dCache, ProxyCfgCache: pcfgCache, ComputedRoutesCache: computedRoutesCache, + IdentitiesCache: iCache, } } func (f *Fetcher) FetchWorkload(ctx context.Context, id *pbresource.ID) (*types.DecodedWorkload, error) { + proxyID := resource.ReplaceType(types.ProxyStateTemplateType, id) dec, err := resource.GetDecodedResource[*pbcatalog.Workload](ctx, f.Client, id) if err != nil { return nil, err } else if dec == nil { // We also need to make sure to delete the associated proxy from cache. // We are ignoring errors from cache here as this deletion is best effort. - proxyID := resource.ReplaceType(types.ProxyStateTemplateType, id) f.DestinationsCache.DeleteSourceProxy(proxyID) f.ProxyCfgCache.UntrackProxyID(proxyID) + f.IdentitiesCache.UntrackProxyID(proxyID) return nil, nil } + identityID := &pbresource.ID{ + Name: dec.Data.Identity, + Tenancy: dec.Resource.Id.Tenancy, + Type: auth.WorkloadIdentityType, + } + + f.IdentitiesCache.TrackPair(identityID, proxyID) + return dec, err } @@ -65,6 +79,10 @@ func (f *Fetcher) FetchProxyStateTemplate(ctx context.Context, id *pbresource.ID return resource.GetDecodedResource[*pbmesh.ProxyStateTemplate](ctx, f.Client, id) } +func (f *Fetcher) FetchComputedTrafficPermissions(ctx context.Context, id *pbresource.ID) (*types.DecodedComputedTrafficPermissions, error) { + return resource.GetDecodedResource[*pbauth.ComputedTrafficPermissions](ctx, f.Client, id) +} + func (f *Fetcher) FetchServiceEndpoints(ctx context.Context, id *pbresource.ID) (*types.DecodedServiceEndpoints, error) { return resource.GetDecodedResource[*pbcatalog.ServiceEndpoints](ctx, f.Client, id) } 
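Review bot: In FetchWorkload the identity-to-proxy pair is tracked on every successful fetch but untracked only when the workload no longer exists, so if a workload's `Identity` is later changed the proxy keeps its mapping to the previous identity unless IdentitiesCache.TrackPair itself replaces an earlier pair for the same proxy ID (its implementation is not in this diff). The visible effect would be reconciles of this proxy on ComputedTrafficPermissions changes for an identity it no longer runs as; either confirm the cache's replacement behaviour or untrack the proxy before the new TrackPair call. The final `return dec, err` is reached only when err is nil, so `return dec, nil` says what it means. FetchComputedTrafficPermissions lacks a doc comment; `// FetchComputedTrafficPermissions returns the decoded ComputedTrafficPermissions for id, following the same nil-on-missing contract FetchWorkload relies on.` would do.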
diff --git a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go index adbf431e14..fb73b93c2a 100644 --- a/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go +++ b/internal/mesh/internal/controllers/sidecarproxy/fetcher/data_fetcher_test.go @@ -13,6 +13,7 @@ import ( "google.golang.org/grpc/status" svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing" + "github.com/hashicorp/consul/internal/auth" "github.com/hashicorp/consul/internal/catalog" "github.com/hashicorp/consul/internal/controller" "github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache" @@ -238,16 +239,28 @@ func (suite *dataFetcherSuite) SetupTest() { } func (suite *dataFetcherSuite) TestFetcher_FetchWorkload_WorkloadNotFound() { - // Test that when workload is not found, we remove it from cache. - - proxyID := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-abc").ID() + proxyID := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-abc"). + WithTenancy(resource.DefaultNamespacedTenancy()). + ID() + identityID := resourcetest.Resource(auth.WorkloadIdentityType, "workload-identity-abc").ID() // Create cache and pre-populate it. var ( destCache = sidecarproxycache.NewDestinationsCache() proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache() computedRoutesCache = sidecarproxycache.NewComputedRoutesCache() + identitiesCache = sidecarproxycache.NewIdentitiesCache() ) + + f := Fetcher{ + DestinationsCache: destCache, + ProxyCfgCache: proxyCfgCache, + ComputedRoutesCache: computedRoutesCache, + IdentitiesCache: identitiesCache, + Client: suite.client, + } + + // Prepopulate the cache. dest1 := intermediate.CombinedDestinationRef{ ServiceRef: resourcetest.Resource(catalog.ServiceType, "test-service-1").ReferenceNoSection(), Port: "tcp", 
@@ -264,21 +277,45 @@ func (suite *dataFetcherSuite) TestFetcher_FetchWorkload_WorkloadNotFound() { resource.NewReferenceKey(proxyID): {}, }, } + destCache.WriteDestination(dest1) destCache.WriteDestination(dest2) suite.syncDestinations(dest1, dest2) + workload := resourcetest.Resource(catalog.WorkloadType, "service-workload-abc"). + WithTenancy(resource.DefaultNamespacedTenancy()). + WithData(suite.T(), &pbcatalog.Workload{ + Identity: identityID.Name, + Ports: map[string]*pbcatalog.WorkloadPort{ + "foo": {Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_HTTP}, + }, + Addresses: []*pbcatalog.WorkloadAddress{ + { + Host: "10.0.0.1", + Ports: []string{"foo"}, + }, + }, + }).Write(suite.T(), suite.client) + + // Track the workload's identity + _, err := f.FetchWorkload(context.Background(), workload.Id) + require.NoError(suite.T(), err) + require.NotNil(suite.T(), destCache.DestinationsBySourceProxy(proxyID)) + require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID)) + require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID)) + require.Equal(suite.T(), []*pbresource.ID{proxyID}, identitiesCache.ProxyIDsByWorkloadIdentity(identityID)) + proxyCfgID := resourcetest.Resource(types.ProxyConfigurationType, "proxy-config").ID() proxyCfgCache.TrackProxyConfiguration(proxyCfgID, []resource.ReferenceOrID{proxyID}) - f := New(suite.client, destCache, proxyCfgCache, computedRoutesCache) - - _, err := f.FetchWorkload(context.Background(), proxyID) + _, err = f.FetchWorkload(context.Background(), proxyID) require.NoError(suite.T(), err) // Check that cache is updated to remove proxy id. require.Nil(suite.T(), destCache.DestinationsBySourceProxy(proxyID)) require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID)) + require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID)) + require.Nil(suite.T(), identitiesCache.ProxyIDsByWorkloadIdentity(identityID)) } func (suite *dataFetcherSuite) TestFetcher_NotFound() { 
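Review bot: Both assertion groups in TestFetcher_FetchWorkload_WorkloadNotFound repeat `require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID))` on consecutive lines, so the second copy checks nothing new; given that four caches are wired into the Fetcher above, one copy in each group looks like it was meant to cover computedRoutesCache. If no routes-cache assertion is intended, drop the duplicates. The `// Track the workload's identity` step also turns this into a two-phase test (track a live workload, then fetch a missing one), and the removed leading comment no longer explains that; `// Fetch the live workload so its identity is tracked, then fetch a missing one and verify every cache entry for the proxy is removed.` would keep the intent readable.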
diff --git a/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go b/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go index 1faf74ebb9..23b762ff59 100644 --- a/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go +++ b/internal/mesh/internal/mappers/sidecarproxymapper/mapper.go @@ -19,17 +19,20 @@ type Mapper struct { destinationsCache *sidecarproxycache.DestinationsCache proxyCfgCache *sidecarproxycache.ProxyConfigurationCache computedRoutesCache *sidecarproxycache.ComputedRoutesCache + identitiesCache *sidecarproxycache.IdentitiesCache } func New( destinationsCache *sidecarproxycache.DestinationsCache, proxyCfgCache *sidecarproxycache.ProxyConfigurationCache, computedRoutesCache *sidecarproxycache.ComputedRoutesCache, + identitiesCache *sidecarproxycache.IdentitiesCache, ) *Mapper { return &Mapper{ destinationsCache: destinationsCache, proxyCfgCache: proxyCfgCache, computedRoutesCache: computedRoutesCache, + identitiesCache: identitiesCache, } } diff --git a/internal/mesh/internal/mappers/sidecarproxymapper/traffic_permissions_mapper.go b/internal/mesh/internal/mappers/sidecarproxymapper/traffic_permissions_mapper.go new file mode 100644 index 0000000000..5f1010811e --- /dev/null +++ b/internal/mesh/internal/mappers/sidecarproxymapper/traffic_permissions_mapper.go 
@@ -0,0 +1,35 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package sidecarproxymapper
+
+import (
+ "context"
+
+ "github.com/hashicorp/consul/internal/auth"
+ "github.com/hashicorp/consul/internal/controller"
+ "github.com/hashicorp/consul/internal/mesh/internal/types"
+ "github.com/hashicorp/consul/internal/resource"
+ pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
+ "github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+func (m *Mapper) MapComputedTrafficPermissionsToProxyStateTemplate(ctx context.Context, rt controller.Runtime, res *pbresource.Resource) ([]controller.Request, error) {
+ var ctp pbauth.ComputedTrafficPermissions
+ err := res.Data.UnmarshalTo(&ctp)
+ if err != nil {
+ return nil, err
+ }
+
+ pid := resource.ReplaceType(auth.WorkloadIdentityType, res.Id)
+ ids := m.identitiesCache.ProxyIDsByWorkloadIdentity(pid)
+
+ requests := make([]controller.Request, 0, len(ids))
+ for _, id := range ids {
+ requests = append(requests, controller.Request{
+ ID: resource.ReplaceType(types.ProxyStateTemplateType, id)},
+ )
+ }
+
+ return requests, nil
+}
diff --git a/internal/mesh/internal/mappers/sidecarproxymapper/traffic_permissions_mapper_test.go b/internal/mesh/internal/mappers/sidecarproxymapper/traffic_permissions_mapper_test.go
new file mode 100644
index 0000000000..e5e87e6f11
--- /dev/null
+++ b/internal/mesh/internal/mappers/sidecarproxymapper/traffic_permissions_mapper_test.go
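Review bot: `ctp` is decoded with UnmarshalTo but never read, so the decode only serves to reject a resource whose payload is not a ComputedTrafficPermissions; if that validation is the intent it deserves a comment, e.g. `// Decode only to reject a malformed payload; the mapping keys on res.Id alone.`, otherwise the three decode lines and the pbauth import can go. The mapper returns no requests and no error for a CTP whose identity has no tracked proxies, which means a CTP that arrives before a proxy's first workload fetch is only picked up because Reconcile fetches the CTP itself. `pid` holds a WorkloadIdentity ID rather than a proxy ID; `identityID := resource.ReplaceType(auth.WorkloadIdentityType, res.Id)` matches the name the test file uses. The method also lacks a doc comment: `// MapComputedTrafficPermissionsToProxyStateTemplate requests a reconcile of every proxy state template whose workload identity is tracked against the CTP's name and tenancy.`.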
@@ -0,0 +1,63 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package sidecarproxymapper + +import ( + "context" + "testing" + + "github.com/stretchr/testify/require" + + svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing" + "github.com/hashicorp/consul/internal/auth" + "github.com/hashicorp/consul/internal/catalog" + "github.com/hashicorp/consul/internal/controller" + "github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache" + "github.com/hashicorp/consul/internal/mesh/internal/types" + "github.com/hashicorp/consul/internal/resource" + "github.com/hashicorp/consul/internal/resource/resourcetest" + pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1" + "github.com/hashicorp/consul/proto/private/prototest" +) + +func TestMapComputedTrafficPermissionsToProxyStateTemplate(t *testing.T) { + client := svctest.RunResourceService(t, types.Register, catalog.RegisterTypes) + ctp := resourcetest.Resource(auth.ComputedTrafficPermissionsType, "workload-identity-1"). + WithTenancy(resource.DefaultNamespacedTenancy()). + WithData(t, &pbauth.ComputedTrafficPermissions{}). + Build() + + i := sidecarproxycache.NewIdentitiesCache() + mapper := &Mapper{identitiesCache: i} + + // Empty results when the cache isn't populated. + requests, err := mapper.MapComputedTrafficPermissionsToProxyStateTemplate(context.Background(), controller.Runtime{Client: client}, ctp) + require.NoError(t, err) + require.Len(t, requests, 0) + + identityID1 := resourcetest.Resource(auth.WorkloadIdentityType, "workload-identity-1"). + WithTenancy(resource.DefaultNamespacedTenancy()).ID() + + proxyID1 := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-1"). + WithTenancy(resource.DefaultNamespacedTenancy()).ID() + proxyID2 := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-2"). 
+ WithTenancy(resource.DefaultNamespacedTenancy()).ID() + + i.TrackPair(identityID1, proxyID1) + + // Empty results when the cache isn't populated. + requests, err = mapper.MapComputedTrafficPermissionsToProxyStateTemplate(context.Background(), controller.Runtime{Client: client}, ctp) + require.NoError(t, err) + prototest.AssertElementsMatch(t, []controller.Request{{ID: proxyID1}}, requests) + + i.TrackPair(identityID1, proxyID2) + + // Empty results when the cache isn't populated. + requests, err = mapper.MapComputedTrafficPermissionsToProxyStateTemplate(context.Background(), controller.Runtime{Client: client}, ctp) + require.NoError(t, err) + prototest.AssertElementsMatch(t, []controller.Request{ + {ID: proxyID1}, + {ID: proxyID2}, + }, requests) +} diff --git a/internal/mesh/internal/mappers/sidecarproxymapper/unified_mapper_test.go b/internal/mesh/internal/mappers/sidecarproxymapper/unified_mapper_test.go index e0a37a6358..b0b1cd465d 100644 --- a/internal/mesh/internal/mappers/sidecarproxymapper/unified_mapper_test.go +++ b/internal/mesh/internal/mappers/sidecarproxymapper/unified_mapper_test.go @@ -29,7 +29,7 @@ func TestUnified_AllMappingsToProxyStateTemplate(t *testing.T) { destCache = sidecarproxycache.NewDestinationsCache() // proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache() routesCache = sidecarproxycache.NewComputedRoutesCache() - mapper = New(destCache, nil, routesCache) + mapper = New(destCache, nil, routesCache, nil) client = svctest.RunResourceService(t, types.Register, catalog.RegisterTypes) ) diff --git a/internal/mesh/internal/types/decoded.go b/internal/mesh/internal/types/decoded.go index 50fb4d04b4..2e89fef7b5 100644 --- a/internal/mesh/internal/types/decoded.go +++ b/internal/mesh/internal/types/decoded.go 
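Review bot: The comment `// Empty results when the cache isn't populated.` is repeated before the second and third mapper calls in TestMapComputedTrafficPermissionsToProxyStateTemplate, where the assertions expect one and then two requests, so two of the three comments contradict the code under them. Replace them with `// One request once the identity is paired with a proxy.` and `// Both proxies once a second pair is tracked.`. This test's hunk begins on the previous line.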
@@ -5,21 +5,23 @@ package types import ( "github.com/hashicorp/consul/internal/resource" + pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1" pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1" pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1" ) type ( - DecodedHTTPRoute = resource.DecodedResource[*pbmesh.HTTPRoute] - DecodedGRPCRoute = resource.DecodedResource[*pbmesh.GRPCRoute] - DecodedTCPRoute = resource.DecodedResource[*pbmesh.TCPRoute] - DecodedDestinationPolicy = resource.DecodedResource[*pbmesh.DestinationPolicy] - DecodedComputedRoutes = resource.DecodedResource[*pbmesh.ComputedRoutes] - DecodedFailoverPolicy = resource.DecodedResource[*pbcatalog.FailoverPolicy] - DecodedService = resource.DecodedResource[*pbcatalog.Service] - DecodedServiceEndpoints = resource.DecodedResource[*pbcatalog.ServiceEndpoints] - DecodedWorkload = resource.DecodedResource[*pbcatalog.Workload] - DecodedProxyConfiguration = resource.DecodedResource[*pbmesh.ProxyConfiguration] - DecodedDestinations = resource.DecodedResource[*pbmesh.Upstreams] - DecodedProxyStateTemplate = resource.DecodedResource[*pbmesh.ProxyStateTemplate] + DecodedHTTPRoute = resource.DecodedResource[*pbmesh.HTTPRoute] + DecodedGRPCRoute = resource.DecodedResource[*pbmesh.GRPCRoute] + DecodedTCPRoute = resource.DecodedResource[*pbmesh.TCPRoute] + DecodedDestinationPolicy = resource.DecodedResource[*pbmesh.DestinationPolicy] + DecodedComputedRoutes = resource.DecodedResource[*pbmesh.ComputedRoutes] + DecodedComputedTrafficPermissions = resource.DecodedResource[*pbauth.ComputedTrafficPermissions] + DecodedFailoverPolicy = resource.DecodedResource[*pbcatalog.FailoverPolicy] + DecodedService = resource.DecodedResource[*pbcatalog.Service] + DecodedServiceEndpoints = resource.DecodedResource[*pbcatalog.ServiceEndpoints] + DecodedWorkload = resource.DecodedResource[*pbcatalog.Workload] + DecodedProxyConfiguration = resource.DecodedResource[*pbmesh.ProxyConfiguration] + 
DecodedDestinations = resource.DecodedResource[*pbmesh.Upstreams] + DecodedProxyStateTemplate = resource.DecodedResource[*pbmesh.ProxyStateTemplate] ) diff --git a/proto-public/pbauth/v1alpha1/traffic_permissions_addon.go b/proto-public/pbauth/v1alpha1/traffic_permissions_addon.go new file mode 100644 index 0000000000..402cc83ee0 --- /dev/null +++ b/proto-public/pbauth/v1alpha1/traffic_permissions_addon.go @@ -0,0 +1,14 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package authv1alpha1 + +type SourceToSpiffe interface { + GetIdentityName() string + GetPartition() string + GetNamespace() string + GetPeer() string +} + +var _ SourceToSpiffe = (*Source)(nil) +var _ SourceToSpiffe = (*ExcludeSource)(nil) diff --git a/proto-public/pbcatalog/v1alpha1/workload_addon.go b/proto-public/pbcatalog/v1alpha1/workload_addon.go index e26bca3af7..ac62b2cb0c 100644 --- a/proto-public/pbcatalog/v1alpha1/workload_addon.go +++ b/proto-public/pbcatalog/v1alpha1/workload_addon.go @@ -38,3 +38,16 @@ func (w *Workload) GetNonExternalAddressesForPort(portName string) []*WorkloadAd return addresses } + +func (w *Workload) GetPortsByProtocol() map[Protocol][]string { + if w == nil { + return nil + } + + out := make(map[Protocol][]string, len(w.Ports)) + for name, port := range w.Ports { + out[port.GetProtocol()] = append(out[port.GetProtocol()], name) + } + + return out +} diff --git a/proto-public/pbmesh/v1alpha1/pbproxystate/listener.pb.go b/proto-public/pbmesh/v1alpha1/pbproxystate/listener.pb.go index b50d47d746..9ee5bc6167 100644 --- a/proto-public/pbmesh/v1alpha1/pbproxystate/listener.pb.go +++ b/proto-public/pbmesh/v1alpha1/pbproxystate/listener.pb.go 
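Review bot: GetPortsByProtocol in workload_addon.go builds each protocol's port-name slice by ranging over `w.Ports`, a map, so the order of names within a slice varies from run to run; any caller that turns those names into rendered proxy state (the golden-file tests elsewhere in this diff compare exact output) inherits that nondeterminism. Sorting each slice before returning fixes it: `for p := range out { sort.Strings(out[p]) }` (adds a `sort` import). The exported method also lacks a doc comment; `// GetPortsByProtocol groups the workload's port names by protocol; it returns nil for a nil receiver.` is grounded in its body.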
@@ -645,7 +645,7 @@ type L4Destination struct { // stat_prefix is for compatibility with v1 xds configuration, so it is generated in exactly the same way. StatPrefix string `protobuf:"bytes,3,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"` // traffic_permissions is a list of traffic permissions for this destination. - TrafficPermissions *L4TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"` + TrafficPermissions *TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"` // max_inbound_connections specifies how many connections this destination can accept. MaxInboundConnections uint64 `protobuf:"varint,5,opt,name=max_inbound_connections,json=maxInboundConnections,proto3" json:"max_inbound_connections,omitempty"` } @@ -710,7 +710,7 @@ func (x *L4Destination) GetStatPrefix() string { return "" } -func (x *L4Destination) GetTrafficPermissions() *L4TrafficPermissions { +func (x *L4Destination) GetTrafficPermissions() *TrafficPermissions { if x != nil { return x.TrafficPermissions } 
@@ -752,7 +752,7 @@ type L7Destination struct { // protocol for the destination. Protocol L7Protocol `protobuf:"varint,3,opt,name=protocol,proto3,enum=hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Protocol" json:"protocol,omitempty"` // traffic_permissions is a list of intentions for this destination. - TrafficPermissions *L7TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"` + TrafficPermissions *TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"` // include_xfcc specifies whether to add xfcc header. IncludeXfcc bool `protobuf:"varint,5,opt,name=include_xfcc,json=includeXfcc,proto3" json:"include_xfcc,omitempty"` // static_route specifies whether this is a static route that is inlined in the listener filter. This is required to @@ -815,7 +815,7 @@ func (x *L7Destination) GetProtocol() L7Protocol { return L7Protocol_L7_PROTOCOL_HTTP } -func (x *L7Destination) GetTrafficPermissions() *L7TrafficPermissions { +func (x *L7Destination) GetTrafficPermissions() *TrafficPermissions { if x != nil { return x.TrafficPermissions } 
@@ -1021,7 +1021,7 @@ var file_pbmesh_v1alpha1_pbproxystate_listener_proto_rawDesc = []byte{ 0x6c, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x55, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x4c, - 0x65, 0x6e, 0x22, 0xbc, 0x03, 0x0a, 0x0d, 0x4c, 0x34, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, + 0x65, 0x6e, 0x22, 0xba, 0x03, 0x0a, 0x0d, 0x4c, 0x34, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x5b, 0x0a, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 
@@ -1037,92 +1037,92 @@ var file_pbmesh_v1alpha1_pbproxystate_listener_proto_rawDesc = []byte{ 0x70, 0x48, 0x00, 0x52, 0x10, 0x77, 0x65, 0x69, 0x67, 0x68, 0x74, 0x65, 0x64, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, - 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x72, 0x0a, 0x13, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, + 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x70, 0x0a, 0x13, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x41, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, + 0x01, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, - 0x65, 0x2e, 0x4c, 0x34, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, - 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, - 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, - 0x78, 0x5f, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, - 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x42, 0x0d, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x22, 0x8b, 0x03, 0x0a, 0x0d, 0x4c, 0x37, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 
0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, - 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, - 0x61, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x53, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x37, 0x2e, 0x68, 0x61, 0x73, - 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, - 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, - 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, - 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x72, 0x0a, - 0x13, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, - 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x41, 0x2e, 0x68, 0x61, 0x73, - 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, - 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, - 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x37, 0x54, 0x72, 0x61, 0x66, 0x66, - 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74, - 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x78, 0x66, 0x63, - 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, - 0x58, 0x66, 0x63, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x5f, 0x72, - 0x6f, 0x75, 0x74, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73, 0x74, 0x61, 0x74, - 0x69, 0x63, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f, 0x69, - 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 
0x69, 0x6f, - 0x6e, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x49, 0x6e, 0x62, - 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, - 0x31, 0x0a, 0x0e, 0x53, 0x4e, 0x49, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x50, 0x72, 0x65, 0x66, - 0x69, 0x78, 0x2a, 0x55, 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, - 0x19, 0x0a, 0x15, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, - 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x44, 0x49, - 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x49, 0x4e, 0x42, 0x4f, 0x55, 0x4e, 0x44, 0x10, - 0x01, 0x12, 0x16, 0x0a, 0x12, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4f, - 0x55, 0x54, 0x42, 0x4f, 0x55, 0x4e, 0x44, 0x10, 0x02, 0x2a, 0x54, 0x0a, 0x12, 0x42, 0x61, 0x6c, - 0x61, 0x6e, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, - 0x1f, 0x0a, 0x1b, 0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, 0x45, - 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x5f, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, - 0x12, 0x1d, 0x0a, 0x19, 0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, - 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x5f, 0x45, 0x58, 0x41, 0x43, 0x54, 0x10, 0x01, 0x2a, - 0x71, 0x0a, 0x0a, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a, - 0x16, 0x43, 0x41, 0x50, 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x54, 0x52, 0x41, 0x4e, - 0x53, 0x50, 0x41, 0x52, 0x45, 0x4e, 0x54, 0x10, 0x00, 0x12, 0x25, 0x0a, 0x21, 0x43, 0x41, 0x50, - 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, - 0x43, 0x4f, 0x4c, 0x5f, 
0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x01, - 0x12, 0x20, 0x0a, 0x1c, 0x43, 0x41, 0x50, 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x4c, - 0x34, 0x5f, 0x54, 0x4c, 0x53, 0x5f, 0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, - 0x10, 0x02, 0x2a, 0x4f, 0x0a, 0x0a, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, - 0x12, 0x14, 0x0a, 0x10, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, - 0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, - 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x01, 0x12, 0x14, 0x0a, - 0x10, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x47, 0x52, 0x50, - 0x43, 0x10, 0x02, 0x42, 0xd9, 0x02, 0x0a, 0x2f, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, - 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, - 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, - 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x42, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, - 0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, - 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, - 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, - 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2f, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, - 0x02, 0x05, 0x48, 0x43, 0x4d, 0x56, 0x50, 0xaa, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, - 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, - 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, - 0x73, 0x74, 0x61, 0x74, 0x65, 0xca, 0x02, 0x2b, 0x48, 0x61, 
0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, - 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, - 0x61, 0x74, 0x65, 0xe2, 0x02, 0x37, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, - 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, - 0x70, 0x68, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, - 0x65, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2f, - 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, - 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x3a, 0x3a, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x65, 0x2e, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, + 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, + 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f, + 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, + 0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x49, 0x6e, + 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, + 0x42, 0x0d, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, + 0x89, 0x03, 0x0a, 0x0d, 0x4c, 0x37, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, + 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 
0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, + 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x53, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, + 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x37, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, + 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, + 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, + 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x70, 0x0a, 0x13, 0x74, + 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, + 0x6e, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, + 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, + 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, + 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74, 0x72, 0x61, 0x66, 0x66, + 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x21, 0x0a, + 0x0c, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x78, 0x66, 0x63, 0x63, 0x18, 0x05, 0x20, + 0x01, 0x28, 0x08, 0x52, 0x0b, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x58, 0x66, 0x63, 0x63, + 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x52, 0x6f, + 0x75, 0x74, 0x65, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f, 0x69, 0x6e, 0x62, 0x6f, 0x75, + 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x07, + 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 
0x64, + 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x31, 0x0a, 0x0e, 0x53, + 0x4e, 0x49, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a, + 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x2a, 0x55, + 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x44, + 0x49, 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, + 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, + 0x49, 0x4f, 0x4e, 0x5f, 0x49, 0x4e, 0x42, 0x4f, 0x55, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x16, 0x0a, + 0x12, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4f, 0x55, 0x54, 0x42, 0x4f, + 0x55, 0x4e, 0x44, 0x10, 0x02, 0x2a, 0x54, 0x0a, 0x12, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, + 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a, 0x1b, 0x42, + 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, 0x49, 0x4f, + 0x4e, 0x53, 0x5f, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19, + 0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, 0x49, + 0x4f, 0x4e, 0x53, 0x5f, 0x45, 0x58, 0x41, 0x43, 0x54, 0x10, 0x01, 0x2a, 0x71, 0x0a, 0x0a, 0x43, + 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a, 0x16, 0x43, 0x41, 0x50, + 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x54, 0x52, 0x41, 0x4e, 0x53, 0x50, 0x41, 0x52, + 0x45, 0x4e, 0x54, 0x10, 0x00, 0x12, 0x25, 0x0a, 0x21, 0x43, 0x41, 0x50, 0x41, 0x42, 0x49, 0x4c, + 0x49, 0x54, 0x59, 0x5f, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, + 0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c, + 0x43, 0x41, 0x50, 0x41, 0x42, 
0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x4c, 0x34, 0x5f, 0x54, 0x4c, + 0x53, 0x5f, 0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x02, 0x2a, 0x4f, + 0x0a, 0x0a, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x14, 0x0a, 0x10, + 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, + 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, + 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x01, 0x12, 0x14, 0x0a, 0x10, 0x4c, 0x37, 0x5f, + 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x47, 0x52, 0x50, 0x43, 0x10, 0x02, 0x42, + 0xd9, 0x02, 0x0a, 0x2f, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, + 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, + 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, + 0x61, 0x74, 0x65, 0x42, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x50, 0x72, 0x6f, + 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, + 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, + 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, + 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, + 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, 0x02, 0x05, 0x48, 0x43, + 0x4d, 0x56, 0x50, 0xaa, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, + 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x31, 0x61, 0x6c, + 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, + 0x65, 0xca, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, + 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 
0x31, 0x61, 0x6c, 0x70, 0x68, + 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xe2, + 0x02, 0x37, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, + 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5c, 0x47, 0x50, + 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2f, 0x48, 0x61, 0x73, 0x68, + 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, + 0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3a, 0x3a, 0x50, + 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x33, } var ( @@ -1157,8 +1157,7 @@ var file_pbmesh_v1alpha1_pbproxystate_listener_proto_goTypes = []interface{}{ (*wrapperspb.UInt32Value)(nil), // 14: google.protobuf.UInt32Value (*DestinationCluster)(nil), // 15: hashicorp.consul.mesh.v1alpha1.pbproxystate.DestinationCluster (*L4WeightedClusterGroup)(nil), // 16: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4WeightedClusterGroup - (*L4TrafficPermissions)(nil), // 17: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions - (*L7TrafficPermissions)(nil), // 18: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7TrafficPermissions + (*TrafficPermissions)(nil), // 17: hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions } var file_pbmesh_v1alpha1_pbproxystate_listener_proto_depIdxs = []int32{ 0, // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.Listener.direction:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Direction 
@@ -1179,9 +1178,9 @@ var file_pbmesh_v1alpha1_pbproxystate_listener_proto_depIdxs = []int32{ 14, // 15: hashicorp.consul.mesh.v1alpha1.pbproxystate.CidrRange.prefix_len:type_name -> google.protobuf.UInt32Value 15, // 16: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Destination.cluster:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.DestinationCluster 16, // 17: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Destination.weighted_clusters:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4WeightedClusterGroup - 17, // 18: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions + 17, // 18: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions 3, // 19: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Destination.protocol:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Protocol - 18, // 20: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L7TrafficPermissions + 17, // 20: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions 21, // [21:21] is the sub-list for method output_type 21, // [21:21] is the sub-list for method input_type 21, // [21:21] is the sub-list for extension type_name diff --git a/proto-public/pbmesh/v1alpha1/pbproxystate/listener.proto b/proto-public/pbmesh/v1alpha1/pbproxystate/listener.proto index 0582197638..e1ee56cafb 100644 --- a/proto-public/pbmesh/v1alpha1/pbproxystate/listener.proto +++ b/proto-public/pbmesh/v1alpha1/pbproxystate/listener.proto 
@@ -97,7 +97,7 @@ message L4Destination { // stat_prefix is for compatibility with v1 xds configuration, so it is generated in exactly the same way. string stat_prefix = 3; // traffic_permissions is a list of traffic permissions for this destination. - L4TrafficPermissions traffic_permissions = 4; + TrafficPermissions traffic_permissions = 4; // max_inbound_connections specifies how many connections this destination can accept. uint64 max_inbound_connections = 5; } @@ -110,7 +110,7 @@ message L7Destination { // protocol for the destination. L7Protocol protocol = 3; // traffic_permissions is a list of intentions for this destination. - L7TrafficPermissions traffic_permissions = 4; + TrafficPermissions traffic_permissions = 4; // include_xfcc specifies whether to add xfcc header. bool include_xfcc = 5; // static_route specifies whether this is a static route that is inlined in the listener filter. This is required to diff --git a/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.go b/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.go deleted file mode 100644 index 299a236522..0000000000 --- a/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.go +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright (c) HashiCorp, Inc. -// SPDX-License-Identifier: BUSL-1.1 - -package pbproxystate - -func (s *L4Principal) ToL7Principal() *L7Principal { - out := &L7Principal{ - Spiffe: &Spiffe{ - Regex: s.SpiffeRegex, - }, - } - - for _, regex := range s.ExcludeSpiffeRegexes { - out.ExcludeSpiffes = append(out.ExcludeSpiffes, &Spiffe{ - Regex: regex, - }) - } - - return out -} diff --git a/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.pb.binary.go b/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.pb.binary.go index e34686a6cf..9c9e70a29f 100644 --- a/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.pb.binary.go +++ b/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.pb.binary.go 
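Review bot: The comment on the new `L7Destination.traffic_permissions` field (second hunk) still says "a list of intentions" while the `L4Destination` field in the first hunk says "a list of traffic permissions"; now that both fields carry the same `TrafficPermissions` message the two comments should agree, e.g. `// traffic_permissions is a list of traffic permissions for this destination.` on the L7 side. Swapping the message type while keeping field number 4 is wire-compatible for this field on its own, since the old and new types are both length-delimited messages. The generated code elsewhere in this commit shows `Principal.spiffe` (a message) taking over field 1 from the old `L4Principal.spiffe_regex` (a string), so any proxy state serialized in the old shape would likely be misread as a Spiffe message rather than rejected cleanly; presumably nothing persists this at v1alpha1, but it deserves a line in the description. Both messages continue outside these hunks.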
@@ -8,52 +8,32 @@ import ( ) // MarshalBinary implements encoding.BinaryMarshaler -func (msg *L7TrafficPermissions) MarshalBinary() ([]byte, error) { +func (msg *TrafficPermissions) MarshalBinary() ([]byte, error) { return proto.Marshal(msg) } // UnmarshalBinary implements encoding.BinaryUnmarshaler -func (msg *L7TrafficPermissions) UnmarshalBinary(b []byte) error { +func (msg *TrafficPermissions) UnmarshalBinary(b []byte) error { return proto.Unmarshal(b, msg) } // MarshalBinary implements encoding.BinaryMarshaler -func (msg *L4TrafficPermissions) MarshalBinary() ([]byte, error) { +func (msg *Permission) MarshalBinary() ([]byte, error) { return proto.Marshal(msg) } // UnmarshalBinary implements encoding.BinaryUnmarshaler -func (msg *L4TrafficPermissions) UnmarshalBinary(b []byte) error { +func (msg *Permission) UnmarshalBinary(b []byte) error { return proto.Unmarshal(b, msg) } // MarshalBinary implements encoding.BinaryMarshaler -func (msg *L4Permission) MarshalBinary() ([]byte, error) { +func (msg *Principal) MarshalBinary() ([]byte, error) { return proto.Marshal(msg) } // UnmarshalBinary implements encoding.BinaryUnmarshaler -func (msg *L4Permission) UnmarshalBinary(b []byte) error { - return proto.Unmarshal(b, msg) -} - -// MarshalBinary implements encoding.BinaryMarshaler -func (msg *L4Principal) MarshalBinary() ([]byte, error) { - return proto.Marshal(msg) -} - -// UnmarshalBinary implements encoding.BinaryUnmarshaler -func (msg *L4Principal) UnmarshalBinary(b []byte) error { - return proto.Unmarshal(b, msg) -} - -// MarshalBinary implements encoding.BinaryMarshaler -func (msg *L7Principal) MarshalBinary() ([]byte, error) { - return proto.Marshal(msg) -} - -// UnmarshalBinary implements encoding.BinaryUnmarshaler -func (msg *L7Principal) UnmarshalBinary(b []byte) error { +func (msg *Principal) UnmarshalBinary(b []byte) error { return proto.Unmarshal(b, msg) } 
diff --git a/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.pb.go b/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.pb.go index c2bc8a7209..46ebdc6752 100644 --- a/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.pb.go +++ b/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.pb.go @@ -23,14 +23,17 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) -type L7TrafficPermissions struct { +type TrafficPermissions struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields + + AllowPermissions []*Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"` + DenyPermissions []*Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"` } -func (x *L7TrafficPermissions) Reset() { - *x = L7TrafficPermissions{} +func (x *TrafficPermissions) Reset() { + *x = TrafficPermissions{} if protoimpl.UnsafeEnabled { mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[0] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) @@ -38,13 +41,13 @@ func (x *L7TrafficPermissions) Reset() { } } -func (x *L7TrafficPermissions) String() string { +func (x *TrafficPermissions) String() string { return protoimpl.X.MessageStringOf(x) } -func (*L7TrafficPermissions) ProtoMessage() {} +func (*TrafficPermissions) ProtoMessage() {} -func (x *L7TrafficPermissions) ProtoReflect() protoreflect.Message { +func (x *TrafficPermissions) ProtoReflect() protoreflect.Message { mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[0] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -56,22 +59,35 @@ func (x *L7TrafficPermissions) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use L7TrafficPermissions.ProtoReflect.Descriptor instead. -func (*L7TrafficPermissions) Descriptor() ([]byte, []int) { +// Deprecated: Use TrafficPermissions.ProtoReflect.Descriptor instead. +func (*TrafficPermissions) Descriptor() ([]byte, []int) { return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{0} } -type L4TrafficPermissions struct { +func (x *TrafficPermissions) GetAllowPermissions() []*Permission { + if x != nil { + return x.AllowPermissions + } + return nil +} + +func (x *TrafficPermissions) GetDenyPermissions() []*Permission { + if x != nil { + return x.DenyPermissions + } + return nil +} + +type Permission struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - AllowPermissions []*L4Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"` - DenyPermissions []*L4Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"` + Principals []*Principal `protobuf:"bytes,1,rep,name=principals,proto3" json:"principals,omitempty"` } -func (x *L4TrafficPermissions) Reset() { - *x = L4TrafficPermissions{} +func (x *Permission) Reset() { + *x = Permission{} if protoimpl.UnsafeEnabled { mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[1] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -79,13 +95,13 @@ func (x *L4TrafficPermissions) Reset() { } } -func (x *L4TrafficPermissions) String() string { +func (x *Permission) String() string { return protoimpl.X.MessageStringOf(x) } -func (*L4TrafficPermissions) ProtoMessage() {} +func (*Permission) ProtoMessage() {} -func (x *L4TrafficPermissions) ProtoReflect() protoreflect.Message { +func (x *Permission) ProtoReflect() protoreflect.Message { mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[1] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -97,35 +113,29 @@ func (x *L4TrafficPermissions) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use L4TrafficPermissions.ProtoReflect.Descriptor instead. -func (*L4TrafficPermissions) Descriptor() ([]byte, []int) { +// Deprecated: Use Permission.ProtoReflect.Descriptor instead. +func (*Permission) Descriptor() ([]byte, []int) { return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{1} } -func (x *L4TrafficPermissions) GetAllowPermissions() []*L4Permission { +func (x *Permission) GetPrincipals() []*Principal { if x != nil { - return x.AllowPermissions + return x.Principals } return nil } -func (x *L4TrafficPermissions) GetDenyPermissions() []*L4Permission { - if x != nil { - return x.DenyPermissions - } - return nil -} - -type L4Permission struct { +type Principal struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Principals []*L4Principal `protobuf:"bytes,1,rep,name=principals,proto3" json:"principals,omitempty"` + Spiffe *Spiffe `protobuf:"bytes,1,opt,name=spiffe,proto3" json:"spiffe,omitempty"` + ExcludeSpiffes []*Spiffe `protobuf:"bytes,2,rep,name=exclude_spiffes,json=excludeSpiffes,proto3" json:"exclude_spiffes,omitempty"` } -func (x *L4Permission) Reset() { - *x = L4Permission{} +func (x *Principal) Reset() { + *x = Principal{} if protoimpl.UnsafeEnabled { mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[2] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -133,13 +143,13 @@ func (x *L4Permission) Reset() { } } -func (x *L4Permission) String() string { +func (x *Principal) String() string { return protoimpl.X.MessageStringOf(x) } -func (*L4Permission) ProtoMessage() {} +func (*Principal) ProtoMessage() {} -func (x *L4Permission) ProtoReflect() protoreflect.Message { +func (x *Principal) ProtoReflect() protoreflect.Message { mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[2] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) 
@@ -151,123 +161,19 @@ func (x *L4Permission) ProtoReflect() protoreflect.Message { return mi.MessageOf(x) } -// Deprecated: Use L4Permission.ProtoReflect.Descriptor instead. -func (*L4Permission) Descriptor() ([]byte, []int) { +// Deprecated: Use Principal.ProtoReflect.Descriptor instead. +func (*Principal) Descriptor() ([]byte, []int) { return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{2} } -func (x *L4Permission) GetPrincipals() []*L4Principal { - if x != nil { - return x.Principals - } - return nil -} - -// L4Principal maps into Source. We first convert this to Source before generating Envoy resources. -type L4Principal struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - SpiffeRegex string `protobuf:"bytes,1,opt,name=spiffe_regex,json=spiffeRegex,proto3" json:"spiffe_regex,omitempty"` - ExcludeSpiffeRegexes []string `protobuf:"bytes,2,rep,name=exclude_spiffe_regexes,json=excludeSpiffeRegexes,proto3" json:"exclude_spiffe_regexes,omitempty"` -} - -func (x *L4Principal) Reset() { - *x = L4Principal{} - if protoimpl.UnsafeEnabled { - mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *L4Principal) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*L4Principal) ProtoMessage() {} - -func (x *L4Principal) ProtoReflect() protoreflect.Message { - mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use L4Principal.ProtoReflect.Descriptor instead. 
-func (*L4Principal) Descriptor() ([]byte, []int) { - return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{3} -} - -func (x *L4Principal) GetSpiffeRegex() string { - if x != nil { - return x.SpiffeRegex - } - return "" -} - -func (x *L4Principal) GetExcludeSpiffeRegexes() []string { - if x != nil { - return x.ExcludeSpiffeRegexes - } - return nil -} - -type L7Principal struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Spiffe *Spiffe `protobuf:"bytes,1,opt,name=spiffe,proto3" json:"spiffe,omitempty"` - ExcludeSpiffes []*Spiffe `protobuf:"bytes,2,rep,name=exclude_spiffes,json=excludeSpiffes,proto3" json:"exclude_spiffes,omitempty"` -} - -func (x *L7Principal) Reset() { - *x = L7Principal{} - if protoimpl.UnsafeEnabled { - mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *L7Principal) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*L7Principal) ProtoMessage() {} - -func (x *L7Principal) ProtoReflect() protoreflect.Message { - mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use L7Principal.ProtoReflect.Descriptor instead. -func (*L7Principal) Descriptor() ([]byte, []int) { - return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{4} -} - -func (x *L7Principal) GetSpiffe() *Spiffe { +func (x *Principal) GetSpiffe() *Spiffe { if x != nil { return x.Spiffe } return nil } -func (x *L7Principal) GetExcludeSpiffes() []*Spiffe { +func (x *Principal) GetExcludeSpiffes() []*Spiffe { if x != nil { return x.ExcludeSpiffes } 
@@ -289,7 +195,7 @@ type Spiffe struct { func (x *Spiffe) Reset() { *x = Spiffe{} if protoimpl.UnsafeEnabled { - mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[5] + mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -302,7 +208,7 @@ func (x *Spiffe) String() string { func (*Spiffe) ProtoMessage() {} func (x *Spiffe) ProtoReflect() protoreflect.Message { - mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[5] + mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -315,7 +221,7 @@ func (x *Spiffe) ProtoReflect() protoreflect.Message { // Deprecated: Use Spiffe.ProtoReflect.Descriptor instead. func (*Spiffe) Descriptor() ([]byte, []int) { - return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{5} + return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{3} } func (x *Spiffe) GetRegex() string { 
@@ -341,74 +247,66 @@ var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDesc = []byte 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2b, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, - 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x4c, 0x37, 0x54, 0x72, 0x61, 0x66, 0x66, - 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0xe4, 0x01, - 0x0a, 0x14, 0x4c, 0x34, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, - 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x66, 0x0a, 0x11, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, - 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x39, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, - 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, - 0x4c, 0x34, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x10, 0x61, 0x6c, - 0x6c, 0x6f, 0x77, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x64, - 0x0a, 0x10, 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, - 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, - 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, - 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x34, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, - 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, - 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x68, 
0x0a, 0x0c, 0x4c, 0x34, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, - 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x58, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, - 0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, - 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, - 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, - 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x34, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, - 0x61, 0x6c, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x22, 0x66, - 0x0a, 0x0b, 0x4c, 0x34, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x21, 0x0a, - 0x0c, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x65, 0x67, 0x65, 0x78, - 0x12, 0x34, 0x0a, 0x16, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x73, 0x70, 0x69, 0x66, - 0x66, 0x65, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, - 0x52, 0x14, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, - 0x65, 0x67, 0x65, 0x78, 0x65, 0x73, 0x22, 0xb8, 0x01, 0x0a, 0x0b, 0x4c, 0x37, 0x50, 0x72, 0x69, - 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x4b, 0x0a, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, - 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, - 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x06, 0x73, 0x70, 0x69, - 0x66, 0x66, 0x65, 0x12, 0x5c, 0x0a, 0x0f, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x73, - 0x70, 0x69, 0x66, 0x66, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 
0x32, 0x33, 0x2e, 0x68, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0xde, 0x01, 0x0a, 0x12, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, + 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x64, 0x0a, 0x11, + 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, + 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, + 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, + 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, + 0x52, 0x10, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, + 0x6e, 0x73, 0x12, 0x62, 0x0a, 0x10, 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, + 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, - 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66, - 0x65, 0x52, 0x0e, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, - 0x73, 0x22, 0x3d, 0x0a, 0x06, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x72, - 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x72, 0x65, 0x67, 0x65, - 0x78, 0x12, 0x1d, 0x0a, 0x0a, 0x78, 0x66, 0x63, 0x63, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x78, 0x66, 0x63, 0x63, 0x52, 0x65, 0x67, 0x65, 0x78, - 0x42, 0xe3, 0x02, 0x0a, 0x2f, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, - 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 
0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, - 0x74, 0x61, 0x74, 0x65, 0x42, 0x17, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, - 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, - 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, - 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, - 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, - 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, 0x02, 0x05, 0x48, 0x43, 0x4d, 0x56, 0x50, 0xaa, 0x02, - 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, - 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, - 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xca, 0x02, 0x2b, 0x48, - 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, - 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x50, 0x62, - 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xe2, 0x02, 0x37, 0x48, 0x61, 0x73, - 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, - 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, - 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, - 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2f, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, - 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a, - 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3a, 0x3a, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, - 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 
0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, + 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, 0x69, + 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x64, 0x0a, 0x0a, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, + 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x56, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, + 0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, + 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, + 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, + 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x22, 0xb6, 0x01, 0x0a, + 0x09, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x4b, 0x0a, 0x06, 0x73, 0x70, + 0x69, 0x66, 0x66, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x68, 0x61, 0x73, + 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, + 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, + 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, + 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12, 0x5c, 0x0a, 0x0f, 0x65, 0x78, 0x63, 0x6c, 0x75, + 0x64, 0x65, 0x5f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x33, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, + 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, + 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x0e, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x53, 0x70, + 0x69, 
0x66, 0x66, 0x65, 0x73, 0x22, 0x3d, 0x0a, 0x06, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12, + 0x14, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, + 0x72, 0x65, 0x67, 0x65, 0x78, 0x12, 0x1d, 0x0a, 0x0a, 0x78, 0x66, 0x63, 0x63, 0x5f, 0x72, 0x65, + 0x67, 0x65, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x78, 0x66, 0x63, 0x63, 0x52, + 0x65, 0x67, 0x65, 0x78, 0x42, 0xe3, 0x02, 0x0a, 0x2f, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, + 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, + 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, + 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x42, 0x17, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, + 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, + 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, + 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, + 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x62, + 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, 0x02, 0x05, 0x48, 0x43, 0x4d, + 0x56, 0x50, 0xaa, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, + 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, + 0xca, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, + 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xe2, 0x02, + 0x37, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 
0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, + 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, + 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5c, 0x47, 0x50, 0x42, + 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2f, 0x48, 0x61, 0x73, 0x68, 0x69, + 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, + 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3a, 0x3a, 0x50, 0x62, + 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var ( 
@@ -423,21 +321,19 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP() [ return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescData } -var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes = make([]protoimpl.MessageInfo, 6) +var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes = make([]protoimpl.MessageInfo, 4) var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_goTypes = []interface{}{ - (*L7TrafficPermissions)(nil), // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7TrafficPermissions - (*L4TrafficPermissions)(nil), // 1: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions - (*L4Permission)(nil), // 2: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Permission - (*L4Principal)(nil), // 3: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Principal - (*L7Principal)(nil), // 4: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Principal - (*Spiffe)(nil), // 5: hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe + (*TrafficPermissions)(nil), // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions + (*Permission)(nil), // 1: hashicorp.consul.mesh.v1alpha1.pbproxystate.Permission + (*Principal)(nil), // 2: hashicorp.consul.mesh.v1alpha1.pbproxystate.Principal + (*Spiffe)(nil), // 3: hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe } var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_depIdxs = []int32{ - 2, // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions.allow_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Permission - 2, // 1: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions.deny_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Permission - 3, // 2: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Permission.principals:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Principal - 5, // 3: 
hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Principal.spiffe:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe - 5, // 4: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Principal.exclude_spiffes:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe + 1, // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions.allow_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Permission + 1, // 1: hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions.deny_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Permission + 2, // 2: hashicorp.consul.mesh.v1alpha1.pbproxystate.Permission.principals:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Principal + 3, // 3: hashicorp.consul.mesh.v1alpha1.pbproxystate.Principal.spiffe:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe + 3, // 4: hashicorp.consul.mesh.v1alpha1.pbproxystate.Principal.exclude_spiffes:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe 5, // [5:5] is the sub-list for method output_type 5, // [5:5] is the sub-list for method input_type 5, // [5:5] is the sub-list for extension type_name @@ -452,7 +348,7 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() { } if !protoimpl.UnsafeEnabled { file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*L7TrafficPermissions); i { + switch v := v.(*TrafficPermissions); i { case 0: return &v.state case 1: @@ -464,7 +360,7 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() { } } file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*L4TrafficPermissions); i { + switch v := v.(*Permission); i { case 0: return &v.state case 1: 
@@ -476,7 +372,7 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() { } } file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*L4Permission); i { + switch v := v.(*Principal); i { case 0: return &v.state case 1: @@ -488,30 +384,6 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() { } } file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*L4Principal); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*L7Principal); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*Spiffe); i { case 0: return &v.state @@ -530,7 +402,7 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDesc, NumEnums: 0, - NumMessages: 6, + NumMessages: 4, NumExtensions: 0, NumServices: 0, }, diff --git a/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.proto b/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.proto index d1397ceebb..1c327e93b8 100644 --- a/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.proto +++ b/proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.proto 
@@ -5,28 +5,20 @@ syntax = "proto3";
 
 package hashicorp.consul.mesh.v1alpha1.pbproxystate;
 
-message L7TrafficPermissions {}
-
-message L4TrafficPermissions {
-  repeated L4Permission allow_permissions = 1;
-  repeated L4Permission deny_permissions = 2;
+message TrafficPermissions {
+  repeated Permission allow_permissions = 1;
+  repeated Permission deny_permissions = 2;
 }
 
-message L4Permission {
-  repeated L4Principal principals = 1;
+message Permission {
+  repeated Principal principals = 1;
 
-  // We don't need destination rules here because they either apply to L7 features or multi-ports.
+  // We don't need destination rules here yet because they either apply to L7 features or multi-ports.
   // In the case of multiple ports, the sidecar proxy controller is responsible for filtering
   // per-port permissions.
 }
 
-// L4Principal maps into Source. We first convert this to Source before generating Envoy resources.
-message L4Principal {
-  string spiffe_regex = 1;
-  repeated string exclude_spiffe_regexes = 2;
-}
-
-message L7Principal {
+message Principal {
   Spiffe spiffe = 1;
   repeated Spiffe exclude_spiffes = 2;
 }
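Review bot: The renamed `TrafficPermissions` and `Principal` messages carry no doc comment, and the one comment the old `L4Principal` had ("maps into Source…") is removed rather than carried over, so the schema no longer says how `allow_permissions` and `deny_permissions` are evaluated against each other or what an empty message means (the listeners.go hunks now emit a bare `&pbproxystate.TrafficPermissions{}` for both the L4 and L7 paths). For an authorization type that ambiguity is exactly where a consumer's behavior drifts from the controller's intent, and it is harder to catch later because the generated Go code inherits whatever is written here. I'd put `// TrafficPermissions is the source-based authorization policy for a destination; the precedence between deny_permissions and allow_permissions and the meaning of an empty policy are part of this contract and must be stated here.` above `message TrafficPermissions {`, filling in the precedence once it is settled. I'd also restore a doc comment on `message Principal {` that says how `spiffe` and `exclude_spiffes` combine, since the old comment only described the Source mapping and the exclude semantics were never written down.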