Wire up traffic permissions (#18812)

Wire up traffic permissions
pull/19632/head
Eric Haberkorn 2023-09-15 12:31:22 -04:00 committed by GitHub
parent d3dad14030
commit 21fdbbabbc
32 changed files with 1094 additions and 520 deletions


@ -1051,7 +1051,7 @@ func (s *Converter) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot, name s
l4Dest.MaxInboundConnections = uint64(cfg.MaxInboundConnections)
}
l4Dest.TrafficPermissions = &pbproxystate.L4TrafficPermissions{}
l4Dest.TrafficPermissions = &pbproxystate.TrafficPermissions{}
}
l.Routers = append(l.Routers, localAppRouter)
@ -1576,7 +1576,7 @@ func (g *Converter) makeL7Destination(opts destinationOpts) (*pbproxystate.L7Des
// access and that every filter chain uses our TLS certs.
if len(opts.httpAuthzFilters) > 0 {
// TODO(proxystate) support intentions in the future
dest.TrafficPermissions = &pbproxystate.L7TrafficPermissions{}
dest.TrafficPermissions = &pbproxystate.TrafficPermissions{}
//cfg.HttpFilters = append(opts.httpAuthzFilters, cfg.HttpFilters...)
}


@ -556,25 +556,25 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
}
)
makeL4Spiffe := func(name string, entMeta *acl.EnterpriseMeta) string {
makeSpiffe := func(name string, entMeta *acl.EnterpriseMeta) *pbproxystate.Spiffe {
em := *acl.DefaultEnterpriseMeta()
if entMeta != nil {
em = *entMeta
}
spiffe := makeSpiffePattern(rbacService{
regex := makeSpiffePattern(rbacService{
ServiceName: structs.ServiceName{
Name: name,
EnterpriseMeta: em,
},
TrustDomain: testTrustDomain,
})
return spiffe
return &pbproxystate.Spiffe{Regex: regex}
}
tests := map[string]struct {
intentionDefaultAllow bool
v1Intentions structs.SimplifiedIntentions
v2L4TrafficPermissions *pbproxystate.L4TrafficPermissions
v2L4TrafficPermissions *pbproxystate.TrafficPermissions
}{
"default-deny-mixed-precedence": {
intentionDefaultAllow: false,
@ -583,12 +583,12 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
testIntention(t, "*", "api", structs.IntentionActionDeny),
testIntention(t, "web", "*", structs.IntentionActionDeny),
),
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
AllowPermissions: []*pbproxystate.L4Permission{
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("web", nil),
Spiffe: makeSpiffe("web", nil),
},
},
},
@ -600,12 +600,12 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
v1Intentions: sorted(
testSourceIntention("*", structs.IntentionActionAllow),
),
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
AllowPermissions: []*pbproxystate.L4Permission{
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("*", nil),
Spiffe: makeSpiffe("*", nil),
},
},
},
@ -623,12 +623,12 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
v1Intentions: sorted(
testSourceIntention("web", structs.IntentionActionAllow),
),
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
AllowPermissions: []*pbproxystate.L4Permission{
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("web", nil),
Spiffe: makeSpiffe("web", nil),
},
},
},
@ -647,13 +647,13 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
testSourceIntention("web", structs.IntentionActionDeny),
testSourceIntention("*", structs.IntentionActionAllow),
),
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
AllowPermissions: []*pbproxystate.L4Permission{
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("*", nil),
ExcludeSpiffeRegexes: []string{makeL4Spiffe("web", nil)},
Spiffe: makeSpiffe("*", nil),
ExcludeSpiffes: []*pbproxystate.Spiffe{makeSpiffe("web", nil)},
},
},
},
@ -669,22 +669,22 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
testSourceIntention("cron", structs.IntentionActionAllow),
testSourceIntention("*", structs.IntentionActionAllow),
),
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
AllowPermissions: []*pbproxystate.L4Permission{
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("cron", nil),
Spiffe: makeSpiffe("cron", nil),
},
{
SpiffeRegex: makeL4Spiffe("web", nil),
Spiffe: makeSpiffe("web", nil),
},
{
SpiffeRegex: makeL4Spiffe("*", nil),
ExcludeSpiffeRegexes: []string{
makeL4Spiffe("web", nil),
makeL4Spiffe("unsafe", nil),
makeL4Spiffe("cron", nil),
Spiffe: makeSpiffe("*", nil),
ExcludeSpiffes: []*pbproxystate.Spiffe{
makeSpiffe("web", nil),
makeSpiffe("unsafe", nil),
makeSpiffe("cron", nil),
},
},
},
@ -694,37 +694,37 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
},
"v2-kitchen-sink": {
intentionDefaultAllow: false,
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
AllowPermissions: []*pbproxystate.L4Permission{
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("api", nil),
Spiffe: makeSpiffe("api", nil),
},
{
SpiffeRegex: makeL4Spiffe("*", nil),
ExcludeSpiffeRegexes: []string{
makeL4Spiffe("unsafe", nil),
Spiffe: makeSpiffe("*", nil),
ExcludeSpiffes: []*pbproxystate.Spiffe{
makeSpiffe("unsafe", nil),
},
},
},
},
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("web", nil),
Spiffe: makeSpiffe("web", nil),
},
},
},
},
DenyPermissions: []*pbproxystate.L4Permission{
DenyPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("db", nil),
Spiffe: makeSpiffe("db", nil),
},
{
SpiffeRegex: makeL4Spiffe("cron", nil),
Spiffe: makeSpiffe("cron", nil),
},
},
},
@ -733,20 +733,20 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
},
"v2-default-deny": {
intentionDefaultAllow: false,
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{},
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{},
},
"v2-default-allow": {
intentionDefaultAllow: true,
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{},
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{},
},
"v2-default-allow-one-allow": {
intentionDefaultAllow: true,
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
AllowPermissions: []*pbproxystate.L4Permission{
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("web", nil),
Spiffe: makeSpiffe("web", nil),
},
},
},
@ -756,12 +756,12 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
// In v2, having a single permission turns on default deny.
"v2-default-allow-one-deny": {
intentionDefaultAllow: true,
v2L4TrafficPermissions: &pbproxystate.L4TrafficPermissions{
DenyPermissions: []*pbproxystate.L4Permission{
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
DenyPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.L4Principal{
Principals: []*pbproxystate.Principal{
{
SpiffeRegex: makeL4Spiffe("web", nil),
Spiffe: makeSpiffe("web", nil),
},
},
},


@ -20,7 +20,7 @@ const (
baseL4PermissionKey = "consul-intentions-layer4"
)
func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.L4TrafficPermissions) ([]*envoy_listener_v3.Filter, error) {
func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.TrafficPermissions) ([]*envoy_listener_v3.Filter, error) {
var filters []*envoy_listener_v3.Filter
if trafficPermissions == nil {
@ -60,7 +60,7 @@ func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.L4TrafficPer
// includeAllowFilter determines if an Envoy RBAC allow filter will be included in the filter chain.
// We include this filter with default deny or whenever any permissions are configured.
func includeAllowFilter(defaultAllow bool, trafficPermissions *pbproxystate.L4TrafficPermissions) bool {
func includeAllowFilter(defaultAllow bool, trafficPermissions *pbproxystate.TrafficPermissions) bool {
hasPermissions := len(trafficPermissions.DenyPermissions)+len(trafficPermissions.AllowPermissions) > 0
return !defaultAllow || hasPermissions
}
@ -73,7 +73,7 @@ func makeRBACFilter(rbac *envoy_rbac_v3.RBAC) (*envoy_listener_v3.Filter, error)
return makeEnvoyFilter("envoy.filters.network.rbac", cfg)
}
func makeRBACPolicies(l4Permissions []*pbproxystate.L4Permission) map[string]*envoy_rbac_v3.Policy {
func makeRBACPolicies(l4Permissions []*pbproxystate.Permission) map[string]*envoy_rbac_v3.Policy {
policyLabel := func(i int) string {
if len(l4Permissions) == 1 {
return baseL4PermissionKey
@ -90,11 +90,11 @@ func makeRBACPolicies(l4Permissions []*pbproxystate.L4Permission) map[string]*en
return policies
}
func makeRBACPolicy(p *pbproxystate.L4Permission) *envoy_rbac_v3.Policy {
func makeRBACPolicy(p *pbproxystate.Permission) *envoy_rbac_v3.Policy {
var principals []*envoy_rbac_v3.Principal
for _, l4Principal := range p.Principals {
principals = append(principals, toEnvoyPrincipal(l4Principal.ToL7Principal()))
for _, p := range p.Principals {
principals = append(principals, toEnvoyPrincipal(p))
}
return &envoy_rbac_v3.Policy{
@ -103,7 +103,7 @@ func makeRBACPolicy(p *pbproxystate.L4Permission) *envoy_rbac_v3.Policy {
}
}
func toEnvoyPrincipal(p *pbproxystate.L7Principal) *envoy_rbac_v3.Principal {
func toEnvoyPrincipal(p *pbproxystate.Principal) *envoy_rbac_v3.Principal {
includePrincipal := principal(p.Spiffe)
if len(p.ExcludeSpiffes) == 0 {
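Review bot: In makeRBACPolicy the new loop `for _, p := range p.Principals` shadows the `*pbproxystate.Permission` parameter `p` with a `*pbproxystate.Principal` of the same name; it is legal Go because the range expression still refers to the outer `p`, but the function body continues past this hunk (the `return &envoy_rbac_v3.Policy{` that follows uses `p` as the Permission), so a reader has to resolve which `p` is meant on each line. Rename the loop variable: `for _, principal := range p.Principals {` / `principals = append(principals, toEnvoyPrincipal(principal))`. The rest of the section is a type rename and reads fine.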


@ -0,0 +1,38 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package sidecarproxycache
import (
auth "github.com/hashicorp/consul/internal/auth"
"github.com/hashicorp/consul/internal/mesh/internal/types"
"github.com/hashicorp/consul/internal/resource"
"github.com/hashicorp/consul/internal/resource/mappers/bimapper"
"github.com/hashicorp/consul/proto-public/pbresource"
)
// IdentitiesCache tracks mappings between workload identities and proxy IDs
// that a configuration applies to. It is the responsibility of the controller to
// keep this cache up-to-date.
type IdentitiesCache struct {
mapper *bimapper.Mapper
}
func NewIdentitiesCache() *IdentitiesCache {
return &IdentitiesCache{
mapper: bimapper.New(types.ProxyStateTemplateType, auth.WorkloadIdentityType),
}
}
func (c *IdentitiesCache) ProxyIDsByWorkloadIdentity(id *pbresource.ID) []*pbresource.ID {
return c.mapper.ItemIDsForLink(id)
}
func (c *IdentitiesCache) TrackPair(identityID *pbresource.ID, proxyID *pbresource.ID) {
c.mapper.TrackItem(proxyID, []resource.ReferenceOrID{identityID})
}
// UntrackProxyID removes tracking for the given proxy state template ID.
func (c *IdentitiesCache) UntrackProxyID(proxyID *pbresource.ID) {
c.mapper.UntrackItem(proxyID)
}
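Review bot: TrackPair and ProxyIDsByWorkloadIdentity are exported without doc comments, and the one behavioural subtlety — TrackItem is called with a single-element link list, so tracking a proxy against a new identity drops its previous identity link (the accompanying test relies on this when proxy 1 moves from identity 1 to identity 2) — is stated nowhere. Suggest `// TrackPair records that proxy state template proxyID is derived from workload identity identityID, replacing any identity previously tracked for that proxy; a proxy maps to exactly one identity.` and `// ProxyIDsByWorkloadIdentity returns the proxy state template IDs currently tracked against identityID, or nil when there are none.` The replace-on-track semantics come from bimapper.TrackItem, which is not visible here, so the wording should be checked against that type; whether the mapper is safe for concurrent use by the controller is also not visible and would be worth one line on the IdentitiesCache type comment.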


@ -0,0 +1,59 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package sidecarproxycache
import (
"testing"
"github.com/stretchr/testify/require"
"github.com/hashicorp/consul/internal/auth"
"github.com/hashicorp/consul/internal/mesh/internal/types"
"github.com/hashicorp/consul/internal/resource"
"github.com/hashicorp/consul/internal/resource/resourcetest"
"github.com/hashicorp/consul/proto-public/pbresource"
)
func TestIdentitiesCache(t *testing.T) {
cache := NewIdentitiesCache()
identityID1 := resourcetest.Resource(auth.WorkloadIdentityType, "workload-identity-1").
WithTenancy(resource.DefaultNamespacedTenancy()).ID()
identityID2 := resourcetest.Resource(auth.WorkloadIdentityType, "workload-identity-2").
WithTenancy(resource.DefaultNamespacedTenancy()).ID()
proxyID1 := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-1").
WithTenancy(resource.DefaultNamespacedTenancy()).ID()
proxyID2 := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-2").
WithTenancy(resource.DefaultNamespacedTenancy()).ID()
// Empty cache
require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID1))
require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID2))
// Insert value and fetch it.
cache.TrackPair(identityID1, proxyID1)
require.Equal(t, []*pbresource.ID{proxyID1}, cache.ProxyIDsByWorkloadIdentity(identityID1))
require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID2))
// Insert another value referencing the same identity.
cache.TrackPair(identityID1, proxyID2)
require.ElementsMatch(t, []*pbresource.ID{proxyID1, proxyID2}, cache.ProxyIDsByWorkloadIdentity(identityID1))
require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID2))
// Now proxy 1 uses identity 2
cache.TrackPair(identityID2, proxyID1)
require.Equal(t, []*pbresource.ID{proxyID1}, cache.ProxyIDsByWorkloadIdentity(identityID2))
require.Equal(t, []*pbresource.ID{proxyID2}, cache.ProxyIDsByWorkloadIdentity(identityID1))
// Untrack proxy 2
cache.UntrackProxyID(proxyID2)
require.Equal(t, []*pbresource.ID{proxyID1}, cache.ProxyIDsByWorkloadIdentity(identityID2))
require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID1))
// Untrack proxy 1
cache.UntrackProxyID(proxyID1)
require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID2))
require.Nil(t, cache.ProxyIDsByWorkloadIdentity(identityID1))
}


@ -40,10 +40,11 @@ func Register(mgr *controller.Manager, deps Dependencies) {
destinationsCache = sidecarproxycache.NewDestinationsCache()
proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache()
computedRoutesCache = sidecarproxycache.NewComputedRoutesCache()
m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache)
identitiesCache = sidecarproxycache.NewIdentitiesCache()
m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache)
)
mgr.Register(
sidecarproxy.Controller(destinationsCache, proxyCfgCache, computedRoutesCache, m, deps.TrustDomainFetcher, deps.LocalDatacenter),
sidecarproxy.Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, deps.TrustDomainFetcher, deps.LocalDatacenter),
)
mgr.Register(routes.Controller())


@ -6,16 +6,21 @@ package builder
import (
"fmt"
"github.com/hashicorp/consul/agent/connect"
"github.com/hashicorp/consul/envoyextensions/xdscommon"
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
"github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate"
"github.com/hashicorp/consul/proto-public/pbresource"
)
func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload) *Builder {
func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.ComputedTrafficPermissions) *Builder {
// Add the public listener.
lb := b.addInboundListener(xdscommon.PublicListenerName, workload)
lb.buildListener()
trafficPermissions := buildTrafficPermissions(b.trustDomain, workload, ctp)
// Go through workload ports and add the routers, clusters, endpoints, and TLS.
// Note that the order of ports is non-deterministic here but the xds generation
// code should make sure to send it in the same order to Envoy to avoid unnecessary
@ -24,7 +29,7 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload) *Builder {
clusterName := fmt.Sprintf("%s:%s", xdscommon.LocalAppClusterName, portName)
if port.Protocol != pbcatalog.Protocol_PROTOCOL_MESH {
lb.addInboundRouter(clusterName, port, portName).
lb.addInboundRouter(clusterName, port, portName, trafficPermissions[portName]).
addInboundTLS()
b.addLocalAppCluster(clusterName).
@ -35,6 +40,162 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload) *Builder {
return b
}
func buildTrafficPermissions(trustDomain string, workload *pbcatalog.Workload, computed *pbauth.ComputedTrafficPermissions) map[string]*pbproxystate.TrafficPermissions {
portsWithProtocol := workload.GetPortsByProtocol()
out := make(map[string]*pbproxystate.TrafficPermissions)
portToProtocol := make(map[string]pbcatalog.Protocol)
var allPorts []string
for protocol, ports := range portsWithProtocol {
if protocol == pbcatalog.Protocol_PROTOCOL_MESH {
continue
}
for _, p := range ports {
allPorts = append(allPorts, p)
portToProtocol[p] = protocol
out[p] = &pbproxystate.TrafficPermissions{}
}
}
if computed == nil {
return out
}
for _, p := range computed.DenyPermissions {
drsByPort := destinationRulesByPort(allPorts, p.DestinationRules)
principals := makePrincipals(trustDomain, p)
for port := range drsByPort {
out[port].DenyPermissions = append(out[port].DenyPermissions, &pbproxystate.Permission{
Principals: principals,
})
}
}
for _, p := range computed.AllowPermissions {
drsByPort := destinationRulesByPort(allPorts, p.DestinationRules)
principals := makePrincipals(trustDomain, p)
for port := range drsByPort {
out[port].AllowPermissions = append(out[port].AllowPermissions, &pbproxystate.Permission{
Principals: principals,
})
}
}
return out
}
// TODO this is a placeholder until we add them to the IR.
type DestinationRule struct{}
func destinationRulesByPort(allPorts []string, destinationRules []*pbauth.DestinationRule) map[string][]DestinationRule {
out := make(map[string][]DestinationRule)
if len(destinationRules) == 0 {
for _, p := range allPorts {
out[p] = nil
}
return out
}
for _, destinationRule := range destinationRules {
ports, dr := convertDestinationRule(allPorts, destinationRule)
for _, p := range ports {
out[p] = append(out[p], dr)
}
}
return out
}
func convertDestinationRule(allPorts []string, dr *pbauth.DestinationRule) ([]string, DestinationRule) {
ports := make(map[string]struct{})
if len(dr.PortNames) > 0 {
for _, p := range dr.PortNames {
ports[p] = struct{}{}
}
} else {
for _, p := range allPorts {
ports[p] = struct{}{}
}
}
for _, exclude := range dr.Exclude {
for _, p := range exclude.PortNames {
delete(ports, p)
}
}
var out []string
for p := range ports {
out = append(out, p)
}
return out, DestinationRule{}
}
func makePrincipals(trustDomain string, perm *pbauth.Permission) []*pbproxystate.Principal {
var principals []*pbproxystate.Principal
for _, s := range perm.Sources {
principals = append(principals, makePrincipal(trustDomain, s))
}
return principals
}
func makePrincipal(trustDomain string, s *pbauth.Source) *pbproxystate.Principal {
excludes := make([]*pbproxystate.Spiffe, 0, len(s.Exclude))
for _, es := range s.Exclude {
excludes = append(excludes, sourceToSpiffe(trustDomain, es))
}
return &pbproxystate.Principal{
Spiffe: sourceToSpiffe(trustDomain, s),
ExcludeSpiffes: excludes,
}
}
const (
anyPath = `[^/]+`
)
func sourceToSpiffe(trustDomain string, s pbauth.SourceToSpiffe) *pbproxystate.Spiffe {
var (
name = s.GetIdentityName()
ns = s.GetNamespace()
ap = s.GetPartition()
)
if ns == "" && name != "" {
panic(fmt.Sprintf("not possible to have a wildcarded namespace %q but an exact identity %q", ns, name))
}
if ap == "" {
panic("not possible to have a wildcarded source partition")
}
if ns == "" {
ns = anyPath
}
if name == "" {
name = anyPath
}
spiffeMatcher := connect.SpiffeIDFromIdentityRef(trustDomain, &pbresource.Reference{
Name: name,
Tenancy: &pbresource.Tenancy{
Partition: ap,
Namespace: ns,
PeerName: s.GetPeer(),
},
})
return &pbproxystate.Spiffe{
Regex: fmt.Sprintf(`^%s$`, spiffeMatcher),
}
}
func (b *Builder) addInboundListener(name string, workload *pbcatalog.Workload) *ListenerBuilder {
listener := &pbproxystate.Listener{
Name: name,
@ -77,7 +238,7 @@ func (b *Builder) addInboundListener(name string, workload *pbcatalog.Workload)
return b.NewListenerBuilder(listener)
}
func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.WorkloadPort, portName string) *ListenerBuilder {
func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.WorkloadPort, portName string, tp *pbproxystate.TrafficPermissions) *ListenerBuilder {
if l.listener == nil {
return l
}
@ -91,7 +252,8 @@ func (l *ListenerBuilder) addInboundRouter(clusterName string, port *pbcatalog.W
Name: clusterName,
},
},
StatPrefix: l.listener.Name,
StatPrefix: l.listener.Name,
TrafficPermissions: tp,
},
},
Match: &pbproxystate.Match{
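Review bot: sourceToSpiffe substitutes the `[^/]+` wildcard for an empty namespace or identity name and then runs the result through connect.SpiffeIDFromIdentityRef, and the expected values in TestBuildL4TrafficPermissions (`.../identity/%5B%5E/%5D+$`) show the character class comes back percent-encoded, so as a regex it matches the literal text `%5B%5E/%5` followed by one or more `D` and can never match a real SPIFFE URI. A wildcard allow therefore fails closed, and a wildcard deny such as the `*`-except-`quux` rule in that test fails open, leaving the allow for `foo` un-overridden. A minimal fix that keeps whatever peer encoding SpiffeIDFromIdentityRef performs is to pass a URL-safe placeholder for the wildcard components and substitute afterwards: `name = "__ANY__"` / `ns = "__ANY__"` in place of `anyPath`, then `Regex: fmt.Sprintf(`^%s$`, strings.ReplaceAll(regexp.QuoteMeta(spiffeMatcher), "__ANY__", anyPath))`, which also makes the `.` in the trust domain and any metacharacters in exact components match literally. Separately, buildTrafficPermissions indexes `out[port]` for every port destinationRulesByPort returns, but convertDestinationRule copies `dr.PortNames` without checking them against allPorts, so a DestinationRule naming the mesh port or a port the workload does not expose dereferences a nil `*TrafficPermissions` and panics the reconciler; guard with `tp, ok := out[port]; if !ok { continue }` (or drop unknown names in convertDestinationRule), and the same concern about malformed input argues for returning an error from sourceToSpiffe rather than its two panics unless CTP validation already rules those shapes out, which I cannot see from here.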


@ -76,7 +76,7 @@ func TestBuildLocalApp_Multiport(t *testing.T) {
for name, c := range cases {
t.Run(name, func(t *testing.T) {
proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", nil).
BuildLocalApp(c.workload).
BuildLocalApp(c.workload, nil).
Build()
// sort routers because of test flakes where order was flip flopping.


@ -12,13 +12,17 @@ import (
"github.com/hashicorp/consul/internal/resource"
"github.com/hashicorp/consul/internal/resource/resourcetest"
"github.com/hashicorp/consul/internal/testing/golden"
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
pbproxystate "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate"
"github.com/hashicorp/consul/proto-public/pbresource"
"github.com/hashicorp/consul/proto/private/prototest"
)
func TestBuildLocalApp(t *testing.T) {
cases := map[string]struct {
workload *pbcatalog.Workload
ctp *pbauth.ComputedTrafficPermissions
}{
"source/l4-single-workload-address-without-ports": {
workload: &pbcatalog.Workload{
@ -66,13 +70,26 @@ func TestBuildLocalApp(t *testing.T) {
"port2": {Port: 20000, Protocol: pbcatalog.Protocol_PROTOCOL_MESH},
},
},
ctp: &pbauth.ComputedTrafficPermissions{
AllowPermissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
{
IdentityName: "foo",
Namespace: "default",
Partition: "default",
},
},
},
},
},
},
}
for name, c := range cases {
t.Run(name, func(t *testing.T) {
proxyTmpl := New(testProxyStateTemplateID(), testIdentityRef(), "foo.consul", "dc1", nil).
BuildLocalApp(c.workload).
BuildLocalApp(c.workload, c.ctp).
Build()
actual := protoToJSON(t, proxyTmpl)
expected := golden.Get(t, actual, name+".golden")
@ -98,3 +115,200 @@ func testIdentityRef() *pbresource.Reference {
},
}
}
func TestBuildL4TrafficPermissions(t *testing.T) {
testTrustDomain := "test.consul"
cases := map[string]struct {
workloadPorts map[string]*pbcatalog.WorkloadPort
ctp *pbauth.ComputedTrafficPermissions
expected map[string]*pbproxystate.TrafficPermissions
}{
"empty": {
workloadPorts: map[string]*pbcatalog.WorkloadPort{
"p1": {
Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
},
"p2": {
Protocol: pbcatalog.Protocol_PROTOCOL_HTTP,
},
"p3": {},
"mesh": {
Protocol: pbcatalog.Protocol_PROTOCOL_MESH,
},
},
expected: map[string]*pbproxystate.TrafficPermissions{
"p1": {},
"p2": {},
"p3": {},
},
},
"kitchen sink": {
workloadPorts: map[string]*pbcatalog.WorkloadPort{
"p1": {
Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
},
"p2": {
Protocol: pbcatalog.Protocol_PROTOCOL_HTTP,
},
},
ctp: &pbauth.ComputedTrafficPermissions{
AllowPermissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
{
IdentityName: "foo",
Partition: "default",
Namespace: "default",
},
{
IdentityName: "",
Partition: "default",
Namespace: "default",
Exclude: []*pbauth.ExcludeSource{
{
IdentityName: "bar",
Namespace: "default",
Partition: "default",
},
},
},
},
DestinationRules: []*pbauth.DestinationRule{
// This should be p2.
{
Exclude: []*pbauth.ExcludePermissionRule{
{
PortNames: []string{"p1"},
},
},
},
},
},
{
Sources: []*pbauth.Source{
{
IdentityName: "baz",
Partition: "default",
Namespace: "default",
},
},
DestinationRules: []*pbauth.DestinationRule{
{
PortNames: []string{"p1"},
},
},
},
},
DenyPermissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
{
IdentityName: "qux",
Partition: "default",
Namespace: "default",
},
},
},
{
Sources: []*pbauth.Source{
{
IdentityName: "",
Namespace: "default",
Partition: "default",
Exclude: []*pbauth.ExcludeSource{
{
IdentityName: "quux",
Partition: "default",
Namespace: "default",
},
},
},
},
},
},
},
expected: map[string]*pbproxystate.TrafficPermissions{
"p1": {
DenyPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
{
Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/qux$"},
},
},
},
{
Principals: []*pbproxystate.Principal{
{
Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`},
ExcludeSpiffes: []*pbproxystate.Spiffe{
{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"},
},
},
},
},
},
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
{
Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/baz$"},
},
},
},
},
},
"p2": {
DenyPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
{
Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/qux$"},
},
},
},
{
Principals: []*pbproxystate.Principal{
{
Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`},
ExcludeSpiffes: []*pbproxystate.Spiffe{
{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/quux$"},
},
},
},
},
},
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
{
Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/foo$"},
},
{
Spiffe: &pbproxystate.Spiffe{Regex: `^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$`},
ExcludeSpiffes: []*pbproxystate.Spiffe{
{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/bar$"},
},
},
},
},
},
},
},
},
}
for name, tc := range cases {
t.Run(name, func(t *testing.T) {
workload := &pbcatalog.Workload{
Ports: tc.workloadPorts,
}
permissions := buildTrafficPermissions(testTrustDomain, workload, tc.ctp)
require.Equal(t, len(tc.expected), len(permissions))
for k, v := range tc.expected {
prototest.AssertDeepEqual(t, v, permissions[k])
}
})
}
}
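Review bot: The expected wildcard matchers in the kitchen-sink case (`^spiffe://test.consul/ap/default/ns/default/identity/%5B%5E/%5D+$` for the three `IdentityName: ""` sources) pin a percent-encoded character class rather than the `[^/]+` the builder intends, so the test passes while the regex can only match the literal text `%5B%5E/%5` plus one or more `D`. The expectation should read `…/identity/[^/]+$`, and it is worth adding a behavioural check alongside the structural one — compile each produced Regex and assert `MatchString("spiffe://test.consul/ap/default/ns/default/identity/anything")` for the wildcard principals and `!MatchString` for an ID in another namespace — so an encoding regression in sourceToSpiffe cannot be golden-ed in again. The "empty" case would also benefit from a sibling that passes a DestinationRule naming the `mesh` port, since that path is what buildTrafficPermissions currently cannot handle.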


@ -51,7 +51,20 @@
"cluster": {
"name": "local_app:port1"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {
"allowPermissions": [
{
"principals": [
{
"spiffe": {
"regex": "^spiffe://foo.consul/ap/default/ns/default/identity/foo$"
}
}
]
}
]
}
},
"match": {
"alpnProtocols": [


@ -51,7 +51,8 @@
"cluster": {
"name": "local_app:port1"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {}
},
"match": {
"alpnProtocols": [


@ -51,7 +51,8 @@
"cluster": {
"name": "local_app:port1"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {}
},
"match": {
"alpnProtocols": [


@ -66,7 +66,8 @@
"cluster": {
"name": "local_app:admin-port"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {}
},
"match": {
"alpnProtocols": [
@ -89,7 +90,8 @@
"cluster": {
"name": "local_app:api-port"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {}
},
"match": {
"alpnProtocols": [


@ -66,7 +66,8 @@
"cluster": {
"name": "local_app:admin-port"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {}
},
"match": {
"alpnProtocols": [
@ -89,7 +90,8 @@
"cluster": {
"name": "local_app:api-port"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {}
},
"match": {
"alpnProtocols": [


@ -66,7 +66,8 @@
"cluster": {
"name": "local_app:admin-port"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {}
},
"match": {
"alpnProtocols": [
@ -89,7 +90,8 @@
"cluster": {
"name": "local_app:api-port"
},
"statPrefix": "public_listener"
"statPrefix": "public_listener",
"trafficPermissions": {}
},
"match": {
"alpnProtocols": [


@ -9,6 +9,7 @@ import (
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/anypb"
"github.com/hashicorp/consul/internal/auth"
"github.com/hashicorp/consul/internal/catalog"
"github.com/hashicorp/consul/internal/controller"
"github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache"
@ -17,6 +18,7 @@ import (
"github.com/hashicorp/consul/internal/mesh/internal/mappers/sidecarproxymapper"
"github.com/hashicorp/consul/internal/mesh/internal/types"
"github.com/hashicorp/consul/internal/resource"
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
"github.com/hashicorp/consul/proto-public/pbresource"
)
@ -29,12 +31,13 @@ func Controller(
destinationsCache *sidecarproxycache.DestinationsCache,
proxyCfgCache *sidecarproxycache.ProxyConfigurationCache,
computedRoutesCache *sidecarproxycache.ComputedRoutesCache,
identitiesCache *sidecarproxycache.IdentitiesCache,
mapper *sidecarproxymapper.Mapper,
trustDomainFetcher TrustDomainFetcher,
dc string,
) controller.Controller {
if destinationsCache == nil || proxyCfgCache == nil || computedRoutesCache == nil || mapper == nil || trustDomainFetcher == nil {
panic("destinations cache, proxy configuration cache, computed routes cache, mapper, and trust domain fetcher are required")
if destinationsCache == nil || proxyCfgCache == nil || computedRoutesCache == nil || identitiesCache == nil || mapper == nil || trustDomainFetcher == nil {
panic("destinations cache, proxy configuration cache, computed routes cache, identities cache, mapper, and trust domain fetcher are required")
}
/*
@ -88,10 +91,12 @@ func Controller(
WithWatch(types.UpstreamsType, mapper.MapDestinationsToProxyStateTemplate).
WithWatch(types.ProxyConfigurationType, mapper.MapProxyConfigurationToProxyStateTemplate).
WithWatch(types.ComputedRoutesType, mapper.MapComputedRoutesToProxyStateTemplate).
WithWatch(auth.ComputedTrafficPermissionsType, mapper.MapComputedTrafficPermissionsToProxyStateTemplate).
WithReconciler(&reconciler{
destinationsCache: destinationsCache,
proxyCfgCache: proxyCfgCache,
computedRoutesCache: computedRoutesCache,
identitiesCache: identitiesCache,
getTrustDomain: trustDomainFetcher,
dc: dc,
})
@ -101,6 +106,7 @@ type reconciler struct {
destinationsCache *sidecarproxycache.DestinationsCache
proxyCfgCache *sidecarproxycache.ProxyConfigurationCache
computedRoutesCache *sidecarproxycache.ComputedRoutesCache
identitiesCache *sidecarproxycache.IdentitiesCache
getTrustDomain TrustDomainFetcher
dc string
}
@ -116,6 +122,7 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c
r.destinationsCache,
r.proxyCfgCache,
r.computedRoutesCache,
r.identitiesCache,
)
// Check if the workload exists.
@ -175,8 +182,20 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c
rt.Logger.Error("error fetching proxy and merging proxy configurations", "error", err)
return err
}
trafficPermissions, err := dataFetcher.FetchComputedTrafficPermissions(ctx, computedTrafficPermissionsIDFromWorkload(workload))
if err != nil {
rt.Logger.Error("error fetching computed traffic permissions to compute proxy state template", "error", err)
return err
}
var ctp *pbauth.ComputedTrafficPermissions
if trafficPermissions != nil {
ctp = trafficPermissions.Data
}
b := builder.New(req.ID, identityRefFromWorkload(workload), trustDomain, r.dc, proxyCfg).
BuildLocalApp(workload.Data)
BuildLocalApp(workload.Data, ctp)
// Get all destinationsData.
destinationsRefs := r.destinationsCache.DestinationsBySourceProxy(req.ID)
@ -252,3 +271,11 @@ func identityRefFromWorkload(w *types.DecodedWorkload) *pbresource.Reference {
Tenancy: w.Resource.Id.Tenancy,
}
}
func computedTrafficPermissionsIDFromWorkload(w *types.DecodedWorkload) *pbresource.ID {
return &pbresource.ID{
Type: auth.ComputedTrafficPermissionsType,
Name: w.Data.Identity,
Tenancy: w.Resource.Id.Tenancy,
}
}


@ -13,6 +13,7 @@ import (
svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing"
"github.com/hashicorp/consul/envoyextensions/xdscommon"
"github.com/hashicorp/consul/internal/auth"
"github.com/hashicorp/consul/internal/catalog"
"github.com/hashicorp/consul/internal/controller"
"github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache"
@ -23,6 +24,7 @@ import (
"github.com/hashicorp/consul/internal/mesh/internal/types"
"github.com/hashicorp/consul/internal/resource"
"github.com/hashicorp/consul/internal/resource/resourcetest"
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1"
"github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1/pbproxystate"
@ -41,13 +43,15 @@ type meshControllerTestSuite struct {
ctl *reconciler
ctx context.Context
apiWorkloadID *pbresource.ID
apiWorkload *pbcatalog.Workload
apiService *pbresource.Resource
apiServiceData *pbcatalog.Service
apiEndpoints *pbresource.Resource
apiEndpointsData *pbcatalog.ServiceEndpoints
webWorkload *pbresource.Resource
apiWorkloadID *pbresource.ID
apiWorkload *pbcatalog.Workload
computedTrafficPermissions *pbresource.Resource
computedTrafficPermissionsData *pbauth.ComputedTrafficPermissions
apiService *pbresource.Resource
apiServiceData *pbcatalog.Service
apiEndpoints *pbresource.Resource
apiEndpointsData *pbcatalog.ServiceEndpoints
webWorkload *pbresource.Resource
dbWorkloadID *pbresource.ID
dbWorkload *pbcatalog.Workload
@ -59,7 +63,7 @@ type meshControllerTestSuite struct {
}
func (suite *meshControllerTestSuite) SetupTest() {
resourceClient := svctest.RunResourceService(suite.T(), types.Register, catalog.RegisterTypes)
resourceClient := svctest.RunResourceService(suite.T(), types.Register, catalog.RegisterTypes, auth.RegisterTypes)
suite.client = resourcetest.NewClient(resourceClient)
suite.runtime = controller.Runtime{Client: resourceClient, Logger: testutil.Logger(suite.T())}
suite.ctx = testutil.TestContext(suite.T())
@ -67,6 +71,7 @@ func (suite *meshControllerTestSuite) SetupTest() {
suite.ctl = &reconciler{
destinationsCache: sidecarproxycache.NewDestinationsCache(),
proxyCfgCache: sidecarproxycache.NewProxyConfigurationCache(),
identitiesCache: sidecarproxycache.NewIdentitiesCache(),
getTrustDomain: func() (string, error) {
return "test.consul", nil
},
@ -142,6 +147,25 @@ func (suite *meshControllerTestSuite) SetupTest() {
},
}
suite.computedTrafficPermissionsData = &pbauth.ComputedTrafficPermissions{
AllowPermissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
{
IdentityName: "foo",
Namespace: "default",
Partition: "default",
Peer: "local",
},
},
},
},
}
suite.computedTrafficPermissions = resourcetest.Resource(auth.ComputedTrafficPermissionsType, suite.apiWorkload.Identity).
WithData(suite.T(), suite.computedTrafficPermissionsData).
Write(suite.T(), resourceClient)
suite.apiService = resourcetest.Resource(catalog.ServiceType, "api-service").
WithData(suite.T(), suite.apiServiceData).
Write(suite.T(), suite.client.ResourceServiceClient)
@ -203,7 +227,7 @@ func (suite *meshControllerTestSuite) SetupTest() {
}
suite.proxyStateTemplate = builder.New(suite.apiWorkloadID, identityRef, "test.consul", "dc1", nil).
BuildLocalApp(suite.apiWorkload).
BuildLocalApp(suite.apiWorkload, suite.computedTrafficPermissionsData).
Build()
}
@ -328,11 +352,12 @@ func (suite *meshControllerTestSuite) TestController() {
destinationsCache = sidecarproxycache.NewDestinationsCache()
proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache()
computedRoutesCache = sidecarproxycache.NewComputedRoutesCache()
m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache)
identitiesCache = sidecarproxycache.NewIdentitiesCache()
m = sidecarproxymapper.New(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache)
)
trustDomainFetcher := func() (string, error) { return "test.consul", nil }
mgr.Register(Controller(destinationsCache, proxyCfgCache, computedRoutesCache, m, trustDomainFetcher, "dc1"))
mgr.Register(Controller(destinationsCache, proxyCfgCache, computedRoutesCache, identitiesCache, m, trustDomainFetcher, "dc1"))
mgr.SetRaftLeader(true)
go mgr.Run(suite.ctx)
@ -344,6 +369,7 @@ func (suite *meshControllerTestSuite) TestController() {
apiComputedRoutesID = resource.ReplaceType(types.ComputedRoutesType, suite.apiService.Id)
dbComputedRoutesID = resource.ReplaceType(types.ComputedRoutesType, suite.dbService.Id)
apiProxyStateTemplate *pbresource.Resource
webProxyStateTemplate *pbresource.Resource
webDestinations *pbresource.Resource
)
@ -353,6 +379,7 @@ func (suite *meshControllerTestSuite) TestController() {
retry.Run(t, func(r *retry.R) {
suite.client.RequireResourceExists(r, apiProxyStateTemplateID)
webProxyStateTemplate = suite.client.RequireResourceExists(r, webProxyStateTemplateID)
apiProxyStateTemplate = suite.client.RequireResourceExists(r, apiProxyStateTemplateID)
})
})
@ -521,11 +548,28 @@ func (suite *meshControllerTestSuite) TestController() {
}).Write(suite.T(), suite.client)
webProxyStateTemplate = suite.client.WaitForNewVersion(suite.T(), webProxyStateTemplateID, webProxyStateTemplate.Version)
apiProxyStateTemplate = suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version)
requireImplicitDestinationsFound(t, "api", webProxyStateTemplate)
requireImplicitDestinationsFound(t, "db", webProxyStateTemplate)
})
testutil.RunStep(suite.T(), "computed traffic permissions force regeneration", func(t *testing.T) {
suite.runtime.Logger.Trace("deleting computed traffic permissions")
_, err := suite.client.Delete(suite.ctx, &pbresource.DeleteRequest{Id: suite.computedTrafficPermissions.Id})
require.NoError(t, err)
suite.client.WaitForDeletion(t, suite.computedTrafficPermissions.Id)
apiProxyStateTemplate = suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version)
suite.runtime.Logger.Trace("creating computed traffic permissions")
resourcetest.Resource(auth.ComputedTrafficPermissionsType, suite.apiWorkload.Identity).
WithData(t, suite.computedTrafficPermissionsData).
Write(t, suite.client)
suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version)
})
testutil.RunStep(suite.T(), "add an HTTPRoute with a simple split on the tcp port", func(t *testing.T) {
// NOTE: because at this point we have tproxy in all-to-all mode, we will get an
// implicit upstream on 'db'
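Review bot: The last `WaitForNewVersion` in the "computed traffic permissions force regeneration" step discards its result, so `apiProxyStateTemplate` is left holding the version produced after the deletion, not the one produced by the re-creation. A later step that waits on `apiProxyStateTemplate.Version` would then return immediately on the re-created version instead of the change it means to observe, which is inferred from how the surrounding steps chain versions. Assign it like the preceding line does: `apiProxyStateTemplate = suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version)`. The enclosing test function continues outside the hunk.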


@ -12,6 +12,7 @@ import (
"google.golang.org/grpc/status"
"google.golang.org/protobuf/proto"
"github.com/hashicorp/consul/internal/auth"
"github.com/hashicorp/consul/internal/catalog"
"github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache"
ctrlStatus "github.com/hashicorp/consul/internal/mesh/internal/controllers/sidecarproxy/status"
@ -19,6 +20,7 @@ import (
intermediateTypes "github.com/hashicorp/consul/internal/mesh/internal/types/intermediate"
"github.com/hashicorp/consul/internal/resource"
"github.com/hashicorp/consul/internal/storage"
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1"
"github.com/hashicorp/consul/proto-public/pbresource"
@ -29,6 +31,7 @@ type Fetcher struct {
DestinationsCache *sidecarproxycache.DestinationsCache
ProxyCfgCache *sidecarproxycache.ProxyConfigurationCache
ComputedRoutesCache *sidecarproxycache.ComputedRoutesCache
IdentitiesCache *sidecarproxycache.IdentitiesCache
}
func New(
@ -36,28 +39,39 @@ func New(
dCache *sidecarproxycache.DestinationsCache,
pcfgCache *sidecarproxycache.ProxyConfigurationCache,
computedRoutesCache *sidecarproxycache.ComputedRoutesCache,
iCache *sidecarproxycache.IdentitiesCache,
) *Fetcher {
return &Fetcher{
Client: client,
DestinationsCache: dCache,
ProxyCfgCache: pcfgCache,
ComputedRoutesCache: computedRoutesCache,
IdentitiesCache: iCache,
}
}
func (f *Fetcher) FetchWorkload(ctx context.Context, id *pbresource.ID) (*types.DecodedWorkload, error) {
proxyID := resource.ReplaceType(types.ProxyStateTemplateType, id)
dec, err := resource.GetDecodedResource[*pbcatalog.Workload](ctx, f.Client, id)
if err != nil {
return nil, err
} else if dec == nil {
// We also need to make sure to delete the associated proxy from cache.
// We are ignoring errors from cache here as this deletion is best effort.
proxyID := resource.ReplaceType(types.ProxyStateTemplateType, id)
f.DestinationsCache.DeleteSourceProxy(proxyID)
f.ProxyCfgCache.UntrackProxyID(proxyID)
f.IdentitiesCache.UntrackProxyID(proxyID)
return nil, nil
}
identityID := &pbresource.ID{
Name: dec.Data.Identity,
Tenancy: dec.Resource.Id.Tenancy,
Type: auth.WorkloadIdentityType,
}
f.IdentitiesCache.TrackPair(identityID, proxyID)
return dec, err
}
@ -65,6 +79,10 @@ func (f *Fetcher) FetchProxyStateTemplate(ctx context.Context, id *pbresource.ID
return resource.GetDecodedResource[*pbmesh.ProxyStateTemplate](ctx, f.Client, id)
}
func (f *Fetcher) FetchComputedTrafficPermissions(ctx context.Context, id *pbresource.ID) (*types.DecodedComputedTrafficPermissions, error) {
return resource.GetDecodedResource[*pbauth.ComputedTrafficPermissions](ctx, f.Client, id)
}
func (f *Fetcher) FetchServiceEndpoints(ctx context.Context, id *pbresource.ID) (*types.DecodedServiceEndpoints, error) {
return resource.GetDecodedResource[*pbcatalog.ServiceEndpoints](ctx, f.Client, id)
}
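Review bot: `FetchComputedTrafficPermissions` is exported with no doc comment, and the property the reconciler depends on — an absent resource comes back as `(nil, nil)` rather than an error, the same behaviour `FetchWorkload` handles in its `dec == nil` branch from the same helper — is stated nowhere. Suggest `// FetchComputedTrafficPermissions returns the decoded ComputedTrafficPermissions for id, or nil with no error when none exists; the caller decides what an absent permission set means for the workload's inbound traffic.` In `FetchWorkload`, `TrackPair` runs on every successful fetch; if a workload's identity changes later, whether the pair for the old identity is replaced or left behind depends on `TrackPair`, which is not visible here and worth confirming, since a missed pair would leave a proxy without permission-driven regeneration.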


@ -13,6 +13,7 @@ import (
"google.golang.org/grpc/status"
svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing"
"github.com/hashicorp/consul/internal/auth"
"github.com/hashicorp/consul/internal/catalog"
"github.com/hashicorp/consul/internal/controller"
"github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache"
@ -238,16 +239,28 @@ func (suite *dataFetcherSuite) SetupTest() {
}
func (suite *dataFetcherSuite) TestFetcher_FetchWorkload_WorkloadNotFound() {
// Test that when workload is not found, we remove it from cache.
proxyID := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-abc").ID()
proxyID := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-abc").
WithTenancy(resource.DefaultNamespacedTenancy()).
ID()
identityID := resourcetest.Resource(auth.WorkloadIdentityType, "workload-identity-abc").ID()
// Create cache and pre-populate it.
var (
destCache = sidecarproxycache.NewDestinationsCache()
proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache()
computedRoutesCache = sidecarproxycache.NewComputedRoutesCache()
identitiesCache = sidecarproxycache.NewIdentitiesCache()
)
f := Fetcher{
DestinationsCache: destCache,
ProxyCfgCache: proxyCfgCache,
ComputedRoutesCache: computedRoutesCache,
IdentitiesCache: identitiesCache,
Client: suite.client,
}
// Prepopulate the cache.
dest1 := intermediate.CombinedDestinationRef{
ServiceRef: resourcetest.Resource(catalog.ServiceType, "test-service-1").ReferenceNoSection(),
Port: "tcp",
@ -264,21 +277,45 @@ func (suite *dataFetcherSuite) TestFetcher_FetchWorkload_WorkloadNotFound() {
resource.NewReferenceKey(proxyID): {},
},
}
destCache.WriteDestination(dest1)
destCache.WriteDestination(dest2)
suite.syncDestinations(dest1, dest2)
workload := resourcetest.Resource(catalog.WorkloadType, "service-workload-abc").
WithTenancy(resource.DefaultNamespacedTenancy()).
WithData(suite.T(), &pbcatalog.Workload{
Identity: identityID.Name,
Ports: map[string]*pbcatalog.WorkloadPort{
"foo": {Port: 8080, Protocol: pbcatalog.Protocol_PROTOCOL_HTTP},
},
Addresses: []*pbcatalog.WorkloadAddress{
{
Host: "10.0.0.1",
Ports: []string{"foo"},
},
},
}).Write(suite.T(), suite.client)
// Track the workload's identity
_, err := f.FetchWorkload(context.Background(), workload.Id)
require.NoError(suite.T(), err)
require.NotNil(suite.T(), destCache.DestinationsBySourceProxy(proxyID))
require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID))
require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID))
require.Equal(suite.T(), []*pbresource.ID{proxyID}, identitiesCache.ProxyIDsByWorkloadIdentity(identityID))
proxyCfgID := resourcetest.Resource(types.ProxyConfigurationType, "proxy-config").ID()
proxyCfgCache.TrackProxyConfiguration(proxyCfgID, []resource.ReferenceOrID{proxyID})
f := New(suite.client, destCache, proxyCfgCache, computedRoutesCache)
_, err := f.FetchWorkload(context.Background(), proxyID)
_, err = f.FetchWorkload(context.Background(), proxyID)
require.NoError(suite.T(), err)
// Check that cache is updated to remove proxy id.
require.Nil(suite.T(), destCache.DestinationsBySourceProxy(proxyID))
require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID))
require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID))
require.Nil(suite.T(), identitiesCache.ProxyIDsByWorkloadIdentity(identityID))
}
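Review bot: `require.Nil(suite.T(), proxyCfgCache.ProxyConfigurationsByProxyID(proxyID))` is written twice in a row, both after the tracking fetch and after the not-found fetch; the repeat looks like a copy-paste, and since `computedRoutesCache` is now constructed but never asserted on, it may have been meant for that cache. Drop the duplicate or replace it with the intended assertion. The second `FetchWorkload` call still passes a ProxyStateTemplate-typed `proxyID` to reach the not-found path; a comment such as `// Fetch with an ID that has no workload behind it to exercise the not-found cleanup.` would make that intent clearer.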
func (suite *dataFetcherSuite) TestFetcher_NotFound() {


@ -19,17 +19,20 @@ type Mapper struct {
destinationsCache *sidecarproxycache.DestinationsCache
proxyCfgCache *sidecarproxycache.ProxyConfigurationCache
computedRoutesCache *sidecarproxycache.ComputedRoutesCache
identitiesCache *sidecarproxycache.IdentitiesCache
}
func New(
destinationsCache *sidecarproxycache.DestinationsCache,
proxyCfgCache *sidecarproxycache.ProxyConfigurationCache,
computedRoutesCache *sidecarproxycache.ComputedRoutesCache,
identitiesCache *sidecarproxycache.IdentitiesCache,
) *Mapper {
return &Mapper{
destinationsCache: destinationsCache,
proxyCfgCache: proxyCfgCache,
computedRoutesCache: computedRoutesCache,
identitiesCache: identitiesCache,
}
}


@ -0,0 +1,35 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package sidecarproxymapper
import (
"context"
"github.com/hashicorp/consul/internal/auth"
"github.com/hashicorp/consul/internal/controller"
"github.com/hashicorp/consul/internal/mesh/internal/types"
"github.com/hashicorp/consul/internal/resource"
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
"github.com/hashicorp/consul/proto-public/pbresource"
)
func (m *Mapper) MapComputedTrafficPermissionsToProxyStateTemplate(ctx context.Context, rt controller.Runtime, res *pbresource.Resource) ([]controller.Request, error) {
var ctp pbauth.ComputedTrafficPermissions
err := res.Data.UnmarshalTo(&ctp)
if err != nil {
return nil, err
}
pid := resource.ReplaceType(auth.WorkloadIdentityType, res.Id)
ids := m.identitiesCache.ProxyIDsByWorkloadIdentity(pid)
requests := make([]controller.Request, 0, len(ids))
for _, id := range ids {
requests = append(requests, controller.Request{
ID: resource.ReplaceType(types.ProxyStateTemplateType, id)},
)
}
return requests, nil
}
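Review bot: `ctp` is unmarshalled and then never read, so the decode only serves as a check that the payload is a ComputedTrafficPermissions; either state that with `// Decode only to verify the payload type; the permissions themselves are not needed to find the affected proxies.` or drop the decode. `pid` is the WorkloadIdentity ID derived from the resource, not a proxy ID, so `identityID := resource.ReplaceType(auth.WorkloadIdentityType, res.Id)` reads more accurately. The exported method also lacks a doc comment; suggest `// MapComputedTrafficPermissionsToProxyStateTemplate returns a reconcile request for every ProxyStateTemplate tracked against the workload identity that the given ComputedTrafficPermissions resource is named after.`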


@ -0,0 +1,63 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package sidecarproxymapper
import (
"context"
"testing"
"github.com/stretchr/testify/require"
svctest "github.com/hashicorp/consul/agent/grpc-external/services/resource/testing"
"github.com/hashicorp/consul/internal/auth"
"github.com/hashicorp/consul/internal/catalog"
"github.com/hashicorp/consul/internal/controller"
"github.com/hashicorp/consul/internal/mesh/internal/cache/sidecarproxycache"
"github.com/hashicorp/consul/internal/mesh/internal/types"
"github.com/hashicorp/consul/internal/resource"
"github.com/hashicorp/consul/internal/resource/resourcetest"
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
"github.com/hashicorp/consul/proto/private/prototest"
)
func TestMapComputedTrafficPermissionsToProxyStateTemplate(t *testing.T) {
client := svctest.RunResourceService(t, types.Register, catalog.RegisterTypes)
ctp := resourcetest.Resource(auth.ComputedTrafficPermissionsType, "workload-identity-1").
WithTenancy(resource.DefaultNamespacedTenancy()).
WithData(t, &pbauth.ComputedTrafficPermissions{}).
Build()
i := sidecarproxycache.NewIdentitiesCache()
mapper := &Mapper{identitiesCache: i}
// Empty results when the cache isn't populated.
requests, err := mapper.MapComputedTrafficPermissionsToProxyStateTemplate(context.Background(), controller.Runtime{Client: client}, ctp)
require.NoError(t, err)
require.Len(t, requests, 0)
identityID1 := resourcetest.Resource(auth.WorkloadIdentityType, "workload-identity-1").
WithTenancy(resource.DefaultNamespacedTenancy()).ID()
proxyID1 := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-1").
WithTenancy(resource.DefaultNamespacedTenancy()).ID()
proxyID2 := resourcetest.Resource(types.ProxyStateTemplateType, "service-workload-2").
WithTenancy(resource.DefaultNamespacedTenancy()).ID()
i.TrackPair(identityID1, proxyID1)
// Empty results when the cache isn't populated.
requests, err = mapper.MapComputedTrafficPermissionsToProxyStateTemplate(context.Background(), controller.Runtime{Client: client}, ctp)
require.NoError(t, err)
prototest.AssertElementsMatch(t, []controller.Request{{ID: proxyID1}}, requests)
i.TrackPair(identityID1, proxyID2)
// Empty results when the cache isn't populated.
requests, err = mapper.MapComputedTrafficPermissionsToProxyStateTemplate(context.Background(), controller.Runtime{Client: client}, ctp)
require.NoError(t, err)
prototest.AssertElementsMatch(t, []controller.Request{
{ID: proxyID1},
{ID: proxyID2},
}, requests)
}
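Review bot: The comments on the second and third assertion groups repeat `// Empty results when the cache isn't populated.` from the first group, but those groups assert non-empty results after `TrackPair`; suggest `// One request once proxyID1 is tracked for the identity.` and `// Both proxies once a second pair is tracked.` The resource service is started without `auth.RegisterTypes`; that is harmless here because the ComputedTrafficPermissions is only built, never written, but it will need registering as the controller test does if a future revision writes the resource.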


@ -29,7 +29,7 @@ func TestUnified_AllMappingsToProxyStateTemplate(t *testing.T) {
destCache = sidecarproxycache.NewDestinationsCache()
// proxyCfgCache = sidecarproxycache.NewProxyConfigurationCache()
routesCache = sidecarproxycache.NewComputedRoutesCache()
mapper = New(destCache, nil, routesCache)
mapper = New(destCache, nil, routesCache, nil)
client = svctest.RunResourceService(t, types.Register, catalog.RegisterTypes)
)


@ -5,21 +5,23 @@ package types
import (
"github.com/hashicorp/consul/internal/resource"
pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
pbcatalog "github.com/hashicorp/consul/proto-public/pbcatalog/v1alpha1"
pbmesh "github.com/hashicorp/consul/proto-public/pbmesh/v1alpha1"
)
type (
DecodedHTTPRoute = resource.DecodedResource[*pbmesh.HTTPRoute]
DecodedGRPCRoute = resource.DecodedResource[*pbmesh.GRPCRoute]
DecodedTCPRoute = resource.DecodedResource[*pbmesh.TCPRoute]
DecodedDestinationPolicy = resource.DecodedResource[*pbmesh.DestinationPolicy]
DecodedComputedRoutes = resource.DecodedResource[*pbmesh.ComputedRoutes]
DecodedFailoverPolicy = resource.DecodedResource[*pbcatalog.FailoverPolicy]
DecodedService = resource.DecodedResource[*pbcatalog.Service]
DecodedServiceEndpoints = resource.DecodedResource[*pbcatalog.ServiceEndpoints]
DecodedWorkload = resource.DecodedResource[*pbcatalog.Workload]
DecodedProxyConfiguration = resource.DecodedResource[*pbmesh.ProxyConfiguration]
DecodedDestinations = resource.DecodedResource[*pbmesh.Upstreams]
DecodedProxyStateTemplate = resource.DecodedResource[*pbmesh.ProxyStateTemplate]
DecodedHTTPRoute = resource.DecodedResource[*pbmesh.HTTPRoute]
DecodedGRPCRoute = resource.DecodedResource[*pbmesh.GRPCRoute]
DecodedTCPRoute = resource.DecodedResource[*pbmesh.TCPRoute]
DecodedDestinationPolicy = resource.DecodedResource[*pbmesh.DestinationPolicy]
DecodedComputedRoutes = resource.DecodedResource[*pbmesh.ComputedRoutes]
DecodedComputedTrafficPermissions = resource.DecodedResource[*pbauth.ComputedTrafficPermissions]
DecodedFailoverPolicy = resource.DecodedResource[*pbcatalog.FailoverPolicy]
DecodedService = resource.DecodedResource[*pbcatalog.Service]
DecodedServiceEndpoints = resource.DecodedResource[*pbcatalog.ServiceEndpoints]
DecodedWorkload = resource.DecodedResource[*pbcatalog.Workload]
DecodedProxyConfiguration = resource.DecodedResource[*pbmesh.ProxyConfiguration]
DecodedDestinations = resource.DecodedResource[*pbmesh.Upstreams]
DecodedProxyStateTemplate = resource.DecodedResource[*pbmesh.ProxyStateTemplate]
)


@ -0,0 +1,14 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package authv1alpha1
type SourceToSpiffe interface {
GetIdentityName() string
GetPartition() string
GetNamespace() string
GetPeer() string
}
var _ SourceToSpiffe = (*Source)(nil)
var _ SourceToSpiffe = (*ExcludeSource)(nil)
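Review bot: `SourceToSpiffe` is an exported interface with no doc comment; the two compile-time assertions show which types satisfy it but not what it is for. Suggest `// SourceToSpiffe is the set of accessors shared by Source and ExcludeSource, so code that needs a source's identity, partition, namespace and peer can accept either.` The name implies a SPIFFE-ID derivation on the consumer side, which is not visible in this file and should be confirmed before putting it in the comment.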


@ -38,3 +38,16 @@ func (w *Workload) GetNonExternalAddressesForPort(portName string) []*WorkloadAd
return addresses
}
func (w *Workload) GetPortsByProtocol() map[Protocol][]string {
if w == nil {
return nil
}
out := make(map[Protocol][]string, len(w.Ports))
for name, port := range w.Ports {
out[port.GetProtocol()] = append(out[port.GetProtocol()], name)
}
return out
}
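Review bot: `GetPortsByProtocol` has no doc comment, and because it ranges over the `w.Ports` map, the order of names within each protocol's slice varies from call to call. If a consumer writes those names into a generated resource, the nondeterministic order could produce spurious version changes — inferred, since the callers are not in this hunk — so sorting each slice with `sort.Strings(names)` inside a `for _, names := range out` loop (adding the `sort` import) would make the output stable. Suggest `// GetPortsByProtocol groups the workload's port names by their protocol; it returns nil for a nil workload.` and hoisting `port.GetProtocol()` into a local to avoid calling it twice per entry.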


@ -645,7 +645,7 @@ type L4Destination struct {
// stat_prefix is for compatibility with v1 xds configuration, so it is generated in exactly the same way.
StatPrefix string `protobuf:"bytes,3,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"`
// traffic_permissions is a list of traffic permissions for this destination.
TrafficPermissions *L4TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"`
TrafficPermissions *TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"`
// max_inbound_connections specifies how many connections this destination can accept.
MaxInboundConnections uint64 `protobuf:"varint,5,opt,name=max_inbound_connections,json=maxInboundConnections,proto3" json:"max_inbound_connections,omitempty"`
}
@ -710,7 +710,7 @@ func (x *L4Destination) GetStatPrefix() string {
return ""
}
func (x *L4Destination) GetTrafficPermissions() *L4TrafficPermissions {
func (x *L4Destination) GetTrafficPermissions() *TrafficPermissions {
if x != nil {
return x.TrafficPermissions
}
@ -752,7 +752,7 @@ type L7Destination struct {
// protocol for the destination.
Protocol L7Protocol `protobuf:"varint,3,opt,name=protocol,proto3,enum=hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Protocol" json:"protocol,omitempty"`
// traffic_permissions is a list of intentions for this destination.
TrafficPermissions *L7TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"`
TrafficPermissions *TrafficPermissions `protobuf:"bytes,4,opt,name=traffic_permissions,json=trafficPermissions,proto3" json:"traffic_permissions,omitempty"`
// include_xfcc specifies whether to add xfcc header.
IncludeXfcc bool `protobuf:"varint,5,opt,name=include_xfcc,json=includeXfcc,proto3" json:"include_xfcc,omitempty"`
// static_route specifies whether this is a static route that is inlined in the listener filter. This is required to
@ -815,7 +815,7 @@ func (x *L7Destination) GetProtocol() L7Protocol {
return L7Protocol_L7_PROTOCOL_HTTP
}
func (x *L7Destination) GetTrafficPermissions() *L7TrafficPermissions {
func (x *L7Destination) GetTrafficPermissions() *TrafficPermissions {
if x != nil {
return x.TrafficPermissions
}
@ -1021,7 +1021,7 @@ var file_pbmesh_v1alpha1_pbproxystate_listener_proto_rawDesc = []byte{
0x6c, 0x65, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67,
0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x55, 0x49, 0x6e, 0x74,
0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x4c,
0x65, 0x6e, 0x22, 0xbc, 0x03, 0x0a, 0x0d, 0x4c, 0x34, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61,
0x65, 0x6e, 0x22, 0xba, 0x03, 0x0a, 0x0d, 0x4c, 0x34, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61,
0x74, 0x69, 0x6f, 0x6e, 0x12, 0x5b, 0x0a, 0x07, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x18,
0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31,
@ -1037,92 +1037,92 @@ var file_pbmesh_v1alpha1_pbproxystate_listener_proto_rawDesc = []byte{
0x70, 0x48, 0x00, 0x52, 0x10, 0x77, 0x65, 0x69, 0x67, 0x68, 0x74, 0x65, 0x64, 0x43, 0x6c, 0x75,
0x73, 0x74, 0x65, 0x72, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72,
0x65, 0x66, 0x69, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74,
0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x72, 0x0a, 0x13, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69,
0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x70, 0x0a, 0x13, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69,
0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x41, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
0x01, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c,
0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74,
0x65, 0x2e, 0x4c, 0x34, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69,
0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50,
0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61,
0x78, 0x5f, 0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78,
0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
0x6e, 0x73, 0x42, 0x0d, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x22, 0x8b, 0x03, 0x0a, 0x0d, 0x4c, 0x37, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74,
0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f,
0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74,
0x61, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x53, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x37, 0x2e, 0x68, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65,
0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72,
0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f,
0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x72, 0x0a,
0x13, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
0x69, 0x6f, 0x6e, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x41, 0x2e, 0x68, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65,
0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72,
0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x37, 0x54, 0x72, 0x61, 0x66, 0x66,
0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74,
0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e,
0x73, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x78, 0x66, 0x63,
0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65,
0x58, 0x66, 0x63, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x5f, 0x72,
0x6f, 0x75, 0x74, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73, 0x74, 0x61, 0x74,
0x69, 0x63, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f, 0x69,
0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f,
0x6e, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x49, 0x6e, 0x62,
0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22,
0x31, 0x0a, 0x0e, 0x53, 0x4e, 0x49, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78,
0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x50, 0x72, 0x65, 0x66,
0x69, 0x78, 0x2a, 0x55, 0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12,
0x19, 0x0a, 0x15, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53,
0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x44, 0x49,
0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x49, 0x4e, 0x42, 0x4f, 0x55, 0x4e, 0x44, 0x10,
0x01, 0x12, 0x16, 0x0a, 0x12, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4f,
0x55, 0x54, 0x42, 0x4f, 0x55, 0x4e, 0x44, 0x10, 0x02, 0x2a, 0x54, 0x0a, 0x12, 0x42, 0x61, 0x6c,
0x61, 0x6e, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12,
0x1f, 0x0a, 0x1b, 0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, 0x45,
0x43, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x5f, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00,
0x12, 0x1d, 0x0a, 0x19, 0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x4e,
0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x53, 0x5f, 0x45, 0x58, 0x41, 0x43, 0x54, 0x10, 0x01, 0x2a,
0x71, 0x0a, 0x0a, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a,
0x16, 0x43, 0x41, 0x50, 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x54, 0x52, 0x41, 0x4e,
0x53, 0x50, 0x41, 0x52, 0x45, 0x4e, 0x54, 0x10, 0x00, 0x12, 0x25, 0x0a, 0x21, 0x43, 0x41, 0x50,
0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f,
0x43, 0x4f, 0x4c, 0x5f, 0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x01,
0x12, 0x20, 0x0a, 0x1c, 0x43, 0x41, 0x50, 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x4c,
0x34, 0x5f, 0x54, 0x4c, 0x53, 0x5f, 0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e,
0x10, 0x02, 0x2a, 0x4f, 0x0a, 0x0a, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
0x12, 0x14, 0x0a, 0x10, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f,
0x48, 0x54, 0x54, 0x50, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f,
0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x01, 0x12, 0x14, 0x0a,
0x10, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x47, 0x52, 0x50,
0x43, 0x10, 0x02, 0x42, 0xd9, 0x02, 0x0a, 0x2f, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68,
0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73,
0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f,
0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x42, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65,
0x72, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63,
0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c,
0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
0x61, 0x31, 0x2f, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2,
0x02, 0x05, 0x48, 0x43, 0x4d, 0x56, 0x50, 0xaa, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63,
0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e,
0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79,
0x73, 0x74, 0x61, 0x74, 0x65, 0xca, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31,
0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74,
0x61, 0x74, 0x65, 0xe2, 0x02, 0x37, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c,
0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c,
0x70, 0x68, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74,
0x65, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2f,
0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75,
0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
0x31, 0x3a, 0x3a, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62,
0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x65, 0x2e, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72,
0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f,
0x69, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69,
0x6f, 0x6e, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x49, 0x6e,
0x62, 0x6f, 0x75, 0x6e, 0x64, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73,
0x42, 0x0d, 0x0a, 0x0b, 0x64, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22,
0x89, 0x03, 0x0a, 0x0d, 0x4c, 0x37, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f,
0x6e, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72,
0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74,
0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x53, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63,
0x6f, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x37, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68,
0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x70, 0x0a, 0x13, 0x74,
0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
0x6e, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68,
0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65,
0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x52, 0x12, 0x74, 0x72, 0x61, 0x66, 0x66,
0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x21, 0x0a,
0x0c, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x78, 0x66, 0x63, 0x63, 0x18, 0x05, 0x20,
0x01, 0x28, 0x08, 0x52, 0x0b, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x58, 0x66, 0x63, 0x63,
0x12, 0x21, 0x0a, 0x0c, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65,
0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0b, 0x73, 0x74, 0x61, 0x74, 0x69, 0x63, 0x52, 0x6f,
0x75, 0x74, 0x65, 0x12, 0x36, 0x0a, 0x17, 0x6d, 0x61, 0x78, 0x5f, 0x69, 0x6e, 0x62, 0x6f, 0x75,
0x6e, 0x64, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x07,
0x20, 0x01, 0x28, 0x04, 0x52, 0x15, 0x6d, 0x61, 0x78, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64,
0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x31, 0x0a, 0x0e, 0x53,
0x4e, 0x49, 0x44, 0x65, 0x73, 0x74, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1f, 0x0a,
0x0b, 0x73, 0x74, 0x61, 0x74, 0x5f, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x01, 0x20, 0x01,
0x28, 0x09, 0x52, 0x0a, 0x73, 0x74, 0x61, 0x74, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x2a, 0x55,
0x0a, 0x09, 0x44, 0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a, 0x15, 0x44,
0x49, 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49,
0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54,
0x49, 0x4f, 0x4e, 0x5f, 0x49, 0x4e, 0x42, 0x4f, 0x55, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x16, 0x0a,
0x12, 0x44, 0x49, 0x52, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x4f, 0x55, 0x54, 0x42, 0x4f,
0x55, 0x4e, 0x44, 0x10, 0x02, 0x2a, 0x54, 0x0a, 0x12, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65,
0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1f, 0x0a, 0x1b, 0x42,
0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, 0x49, 0x4f,
0x4e, 0x53, 0x5f, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x1d, 0x0a, 0x19,
0x42, 0x41, 0x4c, 0x41, 0x4e, 0x43, 0x45, 0x5f, 0x43, 0x4f, 0x4e, 0x4e, 0x45, 0x43, 0x54, 0x49,
0x4f, 0x4e, 0x53, 0x5f, 0x45, 0x58, 0x41, 0x43, 0x54, 0x10, 0x01, 0x2a, 0x71, 0x0a, 0x0a, 0x43,
0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x12, 0x1a, 0x0a, 0x16, 0x43, 0x41, 0x50,
0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x54, 0x52, 0x41, 0x4e, 0x53, 0x50, 0x41, 0x52,
0x45, 0x4e, 0x54, 0x10, 0x00, 0x12, 0x25, 0x0a, 0x21, 0x43, 0x41, 0x50, 0x41, 0x42, 0x49, 0x4c,
0x49, 0x54, 0x59, 0x5f, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f,
0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x01, 0x12, 0x20, 0x0a, 0x1c,
0x43, 0x41, 0x50, 0x41, 0x42, 0x49, 0x4c, 0x49, 0x54, 0x59, 0x5f, 0x4c, 0x34, 0x5f, 0x54, 0x4c,
0x53, 0x5f, 0x49, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x02, 0x2a, 0x4f,
0x0a, 0x0a, 0x4c, 0x37, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x14, 0x0a, 0x10,
0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50,
0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x4c, 0x37, 0x5f, 0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f,
0x4c, 0x5f, 0x48, 0x54, 0x54, 0x50, 0x32, 0x10, 0x01, 0x12, 0x14, 0x0a, 0x10, 0x4c, 0x37, 0x5f,
0x50, 0x52, 0x4f, 0x54, 0x4f, 0x43, 0x4f, 0x4c, 0x5f, 0x47, 0x52, 0x50, 0x43, 0x10, 0x02, 0x42,
0xd9, 0x02, 0x0a, 0x2f, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31,
0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74,
0x61, 0x74, 0x65, 0x42, 0x0d, 0x4c, 0x69, 0x73, 0x74, 0x65, 0x6e, 0x65, 0x72, 0x50, 0x72, 0x6f,
0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75,
0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70,
0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70,
0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, 0x02, 0x05, 0x48, 0x43,
0x4d, 0x56, 0x50, 0xaa, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x31, 0x61, 0x6c,
0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74,
0x65, 0xca, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f,
0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68,
0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xe2,
0x02, 0x37, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73,
0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5c, 0x47, 0x50,
0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2f, 0x48, 0x61, 0x73, 0x68,
0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d,
0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3a, 0x3a, 0x50,
0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x33,
}
var (
@ -1157,8 +1157,7 @@ var file_pbmesh_v1alpha1_pbproxystate_listener_proto_goTypes = []interface{}{
(*wrapperspb.UInt32Value)(nil), // 14: google.protobuf.UInt32Value
(*DestinationCluster)(nil), // 15: hashicorp.consul.mesh.v1alpha1.pbproxystate.DestinationCluster
(*L4WeightedClusterGroup)(nil), // 16: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4WeightedClusterGroup
(*L4TrafficPermissions)(nil), // 17: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions
(*L7TrafficPermissions)(nil), // 18: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7TrafficPermissions
(*TrafficPermissions)(nil), // 17: hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions
}
var file_pbmesh_v1alpha1_pbproxystate_listener_proto_depIdxs = []int32{
0, // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.Listener.direction:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Direction
@ -1179,9 +1178,9 @@ var file_pbmesh_v1alpha1_pbproxystate_listener_proto_depIdxs = []int32{
14, // 15: hashicorp.consul.mesh.v1alpha1.pbproxystate.CidrRange.prefix_len:type_name -> google.protobuf.UInt32Value
15, // 16: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Destination.cluster:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.DestinationCluster
16, // 17: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Destination.weighted_clusters:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4WeightedClusterGroup
17, // 18: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions
17, // 18: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions
3, // 19: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Destination.protocol:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Protocol
18, // 20: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L7TrafficPermissions
17, // 20: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Destination.traffic_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions
21, // [21:21] is the sub-list for method output_type
21, // [21:21] is the sub-list for method input_type
21, // [21:21] is the sub-list for extension type_name


@ -97,7 +97,7 @@ message L4Destination {
// stat_prefix is for compatibility with v1 xds configuration, so it is generated in exactly the same way.
string stat_prefix = 3;
// traffic_permissions is a list of traffic permissions for this destination.
L4TrafficPermissions traffic_permissions = 4;
TrafficPermissions traffic_permissions = 4;
// max_inbound_connections specifies how many connections this destination can accept.
uint64 max_inbound_connections = 5;
}
@ -110,7 +110,7 @@ message L7Destination {
// protocol for the destination.
L7Protocol protocol = 3;
// traffic_permissions is a list of intentions for this destination.
L7TrafficPermissions traffic_permissions = 4;
TrafficPermissions traffic_permissions = 4;
// include_xfcc specifies whether to add xfcc header.
bool include_xfcc = 5;
// static_route specifies whether this is a static route that is inlined in the listener filter. This is required to


@ -1,20 +0,0 @@
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
package pbproxystate
func (s *L4Principal) ToL7Principal() *L7Principal {
out := &L7Principal{
Spiffe: &Spiffe{
Regex: s.SpiffeRegex,
},
}
for _, regex := range s.ExcludeSpiffeRegexes {
out.ExcludeSpiffes = append(out.ExcludeSpiffes, &Spiffe{
Regex: regex,
})
}
return out
}


@ -8,52 +8,32 @@ import (
)
// MarshalBinary implements encoding.BinaryMarshaler
func (msg *L7TrafficPermissions) MarshalBinary() ([]byte, error) {
func (msg *TrafficPermissions) MarshalBinary() ([]byte, error) {
return proto.Marshal(msg)
}
// UnmarshalBinary implements encoding.BinaryUnmarshaler
func (msg *L7TrafficPermissions) UnmarshalBinary(b []byte) error {
func (msg *TrafficPermissions) UnmarshalBinary(b []byte) error {
return proto.Unmarshal(b, msg)
}
// MarshalBinary implements encoding.BinaryMarshaler
func (msg *L4TrafficPermissions) MarshalBinary() ([]byte, error) {
func (msg *Permission) MarshalBinary() ([]byte, error) {
return proto.Marshal(msg)
}
// UnmarshalBinary implements encoding.BinaryUnmarshaler
func (msg *L4TrafficPermissions) UnmarshalBinary(b []byte) error {
func (msg *Permission) UnmarshalBinary(b []byte) error {
return proto.Unmarshal(b, msg)
}
// MarshalBinary implements encoding.BinaryMarshaler
func (msg *L4Permission) MarshalBinary() ([]byte, error) {
func (msg *Principal) MarshalBinary() ([]byte, error) {
return proto.Marshal(msg)
}
// UnmarshalBinary implements encoding.BinaryUnmarshaler
func (msg *L4Permission) UnmarshalBinary(b []byte) error {
return proto.Unmarshal(b, msg)
}
// MarshalBinary implements encoding.BinaryMarshaler
func (msg *L4Principal) MarshalBinary() ([]byte, error) {
return proto.Marshal(msg)
}
// UnmarshalBinary implements encoding.BinaryUnmarshaler
func (msg *L4Principal) UnmarshalBinary(b []byte) error {
return proto.Unmarshal(b, msg)
}
// MarshalBinary implements encoding.BinaryMarshaler
func (msg *L7Principal) MarshalBinary() ([]byte, error) {
return proto.Marshal(msg)
}
// UnmarshalBinary implements encoding.BinaryUnmarshaler
func (msg *L7Principal) UnmarshalBinary(b []byte) error {
func (msg *Principal) UnmarshalBinary(b []byte) error {
return proto.Unmarshal(b, msg)
}


@ -23,14 +23,17 @@ const (
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
type L7TrafficPermissions struct {
type TrafficPermissions struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
AllowPermissions []*Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"`
DenyPermissions []*Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"`
}
func (x *L7TrafficPermissions) Reset() {
*x = L7TrafficPermissions{}
func (x *TrafficPermissions) Reset() {
*x = TrafficPermissions{}
if protoimpl.UnsafeEnabled {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[0]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@ -38,13 +41,13 @@ func (x *L7TrafficPermissions) Reset() {
}
}
func (x *L7TrafficPermissions) String() string {
func (x *TrafficPermissions) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*L7TrafficPermissions) ProtoMessage() {}
func (*TrafficPermissions) ProtoMessage() {}
func (x *L7TrafficPermissions) ProtoReflect() protoreflect.Message {
func (x *TrafficPermissions) ProtoReflect() protoreflect.Message {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[0]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@ -56,22 +59,35 @@ func (x *L7TrafficPermissions) ProtoReflect() protoreflect.Message {
return mi.MessageOf(x)
}
// Deprecated: Use L7TrafficPermissions.ProtoReflect.Descriptor instead.
func (*L7TrafficPermissions) Descriptor() ([]byte, []int) {
// Deprecated: Use TrafficPermissions.ProtoReflect.Descriptor instead.
func (*TrafficPermissions) Descriptor() ([]byte, []int) {
return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{0}
}
type L4TrafficPermissions struct {
func (x *TrafficPermissions) GetAllowPermissions() []*Permission {
if x != nil {
return x.AllowPermissions
}
return nil
}
func (x *TrafficPermissions) GetDenyPermissions() []*Permission {
if x != nil {
return x.DenyPermissions
}
return nil
}
type Permission struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
AllowPermissions []*L4Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"`
DenyPermissions []*L4Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"`
Principals []*Principal `protobuf:"bytes,1,rep,name=principals,proto3" json:"principals,omitempty"`
}
func (x *L4TrafficPermissions) Reset() {
*x = L4TrafficPermissions{}
func (x *Permission) Reset() {
*x = Permission{}
if protoimpl.UnsafeEnabled {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[1]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@ -79,13 +95,13 @@ func (x *L4TrafficPermissions) Reset() {
}
}
func (x *L4TrafficPermissions) String() string {
func (x *Permission) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*L4TrafficPermissions) ProtoMessage() {}
func (*Permission) ProtoMessage() {}
func (x *L4TrafficPermissions) ProtoReflect() protoreflect.Message {
func (x *Permission) ProtoReflect() protoreflect.Message {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[1]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@ -97,35 +113,29 @@ func (x *L4TrafficPermissions) ProtoReflect() protoreflect.Message {
return mi.MessageOf(x)
}
// Deprecated: Use L4TrafficPermissions.ProtoReflect.Descriptor instead.
func (*L4TrafficPermissions) Descriptor() ([]byte, []int) {
// Deprecated: Use Permission.ProtoReflect.Descriptor instead.
func (*Permission) Descriptor() ([]byte, []int) {
return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{1}
}
func (x *L4TrafficPermissions) GetAllowPermissions() []*L4Permission {
func (x *Permission) GetPrincipals() []*Principal {
if x != nil {
return x.AllowPermissions
return x.Principals
}
return nil
}
func (x *L4TrafficPermissions) GetDenyPermissions() []*L4Permission {
if x != nil {
return x.DenyPermissions
}
return nil
}
type L4Permission struct {
type Principal struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Principals []*L4Principal `protobuf:"bytes,1,rep,name=principals,proto3" json:"principals,omitempty"`
Spiffe *Spiffe `protobuf:"bytes,1,opt,name=spiffe,proto3" json:"spiffe,omitempty"`
ExcludeSpiffes []*Spiffe `protobuf:"bytes,2,rep,name=exclude_spiffes,json=excludeSpiffes,proto3" json:"exclude_spiffes,omitempty"`
}
func (x *L4Permission) Reset() {
*x = L4Permission{}
func (x *Principal) Reset() {
*x = Principal{}
if protoimpl.UnsafeEnabled {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[2]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@ -133,13 +143,13 @@ func (x *L4Permission) Reset() {
}
}
func (x *L4Permission) String() string {
func (x *Principal) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*L4Permission) ProtoMessage() {}
func (*Principal) ProtoMessage() {}
func (x *L4Permission) ProtoReflect() protoreflect.Message {
func (x *Principal) ProtoReflect() protoreflect.Message {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[2]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@ -151,123 +161,19 @@ func (x *L4Permission) ProtoReflect() protoreflect.Message {
return mi.MessageOf(x)
}
// Deprecated: Use L4Permission.ProtoReflect.Descriptor instead.
func (*L4Permission) Descriptor() ([]byte, []int) {
// Deprecated: Use Principal.ProtoReflect.Descriptor instead.
func (*Principal) Descriptor() ([]byte, []int) {
return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{2}
}
func (x *L4Permission) GetPrincipals() []*L4Principal {
if x != nil {
return x.Principals
}
return nil
}
// L4Principal maps into Source. We first convert this to Source before generating Envoy resources.
type L4Principal struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
SpiffeRegex string `protobuf:"bytes,1,opt,name=spiffe_regex,json=spiffeRegex,proto3" json:"spiffe_regex,omitempty"`
ExcludeSpiffeRegexes []string `protobuf:"bytes,2,rep,name=exclude_spiffe_regexes,json=excludeSpiffeRegexes,proto3" json:"exclude_spiffe_regexes,omitempty"`
}
func (x *L4Principal) Reset() {
*x = L4Principal{}
if protoimpl.UnsafeEnabled {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *L4Principal) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*L4Principal) ProtoMessage() {}
func (x *L4Principal) ProtoReflect() protoreflect.Message {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use L4Principal.ProtoReflect.Descriptor instead.
func (*L4Principal) Descriptor() ([]byte, []int) {
return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{3}
}
func (x *L4Principal) GetSpiffeRegex() string {
if x != nil {
return x.SpiffeRegex
}
return ""
}
func (x *L4Principal) GetExcludeSpiffeRegexes() []string {
if x != nil {
return x.ExcludeSpiffeRegexes
}
return nil
}
type L7Principal struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
Spiffe *Spiffe `protobuf:"bytes,1,opt,name=spiffe,proto3" json:"spiffe,omitempty"`
ExcludeSpiffes []*Spiffe `protobuf:"bytes,2,rep,name=exclude_spiffes,json=excludeSpiffes,proto3" json:"exclude_spiffes,omitempty"`
}
func (x *L7Principal) Reset() {
*x = L7Principal{}
if protoimpl.UnsafeEnabled {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *L7Principal) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*L7Principal) ProtoMessage() {}
func (x *L7Principal) ProtoReflect() protoreflect.Message {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[4]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use L7Principal.ProtoReflect.Descriptor instead.
func (*L7Principal) Descriptor() ([]byte, []int) {
return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{4}
}
func (x *L7Principal) GetSpiffe() *Spiffe {
func (x *Principal) GetSpiffe() *Spiffe {
if x != nil {
return x.Spiffe
}
return nil
}
func (x *L7Principal) GetExcludeSpiffes() []*Spiffe {
func (x *Principal) GetExcludeSpiffes() []*Spiffe {
if x != nil {
return x.ExcludeSpiffes
}
@ -289,7 +195,7 @@ type Spiffe struct {
func (x *Spiffe) Reset() {
*x = Spiffe{}
if protoimpl.UnsafeEnabled {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[5]
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -302,7 +208,7 @@ func (x *Spiffe) String() string {
func (*Spiffe) ProtoMessage() {}
func (x *Spiffe) ProtoReflect() protoreflect.Message {
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[5]
mi := &file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -315,7 +221,7 @@ func (x *Spiffe) ProtoReflect() protoreflect.Message {
// Deprecated: Use Spiffe.ProtoReflect.Descriptor instead.
func (*Spiffe) Descriptor() ([]byte, []int) {
return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{5}
return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP(), []int{3}
}
func (x *Spiffe) GetRegex() string {
@ -341,74 +247,66 @@ var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDesc = []byte
0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2b, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63,
0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e,
0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79,
0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x4c, 0x37, 0x54, 0x72, 0x61, 0x66, 0x66,
0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0xe4, 0x01,
0x0a, 0x14, 0x4c, 0x34, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69,
0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x66, 0x0a, 0x11, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f,
0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
0x0b, 0x32, 0x39, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f,
0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e,
0x4c, 0x34, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x10, 0x61, 0x6c,
0x6c, 0x6f, 0x77, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x64,
0x0a, 0x10, 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68,
0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x34, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
0x69, 0x6f, 0x6e, 0x73, 0x22, 0x68, 0x0a, 0x0c, 0x4c, 0x34, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73,
0x73, 0x69, 0x6f, 0x6e, 0x12, 0x58, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61,
0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68,
0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x34, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70,
0x61, 0x6c, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x22, 0x66,
0x0a, 0x0b, 0x4c, 0x34, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x21, 0x0a,
0x0c, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20,
0x01, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x65, 0x67, 0x65, 0x78,
0x12, 0x34, 0x0a, 0x16, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x73, 0x70, 0x69, 0x66,
0x66, 0x65, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09,
0x52, 0x14, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52,
0x65, 0x67, 0x65, 0x78, 0x65, 0x73, 0x22, 0xb8, 0x01, 0x0a, 0x0b, 0x4c, 0x37, 0x50, 0x72, 0x69,
0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x4b, 0x0a, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65,
0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76,
0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73,
0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x06, 0x73, 0x70, 0x69,
0x66, 0x66, 0x65, 0x12, 0x5c, 0x0a, 0x0f, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x73,
0x70, 0x69, 0x66, 0x66, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x68,
0x73, 0x74, 0x61, 0x74, 0x65, 0x22, 0xde, 0x01, 0x0a, 0x12, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69,
0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x64, 0x0a, 0x11,
0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e,
0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63,
0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e,
0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79,
0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e,
0x52, 0x10, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
0x6e, 0x73, 0x12, 0x62, 0x0a, 0x10, 0x64, 0x65, 0x6e, 0x79, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69,
0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x68,
0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e,
0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62,
0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66,
0x65, 0x52, 0x0e, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65,
0x73, 0x22, 0x3d, 0x0a, 0x06, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x72,
0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x72, 0x65, 0x67, 0x65,
0x78, 0x12, 0x1d, 0x0a, 0x0a, 0x78, 0x66, 0x63, 0x63, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18,
0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x78, 0x66, 0x63, 0x63, 0x52, 0x65, 0x67, 0x65, 0x78,
0x42, 0xe3, 0x02, 0x0a, 0x2f, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76,
0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73,
0x74, 0x61, 0x74, 0x65, 0x42, 0x17, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72,
0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a,
0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68,
0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68,
0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, 0x02, 0x05, 0x48, 0x43, 0x4d, 0x56, 0x50, 0xaa, 0x02,
0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75,
0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e,
0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xca, 0x02, 0x2b, 0x48,
0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c,
0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x50, 0x62,
0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xe2, 0x02, 0x37, 0x48, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65,
0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72,
0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61,
0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2f, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a,
0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3a, 0x3a, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69,
0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, 0x69,
0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x22, 0x64, 0x0a, 0x0a, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73,
0x73, 0x69, 0x6f, 0x6e, 0x12, 0x56, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61,
0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68,
0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c,
0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x22, 0xb6, 0x01, 0x0a,
0x09, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x4b, 0x0a, 0x06, 0x73, 0x70,
0x69, 0x66, 0x66, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x68, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65,
0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72,
0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52,
0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12, 0x5c, 0x0a, 0x0f, 0x65, 0x78, 0x63, 0x6c, 0x75,
0x64, 0x65, 0x5f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b,
0x32, 0x33, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e,
0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53,
0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x0e, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x53, 0x70,
0x69, 0x66, 0x66, 0x65, 0x73, 0x22, 0x3d, 0x0a, 0x06, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12,
0x14, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
0x72, 0x65, 0x67, 0x65, 0x78, 0x12, 0x1d, 0x0a, 0x0a, 0x78, 0x66, 0x63, 0x63, 0x5f, 0x72, 0x65,
0x67, 0x65, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x78, 0x66, 0x63, 0x63, 0x52,
0x65, 0x67, 0x65, 0x78, 0x42, 0xe3, 0x02, 0x0a, 0x2f, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65,
0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72,
0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x42, 0x17, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69,
0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x50, 0x72, 0x6f, 0x74,
0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f,
0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c,
0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62,
0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x62,
0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, 0x02, 0x05, 0x48, 0x43, 0x4d,
0x56, 0x50, 0xaa, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43,
0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x31, 0x61, 0x6c, 0x70,
0x68, 0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65,
0xca, 0x02, 0x2b, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e,
0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xe2, 0x02,
0x37, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75,
0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c,
0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x5c, 0x47, 0x50, 0x42,
0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2f, 0x48, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65,
0x73, 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3a, 0x3a, 0x50, 0x62,
0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x33,
}
var (
@ -423,21 +321,19 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescGZIP() [
return file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDescData
}
var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_goTypes = []interface{}{
(*L7TrafficPermissions)(nil), // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7TrafficPermissions
(*L4TrafficPermissions)(nil), // 1: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions
(*L4Permission)(nil), // 2: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Permission
(*L4Principal)(nil), // 3: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Principal
(*L7Principal)(nil), // 4: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Principal
(*Spiffe)(nil), // 5: hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe
(*TrafficPermissions)(nil), // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions
(*Permission)(nil), // 1: hashicorp.consul.mesh.v1alpha1.pbproxystate.Permission
(*Principal)(nil), // 2: hashicorp.consul.mesh.v1alpha1.pbproxystate.Principal
(*Spiffe)(nil), // 3: hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe
}
var file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_depIdxs = []int32{
2, // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions.allow_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Permission
2, // 1: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4TrafficPermissions.deny_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Permission
3, // 2: hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Permission.principals:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.L4Principal
5, // 3: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Principal.spiffe:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe
5, // 4: hashicorp.consul.mesh.v1alpha1.pbproxystate.L7Principal.exclude_spiffes:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe
1, // 0: hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions.allow_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Permission
1, // 1: hashicorp.consul.mesh.v1alpha1.pbproxystate.TrafficPermissions.deny_permissions:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Permission
2, // 2: hashicorp.consul.mesh.v1alpha1.pbproxystate.Permission.principals:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Principal
3, // 3: hashicorp.consul.mesh.v1alpha1.pbproxystate.Principal.spiffe:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe
3, // 4: hashicorp.consul.mesh.v1alpha1.pbproxystate.Principal.exclude_spiffes:type_name -> hashicorp.consul.mesh.v1alpha1.pbproxystate.Spiffe
5, // [5:5] is the sub-list for method output_type
5, // [5:5] is the sub-list for method input_type
5, // [5:5] is the sub-list for extension type_name
@ -452,7 +348,7 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() {
}
if !protoimpl.UnsafeEnabled {
file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*L7TrafficPermissions); i {
switch v := v.(*TrafficPermissions); i {
case 0:
return &v.state
case 1:
@ -464,7 +360,7 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() {
}
}
file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*L4TrafficPermissions); i {
switch v := v.(*Permission); i {
case 0:
return &v.state
case 1:
@ -476,7 +372,7 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() {
}
}
file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*L4Permission); i {
switch v := v.(*Principal); i {
case 0:
return &v.state
case 1:
@ -488,30 +384,6 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() {
}
}
file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*L4Principal); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*L7Principal); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*Spiffe); i {
case 0:
return &v.state
@ -530,7 +402,7 @@ func file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_pbmesh_v1alpha1_pbproxystate_traffic_permissions_proto_rawDesc,
NumEnums: 0,
NumMessages: 6,
NumMessages: 4,
NumExtensions: 0,
NumServices: 0,
},


@ -5,28 +5,20 @@ syntax = "proto3";
package hashicorp.consul.mesh.v1alpha1.pbproxystate;
message L7TrafficPermissions {}
message L4TrafficPermissions {
repeated L4Permission allow_permissions = 1;
repeated L4Permission deny_permissions = 2;
message TrafficPermissions {
repeated Permission allow_permissions = 1;
repeated Permission deny_permissions = 2;
}
message L4Permission {
repeated L4Principal principals = 1;
message Permission {
repeated Principal principals = 1;
// We don't need destination rules here because they either apply to L7 features or multi-ports.
// We don't need destination rules here yet because they either apply to L7 features or multi-ports.
// In the case of multiple ports, the sidecar proxy controller is responsible for filtering
// per-port permissions.
}
// L4Principal maps into Source. We first convert this to Source before generating Envoy resources.
message L4Principal {
string spiffe_regex = 1;
repeated string exclude_spiffe_regexes = 2;
}
message L7Principal {
message Principal {
Spiffe spiffe = 1;
repeated Spiffe exclude_spiffes = 2;
}