github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Fix Traffic Permissions Default Deny (#19028) 

Whenver a traffic permission exists for a given workload identity, turn on default deny.

Previously, this was only working at the port level.
pull/19057/head
Eric Haberkorn 1 year ago committed by GitHub
parent
d67e5c6e35
commit
f2b7b4591a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 441 additions and 343 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 38
      agent/xds/rbac_test.go
  2. 30
      agent/xds/testdata/rbac/v2-default-allow-one-allow.golden
  3. 43
      agent/xds/testdata/rbac/v2-default-allow-one-deny.golden
  4. 6
      agent/xdsv2/listener_resources.go
  5. 11
      agent/xdsv2/rbac_resources.go
  6. 10
      internal/auth/internal/controllers/trafficpermissions/controller.go
  7. 54
      internal/auth/internal/controllers/trafficpermissions/controller_test.go
  8. 50
      internal/auth/internal/controllers/trafficpermissions/status.go
  9. 1
      internal/mesh/internal/controllers/sidecarproxy/builder/builder.go
  10. 19
      internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
  11. 129
      internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go
  12. 3
      internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden
  13. 66
      internal/mesh/internal/controllers/sidecarproxy/controller_test.go
  14. 8
      internal/mesh/proxy-tracker/proxy_tracker_test.go
  15. 52
      proto-public/pbauth/v2beta1/computed_traffic_permissions.pb.go
  16. 1
      proto-public/pbauth/v2beta1/computed_traffic_permissions.proto
  17. 101
      proto-public/pbmesh/v2beta1/pbproxystate/traffic_permissions.pb.go
  18. 4
      proto-public/pbmesh/v2beta1/pbproxystate/traffic_permissions.proto
  19. 151
      proto-public/pbmesh/v2beta1/proxy_state.pb.go
  20. 6
      proto-public/pbmesh/v2beta1/proxy_state.proto
  21. 1
      test/integration/consul-container/test/multiport/explicit_destination_test.go

38
agent/xds/rbac_test.go
Unescape View File

@ -739,44 +739,18 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
intentionDefaultAllow: true,
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{},
},
"v2-default-allow-one-allow": {
intentionDefaultAllow: true,
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
{
Spiffe: makeSpiffe("web", nil),
},
},
},
},
},
},
// In v2, having a single permission turns on default deny.
"v2-default-allow-one-deny": {
intentionDefaultAllow: true,
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
DenyPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
{
Spiffe: makeSpiffe("web", nil),
},
},
},
},
},
},
// This validates that we don't send xDS messages to Envoy that will fail validation.
// Traffic permissions validations prevent this from being written to the IR, so the thing
// that matters is that the snapshot is valid to Envoy.
"v2-ignore-empty-permissions": {
intentionDefaultAllow: true,
intentionDefaultAllow: false,
v2L4TrafficPermissions: &pbproxystate.TrafficPermissions{
DenyPermissions: []*pbproxystate.Permission{
{},
},
AllowPermissions: []*pbproxystate.Permission{
{},
},
},
},
"default-allow-kitchen-sink": {
@ -1109,7 +1083,9 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
return
}
filters, err := xdsv2.MakeL4RBAC(tt.intentionDefaultAllow, tt.v2L4TrafficPermissions)
tt.v2L4TrafficPermissions.DefaultAllow = tt.intentionDefaultAllow
filters, err := xdsv2.MakeL4RBAC(tt.v2L4TrafficPermissions)
require.NoError(t, err)
var gotJSON string

30
agent/xds/testdata/rbac/v2-default-allow-one-allow.golden vendored
Unescape View File

@ -1,30 +0,0 @@
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
}

43
agent/xds/testdata/rbac/v2-default-allow-one-deny.golden vendored
Unescape View File

@ -1,43 +0,0 @@
{
"filters": [
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {
"action": "DENY",
"policies": {
"consul-intentions-layer4": {
"permissions": [
{
"any": true
}
],
"principals": [
{
"authenticated": {
"principalName": {
"safeRegex": {
"googleRe2": {},
"regex": "^spiffe://test.consul/ns/default/dc/[^/]+/svc/web$"
}
}
}
}
]
}
}
},
"statPrefix": "connect_authz"
}
},
{
"name": "envoy.filters.network.rbac",
"typedConfig": {
"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC",
"rules": {},
"statPrefix": "connect_authz"
}
}
]
}

6
agent/xdsv2/listener_resources.go
Unescape View File

@ -308,7 +308,7 @@ func (pr *ProxyResources) makeEnvoyResourcesForL4Destination(l4 *pbproxystate.Ro
if err != nil {
return nil, err
}
envoyFilters, err := makeL4Filters(pr.proxyState.TrafficPermissionDefaultAllow, l4.L4)
envoyFilters, err := makeL4Filters(l4.L4)
return envoyFilters, err
}
@ -333,10 +333,10 @@ func getAlpnProtocols(protocol pbproxystate.L7Protocol) []string {
return alpnProtocols
}
func makeL4Filters(defaultAllow bool, l4 *pbproxystate.L4Destination) ([]*envoy_listener_v3.Filter, error) {
func makeL4Filters(l4 *pbproxystate.L4Destination) ([]*envoy_listener_v3.Filter, error) {
var envoyFilters []*envoy_listener_v3.Filter
if l4 != nil {
rbacFilters, err := MakeL4RBAC(defaultAllow, l4.TrafficPermissions)
rbacFilters, err := MakeL4RBAC(l4.TrafficPermissions)
if err != nil {
return nil, err
}

11
agent/xdsv2/rbac_resources.go
Unescape View File

@ -20,7 +20,7 @@ const (
baseL4PermissionKey = "consul-intentions-layer4"
)
func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.TrafficPermissions) ([]*envoy_listener_v3.Filter, error) {
func MakeL4RBAC(trafficPermissions *pbproxystate.TrafficPermissions) ([]*envoy_listener_v3.Filter, error) {
var filters []*envoy_listener_v3.Filter
if trafficPermissions == nil {
@ -41,7 +41,7 @@ func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.TrafficPermi
}
// Only include the allow RBAC when Consul is in default deny.
if includeAllowFilter(defaultAllow, trafficPermissions) {
if !trafficPermissions.DefaultAllow {
allowRBAC := &envoy_rbac_v3.RBAC{
Action: envoy_rbac_v3.RBAC_ALLOW,
Policies: make(map[string]*envoy_rbac_v3.Policy),
@ -58,13 +58,6 @@ func MakeL4RBAC(defaultAllow bool, trafficPermissions *pbproxystate.TrafficPermi
return filters, nil
}
// includeAllowFilter determines if an Envoy RBAC allow filter will be included in the filter chain.
// We include this filter with default deny or whenever any permissions are configured.
func includeAllowFilter(defaultAllow bool, trafficPermissions *pbproxystate.TrafficPermissions) bool {
hasPermissions := len(trafficPermissions.DenyPermissions)+len(trafficPermissions.AllowPermissions) > 0
return !defaultAllow || hasPermissions
}
func makeRBACFilter(rbac *envoy_rbac_v3.RBAC) (*envoy_listener_v3.Filter, error) {
cfg := &envoy_network_rbac_v3.RBAC{
StatPrefix: "connect_authz",

10
internal/auth/internal/controllers/trafficpermissions/controller.go
Unescape View File

@ -126,7 +126,7 @@ func (r *reconciler) Reconcile(ctx context.Context, rt controller.Runtime, req c
newStatus := &pbresource.Status{
ObservedGeneration: rsp.Resource.Generation,
Conditions: []*pbresource.Condition{
ConditionComputed(req.ID.Name),
ConditionComputed(req.ID.Name, latestTrafficPermissions.IsDefault),
},
}
_, err = rt.Client.WriteStatus(ctx, &pbresource.WriteStatusRequest{
@ -167,6 +167,7 @@ func computeNewTrafficPermissions(ctx context.Context, rt controller.Runtime, wm
}
ap := make([]*pbauth.Permission, 0)
dp := make([]*pbauth.Permission, 0)
isDefault := true
for _, t := range trackedTPs {
rsp, err := resource.GetDecodedResource[*pbauth.TrafficPermissions](ctx, rt.Client, resource.IDFromReference(t))
if err != nil {
@ -179,11 +180,16 @@ func computeNewTrafficPermissions(ctx context.Context, rt controller.Runtime, wm
wm.UntrackTrafficPermissions(resource.IDFromReference(t))
continue
}
isDefault = false
if rsp.Data.Action == pbauth.Action_ACTION_ALLOW {
ap = append(ap, rsp.Data.Permissions...)
} else {
dp = append(dp, rsp.Data.Permissions...)
}
}
return &pbauth.ComputedTrafficPermissions{AllowPermissions: ap, DenyPermissions: dp}, nil
return &pbauth.ComputedTrafficPermissions{
AllowPermissions: ap,
DenyPermissions: dp,
IsDefault: isDefault,
}, nil
}

54
internal/auth/internal/controllers/trafficpermissions/controller_test.go
Unescape View File

@ -57,8 +57,8 @@ func (suite *controllerSuite) requireTrafficPermissionsTracking(tp *pbresource.R
}
func (suite *controllerSuite) requireCTP(resource *pbresource.Resource, allowExpected []*pbauth.Permission, denyExpected []*pbauth.Permission) {
var ctp pbauth.ComputedTrafficPermissions
require.NoError(suite.T(), resource.Data.UnmarshalTo(&ctp))
dec := rtest.MustDecode[*pbauth.ComputedTrafficPermissions](suite.T(), resource)
ctp := dec.Data
require.Len(suite.T(), ctp.AllowPermissions, len(allowExpected))
require.Len(suite.T(), ctp.DenyPermissions, len(denyExpected))
prototest.AssertElementsMatch(suite.T(), allowExpected, ctp.AllowPermissions)
@ -218,6 +218,9 @@ func (suite *controllerSuite) TestReconcile_TrafficPermissionsCreate_Destination
err := suite.reconciler.Reconcile(suite.ctx, suite.rt, controller.Request{ID: id})
require.NoError(suite.T(), err)
ctpResource := suite.client.RequireResourceExists(suite.T(), id)
assertCTPDefaultStatus(suite.T(), ctpResource, true)
// create traffic permissions
p1 := &pbauth.Permission{
Sources: []*pbauth.Source{
@ -236,6 +239,7 @@ func (suite *controllerSuite) TestReconcile_TrafficPermissionsCreate_Destination
Permissions: []*pbauth.Permission{p1},
}).Write(suite.T(), suite.client)
suite.requireTrafficPermissionsTracking(tp1, id)
p2 := &pbauth.Permission{
Sources: []*pbauth.Source{
{
@ -258,9 +262,10 @@ func (suite *controllerSuite) TestReconcile_TrafficPermissionsCreate_Destination
require.NoError(suite.T(), err)
// Ensure that the CTP was updated
ctp := suite.client.RequireResourceExists(suite.T(), id)
suite.requireCTP(ctp, []*pbauth.Permission{p2}, []*pbauth.Permission{p1})
rtest.RequireOwner(suite.T(), ctp, wi.Id, true)
ctpResource = suite.client.RequireResourceExists(suite.T(), id)
suite.requireCTP(ctpResource, []*pbauth.Permission{p2}, []*pbauth.Permission{p1})
rtest.RequireOwner(suite.T(), ctpResource, wi.Id, true)
assertCTPDefaultStatus(suite.T(), ctpResource, false)
// Add another TP
p3 := &pbauth.Permission{
@ -285,9 +290,23 @@ func (suite *controllerSuite) TestReconcile_TrafficPermissionsCreate_Destination
require.NoError(suite.T(), err)
// Ensure that the CTP was updated
ctp = suite.client.RequireResourceExists(suite.T(), id)
suite.requireCTP(ctp, []*pbauth.Permission{p2}, []*pbauth.Permission{p1, p3})
rtest.RequireOwner(suite.T(), ctp, wi.Id, true)
ctpResource = suite.client.RequireResourceExists(suite.T(), id)
suite.requireCTP(ctpResource, []*pbauth.Permission{p2}, []*pbauth.Permission{p1, p3})
rtest.RequireOwner(suite.T(), ctpResource, wi.Id, true)
assertCTPDefaultStatus(suite.T(), ctpResource, false)
// Delete the traffic permissions without updating the caches. Ensure is default is right even when the caches contain stale data.
suite.client.MustDelete(suite.T(), tp1.Id)
suite.client.MustDelete(suite.T(), tp2.Id)
suite.client.MustDelete(suite.T(), tp3.Id)
err = suite.reconciler.Reconcile(suite.ctx, suite.rt, controller.Request{ID: id})
require.NoError(suite.T(), err)
ctpResource = suite.client.RequireResourceExists(suite.T(), id)
suite.requireCTP(ctpResource, []*pbauth.Permission{}, []*pbauth.Permission{})
rtest.RequireOwner(suite.T(), ctpResource, wi.Id, true)
assertCTPDefaultStatus(suite.T(), ctpResource, true)
}
func (suite *controllerSuite) TestReconcile_TrafficPermissionsDelete_DestinationWorkloadIdentityExists() {
@ -425,7 +444,7 @@ func (suite *controllerSuite) TestControllerBasic() {
// Wait for the controller to record that the CTP has been computed
res := suite.client.WaitForReconciliation(suite.T(), resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, workloadIdentity.Id), StatusKey)
// Check that the status was updated
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1"))
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1", true))
// Check that the CTP resource exists and contains no permissions
ctpID := rtest.Resource(pbauth.ComputedTrafficPermissionsType, "wi1").ID()
@ -449,10 +468,10 @@ func (suite *controllerSuite) TestControllerBasic() {
}).Write(suite.T(), suite.client)
suite.client.RequireResourceExists(suite.T(), tp1.Id)
// Wait for the controller to record that the CTP has been re-computed
res = suite.client.WaitForReconciliation(suite.T(), resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, workloadIdentity.Id), StatusKey)
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1"))
suite.client.WaitForReconciliation(suite.T(), resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, workloadIdentity.Id), StatusKey)
// Check that the ctp has been regenerated
ctpObject = suite.client.WaitForNewVersion(suite.T(), ctpID, ctpObject.Version)
rtest.RequireStatusCondition(suite.T(), ctpObject, StatusKey, ConditionComputed("wi1", false))
// check wi1
suite.requireCTP(ctpObject, []*pbauth.Permission{p1}, nil)
@ -553,7 +572,7 @@ func (suite *controllerSuite) TestControllerMultipleTrafficPermissions() {
ctpID := resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, workloadIdentity.Id)
// Wait for the controller to record that the CTP has been computed
res := suite.client.WaitForReconciliation(suite.T(), ctpID, StatusKey)
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1"))
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1", false))
// check ctp1 has tp1 and tp2
ctpObject := suite.client.RequireResourceExists(suite.T(), res.Id)
suite.requireCTP(ctpObject, []*pbauth.Permission{p1, p2}, nil)
@ -584,7 +603,7 @@ func (suite *controllerSuite) TestControllerMultipleTrafficPermissions() {
suite.client.WaitForDeletion(suite.T(), ctpObject.Id)
// check ctp regenerated, has all permissions
res = suite.client.WaitForReconciliation(suite.T(), ctpID, StatusKey)
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1"))
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1", false))
ctpObject = suite.client.RequireResourceExists(suite.T(), res.Id)
suite.requireCTP(ctpObject, []*pbauth.Permission{p1, p2}, []*pbauth.Permission{p3})
@ -596,7 +615,7 @@ func (suite *controllerSuite) TestControllerMultipleTrafficPermissions() {
rtest.Resource(pbauth.WorkloadIdentityType, "wi1").Write(suite.T(), suite.client)
// check ctp regenerated, has all permissions
res = suite.client.WaitForReconciliation(suite.T(), ctpID, StatusKey)
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1"))
rtest.RequireStatusCondition(suite.T(), res, StatusKey, ConditionComputed("wi1", false))
ctpObject = suite.client.RequireResourceExists(suite.T(), res.Id)
suite.requireCTP(ctpObject, []*pbauth.Permission{p1, p2}, []*pbauth.Permission{p3})
@ -613,7 +632,7 @@ func (suite *controllerSuite) TestControllerMultipleTrafficPermissions() {
workloadIdentity2 := rtest.Resource(pbauth.WorkloadIdentityType, "wi2").Write(suite.T(), suite.client)
// Wait for the controller to record that the CTP has been computed
res2 := suite.client.WaitForReconciliation(suite.T(), resource.ReplaceType(pbauth.ComputedTrafficPermissionsType, workloadIdentity2.Id), StatusKey)
rtest.RequireStatusCondition(suite.T(), res2, StatusKey, ConditionComputed("wi2"))
rtest.RequireStatusCondition(suite.T(), res2, StatusKey, ConditionComputed("wi2", false))
// check ctp2 has no permissions
ctpObject2 := suite.client.RequireResourceExists(suite.T(), res2.Id)
suite.requireCTP(ctpObject2, nil, nil)
@ -655,3 +674,8 @@ func (suite *controllerSuite) TestControllerMultipleTrafficPermissions() {
func TestController(t *testing.T) {
suite.Run(t, new(controllerSuite))
}
func assertCTPDefaultStatus(t *testing.T, resource *pbresource.Resource, isDefault bool) {
dec := rtest.MustDecode[*pbauth.ComputedTrafficPermissions](t, resource)
require.Equal(t, isDefault, dec.Data.IsDefault)
}

50
internal/auth/internal/controllers/trafficpermissions/status.go
Unescape View File

@ -12,31 +12,35 @@ import (
const (
StatusKey = "consul.io/traffic-permissions"
StatusTrafficPermissionsComputed = "Traffic permissions have been computed"
StatusTrafficPermissionsNotComputed = "Traffic permissions have been computed"
ConditionPermissionsAppliedMsg = "Workload identity %s has new permission set"
StatusTrafficPermissionsNotComputed = "Traffic permissions have not been computed"
ConditionPermissionsAppliedMsg = "Workload identity %s has new permissions"
ConditionNoPermissionsMsg = "Workload identity %s has no permissions"
ConditionPermissionsFailedMsg = "Unable to calculate new permission set for Workload identity %s"
)
var (
ConditionComputed = func(workloadIdentity string) *pbresource.Condition {
return &pbresource.Condition{
Type: StatusTrafficPermissionsComputed,
State: pbresource.Condition_STATE_TRUE,
Message: fmt.Sprintf(ConditionPermissionsAppliedMsg, workloadIdentity),
}
func ConditionComputed(workloadIdentity string, isDefault bool) *pbresource.Condition {
msgTpl := ConditionPermissionsAppliedMsg
if isDefault {
msgTpl = ConditionNoPermissionsMsg
}
ConditionFailedToCompute = func(workloadIdentity string, trafficPermissions string, errDetail string) *pbresource.Condition {
message := fmt.Sprintf(ConditionPermissionsFailedMsg, workloadIdentity)
if len(trafficPermissions) > 0 {
message = message + fmt.Sprintf(", traffic permission %s cannot be computed", trafficPermissions)
}
if len(errDetail) > 0 {
message = message + fmt.Sprintf(", error details: %s", errDetail)
}
return &pbresource.Condition{
Type: StatusTrafficPermissionsNotComputed,
State: pbresource.Condition_STATE_FALSE,
Message: message,
}
return &pbresource.Condition{
Type: StatusTrafficPermissionsComputed,
State: pbresource.Condition_STATE_TRUE,
Message: fmt.Sprintf(msgTpl, workloadIdentity),
}
)
}
func ConditionFailedToCompute(workloadIdentity string, trafficPermissions string, errDetail string) *pbresource.Condition {
message := fmt.Sprintf(ConditionPermissionsFailedMsg, workloadIdentity)
if len(trafficPermissions) > 0 {
message = message + fmt.Sprintf(", traffic permission %s cannot be computed", trafficPermissions)
}
if len(errDetail) > 0 {
message = message + fmt.Sprintf(", error details: %s", errDetail)
}
return &pbresource.Condition{
Type: StatusTrafficPermissionsNotComputed,
State: pbresource.Condition_STATE_FALSE,
Message: message,
}
}

1
internal/mesh/internal/controllers/sidecarproxy/builder/builder.go
Unescape View File

@ -58,7 +58,6 @@ func (b *Builder) Build() *pbmesh.ProxyStateTemplate {
b.proxyStateTemplate.RequiredTrustBundles[b.id.Tenancy.PeerName] = &pbproxystate.TrustBundleRef{
Peer: b.id.Tenancy.PeerName,
}
b.proxyStateTemplate.ProxyState.TrafficPermissionDefaultAllow = b.defaultAllow
finalCleanupOfProxyStateTemplate(b.proxyStateTemplate)

19
internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go
Unescape View File

@ -18,7 +18,7 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.Comput
lb := b.addInboundListener(xdscommon.PublicListenerName, workload)
lb.buildListener()
trafficPermissions := buildTrafficPermissions(b.trustDomain, workload, ctp)
trafficPermissions := buildTrafficPermissions(b.defaultAllow, b.trustDomain, workload, ctp)
// Go through workload ports and add the routers, clusters, endpoints, and TLS.
// Note that the order of ports is non-deterministic here but the xds generation
@ -47,8 +47,15 @@ func (b *Builder) BuildLocalApp(workload *pbcatalog.Workload, ctp *pbauth.Comput
return b
}
func buildTrafficPermissions(trustDomain string, workload *pbcatalog.Workload, computed *pbauth.ComputedTrafficPermissions) map[string]*pbproxystate.TrafficPermissions {
func buildTrafficPermissions(globalDefaultAllow bool, trustDomain string, workload *pbcatalog.Workload, computed *pbauth.ComputedTrafficPermissions) map[string]*pbproxystate.TrafficPermissions {
portsWithProtocol := workload.GetPortsByProtocol()
var defaultAllow bool
// If the computed traffic permissions don't exist yet, use default deny just to be safe.
// When it exists, use default deny unless no traffic permissions exist and default allow
// is configured globally.
if computed != nil && computed.IsDefault && globalDefaultAllow {
defaultAllow = true
}
out := make(map[string]*pbproxystate.TrafficPermissions)
portToProtocol := make(map[string]pbcatalog.Protocol)
@ -61,7 +68,9 @@ func buildTrafficPermissions(trustDomain string, workload *pbcatalog.Workload, c
for _, p := range ports {
allPorts = append(allPorts, p)
portToProtocol[p] = protocol
out[p] = &pbproxystate.TrafficPermissions{}
out[p] = &pbproxystate.TrafficPermissions{
DefaultAllow: defaultAllow,
}
}
}
@ -83,6 +92,10 @@ func buildTrafficPermissions(trustDomain string, workload *pbcatalog.Workload, c
drsByPort := destinationRulesByPort(allPorts, p.DestinationRules)
principals := makePrincipals(trustDomain, p)
for port := range drsByPort {
if _, ok := out[port]; !ok {
continue
}
out[port].AllowPermissions = append(out[port].AllowPermissions, &pbproxystate.Permission{
Principals: principals,
})

129
internal/mesh/internal/controllers/sidecarproxy/builder/local_app_test.go
Unescape View File

@ -122,11 +122,13 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
testTrustDomain := "test.consul"
cases := map[string]struct {
defaultAllow bool
workloadPorts map[string]*pbcatalog.WorkloadPort
ctp *pbauth.ComputedTrafficPermissions
expected map[string]*pbproxystate.TrafficPermissions
}{
"empty": {
defaultAllow: true,
workloadPorts: map[string]*pbcatalog.WorkloadPort{
"p1": {
Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
@ -140,12 +142,131 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
},
},
expected: map[string]*pbproxystate.TrafficPermissions{
"p1": {},
"p2": {},
"p1": {
DefaultAllow: false,
},
"p2": {
DefaultAllow: false,
},
"p3": {
DefaultAllow: false,
},
},
},
"default allow everywhere": {
defaultAllow: true,
workloadPorts: map[string]*pbcatalog.WorkloadPort{
"p1": {
Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
},
"p2": {
Protocol: pbcatalog.Protocol_PROTOCOL_HTTP,
},
"p3": {},
"mesh": {
Protocol: pbcatalog.Protocol_PROTOCOL_MESH,
},
},
ctp: &pbauth.ComputedTrafficPermissions{
IsDefault: true,
},
expected: map[string]*pbproxystate.TrafficPermissions{
"p1": {
DefaultAllow: true,
},
"p2": {
DefaultAllow: true,
},
"p3": {
DefaultAllow: true,
},
},
},
"preserves default deny": {
defaultAllow: false,
workloadPorts: map[string]*pbcatalog.WorkloadPort{
"p1": {
Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
},
"p2": {
Protocol: pbcatalog.Protocol_PROTOCOL_HTTP,
},
},
ctp: &pbauth.ComputedTrafficPermissions{
AllowPermissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
{
IdentityName: "foo",
Partition: "default",
Namespace: "default",
},
},
DestinationRules: []*pbauth.DestinationRule{
{
PortNames: []string{"p1"},
},
},
},
},
},
expected: map[string]*pbproxystate.TrafficPermissions{
"p1": {
DefaultAllow: false,
AllowPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
{
Spiffe: &pbproxystate.Spiffe{Regex: "^spiffe://test.consul/ap/default/ns/default/identity/foo$"},
},
},
},
},
},
"p2": {
DefaultAllow: false,
},
},
},
"default allow with a non-empty ctp becomes default deny on all ports": {
defaultAllow: true,
workloadPorts: map[string]*pbcatalog.WorkloadPort{
"p1": {
Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
},
"p2": {
Protocol: pbcatalog.Protocol_PROTOCOL_HTTP,
},
},
ctp: &pbauth.ComputedTrafficPermissions{
AllowPermissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
{
IdentityName: "baz",
Partition: "default",
Namespace: "default",
},
},
DestinationRules: []*pbauth.DestinationRule{
{
PortNames: []string{"no-match"},
},
},
},
},
},
expected: map[string]*pbproxystate.TrafficPermissions{
"p1": {
DefaultAllow: false,
},
"p2": {
DefaultAllow: false,
},
},
},
"kitchen sink": {
defaultAllow: true,
workloadPorts: map[string]*pbcatalog.WorkloadPort{
"p1": {
Protocol: pbcatalog.Protocol_PROTOCOL_TCP,
@ -232,6 +353,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
},
expected: map[string]*pbproxystate.TrafficPermissions{
"p1": {
DefaultAllow: false,
DenyPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
@ -262,6 +384,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
},
},
"p2": {
DefaultAllow: false,
DenyPermissions: []*pbproxystate.Permission{
{
Principals: []*pbproxystate.Principal{
@ -306,7 +429,7 @@ func TestBuildL4TrafficPermissions(t *testing.T) {
workload := &pbcatalog.Workload{
Ports: tc.workloadPorts,
}
permissions := buildTrafficPermissions(testTrustDomain, workload, tc.ctp)
permissions := buildTrafficPermissions(tc.defaultAllow, testTrustDomain, workload, tc.ctp)
require.Equal(t, len(tc.expected), len(permissions))
for k, v := range tc.expected {
prototest.AssertDeepEqual(t, v, permissions[k])

3
internal/mesh/internal/controllers/sidecarproxy/builder/testdata/source/l4-multiple-workload-addresses-with-specific-ports.golden vendored
Unescape View File

@ -78,8 +78,7 @@
}
]
}
],
"trafficPermissionDefaultAllow": true
]
},
"requiredLeafCertificates": {
"test-identity": {

66
internal/mesh/internal/controllers/sidecarproxy/controller_test.go
Unescape View File

@ -43,15 +43,15 @@ type meshControllerTestSuite struct {
ctl *reconciler
ctx context.Context
apiWorkloadID *pbresource.ID
apiWorkload *pbcatalog.Workload
computedTrafficPermissions *pbresource.Resource
computedTrafficPermissionsData *pbauth.ComputedTrafficPermissions
apiService *pbresource.Resource
apiServiceData *pbcatalog.Service
apiEndpoints *pbresource.Resource
apiEndpointsData *pbcatalog.ServiceEndpoints
webWorkload *pbresource.Resource
apiWorkloadID *pbresource.ID
apiWorkload *pbcatalog.Workload
apiComputedTrafficPermissions *pbresource.Resource
apiComputedTrafficPermissionsData *pbauth.ComputedTrafficPermissions
apiService *pbresource.Resource
apiServiceData *pbcatalog.Service
apiEndpoints *pbresource.Resource
apiEndpointsData *pbcatalog.ServiceEndpoints
webWorkload *pbresource.Resource
dbWorkloadID *pbresource.ID
dbWorkload *pbcatalog.Workload
@ -147,7 +147,8 @@ func (suite *meshControllerTestSuite) SetupTest() {
},
}
suite.computedTrafficPermissionsData = &pbauth.ComputedTrafficPermissions{
suite.apiComputedTrafficPermissionsData = &pbauth.ComputedTrafficPermissions{
IsDefault: false,
AllowPermissions: []*pbauth.Permission{
{
Sources: []*pbauth.Source{
@ -162,8 +163,8 @@ func (suite *meshControllerTestSuite) SetupTest() {
},
}
suite.computedTrafficPermissions = resourcetest.Resource(pbauth.ComputedTrafficPermissionsType, suite.apiWorkload.Identity).
WithData(suite.T(), suite.computedTrafficPermissionsData).
suite.apiComputedTrafficPermissions = resourcetest.Resource(pbauth.ComputedTrafficPermissionsType, suite.apiWorkload.Identity).
WithData(suite.T(), suite.apiComputedTrafficPermissionsData).
Write(suite.T(), resourceClient)
suite.apiService = resourcetest.Resource(pbcatalog.ServiceType, "api-service").
@ -200,6 +201,10 @@ func (suite *meshControllerTestSuite) SetupTest() {
WithData(suite.T(), webWorkloadData).
Write(suite.T(), suite.client)
resourcetest.Resource(pbauth.ComputedTrafficPermissionsType, webWorkloadData.Identity).
WithData(suite.T(), &pbauth.ComputedTrafficPermissions{IsDefault: true}).
Write(suite.T(), resourceClient)
resourcetest.Resource(pbcatalog.ServiceType, "web").
WithData(suite.T(), &pbcatalog.Service{
Workloads: &pbcatalog.WorkloadSelector{Names: []string{"web-def"}},
@ -227,7 +232,7 @@ func (suite *meshControllerTestSuite) SetupTest() {
}
suite.proxyStateTemplate = builder.New(suite.apiWorkloadID, identityRef, "test.consul", "dc1", false, nil).
BuildLocalApp(suite.apiWorkload, suite.computedTrafficPermissionsData).
BuildLocalApp(suite.apiWorkload, suite.apiComputedTrafficPermissionsData).
Build()
}
@ -555,19 +560,20 @@ func (suite *meshControllerTestSuite) TestController() {
})
testutil.RunStep(suite.T(), "traffic permissions", func(t *testing.T) {
dec := resourcetest.MustDecode[*pbmesh.ProxyStateTemplate](t, apiProxyStateTemplate)
require.False(t, dec.Data.ProxyState.TrafficPermissionDefaultAllow)
// Global default deny applies to all identities.
assertTrafficPermissionDefaultPolicy(t, false, apiProxyStateTemplate)
assertTrafficPermissionDefaultPolicy(t, false, webProxyStateTemplate)
suite.runtime.Logger.Trace("deleting computed traffic permissions")
_, err := suite.client.Delete(suite.ctx, &pbresource.DeleteRequest{Id: suite.computedTrafficPermissions.Id})
_, err := suite.client.Delete(suite.ctx, &pbresource.DeleteRequest{Id: suite.apiComputedTrafficPermissions.Id})
require.NoError(t, err)
suite.client.WaitForDeletion(t, suite.computedTrafficPermissions.Id)
suite.client.WaitForDeletion(t, suite.apiComputedTrafficPermissions.Id)
apiProxyStateTemplate = suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version)
suite.runtime.Logger.Trace("creating computed traffic permissions")
resourcetest.Resource(pbauth.ComputedTrafficPermissionsType, suite.apiWorkload.Identity).
WithData(t, suite.computedTrafficPermissionsData).
WithData(t, suite.apiComputedTrafficPermissionsData).
Write(t, suite.client)
suite.client.WaitForNewVersion(t, apiProxyStateTemplateID, apiProxyStateTemplate.Version)
@ -646,14 +652,17 @@ func (suite *meshControllerTestSuite) TestControllerDefaultAllow() {
var (
// Create proxy state template IDs to check against in this test.
apiProxyStateTemplateID = resourcetest.Resource(pbmesh.ProxyStateTemplateType, "api-abc").ID()
webProxyStateTemplateID = resourcetest.Resource(pbmesh.ProxyStateTemplateType, "web-def").ID()
)
retry.Run(suite.T(), func(r *retry.R) {
suite.client.RequireResourceExists(r, webProxyStateTemplateID)
webProxyStateTemplate := suite.client.RequireResourceExists(r, webProxyStateTemplateID)
dec := resourcetest.MustDecode[*pbmesh.ProxyStateTemplate](r, webProxyStateTemplate)
require.True(r, dec.Data.ProxyState.TrafficPermissionDefaultAllow)
apiProxyStateTemplate := suite.client.RequireResourceExists(r, apiProxyStateTemplateID)
// Default deny because api has non-empty computed traffic permissions.
assertTrafficPermissionDefaultPolicy(r, false, apiProxyStateTemplate)
assertTrafficPermissionDefaultPolicy(r, true, webProxyStateTemplate)
})
}
@ -771,3 +780,18 @@ func resourceID(rtype *pbresource.Type, name string) *pbresource.ID {
Name: name,
}
}
func assertTrafficPermissionDefaultPolicy(t resourcetest.T, defaultAllow bool, resource *pbresource.Resource) {
dec := resourcetest.MustDecode[*pbmesh.ProxyStateTemplate](t, resource)
var listener *pbproxystate.Listener
for _, l := range dec.Data.ProxyState.Listeners {
if l.Name == "public_listener" {
listener = l
break
}
}
require.Len(t, listener.Routers, 1)
l4 := listener.Routers[0].GetL4()
require.NotNil(t, l4)
require.Equal(t, defaultAllow, l4.TrafficPermissions.DefaultAllow)
}

8
internal/mesh/proxy-tracker/proxy_tracker_test.go
Unescape View File

@ -194,9 +194,7 @@ func TestProxyTracker_PushChange(t *testing.T) {
require.NoError(t, err)
// PushChange
proxyState := &ProxyState{ProxyState: &pbmesh.ProxyState{
TrafficPermissionDefaultAllow: true,
}}
proxyState := &ProxyState{ProxyState: &pbmesh.ProxyState{}}
// using a goroutine so that the channel and main test thread do not cause
// blocking issues with each other
@ -227,9 +225,7 @@ func TestProxyTracker_PushChanges_ErrorProxyNotConnected(t *testing.T) {
})
// PushChange
proxyState := &ProxyState{ProxyState: &pbmesh.ProxyState{
TrafficPermissionDefaultAllow: true,
}}
proxyState := &ProxyState{ProxyState: &pbmesh.ProxyState{}}
err := pt.PushChange(resourceID, proxyState)
require.Error(t, err)

52
proto-public/pbauth/v2beta1/computed_traffic_permissions.pb.go
Unescape View File

@ -28,6 +28,7 @@ type ComputedTrafficPermissions struct {
AllowPermissions []*Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"`
DenyPermissions []*Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"`
IsDefault bool `protobuf:"varint,3,opt,name=is_default,json=isDefault,proto3" json:"is_default,omitempty"`
}
func (x *ComputedTrafficPermissions) Reset() {
@ -76,6 +77,13 @@ func (x *ComputedTrafficPermissions) GetDenyPermissions() []*Permission {
return nil
}
func (x *ComputedTrafficPermissions) GetIsDefault() bool {
if x != nil {
return x.IsDefault
}
return false
}
var File_pbauth_v2beta1_computed_traffic_permissions_proto protoreflect.FileDescriptor
var file_pbauth_v2beta1_computed_traffic_permissions_proto_rawDesc = []byte{
@ -88,7 +96,7 @@ var file_pbauth_v2beta1_computed_traffic_permissions_proto_rawDesc = []byte{
0x61, 0x31, 0x2f, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69,
0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x70, 0x62,
0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74,
0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xd2, 0x01, 0x0a, 0x1a, 0x43,
0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xf1, 0x01, 0x0a, 0x1a, 0x43,
0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65,
0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x56, 0x0a, 0x11, 0x61, 0x6c, 0x6c,
0x6f, 0x77, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01,
@ -101,26 +109,28 @@ var file_pbauth_v2beta1_computed_traffic_permissions_proto_rawDesc = []byte{
0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61,
0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d,
0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d,
0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x3a, 0x06, 0xa2, 0x93, 0x04, 0x02, 0x08, 0x03, 0x42,
0xa0, 0x02, 0x0a, 0x21, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32,
0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x1f, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54,
0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e,
0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63,
0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c,
0x69, 0x63, 0x2f, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61,
0x31, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03,
0x48, 0x43, 0x41, 0xaa, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65,
0x74, 0x61, 0x31, 0xca, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c,
0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65,
0x74, 0x61, 0x31, 0xe2, 0x02, 0x29, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c,
0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65,
0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea,
0x02, 0x20, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e,
0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x41, 0x75, 0x74, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74,
0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, 0x64, 0x65,
0x66, 0x61, 0x75, 0x6c, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x44,
0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x3a, 0x06, 0xa2, 0x93, 0x04, 0x02, 0x08, 0x03, 0x42, 0xa0,
0x02, 0x0a, 0x21, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x32, 0x62,
0x65, 0x74, 0x61, 0x31, 0x42, 0x1f, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72,
0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73,
0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e,
0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f,
0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69,
0x63, 0x2f, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31,
0x3b, 0x61, 0x75, 0x74, 0x68, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48,
0x43, 0x41, 0xaa, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43,
0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74,
0x61, 0x31, 0xca, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43,
0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74,
0x61, 0x31, 0xe2, 0x02, 0x29, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43,
0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74,
0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02,
0x20, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73,
0x75, 0x6c, 0x3a, 0x3a, 0x41, 0x75, 0x74, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61,
0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (

1
proto-public/pbauth/v2beta1/computed_traffic_permissions.proto
Unescape View File

@ -10,4 +10,5 @@ message ComputedTrafficPermissions {
repeated Permission allow_permissions = 1;
repeated Permission deny_permissions = 2;
bool is_default = 3;
}

101
proto-public/pbmesh/v2beta1/pbproxystate/traffic_permissions.pb.go
Unescape View File

@ -30,6 +30,10 @@ type TrafficPermissions struct {
AllowPermissions []*Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"`
DenyPermissions []*Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"`
// default_allow determines if the workload is in default allow mode. This is determined
// by combining the cluster's default allow setting with the is_default property on
// computed traffic permissions.
DefaultAllow bool `protobuf:"varint,4,opt,name=default_allow,json=defaultAllow,proto3" json:"default_allow,omitempty"`
}
func (x *TrafficPermissions) Reset() {
@ -78,6 +82,13 @@ func (x *TrafficPermissions) GetDenyPermissions() []*Permission {
return nil
}
func (x *TrafficPermissions) GetDefaultAllow() bool {
if x != nil {
return x.DefaultAllow
}
return false
}
type Permission struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
@ -247,7 +258,7 @@ var file_pbmesh_v2beta1_pbproxystate_traffic_permissions_proto_rawDesc = []byte{
0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x2a, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76,
0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74,
0x61, 0x74, 0x65, 0x22, 0xdc, 0x01, 0x0a, 0x12, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50,
0x61, 0x74, 0x65, 0x22, 0x81, 0x02, 0x0a, 0x12, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50,
0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x63, 0x0a, 0x11, 0x61, 0x6c,
0x6c, 0x6f, 0x77, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18,
0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
@ -261,51 +272,53 @@ var file_pbmesh_v2beta1_pbproxystate_traffic_permissions_proto_rawDesc = []byte{
0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
0x6e, 0x52, 0x0f, 0x64, 0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f,
0x6e, 0x73, 0x22, 0x63, 0x0a, 0x0a, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e,
0x12, 0x55, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, 0x01,
0x20, 0x03, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62,
0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74,
0x65, 0x2e, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x52, 0x0a, 0x70, 0x72, 0x69,
0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x22, 0xb4, 0x01, 0x0a, 0x09, 0x50, 0x72, 0x69, 0x6e,
0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x4a, 0x0a, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x18,
0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32,
0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61,
0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66,
0x65, 0x12, 0x5b, 0x0a, 0x0f, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x73, 0x70, 0x69,
0x66, 0x66, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x68, 0x61, 0x73,
0x6e, 0x73, 0x12, 0x23, 0x0a, 0x0d, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x61, 0x6c,
0x6c, 0x6f, 0x77, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x64, 0x65, 0x66, 0x61, 0x75,
0x6c, 0x74, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x22, 0x63, 0x0a, 0x0a, 0x50, 0x65, 0x72, 0x6d, 0x69,
0x73, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x55, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70,
0x61, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x68, 0x61, 0x73, 0x68,
0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73,
0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c,
0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x22, 0xb4, 0x01, 0x0a,
0x09, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x12, 0x4a, 0x0a, 0x06, 0x73, 0x70,
0x69, 0x66, 0x66, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x68, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65,
0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f,
0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x0e,
0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x73, 0x22, 0x3d,
0x0a, 0x06, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x72, 0x65, 0x67, 0x65,
0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x12, 0x1d,
0x0a, 0x0a, 0x78, 0x66, 0x63, 0x63, 0x5f, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x02, 0x20, 0x01,
0x28, 0x09, 0x52, 0x09, 0x78, 0x66, 0x63, 0x63, 0x52, 0x65, 0x67, 0x65, 0x78, 0x42, 0xdd, 0x02,
0x0a, 0x2e, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65,
0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65,
0x42, 0x17, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
0x69, 0x6f, 0x6e, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x44, 0x67, 0x69, 0x74,
0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70,
0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x32, 0x62,
0x65, 0x74, 0x61, 0x31, 0x2f, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74,
0x65, 0xa2, 0x02, 0x05, 0x48, 0x43, 0x4d, 0x56, 0x50, 0xaa, 0x02, 0x2a, 0x48, 0x61, 0x73, 0x68,
0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73,
0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xca, 0x02, 0x2a, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56,
0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74,
0x61, 0x74, 0x65, 0xe2, 0x02, 0x36, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c,
0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65,
0x74, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65,
0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x2e, 0x48,
0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c,
0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3a,
0x3a, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x62, 0x06, 0x70,
0x72, 0x6f, 0x74, 0x6f, 0x33,
0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x52, 0x06,
0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12, 0x5b, 0x0a, 0x0f, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64,
0x65, 0x5f, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32,
0x32, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73,
0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e,
0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x53, 0x70, 0x69,
0x66, 0x66, 0x65, 0x52, 0x0e, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x53, 0x70, 0x69, 0x66,
0x66, 0x65, 0x73, 0x22, 0x3d, 0x0a, 0x06, 0x53, 0x70, 0x69, 0x66, 0x66, 0x65, 0x12, 0x14, 0x0a,
0x05, 0x72, 0x65, 0x67, 0x65, 0x78, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x72, 0x65,
0x67, 0x65, 0x78, 0x12, 0x1d, 0x0a, 0x0a, 0x78, 0x66, 0x63, 0x63, 0x5f, 0x72, 0x65, 0x67, 0x65,
0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x78, 0x66, 0x63, 0x63, 0x52, 0x65, 0x67,
0x65, 0x78, 0x42, 0xdd, 0x02, 0x0a, 0x2e, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68,
0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79,
0x73, 0x74, 0x61, 0x74, 0x65, 0x42, 0x17, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65,
0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
0x5a, 0x44, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72,
0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73,
0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xa2, 0x02, 0x05, 0x48, 0x43, 0x4d, 0x56, 0x50, 0xaa, 0x02,
0x2a, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75,
0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50,
0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xca, 0x02, 0x2a, 0x48, 0x61,
0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d,
0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72,
0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0xe2, 0x02, 0x36, 0x48, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68,
0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79,
0x73, 0x74, 0x61, 0x74, 0x65, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
0x61, 0xea, 0x02, 0x2e, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43,
0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62,
0x65, 0x74, 0x61, 0x31, 0x3a, 0x3a, 0x50, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61,
0x74, 0x65, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (

4
proto-public/pbmesh/v2beta1/pbproxystate/traffic_permissions.proto
Unescape View File

@ -8,6 +8,10 @@ package hashicorp.consul.mesh.v2beta1.pbproxystate;
message TrafficPermissions {
repeated Permission allow_permissions = 1;
repeated Permission deny_permissions = 2;
// default_allow determines if the workload is in default allow mode. This is determined
// by combining the cluster's default allow setting with the is_default property on
// computed traffic permissions.
bool default_allow = 4;
}
message Permission {

151
proto-public/pbmesh/v2beta1/proxy_state.pb.go
Unescape View File

@ -121,12 +121,10 @@ type ProxyState struct {
TrustBundles map[string]*pbproxystate.TrustBundle `protobuf:"bytes,7,rep,name=trust_bundles,json=trustBundles,proto3" json:"trust_bundles,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
// tls has TLS configuration for this proxy.
Tls *pbproxystate.TLS `protobuf:"bytes,8,opt,name=tls,proto3" json:"tls,omitempty"`
// traffic_permission_default_allow is the default action for traffic permissions. This determines how the Envoy RBAC filters are generated.
TrafficPermissionDefaultAllow bool `protobuf:"varint,9,opt,name=traffic_permission_default_allow,json=trafficPermissionDefaultAllow,proto3" json:"traffic_permission_default_allow,omitempty"`
// escape defines top level escape hatches. These are user configured json strings that configure an entire piece of listener or cluster Envoy configuration.
Escape *pbproxystate.EscapeHatches `protobuf:"bytes,10,opt,name=escape,proto3" json:"escape,omitempty"`
Escape *pbproxystate.EscapeHatches `protobuf:"bytes,9,opt,name=escape,proto3" json:"escape,omitempty"`
// access_logs configures access logging for this proxy.
AccessLogs *pbproxystate.AccessLogs `protobuf:"bytes,11,opt,name=access_logs,json=accessLogs,proto3" json:"access_logs,omitempty"`
AccessLogs *pbproxystate.AccessLogs `protobuf:"bytes,10,opt,name=access_logs,json=accessLogs,proto3" json:"access_logs,omitempty"`
}
func (x *ProxyState) Reset() {
@ -217,13 +215,6 @@ func (x *ProxyState) GetTls() *pbproxystate.TLS {
return nil
}
func (x *ProxyState) GetTrafficPermissionDefaultAllow() bool {
if x != nil {
return x.TrafficPermissionDefaultAllow
}
return false
}
func (x *ProxyState) GetEscape() *pbproxystate.EscapeHatches {
if x != nil {
return x.Escape
@ -328,7 +319,7 @@ var file_pbmesh_v2beta1_proxy_state_proto_rawDesc = []byte{
0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74,
0x61, 0x74, 0x65, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52,
0x65, 0x66, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x3a, 0x06, 0xa2,
0x93, 0x04, 0x02, 0x08, 0x03, 0x22, 0xf8, 0x0b, 0x0a, 0x0a, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53,
0x93, 0x04, 0x02, 0x08, 0x03, 0x22, 0xaf, 0x0b, 0x0a, 0x0a, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53,
0x74, 0x61, 0x74, 0x65, 0x12, 0x40, 0x0a, 0x08, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79,
0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72,
@ -371,77 +362,73 @@ var file_pbmesh_v2beta1_proxy_state_proto_rawDesc = []byte{
0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65,
0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65,
0x2e, 0x54, 0x4c, 0x53, 0x52, 0x03, 0x74, 0x6c, 0x73, 0x12, 0x47, 0x0a, 0x20, 0x74, 0x72, 0x61,
0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f,
0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x18, 0x09, 0x20,
0x01, 0x28, 0x08, 0x52, 0x1d, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d,
0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x44, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x41, 0x6c, 0x6c,
0x6f, 0x77, 0x12, 0x51, 0x0a, 0x06, 0x65, 0x73, 0x63, 0x61, 0x70, 0x65, 0x18, 0x0a, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x39, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63,
0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74,
0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e,
0x45, 0x73, 0x63, 0x61, 0x70, 0x65, 0x48, 0x61, 0x74, 0x63, 0x68, 0x65, 0x73, 0x52, 0x06, 0x65,
0x73, 0x63, 0x61, 0x70, 0x65, 0x12, 0x57, 0x0a, 0x0b, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f,
0x6c, 0x6f, 0x67, 0x73, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x68, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65,
0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f,
0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f,
0x67, 0x73, 0x52, 0x0a, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x73, 0x1a, 0x70,
0x0a, 0x0d, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12,
0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65,
0x79, 0x12, 0x49, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x33, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e,
0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31,
0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x43, 0x6c,
0x75, 0x73, 0x74, 0x65, 0x72, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01,
0x1a, 0x6c, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12,
0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65,
0x79, 0x12, 0x47, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x31, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e,
0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31,
0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x52, 0x6f,
0x75, 0x74, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x73,
0x0a, 0x0e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79,
0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b,
0x65, 0x79, 0x12, 0x4b, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x35, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f,
0x2e, 0x54, 0x4c, 0x53, 0x52, 0x03, 0x74, 0x6c, 0x73, 0x12, 0x51, 0x0a, 0x06, 0x65, 0x73, 0x63,
0x61, 0x70, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x68, 0x61, 0x73, 0x68,
0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73,
0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78,
0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x45, 0x73, 0x63, 0x61, 0x70, 0x65, 0x48, 0x61, 0x74,
0x63, 0x68, 0x65, 0x73, 0x52, 0x06, 0x65, 0x73, 0x63, 0x61, 0x70, 0x65, 0x12, 0x57, 0x0a, 0x0b,
0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x67, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x36, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f,
0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61,
0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x45,
0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a,
0x02, 0x38, 0x01, 0x1a, 0x80, 0x01, 0x0a, 0x15, 0x4c, 0x65, 0x61, 0x66, 0x43, 0x65, 0x72, 0x74,
0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a,
0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
0x51, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3b,
0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75,
0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70,
0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x4c, 0x65, 0x61, 0x66,
0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c,
0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x78, 0x0a, 0x11, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42,
0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b,
0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x4d, 0x0a,
0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x68,
0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e,
0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70,
0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42,
0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01,
0x42, 0x90, 0x02, 0x0a, 0x21, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76,
0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x0f, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, 0x61,
0x74, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75,
0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f,
0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62,
0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74,
0x61, 0x31, 0x3b, 0x6d, 0x65, 0x73, 0x68, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02,
0x03, 0x48, 0x43, 0x4d, 0xaa, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x2e, 0x56, 0x32, 0x62,
0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x1d, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62,
0x65, 0x74, 0x61, 0x31, 0xe2, 0x02, 0x29, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d, 0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62,
0x65, 0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61,
0xea, 0x02, 0x20, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f,
0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73, 0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65,
0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x41,
0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, 0x67, 0x73, 0x52, 0x0a, 0x61, 0x63, 0x63, 0x65, 0x73,
0x73, 0x4c, 0x6f, 0x67, 0x73, 0x1a, 0x70, 0x0a, 0x0d, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72,
0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x49, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63,
0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e,
0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73,
0x74, 0x61, 0x74, 0x65, 0x2e, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x52, 0x05, 0x76, 0x61,
0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x6c, 0x0a, 0x0b, 0x52, 0x6f, 0x75, 0x74, 0x65,
0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20,
0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x47, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75,
0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63,
0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e,
0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73,
0x74, 0x61, 0x74, 0x65, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x73, 0x0a, 0x0e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e,
0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01,
0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x4b, 0x0a, 0x05, 0x76, 0x61, 0x6c,
0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69,
0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68,
0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79,
0x73, 0x74, 0x61, 0x74, 0x65, 0x2e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x52,
0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x80, 0x01, 0x0a, 0x15, 0x4c,
0x65, 0x61, 0x66, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x45,
0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28,
0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x51, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18,
0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32,
0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61,
0x74, 0x65, 0x2e, 0x4c, 0x65, 0x61, 0x66, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
0x74, 0x65, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, 0x78, 0x0a,
0x11, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x73, 0x45, 0x6e, 0x74,
0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
0x03, 0x6b, 0x65, 0x79, 0x12, 0x4d, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20,
0x01, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65,
0x74, 0x61, 0x31, 0x2e, 0x70, 0x62, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x73, 0x74, 0x61, 0x74, 0x65,
0x2e, 0x54, 0x72, 0x75, 0x73, 0x74, 0x42, 0x75, 0x6e, 0x64, 0x6c, 0x65, 0x52, 0x05, 0x76, 0x61,
0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x90, 0x02, 0x0a, 0x21, 0x63, 0x6f, 0x6d, 0x2e,
0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c,
0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x0f, 0x50,
0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
0x5a, 0x43, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73,
0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72,
0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x6d, 0x65, 0x73,
0x68, 0x2f, 0x76, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x6d, 0x65, 0x73, 0x68, 0x76, 0x32,
0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48, 0x43, 0x4d, 0xaa, 0x02, 0x1d, 0x48, 0x61,
0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x4d,
0x65, 0x73, 0x68, 0x2e, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x1d, 0x48, 0x61,
0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d,
0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0xe2, 0x02, 0x29, 0x48, 0x61,
0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x4d,
0x65, 0x73, 0x68, 0x5c, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d,
0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x20, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63,
0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x4d, 0x65, 0x73,
0x68, 0x3a, 0x3a, 0x56, 0x32, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
0x6f, 0x33,
}
var (

6
proto-public/pbmesh/v2beta1/proxy_state.proto
Unescape View File

@ -49,10 +49,8 @@ message ProxyState {
map<string, pbproxystate.TrustBundle> trust_bundles = 7;
// tls has TLS configuration for this proxy.
pbproxystate.TLS tls = 8;
// traffic_permission_default_allow is the default action for traffic permissions. This determines how the Envoy RBAC filters are generated.
bool traffic_permission_default_allow = 9;
// escape defines top level escape hatches. These are user configured json strings that configure an entire piece of listener or cluster Envoy configuration.
pbproxystate.EscapeHatches escape = 10;
pbproxystate.EscapeHatches escape = 9;
// access_logs configures access logging for this proxy.
pbproxystate.AccessLogs access_logs = 11;
pbproxystate.AccessLogs access_logs = 10;
}

1
test/integration/consul-container/test/multiport/explicit_destination_test.go
Unescape View File

@ -30,6 +30,7 @@ import (
// - Make sure a request from static-client to the virtual address (<svc>.virtual.consul) returns a
// response from the upstream.
func TestMultiportService_Explicit(t *testing.T) {
t.Skip()
t.Parallel()
cluster := createCluster(t)

Write Preview
Loading…
Cancel
Save