// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 syntax = "proto3"; package hashicorp.consul.mesh.v2beta1; import "google/protobuf/struct.proto"; import "pbcatalog/v2beta1/selector.proto"; import "pbmesh/v2beta1/connection.proto"; import "pbmesh/v2beta1/expose.proto"; import "pbmesh/v2beta1/routing.proto"; import "pbresource/annotations.proto"; // This is a Resource type. message ProxyConfiguration { option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; // Selection of workloads this proxy configuration should apply to. // These can be prefixes or specific workload names. hashicorp.consul.catalog.v2beta1.WorkloadSelector workloads = 1; // dynamic_config is the configuration that could be changed // dynamically (i.e. without needing restart). DynamicConfig dynamic_config = 2; // bootstrap_config is the configuration that requires proxies // to be restarted to be applied. BootstrapConfig bootstrap_config = 3; // deprecated: prevent usage when using v2 APIs directly. // needed for backwards compatibility // // +kubebuilder:validation:Type=object // +kubebuilder:validation:Schemaless // +kubebuilder:pruning:PreserveUnknownFields google.protobuf.Struct opaque_config = 4 [deprecated = true]; } message DynamicConfig { // mode indicates the proxy's mode. This will default to 'transparent'. ProxyMode mode = 1; TransparentProxy transparent_proxy = 2; MutualTLSMode mutual_tls_mode = 3; // local_connection is the configuration that should be used // to connect to the local application provided per-port. // The map keys should correspond to port names on the workload. map local_connection = 4; // inbound_connections configures inbound connections to the proxy. InboundConnectionsConfig inbound_connections = 5; MeshGatewayMode mesh_gateway_mode = 6; ExposeConfig expose_config = 7; // AccessLogs configures the output and format of Envoy access logs AccessLogsConfig access_logs = 8; repeated EnvoyExtension envoy_extensions = 9; string public_listener_json = 10; string listener_tracing_json = 11; string local_cluster_json = 12; // deprecated: // local_workload_address, local_workload_port, and local_workload_socket_path // are deprecated and are only needed for migration of existing resources. string local_workload_address = 13 [deprecated = true]; uint32 local_workload_port = 14 [deprecated = true]; string local_workload_socket_path = 15 [deprecated = true]; } message TransparentProxy { // outbound_listener_port is the port for the proxy's outbound listener. // This defaults to 15001. uint32 outbound_listener_port = 1; // dialed_directly indicates whether this proxy should be dialed using original destination IP // in the connection rather than load balance between all endpoints. bool dialed_directly = 2; } // BootstrapConfig is equivalent to configuration defined // in our docs. message BootstrapConfig { string statsd_url = 1; string dogstatsd_url = 2; repeated string stats_tags = 3; string prometheus_bind_addr = 4; string stats_bind_addr = 5; string ready_bind_addr = 6; string override_json_tpl = 7; string static_clusters_json = 8; string static_listeners_json = 9; string stats_sinks_json = 10; string stats_config_json = 11; string stats_flush_interval = 12; string tracing_config_json = 13; string telemetry_collector_bind_socket_dir = 14; } // +kubebuilder:validation:Enum=PROXY_MODE_DEFAULT;PROXY_MODE_TRANSPARENT;PROXY_MODE_DIRECT // +kubebuilder:validation:Type=string enum ProxyMode { // ProxyModeDefault represents no specific mode and should // be used to indicate that a different layer of the configuration // chain should take precedence // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX PROXY_MODE_DEFAULT = 0; // ProxyModeTransparent represents that inbound and outbound application // traffic is being captured and redirected through the proxy. PROXY_MODE_TRANSPARENT = 1; // ProxyModeDirect represents that the proxy's listeners must be dialed directly // by the local application and other proxies. PROXY_MODE_DIRECT = 2; } // AccessLogsConfig contains the associated default settings for all Envoy // instances within the datacenter or partition message AccessLogsConfig { // Enabled turns off all access logging bool enabled = 1; // DisableListenerLogs turns off just listener logs for connections rejected by Envoy because they don't // have a matching listener filter. bool disable_listener_logs = 2; // Type selects the output for logs: "file", "stderr". "stdout" LogSinkType type = 3; // Path is the output file to write logs string path = 4; // The presence of one format string or the other implies the access log string encoding. // Defining both is invalid. string json_format = 5; string text_format = 6; } // +kubebuilder:validation:Enum=LOG_SINK_TYPE_DEFAULT;LOG_SINK_TYPE_FILE;LOG_SINK_TYPE_STDERR;LOG_SINK_TYPE_STDOUT // +kubebuilder:validation:Type=string enum LogSinkType { // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX LOG_SINK_TYPE_DEFAULT = 0; LOG_SINK_TYPE_FILE = 1; LOG_SINK_TYPE_STDERR = 2; LOG_SINK_TYPE_STDOUT = 3; } // EnvoyExtension has configuration for an extension that patches Envoy resources. message EnvoyExtension { string name = 1; bool required = 2; // +kubebuilder:validation:Type=object // +kubebuilder:validation:Schemaless // +kubebuilder:pruning:PreserveUnknownFields google.protobuf.Struct arguments = 3; string consul_version = 4; string envoy_version = 5; } // +kubebuilder:validation:Enum=MUTUAL_TLS_MODE_DEFAULT;MUTUAL_TLS_MODE_STRICT;MUTUAL_TLS_MODE_PERMISSIVE // +kubebuilder:validation:Type=string enum MutualTLSMode { // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX MUTUAL_TLS_MODE_DEFAULT = 0; MUTUAL_TLS_MODE_STRICT = 1; MUTUAL_TLS_MODE_PERMISSIVE = 2; }