// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 syntax = "proto3"; package hashicorp.consul.mesh.v2beta1.pbproxystate; message TrafficPermissions { repeated Permission allow_permissions = 1; repeated Permission deny_permissions = 2; // default_allow determines if the workload is in default allow mode. This is determined // by combining the cluster's default allow setting with the is_default property on // computed traffic permissions. bool default_allow = 4; } message Permission { repeated Principal principals = 1; // We don't need destination rules here yet because they either apply to L7 features or multi-ports. // In the case of multiple ports, the sidecar proxy controller is responsible for filtering // per-port permissions. } message Principal { Spiffe spiffe = 1; repeated Spiffe exclude_spiffes = 2; } message Spiffe { // regex is the regular expression for matching spiffe ids. string regex = 1; // xfcc_regex specifies that Envoy needs to find the spiffe id in an xfcc header. // It is currently unused, but considering this is important for to avoid breaking changes. string xfcc_regex = 2; }