mirror of https://github.com/hashicorp/consul
133 lines
4.3 KiB
Protocol Buffer
133 lines
4.3 KiB
Protocol Buffer
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
syntax = "proto3";
|
|
|
|
package hashicorp.consul.auth.v2beta1;
|
|
|
|
import "pbresource/annotations.proto";
|
|
|
|
message TrafficPermissions {
|
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
|
|
|
|
// Destination is a configuration of the destination proxies
|
|
// where these traffic permissions should apply.
|
|
Destination destination = 1;
|
|
|
|
// Action can be either allow or deny for the entire object. It will default to allow.
|
|
//
|
|
// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
|
|
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
|
|
// actions have no effect without a deny permission as everything is allowed by default.
|
|
//
|
|
// If action is deny, we will deny the connection if one of the rules in Rules match, in other words,
|
|
// we will allow all requests except for the ones that match Rules. If Consul is default deny mode,
|
|
// then deny permissions have no effect without an allow permission as everything is denied by default.
|
|
//
|
|
// Action unspecified is reserved for compatibility with the addition of future actions.
|
|
Action action = 2;
|
|
|
|
// Permissions is a list of permissions to match on. They are applied using OR semantics.
|
|
repeated Permission permissions = 3;
|
|
}
|
|
|
|
message NamespaceTrafficPermissions {
|
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
|
|
|
|
Action action = 1;
|
|
repeated Permission permissions = 2;
|
|
}
|
|
|
|
message PartitionTrafficPermissions {
|
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};
|
|
|
|
Action action = 1;
|
|
repeated Permission permissions = 2;
|
|
}
|
|
|
|
// Destination contains the name or name-prefix of the WorkloadIdentity.
|
|
// The WorkloadIdentity resource must be in the same tenancy as the TrafficPermissions resource.
|
|
message Destination {
|
|
string identity_name = 1;
|
|
}
|
|
|
|
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
|
|
// +kubebuilder:validation:Type=string
|
|
enum Action {
|
|
ACTION_UNSPECIFIED = 0;
|
|
ACTION_DENY = 1;
|
|
ACTION_ALLOW = 2;
|
|
}
|
|
|
|
// Permissions is a list of permissions to match on.
|
|
message Permission {
|
|
// Sources is a list of sources in this traffic permission.
|
|
repeated Source sources = 1;
|
|
// DestinationRules is a list of rules to apply for matching sources in this Permission.
|
|
// These rules are specific to the request or connection that is going to the destination(s)
|
|
// selected by the TrafficPermissions resource.
|
|
repeated DestinationRule destination_rules = 2;
|
|
}
|
|
|
|
// Source represents the source identity.
|
|
// To specify any of the wildcard sources, the specific fields need to be omitted.
|
|
// For example, for a wildcard namespace, identity_name should be omitted.
|
|
message Source {
|
|
string identity_name = 1;
|
|
string namespace = 2;
|
|
string partition = 3;
|
|
string peer = 4;
|
|
string sameness_group = 5;
|
|
|
|
// Exclude is a list of sources to exclude from this source.
|
|
repeated ExcludeSource exclude = 6;
|
|
}
|
|
|
|
// ExcludeSource is almost the same as source but it prevents the addition of
|
|
// matching sources.
|
|
message ExcludeSource {
|
|
string identity_name = 1;
|
|
string namespace = 2;
|
|
string partition = 3;
|
|
string peer = 4;
|
|
string sameness_group = 5;
|
|
}
|
|
|
|
// DestinationRule contains rules rules to apply to the incoming connection.
|
|
message DestinationRule {
|
|
string path_exact = 1;
|
|
string path_prefix = 2;
|
|
string path_regex = 3;
|
|
// Methods is the list of HTTP methods. If no methods are specified,
|
|
// this rule will apply to all methods.
|
|
repeated string methods = 4;
|
|
repeated DestinationRuleHeader headers = 5;
|
|
repeated string port_names = 6;
|
|
// Exclude contains a list of rules to exclude when evaluating rules for the incoming connection.
|
|
repeated ExcludePermissionRule exclude = 7;
|
|
}
|
|
|
|
message ExcludePermissionRule {
|
|
string path_exact = 1;
|
|
string path_prefix = 2;
|
|
string path_regex = 3;
|
|
// Methods is the list of HTTP methods.
|
|
repeated string methods = 4;
|
|
|
|
repeated DestinationRuleHeader headers = 5;
|
|
|
|
// PortNames is a list of workload ports to apply this rule to. The ports specified here
|
|
// must be the ports used in the connection.
|
|
repeated string port_names = 6;
|
|
}
|
|
|
|
message DestinationRuleHeader {
|
|
string name = 1;
|
|
bool present = 2;
|
|
string exact = 3;
|
|
string prefix = 4;
|
|
string suffix = 5;
|
|
string regex = 6;
|
|
bool invert = 7;
|
|
}
|