// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package hashicorp.consul.mesh.v2beta1;
import "google/protobuf/struct.proto";
import "pbcatalog/v2beta1/selector.proto";
import "pbmesh/v2beta1/connection.proto";
import "pbmesh/v2beta1/expose.proto";
import "pbmesh/v2beta1/routing.proto";
import "pbresource/annotations.proto";
// This is a Resource type.
//
// ProxyConfiguration is namespace-scoped (see the resource.spec option below)
// and carries proxy settings for the workloads matched by `workloads`.
message ProxyConfiguration {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};

  // Selection of workloads this proxy configuration should apply to.
  // These can be prefixes or specific workload names.
  // NOTE(review): a prefix presumably also matches workloads registered after
  // this resource was written; keep prefixes narrow so that security-relevant
  // settings (e.g. the mutual TLS mode) do not apply more widely than
  // intended. Confirm the matching rules against WorkloadSelector.
  hashicorp.consul.catalog.v2beta1.WorkloadSelector workloads = 1;

  // dynamic_config is the configuration that could be changed
  // dynamically (i.e. without needing restart).
  DynamicConfig dynamic_config = 2;

  // bootstrap_config is the configuration that requires proxies
  // to be restarted to be applied.
  BootstrapConfig bootstrap_config = 3;

  // deprecated: prevent usage when using v2 APIs directly.
  // needed for backwards compatibility
  //
  // The value is an untyped Struct, and the kubebuilder markers below turn off
  // schema validation and unknown-field pruning for it, so nothing in this
  // schema constrains its contents. Any consumer that still reads it has to
  // validate what it finds.
  //
  // +kubebuilder:validation:Type=object
  // +kubebuilder:validation:Schemaless
  // +kubebuilder:pruning:PreserveUnknownFields
  google.protobuf.Struct opaque_config = 4 [deprecated = true];
}
// DynamicConfig is the type of ProxyConfiguration.dynamic_config: the proxy
// settings that can be changed without restarting the proxy.
message DynamicConfig {
  // mode indicates the proxy's mode. This will default to 'transparent'.
  ProxyMode mode = 1;

  // transparent_proxy holds the TransparentProxy settings.
  // NOTE(review): presumably only consulted when mode resolves to
  // transparent — confirm.
  TransparentProxy transparent_proxy = 2;

  // mutual_tls_mode selects the MutualTLSMode for the proxy.
  // NOTE(review): security-sensitive. In Consul's documented semantics the
  // permissive mode lets a proxy accept inbound traffic that is not mutual
  // TLS; confirm how MUTUAL_TLS_MODE_DEFAULT resolves for this API version
  // before relying on it to mean strict.
  MutualTLSMode mutual_tls_mode = 3;

  // local_connection is the configuration that should be used
  // to connect to the local application provided per-port.
  // The map keys should correspond to port names on the workload.
  // (ConnectionConfig is declared outside this listing.)
  map<string, ConnectionConfig> local_connection = 4;

  // inbound_connections configures inbound connections to the proxy.
  // (InboundConnectionsConfig is declared outside this listing.)
  InboundConnectionsConfig inbound_connections = 5;

  // mesh_gateway_mode: MeshGatewayMode is declared outside this listing;
  // its values and default are not visible here.
  MeshGatewayMode mesh_gateway_mode = 6;

  // expose_config: ExposeConfig is declared outside this listing.
  // NOTE(review): presumably this opens selected application paths through
  // the proxy to callers outside the mesh — confirm, and review entries as
  // carefully as any other listener exposed without mesh authentication.
  ExposeConfig expose_config = 7;

  // AccessLogs configures the output and format of Envoy access logs
  AccessLogsConfig access_logs = 8;

  // public_listener_json, listener_tracing_json and local_cluster_json are
  // plain strings; this schema applies no structure or validation to them.
  // NOTE(review): the names suggest raw Envoy configuration for the public
  // listener, listener tracing and the local cluster. If they are applied to
  // the proxy as-is, write access to this resource amounts to control over
  // that part of the proxy configuration — confirm how consumers parse and
  // validate them, and restrict who may write this resource accordingly.
  string public_listener_json = 9;
  string listener_tracing_json = 10;
  string local_cluster_json = 11;

  // deprecated:
  // local_workload_address, local_workload_port, and local_workload_socket_path
  // are deprecated and are only needed for migration of existing resources.
  string local_workload_address = 12 [deprecated = true];
  uint32 local_workload_port = 13 [deprecated = true];
  string local_workload_socket_path = 14 [deprecated = true];
}
// TransparentProxy is the type of DynamicConfig.transparent_proxy.
message TransparentProxy {
  // outbound_listener_port is the port for the proxy's outbound listener.
  // This defaults to 15001.
  // The field is a plain uint32, so the schema itself does not limit the
  // value to the valid port range; consumers need to range-check it.
  uint32 outbound_listener_port = 1;

  // dialed_directly indicates whether this proxy should be dialed using the
  // original destination IP in the connection rather than load balancing
  // between all endpoints.
  bool dialed_directly = 2;
}
// BootstrapConfig is equivalent to configuration defined
// in our docs.
//
// It is the type of ProxyConfiguration.bootstrap_config, i.e. settings that
// only take effect after the proxy is restarted. All fields are plain
// strings (or a list of strings); this schema validates none of them.
message BootstrapConfig {
  // NOTE(review): presumably the address of a statsd sink that proxy metrics
  // are sent to — confirm the accepted URL schemes.
  string statsd_url = 1;

  // NOTE(review): presumably the DogStatsD equivalent of statsd_url — confirm.
  string dogstatsd_url = 2;

  // NOTE(review): presumably tags attached to emitted stats — confirm format.
  repeated string stats_tags = 3;

  // prometheus_bind_addr, stats_bind_addr and ready_bind_addr:
  // NOTE(review): the names suggest addresses on which the proxy opens
  // metrics, stats and readiness listeners. Such endpoints are typically
  // served without mesh authentication, so prefer loopback or an otherwise
  // restricted interface unless wider exposure is intended — confirm what
  // each listener serves.
  string prometheus_bind_addr = 4;
  string stats_bind_addr = 5;
  string ready_bind_addr = 6;

  // NOTE(review): presumably a template that replaces the generated bootstrap
  // configuration as a whole — confirm. If so, it bypasses everything else in
  // this message and should be reviewed like any other raw proxy config.
  string override_json_tpl = 7;

  // The *_json fields below are raw JSON strings with no schema at this
  // layer.
  // NOTE(review): presumably they are merged into the proxy's bootstrap
  // configuration; confirm where they are parsed and validated, and treat
  // write access to them as write access to that configuration.
  string static_clusters_json = 8;
  string static_listeners_json = 9;
  string stats_sinks_json = 10;
  string stats_config_json = 11;

  // NOTE(review): a string, not a Duration; presumably a duration literal —
  // confirm the accepted format.
  string stats_flush_interval = 12;

  // Raw JSON, see the note on the *_json fields above.
  string tracing_config_json = 13;

  // NOTE(review): presumably a directory in which a telemetry-collector
  // socket is created — confirm, and check that the directory's permissions
  // restrict which local processes can reach the socket.
  string telemetry_collector_bind_socket_dir = 14;
}
// ProxyMode is the type of DynamicConfig.mode.
//
// +kubebuilder:validation:Enum=PROXY_MODE_DEFAULT;PROXY_MODE_TRANSPARENT;PROXY_MODE_DIRECT
// +kubebuilder:validation:Type=string
enum ProxyMode {
  // ProxyModeDefault represents no specific mode and should
  // be used to indicate that a different layer of the configuration
  // chain should take precedence
  // (The zero value is what an unset field decodes to in proto3.)
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  PROXY_MODE_DEFAULT = 0;

  // ProxyModeTransparent represents that inbound and outbound application
  // traffic is being captured and redirected through the proxy.
  PROXY_MODE_TRANSPARENT = 1;

  // ProxyModeDirect represents that the proxy's listeners must be dialed directly
  // by the local application and other proxies.
  PROXY_MODE_DIRECT = 2;
}
// AccessLogsConfig contains the associated default settings for all Envoy
// instances within the datacenter or partition
message AccessLogsConfig {
  // enabled controls access logging as a whole.
  // NOTE(review): the earlier wording said this "turns off" all access
  // logging, which contradicts the field name; presumably true turns logging
  // on — confirm. As a proto3 bool it is false when unset.
  bool enabled = 1;

  // disable_listener_logs turns off just listener logs for connections
  // rejected by Envoy because they don't have a matching listener filter.
  // Those entries record rejected connection attempts; consider whether
  // detection or incident response depends on them before disabling.
  bool disable_listener_logs = 2;

  // type selects the output for logs: file, stderr or stdout
  // (see LogSinkType).
  LogSinkType type = 3;

  // path is the output file to write logs to.
  // NOTE(review): presumably only used when type is LOG_SINK_TYPE_FILE —
  // confirm. The file is written by the proxy process, so the value should
  // be validated and limited to a dedicated log location.
  string path = 4;

  // The presence of one format string or the other implies the access log string encoding.
  // Defining both is invalid.
  // Nothing in this schema enforces that (the two fields are not in a oneof),
  // so the check has to be made by whatever validates the resource.
  // The format string decides which request attributes end up in the log;
  // avoid fields that carry credentials or session tokens.
  string json_format = 5;
  string text_format = 6;
}
// LogSinkType is the type of AccessLogsConfig.type and names where access
// logs are written.
//
// +kubebuilder:validation:Enum=LOG_SINK_TYPE_DEFAULT;LOG_SINK_TYPE_FILE;LOG_SINK_TYPE_STDERR;LOG_SINK_TYPE_STDOUT
// +kubebuilder:validation:Type=string
enum LogSinkType {
  // Zero value: what an unset field decodes to. Which sink it resolves to is
  // not stated in this file.
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  LOG_SINK_TYPE_DEFAULT = 0;
  // Write to a file (see AccessLogsConfig.path).
  LOG_SINK_TYPE_FILE = 1;
  // Write to standard error.
  LOG_SINK_TYPE_STDERR = 2;
  // Write to standard output.
  LOG_SINK_TYPE_STDOUT = 3;
}
// EnvoyExtension has configuration for an extension that patches Envoy resources.
message EnvoyExtension {
  // name identifies the extension.
  // NOTE(review): the set of accepted names is not defined in this file.
  string name = 1;

  // NOTE(review): presumably decides whether a failure to apply the extension
  // is treated as an error — confirm. If an extension enforces a security
  // control and is not required, a failed application could leave the proxy
  // running without that control.
  bool required = 2;

  // arguments is an untyped Struct, and the kubebuilder markers below turn
  // off schema validation and unknown-field pruning for it; the extension
  // that receives the arguments has to validate them itself.
  //
  // +kubebuilder:validation:Type=object
  // +kubebuilder:validation:Schemaless
  // +kubebuilder:pruning:PreserveUnknownFields
  google.protobuf.Struct arguments = 3;

  // NOTE(review): consul_version and envoy_version are presumably version
  // constraints that limit where the extension applies — confirm the
  // accepted syntax and what happens when a constraint does not match.
  string consul_version = 4;
  string envoy_version = 5;
}
// MutualTLSMode is the type of DynamicConfig.mutual_tls_mode.
// NOTE(review): this file does not describe the values. The notes below
// follow Consul's documented mutual TLS modes — confirm for this API version.
//
// +kubebuilder:validation:Enum=MUTUAL_TLS_MODE_DEFAULT;MUTUAL_TLS_MODE_STRICT;MUTUAL_TLS_MODE_PERMISSIVE
// +kubebuilder:validation:Type=string
enum MutualTLSMode {
  // Zero value: what an unset field decodes to. Presumably defers to another
  // configuration layer; confirm what it finally resolves to.
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  MUTUAL_TLS_MODE_DEFAULT = 0;
  // Presumably: the proxy only accepts mutual TLS on inbound connections.
  MUTUAL_TLS_MODE_STRICT = 1;
  // Presumably: the proxy also accepts inbound traffic that is not mutual
  // TLS. Such traffic carries no verified peer identity, so this mode is
  // best limited to migration windows and audited.
  MUTUAL_TLS_MODE_PERMISSIVE = 2;
}