// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package hashicorp.consul.mesh.v2beta1.pbproxystate;
// TLS carries the proxy-wide default TLS parameters for both directions.
// A TransportSocket.tls_parameters value takes precedence over these defaults
// for that socket only.
message TLS {
  // inbound_tls_parameters has default TLS parameter configuration for inbound connections. These can be overridden per
  // transport socket.
  TLSParameters inbound_tls_parameters = 1;

  // outbound_tls_parameters has default TLS parameter configuration for outbound connections. These can be overridden per
  // transport socket.
  TLSParameters outbound_tls_parameters = 2;
}
// TransportSocket describes how one socket terminates or originates TLS.
// The connection_tls oneof picks the direction (inbound/outbound) and whether
// the peer is a mesh workload; the remaining fields tune the TLS handshake.
message TransportSocket {
  // name of the transport socket
  string name = 1;

  // connection_tls selects the TLS mode for this socket. As a oneof, setting
  // one variant clears the others; a TransportSocket with no variant set
  // carries no TLS mode at all, and what the consumer does with that case is
  // not defined here — confirm it is rejected rather than treated as plaintext.
  oneof connection_tls {
    // inbound_mesh is for incoming connections FROM the mesh.
    InboundMeshMTLS inbound_mesh = 2;
    // outbound_mesh is for outbound connections TO mesh destinations.
    OutboundMeshMTLS outbound_mesh = 3;
    // inbound_non_mesh is for incoming connections FROM non mesh.
    InboundNonMeshTLS inbound_non_mesh = 4;
    // outbound_non_mesh is for outbound connections TO non mesh destinations.
    OutboundNonMeshTLS outbound_non_mesh = 5;
  }

  // tls_parameters can override any top level tls parameters that are configured.
  // Message fields have explicit presence, so "unset" is distinguishable from an
  // empty TLSParameters; the TLS message's comments say the top-level defaults
  // apply when this is unset — confirm in the consumer.
  TLSParameters tls_parameters = 6;

  // alpn_protocols lists the ALPN protocol identifiers offered or accepted on
  // this socket. Element order is preserved on the wire; presumably it is the
  // preference order handed to the proxy — confirm against the consumer.
  repeated string alpn_protocols = 7;
}
// InboundMeshMTLS configures mTLS for connections arriving from other mesh
// workloads: which leaf certificate to present and how to validate the peer.
message InboundMeshMTLS {
  // identity_key is UUID key to use to look up the leaf certificate in ProxyState to present for incoming connections.
  string identity_key = 1;

  // validation_context has what is needed to validate incoming connections.
  // Message fields have explicit presence: an unset validation_context is
  // distinguishable from an empty one. The schema does not say which of the
  // two (if either) the consumer treats as "do not validate the client", so
  // check that before relying on it.
  MeshInboundValidationContext validation_context = 2;
}
// OutboundMeshMTLS configures mTLS for connections this proxy opens to other
// mesh workloads: the client certificate to present, how to validate the
// destination, and the SNI to send.
message OutboundMeshMTLS {
  // identity_key is UUID key to use to look up the leaf certificate in ProxyState when connecting to destinations.
  string identity_key = 1;

  // validation_context has what is needed to validate the destination.
  MeshOutboundValidationContext validation_context = 2;

  // sni to use when connecting to the destination. SNI travels in the clear in
  // the ClientHello, so treat it as routing metadata, not as a secret.
  string sni = 3;
}
// InboundNonMeshTLS configures TLS for connections arriving from outside the
// mesh. Only the identity this proxy presents is described; the message
// defines no validation context, so client-certificate validation for
// non-mesh callers is not expressible here.
message InboundNonMeshTLS {
  // identity is the reference to the leaf certificate to present for incoming connections.
  // Exactly one variant may be set; a message with neither set presents no
  // identity, and how the consumer handles that is not defined here.
  oneof identity {
    // leaf_key is the UUID key to use to look up the leaf certificate in the ProxyState leaf certificate map.
    string leaf_key = 1;

    // sds refers to certificates retrieved via Envoy SDS.
    SDSCertificate sds = 2;
  }
}
// OutboundNonMeshTLS configures TLS for connections this proxy opens to
// destinations outside the mesh, using file-based certificate material.
message OutboundNonMeshTLS {
  // cert_file is a filename for a certificate to present for outbound connections.
  string cert_file = 1;

  // key_file is a filename for a key for outbound connections. Only the path is
  // carried here; the private key itself lives on the proxy host, so its file
  // permissions are what protect it.
  string key_file = 2;

  // validation_context has what is needed to validate the destination.
  // This is a message field (explicit presence); whether an unset value means
  // "skip verification" is not defined by the schema — confirm in the consumer.
  NonMeshOutboundValidationContext validation_context = 3;
}
// MeshInboundValidationContext says which trust bundles may vouch for a
// mesh client connecting to this proxy.
message MeshInboundValidationContext {
  // trust_bundle_peer_name_keys is which trust bundles to use for validating incoming connections. If this workload is exported
  // to peers, the incoming connection could be from a different peer, requiring that trust bundle to validate the
  // connection. These could be local or peered trust bundles. This will be a key in the trust bundle map.
  // Repeated fields have no presence: an empty list is indistinguishable from
  // unset. Every key listed widens the set of CAs accepted for inbound mTLS.
  repeated string trust_bundle_peer_name_keys = 1;
}
// MeshOutboundValidationContext says how to validate a mesh destination:
// which trust bundle signs its certificate and which identities it may claim.
message MeshOutboundValidationContext {
  // trust_bundle_peer_name_key is which trust bundle to use for the destination. It could be the local or a peer's trust bundle.
  // This will be a key in the trust bundle map.
  string trust_bundle_peer_name_key = 1;

  // spiffe_ids is one or more spiffe IDs to validate. The schema cannot enforce
  // "one or more": an empty list is representable, and whether that means
  // "reject every peer" or "skip the identity check" must be pinned down in the
  // consumer, since the second reading would reduce mTLS to server-auth only.
  repeated string spiffe_ids = 2;
}
// NonMeshOutboundValidationContext says how to validate a destination outside
// the mesh, using a CA file on the proxy host.
message NonMeshOutboundValidationContext {
  // ca_file is a filename for a ca for outbound connections to validate the destination.
  // proto3 string: "" is the default and indistinguishable from unset. Confirm
  // the consumer does not read an empty ca_file as "do not verify the peer".
  string ca_file = 1;
}
// SDSCertificate identifies a certificate fetched dynamically through Envoy
// SDS rather than carried inline in ProxyState.
message SDSCertificate {
  // cluster_name is, presumably, the name of the cluster through which the SDS
  // server is reached — confirm against the consumer.
  string cluster_name = 1;

  // cert_resource is, presumably, the SDS resource name requested for the
  // certificate — confirm against the consumer.
  string cert_resource = 2;
}
// TLSParameters constrains the protocol versions and cipher suites a transport
// socket may negotiate. Nothing in the schema rejects min_version > max_version;
// that check belongs in the consumer.
message TLSParameters {
  // min_version is the lowest TLS version to negotiate. proto3 enum fields have
  // no presence, so an unset value reads as the enum zero value, TLS_VERSION_AUTO.
  TLSVersion min_version = 1;

  // max_version is the highest TLS version to negotiate; unset likewise reads as
  // TLS_VERSION_AUTO.
  TLSVersion max_version = 2;

  // cipher_suites restricts the suites offered or accepted. Element order is
  // preserved on the wire. An empty list is indistinguishable from unset, and
  // what that means (proxy defaults, presumably) is not stated here.
  repeated TLSCipherSuite cipher_suites = 3;
}
// LeafCertificate is a certificate and private key pair carried inline in
// ProxyState, looked up by the identity_key / leaf_key fields above.
message LeafCertificate {
  // cert is the leaf certificate, presumably PEM-encoded — confirm.
  string cert = 1;

  // key is the private key for cert. This is secret material travelling inside
  // the message, so anything that logs, dumps or persists ProxyState exposes it;
  // redact this field at those points.
  string key = 2;
}
// TrustBundle is the set of root certificates trusted for one trust domain.
// The validation contexts above refer to bundles by key in a trust bundle map;
// that map is not defined in this message.
message TrustBundle {
  // trust_domain is, presumably, the SPIFFE trust domain these roots vouch for
  // — confirm the expected format against the consumer.
  string trust_domain = 1;

  // roots are the trusted CA certificates, presumably PEM-encoded — confirm.
  // Any chain ending in any of these is trusted, so every entry widens the
  // trust boundary.
  repeated string roots = 2;
}
// TLSVersion is a TLS protocol version bound used by TLSParameters.
// Note the zero value is TLS_VERSION_AUTO rather than the _UNSPECIFIED
// value (lint suppressed below), so an unset field reads as AUTO and
// TLS_VERSION_UNSPECIFIED = 6 only appears when set explicitly.
// +kubebuilder:validation:Enum=TLS_VERSION_AUTO;TLS_VERSION_1_0;TLS_VERSION_1_1;TLS_VERSION_1_2;TLS_VERSION_1_3;TLS_VERSION_INVALID;TLS_VERSION_UNSPECIFIED
// +kubebuilder:validation:Type=string
enum TLSVersion {
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  // TLS_VERSION_AUTO is the default: the proxy picks the version. What it
  // resolves to is not defined in this file.
  TLS_VERSION_AUTO = 0;
  // TLS_VERSION_1_0 is a legacy version, deprecated by RFC 8996; selecting it
  // as min_version accepts handshakes modern peers no longer offer.
  TLS_VERSION_1_0 = 1;
  // TLS_VERSION_1_1 is likewise deprecated by RFC 8996.
  TLS_VERSION_1_1 = 2;
  // TLS_VERSION_1_2 is the lowest version still considered current.
  TLS_VERSION_1_2 = 3;
  // TLS_VERSION_1_3 is the newest version represented here.
  TLS_VERSION_1_3 = 4;
  // TLS_VERSION_INVALID — by its name, a value the producer could not map;
  // confirm how the consumer reacts to it.
  TLS_VERSION_INVALID = 5;
  // TLS_VERSION_UNSPECIFIED is the explicit "not set" marker. It is not the
  // proto3 default because it is not the zero value.
  TLS_VERSION_UNSPECIFIED = 6;
}
// TLSCipherSuite is a cipher suite selectable in TLSParameters.cipher_suites.
// The zero value is a real suite (lint suppressed below). Inside a repeated
// field each element is encoded explicitly, so there is no unset ambiguity
// there, but a singular field of this type would default to it silently.
// Names are this package's own; the mapping to the proxy's suite identifiers
// is not defined here, and the per-value notes below are read from the names.
// +kubebuilder:validation:Enum=TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256;TLS_CIPHER_SUITE_AES256_SHA;TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305;TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256;TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305;TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA;TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA;TLS_CIPHER_SUITE_AES128_GCM_SHA256;TLS_CIPHER_SUITE_AES128_SHA;TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384;TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384;TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA;TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA;TLS_CIPHER_SUITE_AES256_GCM_SHA384
// +kubebuilder:validation:Type=string
enum TLSCipherSuite {
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  // ECDHE + AEAD (GCM / ChaCha20-Poly1305): forward secrecy, authenticated
  // encryption. These are the values to prefer.
  TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256 = 0;
  TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305 = 1;
  TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256 = 2;
  TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305 = 3;
  // ECDHE + AES-CBC with HMAC-SHA1 (non-AEAD). Forward secrecy, but a legacy
  // record protection; presumably retained for older peers.
  TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA = 4;
  TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA = 5;
  // No ECDHE in the name: by convention a static-RSA key exchange, i.e. no
  // forward secrecy — confirm the mapping in the consumer before allowing it.
  TLS_CIPHER_SUITE_AES128_GCM_SHA256 = 6;
  // Static RSA key exchange and CBC/HMAC-SHA1: weakest combination listed.
  TLS_CIPHER_SUITE_AES128_SHA = 7;
  // 256-bit variants of the ECDHE + AEAD suites above.
  TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384 = 8;
  TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384 = 9;
  // 256-bit ECDHE + CBC/HMAC-SHA1 variants (non-AEAD).
  TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA = 10;
  TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA = 11;
  // 256-bit static-RSA variants (no forward secrecy), AEAD and CBC respectively.
  TLS_CIPHER_SUITE_AES256_GCM_SHA384 = 12;
  TLS_CIPHER_SUITE_AES256_SHA = 13;
}