proxycfg: server-local config entry data sources
This is the OSS portion of enterprise PR 2056.
This commit provides server-local implementations of the proxycfg.ConfigEntry
and proxycfg.ConfigEntryList interfaces, that source data from streaming events.
It makes use of the LocalMaterializer type introduced for peering replication,
adding the necessary support for authorization.
It also adds support for "wildcard" subscriptions (within a topic) to the event
publisher, as this is needed to fetch service-resolvers for all services when
configuring mesh gateways.
Currently, events will be emitted for just the ingress-gateway, service-resolver,
and mesh config entry types, as these are the only entries required by proxycfg
— the events will be emitted on topics named IngressGateway, ServiceResolver,
and MeshConfig topics respectively.
Though these events will only be consumed "locally" for now, they can also be
consumed via the gRPC endpoint (confirmed using grpcurl) so using them from
client agents should be a case of swapping the LocalMaterializer for an
RPCMaterializer.
2022-07-01 16:09:47 +01:00
|
|
|
syntax = "proto3";
|
|
|
|
|
|
|
|
import "proto/pbcommon/common.proto";
|
|
|
|
import "google/protobuf/duration.proto";
|
2022-07-01 16:15:49 +01:00
|
|
|
import "google/protobuf/timestamp.proto";
|
proxycfg: server-local config entry data sources
This is the OSS portion of enterprise PR 2056.
This commit provides server-local implementations of the proxycfg.ConfigEntry
and proxycfg.ConfigEntryList interfaces, that source data from streaming events.
It makes use of the LocalMaterializer type introduced for peering replication,
adding the necessary support for authorization.
It also adds support for "wildcard" subscriptions (within a topic) to the event
publisher, as this is needed to fetch service-resolvers for all services when
configuring mesh gateways.
Currently, events will be emitted for just the ingress-gateway, service-resolver,
and mesh config entry types, as these are the only entries required by proxycfg
— the events will be emitted on topics named IngressGateway, ServiceResolver,
and MeshConfig topics respectively.
Though these events will only be consumed "locally" for now, they can also be
consumed via the gRPC endpoint (confirmed using grpcurl) so using them from
client agents should be a case of swapping the LocalMaterializer for an
RPCMaterializer.
2022-07-01 16:09:47 +01:00
|
|
|
|
|
|
|
package configentry;
|
|
|
|
|
|
|
|
enum Kind {
|
|
|
|
KindUnknown = 0;
|
|
|
|
KindMeshConfig = 1;
|
|
|
|
KindServiceResolver = 2;
|
|
|
|
KindIngressGateway = 3;
|
2022-07-01 16:15:49 +01:00
|
|
|
KindServiceIntentions = 4;
|
proxycfg: server-local config entry data sources
This is the OSS portion of enterprise PR 2056.
This commit provides server-local implementations of the proxycfg.ConfigEntry
and proxycfg.ConfigEntryList interfaces, that source data from streaming events.
It makes use of the LocalMaterializer type introduced for peering replication,
adding the necessary support for authorization.
It also adds support for "wildcard" subscriptions (within a topic) to the event
publisher, as this is needed to fetch service-resolvers for all services when
configuring mesh gateways.
Currently, events will be emitted for just the ingress-gateway, service-resolver,
and mesh config entry types, as these are the only entries required by proxycfg
— the events will be emitted on topics named IngressGateway, ServiceResolver,
and MeshConfig topics respectively.
Though these events will only be consumed "locally" for now, they can also be
consumed via the gRPC endpoint (confirmed using grpcurl) so using them from
client agents should be a case of swapping the LocalMaterializer for an
RPCMaterializer.
2022-07-01 16:09:47 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
message ConfigEntry {
|
|
|
|
Kind Kind = 1;
|
|
|
|
string Name = 2;
|
|
|
|
|
|
|
|
common.EnterpriseMeta EnterpriseMeta = 3;
|
|
|
|
common.RaftIndex RaftIndex = 4;
|
|
|
|
|
|
|
|
oneof Entry {
|
|
|
|
MeshConfig MeshConfig = 5;
|
|
|
|
ServiceResolver ServiceResolver = 6;
|
|
|
|
IngressGateway IngressGateway = 7;
|
2022-07-01 16:15:49 +01:00
|
|
|
ServiceIntentions ServiceIntentions = 8;
|
proxycfg: server-local config entry data sources
This is the OSS portion of enterprise PR 2056.
This commit provides server-local implementations of the proxycfg.ConfigEntry
and proxycfg.ConfigEntryList interfaces, that source data from streaming events.
It makes use of the LocalMaterializer type introduced for peering replication,
adding the necessary support for authorization.
It also adds support for "wildcard" subscriptions (within a topic) to the event
publisher, as this is needed to fetch service-resolvers for all services when
configuring mesh gateways.
Currently, events will be emitted for just the ingress-gateway, service-resolver,
and mesh config entry types, as these are the only entries required by proxycfg
— the events will be emitted on topics named IngressGateway, ServiceResolver,
and MeshConfig topics respectively.
Though these events will only be consumed "locally" for now, they can also be
consumed via the gRPC endpoint (confirmed using grpcurl) so using them from
client agents should be a case of swapping the LocalMaterializer for an
RPCMaterializer.
2022-07-01 16:09:47 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshConfigEntry
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
// ignore-fields=RaftIndex,EnterpriseMeta
|
|
|
|
message MeshConfig {
|
|
|
|
TransparentProxyMeshConfig TransparentProxy = 1;
|
|
|
|
MeshTLSConfig TLS = 2;
|
|
|
|
MeshHTTPConfig HTTP = 3;
|
|
|
|
map<string, string> Meta = 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.TransparentProxyMeshConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message TransparentProxyMeshConfig {
|
|
|
|
bool MeshDestinationsOnly = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshTLSConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message MeshTLSConfig {
|
|
|
|
MeshDirectionalTLSConfig Incoming = 1;
|
|
|
|
MeshDirectionalTLSConfig Outgoing = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshDirectionalTLSConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message MeshDirectionalTLSConfig {
|
|
|
|
// mog: func-from=tlsVersionFromStructs func-to=tlsVersionToStructs
|
|
|
|
string TLSMinVersion = 1;
|
|
|
|
// mog: func-from=tlsVersionFromStructs func-to=tlsVersionToStructs
|
|
|
|
string TLSMaxVersion = 2;
|
|
|
|
// mog: func-from=cipherSuitesFromStructs func-to=cipherSuitesToStructs
|
|
|
|
repeated string CipherSuites = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshHTTPConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message MeshHTTPConfig {
|
|
|
|
bool SanitizeXForwardedClientCert = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverConfigEntry
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
// ignore-fields=Kind,Name,RaftIndex,EnterpriseMeta
|
|
|
|
message ServiceResolver {
|
|
|
|
string DefaultSubset = 1;
|
|
|
|
map<string, ServiceResolverSubset> Subsets = 2;
|
|
|
|
ServiceResolverRedirect Redirect = 3;
|
|
|
|
map<string, ServiceResolverFailover> Failover = 4;
|
|
|
|
// mog: func-to=structs.DurationFromProto func-from=structs.DurationToProto
|
|
|
|
google.protobuf.Duration ConnectTimeout = 5;
|
|
|
|
LoadBalancer LoadBalancer = 6;
|
|
|
|
map<string, string> Meta = 7;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverSubset
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message ServiceResolverSubset {
|
|
|
|
string Filter = 1;
|
|
|
|
bool OnlyPassing = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverRedirect
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message ServiceResolverRedirect {
|
|
|
|
string Service = 1;
|
|
|
|
string ServiceSubset = 2;
|
|
|
|
string Namespace = 3;
|
|
|
|
string Partition = 4;
|
|
|
|
string Datacenter = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverFailover
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message ServiceResolverFailover {
|
|
|
|
string Service = 1;
|
|
|
|
string ServiceSubset = 2;
|
|
|
|
string Namespace = 3;
|
|
|
|
repeated string Datacenters = 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.LoadBalancer
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message LoadBalancer {
|
|
|
|
string Policy = 1;
|
|
|
|
RingHashConfig RingHashConfig = 2;
|
|
|
|
LeastRequestConfig LeastRequestConfig = 3;
|
|
|
|
repeated HashPolicy HashPolicies = 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.RingHashConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message RingHashConfig {
|
|
|
|
uint64 MinimumRingSize = 1;
|
|
|
|
uint64 MaximumRingSize = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.LeastRequestConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message LeastRequestConfig {
|
|
|
|
uint32 ChoiceCount = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.HashPolicy
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message HashPolicy {
|
|
|
|
string Field = 1;
|
|
|
|
string FieldValue = 2;
|
|
|
|
CookieConfig CookieConfig = 3;
|
|
|
|
bool SourceIP = 4;
|
|
|
|
bool Terminal = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.CookieConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message CookieConfig {
|
|
|
|
bool Session = 1;
|
|
|
|
// mog: func-to=structs.DurationFromProto func-from=structs.DurationToProto
|
|
|
|
google.protobuf.Duration TTL = 2;
|
|
|
|
string Path = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.IngressGatewayConfigEntry
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
// ignore-fields=Kind,Name,RaftIndex,EnterpriseMeta
|
|
|
|
message IngressGateway {
|
|
|
|
GatewayTLSConfig TLS = 1;
|
|
|
|
repeated IngressListener Listeners = 2;
|
|
|
|
map<string, string> Meta = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.GatewayTLSConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message GatewayTLSConfig {
|
|
|
|
bool Enabled = 1;
|
|
|
|
GatewayTLSSDSConfig SDS = 2;
|
|
|
|
// mog: func-from=tlsVersionFromStructs func-to=tlsVersionToStructs
|
|
|
|
string TLSMinVersion = 3;
|
|
|
|
// mog: func-from=tlsVersionFromStructs func-to=tlsVersionToStructs
|
|
|
|
string TLSMaxVersion = 4;
|
|
|
|
// mog: func-from=cipherSuitesFromStructs func-to=cipherSuitesToStructs
|
|
|
|
repeated string CipherSuites = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.GatewayTLSSDSConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message GatewayTLSSDSConfig {
|
|
|
|
string ClusterName = 1;
|
|
|
|
string CertResource = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.IngressListener
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message IngressListener {
|
|
|
|
// mog: func-to=int func-from=int32
|
|
|
|
int32 Port = 1;
|
|
|
|
string Protocol = 2;
|
|
|
|
repeated IngressService Services = 3;
|
|
|
|
GatewayTLSConfig TLS = 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.IngressService
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message IngressService {
|
|
|
|
string Name = 1;
|
|
|
|
repeated string Hosts = 2;
|
|
|
|
GatewayServiceTLSConfig TLS = 3;
|
|
|
|
HTTPHeaderModifiers RequestHeaders = 4;
|
|
|
|
HTTPHeaderModifiers ResponseHeaders = 5;
|
|
|
|
map<string, string> Meta = 6;
|
|
|
|
// mog: func-to=enterpriseMetaToStructs func-from=enterpriseMetaFromStructs
|
|
|
|
common.EnterpriseMeta EnterpriseMeta = 7;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.GatewayServiceTLSConfig
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message GatewayServiceTLSConfig {
|
|
|
|
GatewayTLSSDSConfig SDS = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.HTTPHeaderModifiers
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message HTTPHeaderModifiers {
|
|
|
|
map<string, string> Add = 1;
|
|
|
|
map<string, string> Set = 2;
|
|
|
|
repeated string Remove = 3;
|
|
|
|
}
|
2022-07-01 16:15:49 +01:00
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceIntentionsConfigEntry
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
// ignore-fields=Kind,Name,RaftIndex,EnterpriseMeta
|
|
|
|
message ServiceIntentions {
|
|
|
|
repeated SourceIntention Sources = 1;
|
|
|
|
map<string, string> Meta = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.SourceIntention
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message SourceIntention {
|
|
|
|
string Name = 1;
|
|
|
|
// mog: func-to=intentionActionToStructs func-from=intentionActionFromStructs
|
|
|
|
IntentionAction Action = 2;
|
|
|
|
repeated IntentionPermission Permissions = 3;
|
|
|
|
// mog: func-to=int func-from=int32
|
|
|
|
int32 Precedence = 4;
|
|
|
|
string LegacyID = 5;
|
|
|
|
// mog: func-to=intentionSourceTypeToStructs func-from=intentionSourceTypeFromStructs
|
|
|
|
IntentionSourceType Type = 6;
|
|
|
|
string Description = 7;
|
|
|
|
map<string, string> LegacyMeta = 8;
|
|
|
|
// mog: func-to=timeToStructs func-from=timeFromStructs
|
|
|
|
google.protobuf.Timestamp LegacyCreateTime = 9;
|
|
|
|
// mog: func-to=timeToStructs func-from=timeFromStructs
|
|
|
|
google.protobuf.Timestamp LegacyUpdateTime = 10;
|
|
|
|
// mog: func-to=enterpriseMetaToStructs func-from=enterpriseMetaFromStructs
|
|
|
|
common.EnterpriseMeta EnterpriseMeta = 11;
|
|
|
|
string Peer = 12;
|
|
|
|
}
|
|
|
|
|
|
|
|
enum IntentionAction {
|
|
|
|
Deny = 0;
|
|
|
|
Allow = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
enum IntentionSourceType {
|
|
|
|
Consul = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.IntentionPermission
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message IntentionPermission {
|
|
|
|
// mog: func-to=intentionActionToStructs func-from=intentionActionFromStructs
|
|
|
|
IntentionAction Action = 1;
|
|
|
|
IntentionHTTPPermission HTTP = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.IntentionHTTPPermission
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message IntentionHTTPPermission {
|
|
|
|
string PathExact = 1;
|
|
|
|
string PathPrefix = 2;
|
|
|
|
string PathRegex = 3;
|
|
|
|
repeated IntentionHTTPHeaderPermission Header = 4;
|
|
|
|
repeated string Methods = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
// mog annotation:
|
|
|
|
//
|
|
|
|
// target=github.com/hashicorp/consul/agent/structs.IntentionHTTPHeaderPermission
|
|
|
|
// output=config_entry.gen.go
|
|
|
|
// name=Structs
|
|
|
|
message IntentionHTTPHeaderPermission {
|
|
|
|
string Name = 1;
|
|
|
|
bool Present = 2;
|
|
|
|
string Exact = 3;
|
|
|
|
string Prefix = 4;
|
|
|
|
string Suffix = 5;
|
|
|
|
string Regex = 6;
|
|
|
|
bool Invert = 7;
|
|
|
|
}
|