2023-09-13 13:03:42 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: BUSL-1.1
|
|
|
|
|
|
|
|
syntax = "proto3";
|
|
|
|
|
2023-09-22 16:51:15 +00:00
|
|
|
package hashicorp.consul.mesh.v2beta1.pbproxystate;
|
2023-09-13 13:03:42 +00:00
|
|
|
|
2023-09-15 16:31:22 +00:00
|
|
|
message TrafficPermissions {
|
|
|
|
repeated Permission allow_permissions = 1;
|
|
|
|
repeated Permission deny_permissions = 2;
|
2023-10-04 13:58:28 +00:00
|
|
|
// default_allow determines if the workload is in default allow mode. This is determined
|
|
|
|
// by combining the cluster's default allow setting with the is_default property on
|
|
|
|
// computed traffic permissions.
|
|
|
|
bool default_allow = 4;
|
2023-09-13 13:03:42 +00:00
|
|
|
}
|
|
|
|
|
2023-09-15 16:31:22 +00:00
|
|
|
message Permission {
|
|
|
|
repeated Principal principals = 1;
|
2023-09-13 13:03:42 +00:00
|
|
|
|
2023-09-15 16:31:22 +00:00
|
|
|
// We don't need destination rules here yet because they either apply to L7 features or multi-ports.
|
2023-09-13 13:03:42 +00:00
|
|
|
// In the case of multiple ports, the sidecar proxy controller is responsible for filtering
|
|
|
|
// per-port permissions.
|
|
|
|
}
|
|
|
|
|
2023-09-15 16:31:22 +00:00
|
|
|
message Principal {
|
2023-09-13 13:03:42 +00:00
|
|
|
Spiffe spiffe = 1;
|
|
|
|
repeated Spiffe exclude_spiffes = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
message Spiffe {
|
|
|
|
// regex is the regular expression for matching spiffe ids.
|
|
|
|
string regex = 1;
|
|
|
|
|
|
|
|
// xfcc_regex specifies that Envoy needs to find the spiffe id in an xfcc header.
|
|
|
|
// It is currently unused, but considering this is important for to avoid breaking changes.
|
|
|
|
string xfcc_regex = 2;
|
|
|
|
}
|