consul/proto-public/pbauth/v2beta1/traffic_permissions.proto

142 lines
4.8 KiB
Protocol Buffer
Raw Normal View History

2024-01-10 11:05:12 -06:00
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package hashicorp.consul.auth.v2beta1;
import "pbresource/annotations.proto";
// TrafficPermissions authorizes traffic between workloads in a Consul service mesh.
message TrafficPermissions {
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
// Destination is a configuration of the destination proxies
// where these traffic permissions should apply.
Destination destination = 1;
// Action can be either allow or deny for the entire object. It will default to allow.
// Deny actions are available only in Consul Enterprise.
//
// If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
// actions have no effect without a deny permission as everything is allowed by default.
//
// If action is deny, we will deny the connection if one of the rules in Rules match, in other words,
// we will allow all requests except for the ones that match Rules. If Consul is default deny mode,
// then deny permissions have no effect without an allow permission as everything is denied by default.
//
// Action unspecified is reserved for compatibility with the addition of future actions.
Action action = 2;
// Permissions is a list of permissions to match on. They are applied using OR semantics.
repeated Permission permissions = 3;
}
// NamespaceTrafficPermissions represents traffic permissions that should
// apply to all destinations in a namespace.
message NamespaceTrafficPermissions {
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
Action action = 1;
repeated Permission permissions = 2;
}
// PartitionTrafficPermissions represents traffic permissions that should
// apply to all destinations in a partition.
message PartitionTrafficPermissions {
option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};
Action action = 1;
repeated Permission permissions = 2;
}
// Destination contains the name or name-prefix of the WorkloadIdentity.
// The WorkloadIdentity resource must be in the same tenancy as the TrafficPermissions resource.
message Destination {
string identity_name = 1;
}
// Action specifies the behavior of a TrafficPermission.
// ACTION_DENY is only available in Consul enterprise.
//
// +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN
// +kubebuilder:validation:Type=string
enum Action {
ACTION_UNSPECIFIED = 0;
ACTION_DENY = 1;
ACTION_ALLOW = 2;
}
// Permissions is a list of permissions to match on.
message Permission {
// Sources is a list of sources in this traffic permission.
repeated Source sources = 1;
// DestinationRules is a list of rules to apply for matching sources in this Permission.
// These rules are specific to the request or connection that is going to the destination(s)
// selected by the TrafficPermissions resource.
repeated DestinationRule destination_rules = 2;
}
// Source represents the source identity.
// To specify any of the wildcard sources, the specific fields need to be omitted.
// For example, for a wildcard namespace, identity_name should be omitted.
message Source {
string identity_name = 1;
string namespace = 2;
string partition = 3;
string peer = 4;
string sameness_group = 5;
// Exclude is a list of sources to exclude from this source.
repeated ExcludeSource exclude = 6;
}
// ExcludeSource is almost the same as source but it prevents the addition of
// matching sources.
message ExcludeSource {
string identity_name = 1;
string namespace = 2;
string partition = 3;
string peer = 4;
string sameness_group = 5;
}
// DestinationRule contains rules rules to apply to the incoming connection.
message DestinationRule {
string path_exact = 1;
string path_prefix = 2;
string path_regex = 3;
// Methods is the list of HTTP methods. If no methods are specified,
// this rule will apply to all methods.
repeated string methods = 4;
repeated DestinationRuleHeader headers = 5;
repeated string port_names = 6;
// Exclude contains a list of rules to exclude when evaluating rules for the incoming connection.
repeated ExcludePermissionRule exclude = 7;
}
message ExcludePermissionRule {
string path_exact = 1;
string path_prefix = 2;
string path_regex = 3;
// Methods is the list of HTTP methods.
repeated string methods = 4;
repeated DestinationRuleHeader headers = 5;
// PortNames is a list of workload ports to apply this rule to. The ports specified here
// must be the ports used in the connection.
repeated string port_names = 6;
}
message DestinationRuleHeader {
string name = 1;
bool present = 2;
string exact = 3;
string prefix = 4;
string suffix = 5;
string regex = 6;
bool invert = 7;
}