register traffic permission and workload identity types (#18704)

* add workload identity and traffic permission protos

* register new types

* add generated pb code

* fix exports.go path

* add proto newlines

* fix type name

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

* address review

* fix protos and add tests

* fix validation constraints

* add tests

---------

Co-authored-by: Eric Haberkorn <erichaberkorn@gmail.com>

agent/consul/type_registry.go

@@ -4,6 +4,7 @@
 package consul
 
 import (
+	"github.com/hashicorp/consul/internal/auth"
 	"github.com/hashicorp/consul/internal/catalog"
 	"github.com/hashicorp/consul/internal/mesh"
 	"github.com/hashicorp/consul/internal/resource"
@@ -23,6 +24,7 @@ func NewTypeRegistry() resource.Registry {
 	demo.RegisterTypes(registry)
 	mesh.RegisterTypes(registry)
 	catalog.RegisterTypes(registry)
+	auth.RegisterTypes(registry)
 
 	return registry
 }

internal/auth/exports.go

@@ -0,0 +1,41 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package auth
+
+import (
+	"github.com/hashicorp/consul/internal/auth/internal/types"
+	"github.com/hashicorp/consul/internal/resource"
+)
+
+var (
+	// API Group Information
+
+	APIGroup        = types.GroupName
+	VersionV1Alpha1 = types.VersionV1Alpha1
+	CurrentVersion  = types.CurrentVersion
+
+	// Resource Kind Names.
+
+	WorkloadIdentity           = types.WorkloadIdentityKind
+	TrafficPermissions         = types.TrafficPermissionsKind
+	ComputedTrafficPermissions = types.ComputedTrafficPermissionsKind
+
+	// Resource Types for the v1alpha1 version.
+
+	WorkloadIdentityV1Alpha1Type           = types.WorkloadIdentityV1Alpha1Type
+	TrafficPermissionsV1Alpha1Type         = types.TrafficPermissionsV1Alpha1Type
+	ComputedTrafficPermissionsV1Alpha1Type = types.ComputedTrafficPermissionsV1Alpha1Type
+
+	// Resource Types for the latest version.
+
+	WorkloadIdentityType           = types.WorkloadIdentityType
+	TrafficPermissionsType         = types.TrafficPermissionsType
+	ComputedTrafficPermissionsType = types.ComputedTrafficPermissionsType
+)
+
+// RegisterTypes adds all resource types within the "catalog" API group
+// to the given type registry
+func RegisterTypes(r resource.Registry) {
+	types.Register(r)
+}

internal/auth/internal/types/computed_traffic_permissions.go

@@ -0,0 +1,33 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package types
+
+import (
+	"github.com/hashicorp/consul/internal/resource"
+	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
+	"github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+const (
+	ComputedTrafficPermissionsKind = "ComputedTrafficPermission"
+)
+
+var (
+	ComputedTrafficPermissionsV1Alpha1Type = &pbresource.Type{
+		Group:        GroupName,
+		GroupVersion: VersionV1Alpha1,
+		Kind:         ComputedTrafficPermissionsKind,
+	}
+
+	ComputedTrafficPermissionsType = ComputedTrafficPermissionsV1Alpha1Type
+)
+
+func RegisterComputedTrafficPermission(r resource.Registry) {
+	r.Register(resource.Registration{
+		Type:     ComputedTrafficPermissionsV1Alpha1Type,
+		Proto:    &pbauth.ComputedTrafficPermissions{},
+		Scope:    resource.ScopeNamespace,
+		Validate: nil,
+	})
+}

internal/auth/internal/types/errors.go

@@ -0,0 +1,12 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package types
+
+import "errors"
+
+var (
+	errInvalidAction       = errors.New("action must be either allow or deny")
+	errSourcesTenancy      = errors.New("permissions sources may not specify partitions, peers, and sameness_groups together")
+	errInvalidPrefixValues = errors.New("prefix values, regex values, and explicit names must not combined")
+)

internal/auth/internal/types/traffic_permissions.go

@@ -0,0 +1,144 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package types
+
+import (
+	"github.com/hashicorp/go-multierror"
+
+	"github.com/hashicorp/consul/internal/resource"
+	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
+	"github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+const (
+	TrafficPermissionsKind = "TrafficPermissions"
+)
+
+var (
+	TrafficPermissionsV1Alpha1Type = &pbresource.Type{
+		Group:        GroupName,
+		GroupVersion: VersionV1Alpha1,
+		Kind:         TrafficPermissionsKind,
+	}
+
+	TrafficPermissionsType = TrafficPermissionsV1Alpha1Type
+)
+
+func RegisterTrafficPermissions(r resource.Registry) {
+	r.Register(resource.Registration{
+		Type:     TrafficPermissionsV1Alpha1Type,
+		Proto:    &pbauth.TrafficPermissions{},
+		Scope:    resource.ScopeNamespace,
+		Validate: ValidateTrafficPermissions,
+	})
+}
+
+func ValidateTrafficPermissions(res *pbresource.Resource) error {
+	var tp pbauth.TrafficPermissions
+
+	if err := res.Data.UnmarshalTo(&tp); err != nil {
+		return resource.NewErrDataParse(&tp, err)
+	}
+
+	var err error
+
+	if tp.Action == pbauth.Action_ACTION_UNSPECIFIED {
+		err = multierror.Append(err, resource.ErrInvalidField{
+			Name:    "data.action",
+			Wrapped: errInvalidAction,
+		})
+	}
+	if tp.Destination == nil || (len(tp.Destination.IdentityName) == 0) {
+		err = multierror.Append(err, resource.ErrInvalidField{
+			Name:    "data.destination",
+			Wrapped: resource.ErrEmpty,
+		})
+	}
+	// Validate permissions
+	for i, permission := range tp.Permissions {
+		wrapPermissionErr := func(err error) error {
+			return resource.ErrInvalidListElement{
+				Name:    "permissions",
+				Index:   i,
+				Wrapped: err,
+			}
+		}
+		for s, src := range permission.Sources {
+			wrapSrcErr := func(err error) error {
+				return wrapPermissionErr(resource.ErrInvalidListElement{
+					Name:    "sources",
+					Index:   s,
+					Wrapped: err,
+				})
+			}
+			if (len(src.Partition) > 0 && len(src.Peer) > 0) ||
+				(len(src.Partition) > 0 && len(src.SamenessGroup) > 0) ||
+				(len(src.Peer) > 0 && len(src.SamenessGroup) > 0) {
+				err = multierror.Append(err, wrapSrcErr(resource.ErrInvalidListElement{
+					Name:    "source",
+					Wrapped: errSourcesTenancy,
+				}))
+			}
+			if len(src.Exclude) > 0 {
+				for e, d := range src.Exclude {
+					wrapExclSrcErr := func(err error) error {
+						return wrapPermissionErr(resource.ErrInvalidListElement{
+							Name:    "exclude_sources",
+							Index:   e,
+							Wrapped: err,
+						})
+					}
+					if (len(d.Partition) > 0 && len(d.Peer) > 0) ||
+						(len(d.Partition) > 0 && len(d.SamenessGroup) > 0) ||
+						(len(d.Peer) > 0 && len(d.SamenessGroup) > 0) {
+						err = multierror.Append(err, wrapExclSrcErr(resource.ErrInvalidListElement{
+							Name:    "exclude_source",
+							Wrapped: errSourcesTenancy,
+						}))
+					}
+				}
+			}
+		}
+		if len(permission.DestinationRules) > 0 {
+			for d, dest := range permission.DestinationRules {
+				wrapDestRuleErr := func(err error) error {
+					return wrapPermissionErr(resource.ErrInvalidListElement{
+						Name:    "destination_rules",
+						Index:   d,
+						Wrapped: err,
+					})
+				}
+				if (len(dest.PathExact) > 0 && len(dest.PathPrefix) > 0) ||
+					(len(dest.PathRegex) > 0 && len(dest.PathExact) > 0) ||
+					(len(dest.PathRegex) > 0 && len(dest.PathPrefix) > 0) {
+					err = multierror.Append(err, wrapDestRuleErr(resource.ErrInvalidListElement{
+						Name:    "destination_rule",
+						Wrapped: errInvalidPrefixValues,
+					}))
+				}
+				if len(dest.Exclude) > 0 {
+					for e, excl := range dest.Exclude {
+						wrapExclPermRuleErr := func(err error) error {
+							return wrapPermissionErr(resource.ErrInvalidListElement{
+								Name:    "exclude_permission_rules",
+								Index:   e,
+								Wrapped: err,
+							})
+						}
+						if (len(excl.PathExact) > 0 && len(excl.PathPrefix) > 0) ||
+							(len(excl.PathRegex) > 0 && len(excl.PathExact) > 0) ||
+							(len(excl.PathRegex) > 0 && len(excl.PathPrefix) > 0) {
+							err = multierror.Append(err, wrapExclPermRuleErr(resource.ErrInvalidListElement{
+								Name:    "exclude_permission_rule",
+								Wrapped: errInvalidPrefixValues,
+							}))
+						}
+					}
+				}
+			}
+		}
+	}
+
+	return err
+}

internal/auth/internal/types/traffic_permissions_test.go

@@ -0,0 +1,262 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package types
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/reflect/protoreflect"
+	"google.golang.org/protobuf/types/known/anypb"
+
+	"github.com/hashicorp/consul/internal/resource"
+	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
+	"github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+func createTrafficPermissionsResource(t *testing.T, data protoreflect.ProtoMessage) *pbresource.Resource {
+	res := &pbresource.Resource{
+		Id: &pbresource.ID{
+			Type: TrafficPermissionsType,
+			Tenancy: &pbresource.Tenancy{
+				Partition: "default",
+				Namespace: "default",
+				PeerName:  "local",
+			},
+			Name: "test-traffic-permissions",
+		},
+	}
+
+	var err error
+	res.Data, err = anypb.New(data)
+	require.NoError(t, err)
+	return res
+}
+
+func TestTrafficPermissions_OkMinimal(t *testing.T) {
+	data := &pbauth.TrafficPermissions{
+		Destination: &pbauth.Destination{IdentityName: "wi-1"},
+		Action:      pbauth.Action_ACTION_ALLOW,
+	}
+
+	res := createTrafficPermissionsResource(t, data)
+
+	err := ValidateTrafficPermissions(res)
+	require.NoError(t, err)
+}
+
+func TestTrafficPermissions_OkFull(t *testing.T) {
+	data := &pbauth.TrafficPermissions{
+		Destination: &pbauth.Destination{
+			IdentityName: "w1",
+		},
+		Action: pbauth.Action_ACTION_ALLOW,
+		Permissions: []*pbauth.Permission{
+			{
+				Sources: nil,
+				DestinationRules: []*pbauth.DestinationRule{
+					{
+						PathPrefix: "foo",
+						Exclude: []*pbauth.ExcludePermissionRule{
+							{
+								PathExact: "baz",
+							},
+						},
+					},
+					{
+						PathPrefix: "bar",
+					},
+				},
+			},
+			{
+				Sources: []*pbauth.Source{
+					{
+						IdentityName: "wi-3",
+						Peer:         "p1",
+					},
+				},
+			},
+		},
+	}
+
+	res := createTrafficPermissionsResource(t, data)
+
+	err := ValidateTrafficPermissions(res)
+	require.NoError(t, err)
+}
+
+func TestValidateTrafficPermissions_ParseError(t *testing.T) {
+	// Any type other than the TrafficPermissions type would work
+	// to cause the error we are expecting
+	data := &pbauth.ComputedTrafficPermissions{AllowPermissions: nil}
+
+	res := createTrafficPermissionsResource(t, data)
+
+	err := ValidateTrafficPermissions(res)
+	require.Error(t, err)
+	require.ErrorAs(t, err, &resource.ErrDataParse{})
+}
+
+func TestValidateTrafficPermissions_UnsupportedAction(t *testing.T) {
+	data := &pbauth.TrafficPermissions{
+		Destination: &pbauth.Destination{
+			IdentityName: "wi1",
+		},
+		Action:      pbauth.Action_ACTION_UNSPECIFIED,
+		Permissions: nil,
+	}
+
+	res := createTrafficPermissionsResource(t, data)
+
+	err := ValidateTrafficPermissions(res)
+	require.Error(t, err)
+	expected := resource.ErrInvalidField{
+		Name:    "data.action",
+		Wrapped: errInvalidAction,
+	}
+	var actual resource.ErrInvalidField
+	require.ErrorAs(t, err, &actual)
+	require.Equal(t, expected, actual)
+}
+
+func TestValidateTrafficPermissions_DestinationRulePathPrefixRegex(t *testing.T) {
+	data := &pbauth.TrafficPermissions{
+		Destination: &pbauth.Destination{
+			IdentityName: "w1",
+		},
+		Action: pbauth.Action_ACTION_ALLOW,
+		Permissions: []*pbauth.Permission{
+			{
+				Sources: nil,
+				DestinationRules: []*pbauth.DestinationRule{
+					{
+						PathExact:  "wi2",
+						PathPrefix: "wi",
+						PathRegex:  "wi.*",
+					},
+				},
+			},
+		},
+	}
+
+	res := createTrafficPermissionsResource(t, data)
+
+	err := ValidateTrafficPermissions(res)
+	require.Error(t, err)
+	expected := resource.ErrInvalidListElement{
+		Name:    "destination_rule",
+		Wrapped: errInvalidPrefixValues,
+	}
+	var actual resource.ErrInvalidListElement
+	require.ErrorAs(t, err, &actual)
+	require.Equal(t, "permissions", actual.Name)
+	err = actual.Unwrap()
+	require.ErrorAs(t, err, &actual)
+	require.ErrorIs(t, expected, actual.Unwrap())
+}
+
+func TestValidateTrafficPermissions_NoDestination(t *testing.T) {
+	data := &pbauth.TrafficPermissions{
+		Action: pbauth.Action_ACTION_ALLOW,
+		Permissions: []*pbauth.Permission{
+			{
+				Sources: nil,
+				DestinationRules: []*pbauth.DestinationRule{
+					{
+						PathExact: "wi2",
+					},
+				},
+			},
+		},
+	}
+
+	res := createTrafficPermissionsResource(t, data)
+
+	err := ValidateTrafficPermissions(res)
+	require.Error(t, err)
+	expected := resource.ErrInvalidField{
+		Name:    "data.destination",
+		Wrapped: resource.ErrEmpty,
+	}
+	var actual resource.ErrInvalidField
+	require.ErrorAs(t, err, &actual)
+	require.Equal(t, "data.destination", actual.Name)
+	require.Equal(t, expected, actual)
+}
+
+func TestValidateTrafficPermissions_SourceTenancy(t *testing.T) {
+	data := &pbauth.TrafficPermissions{
+		Destination: &pbauth.Destination{
+			IdentityName: "w1",
+		},
+		Action: pbauth.Action_ACTION_ALLOW,
+		Permissions: []*pbauth.Permission{
+			{
+				Sources: []*pbauth.Source{
+					{
+						Partition:     "ap1",
+						Peer:          "cl1",
+						SamenessGroup: "sg1",
+					},
+				},
+				DestinationRules: nil,
+			},
+		},
+	}
+
+	res := createTrafficPermissionsResource(t, data)
+
+	err := ValidateTrafficPermissions(res)
+	require.Error(t, err)
+	expected := resource.ErrInvalidListElement{
+		Name:    "source",
+		Wrapped: errSourcesTenancy,
+	}
+	var actual resource.ErrInvalidListElement
+	require.ErrorAs(t, err, &actual)
+	require.Equal(t, "permissions", actual.Name)
+	err = actual.Unwrap()
+	require.ErrorAs(t, err, &actual)
+	require.ErrorIs(t, expected, actual.Unwrap())
+}
+
+func TestValidateTrafficPermissions_ExcludeSourceTenancy(t *testing.T) {
+	data := &pbauth.TrafficPermissions{
+		Destination: &pbauth.Destination{
+			IdentityName: "w1",
+		},
+		Action: pbauth.Action_ACTION_ALLOW,
+		Permissions: []*pbauth.Permission{
+			{
+				Sources: []*pbauth.Source{
+					{
+						Namespace: "ns1",
+						Exclude: []*pbauth.ExcludeSource{
+							{
+								Partition:     "ap1",
+								Peer:          "cl1",
+								SamenessGroup: "sg1",
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	res := createTrafficPermissionsResource(t, data)
+
+	err := ValidateTrafficPermissions(res)
+	require.Error(t, err)
+	expected := resource.ErrInvalidListElement{
+		Name:    "exclude_source",
+		Wrapped: errSourcesTenancy,
+	}
+	var actual resource.ErrInvalidListElement
+	require.ErrorAs(t, err, &actual)
+	require.Equal(t, "permissions", actual.Name)
+	err = actual.Unwrap()
+	require.ErrorAs(t, err, &actual)
+	require.ErrorIs(t, expected, actual.Unwrap())
+}

internal/auth/internal/types/types.go

@@ -0,0 +1,20 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package types
+
+import (
+	"github.com/hashicorp/consul/internal/resource"
+)
+
+const (
+	GroupName       = "auth"
+	VersionV1Alpha1 = "v1alpha1"
+	CurrentVersion  = VersionV1Alpha1
+)
+
+func Register(r resource.Registry) {
+	RegisterWorkloadIdentity(r)
+	RegisterTrafficPermissions(r)
+	RegisterComputedTrafficPermission(r)
+}

internal/auth/internal/types/workload_identity.go

@@ -0,0 +1,33 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package types
+
+import (
+	"github.com/hashicorp/consul/internal/resource"
+	pbauth "github.com/hashicorp/consul/proto-public/pbauth/v1alpha1"
+	"github.com/hashicorp/consul/proto-public/pbresource"
+)
+
+const (
+	WorkloadIdentityKind = "WorkloadIdentity"
+)
+
+var (
+	WorkloadIdentityV1Alpha1Type = &pbresource.Type{
+		Group:        GroupName,
+		GroupVersion: VersionV1Alpha1,
+		Kind:         WorkloadIdentityKind,
+	}
+
+	WorkloadIdentityType = WorkloadIdentityV1Alpha1Type
+)
+
+func RegisterWorkloadIdentity(r resource.Registry) {
+	r.Register(resource.Registration{
+		Type:     WorkloadIdentityV1Alpha1Type,
+		Proto:    &pbauth.WorkloadIdentity{},
+		Scope:    resource.ScopeNamespace,
+		Validate: nil,
+	})
+}

proto-public/pbauth/v1alpha1/computed_traffic_permissions.pb.binary.go

@@ -0,0 +1,18 @@
+// Code generated by protoc-gen-go-binary. DO NOT EDIT.
+// source: pbauth/v1alpha1/computed_traffic_permissions.proto
+
+package authv1alpha1
+
+import (
+	"google.golang.org/protobuf/proto"
+)
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *ComputedTrafficPermissions) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *ComputedTrafficPermissions) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}

proto-public/pbauth/v1alpha1/computed_traffic_permissions.pb.go

@@ -0,0 +1,188 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.30.0
+// 	protoc        (unknown)
+// source: pbauth/v1alpha1/computed_traffic_permissions.proto
+
+package authv1alpha1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type ComputedTrafficPermissions struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	AllowPermissions []*Permission `protobuf:"bytes,1,rep,name=allow_permissions,json=allowPermissions,proto3" json:"allow_permissions,omitempty"`
+	DenyPermissions  []*Permission `protobuf:"bytes,2,rep,name=deny_permissions,json=denyPermissions,proto3" json:"deny_permissions,omitempty"`
+}
+
+func (x *ComputedTrafficPermissions) Reset() {
+	*x = ComputedTrafficPermissions{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pbauth_v1alpha1_computed_traffic_permissions_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ComputedTrafficPermissions) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ComputedTrafficPermissions) ProtoMessage() {}
+
+func (x *ComputedTrafficPermissions) ProtoReflect() protoreflect.Message {
+	mi := &file_pbauth_v1alpha1_computed_traffic_permissions_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ComputedTrafficPermissions.ProtoReflect.Descriptor instead.
+func (*ComputedTrafficPermissions) Descriptor() ([]byte, []int) {
+	return file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *ComputedTrafficPermissions) GetAllowPermissions() []*Permission {
+	if x != nil {
+		return x.AllowPermissions
+	}
+	return nil
+}
+
+func (x *ComputedTrafficPermissions) GetDenyPermissions() []*Permission {
+	if x != nil {
+		return x.DenyPermissions
+	}
+	return nil
+}
+
+var File_pbauth_v1alpha1_computed_traffic_permissions_proto protoreflect.FileDescriptor
+
+var file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDesc = []byte{
+	0x0a, 0x32, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
+	0x31, 0x2f, 0x63, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x5f, 0x74, 0x72, 0x61, 0x66, 0x66,
+	0x69, 0x63, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
+	0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c,
+	0x70, 0x68, 0x61, 0x31, 0x1a, 0x29, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x31, 0x61,
+	0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x74, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x5f, 0x70, 0x65,
+	0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
+	0xcc, 0x01, 0x0a, 0x1a, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54, 0x72, 0x61, 0x66,
+	0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x57,
+	0x0a, 0x11, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x5f, 0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69,
+	0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x68, 0x61, 0x73, 0x68,
+	0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74,
+	0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69,
+	0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x10, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x50, 0x65, 0x72, 0x6d,
+	0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x55, 0x0a, 0x10, 0x64, 0x65, 0x6e, 0x79, 0x5f,
+	0x70, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x2a, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f,
+	0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
+	0x61, 0x31, 0x2e, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x0f, 0x64,
+	0x65, 0x6e, 0x79, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x42, 0xa7,
+	0x02, 0x0a, 0x22, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
+	0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x61,
+	0x6c, 0x70, 0x68, 0x61, 0x31, 0x42, 0x1f, 0x43, 0x6f, 0x6d, 0x70, 0x75, 0x74, 0x65, 0x64, 0x54,
+	0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e,
+	0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62,
+	0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2f, 0x63,
+	0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2d, 0x70, 0x75, 0x62, 0x6c,
+	0x69, 0x63, 0x2f, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
+	0x61, 0x31, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xa2,
+	0x02, 0x03, 0x48, 0x43, 0x41, 0xaa, 0x02, 0x1e, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72,
+	0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x2e, 0x56, 0x31,
+	0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x1e, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f,
+	0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c, 0x56,
+	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xe2, 0x02, 0x2a, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63,
+	0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41, 0x75, 0x74, 0x68, 0x5c,
+	0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61,
+	0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x21, 0x48, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70,
+	0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x41, 0x75, 0x74, 0x68, 0x3a, 0x3a,
+	0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDescOnce sync.Once
+	file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDescData = file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDesc
+)
+
+func file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDescGZIP() []byte {
+	file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDescOnce.Do(func() {
+		file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDescData = protoimpl.X.CompressGZIP(file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDescData)
+	})
+	return file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDescData
+}
+
+var file_pbauth_v1alpha1_computed_traffic_permissions_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_pbauth_v1alpha1_computed_traffic_permissions_proto_goTypes = []interface{}{
+	(*ComputedTrafficPermissions)(nil), // 0: hashicorp.consul.auth.v1alpha1.ComputedTrafficPermissions
+	(*Permission)(nil),                 // 1: hashicorp.consul.auth.v1alpha1.Permission
+}
+var file_pbauth_v1alpha1_computed_traffic_permissions_proto_depIdxs = []int32{
+	1, // 0: hashicorp.consul.auth.v1alpha1.ComputedTrafficPermissions.allow_permissions:type_name -> hashicorp.consul.auth.v1alpha1.Permission
+	1, // 1: hashicorp.consul.auth.v1alpha1.ComputedTrafficPermissions.deny_permissions:type_name -> hashicorp.consul.auth.v1alpha1.Permission
+	2, // [2:2] is the sub-list for method output_type
+	2, // [2:2] is the sub-list for method input_type
+	2, // [2:2] is the sub-list for extension type_name
+	2, // [2:2] is the sub-list for extension extendee
+	0, // [0:2] is the sub-list for field type_name
+}
+
+func init() { file_pbauth_v1alpha1_computed_traffic_permissions_proto_init() }
+func file_pbauth_v1alpha1_computed_traffic_permissions_proto_init() {
+	if File_pbauth_v1alpha1_computed_traffic_permissions_proto != nil {
+		return
+	}
+	file_pbauth_v1alpha1_traffic_permissions_proto_init()
+	if !protoimpl.UnsafeEnabled {
+		file_pbauth_v1alpha1_computed_traffic_permissions_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ComputedTrafficPermissions); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_pbauth_v1alpha1_computed_traffic_permissions_proto_goTypes,
+		DependencyIndexes: file_pbauth_v1alpha1_computed_traffic_permissions_proto_depIdxs,
+		MessageInfos:      file_pbauth_v1alpha1_computed_traffic_permissions_proto_msgTypes,
+	}.Build()
+	File_pbauth_v1alpha1_computed_traffic_permissions_proto = out.File
+	file_pbauth_v1alpha1_computed_traffic_permissions_proto_rawDesc = nil
+	file_pbauth_v1alpha1_computed_traffic_permissions_proto_goTypes = nil
+	file_pbauth_v1alpha1_computed_traffic_permissions_proto_depIdxs = nil
+}

proto-public/pbauth/v1alpha1/computed_traffic_permissions.proto

@@ -0,0 +1,10 @@
+syntax = "proto3";
+
+package hashicorp.consul.auth.v1alpha1;
+
+import "pbauth/v1alpha1/traffic_permissions.proto";
+
+message ComputedTrafficPermissions {
+  repeated Permission allow_permissions = 1;
+  repeated Permission deny_permissions = 2;
+}

proto-public/pbauth/v1alpha1/traffic_permissions.pb.binary.go

@@ -0,0 +1,108 @@
+// Code generated by protoc-gen-go-binary. DO NOT EDIT.
+// source: pbauth/v1alpha1/traffic_permissions.proto
+
+package authv1alpha1
+
+import (
+	"google.golang.org/protobuf/proto"
+)
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *TrafficPermissions) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *TrafficPermissions) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *NamespaceTrafficPermissions) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *NamespaceTrafficPermissions) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *PartitionTrafficPermissions) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *PartitionTrafficPermissions) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *Destination) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *Destination) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *Permission) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *Permission) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *Source) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *Source) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *ExcludeSource) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *ExcludeSource) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *DestinationRule) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *DestinationRule) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *ExcludePermissionRule) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *ExcludePermissionRule) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *DestinationRuleHeader) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *DestinationRuleHeader) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}

proto-public/pbauth/v1alpha1/traffic_permissions.proto

@@ -0,0 +1,124 @@
+syntax = "proto3";
+
+package hashicorp.consul.auth.v1alpha1;
+
+message TrafficPermissions {
+  // destination is a configuration of the destination proxies
+  // where these traffic permissions should apply.
+  Destination destination = 1;
+
+  // Action can be either allow or deny for the entire object. It will default to allow.
+  //
+  // If action is allow,
+  // we will allow the connection if one of the rules in Rules matches, in other words, we will deny
+  // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
+  // actions have no effect without a deny permission as everything is allowed by default.
+  //
+  // If action is deny,
+  // we will deny the connection if one of the rules in Rules match, in other words,
+  // we will allow all requests except for the ones that match Rules. If Consul is default deny mode,
+  // then deny permissions have no effect without an allow permission as everything is denied by default.
+  //
+  // Action unspecified is reserved for compatibility with the addition of future actions.
+  Action action = 2;
+
+  // permissions is a list of permissions to match on.
+  // They are applied using OR semantics.
+  repeated Permission permissions = 3;
+}
+
+message NamespaceTrafficPermissions {
+  Action action = 1;
+  repeated Permission permissions = 2;
+}
+
+message PartitionTrafficPermissions {
+  Action action = 1;
+  repeated Permission permissions = 2;
+}
+
+// Destination contains the name or name-prefix of the WorkloadIdentity.
+// The WorkloadIdentity resource must
+// be in the same tenancy as the TrafficPermissions resource.
+message Destination {
+  string identity_name = 1;
+  string identity_prefix = 2;
+}
+
+enum Action {
+  ACTION_UNSPECIFIED = 0;
+  ACTION_DENY = 1;
+  ACTION_ALLOW = 2;
+}
+
+// permissions is a list of permissions to match on.
+message Permission {
+  // sources is a list of sources in this traffic permission.
+  repeated Source sources = 1;
+  // destination_rules is a list of rules to apply for matching sources in this Permission.
+  // These rules are specific to the request or connection that is going to the destination(s)
+  // selected by the TrafficPermissions resource.
+  repeated DestinationRule destination_rules = 2;
+}
+
+// Source represents the source identity.
+// To specify any of the wildcard sources, the specific fields need to be omitted.
+// For example, for a wildcard namespace, identity_name should be omitted.
+message Source {
+  string identity_name = 1;
+  string namespace = 2;
+  string partition = 3;
+  string peer = 4;
+  string sameness_group = 5;
+
+  // exclude is a list of sources to exclude from this source.
+  repeated ExcludeSource exclude = 6;
+}
+
+// ExcludeSource is almost the same as source but it prevents the addition of
+// matchiing sources.
+message ExcludeSource {
+  string identity_name = 1;
+  string namespace = 2;
+  string partition = 3;
+  string peer = 4;
+  string sameness_group = 5;
+}
+
+// DestinationRule contains rules rules to apply to the incoming connection.
+message DestinationRule {
+  string path_exact = 1;
+  string path_prefix = 2;
+  string path_regex = 3;
+  // methods is the list of HTTP methods. If no methods are specified,
+  // this rule will apply to all methods.
+  repeated string methods = 4;
+  DestinationRuleHeader header = 5;
+  repeated string port_names = 6;
+  // exclude contains a list of rules to exclude when evaluating rules for the incoming connection.
+  repeated ExcludePermissionRule exclude = 7;
+}
+
+message ExcludePermissionRule {
+  string path_exact = 1;
+  string path_prefix = 2;
+  string path_regex = 3;
+  // methods is the list of HTTP methods.
+  repeated string methods = 4;
+
+  DestinationRuleHeader header = 5;
+
+  // port_names is a list of workload ports to apply this rule to. The ports specified here
+  // must be the ports used in the connection.
+  repeated string port_names = 6;
+}
+
+message DestinationRuleHeader {
+  string name = 1;
+  bool present = 2;
+  string exact = 3;
+  string prefix = 4;
+  string suffix = 5;
+  string regex = 6;
+  bool invert = 7;
+}

proto-public/pbauth/v1alpha1/workload_identity.pb.binary.go

@@ -0,0 +1,18 @@
+// Code generated by protoc-gen-go-binary. DO NOT EDIT.
+// source: pbauth/v1alpha1/workload_identity.proto
+
+package authv1alpha1
+
+import (
+	"google.golang.org/protobuf/proto"
+)
+
+// MarshalBinary implements encoding.BinaryMarshaler
+func (msg *WorkloadIdentity) MarshalBinary() ([]byte, error) {
+	return proto.Marshal(msg)
+}
+
+// UnmarshalBinary implements encoding.BinaryUnmarshaler
+func (msg *WorkloadIdentity) UnmarshalBinary(b []byte) error {
+	return proto.Unmarshal(b, msg)
+}

proto-public/pbauth/v1alpha1/workload_identity.pb.go

@@ -0,0 +1,152 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.30.0
+// 	protoc        (unknown)
+// source: pbauth/v1alpha1/workload_identity.proto
+
+package authv1alpha1
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type WorkloadIdentity struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *WorkloadIdentity) Reset() {
+	*x = WorkloadIdentity{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_pbauth_v1alpha1_workload_identity_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *WorkloadIdentity) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WorkloadIdentity) ProtoMessage() {}
+
+func (x *WorkloadIdentity) ProtoReflect() protoreflect.Message {
+	mi := &file_pbauth_v1alpha1_workload_identity_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WorkloadIdentity.ProtoReflect.Descriptor instead.
+func (*WorkloadIdentity) Descriptor() ([]byte, []int) {
+	return file_pbauth_v1alpha1_workload_identity_proto_rawDescGZIP(), []int{0}
+}
+
+var File_pbauth_v1alpha1_workload_identity_proto protoreflect.FileDescriptor
+
+var file_pbauth_v1alpha1_workload_identity_proto_rawDesc = []byte{
+	0x0a, 0x27, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
+	0x31, 0x2f, 0x77, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74,
+	0x69, 0x74, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1e, 0x68, 0x61, 0x73, 0x68, 0x69,
+	0x63, 0x6f, 0x72, 0x70, 0x2e, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68,
+	0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x22, 0x12, 0x0a, 0x10, 0x57, 0x6f, 0x72,
+	0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x42, 0x9d, 0x02,
+	0x0a, 0x22, 0x63, 0x6f, 0x6d, 0x2e, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e,
+	0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x61, 0x75, 0x74, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c,
+	0x70, 0x68, 0x61, 0x31, 0x42, 0x15, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x49, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x45, 0x67,
+	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x68, 0x61, 0x73, 0x68, 0x69, 0x63,
+	0x6f, 0x72, 0x70, 0x2f, 0x63, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x2d, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2f, 0x70, 0x62, 0x61, 0x75, 0x74, 0x68, 0x2f, 0x76,
+	0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x3b, 0x61, 0x75, 0x74, 0x68, 0x76, 0x31, 0x61, 0x6c,
+	0x70, 0x68, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x48, 0x43, 0x41, 0xaa, 0x02, 0x1e, 0x48, 0x61, 0x73,
+	0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x2e, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x2e, 0x41, 0x75,
+	0x74, 0x68, 0x2e, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xca, 0x02, 0x1e, 0x48, 0x61,
+	0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c, 0x41,
+	0x75, 0x74, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0xe2, 0x02, 0x2a, 0x48,
+	0x61, 0x73, 0x68, 0x69, 0x63, 0x6f, 0x72, 0x70, 0x5c, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x5c,
+	0x41, 0x75, 0x74, 0x68, 0x5c, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x5c, 0x47, 0x50,
+	0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x21, 0x48, 0x61, 0x73, 0x68,
+	0x69, 0x63, 0x6f, 0x72, 0x70, 0x3a, 0x3a, 0x43, 0x6f, 0x6e, 0x73, 0x75, 0x6c, 0x3a, 0x3a, 0x41,
+	0x75, 0x74, 0x68, 0x3a, 0x3a, 0x56, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_pbauth_v1alpha1_workload_identity_proto_rawDescOnce sync.Once
+	file_pbauth_v1alpha1_workload_identity_proto_rawDescData = file_pbauth_v1alpha1_workload_identity_proto_rawDesc
+)
+
+func file_pbauth_v1alpha1_workload_identity_proto_rawDescGZIP() []byte {
+	file_pbauth_v1alpha1_workload_identity_proto_rawDescOnce.Do(func() {
+		file_pbauth_v1alpha1_workload_identity_proto_rawDescData = protoimpl.X.CompressGZIP(file_pbauth_v1alpha1_workload_identity_proto_rawDescData)
+	})
+	return file_pbauth_v1alpha1_workload_identity_proto_rawDescData
+}
+
+var file_pbauth_v1alpha1_workload_identity_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_pbauth_v1alpha1_workload_identity_proto_goTypes = []interface{}{
+	(*WorkloadIdentity)(nil), // 0: hashicorp.consul.auth.v1alpha1.WorkloadIdentity
+}
+var file_pbauth_v1alpha1_workload_identity_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_pbauth_v1alpha1_workload_identity_proto_init() }
+func file_pbauth_v1alpha1_workload_identity_proto_init() {
+	if File_pbauth_v1alpha1_workload_identity_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_pbauth_v1alpha1_workload_identity_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*WorkloadIdentity); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_pbauth_v1alpha1_workload_identity_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_pbauth_v1alpha1_workload_identity_proto_goTypes,
+		DependencyIndexes: file_pbauth_v1alpha1_workload_identity_proto_depIdxs,
+		MessageInfos:      file_pbauth_v1alpha1_workload_identity_proto_msgTypes,
+	}.Build()
+	File_pbauth_v1alpha1_workload_identity_proto = out.File
+	file_pbauth_v1alpha1_workload_identity_proto_rawDesc = nil
+	file_pbauth_v1alpha1_workload_identity_proto_goTypes = nil
+	file_pbauth_v1alpha1_workload_identity_proto_depIdxs = nil
+}

proto-public/pbauth/v1alpha1/workload_identity.proto

@@ -0,0 +1,5 @@
+syntax = "proto3";
+
+package hashicorp.consul.auth.v1alpha1;
+
+message WorkloadIdentity {}