// Copyright (c) HashiCorp, Inc. // SPDX-License-Identifier: MPL-2.0 syntax = "proto3"; package hashicorp.consul.auth.v2beta1; import "pbresource/annotations.proto"; message TrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; // Destination is a configuration of the destination proxies // where these traffic permissions should apply. Destination destination = 1; // Action can be either allow or deny for the entire object. It will default to allow. // // If action is allow, we will allow the connection if one of the rules in Rules matches, in other words, we will deny // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow // actions have no effect without a deny permission as everything is allowed by default. // // If action is deny, we will deny the connection if one of the rules in Rules match, in other words, // we will allow all requests except for the ones that match Rules. If Consul is default deny mode, // then deny permissions have no effect without an allow permission as everything is denied by default. // // Action unspecified is reserved for compatibility with the addition of future actions. Action action = 2; // Permissions is a list of permissions to match on. They are applied using OR semantics. repeated Permission permissions = 3; } message NamespaceTrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; Action action = 1; repeated Permission permissions = 2; } message PartitionTrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION}; Action action = 1; repeated Permission permissions = 2; } // Destination contains the name or name-prefix of the WorkloadIdentity. // The WorkloadIdentity resource must be in the same tenancy as the TrafficPermissions resource. message Destination { string identity_name = 1; } // +kubebuilder:validation:Enum=ACTION_ALLOW;ACTION_DENY;ACTION_UNKNOWN // +kubebuilder:validation:Type=string enum Action { ACTION_UNSPECIFIED = 0; ACTION_DENY = 1; ACTION_ALLOW = 2; } // Permissions is a list of permissions to match on. message Permission { // Sources is a list of sources in this traffic permission. repeated Source sources = 1; // DestinationRules is a list of rules to apply for matching sources in this Permission. // These rules are specific to the request or connection that is going to the destination(s) // selected by the TrafficPermissions resource. repeated DestinationRule destination_rules = 2; } // Source represents the source identity. // To specify any of the wildcard sources, the specific fields need to be omitted. // For example, for a wildcard namespace, identity_name should be omitted. message Source { string identity_name = 1; string namespace = 2; string partition = 3; string peer = 4; string sameness_group = 5; // Exclude is a list of sources to exclude from this source. repeated ExcludeSource exclude = 6; } // ExcludeSource is almost the same as source but it prevents the addition of // matching sources. message ExcludeSource { string identity_name = 1; string namespace = 2; string partition = 3; string peer = 4; string sameness_group = 5; } // DestinationRule contains rules rules to apply to the incoming connection. message DestinationRule { string path_exact = 1; string path_prefix = 2; string path_regex = 3; // Methods is the list of HTTP methods. If no methods are specified, // this rule will apply to all methods. repeated string methods = 4; DestinationRuleHeader header = 5; repeated string port_names = 6; // Exclude contains a list of rules to exclude when evaluating rules for the incoming connection. repeated ExcludePermissionRule exclude = 7; } message ExcludePermissionRule { string path_exact = 1; string path_prefix = 2; string path_regex = 3; // Methods is the list of HTTP methods. repeated string methods = 4; DestinationRuleHeader header = 5; // PortNames is a list of workload ports to apply this rule to. The ports specified here // must be the ports used in the connection. repeated string port_names = 6; } message DestinationRuleHeader { string name = 1; bool present = 2; string exact = 3; string prefix = 4; string suffix = 5; string regex = 6; bool invert = 7; }