syntax = "proto3"; package hashicorp.consul.auth.v2beta1; import "pbresource/annotations.proto"; message TrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; // destination is a configuration of the destination proxies // where these traffic permissions should apply. Destination destination = 1; // Action can be either allow or deny for the entire object. It will default to allow. // // If action is allow, // we will allow the connection if one of the rules in Rules matches, in other words, we will deny // all requests except for the ones that match Rules. If Consul is in default allow mode, then allow // actions have no effect without a deny permission as everything is allowed by default. // // If action is deny, // we will deny the connection if one of the rules in Rules match, in other words, // we will allow all requests except for the ones that match Rules. If Consul is default deny mode, // then deny permissions have no effect without an allow permission as everything is denied by default. // // Action unspecified is reserved for compatibility with the addition of future actions. Action action = 2; // permissions is a list of permissions to match on. // They are applied using OR semantics. repeated Permission permissions = 3; } message NamespaceTrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE}; Action action = 1; repeated Permission permissions = 2; } message PartitionTrafficPermissions { option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION}; Action action = 1; repeated Permission permissions = 2; } // Destination contains the name or name-prefix of the WorkloadIdentity. // The WorkloadIdentity resource must // be in the same tenancy as the TrafficPermissions resource. message Destination { string identity_name = 1; } enum Action { ACTION_UNSPECIFIED = 0; ACTION_DENY = 1; ACTION_ALLOW = 2; } // permissions is a list of permissions to match on. message Permission { // sources is a list of sources in this traffic permission. repeated Source sources = 1; // destination_rules is a list of rules to apply for matching sources in this Permission. // These rules are specific to the request or connection that is going to the destination(s) // selected by the TrafficPermissions resource. repeated DestinationRule destination_rules = 2; } // Source represents the source identity. // To specify any of the wildcard sources, the specific fields need to be omitted. // For example, for a wildcard namespace, identity_name should be omitted. message Source { string identity_name = 1; string namespace = 2; string partition = 3; string peer = 4; string sameness_group = 5; // exclude is a list of sources to exclude from this source. repeated ExcludeSource exclude = 6; } // ExcludeSource is almost the same as source but it prevents the addition of // matchiing sources. message ExcludeSource { string identity_name = 1; string namespace = 2; string partition = 3; string peer = 4; string sameness_group = 5; } // DestinationRule contains rules rules to apply to the incoming connection. message DestinationRule { string path_exact = 1; string path_prefix = 2; string path_regex = 3; // methods is the list of HTTP methods. If no methods are specified, // this rule will apply to all methods. repeated string methods = 4; DestinationRuleHeader header = 5; repeated string port_names = 6; // exclude contains a list of rules to exclude when evaluating rules for the incoming connection. repeated ExcludePermissionRule exclude = 7; } message ExcludePermissionRule { string path_exact = 1; string path_prefix = 2; string path_regex = 3; // methods is the list of HTTP methods. repeated string methods = 4; DestinationRuleHeader header = 5; // port_names is a list of workload ports to apply this rule to. The ports specified here // must be the ports used in the connection. repeated string port_names = 6; } message DestinationRuleHeader { string name = 1; bool present = 2; string exact = 3; string prefix = 4; string suffix = 5; string regex = 6; bool invert = 7; }