// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

syntax = "proto3";

package hashicorp.consul.mesh.v2beta1.pbproxystate;

// TLS carries the proxy-wide default TLS parameters. A TransportSocket may
// override these defaults through its own tls_parameters field.
message TLS {
  // inbound_tls_parameters has default TLS parameter configuration for inbound connections. These can be overridden per
  // transport socket.
  TLSParameters inbound_tls_parameters = 1;
  // outbound_tls_parameters has default TLS parameter configuration for outbound connections. These can be overridden per
  // transport socket.
  TLSParameters outbound_tls_parameters = 2;
}

// TransportSocket describes the TLS configuration of one listener- or
// cluster-side socket. The populated member of connection_tls tells both the
// direction of the connection (inbound/outbound) and whether the peer is a
// mesh workload (mTLS with identity lookup) or a non-mesh endpoint.
message TransportSocket {
  // name of the transport socket
  string name = 1;
  // connection_tls selects exactly one TLS mode for this socket. Setting one
  // member clears the others; readers should dispatch on the oneof case.
  oneof connection_tls {
    // inbound_mesh is for incoming connections FROM the mesh.
    InboundMeshMTLS inbound_mesh = 2;
    // outbound_mesh is for outbound connections TO mesh destinations.
    OutboundMeshMTLS outbound_mesh = 3;
    // inbound_non_mesh is for incoming connections FROM non mesh.
    InboundNonMeshTLS inbound_non_mesh = 4;
    // outbound_non_mesh is for outbound connections TO non mesh destinations.
    OutboundNonMeshTLS outbound_non_mesh = 5;
  }
  // tls_parameters can override any top level tls parameters that are configured.
  TLSParameters tls_parameters = 6;
  // alpn_protocols lists the ALPN protocol names for this socket; presumably
  // they are offered to the peer during the TLS handshake — confirm against
  // the proxy translation that consumes this message.
  repeated string alpn_protocols = 7;
}

// InboundMeshMTLS configures mutual TLS for connections arriving from other
// mesh workloads.
message InboundMeshMTLS {
  // identity_key is UUID key to use to look up the leaf certificate in ProxyState to present for incoming connections.
  string identity_key = 1;
  // validation_context has what is needed to validate incoming connections.
  MeshInboundValidationContext validation_context = 2;
}

// OutboundMeshMTLS configures mutual TLS for connections made to other mesh
// workloads.
message OutboundMeshMTLS {
  // identity_key is UUID key to use to look up the leaf certificate in ProxyState when connecting to destinations.
  string identity_key = 1;
  // validation_context has what is needed to validate the destination.
  MeshOutboundValidationContext validation_context = 2;
  // sni to use when connecting to the destination.
  string sni = 3;
}

// InboundNonMeshTLS configures server-side TLS for connections arriving from
// outside the mesh. No validation context is present here, so client
// certificates are not validated by this message.
message InboundNonMeshTLS {
  // identity is the reference to the leaf certificate to present for incoming connections.
  oneof identity {
    // leaf_key is the UUID key to use to look up the leaf certificate in the ProxyState leaf certificate map.
    string leaf_key = 1;
    // sds refers to certificates retrieved via Envoy SDS.
    SDSCertificate sds = 2;
  }
}

// OutboundNonMeshTLS configures client-side TLS for connections made to
// non-mesh destinations, using certificate material read from files.
message OutboundNonMeshTLS {
  // cert_file is a filename for a certificate to present for outbound connections.
  string cert_file = 1;
  // key_file is a filename for a key for outbound connections. The file holds
  // private key material; only its path travels in this message.
  string key_file = 2;
  // validation_context has what is needed to validate the destination.
  NonMeshOutboundValidationContext validation_context = 3;
}

// MeshInboundValidationContext names the trust bundles used to validate
// client certificates on inbound mesh connections.
message MeshInboundValidationContext {
  // trust_bundle_peer_name_keys is which trust bundles to use for validating incoming connections. If this workload is exported
  // to peers, the incoming connection could be from a different peer, requiring that trust bundle to validate the
  // connection. These could be local or peered trust bundles. This will be a key in the trust bundle map.
  repeated string trust_bundle_peer_name_keys = 1;
}

// MeshOutboundValidationContext names the trust bundle and the expected
// SPIFFE identities used to validate a mesh destination.
message MeshOutboundValidationContext {
  // trust_bundle_peer_name_key is which trust bundle to use for the destination. It could be the local or a peer's trust bundle.
  // This will be a key in the trust bundle map.
  string trust_bundle_peer_name_key = 1;
  // spiffe_ids is one or more spiffe IDs to validate. Presumably the
  // destination's certificate must present one of them — confirm against the
  // proxy translation.
  repeated string spiffe_ids = 2;
}

// NonMeshOutboundValidationContext holds the CA used to validate a non-mesh
// destination.
message NonMeshOutboundValidationContext {
  // ca_file is a filename for a ca for outbound connections to validate the destination.
  string ca_file = 1;
}

// SDSCertificate identifies a certificate fetched through Envoy SDS rather
// than embedded in ProxyState.
message SDSCertificate {
  // cluster_name presumably names the Envoy cluster that serves the SDS API
  // — confirm against the proxy translation.
  string cluster_name = 1;
  // cert_resource presumably is the SDS resource name requested from that
  // cluster — confirm against the proxy translation.
  string cert_resource = 2;
}

// TLSParameters bounds the protocol versions and cipher suites a socket may
// negotiate. It is used both as a proxy-wide default (see TLS) and as a
// per-socket override (see TransportSocket.tls_parameters).
message TLSParameters {
  // min_version is the lowest TLS version allowed. TLS_VERSION_AUTO is the
  // zero value and so is what an unset field reads as; its exact meaning is
  // decided by the consumer of this message. TLS_VERSION_1_0 and
  // TLS_VERSION_1_1 are deprecated by RFC 8996; prefer TLS_VERSION_1_2 or
  // higher as a minimum.
  TLSVersion min_version = 1;
  // max_version is the highest TLS version allowed; same zero-value note as
  // min_version.
  TLSVersion max_version = 2;
  // cipher_suites restricts the TLS 1.2 cipher suites that may be negotiated.
  // An empty list has no presence in proto3 and presumably leaves the choice
  // to the proxy defaults — confirm. Only the ECDHE_* suites provide forward
  // secrecy; the suites without a key-exchange prefix use static RSA key
  // exchange.
  repeated TLSCipherSuite cipher_suites = 3;
}

// LeafCertificate is a certificate/private-key pair presented by the proxy.
// NOTE(review): the encoding is not stated here — presumably PEM; confirm.
message LeafCertificate {
  // cert is the certificate to present.
  string cert = 1;
  // key is the private key matching cert. This is secret material; keep it
  // out of logs, debug dumps and error messages.
  string key = 2;
}

// TrustBundle is the set of root certificates for one trust domain; values of
// this type presumably populate the "trust bundle map" referenced by the
// validation contexts above — confirm.
message TrustBundle {
  // trust_domain is the trust domain these roots are authoritative for.
  string trust_domain = 1;
  // roots are the root CA certificates for trust_domain; encoding not stated
  // here — presumably PEM, confirm.
  repeated string roots = 2;
}

// TLSVersion enumerates the TLS protocol versions selectable in
// TLSParameters. The zero value is TLS_VERSION_AUTO rather than an
// *_UNSPECIFIED value (see the buf lint ignore below); changing that would
// alter the meaning of every message that leaves min_version/max_version
// unset, so it must stay.
// +kubebuilder:validation:Enum=TLS_VERSION_AUTO;TLS_VERSION_1_0;TLS_VERSION_1_1;TLS_VERSION_1_2;TLS_VERSION_1_3;TLS_VERSION_INVALID;TLS_VERSION_UNSPECIFIED
// +kubebuilder:validation:Type=string
enum TLSVersion {
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  TLS_VERSION_AUTO = 0;
  // TLS_VERSION_1_0 — deprecated by RFC 8996.
  TLS_VERSION_1_0 = 1;
  // TLS_VERSION_1_1 — deprecated by RFC 8996.
  TLS_VERSION_1_1 = 2;
  TLS_VERSION_1_2 = 3;
  TLS_VERSION_1_3 = 4;
  // TLS_VERSION_INVALID and TLS_VERSION_UNSPECIFIED: their distinction from
  // TLS_VERSION_AUTO is not defined in this file — confirm against the
  // consumer before relying on either.
  TLS_VERSION_INVALID = 5;
  TLS_VERSION_UNSPECIFIED = 6;
}

// TLSCipherSuite enumerates the TLS 1.2 cipher suites selectable in
// TLSParameters.cipher_suites. The zero value is a real suite
// (ECDHE_ECDSA_AES128_GCM_SHA256), not an *_UNSPECIFIED value; as with
// TLSVersion this is part of the wire contract and must not be renumbered.
// Suites prefixed ECDHE_ use ephemeral key exchange and give forward secrecy;
// the unprefixed AES* suites use static RSA key exchange and do not.
// +kubebuilder:validation:Enum=TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256;TLS_CIPHER_SUITE_AES256_SHA;TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305;TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256;TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305;TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA;TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA;TLS_CIPHER_SUITE_AES128_GCM_SHA256;TLS_CIPHER_SUITE_AES128_SHA;TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384;TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384;TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA;TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA;TLS_CIPHER_SUITE_AES256_GCM_SHA384
// +kubebuilder:validation:Type=string
enum TLSCipherSuite {
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_GCM_SHA256 = 0;
  TLS_CIPHER_SUITE_ECDHE_ECDSA_CHACHA20_POLY1305 = 1;
  TLS_CIPHER_SUITE_ECDHE_RSA_AES128_GCM_SHA256 = 2;
  TLS_CIPHER_SUITE_ECDHE_RSA_CHACHA20_POLY1305 = 3;
  // CBC/SHA-1 suites below are retained for interoperability; prefer the
  // AEAD (GCM / CHACHA20_POLY1305) suites where the peer supports them.
  TLS_CIPHER_SUITE_ECDHE_ECDSA_AES128_SHA = 4;
  TLS_CIPHER_SUITE_ECDHE_RSA_AES128_SHA = 5;
  TLS_CIPHER_SUITE_AES128_GCM_SHA256 = 6;
  TLS_CIPHER_SUITE_AES128_SHA = 7;
  TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_GCM_SHA384 = 8;
  TLS_CIPHER_SUITE_ECDHE_RSA_AES256_GCM_SHA384 = 9;
  TLS_CIPHER_SUITE_ECDHE_ECDSA_AES256_SHA = 10;
  TLS_CIPHER_SUITE_ECDHE_RSA_AES256_SHA = 11;
  TLS_CIPHER_SUITE_AES256_GCM_SHA384 = 12;
  TLS_CIPHER_SUITE_AES256_SHA = 13;
}