// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: BUSL-1.1
syntax = "proto3";
package hashicorp.consul.mesh.v1alpha1.pbproxystate;
// L7TrafficPermissions carries no fields in this revision of the schema.
// NOTE(review): presumably a placeholder for L7 rules; confirm that
// consumers do not read an empty message as "allow everything".
message L7TrafficPermissions {}
// L4TrafficPermissions holds two lists of L4Permission entries: one list of
// allow rules and one list of deny rules.
// NOTE(review): this file does not define how the two lists are combined,
// nor what an empty pair means (default-allow vs. default-deny). Confirm
// both against the code that consumes this message before relying on it.
message L4TrafficPermissions {
  // Permission entries on the allow side.
  repeated L4Permission allow_permissions = 1;

  // Permission entries on the deny side.
  repeated L4Permission deny_permissions = 2;
}
// L4Permission is a single permission entry, expressed as a list of
// principals.
message L4Permission {
  // Principals covered by this permission.
  // NOTE(review): repeated fields have no presence, so an empty list and an
  // unset list are identical on the wire. Confirm the consumer does not
  // treat "no principals" as "every principal".
  repeated L4Principal principals = 1;

  // Destination rules are intentionally absent: they apply either to L7
  // features or to multi-port setups. With multiple ports, the sidecar proxy
  // controller is responsible for filtering per-port permissions.
}
// L4Principal maps into Source; it is converted to Source before Envoy
// resources are generated.
message L4Principal {
  // Pattern selecting the SPIFFE IDs this principal covers.
  // NOTE(review): presumably matched against the peer's SPIFFE ID; whether
  // the match is anchored is decided by the consumer, and an unanchored or
  // overly broad pattern covers more identities than intended. In proto3 an
  // empty string is indistinguishable from unset, so confirm that an empty
  // value is rejected rather than treated as match-all.
  string spiffe_regex = 1;

  // Patterns for SPIFFE IDs to exclude from this principal.
  // NOTE(review): precedence over spiffe_regex is not stated in this file;
  // confirm that exclusions are applied by the consumer.
  repeated string exclude_spiffe_regexes = 2;
}
// L7Principal pairs one Spiffe matcher with a list of Spiffe matchers to
// exclude.
message L7Principal {
  // Matcher for the SPIFFE IDs this principal covers.
  // Message fields have explicit presence, so the consumer can tell an unset
  // matcher from one whose patterns are empty.
  Spiffe spiffe = 1;

  // Matchers for SPIFFE IDs to exclude from this principal.
  // NOTE(review): precedence over `spiffe` is not stated in this file;
  // confirm against the consumer.
  repeated Spiffe exclude_spiffes = 2;
}
// Spiffe describes how a SPIFFE ID is matched.
message Spiffe {
  // Regular expression for matching SPIFFE IDs.
  // NOTE(review): anchoring is decided by the consumer; an unanchored
  // pattern can match more identities than intended. Confirm how an empty
  // value is handled.
  string regex = 1;

  // Tells Envoy to look for the SPIFFE ID in an XFCC header. Currently
  // unused; it is declared now so that adopting it later is not a breaking
  // change.
  // NOTE(review): an identity read from a request header is only as
  // trustworthy as the hop that set it. Before this field is wired up,
  // confirm that client-supplied XFCC headers are stripped or overwritten
  // at the trust boundary.
  string xfcc_regex = 2;
}