mirror of
https://github.com/status-im/consul.git
synced 2025-01-09 21:35:52 +00:00
202090e5d5
* workload identity boilerplate * notes from discussion with Iryna * WIP traffic permissions controller poc * workload identity, traffic permissions validation, errors, types * traffic permissions mapper framing, traffic permissions controller updates. * more roughing out of the controller * cleanup * controller and mapper logic * tests * refactor mapper logic, add tests * clean up tenancy and integration test stubs * consolidate mapping * cleanup cache leak, revert bimapper changes * address review comments * test fix and rebase * use resource helper --------- Co-authored-by: John Landa <john.landa@hashicorp.com>
132 lines
4.2 KiB
Protocol Buffer
132 lines
4.2 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package hashicorp.consul.auth.v2beta1;
|
|
|
|
import "pbresource/annotations.proto";
|
|
|
|
message TrafficPermissions {
|
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
|
|
|
|
// destination is a configuration of the destination proxies
|
|
// where these traffic permissions should apply.
|
|
Destination destination = 1;
|
|
|
|
// Action can be either allow or deny for the entire object. It will default to allow.
|
|
//
|
|
// If action is allow,
|
|
// we will allow the connection if one of the rules in Rules matches, in other words, we will deny
|
|
// all requests except for the ones that match Rules. If Consul is in default allow mode, then allow
|
|
// actions have no effect without a deny permission as everything is allowed by default.
|
|
//
|
|
// If action is deny,
|
|
// we will deny the connection if one of the rules in Rules match, in other words,
|
|
// we will allow all requests except for the ones that match Rules. If Consul is default deny mode,
|
|
// then deny permissions have no effect without an allow permission as everything is denied by default.
|
|
//
|
|
// Action unspecified is reserved for compatibility with the addition of future actions.
|
|
Action action = 2;
|
|
|
|
// permissions is a list of permissions to match on.
|
|
// They are applied using OR semantics.
|
|
repeated Permission permissions = 3;
|
|
}
|
|
|
|
message NamespaceTrafficPermissions {
|
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
|
|
|
|
Action action = 1;
|
|
repeated Permission permissions = 2;
|
|
}
|
|
|
|
message PartitionTrafficPermissions {
|
|
option (hashicorp.consul.resource.spec) = {scope: SCOPE_PARTITION};
|
|
|
|
Action action = 1;
|
|
repeated Permission permissions = 2;
|
|
}
|
|
|
|
// Destination contains the name or name-prefix of the WorkloadIdentity.
|
|
// The WorkloadIdentity resource must
|
|
// be in the same tenancy as the TrafficPermissions resource.
|
|
message Destination {
|
|
string identity_name = 1;
|
|
}
|
|
|
|
enum Action {
|
|
ACTION_UNSPECIFIED = 0;
|
|
ACTION_DENY = 1;
|
|
ACTION_ALLOW = 2;
|
|
}
|
|
|
|
// permissions is a list of permissions to match on.
|
|
message Permission {
|
|
// sources is a list of sources in this traffic permission.
|
|
repeated Source sources = 1;
|
|
// destination_rules is a list of rules to apply for matching sources in this Permission.
|
|
// These rules are specific to the request or connection that is going to the destination(s)
|
|
// selected by the TrafficPermissions resource.
|
|
repeated DestinationRule destination_rules = 2;
|
|
}
|
|
|
|
// Source represents the source identity.
|
|
// To specify any of the wildcard sources, the specific fields need to be omitted.
|
|
// For example, for a wildcard namespace, identity_name should be omitted.
|
|
message Source {
|
|
string identity_name = 1;
|
|
string namespace = 2;
|
|
string partition = 3;
|
|
string peer = 4;
|
|
string sameness_group = 5;
|
|
|
|
// exclude is a list of sources to exclude from this source.
|
|
repeated ExcludeSource exclude = 6;
|
|
}
|
|
|
|
// ExcludeSource is almost the same as source but it prevents the addition of
|
|
// matchiing sources.
|
|
message ExcludeSource {
|
|
string identity_name = 1;
|
|
string namespace = 2;
|
|
string partition = 3;
|
|
string peer = 4;
|
|
string sameness_group = 5;
|
|
}
|
|
|
|
// DestinationRule contains rules rules to apply to the incoming connection.
|
|
message DestinationRule {
|
|
string path_exact = 1;
|
|
string path_prefix = 2;
|
|
string path_regex = 3;
|
|
// methods is the list of HTTP methods. If no methods are specified,
|
|
// this rule will apply to all methods.
|
|
repeated string methods = 4;
|
|
DestinationRuleHeader header = 5;
|
|
repeated string port_names = 6;
|
|
// exclude contains a list of rules to exclude when evaluating rules for the incoming connection.
|
|
repeated ExcludePermissionRule exclude = 7;
|
|
}
|
|
|
|
message ExcludePermissionRule {
|
|
string path_exact = 1;
|
|
string path_prefix = 2;
|
|
string path_regex = 3;
|
|
// methods is the list of HTTP methods.
|
|
repeated string methods = 4;
|
|
|
|
DestinationRuleHeader header = 5;
|
|
|
|
// port_names is a list of workload ports to apply this rule to. The ports specified here
|
|
// must be the ports used in the connection.
|
|
repeated string port_names = 6;
|
|
}
|
|
|
|
message DestinationRuleHeader {
|
|
string name = 1;
|
|
bool present = 2;
|
|
string exact = 3;
|
|
string prefix = 4;
|
|
string suffix = 5;
|
|
string regex = 6;
|
|
bool invert = 7;
|
|
}
|