mirror of
https://github.com/status-im/consul.git
synced 2025-01-25 21:19:12 +00:00
37ccbd2826
This is the OSS portion of enterprise PR 2141. This commit provides a server-local implementation of the `proxycfg.Intentions` interface that sources data from streaming events. It adds events for the `service-intentions` config entry type, and then consumes event streams (via materialized views) for the service's explicit intentions and any applicable wildcard intentions, merging them into a single list of intentions. An alternative approach I considered was to consume _all_ intention events (via `SubjectWildcard`) and filter out the irrelevant ones. This would admittedly remove some complexity in the `agent/proxycfg-glue` package but at the expense of considerable overhead from waking potentially many thousands of connect proxies every time any intention is updated.
366 lines
9.3 KiB
Protocol Buffer
366 lines
9.3 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
import "proto/pbcommon/common.proto";
|
|
import "google/protobuf/duration.proto";
|
|
import "google/protobuf/timestamp.proto";
|
|
|
|
package configentry;
|
|
|
|
enum Kind {
|
|
KindUnknown = 0;
|
|
KindMeshConfig = 1;
|
|
KindServiceResolver = 2;
|
|
KindIngressGateway = 3;
|
|
KindServiceIntentions = 4;
|
|
}
|
|
|
|
message ConfigEntry {
|
|
Kind Kind = 1;
|
|
string Name = 2;
|
|
|
|
common.EnterpriseMeta EnterpriseMeta = 3;
|
|
common.RaftIndex RaftIndex = 4;
|
|
|
|
oneof Entry {
|
|
MeshConfig MeshConfig = 5;
|
|
ServiceResolver ServiceResolver = 6;
|
|
IngressGateway IngressGateway = 7;
|
|
ServiceIntentions ServiceIntentions = 8;
|
|
}
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshConfigEntry
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
// ignore-fields=RaftIndex,EnterpriseMeta
|
|
message MeshConfig {
|
|
TransparentProxyMeshConfig TransparentProxy = 1;
|
|
MeshTLSConfig TLS = 2;
|
|
MeshHTTPConfig HTTP = 3;
|
|
map<string, string> Meta = 4;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.TransparentProxyMeshConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message TransparentProxyMeshConfig {
|
|
bool MeshDestinationsOnly = 1;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshTLSConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message MeshTLSConfig {
|
|
MeshDirectionalTLSConfig Incoming = 1;
|
|
MeshDirectionalTLSConfig Outgoing = 2;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshDirectionalTLSConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message MeshDirectionalTLSConfig {
|
|
// mog: func-from=tlsVersionFromStructs func-to=tlsVersionToStructs
|
|
string TLSMinVersion = 1;
|
|
// mog: func-from=tlsVersionFromStructs func-to=tlsVersionToStructs
|
|
string TLSMaxVersion = 2;
|
|
// mog: func-from=cipherSuitesFromStructs func-to=cipherSuitesToStructs
|
|
repeated string CipherSuites = 3;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshHTTPConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message MeshHTTPConfig {
|
|
bool SanitizeXForwardedClientCert = 1;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverConfigEntry
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
// ignore-fields=Kind,Name,RaftIndex,EnterpriseMeta
|
|
message ServiceResolver {
|
|
string DefaultSubset = 1;
|
|
map<string, ServiceResolverSubset> Subsets = 2;
|
|
ServiceResolverRedirect Redirect = 3;
|
|
map<string, ServiceResolverFailover> Failover = 4;
|
|
// mog: func-to=structs.DurationFromProto func-from=structs.DurationToProto
|
|
google.protobuf.Duration ConnectTimeout = 5;
|
|
LoadBalancer LoadBalancer = 6;
|
|
map<string, string> Meta = 7;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverSubset
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message ServiceResolverSubset {
|
|
string Filter = 1;
|
|
bool OnlyPassing = 2;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverRedirect
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message ServiceResolverRedirect {
|
|
string Service = 1;
|
|
string ServiceSubset = 2;
|
|
string Namespace = 3;
|
|
string Partition = 4;
|
|
string Datacenter = 5;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceResolverFailover
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message ServiceResolverFailover {
|
|
string Service = 1;
|
|
string ServiceSubset = 2;
|
|
string Namespace = 3;
|
|
repeated string Datacenters = 4;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.LoadBalancer
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message LoadBalancer {
|
|
string Policy = 1;
|
|
RingHashConfig RingHashConfig = 2;
|
|
LeastRequestConfig LeastRequestConfig = 3;
|
|
repeated HashPolicy HashPolicies = 4;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.RingHashConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message RingHashConfig {
|
|
uint64 MinimumRingSize = 1;
|
|
uint64 MaximumRingSize = 2;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.LeastRequestConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message LeastRequestConfig {
|
|
uint32 ChoiceCount = 1;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.HashPolicy
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message HashPolicy {
|
|
string Field = 1;
|
|
string FieldValue = 2;
|
|
CookieConfig CookieConfig = 3;
|
|
bool SourceIP = 4;
|
|
bool Terminal = 5;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.CookieConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message CookieConfig {
|
|
bool Session = 1;
|
|
// mog: func-to=structs.DurationFromProto func-from=structs.DurationToProto
|
|
google.protobuf.Duration TTL = 2;
|
|
string Path = 3;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.IngressGatewayConfigEntry
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
// ignore-fields=Kind,Name,RaftIndex,EnterpriseMeta
|
|
message IngressGateway {
|
|
GatewayTLSConfig TLS = 1;
|
|
repeated IngressListener Listeners = 2;
|
|
map<string, string> Meta = 3;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.GatewayTLSConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message GatewayTLSConfig {
|
|
bool Enabled = 1;
|
|
GatewayTLSSDSConfig SDS = 2;
|
|
// mog: func-from=tlsVersionFromStructs func-to=tlsVersionToStructs
|
|
string TLSMinVersion = 3;
|
|
// mog: func-from=tlsVersionFromStructs func-to=tlsVersionToStructs
|
|
string TLSMaxVersion = 4;
|
|
// mog: func-from=cipherSuitesFromStructs func-to=cipherSuitesToStructs
|
|
repeated string CipherSuites = 5;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.GatewayTLSSDSConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message GatewayTLSSDSConfig {
|
|
string ClusterName = 1;
|
|
string CertResource = 2;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.IngressListener
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message IngressListener {
|
|
// mog: func-to=int func-from=int32
|
|
int32 Port = 1;
|
|
string Protocol = 2;
|
|
repeated IngressService Services = 3;
|
|
GatewayTLSConfig TLS = 4;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.IngressService
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message IngressService {
|
|
string Name = 1;
|
|
repeated string Hosts = 2;
|
|
GatewayServiceTLSConfig TLS = 3;
|
|
HTTPHeaderModifiers RequestHeaders = 4;
|
|
HTTPHeaderModifiers ResponseHeaders = 5;
|
|
map<string, string> Meta = 6;
|
|
// mog: func-to=enterpriseMetaToStructs func-from=enterpriseMetaFromStructs
|
|
common.EnterpriseMeta EnterpriseMeta = 7;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.GatewayServiceTLSConfig
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message GatewayServiceTLSConfig {
|
|
GatewayTLSSDSConfig SDS = 1;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.HTTPHeaderModifiers
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message HTTPHeaderModifiers {
|
|
map<string, string> Add = 1;
|
|
map<string, string> Set = 2;
|
|
repeated string Remove = 3;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceIntentionsConfigEntry
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
// ignore-fields=Kind,Name,RaftIndex,EnterpriseMeta
|
|
message ServiceIntentions {
|
|
repeated SourceIntention Sources = 1;
|
|
map<string, string> Meta = 2;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.SourceIntention
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message SourceIntention {
|
|
string Name = 1;
|
|
// mog: func-to=intentionActionToStructs func-from=intentionActionFromStructs
|
|
IntentionAction Action = 2;
|
|
repeated IntentionPermission Permissions = 3;
|
|
// mog: func-to=int func-from=int32
|
|
int32 Precedence = 4;
|
|
string LegacyID = 5;
|
|
// mog: func-to=intentionSourceTypeToStructs func-from=intentionSourceTypeFromStructs
|
|
IntentionSourceType Type = 6;
|
|
string Description = 7;
|
|
map<string, string> LegacyMeta = 8;
|
|
// mog: func-to=timeToStructs func-from=timeFromStructs
|
|
google.protobuf.Timestamp LegacyCreateTime = 9;
|
|
// mog: func-to=timeToStructs func-from=timeFromStructs
|
|
google.protobuf.Timestamp LegacyUpdateTime = 10;
|
|
// mog: func-to=enterpriseMetaToStructs func-from=enterpriseMetaFromStructs
|
|
common.EnterpriseMeta EnterpriseMeta = 11;
|
|
string Peer = 12;
|
|
}
|
|
|
|
enum IntentionAction {
|
|
Deny = 0;
|
|
Allow = 1;
|
|
}
|
|
|
|
enum IntentionSourceType {
|
|
Consul = 0;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.IntentionPermission
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message IntentionPermission {
|
|
// mog: func-to=intentionActionToStructs func-from=intentionActionFromStructs
|
|
IntentionAction Action = 1;
|
|
IntentionHTTPPermission HTTP = 2;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.IntentionHTTPPermission
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message IntentionHTTPPermission {
|
|
string PathExact = 1;
|
|
string PathPrefix = 2;
|
|
string PathRegex = 3;
|
|
repeated IntentionHTTPHeaderPermission Header = 4;
|
|
repeated string Methods = 5;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.IntentionHTTPHeaderPermission
|
|
// output=config_entry.gen.go
|
|
// name=Structs
|
|
message IntentionHTTPHeaderPermission {
|
|
string Name = 1;
|
|
bool Present = 2;
|
|
string Exact = 3;
|
|
string Prefix = 4;
|
|
string Suffix = 5;
|
|
string Regex = 6;
|
|
bool Invert = 7;
|
|
}
|