mirror of https://github.com/status-im/consul.git
65 lines
1.7 KiB
Protocol Buffer
65 lines
1.7 KiB
Protocol Buffer
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
syntax = "proto3";
|
|
|
|
package hashicorp.consul.mesh.v2beta1.pbproxystate;
|
|
|
|
message TrafficPermissions {
|
|
repeated Permission allow_permissions = 1;
|
|
repeated Permission deny_permissions = 2;
|
|
// default_allow determines if the workload is in default allow mode. This is determined
|
|
// by combining the cluster's default allow setting with the is_default property on
|
|
// computed traffic permissions.
|
|
bool default_allow = 4;
|
|
}
|
|
|
|
message Permission {
|
|
repeated Principal principals = 1;
|
|
|
|
// In the case of multiple ports, the sidecar proxy controller is responsible for filtering
|
|
// per-port permissions.
|
|
repeated DestinationRule destination_rules = 2;
|
|
}
|
|
|
|
message Principal {
|
|
Spiffe spiffe = 1;
|
|
repeated Spiffe exclude_spiffes = 2;
|
|
}
|
|
|
|
message Spiffe {
|
|
// regex is the regular expression for matching spiffe ids.
|
|
string regex = 1;
|
|
|
|
// xfcc_regex specifies that Envoy needs to find the spiffe id in an xfcc header.
|
|
// It is currently unused, but considering this is important for to avoid breaking changes.
|
|
string xfcc_regex = 2;
|
|
}
|
|
|
|
message DestinationRule {
|
|
string path_exact = 1;
|
|
string path_prefix = 2;
|
|
string path_regex = 3;
|
|
repeated string methods = 4;
|
|
repeated DestinationRuleHeader destination_rule_header = 5;
|
|
repeated ExcludePermissionRule exclude = 6;
|
|
}
|
|
|
|
message DestinationRuleHeader {
|
|
string name = 1;
|
|
bool present = 2;
|
|
string exact = 3;
|
|
string prefix = 4;
|
|
string suffix = 5;
|
|
string regex = 6;
|
|
bool invert = 7;
|
|
}
|
|
|
|
message ExcludePermissionRule {
|
|
string path_exact = 1;
|
|
string path_prefix = 2;
|
|
string path_regex = 3;
|
|
repeated string methods = 4;
|
|
repeated DestinationRuleHeader headers = 5;
|
|
}
|