consul/proto-public/pbmesh/v2beta1/proxy_configuration.proto


// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package hashicorp.consul.mesh.v2beta1;
import "google/protobuf/struct.proto";
import "pbcatalog/v2beta1/selector.proto";
import "pbmesh/v2beta1/connection.proto";
import "pbmesh/v2beta1/expose.proto";
import "pbmesh/v2beta1/routing.proto";
import "pbresource/annotations.proto";
// ProxyConfiguration carries proxy settings for a selected set of workloads.
// It is namespace-scoped, per the resource.spec option below.
// This is a Resource type.
message ProxyConfiguration {
  option (hashicorp.consul.resource.spec) = {scope: SCOPE_NAMESPACE};
  // Selection of workloads this proxy configuration should apply to.
  // These can be prefixes or specific workload names.
  // NOTE(review): a prefix presumably also matches workloads registered later,
  // so a broad prefix widens who receives this configuration - confirm.
  hashicorp.consul.catalog.v2beta1.WorkloadSelector workloads = 1;
  // dynamic_config is the configuration that could be changed
  // dynamically (i.e. without needing restart).
  DynamicConfig dynamic_config = 2;
  // bootstrap_config is the configuration that requires proxies
  // to be restarted to be applied.
  BootstrapConfig bootstrap_config = 3;
  // deprecated: prevent usage when using v2 APIs directly.
  // needed for backwards compatibility
  // NOTE(review): this is an untyped Struct, and the kubebuilder markers below
  // turn off schema generation and unknown-field pruning for it, so whatever
  // reads it presumably has to validate the contents itself - confirm.
  //
  // +kubebuilder:validation:Type=object
  // +kubebuilder:validation:Schemaless
  // +kubebuilder:pruning:PreserveUnknownFields
  google.protobuf.Struct opaque_config = 4 [deprecated = true];
}
// DynamicConfig holds the proxy settings referenced by
// ProxyConfiguration.dynamic_config, i.e. those that can change without a
// proxy restart.
message DynamicConfig {
  // mode indicates the proxy's mode. This will default to 'transparent'.
  ProxyMode mode = 1;
  // transparent_proxy holds the transparent-proxy settings.
  // NOTE(review): presumably only consulted when mode is transparent - confirm.
  TransparentProxy transparent_proxy = 2;
  // mutual_tls_mode selects the mutual TLS mode (see MutualTLSMode).
  // NOTE(review): security-relevant; changes to this field are worth auditing.
  MutualTLSMode mutual_tls_mode = 3;
  // local_connection is the configuration that should be used
  // to connect to the local application provided per-port.
  // The map keys should correspond to port names on the workload.
  map<string, ConnectionConfig> local_connection = 4;
  // inbound_connections configures inbound connections to the proxy.
  InboundConnectionsConfig inbound_connections = 5;
  // mesh_gateway_mode selects the mesh gateway mode; MeshGatewayMode is not
  // defined in this file.
  MeshGatewayMode mesh_gateway_mode = 6;
  // expose_config is the expose configuration; ExposeConfig is not defined in
  // this file.
  ExposeConfig expose_config = 7;
  // AccessLogs configures the output and format of Envoy access logs
  AccessLogsConfig access_logs = 8;
  // The three *_json fields below are plain strings with no schema here.
  // NOTE(review): the names suggest raw Envoy JSON that overrides generated
  // listener, tracing and cluster configuration; if so, write access to this
  // resource is effectively control over the proxy's Envoy config, and the
  // content needs validation by the consumer - confirm.
  string public_listener_json = 9;
  string listener_tracing_json = 10;
  string local_cluster_json = 11;
  // deprecated:
  // local_workload_address, local_workload_port, and local_workload_socket_path
  // are deprecated and are only needed for migration of existing resources.
  string local_workload_address = 12 [deprecated = true];
  uint32 local_workload_port = 13 [deprecated = true];
  string local_workload_socket_path = 14 [deprecated = true];
}
// TransparentProxy holds the settings referenced by
// DynamicConfig.transparent_proxy.
message TransparentProxy {
  // outbound_listener_port is the port for the proxy's outbound listener.
  // This defaults to 15001.
  // NOTE(review): declared as uint32, so the schema itself does not limit the
  // value to the valid port range; range checking must happen elsewhere.
  uint32 outbound_listener_port = 1;
  // dialed_directly indicates whether this proxy should be dialed using original destination IP
  // in the connection rather than load balance between all endpoints.
  bool dialed_directly = 2;
}
// BootstrapConfig is equivalent to configuration defined
// in our docs.
// It is referenced by ProxyConfiguration.bootstrap_config, whose comment says
// these settings require a proxy restart to be applied.
// Every field here is a free-form string (or list of strings); this schema
// puts no constraint on the contents.
message BootstrapConfig {
  // NOTE(review): presumably the addresses of statsd / dogstatsd sinks that
  // metrics are sent to - confirm against the docs.
  string statsd_url = 1;
  string dogstatsd_url = 2;
  repeated string stats_tags = 3;
  // NOTE(review): the *_bind_addr fields presumably open listeners for
  // metrics, stats and readiness; a non-loopback address would expose those
  // endpoints to the network, so review the values - confirm.
  string prometheus_bind_addr = 4;
  string stats_bind_addr = 5;
  string ready_bind_addr = 6;
  // NOTE(review): the names of the *_json / *_tpl fields suggest raw Envoy
  // bootstrap content (a whole-template override, static clusters and
  // listeners, stats and tracing config). If so, they bypass the typed fields
  // of this schema, and whoever can write this resource can shape the proxy
  // bootstrap - confirm and restrict write access accordingly.
  string override_json_tpl = 7;
  string static_clusters_json = 8;
  string static_listeners_json = 9;
  string stats_sinks_json = 10;
  string stats_config_json = 11;
  // NOTE(review): a string rather than google.protobuf.Duration; the expected
  // format is not visible here - confirm.
  string stats_flush_interval = 12;
  string tracing_config_json = 13;
  // NOTE(review): presumably a directory for a unix socket used by the
  // telemetry collector; directory permissions would matter - confirm.
  string telemetry_collector_bind_socket_dir = 14;
}
// ProxyMode is the proxy's mode, used by DynamicConfig.mode.
// The kubebuilder markers below restrict the generated CRD field to the three
// value names as strings.
// +kubebuilder:validation:Enum=PROXY_MODE_DEFAULT;PROXY_MODE_TRANSPARENT;PROXY_MODE_DIRECT
// +kubebuilder:validation:Type=string
enum ProxyMode {
  // ProxyModeDefault represents no specific mode and should
  // be used to indicate that a different layer of the configuration
  // chain should take precedence
  // This is the zero value, so an unset field reads as this value.
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  PROXY_MODE_DEFAULT = 0;
  // ProxyModeTransparent represents that inbound and outbound application
  // traffic is being captured and redirected through the proxy.
  PROXY_MODE_TRANSPARENT = 1;
  // ProxyModeDirect represents that the proxy's listeners must be dialed directly
  // by the local application and other proxies.
  PROXY_MODE_DIRECT = 2;
}
// AccessLogsConfig contains the associated default settings for all Envoy
// instances within the datacenter or partition
message AccessLogsConfig {
  // Enabled controls whether access logging is on.
  // NOTE(review): the previous wording said "turns off all access logging",
  // which contradicts the field name; presumably true turns logging on -
  // confirm. An unset field reads as false.
  bool enabled = 1;
  // DisableListenerLogs turns off just listener logs for connections rejected by Envoy because they don't
  // have a matching listener filter.
  // NOTE(review): these entries record rejected connections, so turning them
  // off removes a detection signal.
  bool disable_listener_logs = 2;
  // Type selects the output for logs: "file", "stderr", "stdout"
  // (see LogSinkType).
  LogSinkType type = 3;
  // Path is the output file to write logs
  // NOTE(review): presumably only used with LOG_SINK_TYPE_FILE; the schema
  // accepts any string, so path validation must happen elsewhere - confirm.
  string path = 4;
  // The presence of one format string or the other implies the access log string encoding.
  // Defining both is invalid.
  // This schema declares them as two independent fields, not a oneof, so the
  // "not both" rule has to be enforced by validation outside this file.
  string json_format = 5;
  string text_format = 6;
}
// LogSinkType is the output selected by AccessLogsConfig.type.
// The kubebuilder markers below restrict the generated CRD field to the four
// value names as strings.
// +kubebuilder:validation:Enum=LOG_SINK_TYPE_DEFAULT;LOG_SINK_TYPE_FILE;LOG_SINK_TYPE_STDERR;LOG_SINK_TYPE_STDOUT
// +kubebuilder:validation:Type=string
enum LogSinkType {
  // Zero value; an unset field reads as this value.
  // NOTE(review): which sink "default" resolves to is not visible here.
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  LOG_SINK_TYPE_DEFAULT = 0;
  // Logs go to a file (see AccessLogsConfig.path).
  LOG_SINK_TYPE_FILE = 1;
  // Logs go to stderr.
  LOG_SINK_TYPE_STDERR = 2;
  // Logs go to stdout.
  LOG_SINK_TYPE_STDOUT = 3;
}
// EnvoyExtension has configuration for an extension that patches Envoy resources.
message EnvoyExtension {
  // name identifies the extension.
  string name = 1;
  // NOTE(review): presumably decides whether a failure to apply the extension
  // is treated as an error; if the extension enforces a security control, the
  // non-required case may fail open - confirm.
  bool required = 2;
  // arguments is the extension's untyped argument object. The kubebuilder
  // markers below turn off schema generation and unknown-field pruning for it,
  // so the contents presumably have to be validated by the extension itself.
  // +kubebuilder:validation:Type=object
  // +kubebuilder:validation:Schemaless
  // +kubebuilder:pruning:PreserveUnknownFields
  google.protobuf.Struct arguments = 3;
  // NOTE(review): consul_version and envoy_version are presumably version
  // constraints for when the extension applies; the format is not visible
  // here - confirm.
  string consul_version = 4;
  string envoy_version = 5;
}
// MutualTLSMode is the mutual TLS mode selected by
// DynamicConfig.mutual_tls_mode.
// The kubebuilder markers below restrict the generated CRD field to the three
// value names as strings.
// +kubebuilder:validation:Enum=MUTUAL_TLS_MODE_DEFAULT;MUTUAL_TLS_MODE_STRICT;MUTUAL_TLS_MODE_PERMISSIVE
// +kubebuilder:validation:Type=string
enum MutualTLSMode {
  // Zero value; an unset field reads as this value.
  // NOTE(review): which mode "default" resolves to is not visible here -
  // confirm that it does not resolve to permissive.
  // buf:lint:ignore ENUM_ZERO_VALUE_SUFFIX
  MUTUAL_TLS_MODE_DEFAULT = 0;
  // NOTE(review): presumably only mutual-TLS connections are accepted - confirm.
  MUTUAL_TLS_MODE_STRICT = 1;
  // NOTE(review): presumably also accepts connections without mutual TLS,
  // which weakens peer authentication; treat a change to this value as
  // security-relevant and alert on it - confirm.
  MUTUAL_TLS_MODE_PERMISSIVE = 2;
}