mirror of
https://github.com/status-im/consul.git
synced 2025-01-12 06:44:41 +00:00
77ecff3209
This implements permissive mTLS , which allows toggling services into "permissive" mTLS mode. Permissive mTLS mode allows incoming "non Consul-mTLS" traffic to be forward unmodified to the application. * Update service-defaults and proxy-defaults config entries with a MutualTLSMode field * Update the mesh config entry with an AllowEnablingPermissiveMutualTLS field and implement the necessary validation. AllowEnablingPermissiveMutualTLS must be true to allow changing to MutualTLSMode=permissive, but this does not require that all proxy-defaults and service-defaults are currently in strict mode. * Update xDS listener config to add a "permissive filter chain" when MutualTLSMode=permissive for a particular service. The permissive filter chain matches incoming traffic by the destination port. If the destination port matches the service port from the catalog, then no mTLS is required and the traffic sent is forwarded unmodified to the application.
334 lines
12 KiB
Protocol Buffer
334 lines
12 KiB
Protocol Buffer
// Copyright (c) HashiCorp, Inc.
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
syntax = "proto3";
|
|
|
|
package hashicorp.consul.internal.service;
|
|
|
|
import "google/protobuf/struct.proto";
|
|
import "private/pbcommon/common.proto";
|
|
import "private/pbservice/healthcheck.proto";
|
|
|
|
// ConnectProxyConfig describes the configuration needed for any proxy managed
|
|
// or unmanaged. It describes a single logical service's listener and optionally
|
|
// upstreams and sidecar-related config for a single instance. To describe a
|
|
// centralized proxy that routed traffic for multiple services, a different one
|
|
// of these would be needed for each, sharing the same LogicalProxyID.
|
|
//
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ConnectProxyConfig
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
// ignore-fields=MutualTLSMode
|
|
message ConnectProxyConfig {
|
|
// DestinationServiceName is required and is the name of the service to accept
|
|
// traffic for.
|
|
string DestinationServiceName = 1;
|
|
|
|
// DestinationServiceID is optional and should only be specified for
|
|
// "side-car" style proxies where the proxy is in front of just a single
|
|
// instance of the service. It should be set to the service ID of the instance
|
|
// being represented which must be registered to the same agent. It's valid to
|
|
// provide a service ID that does not yet exist to avoid timing issues when
|
|
// bootstrapping a service with a proxy.
|
|
string DestinationServiceID = 2;
|
|
|
|
// LocalServiceAddress is the address of the local service instance. It is
|
|
// optional and should only be specified for "side-car" style proxies. It will
|
|
// default to 127.0.0.1 if the proxy is a "side-car" (DestinationServiceID is
|
|
// set) but otherwise will be ignored.
|
|
string LocalServiceAddress = 3;
|
|
|
|
// LocalServicePort is the port of the local service instance. It is optional
|
|
// and should only be specified for "side-car" style proxies. It will default
|
|
// to the registered port for the instance if the proxy is a "side-car"
|
|
// (DestinationServiceID is set) but otherwise will be ignored.
|
|
// mog: func-to=int func-from=int32
|
|
int32 LocalServicePort = 4;
|
|
|
|
// Config is the arbitrary configuration data provided with the proxy
|
|
// registration.
|
|
// mog: func-to=ProtobufTypesStructToMapStringInterface func-from=MapStringInterfaceToProtobufTypesStruct
|
|
google.protobuf.Struct Config = 5;
|
|
|
|
// Upstreams describes any upstream dependencies the proxy instance should
|
|
// setup.
|
|
// mog: func-to=UpstreamsToStructs func-from=NewUpstreamsFromStructs
|
|
repeated Upstream Upstreams = 6;
|
|
|
|
// MeshGateway defines the mesh gateway configuration for upstreams
|
|
MeshGatewayConfig MeshGateway = 7;
|
|
|
|
// Expose defines whether checks or paths are exposed through the proxy
|
|
ExposeConfig Expose = 8;
|
|
|
|
// Mode represents how the proxy's inbound and upstream listeners are dialed.
|
|
// mog: func-to=structs.ProxyMode func-from=string
|
|
string Mode = 9;
|
|
|
|
// TransparentProxy defines configuration for when the proxy is in
|
|
// transparent mode.
|
|
TransparentProxyConfig TransparentProxy = 10;
|
|
|
|
// LocalServiceSocketPath is the path to the unix domain socket for the local service instance
|
|
string LocalServiceSocketPath = 11;
|
|
|
|
// mog: func-to=EnvoyExtensionsToStructs func-from=EnvoyExtensionsFromStructs
|
|
repeated hashicorp.consul.internal.common.EnvoyExtension EnvoyExtensions = 12;
|
|
|
|
// AccessLogsConfig defines envoys access log configuration.
|
|
AccessLogsConfig AccessLogs = 13;
|
|
}
|
|
|
|
// Upstream represents a single upstream dependency for a service or proxy. It
|
|
// describes the mechanism used to discover instances to communicate with (the
|
|
// Target) as well as any potential client configuration that may be useful such
|
|
// as load balancer options, timeouts etc.
|
|
//
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.Upstream
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
// ignore-fields=IngressHosts
|
|
message Upstream {
|
|
// Destination fields are the required ones for determining what this upstream
|
|
// points to. Depending on DestinationType some other fields below might
|
|
// further restrict the set of instances allowable.
|
|
//
|
|
// DestinationType would be better as an int constant but even with custom
|
|
// JSON marshallers it causes havoc with all the mapstructure mangling we do
|
|
// on service definitions in various places.
|
|
string DestinationType = 1;
|
|
string DestinationNamespace = 2;
|
|
string DestinationPartition = 12;
|
|
string DestinationPeer = 13;
|
|
string DestinationName = 3;
|
|
|
|
// Datacenter that the service discovery request should be run against. Note
|
|
// for prepared queries, the actual results might be from a different
|
|
// datacenter.
|
|
string Datacenter = 4;
|
|
|
|
// LocalBindAddress is the ip address a side-car proxy should listen on for
|
|
// traffic destined for this upstream service. Default if empty is 127.0.0.1.
|
|
string LocalBindAddress = 5;
|
|
|
|
// LocalBindPort is the ip address a side-car proxy should listen on for
|
|
// traffic destined for this upstream service. Required.
|
|
// mog: func-to=int func-from=int32
|
|
int32 LocalBindPort = 6;
|
|
|
|
// Config is an opaque config that is specific to the proxy process being run.
|
|
// It can be used to pass arbitrary configuration for this specific upstream
|
|
// to the proxy.
|
|
// mog: func-to=ProtobufTypesStructToMapStringInterface func-from=MapStringInterfaceToProtobufTypesStruct
|
|
google.protobuf.Struct Config = 7;
|
|
|
|
// MeshGateway is the configuration for mesh gateway usage of this upstream
|
|
MeshGatewayConfig MeshGateway = 8;
|
|
|
|
// CentrallyConfigured indicates whether the upstream was defined in a proxy
|
|
// instance registration or whether it was generated from a config entry.
|
|
bool CentrallyConfigured = 9;
|
|
|
|
// LocalBindSocketPath is the socket to create to connect to the upstream service
|
|
string LocalBindSocketPath = 10;
|
|
string LocalBindSocketMode = 11;
|
|
}
|
|
|
|
// ServiceConnect are the shared Connect settings between all service
|
|
// definitions from the agent to the state store.
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceConnect
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
message ServiceConnect {
|
|
// Native is true when this service can natively understand Connect.
|
|
bool Native = 1;
|
|
|
|
reserved 2;
|
|
|
|
// SidecarService is a nested Service Definition to register at the same time.
|
|
// It's purely a convenience mechanism to allow specifying a sidecar service
|
|
// along with the application service definition. It's nested nature allows
|
|
// all of the fields to be defaulted which can reduce the amount of
|
|
// boilerplate needed to register a sidecar service separately, but the end
|
|
// result is identical to just making a second service registration via any
|
|
// other means.
|
|
// mog: func-to=ServiceDefinitionPtrToStructs func-from=NewServiceDefinitionPtrFromStructs
|
|
ServiceDefinition SidecarService = 3;
|
|
|
|
PeeringServiceMeta PeerMeta = 4;
|
|
}
|
|
|
|
// PeeringServiceMeta is read-only information provided from an exported peer.
|
|
//
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.PeeringServiceMeta
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
message PeeringServiceMeta {
|
|
repeated string SNI = 1;
|
|
repeated string SpiffeID = 2;
|
|
string Protocol = 3;
|
|
}
|
|
|
|
// ExposeConfig describes HTTP paths to expose through Envoy outside of Connect.
|
|
// Users can expose individual paths and/or all HTTP/GRPC paths for checks.
|
|
//
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ExposeConfig
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
message ExposeConfig {
|
|
// Checks defines whether paths associated with Consul checks will be exposed.
|
|
// This flag triggers exposing all HTTP and GRPC check paths registered for the service.
|
|
bool Checks = 1;
|
|
|
|
// Paths is the list of paths exposed through the proxy.
|
|
// mog: func-to=ExposePathSliceToStructs func-from=NewExposePathSliceFromStructs
|
|
repeated ExposePath Paths = 2;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ExposePath
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
message ExposePath {
|
|
// ListenerPort defines the port of the proxy's listener for exposed paths.
|
|
// mog: func-to=int func-from=int32
|
|
int32 ListenerPort = 1;
|
|
|
|
// ExposePath is the path to expose through the proxy, ie. "/metrics."
|
|
string Path = 2;
|
|
|
|
// LocalPathPort is the port that the service is listening on for the given path.
|
|
// mog: func-to=int func-from=int32
|
|
int32 LocalPathPort = 3;
|
|
|
|
// Protocol describes the upstream's service protocol.
|
|
// Valid values are "http" and "http2", defaults to "http"
|
|
string Protocol = 4;
|
|
|
|
// ParsedFromCheck is set if this path was parsed from a registered check
|
|
bool ParsedFromCheck = 5;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.MeshGatewayConfig
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
message MeshGatewayConfig {
|
|
// mog: func-to=structs.MeshGatewayMode func-from=string
|
|
string Mode = 1;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.TransparentProxyConfig
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
message TransparentProxyConfig {
|
|
// mog: func-to=int func-from=int32
|
|
int32 OutboundListenerPort = 1;
|
|
|
|
// DialedDirectly indicates whether transparent proxies can dial this proxy instance directly.
|
|
// The discovery chain is not considered when dialing a service instance directly.
|
|
// This setting is useful when addressing stateful services, such as a database cluster with a leader node.
|
|
bool DialedDirectly = 2;
|
|
}
|
|
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.AccessLogsConfig
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
message AccessLogsConfig {
|
|
bool Enabled = 1;
|
|
bool DisableListenerLogs = 2;
|
|
|
|
// Type represents the desired envoy log sink (e.g. stdout, stderr, file ...).
|
|
// mog: func-to=structs.LogSinkType func-from=string
|
|
string Type = 3;
|
|
|
|
string Path = 4;
|
|
string JSONFormat = 5;
|
|
string TextFormat = 6;
|
|
}
|
|
|
|
// ServiceDefinition is used to JSON decode the Service definitions. For
|
|
// documentation on specific fields see NodeService which is better documented.
|
|
//
|
|
// mog annotation:
|
|
//
|
|
// target=github.com/hashicorp/consul/agent/structs.ServiceDefinition
|
|
// output=service.gen.go
|
|
// name=Structs
|
|
message ServiceDefinition {
|
|
// mog: func-to=structs.ServiceKind func-from=string
|
|
string Kind = 1;
|
|
string ID = 2;
|
|
string Name = 3;
|
|
repeated string Tags = 4;
|
|
string Address = 5;
|
|
// mog: func-to=MapStringServiceAddressToStructs func-from=NewMapStringServiceAddressFromStructs
|
|
map<string, ServiceAddress> TaggedAddresses = 16;
|
|
map<string, string> Meta = 6;
|
|
// mog: func-to=int func-from=int32
|
|
int32 Port = 7;
|
|
// Path for socket
|
|
string SocketPath = 18;
|
|
CheckType Check = 8;
|
|
// mog: func-to=CheckTypesToStructs func-from=NewCheckTypesFromStructs
|
|
repeated CheckType Checks = 9;
|
|
// mog: func-to=WeightsPtrToStructs func-from=NewWeightsPtrFromStructs
|
|
Weights Weights = 10;
|
|
string Token = 11;
|
|
bool EnableTagOverride = 12;
|
|
|
|
// Proxy is the configuration set for Kind = connect-proxy. It is mandatory in
|
|
// that case and an error to be set for any other kind. This config is part of
|
|
// a proxy service definition and is distinct from but shares some fields with
|
|
// the Connect.Proxy which configures a managed proxy as part of the actual
|
|
// service's definition. This duplication is ugly but seemed better than the
|
|
// alternative which was to re-use the same struct fields for both cases even
|
|
// though the semantics are different and the non-shared fields make no sense
|
|
// in the other case. ProxyConfig may be a more natural name here, but it's
|
|
// confusing for the UX because one of the fields in ConnectProxyConfig is
|
|
// also called just "Config"
|
|
// mog: func-to=ConnectProxyConfigPtrToStructs func-from=NewConnectProxyConfigPtrFromStructs
|
|
ConnectProxyConfig Proxy = 14;
|
|
|
|
// mog: func-to=EnterpriseMetaToStructs func-from=NewEnterpriseMetaFromStructs
|
|
common.EnterpriseMeta EnterpriseMeta = 17;
|
|
|
|
// mog: func-to=ServiceConnectPtrToStructs func-from=NewServiceConnectPtrFromStructs
|
|
ServiceConnect Connect = 15;
|
|
|
|
// Locality identifies where the service is running.
|
|
// mog: func-to=LocalityToStructs func-from=LocalityFromStructs
|
|
common.Locality Locality = 19;
|
|
}
|
|
|
|
// Type to hold an address and port of a service
|
|
message ServiceAddress {
|
|
string Address = 1;
|
|
// mog: func-to=int func-from=int32
|
|
int32 Port = 2;
|
|
}
|
|
|
|
// Weights represent the weight used by DNS for a given status
|
|
message Weights {
|
|
// mog: func-to=int func-from=int32
|
|
int32 Passing = 1;
|
|
// mog: func-to=int func-from=int32
|
|
int32 Warning = 2;
|
|
}
|