consul/proto-public/pbmesh/v2beta1/pbproxystate/traffic_permissions.proto
skpratt 57bad0df85
add traffic permissions excludes and tests (#20453)
* add traffic permissions tests

* review fixes

* Update internal/mesh/internal/controllers/sidecarproxy/builder/local_app.go

Co-authored-by: John Landa <jonathanlanda@gmail.com>

---------

Co-authored-by: John Landa <jonathanlanda@gmail.com>
2024-02-07 20:21:44 +00:00

65 lines
1.7 KiB
Protocol Buffer

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
syntax = "proto3";
package hashicorp.consul.mesh.v2beta1.pbproxystate;
message TrafficPermissions {
repeated Permission allow_permissions = 1;
repeated Permission deny_permissions = 2;
// default_allow determines if the workload is in default allow mode. This is determined
// by combining the cluster's default allow setting with the is_default property on
// computed traffic permissions.
bool default_allow = 4;
}
message Permission {
repeated Principal principals = 1;
// In the case of multiple ports, the sidecar proxy controller is responsible for filtering
// per-port permissions.
repeated DestinationRule destination_rules = 2;
}
message Principal {
Spiffe spiffe = 1;
repeated Spiffe exclude_spiffes = 2;
}
message Spiffe {
// regex is the regular expression for matching spiffe ids.
string regex = 1;
// xfcc_regex specifies that Envoy needs to find the spiffe id in an xfcc header.
// It is currently unused, but considering this is important for to avoid breaking changes.
string xfcc_regex = 2;
}
message DestinationRule {
string path_exact = 1;
string path_prefix = 2;
string path_regex = 3;
repeated string methods = 4;
repeated DestinationRuleHeader destination_rule_header = 5;
repeated ExcludePermissionRule exclude = 6;
}
message DestinationRuleHeader {
string name = 1;
bool present = 2;
string exact = 3;
string prefix = 4;
string suffix = 5;
string regex = 6;
bool invert = 7;
}
message ExcludePermissionRule {
string path_exact = 1;
string path_prefix = 2;
string path_regex = 3;
repeated string methods = 4;
repeated DestinationRuleHeader headers = 5;
}