github.com/google/fleetspeak@v0.1.15-0.20240426164851-4f31f62c1aea/fleetspeak/src/server/components/proto/fleetspeak_components/config.proto

// Copyright 2019 Google Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

syntax = "proto3";

package fleetspeak.components;

option go_package = "github.com/google/fleetspeak/fleetspeak/src/server/components/proto/fleetspeak_components";

message Config {
  // Mysql connection string. Required.
  //
  // https://github.com/go-sql-driver/mysql#dsn-data-source-name
  string mysql_data_source_name = 1;

  // The parameters required to stand up an https server.
  HttpsConfig https_config = 2;

  // Parameters required to stand up an admin server. Either this or
  // "https_config", or both, have to be specified.
  AdminConfig admin_config = 7;

  // Parameters required to set up a stats collector.
  StatsConfig stats_config = 8;

  // Parameters required to stand up a http health check service. Optional.
  HealthCheckConfig health_check_config = 9;

  // If set, expects connections to arrive through a load balance implementing
  // the PROXY protocol.
  //
  // https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
  bool proxy_protocol = 3;

  // If set, only clients reporting this label will be allowed to
  // connect. Meant as a sanity check that the client and server are for the
  // same Fleetspeak installation.
  string required_label = 4;

  // If set, the bind address to listen on to receive notifications from other
  // fleetspeak servers. Optional, but strongly recommended for installations
  // involving multiple servers. e.g. ":8080", "localhost:1234".
  string notification_listen_address = 5;

  // If set, other servers will be told to use this address in order to connect
  // with this server's notification port. Has no effect when
  // notification_listen_address is unset.
  string notification_public_address = 6;

  // If set, a HTTP notifier implementation is used for sending notifications.
  // Set this if running a pure admin server (without a notification listener)
  // in a distributed setup.
  bool notification_use_http_notifier = 10;
}

// In this mode Fleetspeak accepts a mTLS connection directly from the client.
// The Fleetspeak frontend uses the client certificate from the HTTPS request
// to identify the client.
// This is the default operating mode of the frontend.
message MTlsConfig {}

// In this mode Fleetspeak accepts a TLS connection from an intermediate actor
// which terminates the TLS protocol (typically a layer 7 load balancer).
// The intermediate actor passes the client certificate it receives from the
// original TLS connection to the frontend via an HTTP header.
// The Fleetspeak frontend uses the certificate passed in this header to
// identify the client.
message HttpsHeaderConfig {
  // The name of the HTTP header set by the intermediary that contains the
  // forwarded client certificate. Required.
  string client_certificate_header = 1;
}

// In this mode Fleetspeak accepts a TLS connection from an intermediate actor
// which terminates the TLS protocol (typically a layer 7 load balancer).
// The original client passes the certificate it uses for the TLS protocol to
// the frontend via an HTTP header.
// The intermediate actor passes a SHA256 checksum of client certificate it
// receives from the original TLS connection to the frontend via a second HTTP
// header.
// The Fleetspeak frontend uses the certificate passed passed from the client
// to identify it, and uses the hash from the intermediate actor to verify that
// this certificate was in fact used in the original TLS connection.
message HttpsHeaderChecksumConfig {
  // The name of the HTTP header set by the client that contains the original
  // client certificate. Required.
  string client_certificate_header = 1;
  // The name of the HTTP header set by the intermediary that contains the
  // client certificate checksum. Required.
  string client_certificate_checksum_header = 2;
}

// In this mode Fleetspeak runs in clear text (HTTP). This allows for
// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that
// offers a secure communications channel.
// Fleetspeak accepts a TLS connection from an intermediate actor which
// terminates the TLS protocol (typically a layer 7 load balancer).
// The intermediate actor passes the client certificate it receives from the
// original TLS connection to the frontend via an HTTP header.
// The Fleetspeak frontend uses the certificate passed in this header to
// identify the client.
message CleartextHeaderConfig {
  // The name of the HTTP header set by the intermediary that contains the
  // forwarded client certificate. Required.
  string client_certificate_header = 1;
}

// In this mode Fleetspeak runs in clear text (HTTP). This allows for
// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that
// offers a secure communications channel.
// Fleetspeak accepts a TLS connection from an intermediate actor which
// terminates the TLS protocol (typically a layer 7 load balancer).
// The original client passes the certificate it uses for the TLS protocol to
// the frontend via an HTTP header.
// The intermediate actor passes a SHA256 checksum of client certificate it
// receives from the original TLS connection to the frontend via a second HTTP
// header.
// The Fleetspeak frontend uses the certificate passed passed from the client
// to identify it, and uses the hash from the intermediate actor to verify that
// this certificate was in fact used in the original TLS connection.
message CleartextHeaderChecksumConfig {
  // The name of the HTTP header set by the client that contains the original
  // client certificate. Required.
  string client_certificate_header = 1;
  // The name of the HTTP header set by the intermediary that contains the
  // client certificate checksum. Required.
  string client_certificate_checksum_header = 2;
}

// In this mode Fleetspeak runs in clear text (HTTP). This allows for
// Fleetspeak to be deployed in a Service Mesh behind a side car proxy that
// offers a secure communications channel.
// Fleetspeak accepts a TLS connection from an intermediate envoy which
// terminates the mTLS protocol exchange.
// The intermediate envoy passes the client certificate it receives from the
// original mTLS connection to the frontend via an HTTP header.
// The Fleetspeak frontend uses the certificate passed in this header to
// identify the client.
message CleartextXfccConfig {
  // The name of the HTTP header set by the intermediary envoy that contains
  // the forwarded client certificate. Required.
  string client_certificate_header = 1;
}

// The frontend config determines how the Fleetspeak frontend communicates with
// clients and how it identifies them.
message FrontendConfig {
  // The mode in which the frontend should operate. Defaults to MTlsConfig.
  //
  // Note: Typically MTlsConfig should be used. The other options are only used
  // in scenarios where a direct TLS connection between client and server is not
  // possible.
  oneof frontend_mode {
    MTlsConfig mtls_config = 7;
    HttpsHeaderConfig https_header_config = 8;
    HttpsHeaderChecksumConfig https_header_checksum_config = 9;
    CleartextHeaderConfig cleartext_header_config = 10;
    CleartextHeaderChecksumConfig cleartext_header_checksum_config = 11;
    CleartextXfccConfig cleartext_xfcc_config = 12;
  }
}

message HttpsConfig {
  reserved 5, 6;

  // The bind address to listen on for client connections, e.g. ":443" or
  // "localhost:1234". Required.
  string listen_address = 1;

  // A certificate chain which identifies the server to clients. Must lead to a
  // certificate known to the clients. x509 format. Required, if frontend mode
  // is not cleartext (ie neither CleartextHeaderConfig nor
  // CleartextHeaderChecksumConfig)
  string certificates = 2;

  // The private key used to identify the server. Must match the first entry in
  // certificates. x509 format. Required, if frontend mode is not cleartext
  // (ie neither CleartextHeaderConfig nor CleartextHeaderChecksumConfig)
  string key = 3;

  // If set, disables long running (streaming) connections. This type of
  // connection causes more active connections but can reduce database load and
  // server->client communications latency.
  bool disable_streaming = 4;

  // The frontend config.
  // Optional; If not set, Fleetspeak will default to using MTlsConfig.
  FrontendConfig frontend_config = 7;
}

message AdminConfig {
  // The bind address to listen on for connections, e.g. ":443" or
  // "localhost:1234". Required.
  string listen_address = 1;
}

message StatsConfig {
  // The bind address to listen on for Prometheus http metric collection in the
  // form "<host>:<port>", e.g. "localhost:2112".
  // Optional; if no address is configured, then no stats collector
  // will be used (i.e. noopStatsCollector).
  string address = 1;
}

message HealthCheckConfig {
  // The bind address to listen on for http health check probes in the
  // form "<host>:<port>", e.g. "localhost:8080".
  string listen_address = 1;
}