diff --git a/protect/control/v1/common.proto b/protect/control/v1/common.proto
index 8b9d33a..cb6111f 100644
--- a/protect/control/v1/common.proto
+++ b/protect/control/v1/common.proto
@@ -5,10 +5,17 @@ package protect.control.v1;
 import "google/protobuf/struct.proto";
 import "google/protobuf/timestamp.proto";
+message ResourceOrigin {
+ string zone_id = 1;
+ string workload_id = 2;
+ string user_agent = 3;
+}
+
 message Zone {
 string id = 1;
 ZoneSpec spec = 2;
 ZoneStatus status = 3;
+ ResourceOrigin origin = 4;
 }
 // Represents a Zone.
@@ -29,6 +36,22 @@ message ZoneSpec {
 // When set, this zone is a fork of the named parent zone; the reconciler
 // forks the child from the parent rather than building it from scratch.
 string fork_parent_zone_id = 12;
+ // Configures Control API access for the zone.
+ ZoneControlApiSpec control_api = 13;
+}
+
+// Access control specification on the Control API for a zone.
+enum ZoneControlApiAccess {
+ // Deny access to the Control API for this zone.
+ ZONE_CONTROL_API_ACCESS_DENY = 0;
+ // Allow access to the Control API for this zone.
+ ZONE_CONTROL_API_ACCESS_ALLOW = 1;
+}
+
+// Configures the Control API for a zone.
+message ZoneControlApiSpec {
+ // Controls access to the Control API.
+ ZoneControlApiAccess access = 1;
 }
 enum ZoneResourceAdjustmentPolicy {
@@ -447,6 +470,7 @@ message Workload {
 string id = 1;
 WorkloadSpec spec = 2;
 WorkloadStatus status = 3;
+ ResourceOrigin origin = 4;
 }
 enum HostCpuTopologyClass {
diff --git a/protect/control/v1/control.proto b/protect/control/v1/control.proto
index df48240..b2acfae 100644
--- a/protect/control/v1/control.proto
+++ b/protect/control/v1/control.proto
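Review bot: In common.proto, `ResourceOrigin` and the new `origin = 4` fields on `Zone` (and on `Workload` in the last hunk of this file) carry no comments, so a reader cannot tell whether the server derives these values from the authenticated caller or accepts them from the client. `user_agent` in particular looks like a caller-reported string, which would make it unsuitable as an input to access decisions and something to escape before logging; that is an inference, since the code that populates it is not in this diff. I would add a message comment such as `// Identifies the caller that created a resource; populated by the server and ignored on input.` and a field comment such as `// Caller-reported user agent; informational only, not authenticated.`, if those statements match the implementation.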
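Review bot: In `ZoneControlApiAccess`, the zero value `ZONE_CONTROL_API_ACCESS_DENY = 0` carries business meaning, so a zone with no `control_api` set and a zone that was explicitly denied are indistinguishable on the wire. Defaulting to deny is the fail-closed choice and worth keeping, but it should be stated rather than implied: either add `ZONE_CONTROL_API_ACCESS_UNSPECIFIED = 0;` (documented as handled like deny) and move `DENY`/`ALLOW` to 1 and 2 before this enum ships, or keep the numbering and extend the comment to `// Deny access to the Control API for this zone. This is the default when unset.` The enum comment should also tell receivers to treat unknown future values as deny.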
@@ -7,6 +7,9 @@ import "protect/control/v1/common.proto";
 service ControlService {
 rpc GetHostStatus(GetHostStatusRequest) returns (GetHostStatusReply);
 rpc SnoopIdm(SnoopIdmRequest) returns (stream SnoopIdmReply);
+ // Snoops on the Control API, returning a stream of live Control API packets.
+ // Other control API snoops will be skipped from the responses.
+ rpc SnoopControl(SnoopControlRequest) returns (stream SnoopControlReply);
 rpc GetHostCpuTopology(GetHostCpuTopologyRequest) returns (GetHostCpuTopologyReply);
 rpc ListDevices(ListDevicesRequest) returns (ListDevicesReply);
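Review bot: The comment on `SnoopControl` does not say who may call it, although the stream exposes Control API calls on the host together with their `origin`, method and `payload`. Since the same change introduces per-zone Control API access (`ZoneControlApiSpec` in common.proto), the RPC comment should state whether zone-originated callers can reach this method or whether it is limited to host operators; the enforcement code is not visible in this diff. A line such as `// Requires host-level privileges; never served to zone-originated callers.` would do, if that is the intended policy. The second comment line would also read more clearly as `// Calls to SnoopControl itself are omitted from the stream.`, assuming that is what "other control API snoops" means.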
@@ -549,6 +552,43 @@ message SnoopIdmPacket {
 bytes packet = 3;
 }
+// Request to snoop the Control API traffic for this host.
+message SnoopControlRequest {}
+
+// Reply for the SnoopControl RPC, contains a batch of packets from the Control API.
+message SnoopControlReply {
+ // Snooped packets that were received from the Control API.
+ repeated SnoopControlPacket packets = 1;
+ // Number of packets that were skipped due to buffer constraints.
+ uint64 skipped = 2;
+}
+
+/// Represents the form of a packet in the Control API.
+enum SnoopControlPacketForm {
+ SNOOP_CONTROL_PACKET_FORM_UNKNOWN = 0;
+ SNOOP_CONTROL_PACKET_FORM_REQUEST = 1;
+ SNOOP_CONTROL_PACKET_FORM_ERROR = 2;
+ SNOOP_CONTROL_PACKET_FORM_RESPONSE = 3;
+}
+
+/// Represents a packet of data in/out of the Control API.
+message SnoopControlPacket {
+ // Unique identifier for the packet.
+ uint64 id = 1;
+ // Origin of the RPC.
+ ResourceOrigin origin = 2;
+ // Service name of the RPC.
+ string service = 3;
+ // Method name of the RPC.
+ string method = 4;
+ // Form of the packet.
+ SnoopControlPacketForm form = 5;
+ // Payload of the packet.
+ string payload = 6;
+ // Whether the stream is closed.
+ bool closed = 7;
+}
+
 // Pulls an OCI image into the local image cache, packing it into the requested `format`.
 // `overwrite_cache` forces a fresh pull and repack even if the image is already cached.
 // `update` re-resolves the image reference against the registry (picking up new content
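Review bot: `string payload = 6` in `SnoopControlPacket` does not state its encoding, while the neighbouring `SnoopIdmPacket` uses `bytes packet = 3` for the same role. A proto3 `string` must be valid UTF-8, so if the payload is the serialized message it should be `bytes payload = 6;`; if it is a text rendering (JSON, for instance), the comment should say so. Because the payload mirrors request and response bodies, the comment is also the place to record whether secret-bearing fields are redacted before streaming, e.g. `// Payload of the packet as <ENCODING>; may contain sensitive fields from the original call.` The two `///` comments in this hunk differ from the `//` style used on the other added lines.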