fixup! Add support for TCP traffic permissions

agent/xds/proxystateconverter/listeners.go

@@ -1053,9 +1053,9 @@ func (s *Converter) makeInboundListener(cfgSnap *proxycfg.ConfigSnapshot, name s
 			l4Dest.MaxInboundConnections = uint64(cfg.MaxInboundConnections)
 		}
 
-		defaultAction := pbproxystate.TrafficPermissionAction_INTENTION_ACTION_DENY
+		defaultAction := pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_DENY
 		if cfgSnap.IntentionDefaultAllow {
-			defaultAction = pbproxystate.TrafficPermissionAction_INTENTION_ACTION_ALLOW
+			defaultAction = pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_ALLOW
 		}
 		l4Dest.TrafficPermissions = &pbproxystate.L4TrafficPermissions{
 			DefaultAction: defaultAction,
@@ -1580,7 +1580,7 @@ func (g *Converter) makeL7Destination(opts destinationOpts) (*pbproxystate.L7Des
 	// access and that every filter chain uses our TLS certs.
 	if len(opts.httpAuthzFilters) > 0 {
 		// TODO(proxystate) support intentions in the future
-		dest.TrafficPermissions = make([]*pbproxystate.L7TrafficPermission, 0)
+		dest.TrafficPermissions = &pbproxystate.L7TrafficPermissions{}
 		//cfg.HttpFilters = append(opts.httpAuthzFilters, cfg.HttpFilters...)
 	}
 

agent/xds/rbac_test.go

@@ -1126,9 +1126,9 @@ func TestMakeRBACNetworkAndHTTPFilters(t *testing.T) {
 					if tt.v2L4TrafficPermissions == nil {
 						return
 					}
-					tt.v2L4TrafficPermissions.DefaultAction = pbproxystate.TrafficPermissionAction_INTENTION_ACTION_DENY
+					tt.v2L4TrafficPermissions.DefaultAction = pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_DENY
 					if tt.intentionDefaultAllow {
-						tt.v2L4TrafficPermissions.DefaultAction = pbproxystate.TrafficPermissionAction_INTENTION_ACTION_ALLOW
+						tt.v2L4TrafficPermissions.DefaultAction = pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_ALLOW
 					}
 
 					filters, err := xdsv2.MakeL4RBAC(tt.v2L4TrafficPermissions)

agent/xdsv2/rbac_resources.go

@@ -98,7 +98,7 @@ func makeRBACs(trafficPermissions *pbproxystate.L4TrafficPermissions) ([]*envoy_
 
 func finalizeRBAC(rbac *envoy_rbac_v3.RBAC, defaultAction pbproxystate.TrafficPermissionAction) *envoy_rbac_v3.RBAC {
 	isRBACAllow := rbac.Action == envoy_rbac_v3.RBAC_ALLOW
-	isConsulAllow := defaultAction == pbproxystate.TrafficPermissionAction_INTENTION_ACTION_ALLOW
+	isConsulAllow := defaultAction == pbproxystate.TrafficPermissionAction_TRAFFIC_PERMISSION_ACTION_ALLOW
 	// Remove allow traffic permissions with default allow. This is required because including an allow RBAC filter enforces default deny.
 	// It is safe because deny traffic permissions are applied before allow permissions, so explicit allow is equivalent to default allow. 
 	removeAllows := isRBACAllow && isConsulAllow

proto-public/pbmesh/v1alpha1/pbproxystate/listener.proto

@@ -105,7 +105,7 @@ message L7Destination {
   // protocol for the destination.
   L7Protocol protocol = 3;
   // traffic_permissions is a list of intentions for this destination.
-  repeated L7TrafficPermission traffic_permissions = 4;
+  L7TrafficPermissions traffic_permissions = 4;
   // add_empty_intention specifies whether to add an empty intention for this destination, when there are no other intentions specified.
   bool add_empty_intention = 5;
   // include_xfcc specifies whether to add xfcc header.

proto-public/pbmesh/v1alpha1/pbproxystate/traffic_permissions.proto

@@ -5,11 +5,12 @@ syntax = "proto3";
 
 package hashicorp.consul.mesh.v1alpha1.pbproxystate;
 
-message L7TrafficPermission {}
+message L7TrafficPermissions {}
 
 enum TrafficPermissionAction {
-  INTENTION_ACTION_DENY = 0;
-  INTENTION_ACTION_ALLOW = 1;
+  TRAFFIC_PERMISSION_ACTION_UNSPECIFIED = 0;
+  TRAFFIC_PERMISSION_ACTION_DENY = 1;
+  TRAFFIC_PERMISSION_ACTION_ALLOW = 2;
 }
 
 message L4TrafficPermissions {