syntax = "proto3";
package config;
option go_package = "code.hackerspace.pl/hscloud/cluster/admitomatic/config";

// Admitomatic configuration, passed as a text proto, for
// example:
//
//  $ cat sample.pb.text
//  allow_domain { namespace: "example" dns: "*.example.com" }
//  allow_domain {
//    namespace: "personal-q3k" dns: "foo.q3k.org"
//  }
//  allow_domain {
//    namespace: "personal-q3k" dns: "bar.q3k.org"
//  }
//
message Config {
    // List of domains that are allowed to be configured as
    // ingresses in a given namespace. If a domain does not
    // appear in this list, it will be allowed to run in any
    // namespace.
    repeated AllowDomain allow_domain = 1;

    // List of namespaces that do not have any domain/annotation checks.
    repeated string anything_goes_namespace = 2;
}

message AllowDomain {
    // namespace is a kubernetes namespace. An empty string is
    // treated as the 'default' namespace.
    string namespace = 1;
    // dns is a domain name like 'example.com' or a wildcard
    // like '*.foo.example.com'.
    // Wildcards match domains at any level beneath the root,
    // so the example above would match 'bar.foo.example.com'
    // and 'baz.bar.foo.example.com'. However, they do not
    // catch the root itself, ie. the above would not catch
    // 'foo.example.com'.
    string dns = 2;
    // regexp enables `dns` to be treated as a domain name regexp
    // and namespace as a template that can use $n regexp match references
    // For example, dns: `([^.]+)\.hscloud\.ovh` and template: `personal-$1`
    // will allow `hans.hscloud.ovh` ingress only for `personal-hans` namespace
    bool regexp = 3;
}