SDS
DataSource
{
"filename": "...",
"inline": "..."
}
TlsParameters
{
"tls_minimum_protocol_version": "...",
"tls_maximum_protocol_version": "...",
"cipher_suites": [],
"ecdh_curves": []
}
- tls_minimum_protocol_version (TlsParameters.TlsProtocol): Allowed TLS protocols.
- tls_maximum_protocol_version (TlsParameters.TlsProtocol)
- cipher_suites (string): If specified, the TLS listener will only support the specified cipher list.
- ecdh_curves (string): If specified, the TLS connection will only support the specified ECDH curves. If not specified, the default curves (X25519, P-256) will be used.
Enum TlsParameters.TlsProtocol
[TlsParameters.TlsProtocol proto]
- TLS_AUTO (DEFAULT)
- TLSv1_0
- TLSv1_1
- TLSv1_2
- TLSv1_3
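A pre-deployment lint for a TlsParameters object, as an added example that is not Envoy's own code. It checks the fields documented above: that the minimum version is pinned (TLS_AUTO defers to Envoy's default), that the minimum does not exceed the maximum, that a cipher list is set, and that any ecdh_curves entry is one of the documented defaults. The policy floor (TLSv1_2) and the cipher strings in the hardened sample are this example's own choices; the cipher names are BoringSSL-style strings of the kind Envoy accepts in cipher_suites.

```python
# Added example (not Envoy's own code): lint a TlsParameters object before
# deployment. Thresholds are this example's policy, not Envoy requirements.

# Ordering of the TlsParameters.TlsProtocol enum values. TLS_AUTO (the default)
# means "let Envoy choose", so it has no rank and cannot be compared.
PROTOCOL_RANK = {"TLSv1_0": 10, "TLSv1_1": 11, "TLSv1_2": 12, "TLSv1_3": 13}
MIN_ACCEPTABLE = "TLSv1_2"   # assumption: this example's policy floor
DEFAULT_CURVES = ("X25519", "P-256")   # documented defaults for ecdh_curves


def check_tls_params(params: dict) -> list:
    """Return a list of findings; an empty list means the object passed."""
    findings = []
    lo = params.get("tls_minimum_protocol_version", "TLS_AUTO")
    hi = params.get("tls_maximum_protocol_version", "TLS_AUTO")

    for name, value in (("tls_minimum_protocol_version", lo),
                        ("tls_maximum_protocol_version", hi)):
        if value != "TLS_AUTO" and value not in PROTOCOL_RANK:
            findings.append(f"{name}: unknown TlsProtocol value {value!r}")

    if lo == "TLS_AUTO":
        findings.append("tls_minimum_protocol_version: TLS_AUTO leaves the floor "
                        "to Envoy's default; pin it explicitly")
    elif lo in PROTOCOL_RANK and PROTOCOL_RANK[lo] < PROTOCOL_RANK[MIN_ACCEPTABLE]:
        findings.append(f"tls_minimum_protocol_version: {lo} is below {MIN_ACCEPTABLE}")

    if lo in PROTOCOL_RANK and hi in PROTOCOL_RANK and PROTOCOL_RANK[lo] > PROTOCOL_RANK[hi]:
        findings.append("tls_minimum_protocol_version exceeds tls_maximum_protocol_version")

    if not params.get("cipher_suites"):
        findings.append("cipher_suites: empty, so the default cipher list is accepted")

    # A non-default curve is worth review rather than automatic rejection.
    for curve in params.get("ecdh_curves", []):
        if curve not in DEFAULT_CURVES:
            findings.append(f"ecdh_curves: non-default curve {curve!r}")
    return findings


# Constructed sample objects in the JSON shape shown above.
WEAK_PARAMS = {
    "tls_minimum_protocol_version": "TLSv1_0",
    "tls_maximum_protocol_version": "TLSv1_3",
    "cipher_suites": [],
    "ecdh_curves": [],
}
HARDENED_PARAMS = {
    "tls_minimum_protocol_version": "TLSv1_2",
    "tls_maximum_protocol_version": "TLSv1_3",
    # BoringSSL-style cipher strings; the exact list is this example's policy.
    "cipher_suites": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-CHACHA20-POLY1305",
    ],
    "ecdh_curves": ["X25519", "P-256"],
}

if __name__ == "__main__":
    for label, p in (("weak", WEAK_PARAMS), ("hardened", HARDENED_PARAMS)):
        print(label, check_tls_params(p) or "OK")
```

Run against the two samples, the weak object yields two findings (a TLSv1_0 floor and an empty cipher list) and the hardened object yields none.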
TlsCertificate
TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may be loaded from either.
{
"certificate_chain": "{...}",
"private_key": "{...}",
"password": "{...}",
"ocsp_staple": "{...}",
"signed_certificate_timestamp": []
}
- certificate_chain (DataSource)
- private_key (DataSource)
- password (DataSource)
- ocsp_staple (DataSource)
- signed_certificate_timestamp (DataSource)
TlsSessionTicketKeys
{
"keys": []
}
- keys (DataSource): Keys to encrypt/decrypt TLS session tickets for session resumption. The first key is used to encrypt new tickets that are created. All keys are candidates for decrypting received tickets. Each key must be exactly 80 bytes long, containing cryptographically-secure random data. For example, the output of "openssl rand 80".
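The generation, validation and rotation rules stated above, as an added example that is not Envoy's own code. It produces 80-byte keys from the OS CSPRNG (the same thing "openssl rand 80" does), rejects keys of the wrong length or with obviously non-random content, and rotates by prepending the fresh key so that it becomes the encrypting key while older keys remain decryption candidates. The number of retained keys (MAX_KEYS) and the file naming are this example's assumptions.

```python
# Added example (not Envoy's own code): manage TlsSessionTicketKeys material.
import secrets
from pathlib import Path
from typing import List, Optional

TICKET_KEY_LEN = 80   # documented requirement: each key is exactly 80 bytes
MAX_KEYS = 3          # assumption: how many older keys to keep for decryption


def check_ticket_key(data: bytes) -> Optional[str]:
    """Return a problem description, or None if data is a usable ticket key."""
    if len(data) != TICKET_KEY_LEN:
        return f"ticket key must be {TICKET_KEY_LEN} bytes, got {len(data)}"
    # Random 80-byte strings have far more than 16 distinct byte values; an
    # all-zero or repeated-pattern file fails this cheap sanity check.
    if len(set(data)) < 16:
        return "ticket key does not look like cryptographically random data"
    return None


def new_ticket_key() -> bytes:
    """Equivalent of 'openssl rand 80', using the OS CSPRNG."""
    return secrets.token_bytes(TICKET_KEY_LEN)


def rotate(keys: List[bytes], fresh: bytes) -> List[bytes]:
    """Prepend the fresh key and drop the oldest beyond MAX_KEYS.

    Envoy encrypts new tickets with the first key and tries every key when
    decrypting, so the new key goes first and old keys stay for a while so
    tickets issued before the rotation still resume."""
    for k in [fresh] + keys:
        problem = check_ticket_key(k)
        if problem:
            raise ValueError(problem)
    return [fresh] + keys[: MAX_KEYS - 1]


def datasources(directory: Path, count: int) -> List[dict]:
    """DataSource objects for the `keys` field, in rotation order.

    File names are this example's convention, not an Envoy requirement."""
    return [{"filename": str(directory / f"ticket_key_{i}.bin")} for i in range(count)]


def write_keys(keys: List[bytes], directory: Path) -> List[dict]:
    """Write one file per key (owner-readable only) and return the DataSources."""
    directory.mkdir(parents=True, exist_ok=True)
    sources = datasources(directory, len(keys))
    for src, k in zip(sources, keys):
        path = Path(src["filename"])
        path.write_bytes(k)
        path.chmod(0o600)
    return sources


if __name__ == "__main__":
    ring = [new_ticket_key() for _ in range(MAX_KEYS)]
    ring = rotate(ring, new_ticket_key())
    print(write_keys(ring, Path("/tmp/envoy-ticket-keys")))  # path is an assumption
```

The returned list plugs straight into `{"keys": [...]}` of TlsSessionTicketKeys; after each rotation the files must be rewritten in the new order, since Envoy's "first key encrypts" rule is positional.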
CertificateValidationContext
[CertificateValidationContext proto]
{
"trusted_ca": "{...}",
"verify_certificate_hash": [],
"verify_spki_sha256": [],
"verify_subject_alt_name": [],
"require_ocsp_staple": "{...}",
"require_signed_certificate_timestamp": "{...}"
}
- trusted_ca (DataSource): TLS certificate data containing certificate authority certificates to use in verifying a presented certificate. If not specified and a certificate is presented it will not be verified.
- verify_certificate_hash (string): If specified, Envoy will verify (pin) hex-encoded SHA-256 hash of the presented certificate.
- verify_spki_sha256 (string): If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of the Subject Public Key Information (SPKI) of the presented certificate. This is the same format as used in HTTP Public Key Pinning.
- verify_subject_alt_name (string): An optional list of subject alt names. If specified, Envoy will verify that the certificate's subject alt name matches one of the specified values.
- require_ocsp_staple (BoolValue): Must present a signed time-stamped OCSP response.
- require_signed_certificate_timestamp (BoolValue): Must present signed certificate time-stamp.
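Computing the two pin formats described above, as an added example that is not Envoy's own code: verify_certificate_hash is the hex SHA-256 of the whole DER certificate, and verify_spki_sha256 is the base64 SHA-256 of the DER SubjectPublicKeyInfo (the HPKP format). The example carries its own minimal DER encoder and walker so it runs offline; the certificate it builds is a constructed, unsigned skeleton whose only purpose is to show where the SPKI sits and that the SPKI pin survives re-issuance with the same key while the certificate pin does not.

```python
# Added example (not Envoy's own code): derive CertificateValidationContext
# pin values from a DER certificate. The sample certificate is constructed
# here and is not signed by any CA.
import base64
import hashlib


# --- minimal DER helpers: enough to build and walk an X.509 skeleton ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    tbsCertificate = SEQ { [0] version OPTIONAL, serialNumber, signature,
                           issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert_body, 0)             # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                                 # explicit [0] version present
        pos = nxt
    for _ in range(5):                              # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    start = pos
    _, _, end = read_tlv(tbs, pos)
    return tbs[start:end]


def verify_certificate_hash_value(cert_der: bytes) -> str:
    """Value for verify_certificate_hash: hex SHA-256 of the whole DER cert."""
    return hashlib.sha256(cert_der).hexdigest()


def verify_spki_sha256_value(cert_der: bytes) -> str:
    """Value for verify_spki_sha256: base64 SHA-256 of the SPKI (HPKP format)."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_config(cert_der: bytes) -> dict:
    """CertificateValidationContext fragment pinning this certificate both ways."""
    return {
        "verify_certificate_hash": [verify_certificate_hash_value(cert_der)],
        "verify_spki_sha256": [verify_spki_sha256_value(cert_der)],
    }


# --- constructed sample material ---
OID_ED25519 = bytes.fromhex("2b6570")                       # 1.3.101.112
SAMPLE_SPKI = seq(seq(tlv(0x06, OID_ED25519)),              # AlgorithmIdentifier
                  tlv(0x03, b"\x00" + bytes(range(32))))    # constructed key bits


def build_cert(spki: bytes, serial: int, sig_bits: bytes) -> bytes:
    """Structurally valid, unsigned v3 certificate skeleton around the given SPKI."""
    tbs = seq(
        tlv(0xA0, tlv(0x02, b"\x02")),                      # [0] version v3
        tlv(0x02, bytes([serial])),                         # serialNumber
        seq(tlv(0x06, OID_ED25519)),                        # signature algorithm
        seq(),                                              # issuer: empty Name
        seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"250101000000Z")),
        seq(),                                              # subject: empty Name
        spki,
    )
    return seq(tbs, seq(tlv(0x06, OID_ED25519)), tlv(0x03, b"\x00" + sig_bits))


SAMPLE_CERT = build_cert(SAMPLE_SPKI, 1, bytes(64))
REISSUED_CERT = build_cert(SAMPLE_SPKI, 2, bytes([0xAA]) * 64)  # same key, new cert

if __name__ == "__main__":
    print(pin_config(SAMPLE_CERT))
    print(pin_config(REISSUED_CERT))
```

The two certificates share a verify_spki_sha256 value but differ in verify_certificate_hash, which is why SPKI pins are the usual choice for a backend that rotates certificates on a fixed key, and certificate pins for a backend whose exact certificate is controlled.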
CommonTlsContext
TLS context shared by both client and server TLS contexts.
{
"tls_params": "{...}",
"tls_certificates": [],
"tls_certificate_sds_secret_configs": [],
"validation_context": "{...}",
"alpn_protocols": [],
"deprecated_v1": "{...}"
}
- tls_params (TlsParameters): TLS protocol versions, cipher suites etc.
- tls_certificates (TlsCertificate): Multiple TLS certificates can be associated with the same context, e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF]. TLS certificates can be either configured locally or fetched from SDS.
- tls_certificate_sds_secret_configs (SdsSecretConfig)
- validation_context (CertificateValidationContext): How to validate peer certificates.
- alpn_protocols (string): Protocols to negotiate over ALPN.
- deprecated_v1 (CommonTlsContext.DeprecatedV1)
CommonTlsContext.DeprecatedV1
[CommonTlsContext.DeprecatedV1 proto]
These fields are deprecated and are only used during the interim v1 -> v2 transition period for internal purposes. They should not be used outside of the Envoy binary.
{
"alt_alpn_protocols": "..."
}
- alt_alpn_protocols (string)
UpstreamTlsContext
{
"common_tls_context": "{...}",
"sni": "..."
}
- common_tls_context (CommonTlsContext)
- sni (string): SNI string to use when creating TLS backend connections.
DownstreamTlsContext
[V2-API-DIFF] This has been reworked to support alternative modes of certificate/key delivery, for consistency with the upstream TLS context and to segregate the client/server aspects of the TLS context.
{
"common_tls_context": "{...}",
"require_client_certificate": "{...}",
"require_sni": "{...}",
"session_ticket_keys": "{...}",
"session_ticket_keys_sds_secret_config": "{...}"
}
- common_tls_context (CommonTlsContext)
- require_client_certificate (BoolValue): If specified, Envoy will reject connections without a valid client certificate.
- require_sni (BoolValue): If specified, Envoy will reject connections without a valid and matching SNI.
- session_ticket_keys: Only one of session_ticket_keys, session_ticket_keys_sds_secret_config may be set.
- session_ticket_keys_sds_secret_config: Only one of session_ticket_keys, session_ticket_keys_sds_secret_config may be set.
SdsSecretConfig
{
"name": "...",
"sds_config": "{...}"
}
- name (string): Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. When both name and config are specified, the secret can be fetched and/or reloaded via SDS. When only name is specified, the secret will be loaded from static resources [V2-API-DIFF].
- sds_config (ConfigSource)
Secret
{
"name": "...",
"tls_certificate": "{...}",
"session_ticket_keys": "{...}"
}
- name (string): Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
- tls_certificate: Only one of tls_certificate, session_ticket_keys may be set.
- session_ticket_keys: Only one of tls_certificate, session_ticket_keys may be set.