From 179de71a10f081cba9cf87c0f5abb76c59ccee54 Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Sun, 13 Dec 2020 22:04:32 +0000
Subject: [PATCH] transport socket: api and implementation for startTls transport socket (#13112)
Signed-off-by: Christoph Pakulski
Mirrored from https://github.com/envoyproxy/envoy @ 98e8bf3f09fa2af3735217bfc7046517250cdfd2
---
 BUILD | 1 +
 .../transport_sockets/starttls/v3/BUILD | 13 ++++++
 .../starttls/v3/starttls.proto | 38 +++++++++++++++++
 .../transport_sockets/starttls/v4alpha/BUILD | 14 +++++++
 .../starttls/v4alpha/starttls.proto | 41 +++++++++++++++++++
 versioning/BUILD | 1 +
 6 files changed, 108 insertions(+)
 create mode 100644 envoy/extensions/transport_sockets/starttls/v3/BUILD
 create mode 100644 envoy/extensions/transport_sockets/starttls/v3/starttls.proto
 create mode 100644 envoy/extensions/transport_sockets/starttls/v4alpha/BUILD
 create mode 100644 envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto
diff --git a/BUILD b/BUILD
index cc41b7c0..82a15929 100644
--- a/BUILD
+++ b/BUILD
@@ -244,6 +244,7 @@ proto_library(
 "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
 "//envoy/extensions/transport_sockets/quic/v3:pkg",
 "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+ "//envoy/extensions/transport_sockets/starttls/v3:pkg",
 "//envoy/extensions/transport_sockets/tap/v3:pkg",
 "//envoy/extensions/transport_sockets/tls/v3:pkg",
 "//envoy/extensions/upstreams/http/generic/v3:pkg",
diff --git a/envoy/extensions/transport_sockets/starttls/v3/BUILD b/envoy/extensions/transport_sockets/starttls/v3/BUILD
new file mode 100644
index 00000000..7ae3c01a
--- /dev/null
+++ b/envoy/extensions/transport_sockets/starttls/v3/BUILD
@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+ "//envoy/extensions/transport_sockets/tls/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/envoy/extensions/transport_sockets/starttls/v3/starttls.proto b/envoy/extensions/transport_sockets/starttls/v3/starttls.proto
new file mode 100644
index 00000000..d9da31e7
--- /dev/null
+++ b/envoy/extensions/transport_sockets/starttls/v3/starttls.proto
@@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.starttls.v3;
+
+import "envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto";
+import "envoy/extensions/transport_sockets/tls/v3/tls.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.starttls.v3";
+option java_outer_classname = "StarttlsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: StartTls]
+// [#extension: envoy.transport_sockets.starttls]
+
+// StartTls transport socket addresses situations when a protocol starts in clear-text and
+// negotiates an in-band switch to TLS. StartTls transport socket is protocol agnostic and requires
+// a network filter which understands protocol exchange and a state machine to signal to the StartTls
+// transport socket when a switch to TLS is required.
+
+// Configuration for StartTls transport socket.
+// StartTls transport socket wraps two sockets:
+// - raw_buffer socket which is used at the beginning of the session
+// - TLS socket used when a protocol negotiates a switch to encrypted traffic.
+message StartTlsConfig {
+ // (optional) Configuration for clear-text socket used at the beginning of the session.
+ raw_buffer.v3.RawBuffer cleartext_socket_config = 1;
+
+ // Configuration for TLS socket.
+ transport_sockets.tls.v3.DownstreamTlsContext tls_socket_config = 2
+ [(validate.rules).message = {required: true}];
+}
diff --git a/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD b/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD
new file mode 100644
index 00000000..b160d85d
--- /dev/null
+++ b/envoy/extensions/transport_sockets/starttls/v4alpha/BUILD
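Review bot: `import "google/protobuf/wrappers.proto";` in the new v3 starttls.proto is unused — nothing in StartTlsConfig references a google.protobuf wrapper type — and in this v3 file `import "udpa/annotations/versioning.proto";` is unused as well, since the only previous_message_type option is in the v4alpha copy; protoc flags unused imports with a warning, so both lines should go unless the repository's proto tooling requires them. The same unused wrappers import is present in the v4alpha starttls.proto hunk further down. Since tls_socket_config is typed DownstreamTlsContext only, the field comment could make the scope explicit: `// Configuration for TLS socket. Only a downstream (server-side) TLS context is accepted here.`, so readers do not assume the socket also applies upstream. The "(optional)" note on cleartext_socket_config would be more useful if it said what the implementation uses when the field is absent, but that default is not visible in this hunk and would have to be confirmed against the implementation.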
@@ -0,0 +1,14 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+ "//envoy/extensions/transport_sockets/starttls/v3:pkg",
+ "//envoy/extensions/transport_sockets/tls/v4alpha:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto b/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto
new file mode 100644
index 00000000..32350cf7
--- /dev/null
+++ b/envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto
@@ -0,0 +1,41 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.starttls.v4alpha;
+
+import "envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto";
+import "envoy/extensions/transport_sockets/tls/v4alpha/tls.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.starttls.v4alpha";
+option java_outer_classname = "StarttlsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: StartTls]
+// [#extension: envoy.transport_sockets.starttls]
+
+// StartTls transport socket addresses situations when a protocol starts in clear-text and
+// negotiates an in-band switch to TLS. StartTls transport socket is protocol agnostic and requires
+// a network filter which understands protocol exchange and a state machine to signal to the StartTls
+// transport socket when a switch to TLS is required.
+
+// Configuration for StartTls transport socket.
+// StartTls transport socket wraps two sockets:
+// - raw_buffer socket which is used at the beginning of the session
+// - TLS socket used when a protocol negotiates a switch to encrypted traffic.
+message StartTlsConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig";
+
+ // (optional) Configuration for clear-text socket used at the beginning of the session.
+ raw_buffer.v3.RawBuffer cleartext_socket_config = 1;
+
+ // Configuration for TLS socket.
+ transport_sockets.tls.v4alpha.DownstreamTlsContext tls_socket_config = 2
+ [(validate.rules).message = {required: true}];
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index d5b60986..9b9ea97e 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -127,6 +127,7 @@ proto_library(
 "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
 "//envoy/extensions/transport_sockets/quic/v3:pkg",
 "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+ "//envoy/extensions/transport_sockets/starttls/v3:pkg",
 "//envoy/extensions/transport_sockets/tap/v3:pkg",
 "//envoy/extensions/transport_sockets/tls/v3:pkg",
 "//envoy/extensions/upstreams/http/generic/v3:pkg",