|
|
@ -99,7 +99,7 @@ message DownstreamTlsContext { |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// TLS context shared by both client and server TLS contexts. |
|
|
|
// TLS context shared by both client and server TLS contexts. |
|
|
|
// [#next-free-field: 11] |
|
|
|
// [#next-free-field: 13] |
|
|
|
message CommonTlsContext { |
|
|
|
message CommonTlsContext { |
|
|
|
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; |
|
|
|
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; |
|
|
|
|
|
|
|
|
|
|
@ -123,6 +123,26 @@ message CommonTlsContext { |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Similar to CertificateProvider above, but allows the provider instances to be configured on |
|
|
|
|
|
|
|
// the client side instead of being sent from the control plane. |
|
|
|
|
|
|
|
message CertificateProviderInstance { |
|
|
|
|
|
|
|
// Provider instance name. This name must be defined in the client's configuration (e.g., a |
|
|
|
|
|
|
|
// bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config |
|
|
|
|
|
|
|
// field that would be sent in the CertificateProvider message if the config was sent by the |
|
|
|
|
|
|
|
// control plane). If not present, defaults to "default". |
|
|
|
|
|
|
|
// |
|
|
|
|
|
|
|
// Instance names should generally be defined not in terms of the underlying provider |
|
|
|
|
|
|
|
// implementation (e.g., "file_watcher") but rather in terms of the function of the |
|
|
|
|
|
|
|
// certificates (e.g., "foo_deployment_identity"). |
|
|
|
|
|
|
|
string instance_name = 1; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify |
|
|
|
|
|
|
|
// a root-certificate (validation context) or "example.com" to specify a certificate for a |
|
|
|
|
|
|
|
// particular domain. Not all provider instances will actually use this field, so the value |
|
|
|
|
|
|
|
// defaults to the empty string. |
|
|
|
|
|
|
|
string certificate_name = 2; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
message CombinedCertificateValidationContext { |
|
|
|
message CombinedCertificateValidationContext { |
|
|
|
option (udpa.annotations.versioning).previous_message_type = |
|
|
|
option (udpa.annotations.versioning).previous_message_type = |
|
|
|
"envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext"; |
|
|
|
"envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext"; |
|
|
@ -133,17 +153,26 @@ message CommonTlsContext { |
|
|
|
|
|
|
|
|
|
|
|
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be |
|
|
|
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be |
|
|
|
// fetched/refreshed over the network asynchronously with respect to the TLS handshake. |
|
|
|
// fetched/refreshed over the network asynchronously with respect to the TLS handshake. |
|
|
|
// Only to be used when validation_context_certificate_provider is not used. |
|
|
|
// Only one of validation_context_sds_secret_config, validation_context_certificate_provider, |
|
|
|
|
|
|
|
// or validation_context_certificate_provider_instance may be used. |
|
|
|
SdsSecretConfig validation_context_sds_secret_config = 2 [ |
|
|
|
SdsSecretConfig validation_context_sds_secret_config = 2 [ |
|
|
|
(validate.rules).message = {required: true}, |
|
|
|
(validate.rules).message = {required: true}, |
|
|
|
(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context" |
|
|
|
(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context" |
|
|
|
]; |
|
|
|
]; |
|
|
|
|
|
|
|
|
|
|
|
// Certificate provider for fetching validation context - only to be used when |
|
|
|
// Certificate provider for fetching validation context. |
|
|
|
// validation_context_sds_secret_config is not used. |
|
|
|
// Only one of validation_context_sds_secret_config, validation_context_certificate_provider, |
|
|
|
|
|
|
|
// or validation_context_certificate_provider_instance may be used. |
|
|
|
// [#not-implemented-hide:] |
|
|
|
// [#not-implemented-hide:] |
|
|
|
CertificateProvider validation_context_certificate_provider = 3 |
|
|
|
CertificateProvider validation_context_certificate_provider = 3 |
|
|
|
[(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"]; |
|
|
|
[(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"]; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Certificate provider instance for fetching validation context. |
|
|
|
|
|
|
|
// Only one of validation_context_sds_secret_config, validation_context_certificate_provider, |
|
|
|
|
|
|
|
// or validation_context_certificate_provider_instance may be used. |
|
|
|
|
|
|
|
// [#not-implemented-hide:] |
|
|
|
|
|
|
|
CertificateProviderInstance validation_context_certificate_provider_instance = 4 |
|
|
|
|
|
|
|
[(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"]; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
reserved 5; |
|
|
|
reserved 5; |
|
|
@ -168,6 +197,10 @@ message CommonTlsContext { |
|
|
|
// [#not-implemented-hide:] |
|
|
|
// [#not-implemented-hide:] |
|
|
|
CertificateProvider tls_certificate_certificate_provider = 9; |
|
|
|
CertificateProvider tls_certificate_certificate_provider = 9; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Certificate provider instance for fetching TLS certificates. |
|
|
|
|
|
|
|
// [#not-implemented-hide:] |
|
|
|
|
|
|
|
CertificateProviderInstance tls_certificate_certificate_provider_instance = 11; |
|
|
|
|
|
|
|
|
|
|
|
oneof validation_context_type { |
|
|
|
oneof validation_context_type { |
|
|
|
// How to validate peer certificates. |
|
|
|
// How to validate peer certificates. |
|
|
|
CertificateValidationContext validation_context = 3; |
|
|
|
CertificateValidationContext validation_context = 3; |
|
|
@ -188,6 +221,10 @@ message CommonTlsContext { |
|
|
|
// Certificate provider for fetching validation context. |
|
|
|
// Certificate provider for fetching validation context. |
|
|
|
// [#not-implemented-hide:] |
|
|
|
// [#not-implemented-hide:] |
|
|
|
CertificateProvider validation_context_certificate_provider = 10; |
|
|
|
CertificateProvider validation_context_certificate_provider = 10; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Certificate provider instance for fetching validation context. |
|
|
|
|
|
|
|
// [#not-implemented-hide:] |
|
|
|
|
|
|
|
CertificateProviderInstance validation_context_certificate_provider_instance = 12; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
// Supplies the list of ALPN protocols that the listener should expose. In |
|
|
|
// Supplies the list of ALPN protocols that the listener should expose. In |
|
|
|