tls: plumbing for multiple TLS certificate ingestion. (#5095)

This PR starts to plumb multiple TLS certs from the proto level into the SSL context. We stop short
of enabling multiple TLS certificates, but instead have sufficient mechanism and interface changes
to propagate them to the SSL context. Future PRs will extend this with the SSL context
implementation.

Risk Level: Low
Testing: bazel test //test/...

Part of #1319.

Signed-off-by: Harvey Tuch <htuch@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 9d1d959c5e8fc8e02754ea28e6cba9f7b1e3d1fc
pull/620/head
data-plane-api(CircleCI) 6 years ago
parent be02370dc5
commit 333c95e5c0
  1. 9
      envoy/api/v2/auth/cert.proto

@ -229,11 +229,10 @@ message CommonTlsContext {
// Multiple TLS certificates can be associated with the same context. // Multiple TLS certificates can be associated with the same context.
// E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured. // E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured.
// //
// .. attention:: // Only a single TLS certificate is supported in client contexts. In server contexts, the first
// // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
// Although this is a list, currently only a single certificate is supported. This will be // used for clients that support ECDSA.
// relaxed in the future. repeated TlsCertificate tls_certificates = 2;
repeated TlsCertificate tls_certificates = 2 [(validate.rules).repeated .max_items = 1];
// Configs for fetching TLS certificates via SDS API. // Configs for fetching TLS certificates via SDS API.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6; repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
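Review bot: Removing `[(validate.rules).repeated .max_items = 1]` from `tls_certificates` drops the only schema-level limit on the list, while the commit message says this change stops short of enabling multiple certificates. A config that lists two certificates will now pass proto validation before the SSL context can select between them. The new comment also presents the RSA/ECDSA selection for server contexts as current behaviour, and it says client contexts support only a single certificate, but nothing in this message enforces that limit now that the rule is gone. Either keep the limit until the SSL context implementation lands, or reword the comment to say that the selection is not yet in effect and to name where the single-certificate restriction is checked. The neighbouring `tls_certificate_sds_secret_configs` field has no item limit either, so the comment should say whether the same restriction applies to SDS-supplied certificates.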
