diff --git a/BUILD b/BUILD
index 0a3d7c74..869e03ce 100644
--- a/BUILD
+++ b/BUILD
@@ -64,6 +64,7 @@ proto_library(
 "//contrib/envoy/extensions/filters/network/mysql_proxy/v3:pkg",
 "//contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/network/rocketmq_proxy/v3:pkg",
+ "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",
 "//envoy/admin/v3:pkg",
 "//envoy/config/accesslog/v3:pkg",
 "//envoy/config/bootstrap/v3:pkg",
diff --git a/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/BUILD b/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/BUILD
new file mode 100644
index 00000000..1c1a6f6b
--- /dev/null
+++ b/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/BUILD
@@ -0,0 +1,12 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_package(
+ deps = [
+ "//envoy/config/core/v3:pkg",
+ "@com_github_cncf_udpa//udpa/annotations:pkg",
+ ],
+)
diff --git a/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto b/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto
new file mode 100644
index 00000000..aa2d8cd2
--- /dev/null
+++ b/contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto
@@ -0,0 +1,44 @@
+syntax = "proto3";
+
+package envoy.extensions.private_key_providers.cryptomb.v3alpha;
+
+import "envoy/config/core/v3/base.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.private_key_providers.cryptomb.v3alpha";
+option java_outer_classname = "CryptombProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: CryptoMb private key provider]
+// [#extension: envoy.tls.key_providers.cryptomb]
+
+// A CryptoMbPrivateKeyMethodConfig message specifies how the CryptoMb private
+// key provider is configured. The private key provider provides `SIMD`
+// processing for RSA sign and decrypt operations (ECDSA signing uses regular
+// BoringSSL functions). The provider works by gathering the operations into a
+// worker-thread specific queue, and processing the queue using `ipp-crypto`
+// library when the queue is full or when a timer expires.
+// [#extension-category: envoy.tls.key_providers]
+message CryptoMbPrivateKeyMethodConfig {
+ // Private key to use in the private key provider. If set to inline_bytes or
+ // inline_string, the value needs to be the private key in PEM format.
+ config.core.v3.DataSource private_key = 1 [(udpa.annotations.sensitive) = true];
+
+ // How long to wait until the per-thread processing queue should be
+ // processed. If the processing queue gets full (eight sign or decrypt
+ // requests are received) it is processed immediately. However, if the
+ // queue is not filled before the delay has expired, the requests
+ // already in the queue are processed, even if the queue is not full.
+ // In effect, this value controls the balance between latency and
+ // throughput. The duration needs to be set to a non-zero value.
+ google.protobuf.Duration poll_delay = 2 [(validate.rules).duration = { required: true gt {} }];
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index c57ddbb5..b8a81366 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -16,6 +16,7 @@ proto_library(
 "//contrib/envoy/extensions/filters/network/mysql_proxy/v3:pkg",
 "//contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha:pkg",
 "//contrib/envoy/extensions/filters/network/rocketmq_proxy/v3:pkg",
+ "//contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha:pkg",
 "//envoy/admin/v3:pkg",
 "//envoy/config/accesslog/v3:pkg",
 "//envoy/config/bootstrap/v3:pkg",
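Review bot: `poll_delay` is validated only with `required: true` and `gt {}`, so any positive duration is accepted, yet the field comment says the queue is flushed only once eight sign/decrypt requests are pending; on a worker thread that never accumulates eight operations every TLS handshake waits the full delay, and an oversized value silently degrades handshake latency instead of failing validation. The comment should make that bound explicit, e.g. `// On a thread that never fills the queue this is also the worst-case added latency of a single RSA sign/decrypt; no upper bound is enforced by validation.` Since the queue depth of eight is presented as a fixed constant rather than a field, it is worth stating in the same comment whether it is configurable. For `private_key`, the `sensitive` annotation only governs redaction in config output, so the comment could add that inline PEM bytes are still carried in bootstrap/xDS payloads and that a `filename` source is preferable where the provider implementation supports it (that support is not visible in this hunk), and whether encrypted PEM is accepted, as no passphrase field exists here.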