api: enhance v3 CommonTlsContext for agentless support (#11061)

Signed-off-by: Sanjay Pujare <sanjaypujare@users.noreply.github.com>

Mirrored from https://github.com/envoyproxy/envoy @ 639c2268460e5468572d3074c4cd34456fe60a9d
master-ci-test
data-plane-api(CircleCI) 5 years ago
parent 6894107a80
commit cf6e0b61d2
  1. 55
      envoy/extensions/transport_sockets/tls/v3/tls.proto
  2. 56
      envoy/extensions/transport_sockets/tls/v4alpha/tls.proto

@ -2,12 +2,15 @@ syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3;
import "envoy/config/core/v3/extension.proto";
import "envoy/extensions/transport_sockets/tls/v3/common.proto";
import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
@ -96,10 +99,30 @@ message DownstreamTlsContext {
}
// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 9]
// [#next-free-field: 11]
message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
// Config for Certificate provider to get certificates. This provider should allow certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
message CertificateProvider {
// opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
// a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
string name = 1 [(validate.rules).string = {min_bytes: 1}];
// Provider specific config.
// Note: an implementation is expected to dedup multiple instances of the same config
// to maintain a single certificate-provider instance. The sharing can happen, for
// example, among multiple clusters or between the tls_certificate and validation_context
// certificate providers of a cluster.
// This config could be supplied inline or (in future) a named xDS resource.
oneof config {
option (validate.required) = true;
config.core.v3.TypedExtensionConfig typed_config = 2;
}
}
message CombinedCertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext";
@ -108,9 +131,19 @@ message CommonTlsContext {
CertificateValidationContext default_validation_context = 1
[(validate.rules).message = {required: true}];
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 2
[(validate.rules).message = {required: true}];
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
// Only to be used when validation_context_certificate_provider is not used.
SdsSecretConfig validation_context_sds_secret_config = 2 [
(validate.rules).message = {required: true},
(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"
];
// Certificate provider for fetching validation context - only to be used when
// validation_context_sds_secret_config is not used.
// [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 3
[(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"];
}
reserved 5;
@ -126,15 +159,21 @@ message CommonTlsContext {
// used for clients that support ECDSA.
repeated TlsCertificate tls_certificates = 2;
// Configs for fetching TLS certificates via SDS API.
// Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
[(validate.rules).repeated = {max_items: 1}];
// Certificate provider for fetching TLS certificates.
// [#not-implemented-hide:]
CertificateProvider tls_certificate_certificate_provider = 9;
oneof validation_context_type {
// How to validate peer certificates.
CertificateValidationContext validation_context = 3;
// Config for fetching validation context via SDS API.
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
SdsSecretConfig validation_context_sds_secret_config = 7;
// Combined certificate validation context holds a default CertificateValidationContext
@ -145,6 +184,10 @@ message CommonTlsContext {
// CertificateValidationContext, and concatenates repeated fields to default
// CertificateValidationContext, and logical OR is applied to boolean fields.
CombinedCertificateValidationContext combined_validation_context = 8;
// Certificate provider for fetching validation context.
// [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 10;
}
// Supplies the list of ALPN protocols that the listener should expose. In
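Review bot: The dedup rule on `CertificateProvider` ("an implementation is expected to dedup multiple instances of the same config") never states what the identity key is — `name`, `typed_config`, or both — and the examples "ROOTCA"/"TLS" make `name` read as a role selector rather than part of the identity. If instances are keyed on `typed_config` alone, a "ROOTCA" and a "TLS" provider with identical config collapse into one instance, which is presumably harmless; if they are keyed on `name` alone, two clusters declaring different provider configs under the same name would share one instance and one of them would receive trust anchors or certificates from a config it never declared. I would pin the key in the field comment, e.g. `// Instances are deduplicated on the full (name, typed_config) pair; providers that differ in either are distinct instances.`, adjusted to whatever the implementation actually does. Separately, nothing in v3 enforces the "only to be used when ... is not used" exclusivity between `validation_context_sds_secret_config` (field 2, still `required: true`) and `validation_context_certificate_provider` (field 3): until the oneof promotion lands, a message setting only field 3 is rejected by validation and one setting both has no defined precedence, which the comment on field 3 should say.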

@ -2,9 +2,11 @@ syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v4alpha;
import "envoy/config/core/v4alpha/extension.proto";
import "envoy/extensions/transport_sockets/tls/v4alpha/common.proto";
import "envoy/extensions/transport_sockets/tls/v4alpha/secret.proto";
import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
@ -96,11 +98,34 @@ message DownstreamTlsContext {
}
// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 9]
// [#next-free-field: 11]
message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext";
// Config for Certificate provider to get certificates. This provider should allow certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
message CertificateProvider {
option (udpa.annotations.versioning).previous_message_type =
"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProvider";
// opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
// a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
string name = 1 [(validate.rules).string = {min_bytes: 1}];
// Provider specific config.
// Note: an implementation is expected to dedup multiple instances of the same config
// to maintain a single certificate-provider instance. The sharing can happen, for
// example, among multiple clusters or between the tls_certificate and validation_context
// certificate providers of a cluster.
// This config could be supplied inline or (in future) a named xDS resource.
oneof config {
option (validate.required) = true;
config.core.v4alpha.TypedExtensionConfig typed_config = 2;
}
}
message CombinedCertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext."
@ -110,9 +135,18 @@ message CommonTlsContext {
CertificateValidationContext default_validation_context = 1
[(validate.rules).message = {required: true}];
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 2
[(validate.rules).message = {required: true}];
oneof dynamic_validation_context {
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
// Only to be used when validation_context_certificate_provider is not used.
SdsSecretConfig validation_context_sds_secret_config = 2
[(validate.rules).message = {required: true}];
// Certificate provider for fetching validation context - only to be used when
// validation_context_sds_secret_config is not used.
// [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 3;
}
}
reserved 5;
@ -128,15 +162,21 @@ message CommonTlsContext {
// used for clients that support ECDSA.
repeated TlsCertificate tls_certificates = 2;
// Configs for fetching TLS certificates via SDS API.
// Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
[(validate.rules).repeated = {max_items: 1}];
// Certificate provider for fetching TLS certificates.
// [#not-implemented-hide:]
CertificateProvider tls_certificate_certificate_provider = 9;
oneof validation_context_type {
// How to validate peer certificates.
CertificateValidationContext validation_context = 3;
// Config for fetching validation context via SDS API.
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
SdsSecretConfig validation_context_sds_secret_config = 7;
// Combined certificate validation context holds a default CertificateValidationContext
@ -147,6 +187,10 @@ message CommonTlsContext {
// CertificateValidationContext, and concatenates repeated fields to default
// CertificateValidationContext, and logical OR is applied to boolean fields.
CombinedCertificateValidationContext combined_validation_context = 8;
// Certificate provider for fetching validation context.
// [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 10;
}
// Supplies the list of ALPN protocols that the listener should expose. In
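Review bot: Inside the new `dynamic_validation_context` oneof in `CombinedCertificateValidationContext`, `validation_context_sds_secret_config` keeps `(validate.rules).message = {required: true}`, so a message that selects the other member, `validation_context_certificate_provider`, fails validation because the required member is necessarily unset — the provider branch of the oneof can never be used. The file's own `CertificateProvider.config` oneof a few lines above shows the intended shape: put the constraint on the oneof and drop it from the member, i.e. `oneof dynamic_validation_context { option (validate.required) = true; SdsSecretConfig validation_context_sds_secret_config = 2; CertificateProvider validation_context_certificate_provider = 3; }`. The field is behind `[#not-implemented-hide:]`, so nothing is reachable today, but v4alpha is the target of the v3 `oneof_promotion` annotation and the broken constraint is what the migration will carry forward unless fixed here.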
