You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
263 lines
9.0 KiB
263 lines
9.0 KiB
syntax = "proto3"; |
|
|
|
package envoy.api.v2; |
|
|
|
import "api/base.proto"; |
|
import "api/discovery.proto"; |
|
|
|
import "google/api/annotations.proto"; |
|
import "google/protobuf/wrappers.proto"; |
|
|
|
import "validate/validate.proto"; |
|
|
|
// [#protodoc-title: Common TLS configuration] |
|
|
|
service SecretDiscoveryService{ |
|
rpc StreamSecrets(stream DiscoveryRequest) |
|
returns (stream DiscoveryResponse) { |
|
} |
|
|
|
rpc FetchSecrets(DiscoveryRequest) |
|
returns (DiscoveryResponse) { |
|
option (google.api.http) = { |
|
post: "/v2/discovery:secrets" |
|
body: "*" |
|
}; |
|
} |
|
} |
|
|
|
message DataSource { |
|
oneof specifier { |
|
option (validate.required) = true; |
|
|
|
// Local filesystem data source. |
|
string filename = 1 [(validate.rules).string.min_len = 1]; |
|
|
|
// [#not-implemented-hide:] |
|
bytes inline = 2; |
|
} |
|
} |
|
|
|
message TlsParameters { |
|
enum TlsProtocol { |
|
// Envoy will choose the optimal TLS version. |
|
TLS_AUTO = 0; |
|
|
|
// TLS 1.0 |
|
TLSv1_0 = 1; |
|
|
|
// TLS 1.1 |
|
TLSv1_1 = 2; |
|
|
|
// TLS 1.2 |
|
TLSv1_2 = 3; |
|
|
|
// TLS 1.3 |
|
TLSv1_3 = 4; |
|
} |
|
|
|
// Minimum TLS protocol version. |
|
TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum.defined_only = true]; |
|
|
|
// Maximum TLS protocol version. |
|
TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum.defined_only = true]; |
|
|
|
// If specified, the TLS listener will only support the specified `cipher list |
|
// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_. |
|
// If not specified, the default list: |
|
// |
|
// .. code-block:: none |
|
// |
|
// [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] |
|
// [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] |
|
// ECDHE-ECDSA-AES128-SHA256 |
|
// ECDHE-RSA-AES128-SHA256 |
|
// ECDHE-ECDSA-AES128-SHA |
|
// ECDHE-RSA-AES128-SHA |
|
// AES128-GCM-SHA256 |
|
// AES128-SHA256 |
|
// AES128-SHA |
|
// ECDHE-ECDSA-AES256-GCM-SHA384 |
|
// ECDHE-RSA-AES256-GCM-SHA384 |
|
// ECDHE-ECDSA-AES256-SHA384 |
|
// ECDHE-RSA-AES256-SHA384 |
|
// ECDHE-ECDSA-AES256-SHA |
|
// ECDHE-RSA-AES256-SHA |
|
// AES256-GCM-SHA384 |
|
// AES256-SHA256 |
|
// AES256-SHA |
|
// |
|
// will be used. |
|
repeated string cipher_suites = 3; |
|
|
|
// If specified, the TLS connection will only support the specified ECDH |
|
// curves. If not specified, the default curves (X25519, P-256) will be used. |
|
repeated string ecdh_curves = 4; |
|
} |
|
|
|
message TlsCertificate { |
|
// The TLS certificate chain. |
|
DataSource certificate_chain = 1; |
|
|
|
// The TLS private key. |
|
DataSource private_key = 2; |
|
|
|
// [#not-implemented-hide:] |
|
DataSource password = 3; |
|
|
|
// [#not-implemented-hide:] |
|
DataSource ocsp_staple = 4; |
|
|
|
// [#not-implemented-hide:] |
|
repeated DataSource signed_certificate_timestamp = 5; |
|
} |
|
|
|
message TlsSessionTicketKeys { |
|
// Keys for encrypting and decrypting TLS session tickets. The |
|
// first key in the array contains the key to encrypt all new sessions created by this context. |
|
// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys |
|
// by, for example, putting the new key first, and the previous key second. |
|
// |
|
// If :ref:`session_ticket_keys <envoy_api_field_DownstreamTlsContext.session_ticket_keys>` is not |
|
// specified, the TLS library will still support resuming |
|
// sessions via tickets, but it will use an internally-generated and managed key, so sessions |
|
// cannot be resumed across hot restarts or on different hosts. |
|
// |
|
// Each key must contain exactly 80 bytes of cryptographically-secure random data. For |
|
// example, the output of ``openssl rand 80``. |
|
// |
|
// .. attention:: |
|
// |
|
// Using this feature has serious security considerations and risks. Improper handling of keys may |
|
// result in loss of secrecy in connections, even if ciphers supporting perfect forward secrecy |
|
// are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some discussion. |
|
// To minimize the risk, you must: |
|
// |
|
// * Keep the session ticket keys at least as secure as your TLS certificate private keys |
|
// * Rotate session ticket keys at least daily, and preferably hourly |
|
// * Always generate keys using a cryptographically-secure random data source |
|
repeated DataSource keys = 1 [(validate.rules).repeated.min_items = 1]; |
|
} |
|
|
|
message CertificateValidationContext { |
|
// TLS certificate data containing certificate authority certificates to use in verifying |
|
// a presented client side certificate. If not specified and a client certificate is presented it |
|
// will not be verified. By default, a client certificate is optional, unless one of the additional |
|
// options (:ref:`require_client_certificate <envoy_api_field_DownstreamTlsContext.require_client_certificate>`, |
|
// :ref:`verify_certificate_hash <envoy_api_field_CertificateValidationContext.verify_certificate_hash>`, or |
|
// :ref:`verify_subject_alt_name <envoy_api_field_CertificateValidationContext.verify_subject_alt_name>`) is also |
|
// specified. |
|
DataSource trusted_ca = 1; |
|
|
|
// If specified, Envoy will verify (pin) the hex-encoded SHA-256 hash of |
|
// the presented certificate. |
|
repeated string verify_certificate_hash = 2; |
|
|
|
// If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of |
|
// the Subject Public Key Information (SPKI) of the presented certificate. |
|
// This is the same format as used in HTTP Public Key Pinning. |
|
// [#not-implemented-hide:] |
|
repeated string verify_spki_sha256 = 3; |
|
|
|
// An optional list of subject alternative names. If specified, Envoy will verify that |
|
// the certificate’s subject alternative name matches one of the specified values. |
|
repeated string verify_subject_alt_name = 4; |
|
|
|
// [#not-implemented-hide:] Must present a signed time-stamped OCSP response. |
|
google.protobuf.BoolValue require_ocsp_staple = 5; |
|
|
|
// [#not-implemented-hide:] Must present signed certificate time-stamp. |
|
google.protobuf.BoolValue require_signed_certificate_timestamp = 6; |
|
} |
|
|
|
// TLS context shared by both client and server TLS contexts. |
|
message CommonTlsContext { |
|
// TLS protocol versions, cipher suites etc. |
|
TlsParameters tls_params = 1; |
|
|
|
// Multiple TLS certificates can be associated with the same context. |
|
// E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured. |
|
// |
|
// .. attention:: |
|
// |
|
// Although this is a list, currently only a single certificate is supported. This will be |
|
// relaxed in the future. |
|
repeated TlsCertificate tls_certificates = 2 [(validate.rules).repeated.max_items = 1]; |
|
|
|
// [#not-implemented-hide:] |
|
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6; |
|
|
|
// How to validate peer certificates. |
|
CertificateValidationContext validation_context = 3; |
|
|
|
// Supplies the list of ALPN protocols that the listener should expose. In |
|
// practice this is likely to be set to one of two values (see the |
|
// :ref:`codec_type <config_http_conn_man_codec_type>` parameter in the HTTP connection |
|
// manager for more information): |
|
// |
|
// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. |
|
// * "http/1.1" If the listener is only going to support HTTP/1.1. |
|
// |
|
// There is no default for this parameter. If empty, Envoy will not expose ALPN. |
|
repeated string alpn_protocols = 4; |
|
|
|
// These fields are deprecated and only are used during the interim v1 -> v2 |
|
// transition period for internal purposes. They should not be used outside of |
|
// the Envoy binary. [#not-implemented-hide:] |
|
message DeprecatedV1 { |
|
string alt_alpn_protocols = 1; |
|
} |
|
|
|
// [#not-implemented-hide:] |
|
DeprecatedV1 deprecated_v1 = 5; |
|
} |
|
|
|
message UpstreamTlsContext { |
|
// Common TLS context settings. |
|
CommonTlsContext common_tls_context = 1; |
|
|
|
// SNI string to use when creating TLS backend connections. |
|
string sni = 2; |
|
} |
|
|
|
message DownstreamTlsContext { |
|
// Common TLS context settings. |
|
CommonTlsContext common_tls_context = 1; |
|
|
|
// If specified, Envoy will reject connections without a valid client |
|
// certificate. |
|
google.protobuf.BoolValue require_client_certificate = 2; |
|
|
|
// If specified, Envoy will reject connections without a valid and matching SNI. |
|
// [#not-implemented-hide:] |
|
google.protobuf.BoolValue require_sni = 3; |
|
|
|
oneof session_ticket_keys_type { |
|
// TLS session ticket key settings. |
|
TlsSessionTicketKeys session_ticket_keys = 4; |
|
|
|
// [#not-implemented-hide:] |
|
SdsSecretConfig session_ticket_keys_sds_secret_config = 5; |
|
} |
|
} |
|
|
|
// [#proto-status: experimental] |
|
// [#not-implemented-hide:] |
|
message SdsSecretConfig { |
|
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. |
|
// When both name and config are specified, then secret can be fetched and/or reloaded via SDS. |
|
// When only name is specified, then secret will be loaded from static resources [V2-API-DIFF]. |
|
string name = 1; |
|
ConfigSource sds_config = 2; |
|
} |
|
|
|
// [#proto-status: experimental] |
|
// [#not-implemented-hide:] |
|
message Secret { |
|
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. |
|
string name = 1; |
|
oneof type { |
|
TlsCertificate tls_certificate = 2; |
|
TlsSessionTicketKeys session_ticket_keys = 3; |
|
} |
|
}
|
|
|