You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
165 lines
5.3 KiB
165 lines
5.3 KiB
syntax = "proto3"; |
|
|
|
package envoy.api.v2; |
|
|
|
import "api/base.proto"; |
|
import "api/discovery.proto"; |
|
|
|
import "google/api/annotations.proto"; |
|
import "google/protobuf/wrappers.proto"; |
|
|
|
service SecretDiscoveryService{ |
|
rpc StreamSecrets(stream DiscoveryRequest) |
|
returns (stream DiscoveryResponse) { |
|
} |
|
|
|
rpc FetchSecrets(DiscoveryRequest) |
|
returns (DiscoveryResponse) { |
|
option (google.api.http) = { |
|
post: "/v2/discovery:secrets" |
|
body: "*" |
|
}; |
|
} |
|
} |
|
|
|
message DataSource { |
|
oneof specifier { |
|
string filename = 1; |
|
bytes inline = 2; |
|
} |
|
} |
|
|
|
message TlsParameters { |
|
enum TlsProtocol { |
|
TLS_AUTO = 0; |
|
TLSv1_0 = 1; |
|
TLSv1_1 = 2; |
|
TLSv1_2 = 3; |
|
TLSv1_3 = 4; |
|
} |
|
// Allowed TLS protocols. |
|
TlsProtocol tls_minimum_protocol_version = 1; |
|
TlsProtocol tls_maximum_protocol_version = 2; |
|
|
|
// If specified, the TLS listener will only support the specified cipher list. |
|
repeated string cipher_suites = 3; |
|
|
|
// If specified, the TLS connection will only support the specified ECDH |
|
// curves. If not specified, the default curves (X25519, P-256) will be used. |
|
repeated string ecdh_curves = 4; |
|
} |
|
|
|
// TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may |
|
// be loaded from either. |
|
message TlsCertificate { |
|
DataSource certificate_chain = 1; |
|
DataSource private_key = 2; |
|
DataSource password = 3; |
|
DataSource ocsp_staple = 4; |
|
repeated DataSource signed_certificate_timestamp = 5; |
|
} |
|
|
|
message TlsSessionTicketKeys { |
|
// Keys to encrypt/decrypt TLS session tickets for session resumption. The first |
|
// key is used to encrypt new tickets that are created. All keys are candidates |
|
// for decrypting received tickets. |
|
// |
|
// Each key must be exactly 80 bytes long, containing cryptographically-secure random |
|
// data. For example, the output of "openssl rand 80". |
|
repeated DataSource keys = 1; |
|
} |
|
|
|
message CertificateValidationContext { |
|
// TLS certificate data containing certificate authority certificates to use |
|
// in verifying a presented certificate. If not specified and a certificate is |
|
// presented it will not be verified. |
|
DataSource trusted_ca = 1; |
|
|
|
// If specified, Envoy will verify (pin) hex-encoded SHA-256 hash of |
|
// the presented certificate. |
|
repeated string verify_certificate_hash = 2; |
|
|
|
// If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of |
|
// the Subject Public Key Information (SPKI) of the presented certificate. |
|
// This is the same format as used in HTTP Public Key Pinning. |
|
repeated string verify_spki_sha256 = 3; |
|
|
|
// An optional list of subject alt names. If specified, Envoy will verify that |
|
// the certificate’s subject alt name matches one of the specified values. |
|
repeated string verify_subject_alt_name = 4; |
|
|
|
// Must present a signed time-stamped OCSP response. |
|
google.protobuf.BoolValue require_ocsp_staple = 5; |
|
|
|
// Must present signed certificate time-stamp. |
|
google.protobuf.BoolValue require_signed_certificate_timestamp = 6; |
|
} |
|
|
|
// TLS context shared by both client and server TLS contexts. |
|
message CommonTlsContext { |
|
// TLS protocol versions, cipher suites etc. |
|
TlsParameters tls_params = 1; |
|
|
|
// Multiple TLS certificates can be associated with the same context, |
|
// e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF]. |
|
// TLS certificates can be either configured locally or fetched from SDS. |
|
repeated TlsCertificate tls_certificates = 2; |
|
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6; |
|
|
|
// How to validate peer certificates. |
|
CertificateValidationContext validation_context = 3; |
|
|
|
// Protocols to negotiate over ALPN |
|
repeated string alpn_protocols = 4; |
|
|
|
// These fields are deprecated and only are used during the interim v1 -> v2 |
|
// transition period for internal purposes. They should not be used outside of |
|
// the Envoy binary. |
|
message DeprecatedV1 { |
|
string alt_alpn_protocols = 1; |
|
} |
|
DeprecatedV1 deprecated_v1 = 5; |
|
} |
|
|
|
message UpstreamTlsContext { |
|
CommonTlsContext common_tls_context = 1; |
|
|
|
// SNI string to use when creating TLS backend connections. |
|
string sni = 2; |
|
} |
|
|
|
// [V2-API-DIFF] This has been reworked to support alternative modes of |
|
// certificate/key delivery, for consistency with the upstream TLS context and |
|
// to segregate the client/server aspects of the TLS context. |
|
message DownstreamTlsContext { |
|
CommonTlsContext common_tls_context = 1; |
|
|
|
// If specified, Envoy will reject connections without a valid client |
|
// certificate. |
|
google.protobuf.BoolValue require_client_certificate = 2; |
|
|
|
// If specified, Envoy will reject connections without a valid and matching SNI. |
|
google.protobuf.BoolValue require_sni = 3; |
|
|
|
oneof session_ticket_keys_type { |
|
TlsSessionTicketKeys session_ticket_keys = 4; |
|
SdsSecretConfig session_ticket_keys_sds_secret_config = 5; |
|
} |
|
} |
|
|
|
message SdsSecretConfig { |
|
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. |
|
// When both name and config are specified, then secret can be fetched and/or reloaded via SDS. |
|
// When only name is specified, then secret will be loaded from static resources [V2-API-DIFF]. |
|
string name = 1; |
|
ConfigSource sds_config = 2; |
|
} |
|
|
|
message Secret { |
|
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. |
|
string name = 1; |
|
oneof type { |
|
TlsCertificate tls_certificate = 2; |
|
TlsSessionTicketKeys session_ticket_keys = 3; |
|
} |
|
}
|
|
|