auth


Constants

// Oneof case selectors, grouped by the oneof they describe. A message's
// Which* accessor (e.g. CommonTlsContext.WhichValidationContextType) returns
// one of these so callers can switch on the populated member; by its name the
// *_not_set_case value (0) signals that no member is set. The non-zero values
// are the proto field numbers of the respective members.
const (
	// CommonTlsContext.validation_context_type
	CommonTlsContext_ValidationContextType_not_set_case    case_CommonTlsContext_ValidationContextType = 0
	CommonTlsContext_ValidationContext_case                case_CommonTlsContext_ValidationContextType = 3
	CommonTlsContext_ValidationContextSdsSecretConfig_case case_CommonTlsContext_ValidationContextType = 7
	CommonTlsContext_CombinedValidationContext_case        case_CommonTlsContext_ValidationContextType = 8

	// DownstreamTlsContext.session_ticket_keys_type
	DownstreamTlsContext_SessionTicketKeysType_not_set_case           case_DownstreamTlsContext_SessionTicketKeysType = 0
	DownstreamTlsContext_SessionTicketKeys_case                       case_DownstreamTlsContext_SessionTicketKeysType = 4
	DownstreamTlsContext_SessionTicketKeysSdsSecretConfig_case        case_DownstreamTlsContext_SessionTicketKeysType = 5
	DownstreamTlsContext_DisableStatelessSessionResumption_case       case_DownstreamTlsContext_SessionTicketKeysType = 7

	// PrivateKeyProvider.config_type
	PrivateKeyProvider_ConfigType_not_set_case case_PrivateKeyProvider_ConfigType = 0
	PrivateKeyProvider_Config_case             case_PrivateKeyProvider_ConfigType = 2
	PrivateKeyProvider_TypedConfig_case        case_PrivateKeyProvider_ConfigType = 3

	// Secret.type
	Secret_Type_not_set_case      case_Secret_Type = 0
	Secret_TlsCertificate_case    case_Secret_Type = 2
	Secret_SessionTicketKeys_case case_Secret_Type = 3
	Secret_ValidationContext_case case_Secret_Type = 4
	Secret_GenericSecret_case     case_Secret_Type = 5
)

Variables

// Enum value maps for TlsParameters_TlsProtocol. The forward map is the
// source of truth (number -> name); the inverse name -> number map is derived
// from it at package initialisation so the two cannot drift apart.
var (
	TlsParameters_TlsProtocol_name = map[int32]string{
		0: "TLS_AUTO",
		1: "TLSv1_0",
		2: "TLSv1_1",
		3: "TLSv1_2",
		4: "TLSv1_3",
	}
	TlsParameters_TlsProtocol_value = func() map[string]int32 {
		inverse := make(map[string]int32, len(TlsParameters_TlsProtocol_name))
		for number, label := range TlsParameters_TlsProtocol_name {
			inverse[label] = number
		}
		return inverse
	}()
)

Enum value maps for TlsParameters_TlsProtocol.

// Enum value maps for CertificateValidationContext_TrustChainVerification.
// As with the other enum maps in this package the inverse map is computed from
// the forward one at package initialisation, so the two stay consistent.
var (
	CertificateValidationContext_TrustChainVerification_name = map[int32]string{
		0: "VERIFY_TRUST_CHAIN",
		1: "ACCEPT_UNTRUSTED",
	}
	CertificateValidationContext_TrustChainVerification_value = func() map[string]int32 {
		inverse := make(map[string]int32, len(CertificateValidationContext_TrustChainVerification_name))
		for number, label := range CertificateValidationContext_TrustChainVerification_name {
			inverse[label] = number
		}
		return inverse
	}()
)

Enum value maps for CertificateValidationContext_TrustChainVerification.

// File descriptors for the four .proto files that make up this package. They
// are populated by the generated registration code and are what protoreflect
// consumers use to look the messages up by full name.
var (
	File_envoy_api_v2_auth_cert_proto   protoreflect.FileDescriptor
	File_envoy_api_v2_auth_common_proto protoreflect.FileDescriptor
	File_envoy_api_v2_auth_secret_proto protoreflect.FileDescriptor
	File_envoy_api_v2_auth_tls_proto    protoreflect.FileDescriptor
)

Functions

This section is empty.

Types

type CertificateValidationContext

// CertificateValidationContext describes how a presented peer certificate is
// validated: the CA bundle (and CRLs) to trust, optional SPKI / certificate
// hash pins, Subject Alternative Name matchers, and the trust-chain
// verification mode. It corresponds to the message of the same name in
// envoy/api/v2/auth/common.proto.
type CertificateValidationContext struct {

	// TLS certificate data containing certificate authority certificates to use in verifying
	// a presented peer certificate (e.g. server certificate for clusters or client certificate
	// for listeners). If not specified and a peer certificate is presented it will not be
	// verified. By default, a client certificate is optional, unless one of the additional
	// options (:ref:`require_client_certificate
	// <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
	// :ref:`match_subject_alt_names
	// <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
	// specified.
	//
	// It can optionally contain certificate revocation lists, in which case Envoy will verify
	// that the presented peer certificate has not been revoked by one of the included CRLs.
	//
	// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
	// system CA locations.
	//
	// NOTE(review): with this left unset a presented peer certificate is not chain-verified at
	// all (see above). For any context that is meant to authenticate its peer, confirm this
	// field is populated rather than relying on SAN matching alone.
	TrustedCa *core.DataSource `protobuf:"bytes,1,opt,name=trusted_ca,json=trustedCa,proto3" json:"trusted_ca,omitempty"`
	// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
	// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
	// matches one of the specified values.
	//
	// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -noout -pubkey
	//	  | openssl pkey -pubin -outform DER
	//	  | openssl dgst -sha256 -binary
	//	  | openssl enc -base64
	//	NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
	//
	// This is the format used in HTTP Public Key Pinning.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	//
	// .. attention::
	//
	//	This option is preferred over :ref:`verify_certificate_hash
	//	<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
	//	because SPKI is tied to a private key, so it doesn't change when the certificate
	//	is renewed using the same private key.
	VerifyCertificateSpki []string `` /* 126-byte string literal not displayed */
	// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
	// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
	//
	// A hex-encoded SHA-256 of the certificate can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
	//	df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
	//
	// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
	//	DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
	//
	// Both of those formats are acceptable.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	VerifyCertificateHash []string `` /* 126-byte string literal not displayed */
	// An optional list of Subject Alternative Names. If specified, Envoy will verify that the
	// Subject Alternative Name of the presented certificate matches one of the specified values.
	//
	// .. attention::
	//
	//	Subject Alternative Names are easily spoofable and verifying only them is insecure,
	//	therefore this option must be used together with :ref:`trusted_ca
	//	<envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
	//
	// Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.
	// Use MatchSubjectAltNames instead; it takes a StringMatcher and so can require an exact
	// name where a wildcard SAN entry would otherwise match.
	VerifySubjectAltName []string `protobuf:"bytes,4,rep,name=verify_subject_alt_name,json=verifySubjectAltName,proto3" json:"verify_subject_alt_name,omitempty"`
	// An optional list of Subject Alternative name matchers. Envoy will verify that the
	// Subject Alternative Name of the presented certificate matches one of the specified matches.
	//
	// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
	// configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
	// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
	// it should be configured as shown below.
	//
	// .. code-block:: yaml
	//
	//	match_subject_alt_names:
	//	  exact: "api.example.com"
	//
	// .. attention::
	//
	//	Subject Alternative Names are easily spoofable and verifying only them is insecure,
	//	therefore this option must be used together with :ref:`trusted_ca
	//	<envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
	MatchSubjectAltNames []*matcher.StringMatcher `protobuf:"bytes,9,rep,name=match_subject_alt_names,json=matchSubjectAltNames,proto3" json:"match_subject_alt_names,omitempty"`
	// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
	// Per the tag above this is not implemented in this API version, so presumably setting it
	// enforces nothing — do not count on it as a control.
	RequireOcspStaple *wrapperspb.BoolValue `protobuf:"bytes,5,opt,name=require_ocsp_staple,json=requireOcspStaple,proto3" json:"require_ocsp_staple,omitempty"`
	// [#not-implemented-hide:] Must present signed certificate time-stamp.
	// Same caveat as RequireOcspStaple: tagged not implemented.
	RequireSignedCertificateTimestamp *wrapperspb.BoolValue `` /* 164-byte string literal not displayed */
	// An optional `certificate revocation list
	// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
	// (in PEM format). If specified, Envoy will verify that the presented peer
	// certificate has not been revoked by this CRL. If this DataSource contains
	// multiple CRLs, all of them will be used.
	Crl *core.DataSource `protobuf:"bytes,7,opt,name=crl,proto3" json:"crl,omitempty"`
	// If specified, Envoy will not reject expired certificates.
	//
	// NOTE(review): this removes the validity-period check from verification. Treat a true
	// value as a finding in configuration review unless the reason is documented.
	AllowExpiredCertificate bool `` /* 133-byte string literal not displayed */
	// Certificate trust chain verification mode. The zero value, VERIFY_TRUST_CHAIN, is what an
	// unset field means; ACCEPT_UNTRUSTED lets connections whose certificate fails verification
	// through (see CertificateValidationContext_TrustChainVerification).
	TrustChainVerification CertificateValidationContext_TrustChainVerification `` /* 206-byte string literal not displayed */
	// contains filtered or unexported fields
}

[#next-free-field: 11]

func (*CertificateValidationContext) ClearCrl

func (x *CertificateValidationContext) ClearCrl()

func (*CertificateValidationContext) ClearRequireOcspStaple

func (x *CertificateValidationContext) ClearRequireOcspStaple()

func (*CertificateValidationContext) ClearRequireSignedCertificateTimestamp

func (x *CertificateValidationContext) ClearRequireSignedCertificateTimestamp()

func (*CertificateValidationContext) ClearTrustedCa

func (x *CertificateValidationContext) ClearTrustedCa()

func (*CertificateValidationContext) GetAllowExpiredCertificate

func (x *CertificateValidationContext) GetAllowExpiredCertificate() bool

func (*CertificateValidationContext) GetCrl

func (*CertificateValidationContext) GetMatchSubjectAltNames

func (x *CertificateValidationContext) GetMatchSubjectAltNames() []*matcher.StringMatcher

func (*CertificateValidationContext) GetRequireOcspStaple

func (x *CertificateValidationContext) GetRequireOcspStaple() *wrapperspb.BoolValue

func (*CertificateValidationContext) GetRequireSignedCertificateTimestamp

func (x *CertificateValidationContext) GetRequireSignedCertificateTimestamp() *wrapperspb.BoolValue

func (*CertificateValidationContext) GetTrustChainVerification

func (*CertificateValidationContext) GetTrustedCa

func (x *CertificateValidationContext) GetTrustedCa() *core.DataSource

func (*CertificateValidationContext) GetVerifyCertificateHash

func (x *CertificateValidationContext) GetVerifyCertificateHash() []string

func (*CertificateValidationContext) GetVerifyCertificateSpki

func (x *CertificateValidationContext) GetVerifyCertificateSpki() []string

func (*CertificateValidationContext) GetVerifySubjectAltName deprecated

func (x *CertificateValidationContext) GetVerifySubjectAltName() []string

Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.

func (*CertificateValidationContext) HasCrl

func (x *CertificateValidationContext) HasCrl() bool

func (*CertificateValidationContext) HasRequireOcspStaple

func (x *CertificateValidationContext) HasRequireOcspStaple() bool

func (*CertificateValidationContext) HasRequireSignedCertificateTimestamp

func (x *CertificateValidationContext) HasRequireSignedCertificateTimestamp() bool

func (*CertificateValidationContext) HasTrustedCa

func (x *CertificateValidationContext) HasTrustedCa() bool

func (*CertificateValidationContext) ProtoMessage

func (*CertificateValidationContext) ProtoMessage()

func (*CertificateValidationContext) ProtoReflect

func (*CertificateValidationContext) Reset

func (x *CertificateValidationContext) Reset()

func (*CertificateValidationContext) SetAllowExpiredCertificate

func (x *CertificateValidationContext) SetAllowExpiredCertificate(v bool)

func (*CertificateValidationContext) SetCrl

func (*CertificateValidationContext) SetMatchSubjectAltNames

func (x *CertificateValidationContext) SetMatchSubjectAltNames(v []*matcher.StringMatcher)

func (*CertificateValidationContext) SetRequireOcspStaple

func (x *CertificateValidationContext) SetRequireOcspStaple(v *wrapperspb.BoolValue)

func (*CertificateValidationContext) SetRequireSignedCertificateTimestamp

func (x *CertificateValidationContext) SetRequireSignedCertificateTimestamp(v *wrapperspb.BoolValue)

func (*CertificateValidationContext) SetTrustChainVerification

func (*CertificateValidationContext) SetTrustedCa

func (x *CertificateValidationContext) SetTrustedCa(v *core.DataSource)

func (*CertificateValidationContext) SetVerifyCertificateHash

func (x *CertificateValidationContext) SetVerifyCertificateHash(v []string)

func (*CertificateValidationContext) SetVerifyCertificateSpki

func (x *CertificateValidationContext) SetVerifyCertificateSpki(v []string)

func (*CertificateValidationContext) SetVerifySubjectAltName deprecated

func (x *CertificateValidationContext) SetVerifySubjectAltName(v []string)

Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.

func (*CertificateValidationContext) String

type CertificateValidationContext_TrustChainVerification

// CertificateValidationContext_TrustChainVerification is the peer certificate
// verification mode selected by CertificateValidationContext.TrustChainVerification.
type CertificateValidationContext_TrustChainVerification int32

// The values are assigned with iota and coincide with the proto enum numbers
// (VERIFY_TRUST_CHAIN = 0, ACCEPT_UNTRUSTED = 1), matching the
// CertificateValidationContext_TrustChainVerification_name map.
const (
	// Perform default certificate verification (e.g., against CA / verification lists).
	// This is the zero value, i.e. the mode in effect when the field is left unset.
	CertificateValidationContext_VERIFY_TRUST_CHAIN CertificateValidationContext_TrustChainVerification = iota
	// Connections where the certificate fails verification will be permitted.
	// For HTTP connections, the result of certificate verification can be used in route matching
	// (see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>`).
	//
	// NOTE(review): this moves enforcement out of the TLS handshake; any policy must then be
	// applied by route matching on `validated`, so treat it as a finding in configuration
	// review unless that matching is in place.
	CertificateValidationContext_ACCEPT_UNTRUSTED
)

func (CertificateValidationContext_TrustChainVerification) Descriptor

func (CertificateValidationContext_TrustChainVerification) Enum

func (CertificateValidationContext_TrustChainVerification) Number

func (CertificateValidationContext_TrustChainVerification) String

func (CertificateValidationContext_TrustChainVerification) Type

type CertificateValidationContext_builder

// CertificateValidationContext_builder is the plain-struct form of
// CertificateValidationContext: populate the exported fields and call Build
// (presumably yielding a *CertificateValidationContext — not shown here).
// Field semantics are identical to the message type; the security notes on
// TrustedCa, AllowExpiredCertificate and TrustChainVerification apply here too.
type CertificateValidationContext_builder struct {

	// TLS certificate data containing certificate authority certificates to use in verifying
	// a presented peer certificate (e.g. server certificate for clusters or client certificate
	// for listeners). If not specified and a peer certificate is presented it will not be
	// verified. By default, a client certificate is optional, unless one of the additional
	// options (:ref:`require_client_certificate
	// <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
	// :ref:`match_subject_alt_names
	// <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
	// specified.
	//
	// It can optionally contain certificate revocation lists, in which case Envoy will verify
	// that the presented peer certificate has not been revoked by one of the included CRLs.
	//
	// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
	// system CA locations.
	//
	// NOTE(review): left unset, a presented peer certificate is not chain-verified (see above).
	TrustedCa *core.DataSource
	// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
	// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
	// matches one of the specified values.
	//
	// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -noout -pubkey
	//	  | openssl pkey -pubin -outform DER
	//	  | openssl dgst -sha256 -binary
	//	  | openssl enc -base64
	//	NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
	//
	// This is the format used in HTTP Public Key Pinning.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	//
	// .. attention::
	//
	//	This option is preferred over :ref:`verify_certificate_hash
	//	<envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
	//	because SPKI is tied to a private key, so it doesn't change when the certificate
	//	is renewed using the same private key.
	VerifyCertificateSpki []string
	// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
	// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
	//
	// A hex-encoded SHA-256 of the certificate can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
	//	df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
	//
	// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
	//	DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
	//
	// Both of those formats are acceptable.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	VerifyCertificateHash []string
	// An optional list of Subject Alternative Names. If specified, Envoy will verify that the
	// Subject Alternative Name of the presented certificate matches one of the specified values.
	//
	// .. attention::
	//
	//	Subject Alternative Names are easily spoofable and verifying only them is insecure,
	//	therefore this option must be used together with :ref:`trusted_ca
	//	<envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
	//
	// Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.
	// Use MatchSubjectAltNames instead.
	VerifySubjectAltName []string
	// An optional list of Subject Alternative name matchers. Envoy will verify that the
	// Subject Alternative Name of the presented certificate matches one of the specified matches.
	//
	// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
	// configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
	// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
	// it should be configured as shown below.
	//
	// .. code-block:: yaml
	//
	//	match_subject_alt_names:
	//	  exact: "api.example.com"
	//
	// .. attention::
	//
	//	Subject Alternative Names are easily spoofable and verifying only them is insecure,
	//	therefore this option must be used together with :ref:`trusted_ca
	//	<envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
	MatchSubjectAltNames []*matcher.StringMatcher
	// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
	// Tagged not implemented in this API version; presumably has no effect.
	RequireOcspStaple *wrapperspb.BoolValue
	// [#not-implemented-hide:] Must present signed certificate time-stamp.
	// Tagged not implemented in this API version; presumably has no effect.
	RequireSignedCertificateTimestamp *wrapperspb.BoolValue
	// An optional `certificate revocation list
	// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
	// (in PEM format). If specified, Envoy will verify that the presented peer
	// certificate has not been revoked by this CRL. If this DataSource contains
	// multiple CRLs, all of them will be used.
	Crl *core.DataSource
	// If specified, Envoy will not reject expired certificates.
	// NOTE(review): removes the validity-period check; a true value warrants a documented reason.
	AllowExpiredCertificate bool
	// Certificate trust chain verification mode. The zero value is VERIFY_TRUST_CHAIN;
	// ACCEPT_UNTRUSTED permits connections whose certificate fails verification.
	TrustChainVerification CertificateValidationContext_TrustChainVerification
	// contains filtered or unexported fields
}

func (CertificateValidationContext_builder) Build

type CommonTlsContext

// CommonTlsContext is the TLS context shared by both client and server TLS
// contexts: protocol parameters, the certificates offered (inline or fetched
// via SDS), how peer certificates are validated (a oneof), and the ALPN list.
type CommonTlsContext struct {

	// TLS protocol versions, cipher suites etc.
	TlsParams *TlsParameters `protobuf:"bytes,1,opt,name=tls_params,json=tlsParams,proto3" json:"tls_params,omitempty"`
	// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
	// same context to allow both RSA and ECDSA certificates.
	//
	// Only a single TLS certificate is supported in client contexts. In server contexts, the first
	// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
	// used for clients that support ECDSA.
	TlsCertificates []*TlsCertificate `protobuf:"bytes,2,rep,name=tls_certificates,json=tlsCertificates,proto3" json:"tls_certificates,omitempty"`
	// Configs for fetching TLS certificates via SDS API.
	TlsCertificateSdsSecretConfigs []*SdsSecretConfig `` /* 157-byte string literal not displayed */
	// Types that are valid to be assigned to ValidationContextType:
	//
	//	*CommonTlsContext_ValidationContext
	//	*CommonTlsContext_ValidationContextSdsSecretConfig
	//	*CommonTlsContext_CombinedValidationContext
	//
	// NOTE(review): nothing requires a member to be set. With no validation context there is no
	// trusted_ca, and per the CertificateValidationContext docs a presented peer certificate is
	// then not verified — confirm that is intended wherever this context is used.
	ValidationContextType isCommonTlsContext_ValidationContextType `protobuf_oneof:"validation_context_type"`
	// Supplies the list of ALPN protocols that the listener should expose. In
	// practice this is likely to be set to one of two values (see the
	// :ref:`codec_type
	// <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.codec_type>`
	// parameter in the HTTP connection manager for more information):
	//
	// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
	// * "http/1.1" If the listener is only going to support HTTP/1.1.
	//
	// There is no default for this parameter. If empty, Envoy will not expose ALPN.
	AlpnProtocols []string `protobuf:"bytes,4,rep,name=alpn_protocols,json=alpnProtocols,proto3" json:"alpn_protocols,omitempty"`
	// contains filtered or unexported fields
}

TLS context shared by both client and server TLS contexts. [#next-free-field: 9]

func (*CommonTlsContext) ClearCombinedValidationContext

func (x *CommonTlsContext) ClearCombinedValidationContext()

func (*CommonTlsContext) ClearTlsParams

func (x *CommonTlsContext) ClearTlsParams()

func (*CommonTlsContext) ClearValidationContext

func (x *CommonTlsContext) ClearValidationContext()

func (*CommonTlsContext) ClearValidationContextSdsSecretConfig

func (x *CommonTlsContext) ClearValidationContextSdsSecretConfig()

func (*CommonTlsContext) ClearValidationContextType

func (x *CommonTlsContext) ClearValidationContextType()

func (*CommonTlsContext) GetAlpnProtocols

func (x *CommonTlsContext) GetAlpnProtocols() []string

func (*CommonTlsContext) GetCombinedValidationContext

func (*CommonTlsContext) GetTlsCertificateSdsSecretConfigs

func (x *CommonTlsContext) GetTlsCertificateSdsSecretConfigs() []*SdsSecretConfig

func (*CommonTlsContext) GetTlsCertificates

func (x *CommonTlsContext) GetTlsCertificates() []*TlsCertificate

func (*CommonTlsContext) GetTlsParams

func (x *CommonTlsContext) GetTlsParams() *TlsParameters

func (*CommonTlsContext) GetValidationContext

func (x *CommonTlsContext) GetValidationContext() *CertificateValidationContext

func (*CommonTlsContext) GetValidationContextSdsSecretConfig

func (x *CommonTlsContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig

func (*CommonTlsContext) GetValidationContextType

func (x *CommonTlsContext) GetValidationContextType() isCommonTlsContext_ValidationContextType

func (*CommonTlsContext) HasCombinedValidationContext

func (x *CommonTlsContext) HasCombinedValidationContext() bool

func (*CommonTlsContext) HasTlsParams

func (x *CommonTlsContext) HasTlsParams() bool

func (*CommonTlsContext) HasValidationContext

func (x *CommonTlsContext) HasValidationContext() bool

func (*CommonTlsContext) HasValidationContextSdsSecretConfig

func (x *CommonTlsContext) HasValidationContextSdsSecretConfig() bool

func (*CommonTlsContext) HasValidationContextType

func (x *CommonTlsContext) HasValidationContextType() bool

func (*CommonTlsContext) ProtoMessage

func (*CommonTlsContext) ProtoMessage()

func (*CommonTlsContext) ProtoReflect

func (x *CommonTlsContext) ProtoReflect() protoreflect.Message

func (*CommonTlsContext) Reset

func (x *CommonTlsContext) Reset()

func (*CommonTlsContext) SetAlpnProtocols

func (x *CommonTlsContext) SetAlpnProtocols(v []string)

func (*CommonTlsContext) SetCombinedValidationContext

func (x *CommonTlsContext) SetCombinedValidationContext(v *CommonTlsContext_CombinedCertificateValidationContext)

func (*CommonTlsContext) SetTlsCertificateSdsSecretConfigs

func (x *CommonTlsContext) SetTlsCertificateSdsSecretConfigs(v []*SdsSecretConfig)

func (*CommonTlsContext) SetTlsCertificates

func (x *CommonTlsContext) SetTlsCertificates(v []*TlsCertificate)

func (*CommonTlsContext) SetTlsParams

func (x *CommonTlsContext) SetTlsParams(v *TlsParameters)

func (*CommonTlsContext) SetValidationContext

func (x *CommonTlsContext) SetValidationContext(v *CertificateValidationContext)

func (*CommonTlsContext) SetValidationContextSdsSecretConfig

func (x *CommonTlsContext) SetValidationContextSdsSecretConfig(v *SdsSecretConfig)

func (*CommonTlsContext) String

func (x *CommonTlsContext) String() string

func (*CommonTlsContext) WhichValidationContextType

func (x *CommonTlsContext) WhichValidationContextType() case_CommonTlsContext_ValidationContextType

type CommonTlsContext_CombinedCertificateValidationContext

// CommonTlsContext_CombinedCertificateValidationContext pairs a static default
// CertificateValidationContext with an SDS config from which a dynamic one is
// fetched; the two are merged (dynamic singular fields win, repeated fields
// concatenate, booleans are ORed — see CommonTlsContext_CombinedValidationContext).
//
// NOTE(review): because booleans are ORed, AllowExpiredCertificate ends up true
// if either the default or the SDS-supplied context sets it; the SDS side can
// loosen but never tighten that flag.
type CommonTlsContext_CombinedCertificateValidationContext struct {

	// How to validate peer certificates.
	DefaultValidationContext *CertificateValidationContext `` /* 135-byte string literal not displayed */
	// Config for fetching validation context via SDS API.
	ValidationContextSdsSecretConfig *SdsSecretConfig `` /* 163-byte string literal not displayed */
	// contains filtered or unexported fields
}

func (*CommonTlsContext_CombinedCertificateValidationContext) ClearDefaultValidationContext

func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearDefaultValidationContext()

func (*CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextSdsSecretConfig

func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextSdsSecretConfig()

func (*CommonTlsContext_CombinedCertificateValidationContext) GetDefaultValidationContext

func (*CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextSdsSecretConfig

func (x *CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig

func (*CommonTlsContext_CombinedCertificateValidationContext) HasDefaultValidationContext

func (x *CommonTlsContext_CombinedCertificateValidationContext) HasDefaultValidationContext() bool

func (*CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextSdsSecretConfig

func (x *CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextSdsSecretConfig() bool

func (*CommonTlsContext_CombinedCertificateValidationContext) ProtoMessage

func (*CommonTlsContext_CombinedCertificateValidationContext) ProtoReflect

func (*CommonTlsContext_CombinedCertificateValidationContext) Reset

func (*CommonTlsContext_CombinedCertificateValidationContext) SetDefaultValidationContext

func (*CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextSdsSecretConfig

func (x *CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextSdsSecretConfig(v *SdsSecretConfig)

func (*CommonTlsContext_CombinedCertificateValidationContext) String

type CommonTlsContext_CombinedCertificateValidationContext_builder

// CommonTlsContext_CombinedCertificateValidationContext_builder is the
// plain-struct form of CommonTlsContext_CombinedCertificateValidationContext:
// set the fields and call Build. Field semantics match the message type.
type CommonTlsContext_CombinedCertificateValidationContext_builder struct {

	// How to validate peer certificates.
	DefaultValidationContext *CertificateValidationContext
	// Config for fetching validation context via SDS API.
	ValidationContextSdsSecretConfig *SdsSecretConfig
	// contains filtered or unexported fields
}

func (CommonTlsContext_CombinedCertificateValidationContext_builder) Build

type CommonTlsContext_CombinedValidationContext

// CommonTlsContext_CombinedValidationContext is the ValidationContextType oneof
// member of CommonTlsContext that carries a combined (default + SDS) validation
// context (proto field 8).
type CommonTlsContext_CombinedValidationContext struct {
	// Combined certificate validation context holds a default CertificateValidationContext
	// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
	// and default CertificateValidationContext are merged into a new CertificateValidationContext
	// for validation. This merge is done by Message::MergeFrom(), so dynamic
	// CertificateValidationContext overwrites singular fields in default
	// CertificateValidationContext, and concatenates repeated fields to default
	// CertificateValidationContext, and logical OR is applied to boolean fields.
	CombinedValidationContext *CommonTlsContext_CombinedCertificateValidationContext `protobuf:"bytes,8,opt,name=combined_validation_context,json=combinedValidationContext,proto3,oneof"`
}

type CommonTlsContext_ValidationContext

// CommonTlsContext_ValidationContext is the ValidationContextType oneof member
// of CommonTlsContext that carries a statically configured
// CertificateValidationContext (proto field 3).
type CommonTlsContext_ValidationContext struct {
	// How to validate peer certificates.
	ValidationContext *CertificateValidationContext `protobuf:"bytes,3,opt,name=validation_context,json=validationContext,proto3,oneof"`
}

type CommonTlsContext_ValidationContextSdsSecretConfig

// CommonTlsContext_ValidationContextSdsSecretConfig is the ValidationContextType
// oneof member of CommonTlsContext under which the whole validation context is
// fetched via SDS rather than configured inline (proto field 7).
type CommonTlsContext_ValidationContextSdsSecretConfig struct {
	// Config for fetching validation context via SDS API.
	ValidationContextSdsSecretConfig *SdsSecretConfig `protobuf:"bytes,7,opt,name=validation_context_sds_secret_config,json=validationContextSdsSecretConfig,proto3,oneof"`
}

type CommonTlsContext_builder

// CommonTlsContext_builder builds a CommonTlsContext: the TLS settings
// embedded by DownstreamTlsContext (and, presumably, its upstream counterpart)
// — protocol parameters, the certificates Envoy presents, how peers are
// validated, and the ALPN list. At most one of the three ValidationContextType
// members (ValidationContext, ValidationContextSdsSecretConfig,
// CombinedValidationContext) may be set.
type CommonTlsContext_builder struct {

	// TLS protocol versions, cipher suites etc. TlsParameters documents the
	// defaults that apply when its fields are unset (minimum version TLSv1_2).
	TlsParams *TlsParameters
	// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
	// same context to allow both RSA and ECDSA certificates.
	//
	// Only a single TLS certificate is supported in client contexts. In server contexts, the first
	// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
	// used for clients that support ECDSA.
	//
	// Each entry carries private-key material (or a private-key provider); see
	// TlsCertificate for the handling caveats.
	TlsCertificates []*TlsCertificate
	// Configs for fetching TLS certificates via SDS API.
	TlsCertificateSdsSecretConfigs []*SdsSecretConfig
	// Fields of oneof ValidationContextType:
	// How to validate peer certificates.
	ValidationContext *CertificateValidationContext
	// Config for fetching validation context via SDS API.
	ValidationContextSdsSecretConfig *SdsSecretConfig
	// Combined certificate validation context holds a default CertificateValidationContext
	// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
	// and default CertificateValidationContext are merged into a new CertificateValidationContext
	// for validation. This merge is done by Message::MergeFrom(), so dynamic
	// CertificateValidationContext overwrites singular fields in default
	// CertificateValidationContext, and concatenates repeated fields to default
	// CertificateValidationContext, and logical OR is applied to boolean fields.
	//
	// Because booleans are OR-ed and repeated fields are concatenated, a true
	// flag or an extra list entry from either side survives the merge; only
	// singular non-boolean fields can be overridden by the SDS payload. Set the
	// static default no more permissively than the SDS payload is expected to be.
	CombinedValidationContext *CommonTlsContext_CombinedCertificateValidationContext
	// -- end of ValidationContextType
	// Supplies the list of ALPN protocols that the listener should expose. In
	// practice this is likely to be set to one of two values (see the
	// :ref:`codec_type
	// <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.codec_type>`
	// parameter in the HTTP connection manager for more information):
	//
	// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
	// * "http/1.1" If the listener is only going to support HTTP/1.1.
	//
	// There is no default for this parameter. If empty, Envoy will not expose ALPN.
	AlpnProtocols []string
	// contains filtered or unexported fields
}

func (CommonTlsContext_builder) Build

type DownstreamTlsContext

// DownstreamTlsContext is the TLS configuration for the server (listener)
// side of a connection: the shared CommonTlsContext plus server-only settings
// — client-certificate requirement, SNI requirement, session-ticket keys and
// session lifetime.
type DownstreamTlsContext struct {

	// Common TLS context settings.
	CommonTlsContext *CommonTlsContext `protobuf:"bytes,1,opt,name=common_tls_context,json=commonTlsContext,proto3" json:"common_tls_context,omitempty"`
	// If specified, Envoy will reject connections without a valid client
	// certificate.
	//
	// This is a BoolValue wrapper: nil (unset) and an explicit false both mean
	// client certificates are not required, so check both
	// HasRequireClientCertificate and the wrapped value when auditing a config.
	// NOTE(review): "valid" is judged against the validation context configured
	// on CommonTlsContext — confirm one is actually set whenever this is true,
	// otherwise there is nothing for the presented certificate to be validated
	// against.
	RequireClientCertificate *wrapperspb.BoolValue `` /* 135-byte string literal not displayed */
	// If specified, Envoy will reject connections without a valid and matching SNI.
	// [#not-implemented-hide:]
	//
	// Marked not-implemented upstream: do not rely on this field to enforce SNI;
	// setting it is presumably a no-op in this API version.
	RequireSni *wrapperspb.BoolValue `protobuf:"bytes,3,opt,name=require_sni,json=requireSni,proto3" json:"require_sni,omitempty"`
	// Types that are valid to be assigned to SessionTicketKeysType:
	//
	//	*DownstreamTlsContext_SessionTicketKeys
	//	*DownstreamTlsContext_SessionTicketKeysSdsSecretConfig
	//	*DownstreamTlsContext_DisableStatelessSessionResumption
	//
	// At most one member is set. Ticket keys, however supplied, are secret key
	// material; DownstreamTlsContext_DisableStatelessSessionResumption documents
	// what happens when no keys are configured.
	SessionTicketKeysType isDownstreamTlsContext_SessionTicketKeysType `protobuf_oneof:"session_ticket_keys_type"`
	// If specified, `session_timeout` will change the maximum lifetime (in seconds) of the TLS session.
	// Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
	// Only seconds can be specified (fractional seconds are ignored).
	SessionTimeout *durationpb.Duration `protobuf:"bytes,6,opt,name=session_timeout,json=sessionTimeout,proto3" json:"session_timeout,omitempty"`
	// contains filtered or unexported fields
}

[#next-free-field: 8]

func (*DownstreamTlsContext) ClearCommonTlsContext

func (x *DownstreamTlsContext) ClearCommonTlsContext()

func (*DownstreamTlsContext) ClearDisableStatelessSessionResumption

func (x *DownstreamTlsContext) ClearDisableStatelessSessionResumption()

func (*DownstreamTlsContext) ClearRequireClientCertificate

func (x *DownstreamTlsContext) ClearRequireClientCertificate()

func (*DownstreamTlsContext) ClearRequireSni

func (x *DownstreamTlsContext) ClearRequireSni()

func (*DownstreamTlsContext) ClearSessionTicketKeys

func (x *DownstreamTlsContext) ClearSessionTicketKeys()

func (*DownstreamTlsContext) ClearSessionTicketKeysSdsSecretConfig

func (x *DownstreamTlsContext) ClearSessionTicketKeysSdsSecretConfig()

func (*DownstreamTlsContext) ClearSessionTicketKeysType

func (x *DownstreamTlsContext) ClearSessionTicketKeysType()

func (*DownstreamTlsContext) ClearSessionTimeout

func (x *DownstreamTlsContext) ClearSessionTimeout()

func (*DownstreamTlsContext) GetCommonTlsContext

func (x *DownstreamTlsContext) GetCommonTlsContext() *CommonTlsContext

func (*DownstreamTlsContext) GetDisableStatelessSessionResumption

func (x *DownstreamTlsContext) GetDisableStatelessSessionResumption() bool

func (*DownstreamTlsContext) GetRequireClientCertificate

func (x *DownstreamTlsContext) GetRequireClientCertificate() *wrapperspb.BoolValue

func (*DownstreamTlsContext) GetRequireSni

func (x *DownstreamTlsContext) GetRequireSni() *wrapperspb.BoolValue

func (*DownstreamTlsContext) GetSessionTicketKeys

func (x *DownstreamTlsContext) GetSessionTicketKeys() *TlsSessionTicketKeys

func (*DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig

func (x *DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig() *SdsSecretConfig

func (*DownstreamTlsContext) GetSessionTicketKeysType

func (x *DownstreamTlsContext) GetSessionTicketKeysType() isDownstreamTlsContext_SessionTicketKeysType

func (*DownstreamTlsContext) GetSessionTimeout

func (x *DownstreamTlsContext) GetSessionTimeout() *durationpb.Duration

func (*DownstreamTlsContext) HasCommonTlsContext

func (x *DownstreamTlsContext) HasCommonTlsContext() bool

func (*DownstreamTlsContext) HasDisableStatelessSessionResumption

func (x *DownstreamTlsContext) HasDisableStatelessSessionResumption() bool

func (*DownstreamTlsContext) HasRequireClientCertificate

func (x *DownstreamTlsContext) HasRequireClientCertificate() bool

func (*DownstreamTlsContext) HasRequireSni

func (x *DownstreamTlsContext) HasRequireSni() bool

func (*DownstreamTlsContext) HasSessionTicketKeys

func (x *DownstreamTlsContext) HasSessionTicketKeys() bool

func (*DownstreamTlsContext) HasSessionTicketKeysSdsSecretConfig

func (x *DownstreamTlsContext) HasSessionTicketKeysSdsSecretConfig() bool

func (*DownstreamTlsContext) HasSessionTicketKeysType

func (x *DownstreamTlsContext) HasSessionTicketKeysType() bool

func (*DownstreamTlsContext) HasSessionTimeout

func (x *DownstreamTlsContext) HasSessionTimeout() bool

func (*DownstreamTlsContext) ProtoMessage

func (*DownstreamTlsContext) ProtoMessage()

func (*DownstreamTlsContext) ProtoReflect

func (x *DownstreamTlsContext) ProtoReflect() protoreflect.Message

func (*DownstreamTlsContext) Reset

func (x *DownstreamTlsContext) Reset()

func (*DownstreamTlsContext) SetCommonTlsContext

func (x *DownstreamTlsContext) SetCommonTlsContext(v *CommonTlsContext)

func (*DownstreamTlsContext) SetDisableStatelessSessionResumption

func (x *DownstreamTlsContext) SetDisableStatelessSessionResumption(v bool)

func (*DownstreamTlsContext) SetRequireClientCertificate

func (x *DownstreamTlsContext) SetRequireClientCertificate(v *wrapperspb.BoolValue)

func (*DownstreamTlsContext) SetRequireSni

func (x *DownstreamTlsContext) SetRequireSni(v *wrapperspb.BoolValue)

func (*DownstreamTlsContext) SetSessionTicketKeys

func (x *DownstreamTlsContext) SetSessionTicketKeys(v *TlsSessionTicketKeys)

func (*DownstreamTlsContext) SetSessionTicketKeysSdsSecretConfig

func (x *DownstreamTlsContext) SetSessionTicketKeysSdsSecretConfig(v *SdsSecretConfig)

func (*DownstreamTlsContext) SetSessionTimeout

func (x *DownstreamTlsContext) SetSessionTimeout(v *durationpb.Duration)

func (*DownstreamTlsContext) String

func (x *DownstreamTlsContext) String() string

func (*DownstreamTlsContext) WhichSessionTicketKeysType

func (x *DownstreamTlsContext) WhichSessionTicketKeysType() case_DownstreamTlsContext_SessionTicketKeysType

type DownstreamTlsContext_DisableStatelessSessionResumption

// DownstreamTlsContext_DisableStatelessSessionResumption is the oneof wrapper
// (field 7 of SessionTicketKeysType) that turns stateless, ticket-based
// session resumption off instead of supplying ticket keys.
type DownstreamTlsContext_DisableStatelessSessionResumption struct {
	// Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
	// server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
	// If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
	// the keys specified through either :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
	// or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
	// If this config is set to false and no keys are explicitly configured, the TLS server will issue
	// TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
	// implication that sessions cannot be resumed across hot restarts or on different hosts.
	//
	// NOTE(review): a session ticket key can decrypt every session resumed under
	// it, so when keys ARE supplied through the sibling oneof members treat them
	// with the same care as the server private key and rotate them. The
	// internally-generated key described above is never shared across restarts
	// or hosts, which is the safer default at the cost of cross-host resumption.
	DisableStatelessSessionResumption bool `protobuf:"varint,7,opt,name=disable_stateless_session_resumption,json=disableStatelessSessionResumption,proto3,oneof"`
}

type DownstreamTlsContext_SessionTicketKeys

// DownstreamTlsContext_SessionTicketKeys is the oneof wrapper (field 4 of
// SessionTicketKeysType) supplying session ticket keys statically.
type DownstreamTlsContext_SessionTicketKeys struct {
	// TLS session ticket key settings. These keys encrypt the tickets handed to
	// clients and are therefore secret material: anyone holding them can decrypt
	// sessions resumed with them. NOTE(review): prefer delivering them via the
	// SDS sibling member where rotation is possible, and keep static keys out of
	// configs that are logged or widely readable.
	SessionTicketKeys *TlsSessionTicketKeys `protobuf:"bytes,4,opt,name=session_ticket_keys,json=sessionTicketKeys,proto3,oneof"`
}

type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig

// DownstreamTlsContext_SessionTicketKeysSdsSecretConfig is the oneof wrapper
// (field 5 of SessionTicketKeysType) fetching session ticket keys via SDS.
type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig struct {
	// Config for fetching TLS session ticket keys via SDS API. The SDS source
	// delivers a Secret whose Type is Secret_SessionTicketKeys under this name;
	// as with any secret fetched over SDS, the ConfigSource channel should be
	// authenticated (see SdsSecretConfig).
	SessionTicketKeysSdsSecretConfig *SdsSecretConfig `protobuf:"bytes,5,opt,name=session_ticket_keys_sds_secret_config,json=sessionTicketKeysSdsSecretConfig,proto3,oneof"`
}

type DownstreamTlsContext_builder

// DownstreamTlsContext_builder builds a DownstreamTlsContext, the server-side
// (listener) TLS configuration. At most one of the three SessionTicketKeysType
// members (SessionTicketKeys, SessionTicketKeysSdsSecretConfig,
// DisableStatelessSessionResumption) may be set.
type DownstreamTlsContext_builder struct {

	// Common TLS context settings.
	CommonTlsContext *CommonTlsContext
	// If specified, Envoy will reject connections without a valid client
	// certificate.
	//
	// BoolValue wrapper: nil (unset) and an explicit false both mean client
	// certificates are not required. NOTE(review): "valid" is judged against the
	// validation context on CommonTlsContext — confirm one is configured
	// whenever this is true.
	RequireClientCertificate *wrapperspb.BoolValue
	// If specified, Envoy will reject connections without a valid and matching SNI.
	// [#not-implemented-hide:]
	//
	// Marked not-implemented upstream: do not rely on this field to enforce SNI.
	RequireSni *wrapperspb.BoolValue
	// Fields of oneof SessionTicketKeysType:
	// TLS session ticket key settings. Secret material: a ticket key decrypts
	// every session resumed under it.
	SessionTicketKeys *TlsSessionTicketKeys
	// Config for fetching TLS session ticket keys via SDS API.
	SessionTicketKeysSdsSecretConfig *SdsSecretConfig
	// Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
	// server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
	// If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
	// the keys specified through either :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
	// or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
	// If this config is set to false and no keys are explicitly configured, the TLS server will issue
	// TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
	// implication that sessions cannot be resumed across hot restarts or on different hosts.
	//
	// A *bool here rather than bool: nil leaves this oneof member unselected,
	// whereas a non-nil pointer (to either true or false) selects it.
	DisableStatelessSessionResumption *bool
	// -- end of SessionTicketKeysType
	// If specified, `session_timeout` will change the maximum lifetime (in seconds) of the TLS session.
	// Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
	// Only seconds can be specified (fractional seconds are ignored).
	SessionTimeout *durationpb.Duration
	// contains filtered or unexported fields
}

func (DownstreamTlsContext_builder) Build

type GenericSecret

// GenericSecret is an opaque secret (Secret_GenericSecret) that is not
// interpreted by the TLS layer but made available to filters.
type GenericSecret struct {

	// Secret of generic type and is available to filters. The DataSource may
	// point at a file or carry the value inline; NOTE(review): an inline value
	// lives in the config itself and is exposed wherever that config is stored,
	// dumped or logged — confirm the delivery path for this secret.
	Secret *core.DataSource `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
	// contains filtered or unexported fields
}

func (*GenericSecret) ClearSecret

func (x *GenericSecret) ClearSecret()

func (*GenericSecret) GetSecret

func (x *GenericSecret) GetSecret() *core.DataSource

func (*GenericSecret) HasSecret

func (x *GenericSecret) HasSecret() bool

func (*GenericSecret) ProtoMessage

func (*GenericSecret) ProtoMessage()

func (*GenericSecret) ProtoReflect

func (x *GenericSecret) ProtoReflect() protoreflect.Message

func (*GenericSecret) Reset

func (x *GenericSecret) Reset()

func (*GenericSecret) SetSecret

func (x *GenericSecret) SetSecret(v *core.DataSource)

func (*GenericSecret) String

func (x *GenericSecret) String() string

type GenericSecret_builder

// GenericSecret_builder builds a GenericSecret: an opaque secret handed to
// filters rather than interpreted by the TLS layer.
type GenericSecret_builder struct {

	// Secret of generic type and is available to filters. NOTE(review): if the
	// DataSource carries the value inline, the secret is part of the config and
	// is exposed wherever the config is stored or logged.
	Secret *core.DataSource
	// contains filtered or unexported fields
}

func (GenericSecret_builder) Build

type PrivateKeyProvider

// PrivateKeyProvider configures a BoringSSL private key method provider: an
// external (possibly asynchronous) signer/decryptor used in place of an inline
// private key, e.g. for TPM-backed keys or TLS acceleration. It is referenced
// from TlsCertificate.PrivateKeyProvider and is mutually exclusive with
// TlsCertificate.PrivateKey.
type PrivateKeyProvider struct {

	// Private key method provider name. The name must match a
	// supported private key method provider type.
	//
	// NOTE(review): the named provider performs the private-key operations on
	// Envoy's behalf, so it — and the config below — is part of the trusted
	// computing base for this certificate's key.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
	// Private key method provider specific configuration.
	//
	// Types that are valid to be assigned to ConfigType:
	//
	//	*PrivateKeyProvider_Config
	//	*PrivateKeyProvider_TypedConfig
	//
	// PrivateKeyProvider_Config (an untyped Struct) is deprecated; new config
	// should use PrivateKeyProvider_TypedConfig.
	ConfigType isPrivateKeyProvider_ConfigType `protobuf_oneof:"config_type"`
	// contains filtered or unexported fields
}

BoringSSL private key method configuration. The private key methods are used for external (potentially asynchronous) signing and decryption operations. Some use cases for private key methods would be TPM support and TLS acceleration.

func (*PrivateKeyProvider) ClearConfig deprecated

func (x *PrivateKeyProvider) ClearConfig()

Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.

func (*PrivateKeyProvider) ClearConfigType

func (x *PrivateKeyProvider) ClearConfigType()

func (*PrivateKeyProvider) ClearTypedConfig

func (x *PrivateKeyProvider) ClearTypedConfig()

func (*PrivateKeyProvider) GetConfig deprecated

func (x *PrivateKeyProvider) GetConfig() *structpb.Struct

Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.

func (*PrivateKeyProvider) GetConfigType

func (x *PrivateKeyProvider) GetConfigType() isPrivateKeyProvider_ConfigType

func (*PrivateKeyProvider) GetProviderName

func (x *PrivateKeyProvider) GetProviderName() string

func (*PrivateKeyProvider) GetTypedConfig

func (x *PrivateKeyProvider) GetTypedConfig() *anypb.Any

func (*PrivateKeyProvider) HasConfig deprecated

func (x *PrivateKeyProvider) HasConfig() bool

Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.

func (*PrivateKeyProvider) HasConfigType

func (x *PrivateKeyProvider) HasConfigType() bool

func (*PrivateKeyProvider) HasTypedConfig

func (x *PrivateKeyProvider) HasTypedConfig() bool

func (*PrivateKeyProvider) ProtoMessage

func (*PrivateKeyProvider) ProtoMessage()

func (*PrivateKeyProvider) ProtoReflect

func (x *PrivateKeyProvider) ProtoReflect() protoreflect.Message

func (*PrivateKeyProvider) Reset

func (x *PrivateKeyProvider) Reset()

func (*PrivateKeyProvider) SetConfig deprecated

func (x *PrivateKeyProvider) SetConfig(v *structpb.Struct)

Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.

func (*PrivateKeyProvider) SetProviderName

func (x *PrivateKeyProvider) SetProviderName(v string)

func (*PrivateKeyProvider) SetTypedConfig

func (x *PrivateKeyProvider) SetTypedConfig(v *anypb.Any)

func (*PrivateKeyProvider) String

func (x *PrivateKeyProvider) String() string

func (*PrivateKeyProvider) WhichConfigType

func (x *PrivateKeyProvider) WhichConfigType() case_PrivateKeyProvider_ConfigType

type PrivateKeyProvider_Config

// PrivateKeyProvider_Config is the deprecated, untyped form of the provider
// configuration (field 2 of ConfigType); prefer PrivateKeyProvider_TypedConfig.
type PrivateKeyProvider_Config struct {
	// Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.
	// A free-form Struct carries no type URL, so the provider's config cannot be
	// validated against a schema before it is handed to the provider.
	Config *structpb.Struct `protobuf:"bytes,2,opt,name=config,proto3,oneof"`
}

type PrivateKeyProvider_TypedConfig

// PrivateKeyProvider_TypedConfig is the supported form of the provider
// configuration (field 3 of ConfigType): an Any whose type URL identifies the
// provider-specific config message.
type PrivateKeyProvider_TypedConfig struct {
	// Provider-specific configuration, typed via the Any's type URL.
	TypedConfig *anypb.Any `protobuf:"bytes,3,opt,name=typed_config,json=typedConfig,proto3,oneof"`
}

type PrivateKeyProvider_builder

// PrivateKeyProvider_builder builds a PrivateKeyProvider. At most one of the
// two ConfigType members (Config, TypedConfig) may be set; Config is deprecated.
type PrivateKeyProvider_builder struct {

	// Private key method provider name. The name must match a
	// supported private key method provider type. The named provider performs
	// the private-key operations, so it is part of the trusted computing base
	// for the certificate's key.
	ProviderName string

	// Fields of oneof ConfigType:
	// Deprecated: Marked as deprecated in envoy/api/v2/auth/common.proto.
	// Config is the untyped (Struct) form and is deprecated; TypedConfig is the
	// supported form and carries a type URL for the provider-specific message.
	Config      *structpb.Struct
	TypedConfig *anypb.Any
	// contains filtered or unexported fields
}

func (PrivateKeyProvider_builder) Build

type SdsSecretConfig

// SdsSecretConfig names a secret and, optionally, the SDS source it is fetched
// from. It is the reference type used wherever a certificate, validation
// context or session-ticket keys may be delivered dynamically.
type SdsSecretConfig struct {

	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	// When both name and config are specified, then secret can be fetched and/or reloaded via
	// SDS. When only name is specified, then secret will be loaded from static resources.
	//
	// SdsConfig is the xDS ConfigSource that serves the secret. NOTE(review):
	// whoever can answer on that channel can supply the private key, certificate
	// or trust bundle this name refers to, so confirm the ConfigSource is an
	// authenticated (e.g. mutually authenticated) channel and not a plaintext
	// or unauthenticated endpoint.
	Name      string             `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	SdsConfig *core.ConfigSource `protobuf:"bytes,2,opt,name=sds_config,json=sdsConfig,proto3" json:"sds_config,omitempty"`
	// contains filtered or unexported fields
}

func (*SdsSecretConfig) ClearSdsConfig

func (x *SdsSecretConfig) ClearSdsConfig()

func (*SdsSecretConfig) GetName

func (x *SdsSecretConfig) GetName() string

func (*SdsSecretConfig) GetSdsConfig

func (x *SdsSecretConfig) GetSdsConfig() *core.ConfigSource

func (*SdsSecretConfig) HasSdsConfig

func (x *SdsSecretConfig) HasSdsConfig() bool

func (*SdsSecretConfig) ProtoMessage

func (*SdsSecretConfig) ProtoMessage()

func (*SdsSecretConfig) ProtoReflect

func (x *SdsSecretConfig) ProtoReflect() protoreflect.Message

func (*SdsSecretConfig) Reset

func (x *SdsSecretConfig) Reset()

func (*SdsSecretConfig) SetName

func (x *SdsSecretConfig) SetName(v string)

func (*SdsSecretConfig) SetSdsConfig

func (x *SdsSecretConfig) SetSdsConfig(v *core.ConfigSource)

func (*SdsSecretConfig) String

func (x *SdsSecretConfig) String() string

type SdsSecretConfig_builder

// SdsSecretConfig_builder builds an SdsSecretConfig: a secret name plus the
// optional SDS ConfigSource it is fetched from.
type SdsSecretConfig_builder struct {

	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	// When both name and config are specified, then secret can be fetched and/or reloaded via
	// SDS. When only name is specified, then secret will be loaded from static resources.
	//
	// SdsConfig is the xDS ConfigSource serving the secret. NOTE(review): it
	// must be an authenticated channel — whoever answers on it supplies the key
	// material or trust bundle this name refers to.
	Name      string
	SdsConfig *core.ConfigSource
	// contains filtered or unexported fields
}

func (SdsSecretConfig_builder) Build

type Secret

// Secret is the resource delivered by SDS (or declared statically): a name
// plus exactly one payload kind — a TLS certificate, session ticket keys, a
// validation context, or an opaque generic secret.
type Secret struct {

	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	// This is the name an SdsSecretConfig refers to.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Types that are valid to be assigned to Type:
	//
	//	*Secret_TlsCertificate
	//	*Secret_SessionTicketKeys
	//	*Secret_ValidationContext
	//	*Secret_GenericSecret
	//
	// At most one is set. Every variant except ValidationContext carries secret
	// key material; ValidationContext carries trust configuration, which is
	// equally sensitive in the other direction (it decides which peers are
	// accepted).
	Type isSecret_Type `protobuf_oneof:"type"`
	// contains filtered or unexported fields
}

[#next-free-field: 6]

func (*Secret) ClearGenericSecret

func (x *Secret) ClearGenericSecret()

func (*Secret) ClearSessionTicketKeys

func (x *Secret) ClearSessionTicketKeys()

func (*Secret) ClearTlsCertificate

func (x *Secret) ClearTlsCertificate()

func (*Secret) ClearType

func (x *Secret) ClearType()

func (*Secret) ClearValidationContext

func (x *Secret) ClearValidationContext()

func (*Secret) GetGenericSecret

func (x *Secret) GetGenericSecret() *GenericSecret

func (*Secret) GetName

func (x *Secret) GetName() string

func (*Secret) GetSessionTicketKeys

func (x *Secret) GetSessionTicketKeys() *TlsSessionTicketKeys

func (*Secret) GetTlsCertificate

func (x *Secret) GetTlsCertificate() *TlsCertificate

func (*Secret) GetType

func (x *Secret) GetType() isSecret_Type

func (*Secret) GetValidationContext

func (x *Secret) GetValidationContext() *CertificateValidationContext

func (*Secret) HasGenericSecret

func (x *Secret) HasGenericSecret() bool

func (*Secret) HasSessionTicketKeys

func (x *Secret) HasSessionTicketKeys() bool

func (*Secret) HasTlsCertificate

func (x *Secret) HasTlsCertificate() bool

func (*Secret) HasType

func (x *Secret) HasType() bool

func (*Secret) HasValidationContext

func (x *Secret) HasValidationContext() bool

func (*Secret) ProtoMessage

func (*Secret) ProtoMessage()

func (*Secret) ProtoReflect

func (x *Secret) ProtoReflect() protoreflect.Message

func (*Secret) Reset

func (x *Secret) Reset()

func (*Secret) SetGenericSecret

func (x *Secret) SetGenericSecret(v *GenericSecret)

func (*Secret) SetName

func (x *Secret) SetName(v string)

func (*Secret) SetSessionTicketKeys

func (x *Secret) SetSessionTicketKeys(v *TlsSessionTicketKeys)

func (*Secret) SetTlsCertificate

func (x *Secret) SetTlsCertificate(v *TlsCertificate)

func (*Secret) SetValidationContext

func (x *Secret) SetValidationContext(v *CertificateValidationContext)

func (*Secret) String

func (x *Secret) String() string

func (*Secret) WhichType

func (x *Secret) WhichType() case_Secret_Type

type Secret_GenericSecret

// Secret_GenericSecret is the Secret.Type variant (field 5) carrying an opaque
// secret for filters.
type Secret_GenericSecret struct {
	// Opaque secret made available to filters; see GenericSecret.
	GenericSecret *GenericSecret `protobuf:"bytes,5,opt,name=generic_secret,json=genericSecret,proto3,oneof"`
}

type Secret_SessionTicketKeys

// Secret_SessionTicketKeys is the Secret.Type variant (field 3) carrying TLS
// session ticket keys, as fetched by
// DownstreamTlsContext_SessionTicketKeysSdsSecretConfig.
type Secret_SessionTicketKeys struct {
	// Session ticket keys — secret material that decrypts resumed sessions.
	SessionTicketKeys *TlsSessionTicketKeys `protobuf:"bytes,3,opt,name=session_ticket_keys,json=sessionTicketKeys,proto3,oneof"`
}

type Secret_TlsCertificate

// Secret_TlsCertificate is the Secret.Type variant (field 2) carrying a
// certificate chain and its private key (or private-key provider).
type Secret_TlsCertificate struct {
	// Certificate plus private key; see TlsCertificate for the handling caveats.
	TlsCertificate *TlsCertificate `protobuf:"bytes,2,opt,name=tls_certificate,json=tlsCertificate,proto3,oneof"`
}

type Secret_ValidationContext

// Secret_ValidationContext is the Secret.Type variant (field 4) carrying a
// peer-certificate validation context, as fetched by
// CommonTlsContext_ValidationContextSdsSecretConfig or merged by
// CommonTlsContext_CombinedValidationContext.
type Secret_ValidationContext struct {
	// Trust configuration deciding which peers are accepted; not key material,
	// but tampering with it is equivalent to choosing who may connect.
	ValidationContext *CertificateValidationContext `protobuf:"bytes,4,opt,name=validation_context,json=validationContext,proto3,oneof"`
}

type Secret_builder

// Secret_builder builds a Secret. At most one of the four Type members
// (TlsCertificate, SessionTicketKeys, ValidationContext, GenericSecret) may be
// set.
type Secret_builder struct {

	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	// This is the name an SdsSecretConfig refers to.
	Name string
	// Fields of oneof Type:
	// TlsCertificate, SessionTicketKeys and GenericSecret carry secret key
	// material; ValidationContext carries the trust configuration that decides
	// which peers are accepted.
	TlsCertificate    *TlsCertificate
	SessionTicketKeys *TlsSessionTicketKeys
	ValidationContext *CertificateValidationContext
	GenericSecret     *GenericSecret
	// contains filtered or unexported fields
}

func (Secret_builder) Build

func (b0 Secret_builder) Build() *Secret

type TlsCertificate

// TlsCertificate is a certificate chain together with the means to use its
// private key: either the key itself (PrivateKey, optionally password
// protected) or an external PrivateKeyProvider. Setting both is an error.
type TlsCertificate struct {

	// The TLS certificate chain.
	CertificateChain *core.DataSource `protobuf:"bytes,1,opt,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"`
	// The TLS private key.
	// NOTE(review): a DataSource can carry the key inline rather than by file
	// path; an inline key becomes part of the config and is exposed wherever the
	// config is stored, dumped or logged. Prefer a file or an SDS-delivered
	// Secret_TlsCertificate — confirm the delivery path.
	PrivateKey *core.DataSource `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
	// BoringSSL private key method provider. This is an alternative to :ref:`private_key
	// <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
	// marked as `oneof` due to API compatibility reasons. Setting both :ref:`private_key
	// <envoy_api_field_auth.TlsCertificate.private_key>` and
	// :ref:`private_key_provider
	// <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an
	// error.
	//
	// Because this is not a oneof, the exclusivity above is enforced at load
	// time rather than by the type — a config carrying both fields is rejected,
	// not silently resolved.
	PrivateKeyProvider *PrivateKeyProvider `protobuf:"bytes,6,opt,name=private_key_provider,json=privateKeyProvider,proto3" json:"private_key_provider,omitempty"`
	// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
	// TLS private key is not password encrypted.
	//
	// NOTE(review): if the password DataSource is inline and sits in the same
	// config as the key, encrypting the key buys nothing against a reader of
	// that config; keep the password in a separate, more tightly held source.
	Password *core.DataSource `protobuf:"bytes,3,opt,name=password,proto3" json:"password,omitempty"`
	// [#not-implemented-hide:]
	// Documented as not implemented in this API version: do not rely on a
	// staple configured here being served.
	OcspStaple *core.DataSource `protobuf:"bytes,4,opt,name=ocsp_staple,json=ocspStaple,proto3" json:"ocsp_staple,omitempty"`
	// [#not-implemented-hide:]
	// Documented as not implemented in this API version: do not rely on SCTs
	// configured here being served.
	SignedCertificateTimestamp []*core.DataSource `` /* 141-byte string literal not displayed */
	// contains filtered or unexported fields
}

[#next-free-field: 7]

func (*TlsCertificate) ClearCertificateChain

func (x *TlsCertificate) ClearCertificateChain()

func (*TlsCertificate) ClearOcspStaple

func (x *TlsCertificate) ClearOcspStaple()

func (*TlsCertificate) ClearPassword

func (x *TlsCertificate) ClearPassword()

func (*TlsCertificate) ClearPrivateKey

func (x *TlsCertificate) ClearPrivateKey()

func (*TlsCertificate) ClearPrivateKeyProvider

func (x *TlsCertificate) ClearPrivateKeyProvider()

func (*TlsCertificate) GetCertificateChain

func (x *TlsCertificate) GetCertificateChain() *core.DataSource

func (*TlsCertificate) GetOcspStaple

func (x *TlsCertificate) GetOcspStaple() *core.DataSource

func (*TlsCertificate) GetPassword

func (x *TlsCertificate) GetPassword() *core.DataSource

func (*TlsCertificate) GetPrivateKey

func (x *TlsCertificate) GetPrivateKey() *core.DataSource

func (*TlsCertificate) GetPrivateKeyProvider

func (x *TlsCertificate) GetPrivateKeyProvider() *PrivateKeyProvider

func (*TlsCertificate) GetSignedCertificateTimestamp

func (x *TlsCertificate) GetSignedCertificateTimestamp() []*core.DataSource

func (*TlsCertificate) HasCertificateChain

func (x *TlsCertificate) HasCertificateChain() bool

func (*TlsCertificate) HasOcspStaple

func (x *TlsCertificate) HasOcspStaple() bool

func (*TlsCertificate) HasPassword

func (x *TlsCertificate) HasPassword() bool

func (*TlsCertificate) HasPrivateKey

func (x *TlsCertificate) HasPrivateKey() bool

func (*TlsCertificate) HasPrivateKeyProvider

func (x *TlsCertificate) HasPrivateKeyProvider() bool

func (*TlsCertificate) ProtoMessage

func (*TlsCertificate) ProtoMessage()

func (*TlsCertificate) ProtoReflect

func (x *TlsCertificate) ProtoReflect() protoreflect.Message

func (*TlsCertificate) Reset

func (x *TlsCertificate) Reset()

func (*TlsCertificate) SetCertificateChain

func (x *TlsCertificate) SetCertificateChain(v *core.DataSource)

func (*TlsCertificate) SetOcspStaple

func (x *TlsCertificate) SetOcspStaple(v *core.DataSource)

func (*TlsCertificate) SetPassword

func (x *TlsCertificate) SetPassword(v *core.DataSource)

func (*TlsCertificate) SetPrivateKey

func (x *TlsCertificate) SetPrivateKey(v *core.DataSource)

func (*TlsCertificate) SetPrivateKeyProvider

func (x *TlsCertificate) SetPrivateKeyProvider(v *PrivateKeyProvider)

func (*TlsCertificate) SetSignedCertificateTimestamp

func (x *TlsCertificate) SetSignedCertificateTimestamp(v []*core.DataSource)

func (*TlsCertificate) String

func (x *TlsCertificate) String() string

type TlsCertificate_builder

// TlsCertificate_builder builds a TlsCertificate: a certificate chain plus
// either an inline/file private key or an external PrivateKeyProvider (never
// both).
type TlsCertificate_builder struct {

	// The TLS certificate chain.
	CertificateChain *core.DataSource
	// The TLS private key. NOTE(review): an inline DataSource puts the key into
	// the config itself; prefer a file path or an SDS-delivered
	// Secret_TlsCertificate.
	PrivateKey *core.DataSource
	// BoringSSL private key method provider. This is an alternative to :ref:`private_key
	// <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
	// marked as `oneof` due to API compatibility reasons. Setting both :ref:`private_key
	// <envoy_api_field_auth.TlsCertificate.private_key>` and
	// :ref:`private_key_provider
	// <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an
	// error.
	PrivateKeyProvider *PrivateKeyProvider
	// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
	// TLS private key is not password encrypted.
	// NOTE(review): keep the password in a separate, more tightly held source
	// than the key it protects, or the encryption adds nothing.
	Password *core.DataSource
	// [#not-implemented-hide:]
	// Documented as not implemented in this API version.
	OcspStaple *core.DataSource
	// [#not-implemented-hide:]
	// Documented as not implemented in this API version.
	SignedCertificateTimestamp []*core.DataSource
	// contains filtered or unexported fields
}

func (TlsCertificate_builder) Build

type TlsParameters

// TlsParameters bounds the TLS handshake: the protocol version range, the
// TLS 1.0–1.2 cipher list and the ECDH curves. Unset fields take the defaults
// documented on each field; the defaults differ between FIPS and non-FIPS
// builds and between client and server contexts.
type TlsParameters struct {

	// Minimum TLS protocol version. By default, it's `TLSv1_2` for both clients and servers.
	// Lowering this below TLSv1_2 re-enables TLS 1.0/1.1 and is a deliberate
	// downgrade from the default posture; NOTE(review): confirm any such setting
	// is intentional.
	TlsMinimumProtocolVersion TlsParameters_TlsProtocol `` /* 190-byte string literal not displayed */
	// Maximum TLS protocol version. By default, it's `TLSv1_2` for clients and `TLSv1_3` for
	// servers.
	// Note the asymmetry: a client context does not negotiate TLS 1.3 unless
	// this is raised explicitly.
	TlsMaximumProtocolVersion TlsParameters_TlsProtocol `` /* 190-byte string literal not displayed */
	// If specified, the TLS listener will only support the specified `cipher list
	// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
	// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
	// specified, the default list will be used.
	//
	// In non-FIPS builds, the default cipher list is:
	//
	// .. code-block:: none
	//
	//	[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//	[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//	ECDHE-ECDSA-AES128-SHA
	//	ECDHE-RSA-AES128-SHA
	//	AES128-GCM-SHA256
	//	AES128-SHA
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//	ECDHE-ECDSA-AES256-SHA
	//	ECDHE-RSA-AES256-SHA
	//	AES256-GCM-SHA384
	//	AES256-SHA
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
	//
	// .. code-block:: none
	//
	//	ECDHE-ECDSA-AES128-GCM-SHA256
	//	ECDHE-RSA-AES128-GCM-SHA256
	//	ECDHE-ECDSA-AES128-SHA
	//	ECDHE-RSA-AES128-SHA
	//	AES128-GCM-SHA256
	//	AES128-SHA
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//	ECDHE-ECDSA-AES256-SHA
	//	ECDHE-RSA-AES256-SHA
	//	AES256-GCM-SHA384
	//	AES256-SHA
	//
	// Security note on the default lists: in BoringSSL's naming the four entries
	// without an "ECDHE-" prefix (AES128-GCM-SHA256, AES128-SHA,
	// AES256-GCM-SHA384, AES256-SHA) use static RSA key exchange, which gives no
	// forward secrecy, and the entries ending in "-SHA" are CBC/HMAC suites
	// rather than AEAD. A hardened TLS 1.2 profile normally sets cipher_suites
	// explicitly to the ECDHE AEAD entries. TLS 1.3 suites are not governed by
	// this field at all.
	CipherSuites []string `protobuf:"bytes,3,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
	// If specified, the TLS connection will only support the specified ECDH
	// curves. If not specified, the default curves will be used.
	//
	// In non-FIPS builds, the default curves are:
	//
	// .. code-block:: none
	//
	//	X25519
	//	P-256
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
	//
	// .. code-block:: none
	//
	//	P-256
	EcdhCurves []string `protobuf:"bytes,4,rep,name=ecdh_curves,json=ecdhCurves,proto3" json:"ecdh_curves,omitempty"`
	// contains filtered or unexported fields
}

func (*TlsParameters) GetCipherSuites

func (x *TlsParameters) GetCipherSuites() []string

func (*TlsParameters) GetEcdhCurves

func (x *TlsParameters) GetEcdhCurves() []string

func (*TlsParameters) GetTlsMaximumProtocolVersion

func (x *TlsParameters) GetTlsMaximumProtocolVersion() TlsParameters_TlsProtocol

func (*TlsParameters) GetTlsMinimumProtocolVersion

func (x *TlsParameters) GetTlsMinimumProtocolVersion() TlsParameters_TlsProtocol

func (*TlsParameters) ProtoMessage

func (*TlsParameters) ProtoMessage()

func (*TlsParameters) ProtoReflect

func (x *TlsParameters) ProtoReflect() protoreflect.Message

func (*TlsParameters) Reset

func (x *TlsParameters) Reset()

func (*TlsParameters) SetCipherSuites

func (x *TlsParameters) SetCipherSuites(v []string)

func (*TlsParameters) SetEcdhCurves

func (x *TlsParameters) SetEcdhCurves(v []string)

func (*TlsParameters) SetTlsMaximumProtocolVersion

func (x *TlsParameters) SetTlsMaximumProtocolVersion(v TlsParameters_TlsProtocol)

func (*TlsParameters) SetTlsMinimumProtocolVersion

func (x *TlsParameters) SetTlsMinimumProtocolVersion(v TlsParameters_TlsProtocol)

func (*TlsParameters) String

func (x *TlsParameters) String() string

type TlsParameters_TlsProtocol

// TlsParameters_TlsProtocol is the TLS version enum used for
// TlsParameters.TlsMinimumProtocolVersion / TlsMaximumProtocolVersion.
// The numeric values are the proto enum values and must not change: 0 is
// TLS_AUTO, then 1–4 enumerate TLS 1.0 through TLS 1.3 in order, so the
// constants compare in protocol-version order.
type TlsParameters_TlsProtocol int32

const (
	// TLS_AUTO: Envoy will choose the optimal TLS version (value 0).
	TlsParameters_TLS_AUTO TlsParameters_TlsProtocol = iota
	// TLSv1_0: TLS 1.0 (value 1). Below the documented default minimum of
	// TLSv1_2; selecting it as a minimum is a deliberate downgrade.
	TlsParameters_TLSv1_0
	// TLSv1_1: TLS 1.1 (value 2). Likewise below the default minimum.
	TlsParameters_TLSv1_1
	// TLSv1_2: TLS 1.2 (value 3). The documented default minimum for both
	// clients and servers, and the default maximum for clients.
	TlsParameters_TLSv1_2
	// TLSv1_3: TLS 1.3 (value 4). The documented default maximum for servers.
	TlsParameters_TLSv1_3
)

func (TlsParameters_TlsProtocol) Descriptor

func (TlsParameters_TlsProtocol) Enum

func (TlsParameters_TlsProtocol) Number

func (TlsParameters_TlsProtocol) String

func (x TlsParameters_TlsProtocol) String() string

func (TlsParameters_TlsProtocol) Type

type TlsParameters_builder

// TlsParameters_builder holds the exported fields from which Build constructs
// a TlsParameters. Unexported fields are omitted from this listing.
type TlsParameters_builder struct {

	// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers.
	TlsMinimumProtocolVersion TlsParameters_TlsProtocol
	// Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for
	// servers.
	TlsMaximumProtocolVersion TlsParameters_TlsProtocol
	// If specified, the TLS listener will only support the specified `cipher list
	// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
	// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
	// specified, the default list will be used.
	//
	// In non-FIPS builds, the default cipher list is:
	//
	// .. code-block:: none
	//
	//	[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//	[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//	ECDHE-ECDSA-AES128-SHA
	//	ECDHE-RSA-AES128-SHA
	//	AES128-GCM-SHA256
	//	AES128-SHA
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//	ECDHE-ECDSA-AES256-SHA
	//	ECDHE-RSA-AES256-SHA
	//	AES256-GCM-SHA384
	//	AES256-SHA
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
	//
	// .. code-block:: none
	//
	//	ECDHE-ECDSA-AES128-GCM-SHA256
	//	ECDHE-RSA-AES128-GCM-SHA256
	//	ECDHE-ECDSA-AES128-SHA
	//	ECDHE-RSA-AES128-SHA
	//	AES128-GCM-SHA256
	//	AES128-SHA
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//	ECDHE-ECDSA-AES256-SHA
	//	ECDHE-RSA-AES256-SHA
	//	AES256-GCM-SHA384
	//	AES256-SHA
	//
	// NOTE(review): the strings are carried through as configured; nothing in this
	// struct checks that they are valid cipher names — confirm where they are validated.
	CipherSuites []string
	// If specified, the TLS connection will only support the specified ECDH
	// curves. If not specified, the default curves will be used.
	//
	// In non-FIPS builds, the default curves are:
	//
	// .. code-block:: none
	//
	//	X25519
	//	P-256
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
	//
	// .. code-block:: none
	//
	//	P-256
	EcdhCurves []string
	// contains filtered or unexported fields
}

func (TlsParameters_builder) Build

type TlsSessionTicketKeys

// TlsSessionTicketKeys carries the key material used to encrypt and decrypt
// TLS session tickets. Unexported (protobuf-internal) fields are omitted from
// this listing.
type TlsSessionTicketKeys struct {

	// Keys for encrypting and decrypting TLS session tickets. The
	// first key in the array contains the key to encrypt all new sessions created by this context.
	// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
	// by, for example, putting the new key first, and the previous key second.
	//
	// If :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
	// is not specified, the TLS library will still support resuming sessions via tickets, but it will
	// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
	// or on different hosts.
	//
	// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
	// example, the output of ``openssl rand 80``.
	//
	// .. attention::
	//
	//	Using this feature has serious security considerations and risks. Improper handling of keys
	//	may result in loss of secrecy in connections, even if ciphers supporting perfect forward
	//	secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
	//	discussion. To minimize the risk, you must:
	//
	//	* Keep the session ticket keys at least as secure as your TLS certificate private keys
	//	* Rotate session ticket keys at least daily, and preferably hourly
	//	* Always generate keys using a cryptographically-secure random data source
	//
	// NOTE(review): the 80-byte requirement is documented, not enforced by this
	// struct — confirm where key length is validated. Key material supplied
	// through a core.DataSource becomes part of this message, so serialized or
	// logged copies of the config carry the secret; treat them accordingly.
	Keys []*core.DataSource `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
	// contains filtered or unexported fields
}

func (*TlsSessionTicketKeys) GetKeys

func (x *TlsSessionTicketKeys) GetKeys() []*core.DataSource

func (*TlsSessionTicketKeys) ProtoMessage

func (*TlsSessionTicketKeys) ProtoMessage()

func (*TlsSessionTicketKeys) ProtoReflect

func (x *TlsSessionTicketKeys) ProtoReflect() protoreflect.Message

func (*TlsSessionTicketKeys) Reset

func (x *TlsSessionTicketKeys) Reset()

func (*TlsSessionTicketKeys) SetKeys

// SetKeys replaces the session ticket key list. Order matters: the first entry
// encrypts new tickets and every entry is a decryption candidate (see the Keys
// field docs). The slice is stored as given; whether it is copied or aliased
// is not visible here — callers should not mutate it afterwards.
func (x *TlsSessionTicketKeys) SetKeys(v []*core.DataSource)

func (*TlsSessionTicketKeys) String

func (x *TlsSessionTicketKeys) String() string

type TlsSessionTicketKeys_builder

// TlsSessionTicketKeys_builder holds the exported fields from which Build
// constructs a TlsSessionTicketKeys. Unexported fields are omitted from this
// listing.
type TlsSessionTicketKeys_builder struct {

	// Keys for encrypting and decrypting TLS session tickets. The
	// first key in the array contains the key to encrypt all new sessions created by this context.
	// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
	// by, for example, putting the new key first, and the previous key second.
	//
	// If :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
	// is not specified, the TLS library will still support resuming sessions via tickets, but it will
	// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
	// or on different hosts.
	//
	// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
	// example, the output of ``openssl rand 80``.
	//
	// .. attention::
	//
	//	Using this feature has serious security considerations and risks. Improper handling of keys
	//	may result in loss of secrecy in connections, even if ciphers supporting perfect forward
	//	secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
	//	discussion. To minimize the risk, you must:
	//
	//	* Keep the session ticket keys at least as secure as your TLS certificate private keys
	//	* Rotate session ticket keys at least daily, and preferably hourly
	//	* Always generate keys using a cryptographically-secure random data source
	//
	// NOTE(review): the 80-byte requirement is documented, not enforced by this
	// struct — confirm where key length is validated before relying on it.
	Keys []*core.DataSource
	// contains filtered or unexported fields
}

func (TlsSessionTicketKeys_builder) Build

type UpstreamTlsContext

// UpstreamTlsContext configures TLS for connections Envoy initiates to a
// backend. Unexported (protobuf-internal) fields are omitted from this listing.
type UpstreamTlsContext struct {

	// Common TLS context settings.
	//
	// .. attention::
	//
	//	Server certificate verification is not enabled by default. Configure
	//	:ref:`trusted_ca<envoy_api_field_auth.CertificateValidationContext.trusted_ca>` to enable
	//	verification.
	//
	// NOTE(review): per the attention note above, leaving this nil (or omitting a
	// validation context inside it) means the upstream certificate is not verified.
	CommonTlsContext *CommonTlsContext `protobuf:"bytes,1,opt,name=common_tls_context,json=commonTlsContext,proto3" json:"common_tls_context,omitempty"`
	// SNI string to use when creating TLS backend connections.
	//
	// The SNI value travels unencrypted in the TLS ClientHello; do not put
	// anything sensitive in it.
	Sni string `protobuf:"bytes,2,opt,name=sni,proto3" json:"sni,omitempty"`
	// If true, server-initiated TLS renegotiation will be allowed.
	//
	// .. attention::
	//
	//	TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
	AllowRenegotiation bool `protobuf:"varint,3,opt,name=allow_renegotiation,json=allowRenegotiation,proto3" json:"allow_renegotiation,omitempty"`
	// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
	// for TLSv1.2 and older) to store for the purpose of session resumption.
	//
	// Defaults to 1, setting this to 0 disables session resumption.
	//
	// A nil pointer means "unset", which the docs above say behaves as 1; an
	// explicit UInt32Value of 0 is distinct from unset.
	MaxSessionKeys *wrapperspb.UInt32Value `protobuf:"bytes,4,opt,name=max_session_keys,json=maxSessionKeys,proto3" json:"max_session_keys,omitempty"`
	// contains filtered or unexported fields
}

func (*UpstreamTlsContext) ClearCommonTlsContext

func (x *UpstreamTlsContext) ClearCommonTlsContext()

func (*UpstreamTlsContext) ClearMaxSessionKeys

func (x *UpstreamTlsContext) ClearMaxSessionKeys()

func (*UpstreamTlsContext) GetAllowRenegotiation

func (x *UpstreamTlsContext) GetAllowRenegotiation() bool

func (*UpstreamTlsContext) GetCommonTlsContext

func (x *UpstreamTlsContext) GetCommonTlsContext() *CommonTlsContext

func (*UpstreamTlsContext) GetMaxSessionKeys

func (x *UpstreamTlsContext) GetMaxSessionKeys() *wrapperspb.UInt32Value

func (*UpstreamTlsContext) GetSni

func (x *UpstreamTlsContext) GetSni() string

func (*UpstreamTlsContext) HasCommonTlsContext

func (x *UpstreamTlsContext) HasCommonTlsContext() bool

func (*UpstreamTlsContext) HasMaxSessionKeys

func (x *UpstreamTlsContext) HasMaxSessionKeys() bool

func (*UpstreamTlsContext) ProtoMessage

func (*UpstreamTlsContext) ProtoMessage()

func (*UpstreamTlsContext) ProtoReflect

func (x *UpstreamTlsContext) ProtoReflect() protoreflect.Message

func (*UpstreamTlsContext) Reset

func (x *UpstreamTlsContext) Reset()

func (*UpstreamTlsContext) SetAllowRenegotiation

// SetAllowRenegotiation enables or disables server-initiated TLS renegotiation.
// The field docs mark renegotiation as insecure; keep it false unless a
// specific backend requires it, and record why where it is enabled.
func (x *UpstreamTlsContext) SetAllowRenegotiation(v bool)

func (*UpstreamTlsContext) SetCommonTlsContext

func (x *UpstreamTlsContext) SetCommonTlsContext(v *CommonTlsContext)

func (*UpstreamTlsContext) SetMaxSessionKeys

func (x *UpstreamTlsContext) SetMaxSessionKeys(v *wrapperspb.UInt32Value)

func (*UpstreamTlsContext) SetSni

func (x *UpstreamTlsContext) SetSni(v string)

func (*UpstreamTlsContext) String

func (x *UpstreamTlsContext) String() string

type UpstreamTlsContext_builder

// UpstreamTlsContext_builder holds the exported fields from which Build
// constructs an UpstreamTlsContext. Unexported fields are omitted from this
// listing.
type UpstreamTlsContext_builder struct {

	// Common TLS context settings.
	//
	// .. attention::
	//
	//	Server certificate verification is not enabled by default. Configure
	//	:ref:`trusted_ca<envoy_api_field_auth.CertificateValidationContext.trusted_ca>` to enable
	//	verification.
	//
	// NOTE(review): per the attention note above, leaving this nil (or omitting a
	// validation context inside it) means the upstream certificate is not verified.
	CommonTlsContext *CommonTlsContext
	// SNI string to use when creating TLS backend connections.
	//
	// The SNI value travels unencrypted in the TLS ClientHello; do not put
	// anything sensitive in it.
	Sni string
	// If true, server-initiated TLS renegotiation will be allowed.
	//
	// .. attention::
	//
	//	TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
	AllowRenegotiation bool
	// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
	// for TLSv1.2 and older) to store for the purpose of session resumption.
	//
	// Defaults to 1, setting this to 0 disables session resumption.
	//
	// A nil pointer means "unset", which the docs above say behaves as 1; an
	// explicit UInt32Value of 0 is distinct from unset.
	MaxSessionKeys *wrapperspb.UInt32Value
	// contains filtered or unexported fields
}

func (UpstreamTlsContext_builder) Build
