Documentation ¶
Index ¶
- Constants
- Variables
- type CertificateProviderPluginInstance
- func (x *CertificateProviderPluginInstance) GetCertificateName() string
- func (x *CertificateProviderPluginInstance) GetInstanceName() string
- func (*CertificateProviderPluginInstance) ProtoMessage()
- func (x *CertificateProviderPluginInstance) ProtoReflect() protoreflect.Message
- func (x *CertificateProviderPluginInstance) Reset()
- func (x *CertificateProviderPluginInstance) SetCertificateName(v string)
- func (x *CertificateProviderPluginInstance) SetInstanceName(v string)
- func (x *CertificateProviderPluginInstance) String() string
- type CertificateProviderPluginInstance_builder
- type CertificateValidationContext
- func (x *CertificateValidationContext) ClearCaCertificateProviderInstance()
- func (x *CertificateValidationContext) ClearCrl()
- func (x *CertificateValidationContext) ClearCustomValidatorConfig()
- func (x *CertificateValidationContext) ClearMaxVerifyDepth()
- func (x *CertificateValidationContext) ClearRequireSignedCertificateTimestamp()
- func (x *CertificateValidationContext) ClearTrustedCa()
- func (x *CertificateValidationContext) ClearWatchedDirectory()
- func (x *CertificateValidationContext) GetAllowExpiredCertificate() bool
- func (x *CertificateValidationContext) GetCaCertificateProviderInstance() *CertificateProviderPluginInstance
- func (x *CertificateValidationContext) GetCrl() *v3.DataSource
- func (x *CertificateValidationContext) GetCustomValidatorConfig() *v3.TypedExtensionConfig
- func (x *CertificateValidationContext) GetMatchSubjectAltNames() []*v31.StringMatcher (deprecated)
- func (x *CertificateValidationContext) GetMatchTypedSubjectAltNames() []*SubjectAltNameMatcher
- func (x *CertificateValidationContext) GetMaxVerifyDepth() *wrapperspb.UInt32Value
- func (x *CertificateValidationContext) GetOnlyVerifyLeafCertCrl() bool
- func (x *CertificateValidationContext) GetRequireSignedCertificateTimestamp() *wrapperspb.BoolValue
- func (x *CertificateValidationContext) GetTrustChainVerification() CertificateValidationContext_TrustChainVerification
- func (x *CertificateValidationContext) GetTrustedCa() *v3.DataSource
- func (x *CertificateValidationContext) GetVerifyCertificateHash() []string
- func (x *CertificateValidationContext) GetVerifyCertificateSpki() []string
- func (x *CertificateValidationContext) GetWatchedDirectory() *v3.WatchedDirectory
- func (x *CertificateValidationContext) HasCaCertificateProviderInstance() bool
- func (x *CertificateValidationContext) HasCrl() bool
- func (x *CertificateValidationContext) HasCustomValidatorConfig() bool
- func (x *CertificateValidationContext) HasMaxVerifyDepth() bool
- func (x *CertificateValidationContext) HasRequireSignedCertificateTimestamp() bool
- func (x *CertificateValidationContext) HasTrustedCa() bool
- func (x *CertificateValidationContext) HasWatchedDirectory() bool
- func (*CertificateValidationContext) ProtoMessage()
- func (x *CertificateValidationContext) ProtoReflect() protoreflect.Message
- func (x *CertificateValidationContext) Reset()
- func (x *CertificateValidationContext) SetAllowExpiredCertificate(v bool)
- func (x *CertificateValidationContext) SetCaCertificateProviderInstance(v *CertificateProviderPluginInstance)
- func (x *CertificateValidationContext) SetCrl(v *v3.DataSource)
- func (x *CertificateValidationContext) SetCustomValidatorConfig(v *v3.TypedExtensionConfig)
- func (x *CertificateValidationContext) SetMatchSubjectAltNames(v []*v31.StringMatcher) (deprecated)
- func (x *CertificateValidationContext) SetMatchTypedSubjectAltNames(v []*SubjectAltNameMatcher)
- func (x *CertificateValidationContext) SetMaxVerifyDepth(v *wrapperspb.UInt32Value)
- func (x *CertificateValidationContext) SetOnlyVerifyLeafCertCrl(v bool)
- func (x *CertificateValidationContext) SetRequireSignedCertificateTimestamp(v *wrapperspb.BoolValue)
- func (x *CertificateValidationContext) SetTrustChainVerification(v CertificateValidationContext_TrustChainVerification)
- func (x *CertificateValidationContext) SetTrustedCa(v *v3.DataSource)
- func (x *CertificateValidationContext) SetVerifyCertificateHash(v []string)
- func (x *CertificateValidationContext) SetVerifyCertificateSpki(v []string)
- func (x *CertificateValidationContext) SetWatchedDirectory(v *v3.WatchedDirectory)
- func (x *CertificateValidationContext) String() string
- type CertificateValidationContext_TrustChainVerification
- func (CertificateValidationContext_TrustChainVerification) Descriptor() protoreflect.EnumDescriptor
- func (x CertificateValidationContext_TrustChainVerification) Enum() *CertificateValidationContext_TrustChainVerification
- func (x CertificateValidationContext_TrustChainVerification) Number() protoreflect.EnumNumber
- func (x CertificateValidationContext_TrustChainVerification) String() string
- func (CertificateValidationContext_TrustChainVerification) Type() protoreflect.EnumType
- type CertificateValidationContext_builder
- type CommonTlsContext
- func (x *CommonTlsContext) ClearCombinedValidationContext()
- func (x *CommonTlsContext) ClearCustomHandshaker()
- func (x *CommonTlsContext) ClearKeyLog()
- func (x *CommonTlsContext) ClearTlsCertificateCertificateProvider() (deprecated)
- func (x *CommonTlsContext) ClearTlsCertificateCertificateProviderInstance() (deprecated)
- func (x *CommonTlsContext) ClearTlsCertificateProviderInstance()
- func (x *CommonTlsContext) ClearTlsParams()
- func (x *CommonTlsContext) ClearValidationContext()
- func (x *CommonTlsContext) ClearValidationContextCertificateProvider() (deprecated)
- func (x *CommonTlsContext) ClearValidationContextCertificateProviderInstance() (deprecated)
- func (x *CommonTlsContext) ClearValidationContextSdsSecretConfig()
- func (x *CommonTlsContext) ClearValidationContextType()
- func (x *CommonTlsContext) GetAlpnProtocols() []string
- func (x *CommonTlsContext) GetCombinedValidationContext() *CommonTlsContext_CombinedCertificateValidationContext
- func (x *CommonTlsContext) GetCustomHandshaker() *v3.TypedExtensionConfig
- func (x *CommonTlsContext) GetKeyLog() *TlsKeyLog
- func (x *CommonTlsContext) GetTlsCertificateCertificateProvider() *CommonTlsContext_CertificateProvider (deprecated)
- func (x *CommonTlsContext) GetTlsCertificateCertificateProviderInstance() *CommonTlsContext_CertificateProviderInstance (deprecated)
- func (x *CommonTlsContext) GetTlsCertificateProviderInstance() *CertificateProviderPluginInstance
- func (x *CommonTlsContext) GetTlsCertificateSdsSecretConfigs() []*SdsSecretConfig
- func (x *CommonTlsContext) GetTlsCertificates() []*TlsCertificate
- func (x *CommonTlsContext) GetTlsParams() *TlsParameters
- func (x *CommonTlsContext) GetValidationContext() *CertificateValidationContext
- func (x *CommonTlsContext) GetValidationContextCertificateProvider() *CommonTlsContext_CertificateProvider (deprecated)
- func (x *CommonTlsContext) GetValidationContextCertificateProviderInstance() *CommonTlsContext_CertificateProviderInstance (deprecated)
- func (x *CommonTlsContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig
- func (x *CommonTlsContext) GetValidationContextType() isCommonTlsContext_ValidationContextType
- func (x *CommonTlsContext) HasCombinedValidationContext() bool
- func (x *CommonTlsContext) HasCustomHandshaker() bool
- func (x *CommonTlsContext) HasKeyLog() bool
- func (x *CommonTlsContext) HasTlsCertificateCertificateProvider() bool (deprecated)
- func (x *CommonTlsContext) HasTlsCertificateCertificateProviderInstance() bool (deprecated)
- func (x *CommonTlsContext) HasTlsCertificateProviderInstance() bool
- func (x *CommonTlsContext) HasTlsParams() bool
- func (x *CommonTlsContext) HasValidationContext() bool
- func (x *CommonTlsContext) HasValidationContextCertificateProvider() bool (deprecated)
- func (x *CommonTlsContext) HasValidationContextCertificateProviderInstance() bool (deprecated)
- func (x *CommonTlsContext) HasValidationContextSdsSecretConfig() bool
- func (x *CommonTlsContext) HasValidationContextType() bool
- func (*CommonTlsContext) ProtoMessage()
- func (x *CommonTlsContext) ProtoReflect() protoreflect.Message
- func (x *CommonTlsContext) Reset()
- func (x *CommonTlsContext) SetAlpnProtocols(v []string)
- func (x *CommonTlsContext) SetCombinedValidationContext(v *CommonTlsContext_CombinedCertificateValidationContext)
- func (x *CommonTlsContext) SetCustomHandshaker(v *v3.TypedExtensionConfig)
- func (x *CommonTlsContext) SetKeyLog(v *TlsKeyLog)
- func (x *CommonTlsContext) SetTlsCertificateCertificateProvider(v *CommonTlsContext_CertificateProvider) (deprecated)
- func (x *CommonTlsContext) SetTlsCertificateCertificateProviderInstance(v *CommonTlsContext_CertificateProviderInstance) (deprecated)
- func (x *CommonTlsContext) SetTlsCertificateProviderInstance(v *CertificateProviderPluginInstance)
- func (x *CommonTlsContext) SetTlsCertificateSdsSecretConfigs(v []*SdsSecretConfig)
- func (x *CommonTlsContext) SetTlsCertificates(v []*TlsCertificate)
- func (x *CommonTlsContext) SetTlsParams(v *TlsParameters)
- func (x *CommonTlsContext) SetValidationContext(v *CertificateValidationContext)
- func (x *CommonTlsContext) SetValidationContextCertificateProvider(v *CommonTlsContext_CertificateProvider) (deprecated)
- func (x *CommonTlsContext) SetValidationContextCertificateProviderInstance(v *CommonTlsContext_CertificateProviderInstance) (deprecated)
- func (x *CommonTlsContext) SetValidationContextSdsSecretConfig(v *SdsSecretConfig)
- func (x *CommonTlsContext) String() string
- func (x *CommonTlsContext) WhichValidationContextType() case_CommonTlsContext_ValidationContextType
- type CommonTlsContext_CertificateProvider
- func (x *CommonTlsContext_CertificateProvider) ClearConfig()
- func (x *CommonTlsContext_CertificateProvider) ClearTypedConfig()
- func (x *CommonTlsContext_CertificateProvider) GetConfig() isCommonTlsContext_CertificateProvider_Config
- func (x *CommonTlsContext_CertificateProvider) GetName() string
- func (x *CommonTlsContext_CertificateProvider) GetTypedConfig() *v3.TypedExtensionConfig
- func (x *CommonTlsContext_CertificateProvider) HasConfig() bool
- func (x *CommonTlsContext_CertificateProvider) HasTypedConfig() bool
- func (*CommonTlsContext_CertificateProvider) ProtoMessage()
- func (x *CommonTlsContext_CertificateProvider) ProtoReflect() protoreflect.Message
- func (x *CommonTlsContext_CertificateProvider) Reset()
- func (x *CommonTlsContext_CertificateProvider) SetName(v string)
- func (x *CommonTlsContext_CertificateProvider) SetTypedConfig(v *v3.TypedExtensionConfig)
- func (x *CommonTlsContext_CertificateProvider) String() string
- func (x *CommonTlsContext_CertificateProvider) WhichConfig() case_CommonTlsContext_CertificateProvider_Config
- type CommonTlsContext_CertificateProviderInstance
- func (x *CommonTlsContext_CertificateProviderInstance) GetCertificateName() string
- func (x *CommonTlsContext_CertificateProviderInstance) GetInstanceName() string
- func (*CommonTlsContext_CertificateProviderInstance) ProtoMessage()
- func (x *CommonTlsContext_CertificateProviderInstance) ProtoReflect() protoreflect.Message
- func (x *CommonTlsContext_CertificateProviderInstance) Reset()
- func (x *CommonTlsContext_CertificateProviderInstance) SetCertificateName(v string)
- func (x *CommonTlsContext_CertificateProviderInstance) SetInstanceName(v string)
- func (x *CommonTlsContext_CertificateProviderInstance) String() string
- type CommonTlsContext_CertificateProviderInstance_builder
- type CommonTlsContext_CertificateProvider_TypedConfig
- type CommonTlsContext_CertificateProvider_builder
- type CommonTlsContext_CombinedCertificateValidationContext
- func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearDefaultValidationContext()
- func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextCertificateProvider() (deprecated)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextCertificateProviderInstance() (deprecated)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextSdsSecretConfig()
- func (x *CommonTlsContext_CombinedCertificateValidationContext) GetDefaultValidationContext() *CertificateValidationContext
- func (x *CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextCertificateProvider() *CommonTlsContext_CertificateProvider (deprecated)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextCertificateProviderInstance() *CommonTlsContext_CertificateProviderInstance (deprecated)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig
- func (x *CommonTlsContext_CombinedCertificateValidationContext) HasDefaultValidationContext() bool
- func (x *CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextCertificateProvider() bool (deprecated)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextCertificateProviderInstance() bool (deprecated)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextSdsSecretConfig() bool
- func (*CommonTlsContext_CombinedCertificateValidationContext) ProtoMessage()
- func (x *CommonTlsContext_CombinedCertificateValidationContext) ProtoReflect() protoreflect.Message
- func (x *CommonTlsContext_CombinedCertificateValidationContext) Reset()
- func (x *CommonTlsContext_CombinedCertificateValidationContext) SetDefaultValidationContext(v *CertificateValidationContext)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextCertificateProvider(v *CommonTlsContext_CertificateProvider) (deprecated)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextCertificateProviderInstance(v *CommonTlsContext_CertificateProviderInstance) (deprecated)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextSdsSecretConfig(v *SdsSecretConfig)
- func (x *CommonTlsContext_CombinedCertificateValidationContext) String() string
- type CommonTlsContext_CombinedCertificateValidationContext_builder
- type CommonTlsContext_CombinedValidationContext
- type CommonTlsContext_ValidationContext
- type CommonTlsContext_ValidationContextCertificateProvider
- type CommonTlsContext_ValidationContextCertificateProviderInstance
- type CommonTlsContext_ValidationContextSdsSecretConfig
- type CommonTlsContext_builder
- type DownstreamTlsContext
- func (x *DownstreamTlsContext) ClearCommonTlsContext()
- func (x *DownstreamTlsContext) ClearDisableStatelessSessionResumption()
- func (x *DownstreamTlsContext) ClearFullScanCertsOnSniMismatch()
- func (x *DownstreamTlsContext) ClearRequireClientCertificate()
- func (x *DownstreamTlsContext) ClearRequireSni()
- func (x *DownstreamTlsContext) ClearSessionTicketKeys()
- func (x *DownstreamTlsContext) ClearSessionTicketKeysSdsSecretConfig()
- func (x *DownstreamTlsContext) ClearSessionTicketKeysType()
- func (x *DownstreamTlsContext) ClearSessionTimeout()
- func (x *DownstreamTlsContext) GetCommonTlsContext() *CommonTlsContext
- func (x *DownstreamTlsContext) GetDisableStatefulSessionResumption() bool
- func (x *DownstreamTlsContext) GetDisableStatelessSessionResumption() bool
- func (x *DownstreamTlsContext) GetFullScanCertsOnSniMismatch() *wrapperspb.BoolValue
- func (x *DownstreamTlsContext) GetOcspStaplePolicy() DownstreamTlsContext_OcspStaplePolicy
- func (x *DownstreamTlsContext) GetRequireClientCertificate() *wrapperspb.BoolValue
- func (x *DownstreamTlsContext) GetRequireSni() *wrapperspb.BoolValue
- func (x *DownstreamTlsContext) GetSessionTicketKeys() *TlsSessionTicketKeys
- func (x *DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig() *SdsSecretConfig
- func (x *DownstreamTlsContext) GetSessionTicketKeysType() isDownstreamTlsContext_SessionTicketKeysType
- func (x *DownstreamTlsContext) GetSessionTimeout() *durationpb.Duration
- func (x *DownstreamTlsContext) HasCommonTlsContext() bool
- func (x *DownstreamTlsContext) HasDisableStatelessSessionResumption() bool
- func (x *DownstreamTlsContext) HasFullScanCertsOnSniMismatch() bool
- func (x *DownstreamTlsContext) HasRequireClientCertificate() bool
- func (x *DownstreamTlsContext) HasRequireSni() bool
- func (x *DownstreamTlsContext) HasSessionTicketKeys() bool
- func (x *DownstreamTlsContext) HasSessionTicketKeysSdsSecretConfig() bool
- func (x *DownstreamTlsContext) HasSessionTicketKeysType() bool
- func (x *DownstreamTlsContext) HasSessionTimeout() bool
- func (*DownstreamTlsContext) ProtoMessage()
- func (x *DownstreamTlsContext) ProtoReflect() protoreflect.Message
- func (x *DownstreamTlsContext) Reset()
- func (x *DownstreamTlsContext) SetCommonTlsContext(v *CommonTlsContext)
- func (x *DownstreamTlsContext) SetDisableStatefulSessionResumption(v bool)
- func (x *DownstreamTlsContext) SetDisableStatelessSessionResumption(v bool)
- func (x *DownstreamTlsContext) SetFullScanCertsOnSniMismatch(v *wrapperspb.BoolValue)
- func (x *DownstreamTlsContext) SetOcspStaplePolicy(v DownstreamTlsContext_OcspStaplePolicy)
- func (x *DownstreamTlsContext) SetRequireClientCertificate(v *wrapperspb.BoolValue)
- func (x *DownstreamTlsContext) SetRequireSni(v *wrapperspb.BoolValue)
- func (x *DownstreamTlsContext) SetSessionTicketKeys(v *TlsSessionTicketKeys)
- func (x *DownstreamTlsContext) SetSessionTicketKeysSdsSecretConfig(v *SdsSecretConfig)
- func (x *DownstreamTlsContext) SetSessionTimeout(v *durationpb.Duration)
- func (x *DownstreamTlsContext) String() string
- func (x *DownstreamTlsContext) WhichSessionTicketKeysType() case_DownstreamTlsContext_SessionTicketKeysType
- type DownstreamTlsContext_DisableStatelessSessionResumption
- type DownstreamTlsContext_OcspStaplePolicy
- func (DownstreamTlsContext_OcspStaplePolicy) Descriptor() protoreflect.EnumDescriptor
- func (x DownstreamTlsContext_OcspStaplePolicy) Enum() *DownstreamTlsContext_OcspStaplePolicy
- func (x DownstreamTlsContext_OcspStaplePolicy) Number() protoreflect.EnumNumber
- func (x DownstreamTlsContext_OcspStaplePolicy) String() string
- func (DownstreamTlsContext_OcspStaplePolicy) Type() protoreflect.EnumType
- type DownstreamTlsContext_SessionTicketKeys
- type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig
- type DownstreamTlsContext_builder
- type GenericSecret
- func (x *GenericSecret) ClearSecret()
- func (x *GenericSecret) GetSecret() *v3.DataSource
- func (x *GenericSecret) HasSecret() bool
- func (*GenericSecret) ProtoMessage()
- func (x *GenericSecret) ProtoReflect() protoreflect.Message
- func (x *GenericSecret) Reset()
- func (x *GenericSecret) SetSecret(v *v3.DataSource)
- func (x *GenericSecret) String() string
- type GenericSecret_builder
- type PrivateKeyProvider
- func (x *PrivateKeyProvider) ClearConfigType()
- func (x *PrivateKeyProvider) ClearTypedConfig()
- func (x *PrivateKeyProvider) GetConfigType() isPrivateKeyProvider_ConfigType
- func (x *PrivateKeyProvider) GetFallback() bool
- func (x *PrivateKeyProvider) GetProviderName() string
- func (x *PrivateKeyProvider) GetTypedConfig() *anypb.Any
- func (x *PrivateKeyProvider) HasConfigType() bool
- func (x *PrivateKeyProvider) HasTypedConfig() bool
- func (*PrivateKeyProvider) ProtoMessage()
- func (x *PrivateKeyProvider) ProtoReflect() protoreflect.Message
- func (x *PrivateKeyProvider) Reset()
- func (x *PrivateKeyProvider) SetFallback(v bool)
- func (x *PrivateKeyProvider) SetProviderName(v string)
- func (x *PrivateKeyProvider) SetTypedConfig(v *anypb.Any)
- func (x *PrivateKeyProvider) String() string
- func (x *PrivateKeyProvider) WhichConfigType() case_PrivateKeyProvider_ConfigType
- type PrivateKeyProvider_TypedConfig
- type PrivateKeyProvider_builder
- type SPIFFECertValidatorConfig
- func (x *SPIFFECertValidatorConfig) GetTrustDomains() []*SPIFFECertValidatorConfig_TrustDomain
- func (*SPIFFECertValidatorConfig) ProtoMessage()
- func (x *SPIFFECertValidatorConfig) ProtoReflect() protoreflect.Message
- func (x *SPIFFECertValidatorConfig) Reset()
- func (x *SPIFFECertValidatorConfig) SetTrustDomains(v []*SPIFFECertValidatorConfig_TrustDomain)
- func (x *SPIFFECertValidatorConfig) String() string
- type SPIFFECertValidatorConfig_TrustDomain
- func (x *SPIFFECertValidatorConfig_TrustDomain) ClearTrustBundle()
- func (x *SPIFFECertValidatorConfig_TrustDomain) GetName() string
- func (x *SPIFFECertValidatorConfig_TrustDomain) GetTrustBundle() *v3.DataSource
- func (x *SPIFFECertValidatorConfig_TrustDomain) HasTrustBundle() bool
- func (*SPIFFECertValidatorConfig_TrustDomain) ProtoMessage()
- func (x *SPIFFECertValidatorConfig_TrustDomain) ProtoReflect() protoreflect.Message
- func (x *SPIFFECertValidatorConfig_TrustDomain) Reset()
- func (x *SPIFFECertValidatorConfig_TrustDomain) SetName(v string)
- func (x *SPIFFECertValidatorConfig_TrustDomain) SetTrustBundle(v *v3.DataSource)
- func (x *SPIFFECertValidatorConfig_TrustDomain) String() string
- type SPIFFECertValidatorConfig_TrustDomain_builder
- type SPIFFECertValidatorConfig_builder
- type SdsSecretConfig
- func (x *SdsSecretConfig) ClearSdsConfig()
- func (x *SdsSecretConfig) GetName() string
- func (x *SdsSecretConfig) GetSdsConfig() *v3.ConfigSource
- func (x *SdsSecretConfig) HasSdsConfig() bool
- func (*SdsSecretConfig) ProtoMessage()
- func (x *SdsSecretConfig) ProtoReflect() protoreflect.Message
- func (x *SdsSecretConfig) Reset()
- func (x *SdsSecretConfig) SetName(v string)
- func (x *SdsSecretConfig) SetSdsConfig(v *v3.ConfigSource)
- func (x *SdsSecretConfig) String() string
- type SdsSecretConfig_builder
- type Secret
- func (x *Secret) ClearGenericSecret()
- func (x *Secret) ClearSessionTicketKeys()
- func (x *Secret) ClearTlsCertificate()
- func (x *Secret) ClearType()
- func (x *Secret) ClearValidationContext()
- func (x *Secret) GetGenericSecret() *GenericSecret
- func (x *Secret) GetName() string
- func (x *Secret) GetSessionTicketKeys() *TlsSessionTicketKeys
- func (x *Secret) GetTlsCertificate() *TlsCertificate
- func (x *Secret) GetType() isSecret_Type
- func (x *Secret) GetValidationContext() *CertificateValidationContext
- func (x *Secret) HasGenericSecret() bool
- func (x *Secret) HasSessionTicketKeys() bool
- func (x *Secret) HasTlsCertificate() bool
- func (x *Secret) HasType() bool
- func (x *Secret) HasValidationContext() bool
- func (*Secret) ProtoMessage()
- func (x *Secret) ProtoReflect() protoreflect.Message
- func (x *Secret) Reset()
- func (x *Secret) SetGenericSecret(v *GenericSecret)
- func (x *Secret) SetName(v string)
- func (x *Secret) SetSessionTicketKeys(v *TlsSessionTicketKeys)
- func (x *Secret) SetTlsCertificate(v *TlsCertificate)
- func (x *Secret) SetValidationContext(v *CertificateValidationContext)
- func (x *Secret) String() string
- func (x *Secret) WhichType() case_Secret_Type
- type Secret_GenericSecret
- type Secret_SessionTicketKeys
- type Secret_TlsCertificate
- type Secret_ValidationContext
- type Secret_builder
- type SubjectAltNameMatcher
- func (x *SubjectAltNameMatcher) ClearMatcher()
- func (x *SubjectAltNameMatcher) GetMatcher() *v31.StringMatcher
- func (x *SubjectAltNameMatcher) GetSanType() SubjectAltNameMatcher_SanType
- func (x *SubjectAltNameMatcher) HasMatcher() bool
- func (*SubjectAltNameMatcher) ProtoMessage()
- func (x *SubjectAltNameMatcher) ProtoReflect() protoreflect.Message
- func (x *SubjectAltNameMatcher) Reset()
- func (x *SubjectAltNameMatcher) SetMatcher(v *v31.StringMatcher)
- func (x *SubjectAltNameMatcher) SetSanType(v SubjectAltNameMatcher_SanType)
- func (x *SubjectAltNameMatcher) String() string
- type SubjectAltNameMatcher_SanType
- func (SubjectAltNameMatcher_SanType) Descriptor() protoreflect.EnumDescriptor
- func (x SubjectAltNameMatcher_SanType) Enum() *SubjectAltNameMatcher_SanType
- func (x SubjectAltNameMatcher_SanType) Number() protoreflect.EnumNumber
- func (x SubjectAltNameMatcher_SanType) String() string
- func (SubjectAltNameMatcher_SanType) Type() protoreflect.EnumType
- type SubjectAltNameMatcher_builder
- type TlsCertificate
- func (x *TlsCertificate) ClearCertificateChain()
- func (x *TlsCertificate) ClearOcspStaple()
- func (x *TlsCertificate) ClearPassword()
- func (x *TlsCertificate) ClearPkcs12()
- func (x *TlsCertificate) ClearPrivateKey()
- func (x *TlsCertificate) ClearPrivateKeyProvider()
- func (x *TlsCertificate) ClearWatchedDirectory()
- func (x *TlsCertificate) GetCertificateChain() *v3.DataSource
- func (x *TlsCertificate) GetOcspStaple() *v3.DataSource
- func (x *TlsCertificate) GetPassword() *v3.DataSource
- func (x *TlsCertificate) GetPkcs12() *v3.DataSource
- func (x *TlsCertificate) GetPrivateKey() *v3.DataSource
- func (x *TlsCertificate) GetPrivateKeyProvider() *PrivateKeyProvider
- func (x *TlsCertificate) GetSignedCertificateTimestamp() []*v3.DataSource
- func (x *TlsCertificate) GetWatchedDirectory() *v3.WatchedDirectory
- func (x *TlsCertificate) HasCertificateChain() bool
- func (x *TlsCertificate) HasOcspStaple() bool
- func (x *TlsCertificate) HasPassword() bool
- func (x *TlsCertificate) HasPkcs12() bool
- func (x *TlsCertificate) HasPrivateKey() bool
- func (x *TlsCertificate) HasPrivateKeyProvider() bool
- func (x *TlsCertificate) HasWatchedDirectory() bool
- func (*TlsCertificate) ProtoMessage()
- func (x *TlsCertificate) ProtoReflect() protoreflect.Message
- func (x *TlsCertificate) Reset()
- func (x *TlsCertificate) SetCertificateChain(v *v3.DataSource)
- func (x *TlsCertificate) SetOcspStaple(v *v3.DataSource)
- func (x *TlsCertificate) SetPassword(v *v3.DataSource)
- func (x *TlsCertificate) SetPkcs12(v *v3.DataSource)
- func (x *TlsCertificate) SetPrivateKey(v *v3.DataSource)
- func (x *TlsCertificate) SetPrivateKeyProvider(v *PrivateKeyProvider)
- func (x *TlsCertificate) SetSignedCertificateTimestamp(v []*v3.DataSource)
- func (x *TlsCertificate) SetWatchedDirectory(v *v3.WatchedDirectory)
- func (x *TlsCertificate) String() string
- type TlsCertificate_builder
- type TlsKeyLog
- func (x *TlsKeyLog) GetLocalAddressRange() []*v3.CidrRange
- func (x *TlsKeyLog) GetPath() string
- func (x *TlsKeyLog) GetRemoteAddressRange() []*v3.CidrRange
- func (*TlsKeyLog) ProtoMessage()
- func (x *TlsKeyLog) ProtoReflect() protoreflect.Message
- func (x *TlsKeyLog) Reset()
- func (x *TlsKeyLog) SetLocalAddressRange(v []*v3.CidrRange)
- func (x *TlsKeyLog) SetPath(v string)
- func (x *TlsKeyLog) SetRemoteAddressRange(v []*v3.CidrRange)
- func (x *TlsKeyLog) String() string
- type TlsKeyLog_builder
- type TlsParameters
- func (x *TlsParameters) GetCipherSuites() []string
- func (x *TlsParameters) GetEcdhCurves() []string
- func (x *TlsParameters) GetSignatureAlgorithms() []string
- func (x *TlsParameters) GetTlsMaximumProtocolVersion() TlsParameters_TlsProtocol
- func (x *TlsParameters) GetTlsMinimumProtocolVersion() TlsParameters_TlsProtocol
- func (*TlsParameters) ProtoMessage()
- func (x *TlsParameters) ProtoReflect() protoreflect.Message
- func (x *TlsParameters) Reset()
- func (x *TlsParameters) SetCipherSuites(v []string)
- func (x *TlsParameters) SetEcdhCurves(v []string)
- func (x *TlsParameters) SetSignatureAlgorithms(v []string)
- func (x *TlsParameters) SetTlsMaximumProtocolVersion(v TlsParameters_TlsProtocol)
- func (x *TlsParameters) SetTlsMinimumProtocolVersion(v TlsParameters_TlsProtocol)
- func (x *TlsParameters) String() string
- type TlsParameters_TlsProtocol
- func (TlsParameters_TlsProtocol) Descriptor() protoreflect.EnumDescriptor
- func (x TlsParameters_TlsProtocol) Enum() *TlsParameters_TlsProtocol
- func (x TlsParameters_TlsProtocol) Number() protoreflect.EnumNumber
- func (x TlsParameters_TlsProtocol) String() string
- func (TlsParameters_TlsProtocol) Type() protoreflect.EnumType
- type TlsParameters_builder
- type TlsSessionTicketKeys
- func (x *TlsSessionTicketKeys) GetKeys() []*v3.DataSource
- func (*TlsSessionTicketKeys) ProtoMessage()
- func (x *TlsSessionTicketKeys) ProtoReflect() protoreflect.Message
- func (x *TlsSessionTicketKeys) Reset()
- func (x *TlsSessionTicketKeys) SetKeys(v []*v3.DataSource)
- func (x *TlsSessionTicketKeys) String() string
- type TlsSessionTicketKeys_builder
- type UpstreamTlsContext
- func (x *UpstreamTlsContext) ClearCommonTlsContext()
- func (x *UpstreamTlsContext) ClearEnforceRsaKeyUsage()
- func (x *UpstreamTlsContext) ClearMaxSessionKeys()
- func (x *UpstreamTlsContext) GetAllowRenegotiation() bool
- func (x *UpstreamTlsContext) GetCommonTlsContext() *CommonTlsContext
- func (x *UpstreamTlsContext) GetEnforceRsaKeyUsage() *wrapperspb.BoolValue
- func (x *UpstreamTlsContext) GetMaxSessionKeys() *wrapperspb.UInt32Value
- func (x *UpstreamTlsContext) GetSni() string
- func (x *UpstreamTlsContext) HasCommonTlsContext() bool
- func (x *UpstreamTlsContext) HasEnforceRsaKeyUsage() bool
- func (x *UpstreamTlsContext) HasMaxSessionKeys() bool
- func (*UpstreamTlsContext) ProtoMessage()
- func (x *UpstreamTlsContext) ProtoReflect() protoreflect.Message
- func (x *UpstreamTlsContext) Reset()
- func (x *UpstreamTlsContext) SetAllowRenegotiation(v bool)
- func (x *UpstreamTlsContext) SetCommonTlsContext(v *CommonTlsContext)
- func (x *UpstreamTlsContext) SetEnforceRsaKeyUsage(v *wrapperspb.BoolValue)
- func (x *UpstreamTlsContext) SetMaxSessionKeys(v *wrapperspb.UInt32Value)
- func (x *UpstreamTlsContext) SetSni(v string)
- func (x *UpstreamTlsContext) String() string
- type UpstreamTlsContext_builder
Constants ¶
// Oneof case selectors, grouped by the oneof they describe. Each case_* type is
// the return type of the matching Which*() method in the index (for example
// CommonTlsContext.WhichValidationContextType); the *_not_set_case value 0
// reports that no member of that oneof is populated. Values are copied from the
// generated code and must not be edited by hand.
const (
	// CommonTlsContext_CertificateProvider: WhichConfig()
	CommonTlsContext_CertificateProvider_Config_not_set_case case_CommonTlsContext_CertificateProvider_Config = 0
	CommonTlsContext_CertificateProvider_TypedConfig_case    case_CommonTlsContext_CertificateProvider_Config = 2

	// CommonTlsContext: WhichValidationContextType(). The two *CertificateProvider*
	// members are the ones the index marks deprecated; ValidationContext,
	// ValidationContextSdsSecretConfig and CombinedValidationContext are current.
	CommonTlsContext_ValidationContextType_not_set_case                case_CommonTlsContext_ValidationContextType = 0
	CommonTlsContext_ValidationContext_case                            case_CommonTlsContext_ValidationContextType = 3
	CommonTlsContext_ValidationContextSdsSecretConfig_case             case_CommonTlsContext_ValidationContextType = 7
	CommonTlsContext_CombinedValidationContext_case                    case_CommonTlsContext_ValidationContextType = 8
	CommonTlsContext_ValidationContextCertificateProvider_case         case_CommonTlsContext_ValidationContextType = 10
	CommonTlsContext_ValidationContextCertificateProviderInstance_case case_CommonTlsContext_ValidationContextType = 12

	// DownstreamTlsContext: WhichSessionTicketKeysType()
	DownstreamTlsContext_SessionTicketKeysType_not_set_case     case_DownstreamTlsContext_SessionTicketKeysType = 0
	DownstreamTlsContext_SessionTicketKeys_case                 case_DownstreamTlsContext_SessionTicketKeysType = 4
	DownstreamTlsContext_SessionTicketKeysSdsSecretConfig_case  case_DownstreamTlsContext_SessionTicketKeysType = 5
	DownstreamTlsContext_DisableStatelessSessionResumption_case case_DownstreamTlsContext_SessionTicketKeysType = 7

	// PrivateKeyProvider: WhichConfigType()
	PrivateKeyProvider_ConfigType_not_set_case case_PrivateKeyProvider_ConfigType = 0
	PrivateKeyProvider_TypedConfig_case        case_PrivateKeyProvider_ConfigType = 3

	// Secret: WhichType()
	Secret_Type_not_set_case      case_Secret_Type = 0
	Secret_TlsCertificate_case    case_Secret_Type = 2
	Secret_SessionTicketKeys_case case_Secret_Type = 3
	Secret_ValidationContext_case case_Secret_Type = 4
	Secret_GenericSecret_case     case_Secret_Type = 5
)
Variables ¶
// TlsParameters_TlsProtocol_name maps a TlsParameters_TlsProtocol number to its
// proto enum name. 0 (TLS_AUTO) is the proto3 zero value, so it is what a
// TlsParameters whose minimum/maximum version was never set reports.
var TlsParameters_TlsProtocol_name = map[int32]string{
	0: "TLS_AUTO",
	1: "TLSv1_0",
	2: "TLSv1_1",
	3: "TLSv1_2",
	4: "TLSv1_3",
}

// TlsParameters_TlsProtocol_value is the inverse table, proto enum name to
// number. TLSv1_0 and TLSv1_1 are still accepted names here; what TLS_AUTO
// negotiates is not determined by this table, so a deployment that must exclude
// the legacy versions sets an explicit floor via SetTlsMinimumProtocolVersion.
var TlsParameters_TlsProtocol_value = map[string]int32{
	"TLS_AUTO": 0,
	"TLSv1_0":  1,
	"TLSv1_1":  2,
	"TLSv1_2":  3,
	"TLSv1_3":  4,
}
Enum value maps for TlsParameters_TlsProtocol.
// SubjectAltNameMatcher_SanType_name maps a SubjectAltNameMatcher_SanType number
// to its proto enum name. This is the SAN kind returned by
// SubjectAltNameMatcher.GetSanType; 0 (SAN_TYPE_UNSPECIFIED) is the proto3 zero
// value and therefore what an unset SanType reports.
var SubjectAltNameMatcher_SanType_name = map[int32]string{
	0: "SAN_TYPE_UNSPECIFIED",
	1: "EMAIL",
	2: "DNS",
	3: "URI",
	4: "IP_ADDRESS",
}

// SubjectAltNameMatcher_SanType_value is the inverse table, proto enum name to
// number. The typed matcher (MatchTypedSubjectAltNames) pairs a SAN kind with
// the string matcher; the index marks the untyped MatchSubjectAltNames
// accessors deprecated, so new validation contexts should use the typed form.
var SubjectAltNameMatcher_SanType_value = map[string]int32{
	"SAN_TYPE_UNSPECIFIED": 0,
	"EMAIL":                1,
	"DNS":                  2,
	"URI":                  3,
	"IP_ADDRESS":           4,
}
Enum value maps for SubjectAltNameMatcher_SanType.
// Enum value maps for CertificateValidationContext_TrustChainVerification.
//
// NOTE(review): VERIFY_TRUST_CHAIN (0) is the zero value and the only mode
// that rejects a peer whose chain fails verification. ACCEPT_UNTRUSTED lets the
// handshake complete regardless, so a context using it provides confidentiality
// only; authentication must then be enforced by whatever consumes the
// verification result.
var (
	CertificateValidationContext_TrustChainVerification_name = map[int32]string{
		0: "VERIFY_TRUST_CHAIN",
		1: "ACCEPT_UNTRUSTED",
	}
	CertificateValidationContext_TrustChainVerification_value = map[string]int32{
		"VERIFY_TRUST_CHAIN": 0,
		"ACCEPT_UNTRUSTED":   1,
	}
)
// Enum value maps for DownstreamTlsContext_OcspStaplePolicy.
//
// NOTE(review): LENIENT_STAPLING (0) is the zero value, so it is what an unset
// policy resolves to. The exact behaviour of each mode (what happens when a
// staple is missing or expired) is documented on DownstreamTlsContext, not on
// this page — confirm there before assuming MUST_STAPLE fails closed the way
// you expect.
var (
	DownstreamTlsContext_OcspStaplePolicy_name = map[int32]string{
		0: "LENIENT_STAPLING",
		1: "STRICT_STAPLING",
		2: "MUST_STAPLE",
	}
	DownstreamTlsContext_OcspStaplePolicy_value = map[string]int32{
		"LENIENT_STAPLING": 0,
		"STRICT_STAPLING":  1,
		"MUST_STAPLE":      2,
	}
)
// Raw file descriptors for the five .proto files that make up this package.
// They are declared here and presumably populated by the generated init code
// (not shown on this page); protoregistry/protoreflect callers use them to
// resolve the message and enum descriptors of this package.
var (
	File_envoy_extensions_transport_sockets_tls_v3_cert_proto                       protoreflect.FileDescriptor
	File_envoy_extensions_transport_sockets_tls_v3_common_proto                     protoreflect.FileDescriptor
	File_envoy_extensions_transport_sockets_tls_v3_secret_proto                     protoreflect.FileDescriptor
	File_envoy_extensions_transport_sockets_tls_v3_tls_proto                        protoreflect.FileDescriptor
	File_envoy_extensions_transport_sockets_tls_v3_tls_spiffe_validator_config_proto protoreflect.FileDescriptor
)
Functions ¶
This section is empty.
Types ¶
type CertificateProviderPluginInstance ¶
// Indicates a certificate to be obtained from a named CertificateProvider plugin
// instance. The plugin instances are defined in the client's bootstrap file. The
// plugin allows certificates to be fetched/refreshed over the network
// asynchronously with respect to the TLS handshake. [#not-implemented-hide:]
//
// NOTE(review): the ``[#not-implemented-hide:]`` marker means this message is
// not expected to be honoured by Envoy yet. A config that relies on it to
// supply an identity certificate or CA bundle must be verified end-to-end on
// the Envoy version in use; do not assume the referenced provider is consulted.
// What happens when ``instance_name`` does not match any bootstrap instance is
// not documented here — confirm it fails closed.
type CertificateProviderPluginInstance struct {
	// Provider instance name. If not present, defaults to "default".
	//
	// Instance names should generally be defined not in terms of the underlying provider
	// implementation (e.g., "file_watcher") but rather in terms of the function of the
	// certificates (e.g., "foo_deployment_identity").
	InstanceName string `protobuf:"bytes,1,opt,name=instance_name,json=instanceName,proto3" json:"instance_name,omitempty"`
	// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "example.com" to specify a certificate for a
	// particular domain. Not all provider instances will actually use this field, so the value
	// defaults to the empty string.
	//
	// NOTE(review): because this is opaque to Envoy, its meaning (and any
	// validation of it) is entirely up to the provider plugin.
	CertificateName string `protobuf:"bytes,2,opt,name=certificate_name,json=certificateName,proto3" json:"certificate_name,omitempty"`
	// contains filtered or unexported fields
}
func (*CertificateProviderPluginInstance) GetCertificateName ¶
func (x *CertificateProviderPluginInstance) GetCertificateName() string
func (*CertificateProviderPluginInstance) GetInstanceName ¶
func (x *CertificateProviderPluginInstance) GetInstanceName() string
func (*CertificateProviderPluginInstance) ProtoMessage ¶
func (*CertificateProviderPluginInstance) ProtoMessage()
func (*CertificateProviderPluginInstance) ProtoReflect ¶
func (x *CertificateProviderPluginInstance) ProtoReflect() protoreflect.Message
func (*CertificateProviderPluginInstance) Reset ¶
func (x *CertificateProviderPluginInstance) Reset()
func (*CertificateProviderPluginInstance) SetCertificateName ¶
func (x *CertificateProviderPluginInstance) SetCertificateName(v string)
func (*CertificateProviderPluginInstance) SetInstanceName ¶
func (x *CertificateProviderPluginInstance) SetInstanceName(v string)
func (*CertificateProviderPluginInstance) String ¶
func (x *CertificateProviderPluginInstance) String() string
type CertificateProviderPluginInstance_builder ¶
// CertificateProviderPluginInstance_builder is the literal-style constructor for
// CertificateProviderPluginInstance; its fields mirror that message (same names,
// types and documentation) and Build() produces the message value.
//
// NOTE(review): the message it builds is marked ``[#not-implemented-hide:]`` in
// the proto, so a value assembled here is not necessarily acted on by Envoy —
// verify on the version in use.
type CertificateProviderPluginInstance_builder struct {
	// Provider instance name. If not present, defaults to "default".
	//
	// Instance names should generally be defined not in terms of the underlying provider
	// implementation (e.g., "file_watcher") but rather in terms of the function of the
	// certificates (e.g., "foo_deployment_identity").
	InstanceName string
	// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "example.com" to specify a certificate for a
	// particular domain. Not all provider instances will actually use this field, so the value
	// defaults to the empty string.
	CertificateName string
	// contains filtered or unexported fields
}
func (CertificateProviderPluginInstance_builder) Build ¶
func (b0 CertificateProviderPluginInstance_builder) Build() *CertificateProviderPluginInstance
type CertificateValidationContext ¶
// [#next-free-field: 17]
//
// NOTE(review): this message is the whole peer-authentication policy of a TLS
// context, and several of its fields weaken verification rather than add to it
// (``trust_chain_verification``, ``allow_expired_certificate``,
// ``only_verify_leaf_cert_crl``, ``custom_validator_config``). Review them
// together. The safe baseline is ``trusted_ca`` set, the trust-chain mode left
// at VERIFY_TRUST_CHAIN, and the SAN / pin lists used to *narrow* what the
// chain validation already accepts, never to replace it.
type CertificateValidationContext struct {
	// TLS certificate data containing certificate authority certificates to use in verifying
	// a presented peer certificate (e.g. server certificate for clusters or client certificate
	// for listeners). If not specified and a peer certificate is presented it will not be
	// verified. By default, a client certificate is optional, unless one of the additional
	// options (:ref:`require_client_certificate
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
	// :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
	// specified.
	//
	// It can optionally contain certificate revocation lists, in which case Envoy will verify
	// that the presented peer certificate has not been revoked by one of the included CRLs. Note
	// that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
	// provided for all certificate authorities in that chain. Failure to do so will result in
	// verification failure for both revoked and unrevoked certificates from that chain.
	// The behavior of requiring all certificates to contain CRLs can be altered by
	// setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
	// true. If set to true, only the final certificate in the chain undergoes CRL verification.
	//
	// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
	// system CA locations.
	//
	// If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
	// directory for any file moves to support rotation. This currently only
	// applies to dynamic secrets, when the ``CertificateValidationContext`` is
	// delivered via SDS.
	//
	// X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
	// can be treated as trust anchor as well. It allows verification with building valid partial chain instead
	// of a full chain.
	//
	// Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
	//
	// [#next-major-version: This field and watched_directory below should ideally be moved into a
	// separate sub-message, since there's no point in specifying the latter field without this one.]
	//
	// NOTE(review): read the first sentence literally — with neither ``trusted_ca``
	// nor ``ca_certificate_provider_instance`` set, a presented peer certificate is
	// simply not chain-validated. On a listener the peer may also decline to present
	// one at all unless ``require_client_certificate`` is set on the
	// DownstreamTlsContext. Because X509_V_FLAG_PARTIAL_CHAIN is enabled, any
	// intermediate placed in this bundle becomes a trust anchor in its own right;
	// presumably the issuing root's CRL is then no longer consulted for that
	// intermediate, so keep the bundle to exactly the CAs you intend to trust.
	// Rotation is keyed on file *moves* in the parent directory; an in-place
	// rewrite of the file may not trigger a reload — confirm the rotation
	// procedure against the SDS key rotation docs.
	TrustedCa *v3.DataSource `protobuf:"bytes,1,opt,name=trusted_ca,json=trustedCa,proto3" json:"trusted_ca,omitempty"`
	// Certificate provider instance for fetching TLS certificates.
	//
	// Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
	// [#not-implemented-hide:]
	//
	// NOTE(review): marked not-implemented in the proto; do not rely on it to
	// supply the CA bundle without verifying on the Envoy version in use.
	CaCertificateProviderInstance *CertificateProviderPluginInstance `` /* 153-byte string literal not displayed */
	// If specified, updates of a file-based ``trusted_ca`` source will be triggered
	// by this watch. This allows explicit control over the path watched, by
	// default the parent directory of the filesystem path in ``trusted_ca`` is
	// watched if this field is not specified. This only applies when a
	// ``CertificateValidationContext`` is delivered by SDS with references to
	// filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
	// documentation for further details.
	//
	// NOTE(review): only meaningful for SDS-delivered contexts that reference
	// filesystem paths; for a statically configured context this field is
	// presumably inert and the bundle is read once — confirm.
	WatchedDirectory *v3.WatchedDirectory `protobuf:"bytes,11,opt,name=watched_directory,json=watchedDirectory,proto3" json:"watched_directory,omitempty"`
	// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
	// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
	// matches one of the specified values.
	//
	// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -noout -pubkey
	//	  | openssl pkey -pubin -outform DER
	//	  | openssl dgst -sha256 -binary
	//	  | openssl enc -base64
	//	NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
	//
	// This is the format used in HTTP Public Key Pinning.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	//
	// .. attention::
	//
	//	This option is preferred over :ref:`verify_certificate_hash
	//	<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
	//	because SPKI is tied to a private key, so it doesn't change when the certificate
	//	is renewed using the same private key.
	//
	// NOTE(review): a pin list is an allow-list of keys, so every entry widens
	// acceptance, and when ``verify_certificate_hash`` is also set the two lists
	// are OR-ed — a stale entry in either keeps a retired key or cert accepted.
	// Keep the lists short, tie them to a key-rotation plan, and remove pins
	// when keys are retired. Pinning narrows but does not replace chain
	// validation; keep ``trusted_ca`` set.
	VerifyCertificateSpki []string `` /* 126-byte string literal not displayed */
	// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
	// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
	//
	// A hex-encoded SHA-256 of the certificate can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
	//	df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
	//
	// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
	//	DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
	//
	// Both of those formats are acceptable.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	//
	// NOTE(review): a certificate hash changes on every renewal, so this pin
	// must be updated in lock-step with the peer's certificate or connections
	// start failing at renewal time; the SPKI pin above avoids that for
	// same-key renewals.
	VerifyCertificateHash []string `` /* 126-byte string literal not displayed */
	// An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
	// Subject Alternative Name of the presented certificate matches one of the specified matchers.
	// The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
	// matched.
	//
	// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
	// configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
	// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
	// it should be configured as shown below.
	//
	// .. code-block:: yaml
	//
	//	match_typed_subject_alt_names:
	//	- san_type: DNS
	//	  matcher:
	//	    exact: "api.example.com"
	//
	// .. attention::
	//
	//	Subject Alternative Names are easily spoofable and verifying only them is insecure,
	//	therefore this option must be used together with :ref:`trusted_ca
	//	<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
	//
	// NOTE(review): "any" semantics means a single loose matcher (a broad
	// suffix/contains/regex) widens acceptance for the whole list. SAN matching
	// is an authorization narrowing applied on top of chain validation, not a
	// substitute for it — hence the attention block above.
	MatchTypedSubjectAltNames []*SubjectAltNameMatcher `` /* 143-byte string literal not displayed */
	// This field is deprecated in favor of
	// :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
	// Note that if both this field and :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
	// are specified, the former (deprecated field) is ignored.
	//
	// NOTE(review): this matcher carries no SAN type, so presumably a match
	// against any SAN kind (e.g. an email SAN) satisfies it — one more reason
	// to migrate to the typed field. "The former" in the sentence above is this
	// deprecated field: it is ignored whenever the typed list is also set.
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/common.proto.
	MatchSubjectAltNames []*v31.StringMatcher `protobuf:"bytes,9,rep,name=match_subject_alt_names,json=matchSubjectAltNames,proto3" json:"match_subject_alt_names,omitempty"`
	// [#not-implemented-hide:] Must present signed certificate time-stamp.
	//
	// NOTE(review): not implemented per the marker above — setting this to true
	// presumably has no effect, so do not count on SCT enforcement here.
	RequireSignedCertificateTimestamp *wrapperspb.BoolValue `` /* 164-byte string literal not displayed */
	// An optional `certificate revocation list
	// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
	// (in PEM format). If specified, Envoy will verify that the presented peer
	// certificate has not been revoked by this CRL. If this DataSource contains
	// multiple CRLs, all of them will be used. Note that if a CRL is provided
	// for any certificate authority in a trust chain, a CRL must be provided
	// for all certificate authorities in that chain. Failure to do so will
	// result in verification failure for both revoked and unrevoked certificates
	// from that chain. This default behavior can be altered by setting
	// :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
	// true.
	//
	// If ``crl`` is a filesystem path, a watch will be added to the parent
	// directory for any file moves to support rotation. This currently only
	// applies to dynamic secrets, when the ``CertificateValidationContext`` is
	// delivered via SDS.
	//
	// NOTE(review): a missing CRL for any CA in the chain fails closed for
	// every certificate from that chain, which is the safe direction; the usual
	// relaxation, ``only_verify_leaf_cert_crl``, means a revoked intermediate is
	// no longer detected. Since the file watch only applies to SDS-delivered
	// contexts, a statically configured CRL is presumably not re-read until the
	// config is reloaded, so a long-lived proxy can keep enforcing a stale list
	// — confirm the rotation path for static configs.
	Crl *v3.DataSource `protobuf:"bytes,7,opt,name=crl,proto3" json:"crl,omitempty"`
	// If specified, Envoy will not reject expired certificates.
	//
	// NOTE(review): defaults to false (Go zero value). Enabling it also weakens
	// revocation checking in practice, because CAs commonly drop expired
	// certificates from their CRLs; if it must be used, pair it with a tight
	// SAN or pin list and treat it as a temporary migration aid.
	AllowExpiredCertificate bool `` /* 133-byte string literal not displayed */
	// Certificate trust chain verification mode.
	//
	// NOTE(review): the zero value is VERIFY_TRUST_CHAIN. ACCEPT_UNTRUSTED
	// completes the handshake even when verification fails and leaves
	// enforcement to whatever consumes the verification result (e.g. HTTP
	// route matching on ``validated``); a listener in that mode without such
	// a downstream check is effectively unauthenticated.
	TrustChainVerification CertificateValidationContext_TrustChainVerification `` /* 230-byte string literal not displayed */
	// The configuration of an extension specific certificate validator.
	// If specified, all validation is done by the specified validator,
	// and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
	// Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
	// [#extension-category: envoy.tls.cert_validator]
	//
	// NOTE(review): once set, every other field of this message — including
	// ``trusted_ca`` and the pin/SAN lists — may be ignored by the validator,
	// so the validator's own config is the policy that must be reviewed.
	CustomValidatorConfig *v3.TypedExtensionConfig `` /* 127-byte string literal not displayed */
	// If this option is set to true, only the certificate at the end of the
	// certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
	//
	// NOTE(review): trades completeness of revocation checking for operational
	// convenience; with this set a revoked intermediate CA goes undetected.
	OnlyVerifyLeafCertCrl bool `` /* 132-byte string literal not displayed */
	// Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
	// This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
	// appears in the chain, but in a depth larger than configured, the certificate validation will fail.
	// This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
	// in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
	// Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
	//
	// NOTE(review): because the anchor is counted, a depth of 1 accepts only
	// leaves signed directly by a CA in ``trusted_ca``; the default of 100 is
	// generous, and a deliberately small value is a cheap way to reject
	// unexpected sub-CAs.
	MaxVerifyDepth *wrapperspb.UInt32Value `protobuf:"bytes,16,opt,name=max_verify_depth,json=maxVerifyDepth,proto3" json:"max_verify_depth,omitempty"`
	// contains filtered or unexported fields
}
func (*CertificateValidationContext) ClearCaCertificateProviderInstance ¶
func (x *CertificateValidationContext) ClearCaCertificateProviderInstance()
func (*CertificateValidationContext) ClearCrl ¶
func (x *CertificateValidationContext) ClearCrl()
func (*CertificateValidationContext) ClearCustomValidatorConfig ¶
func (x *CertificateValidationContext) ClearCustomValidatorConfig()
func (*CertificateValidationContext) ClearMaxVerifyDepth ¶
func (x *CertificateValidationContext) ClearMaxVerifyDepth()
func (*CertificateValidationContext) ClearRequireSignedCertificateTimestamp ¶
func (x *CertificateValidationContext) ClearRequireSignedCertificateTimestamp()
func (*CertificateValidationContext) ClearTrustedCa ¶
func (x *CertificateValidationContext) ClearTrustedCa()
func (*CertificateValidationContext) ClearWatchedDirectory ¶
func (x *CertificateValidationContext) ClearWatchedDirectory()
func (*CertificateValidationContext) GetAllowExpiredCertificate ¶
func (x *CertificateValidationContext) GetAllowExpiredCertificate() bool
func (*CertificateValidationContext) GetCaCertificateProviderInstance ¶
func (x *CertificateValidationContext) GetCaCertificateProviderInstance() *CertificateProviderPluginInstance
func (*CertificateValidationContext) GetCrl ¶
func (x *CertificateValidationContext) GetCrl() *v3.DataSource
func (*CertificateValidationContext) GetCustomValidatorConfig ¶
func (x *CertificateValidationContext) GetCustomValidatorConfig() *v3.TypedExtensionConfig
func (*CertificateValidationContext) GetMatchSubjectAltNames
deprecated
func (x *CertificateValidationContext) GetMatchSubjectAltNames() []*v31.StringMatcher
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/common.proto.
func (*CertificateValidationContext) GetMatchTypedSubjectAltNames ¶
func (x *CertificateValidationContext) GetMatchTypedSubjectAltNames() []*SubjectAltNameMatcher
func (*CertificateValidationContext) GetMaxVerifyDepth ¶
func (x *CertificateValidationContext) GetMaxVerifyDepth() *wrapperspb.UInt32Value
func (*CertificateValidationContext) GetOnlyVerifyLeafCertCrl ¶
func (x *CertificateValidationContext) GetOnlyVerifyLeafCertCrl() bool
func (*CertificateValidationContext) GetRequireSignedCertificateTimestamp ¶
func (x *CertificateValidationContext) GetRequireSignedCertificateTimestamp() *wrapperspb.BoolValue
func (*CertificateValidationContext) GetTrustChainVerification ¶
func (x *CertificateValidationContext) GetTrustChainVerification() CertificateValidationContext_TrustChainVerification
func (*CertificateValidationContext) GetTrustedCa ¶
func (x *CertificateValidationContext) GetTrustedCa() *v3.DataSource
func (*CertificateValidationContext) GetVerifyCertificateHash ¶
func (x *CertificateValidationContext) GetVerifyCertificateHash() []string
func (*CertificateValidationContext) GetVerifyCertificateSpki ¶
func (x *CertificateValidationContext) GetVerifyCertificateSpki() []string
func (*CertificateValidationContext) GetWatchedDirectory ¶
func (x *CertificateValidationContext) GetWatchedDirectory() *v3.WatchedDirectory
func (*CertificateValidationContext) HasCaCertificateProviderInstance ¶
func (x *CertificateValidationContext) HasCaCertificateProviderInstance() bool
func (*CertificateValidationContext) HasCrl ¶
func (x *CertificateValidationContext) HasCrl() bool
func (*CertificateValidationContext) HasCustomValidatorConfig ¶
func (x *CertificateValidationContext) HasCustomValidatorConfig() bool
func (*CertificateValidationContext) HasMaxVerifyDepth ¶
func (x *CertificateValidationContext) HasMaxVerifyDepth() bool
func (*CertificateValidationContext) HasRequireSignedCertificateTimestamp ¶
func (x *CertificateValidationContext) HasRequireSignedCertificateTimestamp() bool
func (*CertificateValidationContext) HasTrustedCa ¶
func (x *CertificateValidationContext) HasTrustedCa() bool
func (*CertificateValidationContext) HasWatchedDirectory ¶
func (x *CertificateValidationContext) HasWatchedDirectory() bool
func (*CertificateValidationContext) ProtoMessage ¶
func (*CertificateValidationContext) ProtoMessage()
func (*CertificateValidationContext) ProtoReflect ¶
func (x *CertificateValidationContext) ProtoReflect() protoreflect.Message
func (*CertificateValidationContext) Reset ¶
func (x *CertificateValidationContext) Reset()
func (*CertificateValidationContext) SetAllowExpiredCertificate ¶
func (x *CertificateValidationContext) SetAllowExpiredCertificate(v bool)
func (*CertificateValidationContext) SetCaCertificateProviderInstance ¶
func (x *CertificateValidationContext) SetCaCertificateProviderInstance(v *CertificateProviderPluginInstance)
func (*CertificateValidationContext) SetCrl ¶
func (x *CertificateValidationContext) SetCrl(v *v3.DataSource)
func (*CertificateValidationContext) SetCustomValidatorConfig ¶
func (x *CertificateValidationContext) SetCustomValidatorConfig(v *v3.TypedExtensionConfig)
func (*CertificateValidationContext) SetMatchSubjectAltNames
deprecated
func (x *CertificateValidationContext) SetMatchSubjectAltNames(v []*v31.StringMatcher)
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/common.proto.
func (*CertificateValidationContext) SetMatchTypedSubjectAltNames ¶
func (x *CertificateValidationContext) SetMatchTypedSubjectAltNames(v []*SubjectAltNameMatcher)
func (*CertificateValidationContext) SetMaxVerifyDepth ¶
func (x *CertificateValidationContext) SetMaxVerifyDepth(v *wrapperspb.UInt32Value)
func (*CertificateValidationContext) SetOnlyVerifyLeafCertCrl ¶
func (x *CertificateValidationContext) SetOnlyVerifyLeafCertCrl(v bool)
func (*CertificateValidationContext) SetRequireSignedCertificateTimestamp ¶
func (x *CertificateValidationContext) SetRequireSignedCertificateTimestamp(v *wrapperspb.BoolValue)
func (*CertificateValidationContext) SetTrustChainVerification ¶
func (x *CertificateValidationContext) SetTrustChainVerification(v CertificateValidationContext_TrustChainVerification)
func (*CertificateValidationContext) SetTrustedCa ¶
func (x *CertificateValidationContext) SetTrustedCa(v *v3.DataSource)
func (*CertificateValidationContext) SetVerifyCertificateHash ¶
func (x *CertificateValidationContext) SetVerifyCertificateHash(v []string)
func (*CertificateValidationContext) SetVerifyCertificateSpki ¶
func (x *CertificateValidationContext) SetVerifyCertificateSpki(v []string)
func (*CertificateValidationContext) SetWatchedDirectory ¶
func (x *CertificateValidationContext) SetWatchedDirectory(v *v3.WatchedDirectory)
func (*CertificateValidationContext) String ¶
func (x *CertificateValidationContext) String() string
type CertificateValidationContext_TrustChainVerification ¶
// Peer certificate verification mode.
//
// NOTE(review): the zero value, VERIFY_TRUST_CHAIN, is the only mode that
// rejects a peer whose chain does not verify. A context using ACCEPT_UNTRUSTED
// should be read as "TLS for confidentiality only".
type CertificateValidationContext_TrustChainVerification int32

const (
	// Perform default certificate verification (e.g., against CA / verification lists)
	CertificateValidationContext_VERIFY_TRUST_CHAIN CertificateValidationContext_TrustChainVerification = 0
	// Connections where the certificate fails verification will be permitted.
	// For HTTP connections, the result of certificate verification can be used in route matching. (
	// see :ref:`validated <envoy_v3_api_field_config.route.v3.RouteMatch.TlsContextMatchOptions.validated>` ).
	//
	// NOTE(review): the handshake succeeds for an unverifiable peer, so
	// anything downstream that treats "TLS client connected" as
	// "authenticated" is wrong under this mode; gate on the verification
	// result explicitly (route match on ``validated`` for HTTP). Nothing on
	// this page exposes that result for non-HTTP traffic — confirm an
	// equivalent check exists before using the mode there.
	CertificateValidationContext_ACCEPT_UNTRUSTED CertificateValidationContext_TrustChainVerification = 1
)
func (CertificateValidationContext_TrustChainVerification) Descriptor ¶
func (CertificateValidationContext_TrustChainVerification) Descriptor() protoreflect.EnumDescriptor
func (CertificateValidationContext_TrustChainVerification) Enum ¶
func (CertificateValidationContext_TrustChainVerification) Number ¶
func (x CertificateValidationContext_TrustChainVerification) Number() protoreflect.EnumNumber
func (CertificateValidationContext_TrustChainVerification) String ¶
func (x CertificateValidationContext_TrustChainVerification) String() string
func (CertificateValidationContext_TrustChainVerification) Type ¶
type CertificateValidationContext_builder ¶
// CertificateValidationContext_builder is the literal-style constructor for
// CertificateValidationContext; its fields mirror that message (same names,
// types and documentation) and Build() produces the message value.
//
// NOTE(review): the same caveats apply as when populating the message directly:
// leaving ``TrustedCa`` (and ``CaCertificateProviderInstance``) nil means a
// presented peer certificate is not chain-validated; ``TrustChainVerification``
// set to ACCEPT_UNTRUSTED, ``AllowExpiredCertificate``, ``OnlyVerifyLeafCertCrl``
// and ``CustomValidatorConfig`` each weaken verification; the SAN and pin lists
// narrow but do not replace chain validation.
type CertificateValidationContext_builder struct {
	// TLS certificate data containing certificate authority certificates to use in verifying
	// a presented peer certificate (e.g. server certificate for clusters or client certificate
	// for listeners). If not specified and a peer certificate is presented it will not be
	// verified. By default, a client certificate is optional, unless one of the additional
	// options (:ref:`require_client_certificate
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
	// :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
	// specified.
	//
	// It can optionally contain certificate revocation lists, in which case Envoy will verify
	// that the presented peer certificate has not been revoked by one of the included CRLs. Note
	// that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
	// provided for all certificate authorities in that chain. Failure to do so will result in
	// verification failure for both revoked and unrevoked certificates from that chain.
	// The behavior of requiring all certificates to contain CRLs can be altered by
	// setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
	// true. If set to true, only the final certificate in the chain undergoes CRL verification.
	//
	// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
	// system CA locations.
	//
	// If ``trusted_ca`` is a filesystem path, a watch will be added to the parent
	// directory for any file moves to support rotation. This currently only
	// applies to dynamic secrets, when the ``CertificateValidationContext`` is
	// delivered via SDS.
	//
	// X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca``
	// can be treated as trust anchor as well. It allows verification with building valid partial chain instead
	// of a full chain.
	//
	// Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
	//
	// [#next-major-version: This field and watched_directory below should ideally be moved into a
	// separate sub-message, since there's no point in specifying the latter field without this one.]
	TrustedCa *v3.DataSource
	// Certificate provider instance for fetching TLS certificates.
	//
	// Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
	// [#not-implemented-hide:]
	CaCertificateProviderInstance *CertificateProviderPluginInstance
	// If specified, updates of a file-based ``trusted_ca`` source will be triggered
	// by this watch. This allows explicit control over the path watched, by
	// default the parent directory of the filesystem path in ``trusted_ca`` is
	// watched if this field is not specified. This only applies when a
	// ``CertificateValidationContext`` is delivered by SDS with references to
	// filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
	// documentation for further details.
	WatchedDirectory *v3.WatchedDirectory
	// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
	// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
	// matches one of the specified values.
	//
	// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -noout -pubkey
	//	  | openssl pkey -pubin -outform DER
	//	  | openssl dgst -sha256 -binary
	//	  | openssl enc -base64
	//	NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
	//
	// This is the format used in HTTP Public Key Pinning.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	//
	// .. attention::
	//
	//	This option is preferred over :ref:`verify_certificate_hash
	//	<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
	//	because SPKI is tied to a private key, so it doesn't change when the certificate
	//	is renewed using the same private key.
	VerifyCertificateSpki []string
	// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
	// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
	//
	// A hex-encoded SHA-256 of the certificate can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
	//	df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
	//
	// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//	$ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
	//	DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
	//
	// Both of those formats are acceptable.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	VerifyCertificateHash []string
	// An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
	// Subject Alternative Name of the presented certificate matches one of the specified matchers.
	// The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
	// matched.
	//
	// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
	// configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
	// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
	// it should be configured as shown below.
	//
	// .. code-block:: yaml
	//
	//	match_typed_subject_alt_names:
	//	- san_type: DNS
	//	  matcher:
	//	    exact: "api.example.com"
	//
	// .. attention::
	//
	//	Subject Alternative Names are easily spoofable and verifying only them is insecure,
	//	therefore this option must be used together with :ref:`trusted_ca
	//	<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
	MatchTypedSubjectAltNames []*SubjectAltNameMatcher
	// This field is deprecated in favor of
	// :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
	// Note that if both this field and :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
	// are specified, the former (deprecated field) is ignored.
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/common.proto.
	MatchSubjectAltNames []*v31.StringMatcher
	// [#not-implemented-hide:] Must present signed certificate time-stamp.
	RequireSignedCertificateTimestamp *wrapperspb.BoolValue
	// An optional `certificate revocation list
	// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
	// (in PEM format). If specified, Envoy will verify that the presented peer
	// certificate has not been revoked by this CRL. If this DataSource contains
	// multiple CRLs, all of them will be used. Note that if a CRL is provided
	// for any certificate authority in a trust chain, a CRL must be provided
	// for all certificate authorities in that chain. Failure to do so will
	// result in verification failure for both revoked and unrevoked certificates
	// from that chain. This default behavior can be altered by setting
	// :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
	// true.
	//
	// If ``crl`` is a filesystem path, a watch will be added to the parent
	// directory for any file moves to support rotation. This currently only
	// applies to dynamic secrets, when the ``CertificateValidationContext`` is
	// delivered via SDS.
	Crl *v3.DataSource
	// If specified, Envoy will not reject expired certificates.
	AllowExpiredCertificate bool
	// Certificate trust chain verification mode.
	TrustChainVerification CertificateValidationContext_TrustChainVerification
	// The configuration of an extension specific certificate validator.
	// If specified, all validation is done by the specified validator,
	// and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
	// Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
	// [#extension-category: envoy.tls.cert_validator]
	CustomValidatorConfig *v3.TypedExtensionConfig
	// If this option is set to true, only the certificate at the end of the
	// certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
	OnlyVerifyLeafCertCrl bool
	// Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent.
	// This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer
	// appears in the chain, but in a depth larger than configured, the certificate validation will fail.
	// This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth``
	// in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included.
	// Trusted issuers are specified by setting :ref:`trusted_ca <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
	MaxVerifyDepth *wrapperspb.UInt32Value
	// contains filtered or unexported fields
}
func (CertificateValidationContext_builder) Build ¶
func (b0 CertificateValidationContext_builder) Build() *CertificateValidationContext
type CommonTlsContext ¶
// CommonTlsContext is the TLS context shared by both client and server TLS
// contexts. [#next-free-field: 16]
//
// The three identity-certificate sources (TlsCertificates,
// TlsCertificateSdsSecretConfigs, TlsCertificateProviderInstance) are
// mutually exclusive; peer validation is chosen through the
// ValidationContextType oneof.
type CommonTlsContext struct {
	// TLS protocol versions, cipher suites etc.
	TlsParams *TlsParameters `protobuf:"bytes,1,opt,name=tls_params,json=tlsParams,proto3" json:"tls_params,omitempty"`
	// Only a single TLS certificate is supported in client contexts. In server contexts,
	// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
	// same context to allow both RSA and ECDSA certificates and support SNI-based selection.
	//
	// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
	// and ``tls_certificate_provider_instance`` may be used.
	// [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
	// not legal to put a repeated field in a oneof. In the next major version, we should rework
	// this to avoid this problem.]
	TlsCertificates []*TlsCertificate `protobuf:"bytes,2,rep,name=tls_certificates,json=tlsCertificates,proto3" json:"tls_certificates,omitempty"`
	// Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	//
	// The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
	// are valid in the certificates fetched through this setting.
	//
	// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
	// and ``tls_certificate_provider_instance`` may be used.
	// [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
	// not legal to put a repeated field in a oneof. In the next major version, we should rework
	// this to avoid this problem.]
	TlsCertificateSdsSecretConfigs []*SdsSecretConfig `` /* 157-byte string literal not displayed */
	// Certificate provider instance for fetching TLS certs.
	//
	// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
	// and ``tls_certificate_provider_instance`` may be used.
	// [#not-implemented-hide:]
	TlsCertificateProviderInstance *CertificateProviderPluginInstance `` /* 156-byte string literal not displayed */
	// Certificate provider for fetching TLS certificates.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	TlsCertificateCertificateProvider *CommonTlsContext_CertificateProvider `` /* 164-byte string literal not displayed */
	// Certificate provider instance for fetching TLS certificates.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	TlsCertificateCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance `` /* 191-byte string literal not displayed */
	// Types that are valid to be assigned to ValidationContextType:
	//
	//	*CommonTlsContext_ValidationContext
	//	*CommonTlsContext_ValidationContextSdsSecretConfig
	//	*CommonTlsContext_CombinedValidationContext
	//	*CommonTlsContext_ValidationContextCertificateProvider
	//	*CommonTlsContext_ValidationContextCertificateProviderInstance
	//
	// When no member is set, no peer validation context is configured here.
	ValidationContextType isCommonTlsContext_ValidationContextType `protobuf_oneof:"validation_context_type"`
	// Supplies the list of ALPN protocols that the listener should expose. In
	// practice this is likely to be set to one of two values (see the
	// :ref:`codec_type
	// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type>`
	// parameter in the HTTP connection manager for more information):
	//
	// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
	// * "http/1.1" If the listener is only going to support HTTP/1.1.
	//
	// There is no default for this parameter. If empty, Envoy will not expose ALPN.
	AlpnProtocols []string `protobuf:"bytes,4,rep,name=alpn_protocols,json=alpnProtocols,proto3" json:"alpn_protocols,omitempty"`
	// Custom TLS handshaker. If empty, defaults to native TLS handshaking
	// behavior.
	// NOTE(review): a non-native handshaker replaces the handshake itself, so
	// confirm against the extension's documentation which of the validation
	// settings configured on this context it actually honours.
	CustomHandshaker *v3.TypedExtensionConfig `protobuf:"bytes,13,opt,name=custom_handshaker,json=customHandshaker,proto3" json:"custom_handshaker,omitempty"`
	// TLS key log configuration.
	// NOTE(review): a TLS key log typically records session secrets that allow
	// captured traffic to be decrypted; confirm this stays unset outside
	// controlled debugging.
	KeyLog *TlsKeyLog `protobuf:"bytes,15,opt,name=key_log,json=keyLog,proto3" json:"key_log,omitempty"`
	// contains filtered or unexported fields
}
TLS context shared by both client and server TLS contexts. [#next-free-field: 16]
func (*CommonTlsContext) ClearCombinedValidationContext ¶
func (x *CommonTlsContext) ClearCombinedValidationContext()
func (*CommonTlsContext) ClearCustomHandshaker ¶
func (x *CommonTlsContext) ClearCustomHandshaker()
func (*CommonTlsContext) ClearKeyLog ¶
func (x *CommonTlsContext) ClearKeyLog()
func (*CommonTlsContext) ClearTlsCertificateCertificateProvider
deprecated
func (x *CommonTlsContext) ClearTlsCertificateCertificateProvider()
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) ClearTlsCertificateCertificateProviderInstance
deprecated
func (x *CommonTlsContext) ClearTlsCertificateCertificateProviderInstance()
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) ClearTlsCertificateProviderInstance ¶
func (x *CommonTlsContext) ClearTlsCertificateProviderInstance()
func (*CommonTlsContext) ClearTlsParams ¶
func (x *CommonTlsContext) ClearTlsParams()
func (*CommonTlsContext) ClearValidationContext ¶
func (x *CommonTlsContext) ClearValidationContext()
func (*CommonTlsContext) ClearValidationContextCertificateProvider
deprecated
func (x *CommonTlsContext) ClearValidationContextCertificateProvider()
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) ClearValidationContextCertificateProviderInstance
deprecated
func (x *CommonTlsContext) ClearValidationContextCertificateProviderInstance()
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) ClearValidationContextSdsSecretConfig ¶
func (x *CommonTlsContext) ClearValidationContextSdsSecretConfig()
func (*CommonTlsContext) ClearValidationContextType ¶
func (x *CommonTlsContext) ClearValidationContextType()
func (*CommonTlsContext) GetAlpnProtocols ¶
func (x *CommonTlsContext) GetAlpnProtocols() []string
func (*CommonTlsContext) GetCombinedValidationContext ¶
func (x *CommonTlsContext) GetCombinedValidationContext() *CommonTlsContext_CombinedCertificateValidationContext
func (*CommonTlsContext) GetCustomHandshaker ¶
func (x *CommonTlsContext) GetCustomHandshaker() *v3.TypedExtensionConfig
func (*CommonTlsContext) GetKeyLog ¶
func (x *CommonTlsContext) GetKeyLog() *TlsKeyLog
func (*CommonTlsContext) GetTlsCertificateCertificateProvider
deprecated
func (x *CommonTlsContext) GetTlsCertificateCertificateProvider() *CommonTlsContext_CertificateProvider
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) GetTlsCertificateCertificateProviderInstance
deprecated
func (x *CommonTlsContext) GetTlsCertificateCertificateProviderInstance() *CommonTlsContext_CertificateProviderInstance
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) GetTlsCertificateProviderInstance ¶
func (x *CommonTlsContext) GetTlsCertificateProviderInstance() *CertificateProviderPluginInstance
func (*CommonTlsContext) GetTlsCertificateSdsSecretConfigs ¶
func (x *CommonTlsContext) GetTlsCertificateSdsSecretConfigs() []*SdsSecretConfig
func (*CommonTlsContext) GetTlsCertificates ¶
func (x *CommonTlsContext) GetTlsCertificates() []*TlsCertificate
func (*CommonTlsContext) GetTlsParams ¶
func (x *CommonTlsContext) GetTlsParams() *TlsParameters
func (*CommonTlsContext) GetValidationContext ¶
func (x *CommonTlsContext) GetValidationContext() *CertificateValidationContext
func (*CommonTlsContext) GetValidationContextCertificateProvider
deprecated
func (x *CommonTlsContext) GetValidationContextCertificateProvider() *CommonTlsContext_CertificateProvider
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) GetValidationContextCertificateProviderInstance
deprecated
func (x *CommonTlsContext) GetValidationContextCertificateProviderInstance() *CommonTlsContext_CertificateProviderInstance
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) GetValidationContextSdsSecretConfig ¶
func (x *CommonTlsContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig
func (*CommonTlsContext) GetValidationContextType ¶
func (x *CommonTlsContext) GetValidationContextType() isCommonTlsContext_ValidationContextType
func (*CommonTlsContext) HasCombinedValidationContext ¶
func (x *CommonTlsContext) HasCombinedValidationContext() bool
func (*CommonTlsContext) HasCustomHandshaker ¶
func (x *CommonTlsContext) HasCustomHandshaker() bool
func (*CommonTlsContext) HasKeyLog ¶
func (x *CommonTlsContext) HasKeyLog() bool
func (*CommonTlsContext) HasTlsCertificateCertificateProvider
deprecated
func (x *CommonTlsContext) HasTlsCertificateCertificateProvider() bool
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) HasTlsCertificateCertificateProviderInstance
deprecated
func (x *CommonTlsContext) HasTlsCertificateCertificateProviderInstance() bool
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) HasTlsCertificateProviderInstance ¶
func (x *CommonTlsContext) HasTlsCertificateProviderInstance() bool
func (*CommonTlsContext) HasTlsParams ¶
func (x *CommonTlsContext) HasTlsParams() bool
func (*CommonTlsContext) HasValidationContext ¶
func (x *CommonTlsContext) HasValidationContext() bool
func (*CommonTlsContext) HasValidationContextCertificateProvider
deprecated
func (x *CommonTlsContext) HasValidationContextCertificateProvider() bool
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) HasValidationContextCertificateProviderInstance
deprecated
func (x *CommonTlsContext) HasValidationContextCertificateProviderInstance() bool
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) HasValidationContextSdsSecretConfig ¶
func (x *CommonTlsContext) HasValidationContextSdsSecretConfig() bool
func (*CommonTlsContext) HasValidationContextType ¶
func (x *CommonTlsContext) HasValidationContextType() bool
func (*CommonTlsContext) ProtoMessage ¶
func (*CommonTlsContext) ProtoMessage()
func (*CommonTlsContext) ProtoReflect ¶
func (x *CommonTlsContext) ProtoReflect() protoreflect.Message
func (*CommonTlsContext) Reset ¶
func (x *CommonTlsContext) Reset()
func (*CommonTlsContext) SetAlpnProtocols ¶
func (x *CommonTlsContext) SetAlpnProtocols(v []string)
func (*CommonTlsContext) SetCombinedValidationContext ¶
func (x *CommonTlsContext) SetCombinedValidationContext(v *CommonTlsContext_CombinedCertificateValidationContext)
func (*CommonTlsContext) SetCustomHandshaker ¶
func (x *CommonTlsContext) SetCustomHandshaker(v *v3.TypedExtensionConfig)
func (*CommonTlsContext) SetKeyLog ¶
func (x *CommonTlsContext) SetKeyLog(v *TlsKeyLog)
func (*CommonTlsContext) SetTlsCertificateCertificateProvider
deprecated
func (x *CommonTlsContext) SetTlsCertificateCertificateProvider(v *CommonTlsContext_CertificateProvider)
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) SetTlsCertificateCertificateProviderInstance
deprecated
func (x *CommonTlsContext) SetTlsCertificateCertificateProviderInstance(v *CommonTlsContext_CertificateProviderInstance)
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) SetTlsCertificateProviderInstance ¶
func (x *CommonTlsContext) SetTlsCertificateProviderInstance(v *CertificateProviderPluginInstance)
func (*CommonTlsContext) SetTlsCertificateSdsSecretConfigs ¶
func (x *CommonTlsContext) SetTlsCertificateSdsSecretConfigs(v []*SdsSecretConfig)
func (*CommonTlsContext) SetTlsCertificates ¶
func (x *CommonTlsContext) SetTlsCertificates(v []*TlsCertificate)
func (*CommonTlsContext) SetTlsParams ¶
func (x *CommonTlsContext) SetTlsParams(v *TlsParameters)
func (*CommonTlsContext) SetValidationContext ¶
func (x *CommonTlsContext) SetValidationContext(v *CertificateValidationContext)
func (*CommonTlsContext) SetValidationContextCertificateProvider
deprecated
func (x *CommonTlsContext) SetValidationContextCertificateProvider(v *CommonTlsContext_CertificateProvider)
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) SetValidationContextCertificateProviderInstance
deprecated
func (x *CommonTlsContext) SetValidationContextCertificateProviderInstance(v *CommonTlsContext_CertificateProviderInstance)
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext) SetValidationContextSdsSecretConfig ¶
func (x *CommonTlsContext) SetValidationContextSdsSecretConfig(v *SdsSecretConfig)
func (*CommonTlsContext) String ¶
func (x *CommonTlsContext) String() string
func (*CommonTlsContext) WhichValidationContextType ¶
func (x *CommonTlsContext) WhichValidationContextType() case_CommonTlsContext_ValidationContextType
type CommonTlsContext_CertificateProvider ¶
// CommonTlsContext_CertificateProvider is the config for a certificate provider
// that obtains certificates. The provider should allow certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS
// handshake.
//
// DEPRECATED: This message is not currently used; if it is ever needed it
// should be moved out of CommonTlsContext into common.proto, similar to the
// existing CertificateProviderPluginInstance message.
// [#not-implemented-hide:]
type CommonTlsContext_CertificateProvider struct {
	// opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Provider specific config.
	// Note: an implementation is expected to dedup multiple instances of the same config
	// to maintain a single certificate-provider instance. The sharing can happen, for
	// example, among multiple clusters or between the tls_certificate and validation_context
	// certificate providers of a cluster.
	// This config could be supplied inline or (in future) a named xDS resource.
	//
	// Types that are valid to be assigned to Config:
	//
	//	*CommonTlsContext_CertificateProvider_TypedConfig
	Config isCommonTlsContext_CertificateProvider_Config `protobuf_oneof:"config"`
	// contains filtered or unexported fields
}
Config for a certificate provider used to obtain certificates. This provider should allow certificates to be fetched/refreshed over the network asynchronously with respect to the TLS handshake.
DEPRECATED: This message is not currently used, but if we ever do need it, we will want to move it out of CommonTlsContext and into common.proto, similar to the existing CertificateProviderPluginInstance message.
[#not-implemented-hide:]
func (*CommonTlsContext_CertificateProvider) ClearConfig ¶
func (x *CommonTlsContext_CertificateProvider) ClearConfig()
func (*CommonTlsContext_CertificateProvider) ClearTypedConfig ¶
func (x *CommonTlsContext_CertificateProvider) ClearTypedConfig()
func (*CommonTlsContext_CertificateProvider) GetConfig ¶
func (x *CommonTlsContext_CertificateProvider) GetConfig() isCommonTlsContext_CertificateProvider_Config
func (*CommonTlsContext_CertificateProvider) GetName ¶
func (x *CommonTlsContext_CertificateProvider) GetName() string
func (*CommonTlsContext_CertificateProvider) GetTypedConfig ¶
func (x *CommonTlsContext_CertificateProvider) GetTypedConfig() *v3.TypedExtensionConfig
func (*CommonTlsContext_CertificateProvider) HasConfig ¶
func (x *CommonTlsContext_CertificateProvider) HasConfig() bool
func (*CommonTlsContext_CertificateProvider) HasTypedConfig ¶
func (x *CommonTlsContext_CertificateProvider) HasTypedConfig() bool
func (*CommonTlsContext_CertificateProvider) ProtoMessage ¶
func (*CommonTlsContext_CertificateProvider) ProtoMessage()
func (*CommonTlsContext_CertificateProvider) ProtoReflect ¶
func (x *CommonTlsContext_CertificateProvider) ProtoReflect() protoreflect.Message
func (*CommonTlsContext_CertificateProvider) Reset ¶
func (x *CommonTlsContext_CertificateProvider) Reset()
func (*CommonTlsContext_CertificateProvider) SetName ¶
func (x *CommonTlsContext_CertificateProvider) SetName(v string)
func (*CommonTlsContext_CertificateProvider) SetTypedConfig ¶
func (x *CommonTlsContext_CertificateProvider) SetTypedConfig(v *v3.TypedExtensionConfig)
func (*CommonTlsContext_CertificateProvider) String ¶
func (x *CommonTlsContext_CertificateProvider) String() string
func (*CommonTlsContext_CertificateProvider) WhichConfig ¶
func (x *CommonTlsContext_CertificateProvider) WhichConfig() case_CommonTlsContext_CertificateProvider_Config
type CommonTlsContext_CertificateProviderInstance ¶
// CommonTlsContext_CertificateProviderInstance is similar to
// CommonTlsContext_CertificateProvider, but allows the provider instances to be
// configured on the client side instead of being sent from the control plane.
//
// DEPRECATED: This message was moved outside of CommonTlsContext and now lives
// in common.proto (see CertificateProviderPluginInstance).
// [#not-implemented-hide:]
type CommonTlsContext_CertificateProviderInstance struct {
	// Provider instance name. This name must be defined in the client's configuration (e.g., a
	// bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config
	// field that would be sent in the CertificateProvider message if the config was sent by the
	// control plane). If not present, defaults to "default".
	//
	// Instance names should generally be defined not in terms of the underlying provider
	// implementation (e.g., "file_watcher") but rather in terms of the function of the
	// certificates (e.g., "foo_deployment_identity").
	InstanceName string `protobuf:"bytes,1,opt,name=instance_name,json=instanceName,proto3" json:"instance_name,omitempty"`
	// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "example.com" to specify a certificate for a
	// particular domain. Not all provider instances will actually use this field, so the value
	// defaults to the empty string.
	CertificateName string `protobuf:"bytes,2,opt,name=certificate_name,json=certificateName,proto3" json:"certificate_name,omitempty"`
	// contains filtered or unexported fields
}
Similar to CertificateProvider above, but allows the provider instances to be configured on the client side instead of being sent from the control plane.
DEPRECATED: This message was moved outside of CommonTlsContext and now lives in common.proto.
[#not-implemented-hide:]
func (*CommonTlsContext_CertificateProviderInstance) GetCertificateName ¶
func (x *CommonTlsContext_CertificateProviderInstance) GetCertificateName() string
func (*CommonTlsContext_CertificateProviderInstance) GetInstanceName ¶
func (x *CommonTlsContext_CertificateProviderInstance) GetInstanceName() string
func (*CommonTlsContext_CertificateProviderInstance) ProtoMessage ¶
func (*CommonTlsContext_CertificateProviderInstance) ProtoMessage()
func (*CommonTlsContext_CertificateProviderInstance) ProtoReflect ¶
func (x *CommonTlsContext_CertificateProviderInstance) ProtoReflect() protoreflect.Message
func (*CommonTlsContext_CertificateProviderInstance) Reset ¶
func (x *CommonTlsContext_CertificateProviderInstance) Reset()
func (*CommonTlsContext_CertificateProviderInstance) SetCertificateName ¶
func (x *CommonTlsContext_CertificateProviderInstance) SetCertificateName(v string)
func (*CommonTlsContext_CertificateProviderInstance) SetInstanceName ¶
func (x *CommonTlsContext_CertificateProviderInstance) SetInstanceName(v string)
func (*CommonTlsContext_CertificateProviderInstance) String ¶
func (x *CommonTlsContext_CertificateProviderInstance) String() string
type CommonTlsContext_CertificateProviderInstance_builder ¶
// CommonTlsContext_CertificateProviderInstance_builder collects the fields of
// CommonTlsContext_CertificateProviderInstance so the message can be assembled
// with Build(). The field semantics mirror the message it builds.
type CommonTlsContext_CertificateProviderInstance_builder struct {
	// Provider instance name. This name must be defined in the client's configuration (e.g., a
	// bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config
	// field that would be sent in the CertificateProvider message if the config was sent by the
	// control plane). If not present, defaults to "default".
	//
	// Instance names should generally be defined not in terms of the underlying provider
	// implementation (e.g., "file_watcher") but rather in terms of the function of the
	// certificates (e.g., "foo_deployment_identity").
	InstanceName string
	// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "example.com" to specify a certificate for a
	// particular domain. Not all provider instances will actually use this field, so the value
	// defaults to the empty string.
	CertificateName string
	// contains filtered or unexported fields
}
func (CommonTlsContext_CertificateProviderInstance_builder) Build ¶
type CommonTlsContext_CertificateProvider_TypedConfig ¶
// CommonTlsContext_CertificateProvider_TypedConfig is the ``typed_config``
// member of the CommonTlsContext_CertificateProvider Config oneof; it carries
// the provider-specific extension config inline.
type CommonTlsContext_CertificateProvider_TypedConfig struct {
	// Provider-specific config, supplied inline as a typed extension.
	TypedConfig *v3.TypedExtensionConfig `protobuf:"bytes,2,opt,name=typed_config,json=typedConfig,proto3,oneof"`
}
type CommonTlsContext_CertificateProvider_builder ¶
// CommonTlsContext_CertificateProvider_builder collects the fields of
// CommonTlsContext_CertificateProvider so the message can be assembled with
// Build(). The oneof Config is flattened into its single member, TypedConfig.
type CommonTlsContext_CertificateProvider_builder struct {
	// opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
	Name string
	// Fields of oneof Config:
	TypedConfig *v3.TypedExtensionConfig
	// contains filtered or unexported fields
}
func (CommonTlsContext_CertificateProvider_builder) Build ¶
func (b0 CommonTlsContext_CertificateProvider_builder) Build() *CommonTlsContext_CertificateProvider
type CommonTlsContext_CombinedCertificateValidationContext ¶
// CommonTlsContext_CombinedCertificateValidationContext pairs a static default
// CertificateValidationContext with an SDS config that delivers a dynamic one.
// When the SDS server returns a dynamic context, the two are merged (see the
// CommonTlsContext_CombinedValidationContext oneof wrapper for the merge rules):
// singular fields in the default are overwritten, repeated fields are
// concatenated, and boolean fields are combined with logical OR, so a ``true``
// in either source (for example ``allow_expired_certificate``) carries into the
// merged context.
type CommonTlsContext_CombinedCertificateValidationContext struct {
	// How to validate peer certificates.
	DefaultValidationContext *CertificateValidationContext `` /* 135-byte string literal not displayed */
	// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	ValidationContextSdsSecretConfig *SdsSecretConfig `` /* 163-byte string literal not displayed */
	// Certificate provider for fetching CA certs. This will populate the
	// ``default_validation_context.trusted_ca`` field.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	ValidationContextCertificateProvider *CommonTlsContext_CertificateProvider `` /* 173-byte string literal not displayed */
	// Certificate provider instance for fetching CA certs. This will populate the
	// ``default_validation_context.trusted_ca`` field.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	ValidationContextCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance `` /* 199-byte string literal not displayed */
	// contains filtered or unexported fields
}
func (*CommonTlsContext_CombinedCertificateValidationContext) ClearDefaultValidationContext ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearDefaultValidationContext()
func (*CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextCertificateProvider
deprecated
func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextCertificateProvider()
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextCertificateProviderInstance
deprecated
func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextCertificateProviderInstance()
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextSdsSecretConfig ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) ClearValidationContextSdsSecretConfig()
func (*CommonTlsContext_CombinedCertificateValidationContext) GetDefaultValidationContext ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) GetDefaultValidationContext() *CertificateValidationContext
func (*CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextCertificateProvider
deprecated
func (x *CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextCertificateProvider() *CommonTlsContext_CertificateProvider
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextCertificateProviderInstance
deprecated
func (x *CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextCertificateProviderInstance() *CommonTlsContext_CertificateProviderInstance
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextSdsSecretConfig ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig
func (*CommonTlsContext_CombinedCertificateValidationContext) HasDefaultValidationContext ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) HasDefaultValidationContext() bool
func (*CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextCertificateProvider
deprecated
func (x *CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextCertificateProvider() bool
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextCertificateProviderInstance
deprecated
func (x *CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextCertificateProviderInstance() bool
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextSdsSecretConfig ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) HasValidationContextSdsSecretConfig() bool
func (*CommonTlsContext_CombinedCertificateValidationContext) ProtoMessage ¶
func (*CommonTlsContext_CombinedCertificateValidationContext) ProtoMessage()
func (*CommonTlsContext_CombinedCertificateValidationContext) ProtoReflect ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) ProtoReflect() protoreflect.Message
func (*CommonTlsContext_CombinedCertificateValidationContext) Reset ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) Reset()
func (*CommonTlsContext_CombinedCertificateValidationContext) SetDefaultValidationContext ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) SetDefaultValidationContext(v *CertificateValidationContext)
func (*CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextCertificateProvider
deprecated
func (x *CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextCertificateProvider(v *CommonTlsContext_CertificateProvider)
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextCertificateProviderInstance
deprecated
func (x *CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextCertificateProviderInstance(v *CommonTlsContext_CertificateProviderInstance)
Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
func (*CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextSdsSecretConfig ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) SetValidationContextSdsSecretConfig(v *SdsSecretConfig)
func (*CommonTlsContext_CombinedCertificateValidationContext) String ¶
func (x *CommonTlsContext_CombinedCertificateValidationContext) String() string
type CommonTlsContext_CombinedCertificateValidationContext_builder ¶
// CommonTlsContext_CombinedCertificateValidationContext_builder collects the
// fields of CommonTlsContext_CombinedCertificateValidationContext so the
// message can be assembled with Build(). The field semantics mirror the
// message it builds.
type CommonTlsContext_CombinedCertificateValidationContext_builder struct {
	// How to validate peer certificates.
	DefaultValidationContext *CertificateValidationContext
	// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	ValidationContextSdsSecretConfig *SdsSecretConfig
	// Certificate provider for fetching CA certs. This will populate the
	// ``default_validation_context.trusted_ca`` field.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	ValidationContextCertificateProvider *CommonTlsContext_CertificateProvider
	// Certificate provider instance for fetching CA certs. This will populate the
	// ``default_validation_context.trusted_ca`` field.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	ValidationContextCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance
	// contains filtered or unexported fields
}
func (CommonTlsContext_CombinedCertificateValidationContext_builder) Build ¶
type CommonTlsContext_CombinedValidationContext ¶
// CommonTlsContext_CombinedValidationContext is the ``combined_validation_context``
// member of the CommonTlsContext ValidationContextType oneof.
type CommonTlsContext_CombinedValidationContext struct {
	// Combined certificate validation context holds a default CertificateValidationContext
	// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
	// and default CertificateValidationContext are merged into a new CertificateValidationContext
	// for validation. This merge is done by Message::MergeFrom(), so dynamic
	// CertificateValidationContext overwrites singular fields in default
	// CertificateValidationContext, and concatenates repeated fields to default
	// CertificateValidationContext, and logical OR is applied to boolean fields.
	// Because of the OR rule, a boolean set to true in either the default or the
	// dynamic context stays true after the merge.
	CombinedValidationContext *CommonTlsContext_CombinedCertificateValidationContext `protobuf:"bytes,8,opt,name=combined_validation_context,json=combinedValidationContext,proto3,oneof"`
}
type CommonTlsContext_ValidationContext ¶
// CommonTlsContext_ValidationContext is the ``validation_context`` member of
// the CommonTlsContext ValidationContextType oneof: a static, inline
// description of how to validate peer certificates.
type CommonTlsContext_ValidationContext struct {
	// How to validate peer certificates.
	ValidationContext *CertificateValidationContext `protobuf:"bytes,3,opt,name=validation_context,json=validationContext,proto3,oneof"`
}
type CommonTlsContext_ValidationContextCertificateProvider ¶
// CommonTlsContext_ValidationContextCertificateProvider is the deprecated
// ``validation_context_certificate_provider`` member of the CommonTlsContext
// ValidationContextType oneof.
type CommonTlsContext_ValidationContextCertificateProvider struct {
	// Certificate provider for fetching validation context.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	ValidationContextCertificateProvider *CommonTlsContext_CertificateProvider `protobuf:"bytes,10,opt,name=validation_context_certificate_provider,json=validationContextCertificateProvider,proto3,oneof"`
}
type CommonTlsContext_ValidationContextCertificateProviderInstance ¶
// CommonTlsContext_ValidationContextCertificateProviderInstance is the oneof wrapper for
// the deprecated certificate-provider-instance form of the validation context. The field
// is marked [#not-implemented-hide:], so selecting it should not be expected to validate
// anything.
type CommonTlsContext_ValidationContextCertificateProviderInstance struct {
	// Certificate provider instance for fetching validation context.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	ValidationContextCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance `` /* 140-byte string literal not displayed */
}
type CommonTlsContext_ValidationContextSdsSecretConfig ¶
// CommonTlsContext_ValidationContextSdsSecretConfig is the oneof wrapper that selects an
// SDS-fetched validation context as the CommonTlsContext's ValidationContextType.
type CommonTlsContext_ValidationContextSdsSecretConfig struct {
	// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	ValidationContextSdsSecretConfig *SdsSecretConfig `protobuf:"bytes,7,opt,name=validation_context_sds_secret_config,json=validationContextSdsSecretConfig,proto3,oneof"`
}
type CommonTlsContext_builder ¶
// CommonTlsContext_builder assembles a CommonTlsContext via its Build method. The
// ValidationContextType oneof is flattened into individual pointer fields here; the
// members between "Fields of oneof ValidationContextType" and "-- end of
// ValidationContextType" are mutually exclusive.
type CommonTlsContext_builder struct {
	// TLS protocol versions, cipher suites etc.
	TlsParams *TlsParameters
	// Only a single TLS certificate is supported in client contexts. In server contexts,
	// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
	// same context to allow both RSA and ECDSA certificates and support SNI-based selection.
	//
	// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
	// and ``tls_certificate_provider_instance`` may be used.
	// [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
	// not legal to put a repeated field in a oneof. In the next major version, we should rework
	// this to avoid this problem.]
	TlsCertificates []*TlsCertificate
	// Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	//
	// The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
	// are valid in the certificates fetched through this setting.
	//
	// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
	// and ``tls_certificate_provider_instance`` may be used.
	// [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
	// not legal to put a repeated field in a oneof. In the next major version, we should rework
	// this to avoid this problem.]
	TlsCertificateSdsSecretConfigs []*SdsSecretConfig
	// Certificate provider instance for fetching TLS certs.
	//
	// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
	// and ``tls_certificate_provider_instance`` may be used.
	// [#not-implemented-hide:]
	TlsCertificateProviderInstance *CertificateProviderPluginInstance
	// Certificate provider for fetching TLS certificates.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	TlsCertificateCertificateProvider *CommonTlsContext_CertificateProvider
	// Certificate provider instance for fetching TLS certificates.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	TlsCertificateCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance
	// Fields of oneof ValidationContextType:
	//
	// NOTE(review): nothing on this page states what happens when none of the oneof
	// members below is set; confirm that a context built without one actually verifies
	// the peer rather than silently skipping validation.
	//
	// How to validate peer certificates.
	ValidationContext *CertificateValidationContext
	// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	ValidationContextSdsSecretConfig *SdsSecretConfig
	// Combined certificate validation context holds a default CertificateValidationContext
	// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
	// and default CertificateValidationContext are merged into a new CertificateValidationContext
	// for validation. This merge is done by Message::MergeFrom(), so dynamic
	// CertificateValidationContext overwrites singular fields in default
	// CertificateValidationContext, and concatenates repeated fields to default
	// CertificateValidationContext, and logical OR is applied to boolean fields.
	CombinedValidationContext *CommonTlsContext_CombinedCertificateValidationContext
	// Certificate provider for fetching validation context.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	ValidationContextCertificateProvider *CommonTlsContext_CertificateProvider
	// Certificate provider instance for fetching validation context.
	// [#not-implemented-hide:]
	//
	// Deprecated: Marked as deprecated in envoy/extensions/transport_sockets/tls/v3/tls.proto.
	ValidationContextCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance
	// -- end of ValidationContextType
	// Supplies the list of ALPN protocols that the listener should expose. In
	// practice this is likely to be set to one of two values (see the
	// :ref:`codec_type
	// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type>`
	// parameter in the HTTP connection manager for more information):
	//
	// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
	// * "http/1.1" If the listener is only going to support HTTP/1.1.
	//
	// There is no default for this parameter. If empty, Envoy will not expose ALPN.
	AlpnProtocols []string
	// Custom TLS handshaker. If empty, defaults to native TLS handshaking
	// behavior.
	CustomHandshaker *v3.TypedExtensionConfig
	// TLS key log configuration.
	//
	// NOTE(review): a TLS key log presumably records per-session secrets so captured
	// traffic can be decrypted offline; treat it as a debugging aid and protect its output
	// accordingly — confirm against the TlsKeyLog documentation.
	KeyLog *TlsKeyLog
	// contains filtered or unexported fields
}
func (CommonTlsContext_builder) Build ¶
func (b0 CommonTlsContext_builder) Build() *CommonTlsContext
type DownstreamTlsContext ¶
// DownstreamTlsContext configures the server (listener) side of a TLS transport socket:
// the shared CommonTlsContext plus client-certificate, SNI, session-resumption and OCSP
// stapling policy.
type DownstreamTlsContext struct {
	// Common TLS context settings.
	CommonTlsContext *CommonTlsContext `protobuf:"bytes,1,opt,name=common_tls_context,json=commonTlsContext,proto3" json:"common_tls_context,omitempty"`
	// If specified, Envoy will reject connections without a valid client
	// certificate.
	//
	// NOTE(review): the wording implies that when this is unset, connections without a
	// client certificate are accepted even if a validation context is configured — confirm
	// before relying on the validation context alone to enforce mutual TLS.
	RequireClientCertificate *wrapperspb.BoolValue `` /* 135-byte string literal not displayed */
	// If specified, Envoy will reject connections without a valid and matching SNI.
	// [#not-implemented-hide:]
	//
	// NOTE(review): marked not-implemented above; setting it should not be relied on to
	// enforce SNI matching.
	RequireSni *wrapperspb.BoolValue `protobuf:"bytes,3,opt,name=require_sni,json=requireSni,proto3" json:"require_sni,omitempty"`
	// Types that are valid to be assigned to SessionTicketKeysType:
	//
	//	*DownstreamTlsContext_SessionTicketKeys
	//	*DownstreamTlsContext_SessionTicketKeysSdsSecretConfig
	//	*DownstreamTlsContext_DisableStatelessSessionResumption
	SessionTicketKeysType isDownstreamTlsContext_SessionTicketKeysType `protobuf_oneof:"session_ticket_keys_type"`
	// If set to true, the TLS server will not maintain a session cache of TLS sessions. (This is
	// relevant only for TLSv1.2 and earlier.)
	DisableStatefulSessionResumption bool `` /* 163-byte string literal not displayed */
	// If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session.
	// Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
	// Only seconds can be specified (fractional seconds are ignored).
	SessionTimeout *durationpb.Duration `protobuf:"bytes,6,opt,name=session_timeout,json=sessionTimeout,proto3" json:"session_timeout,omitempty"`
	// Config for whether to use certificates if they do not have
	// an accompanying OCSP response or if the response expires at runtime.
	// Defaults to LENIENT_STAPLING, which is enum value 0 and the most permissive of the
	// three policies (absent or expired staples do not prevent a certificate from being used).
	OcspStaplePolicy DownstreamTlsContext_OcspStaplePolicy `` /* 197-byte string literal not displayed */
	// Multiple certificates are allowed in Downstream transport socket to serve different SNI.
	// If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config.
	// Defaults to false. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
	FullScanCertsOnSniMismatch *wrapperspb.BoolValue `` /* 147-byte string literal not displayed */
	// contains filtered or unexported fields
}
[#next-free-field: 11]
func (*DownstreamTlsContext) ClearCommonTlsContext ¶
func (x *DownstreamTlsContext) ClearCommonTlsContext()
func (*DownstreamTlsContext) ClearDisableStatelessSessionResumption ¶
func (x *DownstreamTlsContext) ClearDisableStatelessSessionResumption()
func (*DownstreamTlsContext) ClearFullScanCertsOnSniMismatch ¶
func (x *DownstreamTlsContext) ClearFullScanCertsOnSniMismatch()
func (*DownstreamTlsContext) ClearRequireClientCertificate ¶
func (x *DownstreamTlsContext) ClearRequireClientCertificate()
func (*DownstreamTlsContext) ClearRequireSni ¶
func (x *DownstreamTlsContext) ClearRequireSni()
func (*DownstreamTlsContext) ClearSessionTicketKeys ¶
func (x *DownstreamTlsContext) ClearSessionTicketKeys()
func (*DownstreamTlsContext) ClearSessionTicketKeysSdsSecretConfig ¶
func (x *DownstreamTlsContext) ClearSessionTicketKeysSdsSecretConfig()
func (*DownstreamTlsContext) ClearSessionTicketKeysType ¶
func (x *DownstreamTlsContext) ClearSessionTicketKeysType()
func (*DownstreamTlsContext) ClearSessionTimeout ¶
func (x *DownstreamTlsContext) ClearSessionTimeout()
func (*DownstreamTlsContext) GetCommonTlsContext ¶
func (x *DownstreamTlsContext) GetCommonTlsContext() *CommonTlsContext
func (*DownstreamTlsContext) GetDisableStatefulSessionResumption ¶
func (x *DownstreamTlsContext) GetDisableStatefulSessionResumption() bool
func (*DownstreamTlsContext) GetDisableStatelessSessionResumption ¶
func (x *DownstreamTlsContext) GetDisableStatelessSessionResumption() bool
func (*DownstreamTlsContext) GetFullScanCertsOnSniMismatch ¶
func (x *DownstreamTlsContext) GetFullScanCertsOnSniMismatch() *wrapperspb.BoolValue
func (*DownstreamTlsContext) GetOcspStaplePolicy ¶
func (x *DownstreamTlsContext) GetOcspStaplePolicy() DownstreamTlsContext_OcspStaplePolicy
func (*DownstreamTlsContext) GetRequireClientCertificate ¶
func (x *DownstreamTlsContext) GetRequireClientCertificate() *wrapperspb.BoolValue
func (*DownstreamTlsContext) GetRequireSni ¶
func (x *DownstreamTlsContext) GetRequireSni() *wrapperspb.BoolValue
func (*DownstreamTlsContext) GetSessionTicketKeys ¶
func (x *DownstreamTlsContext) GetSessionTicketKeys() *TlsSessionTicketKeys
func (*DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig ¶
func (x *DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig() *SdsSecretConfig
func (*DownstreamTlsContext) GetSessionTicketKeysType ¶
func (x *DownstreamTlsContext) GetSessionTicketKeysType() isDownstreamTlsContext_SessionTicketKeysType
func (*DownstreamTlsContext) GetSessionTimeout ¶
func (x *DownstreamTlsContext) GetSessionTimeout() *durationpb.Duration
func (*DownstreamTlsContext) HasCommonTlsContext ¶
func (x *DownstreamTlsContext) HasCommonTlsContext() bool
func (*DownstreamTlsContext) HasDisableStatelessSessionResumption ¶
func (x *DownstreamTlsContext) HasDisableStatelessSessionResumption() bool
func (*DownstreamTlsContext) HasFullScanCertsOnSniMismatch ¶
func (x *DownstreamTlsContext) HasFullScanCertsOnSniMismatch() bool
func (*DownstreamTlsContext) HasRequireClientCertificate ¶
func (x *DownstreamTlsContext) HasRequireClientCertificate() bool
func (*DownstreamTlsContext) HasRequireSni ¶
func (x *DownstreamTlsContext) HasRequireSni() bool
func (*DownstreamTlsContext) HasSessionTicketKeys ¶
func (x *DownstreamTlsContext) HasSessionTicketKeys() bool
func (*DownstreamTlsContext) HasSessionTicketKeysSdsSecretConfig ¶
func (x *DownstreamTlsContext) HasSessionTicketKeysSdsSecretConfig() bool
func (*DownstreamTlsContext) HasSessionTicketKeysType ¶
func (x *DownstreamTlsContext) HasSessionTicketKeysType() bool
func (*DownstreamTlsContext) HasSessionTimeout ¶
func (x *DownstreamTlsContext) HasSessionTimeout() bool
func (*DownstreamTlsContext) ProtoMessage ¶
func (*DownstreamTlsContext) ProtoMessage()
func (*DownstreamTlsContext) ProtoReflect ¶
func (x *DownstreamTlsContext) ProtoReflect() protoreflect.Message
func (*DownstreamTlsContext) Reset ¶
func (x *DownstreamTlsContext) Reset()
func (*DownstreamTlsContext) SetCommonTlsContext ¶
func (x *DownstreamTlsContext) SetCommonTlsContext(v *CommonTlsContext)
func (*DownstreamTlsContext) SetDisableStatefulSessionResumption ¶
func (x *DownstreamTlsContext) SetDisableStatefulSessionResumption(v bool)
func (*DownstreamTlsContext) SetDisableStatelessSessionResumption ¶
func (x *DownstreamTlsContext) SetDisableStatelessSessionResumption(v bool)
func (*DownstreamTlsContext) SetFullScanCertsOnSniMismatch ¶
func (x *DownstreamTlsContext) SetFullScanCertsOnSniMismatch(v *wrapperspb.BoolValue)
func (*DownstreamTlsContext) SetOcspStaplePolicy ¶
func (x *DownstreamTlsContext) SetOcspStaplePolicy(v DownstreamTlsContext_OcspStaplePolicy)
func (*DownstreamTlsContext) SetRequireClientCertificate ¶
func (x *DownstreamTlsContext) SetRequireClientCertificate(v *wrapperspb.BoolValue)
func (*DownstreamTlsContext) SetRequireSni ¶
func (x *DownstreamTlsContext) SetRequireSni(v *wrapperspb.BoolValue)
func (*DownstreamTlsContext) SetSessionTicketKeys ¶
func (x *DownstreamTlsContext) SetSessionTicketKeys(v *TlsSessionTicketKeys)
func (*DownstreamTlsContext) SetSessionTicketKeysSdsSecretConfig ¶
func (x *DownstreamTlsContext) SetSessionTicketKeysSdsSecretConfig(v *SdsSecretConfig)
func (*DownstreamTlsContext) SetSessionTimeout ¶
func (x *DownstreamTlsContext) SetSessionTimeout(v *durationpb.Duration)
func (*DownstreamTlsContext) String ¶
func (x *DownstreamTlsContext) String() string
func (*DownstreamTlsContext) WhichSessionTicketKeysType ¶
func (x *DownstreamTlsContext) WhichSessionTicketKeysType() case_DownstreamTlsContext_SessionTicketKeysType
type DownstreamTlsContext_DisableStatelessSessionResumption ¶
// DownstreamTlsContext_DisableStatelessSessionResumption is the oneof wrapper that selects
// the "no explicit ticket keys" member of SessionTicketKeysType: either disable ticket
// issuance entirely, or let Envoy manage the ticket key internally.
type DownstreamTlsContext_DisableStatelessSessionResumption struct {
	// Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
	// server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
	// If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
	// the keys specified through either :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
	// or :ref:`session_ticket_keys_sds_secret_config <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
	// If this config is set to false and no keys are explicitly configured, the TLS server will issue
	// TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
	// implication that sessions cannot be resumed across hot restarts or on different hosts.
	//
	// Note that as a oneof member this field cannot be combined with session_ticket_keys or
	// session_ticket_keys_sds_secret_config; the "false + internally-generated key" case is
	// what you get when this member is selected with the value false.
	DisableStatelessSessionResumption bool `protobuf:"varint,7,opt,name=disable_stateless_session_resumption,json=disableStatelessSessionResumption,proto3,oneof"`
}
type DownstreamTlsContext_OcspStaplePolicy ¶
// DownstreamTlsContext_OcspStaplePolicy decides whether a certificate may be used when its
// OCSP response is missing or has expired. Value 0 (LENIENT_STAPLING) is the proto3 default
// and therefore what a DownstreamTlsContext gets when the field is left unset; the policies
// are ordered from most to least permissive.
type DownstreamTlsContext_OcspStaplePolicy int32

const (
	// OCSP responses are optional. If an OCSP response is absent
	// or expired, the associated certificate will be used for
	// connections without an OCSP staple.
	//
	// Clients that require a fresh staple for revocation checking get none under this
	// policy; choose STRICT_STAPLING or MUST_STAPLE when staple freshness matters.
	DownstreamTlsContext_LENIENT_STAPLING DownstreamTlsContext_OcspStaplePolicy = 0
	// OCSP responses are optional. If an OCSP response is absent,
	// the associated certificate will be used without an
	// OCSP staple. If a response is provided but is expired,
	// the associated certificate will not be used for
	// subsequent connections. If no suitable certificate is found,
	// the connection is rejected.
	DownstreamTlsContext_STRICT_STAPLING DownstreamTlsContext_OcspStaplePolicy = 1
	// OCSP responses are required. Configuration will fail if
	// a certificate is provided without an OCSP response. If a
	// response expires, the associated certificate will not be
	// used for connections. If no suitable certificate is found, the
	// connection is rejected.
	DownstreamTlsContext_MUST_STAPLE DownstreamTlsContext_OcspStaplePolicy = 2
)
func (DownstreamTlsContext_OcspStaplePolicy) Descriptor ¶
func (DownstreamTlsContext_OcspStaplePolicy) Descriptor() protoreflect.EnumDescriptor
func (DownstreamTlsContext_OcspStaplePolicy) Enum ¶
func (DownstreamTlsContext_OcspStaplePolicy) Number ¶
func (x DownstreamTlsContext_OcspStaplePolicy) Number() protoreflect.EnumNumber
func (DownstreamTlsContext_OcspStaplePolicy) String ¶
func (x DownstreamTlsContext_OcspStaplePolicy) String() string
func (DownstreamTlsContext_OcspStaplePolicy) Type ¶
func (DownstreamTlsContext_OcspStaplePolicy) Type() protoreflect.EnumType
type DownstreamTlsContext_SessionTicketKeys ¶
// DownstreamTlsContext_SessionTicketKeys is the oneof wrapper that supplies statically
// configured session ticket keys as the SessionTicketKeysType.
type DownstreamTlsContext_SessionTicketKeys struct {
	// TLS session ticket key settings.
	SessionTicketKeys *TlsSessionTicketKeys `protobuf:"bytes,4,opt,name=session_ticket_keys,json=sessionTicketKeys,proto3,oneof"`
}
type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig ¶
// DownstreamTlsContext_SessionTicketKeysSdsSecretConfig is the oneof wrapper that fetches
// session ticket keys over SDS as the SessionTicketKeysType, which allows the keys to be
// rotated without a config reload.
type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig struct {
	// Config for fetching TLS session ticket keys via SDS API.
	SessionTicketKeysSdsSecretConfig *SdsSecretConfig `protobuf:"bytes,5,opt,name=session_ticket_keys_sds_secret_config,json=sessionTicketKeysSdsSecretConfig,proto3,oneof"`
}
type DownstreamTlsContext_builder ¶
// DownstreamTlsContext_builder assembles a DownstreamTlsContext via its Build method. The
// SessionTicketKeysType oneof is flattened into the three fields between "Fields of oneof
// SessionTicketKeysType" and "-- end of SessionTicketKeysType"; they are mutually
// exclusive, and DisableStatelessSessionResumption is a *bool here so that "unset" can be
// distinguished from "set to false".
type DownstreamTlsContext_builder struct {
	// Common TLS context settings.
	CommonTlsContext *CommonTlsContext
	// If specified, Envoy will reject connections without a valid client
	// certificate.
	//
	// NOTE(review): the wording implies that when this is unset, clients without a
	// certificate are accepted — confirm before relying on the validation context alone
	// to enforce mutual TLS.
	RequireClientCertificate *wrapperspb.BoolValue
	// If specified, Envoy will reject connections without a valid and matching SNI.
	// [#not-implemented-hide:]
	RequireSni *wrapperspb.BoolValue
	// Fields of oneof SessionTicketKeysType:
	// TLS session ticket key settings.
	SessionTicketKeys *TlsSessionTicketKeys
	// Config for fetching TLS session ticket keys via SDS API.
	SessionTicketKeysSdsSecretConfig *SdsSecretConfig
	// Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
	// server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
	// If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
	// the keys specified through either :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
	// or :ref:`session_ticket_keys_sds_secret_config <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
	// If this config is set to false and no keys are explicitly configured, the TLS server will issue
	// TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
	// implication that sessions cannot be resumed across hot restarts or on different hosts.
	DisableStatelessSessionResumption *bool
	// -- end of SessionTicketKeysType
	// If set to true, the TLS server will not maintain a session cache of TLS sessions. (This is
	// relevant only for TLSv1.2 and earlier.)
	DisableStatefulSessionResumption bool
	// If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session.
	// Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
	// Only seconds can be specified (fractional seconds are ignored).
	SessionTimeout *durationpb.Duration
	// Config for whether to use certificates if they do not have
	// an accompanying OCSP response or if the response expires at runtime.
	// Defaults to LENIENT_STAPLING (enum value 0, the most permissive policy).
	OcspStaplePolicy DownstreamTlsContext_OcspStaplePolicy
	// Multiple certificates are allowed in Downstream transport socket to serve different SNI.
	// If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config.
	// Defaults to false. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
	FullScanCertsOnSniMismatch *wrapperspb.BoolValue
	// contains filtered or unexported fields
}
func (DownstreamTlsContext_builder) Build ¶
func (b0 DownstreamTlsContext_builder) Build() *DownstreamTlsContext
type GenericSecret ¶
// GenericSecret carries an opaque secret (neither a certificate, ticket keys nor a
// validation context) that filters can consume; it is one of the members of Secret's Type
// oneof.
type GenericSecret struct {
	// Secret of generic type and is available to filters.
	Secret *v3.DataSource `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
	// contains filtered or unexported fields
}
func (*GenericSecret) ClearSecret ¶
func (x *GenericSecret) ClearSecret()
func (*GenericSecret) GetSecret ¶
func (x *GenericSecret) GetSecret() *v3.DataSource
func (*GenericSecret) HasSecret ¶
func (x *GenericSecret) HasSecret() bool
func (*GenericSecret) ProtoMessage ¶
func (*GenericSecret) ProtoMessage()
func (*GenericSecret) ProtoReflect ¶
func (x *GenericSecret) ProtoReflect() protoreflect.Message
func (*GenericSecret) Reset ¶
func (x *GenericSecret) Reset()
func (*GenericSecret) SetSecret ¶
func (x *GenericSecret) SetSecret(v *v3.DataSource)
func (*GenericSecret) String ¶
func (x *GenericSecret) String() string
type GenericSecret_builder ¶
// GenericSecret_builder assembles a GenericSecret via its Build method.
type GenericSecret_builder struct {
	// Secret of generic type and is available to filters.
	Secret *v3.DataSource
	// contains filtered or unexported fields
}
func (GenericSecret_builder) Build ¶
func (b0 GenericSecret_builder) Build() *GenericSecret
type PrivateKeyProvider ¶
// PrivateKeyProvider selects an external private-key method (for example a TPM-backed or
// accelerated signer) by name and carries its provider-specific configuration.
type PrivateKeyProvider struct {
	// Private key method provider name. The name must match a
	// supported private key method provider type.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
	// Private key method provider specific configuration.
	//
	// Types that are valid to be assigned to ConfigType:
	//
	//	*PrivateKeyProvider_TypedConfig
	ConfigType isPrivateKeyProvider_ConfigType `protobuf_oneof:"config_type"`
	// If the private key provider isn't available (eg. the required hardware capability doesn't exist),
	// Envoy will fall back to the BoringSSL default implementation when ``fallback`` is true.
	// The default value is ``false``.
	//
	// NOTE(review): enabling fallback can mask a missing or misconfigured hardware-backed
	// provider by silently using the in-process implementation; the default (false)
	// presumably keeps the provider a hard requirement — confirm the failure mode when the
	// provider is unavailable and fallback is false.
	Fallback bool `protobuf:"varint,4,opt,name=fallback,proto3" json:"fallback,omitempty"`
	// contains filtered or unexported fields
}
BoringSSL private key method configuration. Private key methods are used for external (potentially asynchronous) signing and decryption operations. Typical use cases for private key methods include TPM support and TLS acceleration.
func (*PrivateKeyProvider) ClearConfigType ¶
func (x *PrivateKeyProvider) ClearConfigType()
func (*PrivateKeyProvider) ClearTypedConfig ¶
func (x *PrivateKeyProvider) ClearTypedConfig()
func (*PrivateKeyProvider) GetConfigType ¶
func (x *PrivateKeyProvider) GetConfigType() isPrivateKeyProvider_ConfigType
func (*PrivateKeyProvider) GetFallback ¶
func (x *PrivateKeyProvider) GetFallback() bool
func (*PrivateKeyProvider) GetProviderName ¶
func (x *PrivateKeyProvider) GetProviderName() string
func (*PrivateKeyProvider) GetTypedConfig ¶
func (x *PrivateKeyProvider) GetTypedConfig() *anypb.Any
func (*PrivateKeyProvider) HasConfigType ¶
func (x *PrivateKeyProvider) HasConfigType() bool
func (*PrivateKeyProvider) HasTypedConfig ¶
func (x *PrivateKeyProvider) HasTypedConfig() bool
func (*PrivateKeyProvider) ProtoMessage ¶
func (*PrivateKeyProvider) ProtoMessage()
func (*PrivateKeyProvider) ProtoReflect ¶
func (x *PrivateKeyProvider) ProtoReflect() protoreflect.Message
func (*PrivateKeyProvider) Reset ¶
func (x *PrivateKeyProvider) Reset()
func (*PrivateKeyProvider) SetFallback ¶
func (x *PrivateKeyProvider) SetFallback(v bool)
func (*PrivateKeyProvider) SetProviderName ¶
func (x *PrivateKeyProvider) SetProviderName(v string)
func (*PrivateKeyProvider) SetTypedConfig ¶
func (x *PrivateKeyProvider) SetTypedConfig(v *anypb.Any)
func (*PrivateKeyProvider) String ¶
func (x *PrivateKeyProvider) String() string
func (*PrivateKeyProvider) WhichConfigType ¶
func (x *PrivateKeyProvider) WhichConfigType() case_PrivateKeyProvider_ConfigType
type PrivateKeyProvider_TypedConfig ¶
type PrivateKeyProvider_builder ¶
// PrivateKeyProvider_builder assembles a PrivateKeyProvider via its Build method; the
// ConfigType oneof is flattened into the single TypedConfig field.
type PrivateKeyProvider_builder struct {
	// Private key method provider name. The name must match a
	// supported private key method provider type.
	ProviderName string
	// Fields of oneof ConfigType:
	// Provider-specific configuration, packed as an Any.
	TypedConfig *anypb.Any
	// -- end of ConfigType
	// If the private key provider isn't available (eg. the required hardware capability doesn't exist),
	// Envoy will fall back to the BoringSSL default implementation when ``fallback`` is true.
	// The default value is ``false``.
	Fallback bool
	// contains filtered or unexported fields
}
func (PrivateKeyProvider_builder) Build ¶
func (b0 PrivateKeyProvider_builder) Build() *PrivateKeyProvider
type SPIFFECertValidatorConfig ¶
// SPIFFECertValidatorConfig configures the SPIFFE certificate validator, which is plugged
// into a CertificateValidationContext through custom_validator_config. Each trust domain
// carries its own isolated trust bundle, selected by the presented URI SAN.
type SPIFFECertValidatorConfig struct {
	// This field specifies trust domains used for validating incoming X.509-SVID(s).
	TrustDomains []*SPIFFECertValidatorConfig_TrustDomain `protobuf:"bytes,1,rep,name=trust_domains,json=trustDomains,proto3" json:"trust_domains,omitempty"`
	// contains filtered or unexported fields
}
Configuration specific to the `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
Example:
.. validated-code-block:: yaml
  :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext

  custom_validator_config:
    name: envoy.tls.cert_validator.spiffe
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
      trust_domains:
        - name: foo.com
          trust_bundle:
            filename: "foo.pem"
        - name: envoy.com
          trust_bundle:
            filename: "envoy.pem"
In this example, a presented peer certificate whose SAN matches ``spiffe://foo.com/**`` is validated against the "foo.pem" X.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint an SVID belonging to another trust domain. That means, in this example, an SVID signed by ``envoy.com``'s CA with a ``spiffe://foo.com/**`` SAN would be rejected, since Envoy selects the trust bundle according to the presented SAN before validating the certificate.
Note that the SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.
- :ref:`allow_expired_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.allow_expired_certificate>` to allow expired certificates.
- :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` to match the **URI** SAN of certificates. Unlike the default validator, the SPIFFE validator only matches the **URI** SAN (which corresponds to the SVID in SPIFFE terminology) and ignores other SAN types.
func (*SPIFFECertValidatorConfig) GetTrustDomains ¶
func (x *SPIFFECertValidatorConfig) GetTrustDomains() []*SPIFFECertValidatorConfig_TrustDomain
func (*SPIFFECertValidatorConfig) ProtoMessage ¶
func (*SPIFFECertValidatorConfig) ProtoMessage()
func (*SPIFFECertValidatorConfig) ProtoReflect ¶
func (x *SPIFFECertValidatorConfig) ProtoReflect() protoreflect.Message
func (*SPIFFECertValidatorConfig) Reset ¶
func (x *SPIFFECertValidatorConfig) Reset()
func (*SPIFFECertValidatorConfig) SetTrustDomains ¶
func (x *SPIFFECertValidatorConfig) SetTrustDomains(v []*SPIFFECertValidatorConfig_TrustDomain)
func (*SPIFFECertValidatorConfig) String ¶
func (x *SPIFFECertValidatorConfig) String() string
type SPIFFECertValidatorConfig_TrustDomain ¶
// SPIFFECertValidatorConfig_TrustDomain binds one SPIFFE trust domain name to the trust
// bundle that is authoritative for it. Bundles are not shared across trust domains: a
// SVID is checked only against the bundle of the trust domain named in its URI SAN.
type SPIFFECertValidatorConfig_TrustDomain struct {
	// Name of the trust domain, ``example.com``, ``foo.bar.gov`` for example.
	// Note that this must *not* have "spiffe://" prefix.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
	TrustBundle *v3.DataSource `protobuf:"bytes,2,opt,name=trust_bundle,json=trustBundle,proto3" json:"trust_bundle,omitempty"`
	// contains filtered or unexported fields
}
func (*SPIFFECertValidatorConfig_TrustDomain) ClearTrustBundle ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) ClearTrustBundle()
func (*SPIFFECertValidatorConfig_TrustDomain) GetName ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) GetName() string
func (*SPIFFECertValidatorConfig_TrustDomain) GetTrustBundle ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) GetTrustBundle() *v3.DataSource
func (*SPIFFECertValidatorConfig_TrustDomain) HasTrustBundle ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) HasTrustBundle() bool
func (*SPIFFECertValidatorConfig_TrustDomain) ProtoMessage ¶
func (*SPIFFECertValidatorConfig_TrustDomain) ProtoMessage()
func (*SPIFFECertValidatorConfig_TrustDomain) ProtoReflect ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) ProtoReflect() protoreflect.Message
func (*SPIFFECertValidatorConfig_TrustDomain) Reset ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) Reset()
func (*SPIFFECertValidatorConfig_TrustDomain) SetName ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) SetName(v string)
func (*SPIFFECertValidatorConfig_TrustDomain) SetTrustBundle ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) SetTrustBundle(v *v3.DataSource)
func (*SPIFFECertValidatorConfig_TrustDomain) String ¶
func (x *SPIFFECertValidatorConfig_TrustDomain) String() string
type SPIFFECertValidatorConfig_TrustDomain_builder ¶
// SPIFFECertValidatorConfig_TrustDomain_builder assembles a
// SPIFFECertValidatorConfig_TrustDomain via its Build method.
type SPIFFECertValidatorConfig_TrustDomain_builder struct {
	// Name of the trust domain, ``example.com``, ``foo.bar.gov`` for example.
	// Note that this must *not* have "spiffe://" prefix.
	Name string
	// Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
	TrustBundle *v3.DataSource
	// contains filtered or unexported fields
}
func (SPIFFECertValidatorConfig_TrustDomain_builder) Build ¶
type SPIFFECertValidatorConfig_builder ¶
// SPIFFECertValidatorConfig_builder assembles a SPIFFECertValidatorConfig via its Build
// method.
type SPIFFECertValidatorConfig_builder struct {
	// This field specifies trust domains used for validating incoming X.509-SVID(s).
	TrustDomains []*SPIFFECertValidatorConfig_TrustDomain
	// contains filtered or unexported fields
}
func (SPIFFECertValidatorConfig_builder) Build ¶
func (b0 SPIFFECertValidatorConfig_builder) Build() *SPIFFECertValidatorConfig
type SdsSecretConfig ¶
// SdsSecretConfig names a secret and, optionally, the SDS (Secret Discovery Service)
// source it is fetched from. With only Name set the secret is resolved from static
// resources; with SdsConfig also set it can be fetched and reloaded dynamically.
type SdsSecretConfig struct {
	// Name by which the secret can be uniquely referred to. When both name and config are specified,
	// then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret
	// will be loaded from static resources.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Where to reach the SDS server; absent for static secrets.
	SdsConfig *v3.ConfigSource `protobuf:"bytes,2,opt,name=sds_config,json=sdsConfig,proto3" json:"sds_config,omitempty"`
	// contains filtered or unexported fields
}
func (*SdsSecretConfig) ClearSdsConfig ¶
func (x *SdsSecretConfig) ClearSdsConfig()
func (*SdsSecretConfig) GetName ¶
func (x *SdsSecretConfig) GetName() string
func (*SdsSecretConfig) GetSdsConfig ¶
func (x *SdsSecretConfig) GetSdsConfig() *v3.ConfigSource
func (*SdsSecretConfig) HasSdsConfig ¶
func (x *SdsSecretConfig) HasSdsConfig() bool
func (*SdsSecretConfig) ProtoMessage ¶
func (*SdsSecretConfig) ProtoMessage()
func (*SdsSecretConfig) ProtoReflect ¶
func (x *SdsSecretConfig) ProtoReflect() protoreflect.Message
func (*SdsSecretConfig) Reset ¶
func (x *SdsSecretConfig) Reset()
func (*SdsSecretConfig) SetName ¶
func (x *SdsSecretConfig) SetName(v string)
func (*SdsSecretConfig) SetSdsConfig ¶
func (x *SdsSecretConfig) SetSdsConfig(v *v3.ConfigSource)
func (*SdsSecretConfig) String ¶
func (x *SdsSecretConfig) String() string
type SdsSecretConfig_builder ¶
// SdsSecretConfig_builder assembles an SdsSecretConfig via its Build method.
type SdsSecretConfig_builder struct {
	// Name by which the secret can be uniquely referred to. When both name and config are specified,
	// then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret
	// will be loaded from static resources.
	Name string
	// Where to reach the SDS server; absent for static secrets.
	SdsConfig *v3.ConfigSource
	// contains filtered or unexported fields
}
func (SdsSecretConfig_builder) Build ¶
func (b0 SdsSecretConfig_builder) Build() *SdsSecretConfig
type Secret ¶
// Secret is a named secret holding exactly one of the kinds listed under Type.
type Secret struct {
	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Types that are valid to be assigned to Type:
	//
	//	*Secret_TlsCertificate
	//	*Secret_SessionTicketKeys
	//	*Secret_ValidationContext
	//	*Secret_GenericSecret
	Type isSecret_Type `protobuf_oneof:"type"`
	// contains filtered or unexported fields
}
[#next-free-field: 6]
func (*Secret) GetGenericSecret ¶
func (x *Secret) GetGenericSecret() *GenericSecret
func (*Secret) GetSessionTicketKeys ¶
func (x *Secret) GetSessionTicketKeys() *TlsSessionTicketKeys
func (*Secret) GetTlsCertificate ¶
func (x *Secret) GetTlsCertificate() *TlsCertificate
func (*Secret) GetValidationContext ¶
func (x *Secret) GetValidationContext() *CertificateValidationContext
func (*Secret) ProtoReflect ¶
func (x *Secret) ProtoReflect() protoreflect.Message
func (*Secret) SetGenericSecret ¶
func (x *Secret) SetGenericSecret(v *GenericSecret)
func (*Secret) SetSessionTicketKeys ¶
func (x *Secret) SetSessionTicketKeys(v *TlsSessionTicketKeys)
func (*Secret) SetTlsCertificate ¶
func (x *Secret) SetTlsCertificate(v *TlsCertificate)
func (*Secret) SetValidationContext ¶
func (x *Secret) SetValidationContext(v *CertificateValidationContext)
type Secret_GenericSecret ¶
// Secret_GenericSecret is the Type oneof wrapper selecting a GenericSecret.
type Secret_GenericSecret struct {
	GenericSecret *GenericSecret `protobuf:"bytes,5,opt,name=generic_secret,json=genericSecret,proto3,oneof"`
}
type Secret_SessionTicketKeys ¶
// Secret_SessionTicketKeys is the Type oneof wrapper selecting TlsSessionTicketKeys.
type Secret_SessionTicketKeys struct {
	SessionTicketKeys *TlsSessionTicketKeys `protobuf:"bytes,3,opt,name=session_ticket_keys,json=sessionTicketKeys,proto3,oneof"`
}
type Secret_TlsCertificate ¶
// Secret_TlsCertificate is the Type oneof wrapper selecting a TlsCertificate.
type Secret_TlsCertificate struct {
	TlsCertificate *TlsCertificate `protobuf:"bytes,2,opt,name=tls_certificate,json=tlsCertificate,proto3,oneof"`
}
type Secret_ValidationContext ¶
// Secret_ValidationContext is the Type oneof wrapper selecting a CertificateValidationContext.
type Secret_ValidationContext struct {
	ValidationContext *CertificateValidationContext `protobuf:"bytes,4,opt,name=validation_context,json=validationContext,proto3,oneof"`
}
type Secret_builder ¶
// Secret_builder assembles a Secret; call Build to obtain the message.
// NOTE(review): the four oneof fields are mutually exclusive in the built message — set only one.
type Secret_builder struct {
	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	Name string
	// Fields of oneof Type:
	TlsCertificate    *TlsCertificate
	SessionTicketKeys *TlsSessionTicketKeys
	ValidationContext *CertificateValidationContext
	GenericSecret     *GenericSecret
	// contains filtered or unexported fields
}
func (Secret_builder) Build ¶
func (b0 Secret_builder) Build() *Secret
type SubjectAltNameMatcher ¶
// SubjectAltNameMatcher matches one subject alternative name by both its type and its value.
type SubjectAltNameMatcher struct {
	// Specification of type of SAN. Note that the default enum value is an invalid choice.
	// NOTE(review): because the zero value SAN_TYPE_UNSPECIFIED is invalid, every matcher must set
	// SanType explicitly; a matcher that omits it is a configuration error, not a wildcard.
	SanType SubjectAltNameMatcher_SanType `` /* 160-byte string literal not displayed */
	// Matcher for SAN value.
	Matcher *v31.StringMatcher `protobuf:"bytes,2,opt,name=matcher,proto3" json:"matcher,omitempty"`
	// contains filtered or unexported fields
}
Matcher for subject alternative names (SANs): a SAN matches only when both its type and its value match.
func (*SubjectAltNameMatcher) ClearMatcher ¶
func (x *SubjectAltNameMatcher) ClearMatcher()
func (*SubjectAltNameMatcher) GetMatcher ¶
func (x *SubjectAltNameMatcher) GetMatcher() *v31.StringMatcher
func (*SubjectAltNameMatcher) GetSanType ¶
func (x *SubjectAltNameMatcher) GetSanType() SubjectAltNameMatcher_SanType
func (*SubjectAltNameMatcher) HasMatcher ¶
func (x *SubjectAltNameMatcher) HasMatcher() bool
func (*SubjectAltNameMatcher) ProtoMessage ¶
func (*SubjectAltNameMatcher) ProtoMessage()
func (*SubjectAltNameMatcher) ProtoReflect ¶
func (x *SubjectAltNameMatcher) ProtoReflect() protoreflect.Message
func (*SubjectAltNameMatcher) Reset ¶
func (x *SubjectAltNameMatcher) Reset()
func (*SubjectAltNameMatcher) SetMatcher ¶
func (x *SubjectAltNameMatcher) SetMatcher(v *v31.StringMatcher)
func (*SubjectAltNameMatcher) SetSanType ¶
func (x *SubjectAltNameMatcher) SetSanType(v SubjectAltNameMatcher_SanType)
func (*SubjectAltNameMatcher) String ¶
func (x *SubjectAltNameMatcher) String() string
type SubjectAltNameMatcher_SanType ¶
// SubjectAltNameMatcher_SanType selects which RFC 5280 GeneralName form a SubjectAltNameMatcher applies to.
type SubjectAltNameMatcher_SanType int32
Indicates the choice of GeneralName as defined in section 4.2.1.5 of RFC 5280 to match against.
const (
	// Default value; invalid as a matcher type (see SubjectAltNameMatcher.SanType).
	SubjectAltNameMatcher_SAN_TYPE_UNSPECIFIED SubjectAltNameMatcher_SanType = 0
	// rfc822Name GeneralName.
	SubjectAltNameMatcher_EMAIL SubjectAltNameMatcher_SanType = 1
	// dNSName GeneralName.
	SubjectAltNameMatcher_DNS SubjectAltNameMatcher_SanType = 2
	// uniformResourceIdentifier GeneralName.
	SubjectAltNameMatcher_URI SubjectAltNameMatcher_SanType = 3
	// iPAddress GeneralName.
	SubjectAltNameMatcher_IP_ADDRESS SubjectAltNameMatcher_SanType = 4
)
func (SubjectAltNameMatcher_SanType) Descriptor ¶
func (SubjectAltNameMatcher_SanType) Descriptor() protoreflect.EnumDescriptor
func (SubjectAltNameMatcher_SanType) Enum ¶
func (x SubjectAltNameMatcher_SanType) Enum() *SubjectAltNameMatcher_SanType
func (SubjectAltNameMatcher_SanType) Number ¶
func (x SubjectAltNameMatcher_SanType) Number() protoreflect.EnumNumber
func (SubjectAltNameMatcher_SanType) String ¶
func (x SubjectAltNameMatcher_SanType) String() string
func (SubjectAltNameMatcher_SanType) Type ¶
func (SubjectAltNameMatcher_SanType) Type() protoreflect.EnumType
type SubjectAltNameMatcher_builder ¶
// SubjectAltNameMatcher_builder assembles a SubjectAltNameMatcher; call Build to obtain the message.
type SubjectAltNameMatcher_builder struct {
	// Specification of type of SAN. Note that the default enum value is an invalid choice,
	// so SanType must always be set explicitly.
	SanType SubjectAltNameMatcher_SanType
	// Matcher for SAN value.
	Matcher *v31.StringMatcher
	// contains filtered or unexported fields
}
func (SubjectAltNameMatcher_builder) Build ¶
func (b0 SubjectAltNameMatcher_builder) Build() *SubjectAltNameMatcher
type TlsCertificate ¶
// TlsCertificate carries a certificate chain and its private key (or a PKCS#12 bundle / key
// provider), plus optional OCSP staple and rotation settings.
// NOTE(review): private_key, password and pkcs12 are DataSources; when any of them is supplied
// inline, the enclosing configuration itself becomes secret material and must be handled as such.
type TlsCertificate struct {
	// The TLS certificate chain.
	//
	// If `certificate_chain` is a filesystem path, a watch will be added to the
	// parent directory for any file moves to support rotation. This currently
	// only applies to dynamic secrets, when the `TlsCertificate` is delivered via
	// SDS.
	CertificateChain *v3.DataSource `protobuf:"bytes,1,opt,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"`
	// The TLS private key.
	//
	// If `private_key` is a filesystem path, a watch will be added to the parent
	// directory for any file moves to support rotation. This currently only
	// applies to dynamic secrets, when the `TlsCertificate` is delivered via SDS.
	PrivateKey *v3.DataSource `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
	// `Pkcs12` data containing TLS certificate, chain, and private key.
	//
	// If `pkcs12` is a filesystem path, the file will be read, but no watch will
	// be added to the parent directory, since `pkcs12` isn't used by SDS.
	// This field is mutually exclusive with `certificate_chain`, `private_key` and `private_key_provider`.
	// This can't be marked as `oneof` due to API compatibility reasons. Setting
	// both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`,
	// :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`,
	// or :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>`
	// and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>`
	// fields will result in an error. Use :ref:`password
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>`
	// to specify the password to unprotect the `PKCS12` data, if necessary.
	Pkcs12 *v3.DataSource `protobuf:"bytes,8,opt,name=pkcs12,proto3" json:"pkcs12,omitempty"`
	// If specified, updates of file-based `certificate_chain` and `private_key`
	// sources will be triggered by this watch. The certificate/key pair will be
	// read together and validated for atomic read consistency (i.e. no
	// intervening modification occurred between cert/key read, verified by file
	// hash comparisons). This allows explicit control over the path watched, by
	// default the parent directories of the filesystem paths in
	// `certificate_chain` and `private_key` are watched if this field is not
	// specified. This only applies when a `TlsCertificate` is delivered by SDS
	// with references to filesystem paths. See the :ref:`SDS key rotation
	// <sds_key_rotation>` documentation for further details.
	WatchedDirectory *v3.WatchedDirectory `protobuf:"bytes,7,opt,name=watched_directory,json=watchedDirectory,proto3" json:"watched_directory,omitempty"`
	// BoringSSL private key method provider. This is an alternative to :ref:`private_key
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
	// marked as `oneof` due to API compatibility reasons. Setting both :ref:`private_key
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
	// :ref:`private_key_provider
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
	// error.
	PrivateKeyProvider *PrivateKeyProvider `protobuf:"bytes,6,opt,name=private_key_provider,json=privateKeyProvider,proto3" json:"private_key_provider,omitempty"`
	// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
	// TLS private key is not password encrypted.
	Password *v3.DataSource `protobuf:"bytes,3,opt,name=password,proto3" json:"password,omitempty"`
	// The OCSP response to be stapled with this certificate during the handshake.
	// The response must be DER-encoded and may only be provided via `filename` or
	// `inline_bytes`. The response may pertain to only one certificate.
	OcspStaple *v3.DataSource `protobuf:"bytes,4,opt,name=ocsp_staple,json=ocspStaple,proto3" json:"ocsp_staple,omitempty"`
	// [#not-implemented-hide:]
	SignedCertificateTimestamp []*v3.DataSource `` /* 141-byte string literal not displayed */
	// contains filtered or unexported fields
}
[#next-free-field: 9]
func (*TlsCertificate) ClearCertificateChain ¶
func (x *TlsCertificate) ClearCertificateChain()
func (*TlsCertificate) ClearOcspStaple ¶
func (x *TlsCertificate) ClearOcspStaple()
func (*TlsCertificate) ClearPassword ¶
func (x *TlsCertificate) ClearPassword()
func (*TlsCertificate) ClearPkcs12 ¶
func (x *TlsCertificate) ClearPkcs12()
func (*TlsCertificate) ClearPrivateKey ¶
func (x *TlsCertificate) ClearPrivateKey()
func (*TlsCertificate) ClearPrivateKeyProvider ¶
func (x *TlsCertificate) ClearPrivateKeyProvider()
func (*TlsCertificate) ClearWatchedDirectory ¶
func (x *TlsCertificate) ClearWatchedDirectory()
func (*TlsCertificate) GetCertificateChain ¶
func (x *TlsCertificate) GetCertificateChain() *v3.DataSource
func (*TlsCertificate) GetOcspStaple ¶
func (x *TlsCertificate) GetOcspStaple() *v3.DataSource
func (*TlsCertificate) GetPassword ¶
func (x *TlsCertificate) GetPassword() *v3.DataSource
func (*TlsCertificate) GetPkcs12 ¶
func (x *TlsCertificate) GetPkcs12() *v3.DataSource
func (*TlsCertificate) GetPrivateKey ¶
func (x *TlsCertificate) GetPrivateKey() *v3.DataSource
func (*TlsCertificate) GetPrivateKeyProvider ¶
func (x *TlsCertificate) GetPrivateKeyProvider() *PrivateKeyProvider
func (*TlsCertificate) GetSignedCertificateTimestamp ¶
func (x *TlsCertificate) GetSignedCertificateTimestamp() []*v3.DataSource
func (*TlsCertificate) GetWatchedDirectory ¶
func (x *TlsCertificate) GetWatchedDirectory() *v3.WatchedDirectory
func (*TlsCertificate) HasCertificateChain ¶
func (x *TlsCertificate) HasCertificateChain() bool
func (*TlsCertificate) HasOcspStaple ¶
func (x *TlsCertificate) HasOcspStaple() bool
func (*TlsCertificate) HasPassword ¶
func (x *TlsCertificate) HasPassword() bool
func (*TlsCertificate) HasPkcs12 ¶
func (x *TlsCertificate) HasPkcs12() bool
func (*TlsCertificate) HasPrivateKey ¶
func (x *TlsCertificate) HasPrivateKey() bool
func (*TlsCertificate) HasPrivateKeyProvider ¶
func (x *TlsCertificate) HasPrivateKeyProvider() bool
func (*TlsCertificate) HasWatchedDirectory ¶
func (x *TlsCertificate) HasWatchedDirectory() bool
func (*TlsCertificate) ProtoMessage ¶
func (*TlsCertificate) ProtoMessage()
func (*TlsCertificate) ProtoReflect ¶
func (x *TlsCertificate) ProtoReflect() protoreflect.Message
func (*TlsCertificate) Reset ¶
func (x *TlsCertificate) Reset()
func (*TlsCertificate) SetCertificateChain ¶
func (x *TlsCertificate) SetCertificateChain(v *v3.DataSource)
func (*TlsCertificate) SetOcspStaple ¶
func (x *TlsCertificate) SetOcspStaple(v *v3.DataSource)
func (*TlsCertificate) SetPassword ¶
func (x *TlsCertificate) SetPassword(v *v3.DataSource)
func (*TlsCertificate) SetPkcs12 ¶
func (x *TlsCertificate) SetPkcs12(v *v3.DataSource)
func (*TlsCertificate) SetPrivateKey ¶
func (x *TlsCertificate) SetPrivateKey(v *v3.DataSource)
func (*TlsCertificate) SetPrivateKeyProvider ¶
func (x *TlsCertificate) SetPrivateKeyProvider(v *PrivateKeyProvider)
func (*TlsCertificate) SetSignedCertificateTimestamp ¶
func (x *TlsCertificate) SetSignedCertificateTimestamp(v []*v3.DataSource)
func (*TlsCertificate) SetWatchedDirectory ¶
func (x *TlsCertificate) SetWatchedDirectory(v *v3.WatchedDirectory)
func (*TlsCertificate) String ¶
func (x *TlsCertificate) String() string
type TlsCertificate_builder ¶
// TlsCertificate_builder assembles a TlsCertificate; call Build to obtain the message.
// NOTE(review): the same exclusivity rules as on TlsCertificate apply — Pkcs12 may not be
// combined with CertificateChain, PrivateKey or PrivateKeyProvider, and PrivateKey may not be
// combined with PrivateKeyProvider; the builder does not enforce them for you as far as this
// page shows.
type TlsCertificate_builder struct {
	// The TLS certificate chain.
	//
	// If `certificate_chain` is a filesystem path, a watch will be added to the
	// parent directory for any file moves to support rotation. This currently
	// only applies to dynamic secrets, when the `TlsCertificate` is delivered via
	// SDS.
	CertificateChain *v3.DataSource
	// The TLS private key.
	//
	// If `private_key` is a filesystem path, a watch will be added to the parent
	// directory for any file moves to support rotation. This currently only
	// applies to dynamic secrets, when the `TlsCertificate` is delivered via SDS.
	PrivateKey *v3.DataSource
	// `Pkcs12` data containing TLS certificate, chain, and private key.
	//
	// If `pkcs12` is a filesystem path, the file will be read, but no watch will
	// be added to the parent directory, since `pkcs12` isn't used by SDS.
	// This field is mutually exclusive with `certificate_chain`, `private_key` and `private_key_provider`.
	// This can't be marked as `oneof` due to API compatibility reasons. Setting
	// both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`,
	// :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`,
	// or :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>`
	// and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>`
	// fields will result in an error. Use :ref:`password
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>`
	// to specify the password to unprotect the `PKCS12` data, if necessary.
	Pkcs12 *v3.DataSource
	// If specified, updates of file-based `certificate_chain` and `private_key`
	// sources will be triggered by this watch. The certificate/key pair will be
	// read together and validated for atomic read consistency (i.e. no
	// intervening modification occurred between cert/key read, verified by file
	// hash comparisons). This allows explicit control over the path watched, by
	// default the parent directories of the filesystem paths in
	// `certificate_chain` and `private_key` are watched if this field is not
	// specified. This only applies when a `TlsCertificate` is delivered by SDS
	// with references to filesystem paths. See the :ref:`SDS key rotation
	// <sds_key_rotation>` documentation for further details.
	WatchedDirectory *v3.WatchedDirectory
	// BoringSSL private key method provider. This is an alternative to :ref:`private_key
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
	// marked as `oneof` due to API compatibility reasons. Setting both :ref:`private_key
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
	// :ref:`private_key_provider
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
	// error.
	PrivateKeyProvider *PrivateKeyProvider
	// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
	// TLS private key is not password encrypted.
	Password *v3.DataSource
	// The OCSP response to be stapled with this certificate during the handshake.
	// The response must be DER-encoded and may only be provided via `filename` or
	// `inline_bytes`. The response may pertain to only one certificate.
	OcspStaple *v3.DataSource
	// [#not-implemented-hide:]
	SignedCertificateTimestamp []*v3.DataSource
	// contains filtered or unexported fields
}
func (TlsCertificate_builder) Build ¶
func (b0 TlsCertificate_builder) Build() *TlsCertificate
type TlsKeyLog ¶
// TlsKeyLog configures where TLS key-log records (NSS SSLKEYLOGFILE format) are written and
// which connections are logged.
// NOTE(review): the file at Path contains the session secrets needed to decrypt captured
// traffic for every matching connection; it is a debugging aid, so scope the address ranges
// narrowly, restrict read access to the file, and keep it disabled outside of troubleshooting.
type TlsKeyLog struct {
	// The path to save the TLS key log.
	Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	// The local IP address that will be used to filter the connection which should save the TLS key log.
	// If it is not set, any local IP address will be matched.
	LocalAddressRange []*v3.CidrRange `protobuf:"bytes,2,rep,name=local_address_range,json=localAddressRange,proto3" json:"local_address_range,omitempty"`
	// The remote IP address that will be used to filter the connection which should save the TLS key log.
	// If it is not set, any remote IP address will be matched.
	RemoteAddressRange []*v3.CidrRange `protobuf:"bytes,3,rep,name=remote_address_range,json=remoteAddressRange,proto3" json:"remote_address_range,omitempty"`
	// contains filtered or unexported fields
}
TLS key log configuration. The key log file uses the "format used by NSS for its SSLKEYLOGFILE debugging output" (wording taken from the OpenSSL man page).
func (*TlsKeyLog) GetRemoteAddressRange ¶
func (*TlsKeyLog) ProtoReflect ¶
func (x *TlsKeyLog) ProtoReflect() protoreflect.Message
func (*TlsKeyLog) SetLocalAddressRange ¶
func (*TlsKeyLog) SetRemoteAddressRange ¶
type TlsKeyLog_builder ¶
// TlsKeyLog_builder assembles a TlsKeyLog; call Build to obtain the message.
// NOTE(review): the resulting key log exposes session secrets for matching connections —
// leaving both address ranges unset logs every connection.
type TlsKeyLog_builder struct {
	// The path to save the TLS key log.
	Path string
	// The local IP address that will be used to filter the connection which should save the TLS key log.
	// If it is not set, any local IP address will be matched.
	LocalAddressRange []*v3.CidrRange
	// The remote IP address that will be used to filter the connection which should save the TLS key log.
	// If it is not set, any remote IP address will be matched.
	RemoteAddressRange []*v3.CidrRange
	// contains filtered or unexported fields
}
func (TlsKeyLog_builder) Build ¶
func (b0 TlsKeyLog_builder) Build() *TlsKeyLog
type TlsParameters ¶
// TlsParameters constrains the protocol versions, cipher suites, ECDH curves and signature
// algorithms a TLS context will negotiate. Unset list fields fall back to the documented defaults.
type TlsParameters struct {
	// Minimum TLS protocol version. By default, it's `TLSv1_2` for both clients and servers.
	//
	// TLS protocol versions below TLSv1_2 require setting compatible ciphers with the
	// `cipher_suites` setting as the default ciphers no longer include compatible ciphers.
	//
	// .. attention::
	//
	//	Using TLS protocol versions below TLSv1_2 has serious security considerations and risks.
	TlsMinimumProtocolVersion TlsParameters_TlsProtocol `` /* 214-byte string literal not displayed */
	// Maximum TLS protocol version. By default, it's `TLSv1_2` for clients and `TLSv1_3` for
	// servers.
	TlsMaximumProtocolVersion TlsParameters_TlsProtocol `` /* 214-byte string literal not displayed */
	// If specified, the TLS listener will only support the specified `cipher list
	// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
	// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
	//
	// If not specified, a default list will be used. Defaults are different for server (downstream) and
	// client (upstream) TLS configurations.
	// Defaults will change over time in response to security considerations; If you care, configure
	// it instead of using the default.
	//
	// In non-FIPS builds, the default server cipher list is:
	//
	// .. code-block:: none
	//
	//	[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//	[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
	//
	// .. code-block:: none
	//
	//	ECDHE-ECDSA-AES128-GCM-SHA256
	//	ECDHE-RSA-AES128-GCM-SHA256
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//
	// In non-FIPS builds, the default client cipher list is:
	//
	// .. code-block:: none
	//
	//	[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//	[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
	//
	// .. code-block:: none
	//
	//	ECDHE-ECDSA-AES128-GCM-SHA256
	//	ECDHE-RSA-AES128-GCM-SHA256
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//
	// NOTE(review): the lists above are a snapshot; an explicit CipherSuites value freezes the
	// policy and must then be maintained by the operator rather than tracking the build's defaults.
	CipherSuites []string `protobuf:"bytes,3,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
	// If specified, the TLS connection will only support the specified ECDH
	// curves. If not specified, the default curves will be used.
	//
	// In non-FIPS builds, the default curves are:
	//
	// .. code-block:: none
	//
	//	X25519
	//	P-256
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
	//
	// .. code-block:: none
	//
	//	P-256
	EcdhCurves []string `protobuf:"bytes,4,rep,name=ecdh_curves,json=ecdhCurves,proto3" json:"ecdh_curves,omitempty"`
	// If specified, the TLS connection will only support the specified signature algorithms.
	// The list is ordered by preference.
	// If not specified, the default signature algorithms defined by BoringSSL will be used.
	//
	// Default signature algorithms selected by BoringSSL (may be out of date):
	//
	// .. code-block:: none
	//
	//	ecdsa_secp256r1_sha256
	//	rsa_pss_rsae_sha256
	//	rsa_pkcs1_sha256
	//	ecdsa_secp384r1_sha384
	//	rsa_pss_rsae_sha384
	//	rsa_pkcs1_sha384
	//	rsa_pss_rsae_sha512
	//	rsa_pkcs1_sha512
	//	rsa_pkcs1_sha1
	//
	// Signature algorithms supported by BoringSSL (may be out of date):
	//
	// .. code-block:: none
	//
	//	rsa_pkcs1_sha256
	//	rsa_pkcs1_sha384
	//	rsa_pkcs1_sha512
	//	ecdsa_secp256r1_sha256
	//	ecdsa_secp384r1_sha384
	//	ecdsa_secp521r1_sha512
	//	rsa_pss_rsae_sha256
	//	rsa_pss_rsae_sha384
	//	rsa_pss_rsae_sha512
	//	ed25519
	//	rsa_pkcs1_sha1
	//	ecdsa_sha1
	//
	// NOTE(review): the supported set includes the SHA-1 algorithms (rsa_pkcs1_sha1, ecdsa_sha1);
	// an explicit list that omits them is the conservative choice.
	SignatureAlgorithms []string `protobuf:"bytes,5,rep,name=signature_algorithms,json=signatureAlgorithms,proto3" json:"signature_algorithms,omitempty"`
	// contains filtered or unexported fields
}
[#next-free-field: 6]
func (*TlsParameters) GetCipherSuites ¶
func (x *TlsParameters) GetCipherSuites() []string
func (*TlsParameters) GetEcdhCurves ¶
func (x *TlsParameters) GetEcdhCurves() []string
func (*TlsParameters) GetSignatureAlgorithms ¶
func (x *TlsParameters) GetSignatureAlgorithms() []string
func (*TlsParameters) GetTlsMaximumProtocolVersion ¶
func (x *TlsParameters) GetTlsMaximumProtocolVersion() TlsParameters_TlsProtocol
func (*TlsParameters) GetTlsMinimumProtocolVersion ¶
func (x *TlsParameters) GetTlsMinimumProtocolVersion() TlsParameters_TlsProtocol
func (*TlsParameters) ProtoMessage ¶
func (*TlsParameters) ProtoMessage()
func (*TlsParameters) ProtoReflect ¶
func (x *TlsParameters) ProtoReflect() protoreflect.Message
func (*TlsParameters) Reset ¶
func (x *TlsParameters) Reset()
func (*TlsParameters) SetCipherSuites ¶
func (x *TlsParameters) SetCipherSuites(v []string)
func (*TlsParameters) SetEcdhCurves ¶
func (x *TlsParameters) SetEcdhCurves(v []string)
func (*TlsParameters) SetSignatureAlgorithms ¶
func (x *TlsParameters) SetSignatureAlgorithms(v []string)
func (*TlsParameters) SetTlsMaximumProtocolVersion ¶
func (x *TlsParameters) SetTlsMaximumProtocolVersion(v TlsParameters_TlsProtocol)
func (*TlsParameters) SetTlsMinimumProtocolVersion ¶
func (x *TlsParameters) SetTlsMinimumProtocolVersion(v TlsParameters_TlsProtocol)
func (*TlsParameters) String ¶
func (x *TlsParameters) String() string
type TlsParameters_TlsProtocol ¶
// TlsParameters_TlsProtocol is a TLS protocol version selector used for the minimum and maximum
// version bounds in TlsParameters; TLS_AUTO leaves the choice to Envoy.
type TlsParameters_TlsProtocol int32
const (
	// Envoy will choose the optimal TLS version.
	TlsParameters_TLS_AUTO TlsParameters_TlsProtocol = 0
	// TLS 1.0
	// NOTE(review): TLS 1.0 and 1.1 are deprecated by RFC 8996; selecting them as a minimum
	// also requires a compatible cipher_suites list (see TlsParameters).
	TlsParameters_TLSv1_0 TlsParameters_TlsProtocol = 1
	// TLS 1.1
	TlsParameters_TLSv1_1 TlsParameters_TlsProtocol = 2
	// TLS 1.2
	TlsParameters_TLSv1_2 TlsParameters_TlsProtocol = 3
	// TLS 1.3
	TlsParameters_TLSv1_3 TlsParameters_TlsProtocol = 4
)
func (TlsParameters_TlsProtocol) Descriptor ¶
func (TlsParameters_TlsProtocol) Descriptor() protoreflect.EnumDescriptor
func (TlsParameters_TlsProtocol) Enum ¶
func (x TlsParameters_TlsProtocol) Enum() *TlsParameters_TlsProtocol
func (TlsParameters_TlsProtocol) Number ¶
func (x TlsParameters_TlsProtocol) Number() protoreflect.EnumNumber
func (TlsParameters_TlsProtocol) String ¶
func (x TlsParameters_TlsProtocol) String() string
func (TlsParameters_TlsProtocol) Type ¶
func (TlsParameters_TlsProtocol) Type() protoreflect.EnumType
type TlsParameters_builder ¶
// TlsParameters_builder assembles a TlsParameters; call Build to obtain the message.
// Field semantics are the same as on TlsParameters.
type TlsParameters_builder struct {
	// Minimum TLS protocol version. By default, it's `TLSv1_2` for both clients and servers.
	//
	// TLS protocol versions below TLSv1_2 require setting compatible ciphers with the
	// `cipher_suites` setting as the default ciphers no longer include compatible ciphers.
	//
	// .. attention::
	//
	//	Using TLS protocol versions below TLSv1_2 has serious security considerations and risks.
	TlsMinimumProtocolVersion TlsParameters_TlsProtocol
	// Maximum TLS protocol version. By default, it's `TLSv1_2` for clients and `TLSv1_3` for
	// servers.
	TlsMaximumProtocolVersion TlsParameters_TlsProtocol
	// If specified, the TLS listener will only support the specified `cipher list
	// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
	// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
	//
	// If not specified, a default list will be used. Defaults are different for server (downstream) and
	// client (upstream) TLS configurations.
	// Defaults will change over time in response to security considerations; If you care, configure
	// it instead of using the default.
	//
	// In non-FIPS builds, the default server cipher list is:
	//
	// .. code-block:: none
	//
	//	[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//	[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
	//
	// .. code-block:: none
	//
	//	ECDHE-ECDSA-AES128-GCM-SHA256
	//	ECDHE-RSA-AES128-GCM-SHA256
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//
	// In non-FIPS builds, the default client cipher list is:
	//
	// .. code-block:: none
	//
	//	[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//	[ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
	//
	// .. code-block:: none
	//
	//	ECDHE-ECDSA-AES128-GCM-SHA256
	//	ECDHE-RSA-AES128-GCM-SHA256
	//	ECDHE-ECDSA-AES256-GCM-SHA384
	//	ECDHE-RSA-AES256-GCM-SHA384
	CipherSuites []string
	// If specified, the TLS connection will only support the specified ECDH
	// curves. If not specified, the default curves will be used.
	//
	// In non-FIPS builds, the default curves are:
	//
	// .. code-block:: none
	//
	//	X25519
	//	P-256
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
	//
	// .. code-block:: none
	//
	//	P-256
	EcdhCurves []string
	// If specified, the TLS connection will only support the specified signature algorithms.
	// The list is ordered by preference.
	// If not specified, the default signature algorithms defined by BoringSSL will be used.
	//
	// Default signature algorithms selected by BoringSSL (may be out of date):
	//
	// .. code-block:: none
	//
	//	ecdsa_secp256r1_sha256
	//	rsa_pss_rsae_sha256
	//	rsa_pkcs1_sha256
	//	ecdsa_secp384r1_sha384
	//	rsa_pss_rsae_sha384
	//	rsa_pkcs1_sha384
	//	rsa_pss_rsae_sha512
	//	rsa_pkcs1_sha512
	//	rsa_pkcs1_sha1
	//
	// Signature algorithms supported by BoringSSL (may be out of date):
	//
	// .. code-block:: none
	//
	//	rsa_pkcs1_sha256
	//	rsa_pkcs1_sha384
	//	rsa_pkcs1_sha512
	//	ecdsa_secp256r1_sha256
	//	ecdsa_secp384r1_sha384
	//	ecdsa_secp521r1_sha512
	//	rsa_pss_rsae_sha256
	//	rsa_pss_rsae_sha384
	//	rsa_pss_rsae_sha512
	//	ed25519
	//	rsa_pkcs1_sha1
	//	ecdsa_sha1
	SignatureAlgorithms []string
	// contains filtered or unexported fields
}
func (TlsParameters_builder) Build ¶
func (b0 TlsParameters_builder) Build() *TlsParameters
type TlsSessionTicketKeys ¶
// TlsSessionTicketKeys holds the ordered list of session-ticket encryption keys for a TLS context.
type TlsSessionTicketKeys struct {
	// Keys for encrypting and decrypting TLS session tickets. The
	// first key in the array contains the key to encrypt all new sessions created by this context.
	// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
	// by, for example, putting the new key first, and the previous key second.
	//
	// If :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
	// is not specified, the TLS library will still support resuming sessions via tickets, but it will
	// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
	// or on different hosts.
	//
	// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
	// example, the output of `openssl rand 80`.
	//
	// .. attention::
	//
	//	Using this feature has serious security considerations and risks. Improper handling of keys
	//	may result in loss of secrecy in connections, even if ciphers supporting perfect forward
	//	secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
	//	discussion. To minimize the risk, you must:
	//
	//	* Keep the session ticket keys at least as secure as your TLS certificate private keys
	//	* Rotate session ticket keys at least daily, and preferably hourly
	//	* Always generate keys using a cryptographically-secure random data source
	//
	// NOTE(review): because every listed key can decrypt received tickets, a retired key keeps
	// protecting past sessions only as long as it stays out of this list; dropping it is what
	// actually ends its exposure window.
	Keys []*v3.DataSource `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
	// contains filtered or unexported fields
}
func (*TlsSessionTicketKeys) GetKeys ¶
func (x *TlsSessionTicketKeys) GetKeys() []*v3.DataSource
func (*TlsSessionTicketKeys) ProtoMessage ¶
func (*TlsSessionTicketKeys) ProtoMessage()
func (*TlsSessionTicketKeys) ProtoReflect ¶
func (x *TlsSessionTicketKeys) ProtoReflect() protoreflect.Message
func (*TlsSessionTicketKeys) Reset ¶
func (x *TlsSessionTicketKeys) Reset()
func (*TlsSessionTicketKeys) SetKeys ¶
func (x *TlsSessionTicketKeys) SetKeys(v []*v3.DataSource)
func (*TlsSessionTicketKeys) String ¶
func (x *TlsSessionTicketKeys) String() string
type TlsSessionTicketKeys_builder ¶
// TlsSessionTicketKeys_builder assembles a TlsSessionTicketKeys; call Build to obtain the message.
type TlsSessionTicketKeys_builder struct {
	// Keys for encrypting and decrypting TLS session tickets. The
	// first key in the array contains the key to encrypt all new sessions created by this context.
	// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
	// by, for example, putting the new key first, and the previous key second.
	//
	// If :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
	// is not specified, the TLS library will still support resuming sessions via tickets, but it will
	// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
	// or on different hosts.
	//
	// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
	// example, the output of `openssl rand 80`.
	//
	// .. attention::
	//
	//	Using this feature has serious security considerations and risks. Improper handling of keys
	//	may result in loss of secrecy in connections, even if ciphers supporting perfect forward
	//	secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
	//	discussion. To minimize the risk, you must:
	//
	//	* Keep the session ticket keys at least as secure as your TLS certificate private keys
	//	* Rotate session ticket keys at least daily, and preferably hourly
	//	* Always generate keys using a cryptographically-secure random data source
	Keys []*v3.DataSource
	// contains filtered or unexported fields
}
func (TlsSessionTicketKeys_builder) Build ¶
func (b0 TlsSessionTicketKeys_builder) Build() *TlsSessionTicketKeys
type UpstreamTlsContext ¶
// UpstreamTlsContext holds the TLS settings used for backend (upstream)
// connections: the shared CommonTlsContext, the SNI to present, and the
// renegotiation, session-resumption and RSA key-usage knobs. Fields are
// accessed through the generated Get*/Set*/Has*/Clear* methods.
//
// Two defaults called out on the fields below matter for reviewers: server
// certificate verification stays off until trusted_ca is configured, and
// EnforceRsaKeyUsage currently defaults to false (enforcement off).
type UpstreamTlsContext struct {
	// Common TLS context settings.
	//
	// .. attention::
	//
	// Server certificate verification is not enabled by default. Configure
	// :ref:`trusted_ca<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
	// verification.
	CommonTlsContext *CommonTlsContext `protobuf:"bytes,1,opt,name=common_tls_context,json=commonTlsContext,proto3" json:"common_tls_context,omitempty"`
	// SNI string to use when creating TLS backend connections.
	Sni string `protobuf:"bytes,2,opt,name=sni,proto3" json:"sni,omitempty"`
	// If true, server-initiated TLS renegotiation will be allowed.
	//
	// .. attention::
	//
	// TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
	AllowRenegotiation bool `protobuf:"varint,3,opt,name=allow_renegotiation,json=allowRenegotiation,proto3" json:"allow_renegotiation,omitempty"`
	// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
	// for TLSv1.2 and older) to store for the purpose of session resumption.
	//
	// Defaults to 1, setting this to 0 disables session resumption.
	MaxSessionKeys *wrapperspb.UInt32Value `protobuf:"bytes,4,opt,name=max_session_keys,json=maxSessionKeys,proto3" json:"max_session_keys,omitempty"`
	// This field is used to control the enforcement, whereby the handshake will fail if the keyUsage extension
	// is present and incompatible with the TLS usage. Currently, the default value is false (i.e., enforcement off)
	// but it is expected to be changed to true by default in a future release.
	// ``ssl.was_key_usage_invalid`` in :ref:`listener metrics <config_listener_stats>` will be set for certificate
	// configurations that would fail if this option were set to true.
	EnforceRsaKeyUsage *wrapperspb.BoolValue `protobuf:"bytes,5,opt,name=enforce_rsa_key_usage,json=enforceRsaKeyUsage,proto3" json:"enforce_rsa_key_usage,omitempty"`
	// contains filtered or unexported fields
}
[#next-free-field: 6]
func (*UpstreamTlsContext) ClearCommonTlsContext ¶
func (x *UpstreamTlsContext) ClearCommonTlsContext()
func (*UpstreamTlsContext) ClearEnforceRsaKeyUsage ¶
func (x *UpstreamTlsContext) ClearEnforceRsaKeyUsage()
func (*UpstreamTlsContext) ClearMaxSessionKeys ¶
func (x *UpstreamTlsContext) ClearMaxSessionKeys()
func (*UpstreamTlsContext) GetAllowRenegotiation ¶
func (x *UpstreamTlsContext) GetAllowRenegotiation() bool
func (*UpstreamTlsContext) GetCommonTlsContext ¶
func (x *UpstreamTlsContext) GetCommonTlsContext() *CommonTlsContext
func (*UpstreamTlsContext) GetEnforceRsaKeyUsage ¶
func (x *UpstreamTlsContext) GetEnforceRsaKeyUsage() *wrapperspb.BoolValue
func (*UpstreamTlsContext) GetMaxSessionKeys ¶
func (x *UpstreamTlsContext) GetMaxSessionKeys() *wrapperspb.UInt32Value
func (*UpstreamTlsContext) GetSni ¶
func (x *UpstreamTlsContext) GetSni() string
func (*UpstreamTlsContext) HasCommonTlsContext ¶
func (x *UpstreamTlsContext) HasCommonTlsContext() bool
func (*UpstreamTlsContext) HasEnforceRsaKeyUsage ¶
func (x *UpstreamTlsContext) HasEnforceRsaKeyUsage() bool
func (*UpstreamTlsContext) HasMaxSessionKeys ¶
func (x *UpstreamTlsContext) HasMaxSessionKeys() bool
func (*UpstreamTlsContext) ProtoMessage ¶
func (*UpstreamTlsContext) ProtoMessage()
func (*UpstreamTlsContext) ProtoReflect ¶
func (x *UpstreamTlsContext) ProtoReflect() protoreflect.Message
func (*UpstreamTlsContext) Reset ¶
func (x *UpstreamTlsContext) Reset()
func (*UpstreamTlsContext) SetAllowRenegotiation ¶
func (x *UpstreamTlsContext) SetAllowRenegotiation(v bool)
func (*UpstreamTlsContext) SetCommonTlsContext ¶
func (x *UpstreamTlsContext) SetCommonTlsContext(v *CommonTlsContext)
func (*UpstreamTlsContext) SetEnforceRsaKeyUsage ¶
func (x *UpstreamTlsContext) SetEnforceRsaKeyUsage(v *wrapperspb.BoolValue)
func (*UpstreamTlsContext) SetMaxSessionKeys ¶
func (x *UpstreamTlsContext) SetMaxSessionKeys(v *wrapperspb.UInt32Value)
func (*UpstreamTlsContext) SetSni ¶
func (x *UpstreamTlsContext) SetSni(v string)
func (*UpstreamTlsContext) String ¶
func (x *UpstreamTlsContext) String() string
type UpstreamTlsContext_builder ¶
// UpstreamTlsContext_builder assembles an UpstreamTlsContext message from
// plain Go values; call Build to obtain the *UpstreamTlsContext. The field
// documentation mirrors UpstreamTlsContext; the same defaults apply (server
// certificate verification off until trusted_ca is set, EnforceRsaKeyUsage
// currently false).
type UpstreamTlsContext_builder struct {
	// Common TLS context settings.
	//
	// .. attention::
	//
	// Server certificate verification is not enabled by default. Configure
	// :ref:`trusted_ca<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
	// verification.
	CommonTlsContext *CommonTlsContext
	// SNI string to use when creating TLS backend connections.
	Sni string
	// If true, server-initiated TLS renegotiation will be allowed.
	//
	// .. attention::
	//
	// TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
	AllowRenegotiation bool
	// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
	// for TLSv1.2 and older) to store for the purpose of session resumption.
	//
	// Defaults to 1, setting this to 0 disables session resumption.
	MaxSessionKeys *wrapperspb.UInt32Value
	// This field is used to control the enforcement, whereby the handshake will fail if the keyUsage extension
	// is present and incompatible with the TLS usage. Currently, the default value is false (i.e., enforcement off)
	// but it is expected to be changed to true by default in a future release.
	// ``ssl.was_key_usage_invalid`` in :ref:`listener metrics <config_listener_stats>` will be set for certificate
	// configurations that would fail if this option were set to true.
	EnforceRsaKeyUsage *wrapperspb.BoolValue
	// contains filtered or unexported fields
}
func (UpstreamTlsContext_builder) Build ¶
func (b0 UpstreamTlsContext_builder) Build() *UpstreamTlsContext