tlsv3

package
v0.10.2
Published: Jun 28, 2022 License: Apache-2.0 Imports: 24 Imported by: 215


Constants

This section is empty.

Variables

var (
	// TlsParameters_TlsProtocol_name maps each TlsParameters_TlsProtocol enum
	// number to its proto name.
	// NOTE(review): TLSv1_0 and TLSv1_1 are kept for wire compatibility only; both
	// protocol versions are deprecated (RFC 8996), so a TlsParameters minimum of
	// TLSv1_2 is the expected choice.
	TlsParameters_TlsProtocol_name = map[int32]string{
		0: "TLS_AUTO", 1: "TLSv1_0", 2: "TLSv1_1", 3: "TLSv1_2", 4: "TLSv1_3",
	}
	// TlsParameters_TlsProtocol_value is the inverse of TlsParameters_TlsProtocol_name:
	// proto name to enum number.
	TlsParameters_TlsProtocol_value = map[string]int32{
		"TLS_AUTO": 0, "TLSv1_0": 1, "TLSv1_1": 2, "TLSv1_2": 3, "TLSv1_3": 4,
	}
)

Enum value maps for TlsParameters_TlsProtocol.

var (
	// SubjectAltNameMatcher_SanType_name maps each SubjectAltNameMatcher_SanType
	// enum number to its proto name. SAN_TYPE_UNSPECIFIED is the zero value.
	SubjectAltNameMatcher_SanType_name = map[int32]string{
		0: "SAN_TYPE_UNSPECIFIED", 1: "EMAIL", 2: "DNS", 3: "URI", 4: "IP_ADDRESS",
	}
	// SubjectAltNameMatcher_SanType_value is the inverse of
	// SubjectAltNameMatcher_SanType_name: proto name to enum number.
	SubjectAltNameMatcher_SanType_value = map[string]int32{
		"SAN_TYPE_UNSPECIFIED": 0, "EMAIL": 1, "DNS": 2, "URI": 3, "IP_ADDRESS": 4,
	}
)

Enum value maps for SubjectAltNameMatcher_SanType.

var (
	// CertificateValidationContext_TrustChainVerification_name maps each
	// CertificateValidationContext_TrustChainVerification enum number to its proto
	// name. VERIFY_TRUST_CHAIN (0) is the default and the only mode in which a
	// failed trust-chain check rejects the connection.
	CertificateValidationContext_TrustChainVerification_name = map[int32]string{
		0: "VERIFY_TRUST_CHAIN", 1: "ACCEPT_UNTRUSTED",
	}
	// CertificateValidationContext_TrustChainVerification_value is the inverse
	// mapping: proto name to enum number.
	CertificateValidationContext_TrustChainVerification_value = map[string]int32{
		"VERIFY_TRUST_CHAIN": 0, "ACCEPT_UNTRUSTED": 1,
	}
)

Enum value maps for CertificateValidationContext_TrustChainVerification.

var (
	// DownstreamTlsContext_OcspStaplePolicy_name maps each
	// DownstreamTlsContext_OcspStaplePolicy enum number to its proto name.
	// LENIENT_STAPLING (0) is the zero value.
	DownstreamTlsContext_OcspStaplePolicy_name = map[int32]string{
		0: "LENIENT_STAPLING", 1: "STRICT_STAPLING", 2: "MUST_STAPLE",
	}
	// DownstreamTlsContext_OcspStaplePolicy_value is the inverse of
	// DownstreamTlsContext_OcspStaplePolicy_name: proto name to enum number.
	DownstreamTlsContext_OcspStaplePolicy_value = map[string]int32{
		"LENIENT_STAPLING": 0, "STRICT_STAPLING": 1, "MUST_STAPLE": 2,
	}
)

Enum value maps for DownstreamTlsContext_OcspStaplePolicy.

// File descriptors for the .proto files under envoy/extensions/transport_sockets/tls/v3
// that this package is generated from (cert, common, secret, tls and
// tls_spiffe_validator_config). They are assigned by generated code outside this
// listing; treat them as read-only.
var (
	File_envoy_extensions_transport_sockets_tls_v3_cert_proto                        protoreflect.FileDescriptor
	File_envoy_extensions_transport_sockets_tls_v3_common_proto                      protoreflect.FileDescriptor
	File_envoy_extensions_transport_sockets_tls_v3_secret_proto                      protoreflect.FileDescriptor
	File_envoy_extensions_transport_sockets_tls_v3_tls_proto                         protoreflect.FileDescriptor
	File_envoy_extensions_transport_sockets_tls_v3_tls_spiffe_validator_config_proto protoreflect.FileDescriptor
)

Functions

This section is empty.

Types

type CertificateProviderPluginInstance added in v0.10.0

// CertificateProviderPluginInstance names a certificate to be obtained from a
// CertificateProvider plugin instance defined in the client's bootstrap file; the
// plugin fetches/refreshes certificates over the network asynchronously with
// respect to the TLS handshake. [#not-implemented-hide:]
type CertificateProviderPluginInstance struct {

	// Provider instance name. If not present, defaults to "default".
	//
	// Instance names should generally be defined not in terms of the underlying provider
	// implementation (e.g., "file_watcher") but rather in terms of the function of the
	// certificates (e.g., "foo_deployment_identity").
	InstanceName string `protobuf:"bytes,1,opt,name=instance_name,json=instanceName,proto3" json:"instance_name,omitempty"`
	// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "example.com" to specify a certificate for a
	// particular domain. Not all provider instances will actually use this field, so the value
	// defaults to the empty string.
	// NOTE(review): both names are resolved by the bootstrap-defined plugin, so a
	// wrong InstanceName/CertificateName pair selects a different identity rather
	// than failing here — validate the pair against the bootstrap configuration.
	CertificateName string `protobuf:"bytes,2,opt,name=certificate_name,json=certificateName,proto3" json:"certificate_name,omitempty"`
	// contains filtered or unexported fields
}

Indicates a certificate to be obtained from a named CertificateProvider plugin instance. The plugin instances are defined in the client's bootstrap file. The plugin allows certificates to be fetched/refreshed over the network asynchronously with respect to the TLS handshake. [#not-implemented-hide:]

func (*CertificateProviderPluginInstance) Descriptor deprecated added in v0.10.0

func (*CertificateProviderPluginInstance) Descriptor() ([]byte, []int)

Deprecated: Use CertificateProviderPluginInstance.ProtoReflect.Descriptor instead.

func (*CertificateProviderPluginInstance) GetCertificateName added in v0.10.0

func (x *CertificateProviderPluginInstance) GetCertificateName() string

func (*CertificateProviderPluginInstance) GetInstanceName added in v0.10.0

func (x *CertificateProviderPluginInstance) GetInstanceName() string

func (*CertificateProviderPluginInstance) ProtoMessage added in v0.10.0

func (*CertificateProviderPluginInstance) ProtoMessage()

func (*CertificateProviderPluginInstance) ProtoReflect added in v0.10.0

func (*CertificateProviderPluginInstance) Reset added in v0.10.0

func (*CertificateProviderPluginInstance) String added in v0.10.0

func (*CertificateProviderPluginInstance) Validate added in v0.10.0

Validate checks the field values on CertificateProviderPluginInstance with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*CertificateProviderPluginInstance) ValidateAll added in v0.10.0

func (m *CertificateProviderPluginInstance) ValidateAll() error

ValidateAll checks the field values on CertificateProviderPluginInstance with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in CertificateProviderPluginInstanceMultiError, or nil if none found.

type CertificateProviderPluginInstanceMultiError added in v0.10.0

type CertificateProviderPluginInstanceMultiError []error

CertificateProviderPluginInstanceMultiError is an error wrapping multiple validation errors returned by CertificateProviderPluginInstance.ValidateAll() if the designated constraints aren't met.

func (CertificateProviderPluginInstanceMultiError) AllErrors added in v0.10.0

AllErrors returns a list of validation violation errors.

func (CertificateProviderPluginInstanceMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type CertificateProviderPluginInstanceValidationError added in v0.10.0

// CertificateProviderPluginInstanceValidationError is the validation error
// returned by CertificateProviderPluginInstance.Validate if the designated
// constraints aren't met. Its accessors (Field, Reason, Key, Cause, ErrorName)
// expose the individual parts of the violation.
type CertificateProviderPluginInstanceValidationError struct {
	// contains filtered or unexported fields
}

CertificateProviderPluginInstanceValidationError is the validation error returned by CertificateProviderPluginInstance.Validate if the designated constraints aren't met.

func (CertificateProviderPluginInstanceValidationError) Cause added in v0.10.0

Cause returns the underlying cause of the validation error, if any.

func (CertificateProviderPluginInstanceValidationError) Error added in v0.10.0

Error satisfies the builtin error interface.

func (CertificateProviderPluginInstanceValidationError) ErrorName added in v0.10.0

ErrorName returns error name.

func (CertificateProviderPluginInstanceValidationError) Field added in v0.10.0

Field returns the field the validation error refers to.

func (CertificateProviderPluginInstanceValidationError) Key added in v0.10.0

Key returns the key value of the validation error.

func (CertificateProviderPluginInstanceValidationError) Reason added in v0.10.0

Reason returns the reason the validation failed.

type CertificateValidationContext

// CertificateValidationContext configures how a presented peer certificate is
// verified: the trust anchors (TrustedCa or CaCertificateProviderInstance),
// optional SPKI / certificate-hash pinning, Subject Alternative Name matching,
// CRL checks, chain-depth limits and the trust-chain verification mode. If no
// trust anchor is configured, a presented peer certificate is not verified (see
// TrustedCa). [#next-free-field: 17]
type CertificateValidationContext struct {

	// TLS certificate data containing certificate authority certificates to use in verifying
	// a presented peer certificate (e.g. server certificate for clusters or client certificate
	// for listeners). If not specified and a peer certificate is presented it will not be
	// verified. By default, a client certificate is optional, unless one of the additional
	// options (:ref:`require_client_certificate
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
	// :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also
	// specified.
	//
	// It can optionally contain certificate revocation lists, in which case Envoy will verify
	// that the presented peer certificate has not been revoked by one of the included CRLs. Note
	// that if a CRL is provided for any certificate authority in a trust chain, a CRL must be
	// provided for all certificate authorities in that chain. Failure to do so will result in
	// verification failure for both revoked and unrevoked certificates from that chain.
	// The behavior of requiring all certificates to contain CRLs if any do can be altered by
	// setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`
	// true. If set to true, only the final certificate in the chain undergoes CRL verification.
	//
	// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
	// system CA locations.
	//
	// If *trusted_ca* is a filesystem path, a watch will be added to the parent
	// directory for any file moves to support rotation. This currently only
	// applies to dynamic secrets, when the *CertificateValidationContext* is
	// delivered via SDS.
	//
	// Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified.
	//
	// [#next-major-version: This field and watched_directory below should ideally be moved into a
	// separate sub-message, since there's no point in specifying the latter field without this one.]
	TrustedCa *v3.DataSource `protobuf:"bytes,1,opt,name=trusted_ca,json=trustedCa,proto3" json:"trusted_ca,omitempty"`
	// Certificate provider instance for fetching TLS certificates.
	//
	// Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified.
	// [#not-implemented-hide:]
	CaCertificateProviderInstance *CertificateProviderPluginInstance `` /* 153-byte string literal not displayed */
	// If specified, updates of a file-based *trusted_ca* source will be triggered
	// by this watch. This allows explicit control over the path watched, by
	// default the parent directory of the filesystem path in *trusted_ca* is
	// watched if this field is not specified. This only applies when a
	// *CertificateValidationContext* is delivered by SDS with references to
	// filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
	// documentation for further details.
	WatchedDirectory *v3.WatchedDirectory `protobuf:"bytes,11,opt,name=watched_directory,json=watchedDirectory,proto3" json:"watched_directory,omitempty"`
	// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
	// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
	// matches one of the specified values.
	//
	// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//   $ openssl x509 -in path/to/client.crt -noout -pubkey
	//     | openssl pkey -pubin -outform DER
	//     | openssl dgst -sha256 -binary
	//     | openssl enc -base64
	//   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
	//
	// This is the format used in HTTP Public Key Pinning.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	//
	// .. attention::
	//
	//   This option is preferred over :ref:`verify_certificate_hash
	//   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
	//   because SPKI is tied to a private key, so it doesn't change when the certificate
	//   is renewed using the same private key.
	//
	// NOTE(review): pinning is "any of" across both lists — a single stale or
	// over-broad entry is enough to accept a certificate, so prune entries when
	// keys are retired.
	VerifyCertificateSpki []string `` /* 126-byte string literal not displayed */
	// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
	// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
	//
	// A hex-encoded SHA-256 of the certificate can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
	//   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
	//
	// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
	//   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
	//
	// Both of those formats are acceptable.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	VerifyCertificateHash []string `` /* 126-byte string literal not displayed */
	// An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the
	// Subject Alternative Name of the presented certificate matches one of the specified matchers.
	// The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is
	// matched.
	//
	// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
	// configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.
	// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
	// it should be configured as shown below.
	//
	// .. code-block:: yaml
	//
	//  match_typed_subject_alt_names:
	//  - san_type: DNS
	//    matcher:
	//      exact: "api.example.com"
	//
	// .. attention::
	//
	//   Subject Alternative Names are easily spoofable and verifying only them is insecure,
	//   therefore this option must be used together with :ref:`trusted_ca
	//   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
	MatchTypedSubjectAltNames []*SubjectAltNameMatcher `` /* 143-byte string literal not displayed */
	// This field is deprecated in favor of
	// :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
	// Note that if both this field and :ref:`match_typed_subject_alt_names
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
	// are specified, the former (deprecated field) is ignored.
	//
	// Deprecated: Do not use.
	MatchSubjectAltNames []*v31.StringMatcher `protobuf:"bytes,9,rep,name=match_subject_alt_names,json=matchSubjectAltNames,proto3" json:"match_subject_alt_names,omitempty"`
	// [#not-implemented-hide:] Must present signed certificate time-stamp.
	RequireSignedCertificateTimestamp *wrappers.BoolValue `` /* 164-byte string literal not displayed */
	// An optional `certificate revocation list
	// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
	// (in PEM format). If specified, Envoy will verify that the presented peer
	// certificate has not been revoked by this CRL. If this DataSource contains
	// multiple CRLs, all of them will be used. Note that if a CRL is provided
	// for any certificate authority in a trust chain, a CRL must be provided
	// for all certificate authorities in that chain. Failure to do so will
	// result in verification failure for both revoked and unrevoked certificates
	// from that chain. This default behavior can be altered by setting
	// :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
	// true.
	Crl *v3.DataSource `protobuf:"bytes,7,opt,name=crl,proto3" json:"crl,omitempty"`
	// If specified, Envoy will not reject expired certificates.
	// NOTE(review): this relaxes validation (an expired certificate is treated as
	// if still within its validity period); keep it false unless the deployment
	// explicitly needs expired peers accepted.
	AllowExpiredCertificate bool `` /* 133-byte string literal not displayed */
	// Certificate trust chain verification mode.
	// With ACCEPT_UNTRUSTED, connections whose certificate fails verification are
	// still permitted (see CertificateValidationContext_TrustChainVerification),
	// so this context then no longer authenticates the peer by itself.
	TrustChainVerification CertificateValidationContext_TrustChainVerification `` /* 230-byte string literal not displayed */
	// The configuration of an extension specific certificate validator.
	// If specified, all validation is done by the specified validator,
	// and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
	// Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
	// [#extension-category: envoy.tls.cert_validator]
	// NOTE(review): because the validator replaces the checks configured by the
	// other fields of this message, review its own configuration for the same
	// properties (trust anchors, revocation, SAN matching).
	CustomValidatorConfig *v3.TypedExtensionConfig `` /* 127-byte string literal not displayed */
	// If this option is set to true, only the certificate at the end of the
	// certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`.
	OnlyVerifyLeafCertCrl bool `` /* 132-byte string literal not displayed */
	// Config for the max number of intermediate certificates in chain that are parsed during verification.
	// This does not include the leaf certificate. If configured, and the certificate chain is longer than allowed, the certificates
	// above the limit are ignored, and certificate validation will fail. The default limit is 100,
	// though this can be system-dependent.
	// https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify_depth.html
	MaxVerifyDepth *wrappers.UInt32Value `protobuf:"bytes,16,opt,name=max_verify_depth,json=maxVerifyDepth,proto3" json:"max_verify_depth,omitempty"`
	// contains filtered or unexported fields
}

[#next-free-field: 17]

func (*CertificateValidationContext) Descriptor deprecated

func (*CertificateValidationContext) Descriptor() ([]byte, []int)

Deprecated: Use CertificateValidationContext.ProtoReflect.Descriptor instead.

func (*CertificateValidationContext) GetAllowExpiredCertificate

func (x *CertificateValidationContext) GetAllowExpiredCertificate() bool

func (*CertificateValidationContext) GetCaCertificateProviderInstance added in v0.10.0

func (x *CertificateValidationContext) GetCaCertificateProviderInstance() *CertificateProviderPluginInstance

func (*CertificateValidationContext) GetCrl

func (*CertificateValidationContext) GetCustomValidatorConfig added in v0.9.9

func (x *CertificateValidationContext) GetCustomValidatorConfig() *v3.TypedExtensionConfig

func (*CertificateValidationContext) GetMatchSubjectAltNames deprecated

func (x *CertificateValidationContext) GetMatchSubjectAltNames() []*v31.StringMatcher

Deprecated: Do not use.

func (*CertificateValidationContext) GetMatchTypedSubjectAltNames added in v0.10.2

func (x *CertificateValidationContext) GetMatchTypedSubjectAltNames() []*SubjectAltNameMatcher

func (*CertificateValidationContext) GetMaxVerifyDepth added in v0.10.2

func (x *CertificateValidationContext) GetMaxVerifyDepth() *wrappers.UInt32Value

func (*CertificateValidationContext) GetOnlyVerifyLeafCertCrl added in v0.10.1

func (x *CertificateValidationContext) GetOnlyVerifyLeafCertCrl() bool

func (*CertificateValidationContext) GetRequireSignedCertificateTimestamp

func (x *CertificateValidationContext) GetRequireSignedCertificateTimestamp() *wrappers.BoolValue

func (*CertificateValidationContext) GetTrustChainVerification

func (*CertificateValidationContext) GetTrustedCa

func (x *CertificateValidationContext) GetTrustedCa() *v3.DataSource

func (*CertificateValidationContext) GetVerifyCertificateHash

func (x *CertificateValidationContext) GetVerifyCertificateHash() []string

func (*CertificateValidationContext) GetVerifyCertificateSpki

func (x *CertificateValidationContext) GetVerifyCertificateSpki() []string

func (*CertificateValidationContext) GetWatchedDirectory added in v0.9.8

func (x *CertificateValidationContext) GetWatchedDirectory() *v3.WatchedDirectory

func (*CertificateValidationContext) ProtoMessage

func (*CertificateValidationContext) ProtoMessage()

func (*CertificateValidationContext) ProtoReflect added in v0.9.6

func (*CertificateValidationContext) Reset

func (x *CertificateValidationContext) Reset()

func (*CertificateValidationContext) String

func (*CertificateValidationContext) Validate

func (m *CertificateValidationContext) Validate() error

Validate checks the field values on CertificateValidationContext with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*CertificateValidationContext) ValidateAll added in v0.10.0

func (m *CertificateValidationContext) ValidateAll() error

ValidateAll checks the field values on CertificateValidationContext with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in CertificateValidationContextMultiError, or nil if none found.

type CertificateValidationContextMultiError added in v0.10.0

type CertificateValidationContextMultiError []error

CertificateValidationContextMultiError is an error wrapping multiple validation errors returned by CertificateValidationContext.ValidateAll() if the designated constraints aren't met.

func (CertificateValidationContextMultiError) AllErrors added in v0.10.0

AllErrors returns a list of validation violation errors.

func (CertificateValidationContextMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type CertificateValidationContextValidationError

// CertificateValidationContextValidationError is the validation error returned
// by CertificateValidationContext.Validate if the designated constraints aren't
// met. Its accessors (Field, Reason, Key, Cause, ErrorName) expose the
// individual parts of the violation.
type CertificateValidationContextValidationError struct {
	// contains filtered or unexported fields
}

CertificateValidationContextValidationError is the validation error returned by CertificateValidationContext.Validate if the designated constraints aren't met.

func (CertificateValidationContextValidationError) Cause

Cause returns the underlying cause of the validation error, if any.

func (CertificateValidationContextValidationError) Error

Error satisfies the builtin error interface.

func (CertificateValidationContextValidationError) ErrorName

ErrorName returns error name.

func (CertificateValidationContextValidationError) Field

Field returns the field the validation error refers to.

func (CertificateValidationContextValidationError) Key

Key returns the key value of the validation error.

func (CertificateValidationContextValidationError) Reason

Reason returns the reason the validation failed.

type CertificateValidationContext_TrustChainVerification

// CertificateValidationContext_TrustChainVerification is the peer certificate
// verification mode (see the CertificateValidationContext_VERIFY_TRUST_CHAIN and
// CertificateValidationContext_ACCEPT_UNTRUSTED constants).
type CertificateValidationContext_TrustChainVerification int32

Peer certificate verification mode.

// Trust-chain verification modes, in proto enum order (VERIFY_TRUST_CHAIN = 0,
// ACCEPT_UNTRUSTED = 1).
const (
	// CertificateValidationContext_VERIFY_TRUST_CHAIN performs the default
	// certificate verification (e.g., against CA / verification lists).
	CertificateValidationContext_VERIFY_TRUST_CHAIN CertificateValidationContext_TrustChainVerification = iota
	// CertificateValidationContext_ACCEPT_UNTRUSTED permits connections whose
	// certificate fails verification, so the TLS layer no longer authenticates
	// the peer. For HTTP connections, the result of certificate verification can
	// be used in route matching (see :ref:`validated
	// <envoy_v3_api_field_config.route.v3.RouteMatch.TlsContextMatchOptions.validated>`).
	CertificateValidationContext_ACCEPT_UNTRUSTED
)

func (CertificateValidationContext_TrustChainVerification) Descriptor added in v0.9.6

func (CertificateValidationContext_TrustChainVerification) Enum added in v0.9.6

func (CertificateValidationContext_TrustChainVerification) EnumDescriptor deprecated

Deprecated: Use CertificateValidationContext_TrustChainVerification.Descriptor instead.

func (CertificateValidationContext_TrustChainVerification) Number added in v0.9.6

func (CertificateValidationContext_TrustChainVerification) String

func (CertificateValidationContext_TrustChainVerification) Type added in v0.9.6

type CommonTlsContext

// CommonTlsContext holds the TLS settings shared by client and server TLS
// contexts: protocol parameters, the certificates to present (exactly one of the
// TlsCertificate* sources), how the peer certificate is validated
// (ValidationContextType), ALPN, an optional custom handshaker and key logging.
// [#next-free-field: 16]
type CommonTlsContext struct {

	// TLS protocol versions, cipher suites etc.
	TlsParams *TlsParameters `protobuf:"bytes,1,opt,name=tls_params,json=tlsParams,proto3" json:"tls_params,omitempty"`
	// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
	// same context to allow both RSA and ECDSA certificates.
	//
	// Only a single TLS certificate is supported in client contexts. In server contexts, the first
	// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
	// used for clients that support ECDSA.
	//
	// Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
	// and *tls_certificate_provider_instance* may be used.
	// [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
	// not legal to put a repeated field in a oneof. In the next major version, we should rework
	// this to avoid this problem.]
	TlsCertificates []*TlsCertificate `protobuf:"bytes,2,rep,name=tls_certificates,json=tlsCertificates,proto3" json:"tls_certificates,omitempty"`
	// Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	//
	// The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
	// are valid in the certificates fetched through this setting.
	//
	// Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
	// and *tls_certificate_provider_instance* may be used.
	// [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
	// not legal to put a repeated field in a oneof. In the next major version, we should rework
	// this to avoid this problem.]
	TlsCertificateSdsSecretConfigs []*SdsSecretConfig `` /* 157-byte string literal not displayed */
	// Certificate provider instance for fetching TLS certs.
	//
	// Only one of *tls_certificates*, *tls_certificate_sds_secret_configs*,
	// and *tls_certificate_provider_instance* may be used.
	// [#not-implemented-hide:]
	TlsCertificateProviderInstance *CertificateProviderPluginInstance `` /* 156-byte string literal not displayed */
	// Certificate provider for fetching TLS certificates.
	// [#not-implemented-hide:]
	//
	// Deprecated: Do not use.
	TlsCertificateCertificateProvider *CommonTlsContext_CertificateProvider `` /* 164-byte string literal not displayed */
	// Certificate provider instance for fetching TLS certificates.
	// [#not-implemented-hide:]
	//
	// Deprecated: Do not use.
	TlsCertificateCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance `` /* 191-byte string literal not displayed */
	// Types that are assignable to ValidationContextType:
	//	*CommonTlsContext_ValidationContext
	//	*CommonTlsContext_ValidationContextSdsSecretConfig
	//	*CommonTlsContext_CombinedValidationContext
	//	*CommonTlsContext_ValidationContextCertificateProvider
	//	*CommonTlsContext_ValidationContextCertificateProviderInstance
	//
	// NOTE(review): this oneof is where peer certificate verification is
	// configured; when it is left unset, nothing in this message verifies the
	// peer — confirm how the enclosing upstream/downstream context treats that.
	ValidationContextType isCommonTlsContext_ValidationContextType `protobuf_oneof:"validation_context_type"`
	// Supplies the list of ALPN protocols that the listener should expose. In
	// practice this is likely to be set to one of two values (see the
	// :ref:`codec_type
	// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type>`
	// parameter in the HTTP connection manager for more information):
	//
	// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
	// * "http/1.1" If the listener is only going to support HTTP/1.1.
	//
	// There is no default for this parameter. If empty, Envoy will not expose ALPN.
	AlpnProtocols []string `protobuf:"bytes,4,rep,name=alpn_protocols,json=alpnProtocols,proto3" json:"alpn_protocols,omitempty"`
	// Custom TLS handshaker. If empty, defaults to native TLS handshaking
	// behavior.
	CustomHandshaker *v3.TypedExtensionConfig `protobuf:"bytes,13,opt,name=custom_handshaker,json=customHandshaker,proto3" json:"custom_handshaker,omitempty"`
	// TLS key log configuration
	// NOTE(review): a TLS key log presumably records per-session keying material,
	// which allows captured traffic to be decrypted; leave it unset outside of
	// debugging and restrict access to its destination — confirm against the
	// TlsKeyLog documentation.
	KeyLog *TlsKeyLog `protobuf:"bytes,15,opt,name=key_log,json=keyLog,proto3" json:"key_log,omitempty"`
	// contains filtered or unexported fields
}

TLS context shared by both client and server TLS contexts. [#next-free-field: 16]

func (*CommonTlsContext) Descriptor deprecated

func (*CommonTlsContext) Descriptor() ([]byte, []int)

Deprecated: Use CommonTlsContext.ProtoReflect.Descriptor instead.

func (*CommonTlsContext) GetAlpnProtocols

func (x *CommonTlsContext) GetAlpnProtocols() []string

func (*CommonTlsContext) GetCombinedValidationContext

func (*CommonTlsContext) GetCustomHandshaker added in v0.9.7

func (x *CommonTlsContext) GetCustomHandshaker() *v3.TypedExtensionConfig

func (*CommonTlsContext) GetKeyLog added in v0.10.2

func (x *CommonTlsContext) GetKeyLog() *TlsKeyLog

func (*CommonTlsContext) GetTlsCertificateCertificateProvider deprecated added in v0.9.6

func (x *CommonTlsContext) GetTlsCertificateCertificateProvider() *CommonTlsContext_CertificateProvider

Deprecated: Do not use.

func (*CommonTlsContext) GetTlsCertificateCertificateProviderInstance deprecated added in v0.9.7

func (x *CommonTlsContext) GetTlsCertificateCertificateProviderInstance() *CommonTlsContext_CertificateProviderInstance

Deprecated: Do not use.

func (*CommonTlsContext) GetTlsCertificateProviderInstance added in v0.10.0

func (x *CommonTlsContext) GetTlsCertificateProviderInstance() *CertificateProviderPluginInstance

func (*CommonTlsContext) GetTlsCertificateSdsSecretConfigs

func (x *CommonTlsContext) GetTlsCertificateSdsSecretConfigs() []*SdsSecretConfig

func (*CommonTlsContext) GetTlsCertificates

func (x *CommonTlsContext) GetTlsCertificates() []*TlsCertificate

func (*CommonTlsContext) GetTlsParams

func (x *CommonTlsContext) GetTlsParams() *TlsParameters

func (*CommonTlsContext) GetValidationContext

func (x *CommonTlsContext) GetValidationContext() *CertificateValidationContext

func (*CommonTlsContext) GetValidationContextCertificateProvider deprecated added in v0.9.6

func (x *CommonTlsContext) GetValidationContextCertificateProvider() *CommonTlsContext_CertificateProvider

Deprecated: Do not use.

func (*CommonTlsContext) GetValidationContextCertificateProviderInstance deprecated added in v0.9.7

func (x *CommonTlsContext) GetValidationContextCertificateProviderInstance() *CommonTlsContext_CertificateProviderInstance

Deprecated: Do not use.

func (*CommonTlsContext) GetValidationContextSdsSecretConfig

func (x *CommonTlsContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig

func (*CommonTlsContext) GetValidationContextType

func (m *CommonTlsContext) GetValidationContextType() isCommonTlsContext_ValidationContextType

func (*CommonTlsContext) ProtoMessage

func (*CommonTlsContext) ProtoMessage()

func (*CommonTlsContext) ProtoReflect added in v0.9.6

func (x *CommonTlsContext) ProtoReflect() protoreflect.Message

func (*CommonTlsContext) Reset

func (x *CommonTlsContext) Reset()

func (*CommonTlsContext) String

func (x *CommonTlsContext) String() string

func (*CommonTlsContext) Validate

func (m *CommonTlsContext) Validate() error

Validate checks the field values on CommonTlsContext with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*CommonTlsContext) ValidateAll added in v0.10.0

func (m *CommonTlsContext) ValidateAll() error

ValidateAll checks the field values on CommonTlsContext with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in CommonTlsContextMultiError, or nil if none found.

type CommonTlsContextMultiError added in v0.10.0

// CommonTlsContextMultiError is an error wrapping multiple validation errors
// returned by CommonTlsContext.ValidateAll() if the designated constraints aren't met.
type CommonTlsContextMultiError []error

CommonTlsContextMultiError is an error wrapping multiple validation errors returned by CommonTlsContext.ValidateAll() if the designated constraints aren't met.

func (CommonTlsContextMultiError) AllErrors added in v0.10.0

func (m CommonTlsContextMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (CommonTlsContextMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type CommonTlsContextValidationError

// CommonTlsContextValidationError is the validation error returned by
// CommonTlsContext.Validate if the designated constraints aren't met.
type CommonTlsContextValidationError struct {
	// contains filtered or unexported fields
}

CommonTlsContextValidationError is the validation error returned by CommonTlsContext.Validate if the designated constraints aren't met.

func (CommonTlsContextValidationError) Cause

Cause function returns cause value.

func (CommonTlsContextValidationError) Error

Error satisfies the builtin error interface

func (CommonTlsContextValidationError) ErrorName

ErrorName returns error name.

func (CommonTlsContextValidationError) Field

Field function returns field value.

func (CommonTlsContextValidationError) Key

Key function returns key value.

func (CommonTlsContextValidationError) Reason

Reason function returns reason value.

type CommonTlsContext_CertificateProvider added in v0.9.6

// CommonTlsContext_CertificateProvider is the config for a certificate provider used to get
// certificates. This provider should allow certificates to be fetched/refreshed over the
// network asynchronously with respect to the TLS handshake.
//
// DEPRECATED: This message is not currently used, but if we ever do need it, we will want
// to move it out of CommonTlsContext and into common.proto, similar to the existing
// CertificateProviderPluginInstance message.
//
// [#not-implemented-hide:]
type CommonTlsContext_CertificateProvider struct {

	// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Provider specific config.
	// Note: an implementation is expected to dedup multiple instances of the same config
	// to maintain a single certificate-provider instance. The sharing can happen, for
	// example, among multiple clusters or between the tls_certificate and validation_context
	// certificate providers of a cluster.
	// This config could be supplied inline or (in future) a named xDS resource.
	//
	// Types that are assignable to Config:
	//	*CommonTlsContext_CertificateProvider_TypedConfig
	Config isCommonTlsContext_CertificateProvider_Config `protobuf_oneof:"config"`
	// contains filtered or unexported fields
}

Config for Certificate provider to get certificates. This provider should allow certificates to be fetched/refreshed over the network asynchronously with respect to the TLS handshake.

DEPRECATED: This message is not currently used, but if we ever do need it, we will want to move it out of CommonTlsContext and into common.proto, similar to the existing CertificateProviderPluginInstance message.

[#not-implemented-hide:]

func (*CommonTlsContext_CertificateProvider) Descriptor deprecated added in v0.9.6

func (*CommonTlsContext_CertificateProvider) Descriptor() ([]byte, []int)

Deprecated: Use CommonTlsContext_CertificateProvider.ProtoReflect.Descriptor instead.

func (*CommonTlsContext_CertificateProvider) GetConfig added in v0.9.6

func (m *CommonTlsContext_CertificateProvider) GetConfig() isCommonTlsContext_CertificateProvider_Config

func (*CommonTlsContext_CertificateProvider) GetName added in v0.9.6

func (*CommonTlsContext_CertificateProvider) GetTypedConfig added in v0.9.6

func (*CommonTlsContext_CertificateProvider) ProtoMessage added in v0.9.6

func (*CommonTlsContext_CertificateProvider) ProtoMessage()

func (*CommonTlsContext_CertificateProvider) ProtoReflect added in v0.9.6

func (*CommonTlsContext_CertificateProvider) Reset added in v0.9.6

func (*CommonTlsContext_CertificateProvider) String added in v0.9.6

func (*CommonTlsContext_CertificateProvider) Validate added in v0.9.6

Validate checks the field values on CommonTlsContext_CertificateProvider with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*CommonTlsContext_CertificateProvider) ValidateAll added in v0.10.0

ValidateAll checks the field values on CommonTlsContext_CertificateProvider with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in CommonTlsContext_CertificateProviderMultiError, or nil if none found.

type CommonTlsContext_CertificateProviderInstance added in v0.9.7

// CommonTlsContext_CertificateProviderInstance is similar to CommonTlsContext_CertificateProvider,
// but allows the provider instances to be configured on the client side instead of being sent
// from the control plane.
//
// DEPRECATED: This message was moved outside of CommonTlsContext and now lives in common.proto.
//
// [#not-implemented-hide:]
type CommonTlsContext_CertificateProviderInstance struct {

	// Provider instance name. This name must be defined in the client's configuration (e.g., a
	// bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config
	// field that would be sent in the CertificateProvider message if the config was sent by the
	// control plane). If not present, defaults to "default".
	//
	// Instance names should generally be defined not in terms of the underlying provider
	// implementation (e.g., "file_watcher") but rather in terms of the function of the
	// certificates (e.g., "foo_deployment_identity").
	InstanceName string `protobuf:"bytes,1,opt,name=instance_name,json=instanceName,proto3" json:"instance_name,omitempty"`
	// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
	// a root-certificate (validation context) or "example.com" to specify a certificate for a
	// particular domain. Not all provider instances will actually use this field, so the value
	// defaults to the empty string.
	CertificateName string `protobuf:"bytes,2,opt,name=certificate_name,json=certificateName,proto3" json:"certificate_name,omitempty"`
	// contains filtered or unexported fields
}

Similar to CertificateProvider above, but allows the provider instances to be configured on the client side instead of being sent from the control plane.

DEPRECATED: This message was moved outside of CommonTlsContext and now lives in common.proto.

[#not-implemented-hide:]

func (*CommonTlsContext_CertificateProviderInstance) Descriptor deprecated added in v0.9.7

Deprecated: Use CommonTlsContext_CertificateProviderInstance.ProtoReflect.Descriptor instead.

func (*CommonTlsContext_CertificateProviderInstance) GetCertificateName added in v0.9.7

func (x *CommonTlsContext_CertificateProviderInstance) GetCertificateName() string

func (*CommonTlsContext_CertificateProviderInstance) GetInstanceName added in v0.9.7

func (*CommonTlsContext_CertificateProviderInstance) ProtoMessage added in v0.9.7

func (*CommonTlsContext_CertificateProviderInstance) ProtoReflect added in v0.9.7

func (*CommonTlsContext_CertificateProviderInstance) Reset added in v0.9.7

func (*CommonTlsContext_CertificateProviderInstance) String added in v0.9.7

func (*CommonTlsContext_CertificateProviderInstance) Validate added in v0.9.7

Validate checks the field values on CommonTlsContext_CertificateProviderInstance with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*CommonTlsContext_CertificateProviderInstance) ValidateAll added in v0.10.0

ValidateAll checks the field values on CommonTlsContext_CertificateProviderInstance with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in CommonTlsContext_CertificateProviderInstanceMultiError, or nil if none found.

type CommonTlsContext_CertificateProviderInstanceMultiError added in v0.10.0

// CommonTlsContext_CertificateProviderInstanceMultiError is an error wrapping multiple
// validation errors returned by CommonTlsContext_CertificateProviderInstance.ValidateAll()
// if the designated constraints aren't met.
type CommonTlsContext_CertificateProviderInstanceMultiError []error

CommonTlsContext_CertificateProviderInstanceMultiError is an error wrapping multiple validation errors returned by CommonTlsContext_CertificateProviderInstance.ValidateAll() if the designated constraints aren't met.

func (CommonTlsContext_CertificateProviderInstanceMultiError) AllErrors added in v0.10.0

AllErrors returns a list of validation violation errors.

func (CommonTlsContext_CertificateProviderInstanceMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type CommonTlsContext_CertificateProviderInstanceValidationError added in v0.9.7

// CommonTlsContext_CertificateProviderInstanceValidationError is the validation error
// returned by CommonTlsContext_CertificateProviderInstance.Validate if the designated
// constraints aren't met.
type CommonTlsContext_CertificateProviderInstanceValidationError struct {
	// contains filtered or unexported fields
}

CommonTlsContext_CertificateProviderInstanceValidationError is the validation error returned by CommonTlsContext_CertificateProviderInstance.Validate if the designated constraints aren't met.

func (CommonTlsContext_CertificateProviderInstanceValidationError) Cause added in v0.9.7

Cause function returns cause value.

func (CommonTlsContext_CertificateProviderInstanceValidationError) Error added in v0.9.7

Error satisfies the builtin error interface

func (CommonTlsContext_CertificateProviderInstanceValidationError) ErrorName added in v0.9.7

ErrorName returns error name.

func (CommonTlsContext_CertificateProviderInstanceValidationError) Field added in v0.9.7

Field function returns field value.

func (CommonTlsContext_CertificateProviderInstanceValidationError) Key added in v0.9.7

Key function returns key value.

func (CommonTlsContext_CertificateProviderInstanceValidationError) Reason added in v0.9.7

Reason function returns reason value.

type CommonTlsContext_CertificateProviderMultiError added in v0.10.0

// CommonTlsContext_CertificateProviderMultiError is an error wrapping multiple validation
// errors returned by CommonTlsContext_CertificateProvider.ValidateAll() if the designated
// constraints aren't met.
type CommonTlsContext_CertificateProviderMultiError []error

CommonTlsContext_CertificateProviderMultiError is an error wrapping multiple validation errors returned by CommonTlsContext_CertificateProvider.ValidateAll() if the designated constraints aren't met.

func (CommonTlsContext_CertificateProviderMultiError) AllErrors added in v0.10.0

AllErrors returns a list of validation violation errors.

func (CommonTlsContext_CertificateProviderMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type CommonTlsContext_CertificateProviderValidationError added in v0.9.6

// CommonTlsContext_CertificateProviderValidationError is the validation error returned by
// CommonTlsContext_CertificateProvider.Validate if the designated constraints aren't met.
type CommonTlsContext_CertificateProviderValidationError struct {
	// contains filtered or unexported fields
}

CommonTlsContext_CertificateProviderValidationError is the validation error returned by CommonTlsContext_CertificateProvider.Validate if the designated constraints aren't met.

func (CommonTlsContext_CertificateProviderValidationError) Cause added in v0.9.6

Cause function returns cause value.

func (CommonTlsContext_CertificateProviderValidationError) Error added in v0.9.6

Error satisfies the builtin error interface

func (CommonTlsContext_CertificateProviderValidationError) ErrorName added in v0.9.6

ErrorName returns error name.

func (CommonTlsContext_CertificateProviderValidationError) Field added in v0.9.6

Field function returns field value.

func (CommonTlsContext_CertificateProviderValidationError) Key added in v0.9.6

Key function returns key value.

func (CommonTlsContext_CertificateProviderValidationError) Reason added in v0.9.6

Reason function returns reason value.

type CommonTlsContext_CertificateProvider_TypedConfig added in v0.9.6

// CommonTlsContext_CertificateProvider_TypedConfig is the Config oneof wrapper of
// CommonTlsContext_CertificateProvider that carries the provider's typed_config.
type CommonTlsContext_CertificateProvider_TypedConfig struct {
	// Provider specific config as a typed extension config.
	TypedConfig *v3.TypedExtensionConfig `protobuf:"bytes,2,opt,name=typed_config,json=typedConfig,proto3,oneof"`
}

type CommonTlsContext_CombinedCertificateValidationContext

// CommonTlsContext_CombinedCertificateValidationContext holds a default
// CertificateValidationContext together with the SDS config used to fetch a dynamic one.
// See the CommonTlsContext_CombinedValidationContext field comment for how the default
// and the dynamic context are merged.
type CommonTlsContext_CombinedCertificateValidationContext struct {

	// How to validate peer certificates.
	DefaultValidationContext *CertificateValidationContext `` /* 135-byte string literal not displayed */
	// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	ValidationContextSdsSecretConfig *SdsSecretConfig `` /* 163-byte string literal not displayed */
	// Certificate provider for fetching CA certs. This will populate the
	// *default_validation_context.trusted_ca* field.
	// [#not-implemented-hide:]
	//
	// Deprecated: Do not use.
	ValidationContextCertificateProvider *CommonTlsContext_CertificateProvider `` /* 173-byte string literal not displayed */
	// Certificate provider instance for fetching CA certs. This will populate the
	// *default_validation_context.trusted_ca* field.
	// [#not-implemented-hide:]
	//
	// Deprecated: Do not use.
	ValidationContextCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance `` /* 199-byte string literal not displayed */
	// contains filtered or unexported fields
}

func (*CommonTlsContext_CombinedCertificateValidationContext) Descriptor deprecated

Deprecated: Use CommonTlsContext_CombinedCertificateValidationContext.ProtoReflect.Descriptor instead.

func (*CommonTlsContext_CombinedCertificateValidationContext) GetDefaultValidationContext

func (*CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextCertificateProvider deprecated added in v0.9.6

Deprecated: Do not use.

func (*CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextCertificateProviderInstance deprecated added in v0.9.7

Deprecated: Do not use.

func (*CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextSdsSecretConfig

func (x *CommonTlsContext_CombinedCertificateValidationContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig

func (*CommonTlsContext_CombinedCertificateValidationContext) ProtoMessage

func (*CommonTlsContext_CombinedCertificateValidationContext) ProtoReflect added in v0.9.6

func (*CommonTlsContext_CombinedCertificateValidationContext) Reset

func (*CommonTlsContext_CombinedCertificateValidationContext) String

func (*CommonTlsContext_CombinedCertificateValidationContext) Validate

Validate checks the field values on CommonTlsContext_CombinedCertificateValidationContext with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*CommonTlsContext_CombinedCertificateValidationContext) ValidateAll added in v0.10.0

ValidateAll checks the field values on CommonTlsContext_CombinedCertificateValidationContext with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in CommonTlsContext_CombinedCertificateValidationContextMultiError, or nil if none found.

type CommonTlsContext_CombinedCertificateValidationContextMultiError added in v0.10.0

// CommonTlsContext_CombinedCertificateValidationContextMultiError is an error wrapping
// multiple validation errors returned by
// CommonTlsContext_CombinedCertificateValidationContext.ValidateAll() if the designated
// constraints aren't met.
type CommonTlsContext_CombinedCertificateValidationContextMultiError []error

CommonTlsContext_CombinedCertificateValidationContextMultiError is an error wrapping multiple validation errors returned by CommonTlsContext_CombinedCertificateValidationContext.ValidateAll() if the designated constraints aren't met.

func (CommonTlsContext_CombinedCertificateValidationContextMultiError) AllErrors added in v0.10.0

AllErrors returns a list of validation violation errors.

func (CommonTlsContext_CombinedCertificateValidationContextMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type CommonTlsContext_CombinedCertificateValidationContextValidationError

// CommonTlsContext_CombinedCertificateValidationContextValidationError is the validation
// error returned by CommonTlsContext_CombinedCertificateValidationContext.Validate if the
// designated constraints aren't met.
type CommonTlsContext_CombinedCertificateValidationContextValidationError struct {
	// contains filtered or unexported fields
}

CommonTlsContext_CombinedCertificateValidationContextValidationError is the validation error returned by CommonTlsContext_CombinedCertificateValidationContext.Validate if the designated constraints aren't met.

func (CommonTlsContext_CombinedCertificateValidationContextValidationError) Cause

Cause function returns cause value.

func (CommonTlsContext_CombinedCertificateValidationContextValidationError) Error

Error satisfies the builtin error interface

func (CommonTlsContext_CombinedCertificateValidationContextValidationError) ErrorName

ErrorName returns error name.

func (CommonTlsContext_CombinedCertificateValidationContextValidationError) Field

Field function returns field value.

func (CommonTlsContext_CombinedCertificateValidationContextValidationError) Key

Key function returns key value.

func (CommonTlsContext_CombinedCertificateValidationContextValidationError) Reason

Reason function returns reason value.

type CommonTlsContext_CombinedValidationContext

// CommonTlsContext_CombinedValidationContext is the ValidationContextType oneof wrapper of
// CommonTlsContext that carries a combined (default + SDS) certificate validation context.
type CommonTlsContext_CombinedValidationContext struct {
	// Combined certificate validation context holds a default CertificateValidationContext
	// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
	// and default CertificateValidationContext are merged into a new CertificateValidationContext
	// for validation. This merge is done by Message::MergeFrom(), so dynamic
	// CertificateValidationContext overwrites singular fields in default
	// CertificateValidationContext, and concatenates repeated fields to default
	// CertificateValidationContext, and logical OR is applied to boolean fields.
	CombinedValidationContext *CommonTlsContext_CombinedCertificateValidationContext `protobuf:"bytes,8,opt,name=combined_validation_context,json=combinedValidationContext,proto3,oneof"`
}

type CommonTlsContext_ValidationContext

// CommonTlsContext_ValidationContext is the ValidationContextType oneof wrapper of
// CommonTlsContext that carries an inline CertificateValidationContext.
type CommonTlsContext_ValidationContext struct {
	// How to validate peer certificates.
	ValidationContext *CertificateValidationContext `protobuf:"bytes,3,opt,name=validation_context,json=validationContext,proto3,oneof"`
}

type CommonTlsContext_ValidationContextCertificateProvider added in v0.9.6

// CommonTlsContext_ValidationContextCertificateProvider is the ValidationContextType oneof
// wrapper of CommonTlsContext that names a certificate provider for the validation context.
// The wrapped field is deprecated and tagged not-implemented.
type CommonTlsContext_ValidationContextCertificateProvider struct {
	// Certificate provider for fetching validation context.
	// [#not-implemented-hide:]
	//
	// Deprecated: Do not use.
	ValidationContextCertificateProvider *CommonTlsContext_CertificateProvider `protobuf:"bytes,10,opt,name=validation_context_certificate_provider,json=validationContextCertificateProvider,proto3,oneof"`
}

type CommonTlsContext_ValidationContextCertificateProviderInstance added in v0.9.7

// CommonTlsContext_ValidationContextCertificateProviderInstance is the ValidationContextType
// oneof wrapper of CommonTlsContext that names a certificate provider instance for the
// validation context. The wrapped field is deprecated and tagged not-implemented.
type CommonTlsContext_ValidationContextCertificateProviderInstance struct {
	// Certificate provider instance for fetching validation context.
	// [#not-implemented-hide:]
	//
	// Deprecated: Do not use.
	ValidationContextCertificateProviderInstance *CommonTlsContext_CertificateProviderInstance `` /* 140-byte string literal not displayed */
}

type CommonTlsContext_ValidationContextSdsSecretConfig

// CommonTlsContext_ValidationContextSdsSecretConfig is the ValidationContextType oneof
// wrapper of CommonTlsContext that fetches the validation context via SDS.
type CommonTlsContext_ValidationContextSdsSecretConfig struct {
	// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
	// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
	ValidationContextSdsSecretConfig *SdsSecretConfig `protobuf:"bytes,7,opt,name=validation_context_sds_secret_config,json=validationContextSdsSecretConfig,proto3,oneof"`
}

type DownstreamTlsContext

// DownstreamTlsContext is the TLS transport socket configuration for the downstream
// (TLS server) side of a connection.
//
// [#next-free-field: 9]
type DownstreamTlsContext struct {

	// Common TLS context settings.
	CommonTlsContext *CommonTlsContext `protobuf:"bytes,1,opt,name=common_tls_context,json=commonTlsContext,proto3" json:"common_tls_context,omitempty"`
	// If specified, Envoy will reject connections without a valid client
	// certificate.
	// NOTE(review): "valid" presumably means validated against the validation context
	// configured in CommonTlsContext; confirm the behaviour when no trusted CA is configured.
	RequireClientCertificate *wrappers.BoolValue `` /* 135-byte string literal not displayed */
	// If specified, Envoy will reject connections without a valid and matching SNI.
	// [#not-implemented-hide:]
	// NOTE(review): tagged not-implemented above, so this flag cannot be relied on for
	// enforcement until the implementation lands.
	RequireSni *wrappers.BoolValue `protobuf:"bytes,3,opt,name=require_sni,json=requireSni,proto3" json:"require_sni,omitempty"`
	// Types that are assignable to SessionTicketKeysType:
	//	*DownstreamTlsContext_SessionTicketKeys
	//	*DownstreamTlsContext_SessionTicketKeysSdsSecretConfig
	//	*DownstreamTlsContext_DisableStatelessSessionResumption
	SessionTicketKeysType isDownstreamTlsContext_SessionTicketKeysType `protobuf_oneof:"session_ticket_keys_type"`
	// If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session.
	// Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
	// Only seconds can be specified (fractional seconds are ignored).
	SessionTimeout *duration.Duration `protobuf:"bytes,6,opt,name=session_timeout,json=sessionTimeout,proto3" json:"session_timeout,omitempty"`
	// Config for whether to use certificates if they do not have
	// an accompanying OCSP response or if the response expires at runtime.
	// Defaults to LENIENT_STAPLING
	OcspStaplePolicy DownstreamTlsContext_OcspStaplePolicy `` /* 197-byte string literal not displayed */
	// contains filtered or unexported fields
}

[#next-free-field: 9]

func (*DownstreamTlsContext) Descriptor deprecated

func (*DownstreamTlsContext) Descriptor() ([]byte, []int)

Deprecated: Use DownstreamTlsContext.ProtoReflect.Descriptor instead.

func (*DownstreamTlsContext) GetCommonTlsContext

func (x *DownstreamTlsContext) GetCommonTlsContext() *CommonTlsContext

func (*DownstreamTlsContext) GetDisableStatelessSessionResumption added in v0.9.6

func (x *DownstreamTlsContext) GetDisableStatelessSessionResumption() bool

func (*DownstreamTlsContext) GetOcspStaplePolicy added in v0.9.7

func (*DownstreamTlsContext) GetRequireClientCertificate

func (x *DownstreamTlsContext) GetRequireClientCertificate() *wrappers.BoolValue

func (*DownstreamTlsContext) GetRequireSni

func (x *DownstreamTlsContext) GetRequireSni() *wrappers.BoolValue

func (*DownstreamTlsContext) GetSessionTicketKeys

func (x *DownstreamTlsContext) GetSessionTicketKeys() *TlsSessionTicketKeys

func (*DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig

func (x *DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig() *SdsSecretConfig

func (*DownstreamTlsContext) GetSessionTicketKeysType

func (m *DownstreamTlsContext) GetSessionTicketKeysType() isDownstreamTlsContext_SessionTicketKeysType

func (*DownstreamTlsContext) GetSessionTimeout

func (x *DownstreamTlsContext) GetSessionTimeout() *duration.Duration

func (*DownstreamTlsContext) ProtoMessage

func (*DownstreamTlsContext) ProtoMessage()

func (*DownstreamTlsContext) ProtoReflect added in v0.9.6

func (x *DownstreamTlsContext) ProtoReflect() protoreflect.Message

func (*DownstreamTlsContext) Reset

func (x *DownstreamTlsContext) Reset()

func (*DownstreamTlsContext) String

func (x *DownstreamTlsContext) String() string

func (*DownstreamTlsContext) Validate

func (m *DownstreamTlsContext) Validate() error

Validate checks the field values on DownstreamTlsContext with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*DownstreamTlsContext) ValidateAll added in v0.10.0

func (m *DownstreamTlsContext) ValidateAll() error

ValidateAll checks the field values on DownstreamTlsContext with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in DownstreamTlsContextMultiError, or nil if none found.

type DownstreamTlsContextMultiError added in v0.10.0

// DownstreamTlsContextMultiError is an error wrapping multiple validation errors returned
// by DownstreamTlsContext.ValidateAll() if the designated constraints aren't met.
type DownstreamTlsContextMultiError []error

DownstreamTlsContextMultiError is an error wrapping multiple validation errors returned by DownstreamTlsContext.ValidateAll() if the designated constraints aren't met.

func (DownstreamTlsContextMultiError) AllErrors added in v0.10.0

func (m DownstreamTlsContextMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (DownstreamTlsContextMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type DownstreamTlsContextValidationError

// DownstreamTlsContextValidationError is the validation error returned by
// DownstreamTlsContext.Validate if the designated constraints aren't met.
type DownstreamTlsContextValidationError struct {
	// contains filtered or unexported fields
}

DownstreamTlsContextValidationError is the validation error returned by DownstreamTlsContext.Validate if the designated constraints aren't met.

func (DownstreamTlsContextValidationError) Cause

Cause function returns cause value.

func (DownstreamTlsContextValidationError) Error

Error satisfies the builtin error interface

func (DownstreamTlsContextValidationError) ErrorName

ErrorName returns error name.

func (DownstreamTlsContextValidationError) Field

Field function returns field value.

func (DownstreamTlsContextValidationError) Key

Key function returns key value.

func (DownstreamTlsContextValidationError) Reason

Reason function returns reason value.

type DownstreamTlsContext_DisableStatelessSessionResumption added in v0.9.6

// DownstreamTlsContext_DisableStatelessSessionResumption is the SessionTicketKeysType oneof
// wrapper of DownstreamTlsContext that switches stateless session resumption off instead
// of supplying session ticket keys.
type DownstreamTlsContext_DisableStatelessSessionResumption struct {
	// Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
	// server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
	// If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
	// the keys specified through either :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
	// or :ref:`session_ticket_keys_sds_secret_config <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
	// If this config is set to false and no keys are explicitly configured, the TLS server will issue
	// TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
	// implication that sessions cannot be resumed across hot restarts or on different hosts.
	DisableStatelessSessionResumption bool `protobuf:"varint,7,opt,name=disable_stateless_session_resumption,json=disableStatelessSessionResumption,proto3,oneof"`
}

type DownstreamTlsContext_OcspStaplePolicy added in v0.9.7

// DownstreamTlsContext_OcspStaplePolicy controls whether certificates are used when they
// do not have an accompanying OCSP response or when the response expires at runtime.
// The zero value, LENIENT_STAPLING, is the default.
type DownstreamTlsContext_OcspStaplePolicy int32
// The policies below are ordered from most to least lenient.
const (
	// OCSP responses are optional. If an OCSP response is absent
	// or expired, the associated certificate will be used for
	// connections without an OCSP staple.
	DownstreamTlsContext_LENIENT_STAPLING DownstreamTlsContext_OcspStaplePolicy = 0
	// OCSP responses are optional. If an OCSP response is absent,
	// the associated certificate will be used without an
	// OCSP staple. If a response is provided but is expired,
	// the associated certificate will not be used for
	// subsequent connections. If no suitable certificate is found,
	// the connection is rejected.
	DownstreamTlsContext_STRICT_STAPLING DownstreamTlsContext_OcspStaplePolicy = 1
	// OCSP responses are required. Configuration will fail if
	// a certificate is provided without an OCSP response. If a
	// response expires, the associated certificate will not be
	// used for connections. If no suitable certificate is found, the
	// connection is rejected.
	DownstreamTlsContext_MUST_STAPLE DownstreamTlsContext_OcspStaplePolicy = 2
)

func (DownstreamTlsContext_OcspStaplePolicy) Descriptor added in v0.9.7

func (DownstreamTlsContext_OcspStaplePolicy) Enum added in v0.9.7

func (DownstreamTlsContext_OcspStaplePolicy) EnumDescriptor deprecated added in v0.9.7

func (DownstreamTlsContext_OcspStaplePolicy) EnumDescriptor() ([]byte, []int)

Deprecated: Use DownstreamTlsContext_OcspStaplePolicy.Descriptor instead.

func (DownstreamTlsContext_OcspStaplePolicy) Number added in v0.9.7

func (DownstreamTlsContext_OcspStaplePolicy) String added in v0.9.7

func (DownstreamTlsContext_OcspStaplePolicy) Type added in v0.9.7

type DownstreamTlsContext_SessionTicketKeys

// DownstreamTlsContext_SessionTicketKeys is the SessionTicketKeysType oneof wrapper of
// DownstreamTlsContext that carries inline TLS session ticket key settings.
type DownstreamTlsContext_SessionTicketKeys struct {
	// TLS session ticket key settings.
	SessionTicketKeys *TlsSessionTicketKeys `protobuf:"bytes,4,opt,name=session_ticket_keys,json=sessionTicketKeys,proto3,oneof"`
}

type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig

// DownstreamTlsContext_SessionTicketKeysSdsSecretConfig is the SessionTicketKeysType oneof
// wrapper of DownstreamTlsContext that fetches the session ticket keys via SDS.
type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig struct {
	// Config for fetching TLS session ticket keys via SDS API.
	SessionTicketKeysSdsSecretConfig *SdsSecretConfig `protobuf:"bytes,5,opt,name=session_ticket_keys_sds_secret_config,json=sessionTicketKeysSdsSecretConfig,proto3,oneof"`
}

type GenericSecret

// GenericSecret carries a secret of generic type that is made available to filters.
type GenericSecret struct {

	// Secret of generic type that is available to filters.
	// NOTE(review): this is secret material; confirm how the chosen DataSource form is
	// treated by config dumps and logging in the deployment.
	Secret *v3.DataSource `protobuf:"bytes,1,opt,name=secret,proto3" json:"secret,omitempty"`
	// contains filtered or unexported fields
}

func (*GenericSecret) Descriptor deprecated

func (*GenericSecret) Descriptor() ([]byte, []int)

Deprecated: Use GenericSecret.ProtoReflect.Descriptor instead.

func (*GenericSecret) GetSecret

func (x *GenericSecret) GetSecret() *v3.DataSource

func (*GenericSecret) ProtoMessage

func (*GenericSecret) ProtoMessage()

func (*GenericSecret) ProtoReflect added in v0.9.6

func (x *GenericSecret) ProtoReflect() protoreflect.Message

func (*GenericSecret) Reset

func (x *GenericSecret) Reset()

func (*GenericSecret) String

func (x *GenericSecret) String() string

func (*GenericSecret) Validate

func (m *GenericSecret) Validate() error

Validate checks the field values on GenericSecret with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*GenericSecret) ValidateAll added in v0.10.0

func (m *GenericSecret) ValidateAll() error

ValidateAll checks the field values on GenericSecret with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in GenericSecretMultiError, or nil if none found.

type GenericSecretMultiError added in v0.10.0

// GenericSecretMultiError is an error wrapping multiple validation errors returned by
// GenericSecret.ValidateAll() if the designated constraints aren't met.
type GenericSecretMultiError []error

GenericSecretMultiError is an error wrapping multiple validation errors returned by GenericSecret.ValidateAll() if the designated constraints aren't met.

func (GenericSecretMultiError) AllErrors added in v0.10.0

func (m GenericSecretMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (GenericSecretMultiError) Error added in v0.10.0

func (m GenericSecretMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type GenericSecretValidationError

// GenericSecretValidationError is the validation error returned by GenericSecret.Validate
// if the designated constraints aren't met.
type GenericSecretValidationError struct {
	// contains filtered or unexported fields
}

GenericSecretValidationError is the validation error returned by GenericSecret.Validate if the designated constraints aren't met.

func (GenericSecretValidationError) Cause

Cause function returns cause value.

func (GenericSecretValidationError) Error

Error satisfies the builtin error interface

func (GenericSecretValidationError) ErrorName

func (e GenericSecretValidationError) ErrorName() string

ErrorName returns error name.

func (GenericSecretValidationError) Field

Field function returns field value.

func (GenericSecretValidationError) Key

Key function returns key value.

func (GenericSecretValidationError) Reason

Reason function returns reason value.

type PrivateKeyProvider

// PrivateKeyProvider is the BoringSSL private key method configuration. The private key
// methods are used for external (potentially asynchronous) signing and decryption
// operations. Some use cases for private key methods would be TPM support and TLS
// acceleration.
type PrivateKeyProvider struct {

	// Private key method provider name. The name must match a
	// supported private key method provider type.
	ProviderName string `protobuf:"bytes,1,opt,name=provider_name,json=providerName,proto3" json:"provider_name,omitempty"`
	// Private key method provider specific configuration.
	//
	// Types that are assignable to ConfigType:
	//	*PrivateKeyProvider_TypedConfig
	ConfigType isPrivateKeyProvider_ConfigType `protobuf_oneof:"config_type"`
	// contains filtered or unexported fields
}

BoringSSL private key method configuration. The private key methods are used for external (potentially asynchronous) signing and decryption operations. Some use cases for private key methods would be TPM support and TLS acceleration.

func (*PrivateKeyProvider) Descriptor deprecated

func (*PrivateKeyProvider) Descriptor() ([]byte, []int)

Deprecated: Use PrivateKeyProvider.ProtoReflect.Descriptor instead.

func (*PrivateKeyProvider) GetConfigType

func (m *PrivateKeyProvider) GetConfigType() isPrivateKeyProvider_ConfigType

func (*PrivateKeyProvider) GetProviderName

func (x *PrivateKeyProvider) GetProviderName() string

func (*PrivateKeyProvider) GetTypedConfig

func (x *PrivateKeyProvider) GetTypedConfig() *any.Any

func (*PrivateKeyProvider) ProtoMessage

func (*PrivateKeyProvider) ProtoMessage()

func (*PrivateKeyProvider) ProtoReflect added in v0.9.6

func (x *PrivateKeyProvider) ProtoReflect() protoreflect.Message

func (*PrivateKeyProvider) Reset

func (x *PrivateKeyProvider) Reset()

func (*PrivateKeyProvider) String

func (x *PrivateKeyProvider) String() string

func (*PrivateKeyProvider) Validate

func (m *PrivateKeyProvider) Validate() error

Validate checks the field values on PrivateKeyProvider with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*PrivateKeyProvider) ValidateAll added in v0.10.0

func (m *PrivateKeyProvider) ValidateAll() error

ValidateAll checks the field values on PrivateKeyProvider with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in PrivateKeyProviderMultiError, or nil if none found.

type PrivateKeyProviderMultiError added in v0.10.0

// PrivateKeyProviderMultiError is returned by PrivateKeyProvider.ValidateAll
// when one or more constraints are violated; AllErrors exposes the individual
// violations and Error joins their messages.
type PrivateKeyProviderMultiError []error

PrivateKeyProviderMultiError is an error wrapping multiple validation errors returned by PrivateKeyProvider.ValidateAll() if the designated constraints aren't met.

func (PrivateKeyProviderMultiError) AllErrors added in v0.10.0

func (m PrivateKeyProviderMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (PrivateKeyProviderMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type PrivateKeyProviderValidationError

// PrivateKeyProviderValidationError is returned by PrivateKeyProvider.Validate
// for the first constraint violation found; Field, Reason, Cause, Key and
// ErrorName describe that violation.
type PrivateKeyProviderValidationError struct {
	// contains filtered or unexported fields
}

PrivateKeyProviderValidationError is the validation error returned by PrivateKeyProvider.Validate if the designated constraints aren't met.

func (PrivateKeyProviderValidationError) Cause

Cause function returns cause value.

func (PrivateKeyProviderValidationError) Error

Error satisfies the builtin error interface

func (PrivateKeyProviderValidationError) ErrorName

ErrorName returns error name.

func (PrivateKeyProviderValidationError) Field

Field function returns field value.

func (PrivateKeyProviderValidationError) Key

Key function returns key value.

func (PrivateKeyProviderValidationError) Reason

Reason function returns reason value.

type PrivateKeyProvider_TypedConfig

// PrivateKeyProvider_TypedConfig is the oneof wrapper that carries a
// PrivateKeyProvider's provider-specific configuration as a typed Any
// (proto field 3, "typed_config").
type PrivateKeyProvider_TypedConfig struct {
	// TypedConfig holds the provider's own configuration message.
	TypedConfig *any.Any `protobuf:"bytes,3,opt,name=typed_config,json=typedConfig,proto3,oneof"`
}

type SPIFFECertValidatorConfig added in v0.9.9

// SPIFFECertValidatorConfig configures the SPIFFE certificate validator,
// which validates a presented X.509-SVID against the trust bundle of the
// trust domain named in the certificate's URI SAN.
type SPIFFECertValidatorConfig struct {

	// This field specifies trust domains used for validating incoming X.509-SVID(s).
	// Each entry pairs a trust domain name with its own trust bundle. The
	// bundles are isolated from one another: the bundle is chosen from the
	// presented SAN first, so an SVID is only ever checked against the CA of
	// the trust domain it claims to belong to.
	TrustDomains []*SPIFFECertValidatorConfig_TrustDomain `protobuf:"bytes,1,rep,name=trust_domains,json=trustDomains,proto3" json:"trust_domains,omitempty"`
	// contains filtered or unexported fields
}

Configuration specific to the `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.

Example:

.. validated-code-block:: yaml

:type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext

custom_validator_config:
  name: envoy.tls.cert_validator.spiffe
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
    trust_domains:
    - name: foo.com
      trust_bundle:
        filename: "foo.pem"
    - name: envoy.com
      trust_bundle:
        filename: "envoy.pem"

In this example, a presented peer certificate whose SAN matches `spiffe://foo.com/**` is validated against the "foo.pem" X.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint an SVID belonging to another trust domain. That means, in this example, an SVID signed by `envoy.com`'s CA with a `spiffe://foo.com/**` SAN would be rejected, since Envoy selects the trust bundle according to the presented SAN before validating the certificate.

Note that the SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.

- :ref:`allow_expired_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.allow_expired_certificate>` to allow expired certificates.
- :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` to match the **URI** SAN of certificates. Unlike the default validator, the SPIFFE validator only matches the **URI** SAN (which corresponds to the SVID in SPIFFE terminology) and ignores other SAN types.

func (*SPIFFECertValidatorConfig) Descriptor deprecated added in v0.9.9

func (*SPIFFECertValidatorConfig) Descriptor() ([]byte, []int)

Deprecated: Use SPIFFECertValidatorConfig.ProtoReflect.Descriptor instead.

func (*SPIFFECertValidatorConfig) GetTrustDomains added in v0.9.9

func (*SPIFFECertValidatorConfig) ProtoMessage added in v0.9.9

func (*SPIFFECertValidatorConfig) ProtoMessage()

func (*SPIFFECertValidatorConfig) ProtoReflect added in v0.9.9

func (*SPIFFECertValidatorConfig) Reset added in v0.9.9

func (x *SPIFFECertValidatorConfig) Reset()

func (*SPIFFECertValidatorConfig) String added in v0.9.9

func (x *SPIFFECertValidatorConfig) String() string

func (*SPIFFECertValidatorConfig) Validate added in v0.9.9

func (m *SPIFFECertValidatorConfig) Validate() error

Validate checks the field values on SPIFFECertValidatorConfig with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*SPIFFECertValidatorConfig) ValidateAll added in v0.10.0

func (m *SPIFFECertValidatorConfig) ValidateAll() error

ValidateAll checks the field values on SPIFFECertValidatorConfig with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in SPIFFECertValidatorConfigMultiError, or nil if none found.

type SPIFFECertValidatorConfigMultiError added in v0.10.0

// SPIFFECertValidatorConfigMultiError is returned by
// SPIFFECertValidatorConfig.ValidateAll when one or more constraints are
// violated; AllErrors exposes the individual violations and Error joins
// their messages.
type SPIFFECertValidatorConfigMultiError []error

SPIFFECertValidatorConfigMultiError is an error wrapping multiple validation errors returned by SPIFFECertValidatorConfig.ValidateAll() if the designated constraints aren't met.

func (SPIFFECertValidatorConfigMultiError) AllErrors added in v0.10.0

AllErrors returns a list of validation violation errors.

func (SPIFFECertValidatorConfigMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type SPIFFECertValidatorConfigValidationError added in v0.9.9

// SPIFFECertValidatorConfigValidationError is returned by
// SPIFFECertValidatorConfig.Validate for the first constraint violation
// found; Field, Reason, Cause, Key and ErrorName describe that violation.
type SPIFFECertValidatorConfigValidationError struct {
	// contains filtered or unexported fields
}

SPIFFECertValidatorConfigValidationError is the validation error returned by SPIFFECertValidatorConfig.Validate if the designated constraints aren't met.

func (SPIFFECertValidatorConfigValidationError) Cause added in v0.9.9

Cause function returns cause value.

func (SPIFFECertValidatorConfigValidationError) Error added in v0.9.9

Error satisfies the builtin error interface

func (SPIFFECertValidatorConfigValidationError) ErrorName added in v0.9.9

ErrorName returns error name.

func (SPIFFECertValidatorConfigValidationError) Field added in v0.9.9

Field function returns field value.

func (SPIFFECertValidatorConfigValidationError) Key added in v0.9.9

Key function returns key value.

func (SPIFFECertValidatorConfigValidationError) Reason added in v0.9.9

Reason function returns reason value.

type SPIFFECertValidatorConfig_TrustDomain added in v0.9.9

// SPIFFECertValidatorConfig_TrustDomain binds one SPIFFE trust domain to the
// trust bundle used to validate SVIDs issued within that domain.
type SPIFFECertValidatorConfig_TrustDomain struct {

	// Name of the trust domain, `example.com`, `foo.bar.gov` for example.
	// Note that this must *not* have "spiffe://" prefix.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Specify a data source holding the X.509 trust bundle used for validating incoming SVID(s) in this trust domain.
	// Only SVIDs whose URI SAN names this trust domain are checked against
	// this bundle; it is never consulted for another domain's SVIDs.
	TrustBundle *v3.DataSource `protobuf:"bytes,2,opt,name=trust_bundle,json=trustBundle,proto3" json:"trust_bundle,omitempty"`
	// contains filtered or unexported fields
}

func (*SPIFFECertValidatorConfig_TrustDomain) Descriptor deprecated added in v0.9.9

func (*SPIFFECertValidatorConfig_TrustDomain) Descriptor() ([]byte, []int)

Deprecated: Use SPIFFECertValidatorConfig_TrustDomain.ProtoReflect.Descriptor instead.

func (*SPIFFECertValidatorConfig_TrustDomain) GetName added in v0.9.9

func (*SPIFFECertValidatorConfig_TrustDomain) GetTrustBundle added in v0.9.9

func (*SPIFFECertValidatorConfig_TrustDomain) ProtoMessage added in v0.9.9

func (*SPIFFECertValidatorConfig_TrustDomain) ProtoMessage()

func (*SPIFFECertValidatorConfig_TrustDomain) ProtoReflect added in v0.9.9

func (*SPIFFECertValidatorConfig_TrustDomain) Reset added in v0.9.9

func (*SPIFFECertValidatorConfig_TrustDomain) String added in v0.9.9

func (*SPIFFECertValidatorConfig_TrustDomain) Validate added in v0.9.9

Validate checks the field values on SPIFFECertValidatorConfig_TrustDomain with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*SPIFFECertValidatorConfig_TrustDomain) ValidateAll added in v0.10.0

ValidateAll checks the field values on SPIFFECertValidatorConfig_TrustDomain with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in SPIFFECertValidatorConfig_TrustDomainMultiError, or nil if none found.

type SPIFFECertValidatorConfig_TrustDomainMultiError added in v0.10.0

// SPIFFECertValidatorConfig_TrustDomainMultiError is returned by
// SPIFFECertValidatorConfig_TrustDomain.ValidateAll when one or more
// constraints are violated; AllErrors exposes the individual violations and
// Error joins their messages.
type SPIFFECertValidatorConfig_TrustDomainMultiError []error

SPIFFECertValidatorConfig_TrustDomainMultiError is an error wrapping multiple validation errors returned by SPIFFECertValidatorConfig_TrustDomain.ValidateAll() if the designated constraints aren't met.

func (SPIFFECertValidatorConfig_TrustDomainMultiError) AllErrors added in v0.10.0

AllErrors returns a list of validation violation errors.

func (SPIFFECertValidatorConfig_TrustDomainMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type SPIFFECertValidatorConfig_TrustDomainValidationError added in v0.9.9

// SPIFFECertValidatorConfig_TrustDomainValidationError is returned by
// SPIFFECertValidatorConfig_TrustDomain.Validate for the first constraint
// violation found; Field, Reason, Cause, Key and ErrorName describe it.
type SPIFFECertValidatorConfig_TrustDomainValidationError struct {
	// contains filtered or unexported fields
}

SPIFFECertValidatorConfig_TrustDomainValidationError is the validation error returned by SPIFFECertValidatorConfig_TrustDomain.Validate if the designated constraints aren't met.

func (SPIFFECertValidatorConfig_TrustDomainValidationError) Cause added in v0.9.9

Cause function returns cause value.

func (SPIFFECertValidatorConfig_TrustDomainValidationError) Error added in v0.9.9

Error satisfies the builtin error interface

func (SPIFFECertValidatorConfig_TrustDomainValidationError) ErrorName added in v0.9.9

ErrorName returns error name.

func (SPIFFECertValidatorConfig_TrustDomainValidationError) Field added in v0.9.9

Field function returns field value.

func (SPIFFECertValidatorConfig_TrustDomainValidationError) Key added in v0.9.9

Key function returns key value.

func (SPIFFECertValidatorConfig_TrustDomainValidationError) Reason added in v0.9.9

Reason function returns reason value.

type SdsSecretConfig

// SdsSecretConfig references a secret either statically, by name only, or
// dynamically through the Secret Discovery Service (SDS) when a config
// source is also given.
type SdsSecretConfig struct {

	// Name by which the secret can be uniquely referred to. When both name and config are specified,
	// then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret
	// will be loaded from static resources.
	Name      string           `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Configuration source used to fetch (and reload) the secret named by
	// Name via SDS. Leave unset to resolve Name against static resources.
	SdsConfig *v3.ConfigSource `protobuf:"bytes,2,opt,name=sds_config,json=sdsConfig,proto3" json:"sds_config,omitempty"`
	// contains filtered or unexported fields
}

func (*SdsSecretConfig) Descriptor deprecated

func (*SdsSecretConfig) Descriptor() ([]byte, []int)

Deprecated: Use SdsSecretConfig.ProtoReflect.Descriptor instead.

func (*SdsSecretConfig) GetName

func (x *SdsSecretConfig) GetName() string

func (*SdsSecretConfig) GetSdsConfig

func (x *SdsSecretConfig) GetSdsConfig() *v3.ConfigSource

func (*SdsSecretConfig) ProtoMessage

func (*SdsSecretConfig) ProtoMessage()

func (*SdsSecretConfig) ProtoReflect added in v0.9.6

func (x *SdsSecretConfig) ProtoReflect() protoreflect.Message

func (*SdsSecretConfig) Reset

func (x *SdsSecretConfig) Reset()

func (*SdsSecretConfig) String

func (x *SdsSecretConfig) String() string

func (*SdsSecretConfig) Validate

func (m *SdsSecretConfig) Validate() error

Validate checks the field values on SdsSecretConfig with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*SdsSecretConfig) ValidateAll added in v0.10.0

func (m *SdsSecretConfig) ValidateAll() error

ValidateAll checks the field values on SdsSecretConfig with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in SdsSecretConfigMultiError, or nil if none found.

type SdsSecretConfigMultiError added in v0.10.0

// SdsSecretConfigMultiError is returned by SdsSecretConfig.ValidateAll when
// one or more constraints are violated; AllErrors exposes the individual
// violations and Error joins their messages.
type SdsSecretConfigMultiError []error

SdsSecretConfigMultiError is an error wrapping multiple validation errors returned by SdsSecretConfig.ValidateAll() if the designated constraints aren't met.

func (SdsSecretConfigMultiError) AllErrors added in v0.10.0

func (m SdsSecretConfigMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (SdsSecretConfigMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type SdsSecretConfigValidationError

// SdsSecretConfigValidationError is returned by SdsSecretConfig.Validate for
// the first constraint violation found; Field, Reason, Cause, Key and
// ErrorName describe that violation.
type SdsSecretConfigValidationError struct {
	// contains filtered or unexported fields
}

SdsSecretConfigValidationError is the validation error returned by SdsSecretConfig.Validate if the designated constraints aren't met.

func (SdsSecretConfigValidationError) Cause

Cause function returns cause value.

func (SdsSecretConfigValidationError) Error

Error satisfies the builtin error interface

func (SdsSecretConfigValidationError) ErrorName

func (e SdsSecretConfigValidationError) ErrorName() string

ErrorName returns error name.

func (SdsSecretConfigValidationError) Field

Field function returns field value.

func (SdsSecretConfigValidationError) Key

Key function returns key value.

func (SdsSecretConfigValidationError) Reason

Reason function returns reason value.

type Secret

// Secret is a named secret resource. Its Type oneof carries exactly one
// payload: a TLS certificate and key, session ticket keys, a certificate
// validation context, or a generic secret. Field numbers 2-5 are taken by
// those payloads (see the Secret_* wrappers); the next free field is 6.
//
// [#next-free-field: 6]
type Secret struct {

	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	// This is the key an SdsSecretConfig uses to look the secret up.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Types that are assignable to Type:
	//	*Secret_TlsCertificate
	//	*Secret_SessionTicketKeys
	//	*Secret_ValidationContext
	//	*Secret_GenericSecret
	Type isSecret_Type `protobuf_oneof:"type"`
	// contains filtered or unexported fields
}

[#next-free-field: 6]

func (*Secret) Descriptor deprecated

func (*Secret) Descriptor() ([]byte, []int)

Deprecated: Use Secret.ProtoReflect.Descriptor instead.

func (*Secret) GetGenericSecret

func (x *Secret) GetGenericSecret() *GenericSecret

func (*Secret) GetName

func (x *Secret) GetName() string

func (*Secret) GetSessionTicketKeys

func (x *Secret) GetSessionTicketKeys() *TlsSessionTicketKeys

func (*Secret) GetTlsCertificate

func (x *Secret) GetTlsCertificate() *TlsCertificate

func (*Secret) GetType

func (m *Secret) GetType() isSecret_Type

func (*Secret) GetValidationContext

func (x *Secret) GetValidationContext() *CertificateValidationContext

func (*Secret) ProtoMessage

func (*Secret) ProtoMessage()

func (*Secret) ProtoReflect added in v0.9.6

func (x *Secret) ProtoReflect() protoreflect.Message

func (*Secret) Reset

func (x *Secret) Reset()

func (*Secret) String

func (x *Secret) String() string

func (*Secret) Validate

func (m *Secret) Validate() error

Validate checks the field values on Secret with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*Secret) ValidateAll added in v0.10.0

func (m *Secret) ValidateAll() error

ValidateAll checks the field values on Secret with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in SecretMultiError, or nil if none found.

type SecretMultiError added in v0.10.0

// SecretMultiError is returned by Secret.ValidateAll when one or more
// constraints are violated; AllErrors exposes the individual violations and
// Error joins their messages.
type SecretMultiError []error

SecretMultiError is an error wrapping multiple validation errors returned by Secret.ValidateAll() if the designated constraints aren't met.

func (SecretMultiError) AllErrors added in v0.10.0

func (m SecretMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (SecretMultiError) Error added in v0.10.0

func (m SecretMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type SecretValidationError

// SecretValidationError is returned by Secret.Validate for the first
// constraint violation found; Field, Reason, Cause, Key and ErrorName
// describe that violation.
type SecretValidationError struct {
	// contains filtered or unexported fields
}

SecretValidationError is the validation error returned by Secret.Validate if the designated constraints aren't met.

func (SecretValidationError) Cause

func (e SecretValidationError) Cause() error

Cause function returns cause value.

func (SecretValidationError) Error

func (e SecretValidationError) Error() string

Error satisfies the builtin error interface

func (SecretValidationError) ErrorName

func (e SecretValidationError) ErrorName() string

ErrorName returns error name.

func (SecretValidationError) Field

func (e SecretValidationError) Field() string

Field function returns field value.

func (SecretValidationError) Key

func (e SecretValidationError) Key() bool

Key function returns key value.

func (SecretValidationError) Reason

func (e SecretValidationError) Reason() string

Reason function returns reason value.

type Secret_GenericSecret

// Secret_GenericSecret is the Secret.Type oneof wrapper for an opaque
// generic secret (proto field 5, "generic_secret").
type Secret_GenericSecret struct {
	GenericSecret *GenericSecret `protobuf:"bytes,5,opt,name=generic_secret,json=genericSecret,proto3,oneof"`
}

type Secret_SessionTicketKeys

// Secret_SessionTicketKeys is the Secret.Type oneof wrapper for TLS session
// ticket keys (proto field 3, "session_ticket_keys").
type Secret_SessionTicketKeys struct {
	SessionTicketKeys *TlsSessionTicketKeys `protobuf:"bytes,3,opt,name=session_ticket_keys,json=sessionTicketKeys,proto3,oneof"`
}

type Secret_TlsCertificate

// Secret_TlsCertificate is the Secret.Type oneof wrapper for a certificate
// chain plus private key (proto field 2, "tls_certificate").
type Secret_TlsCertificate struct {
	TlsCertificate *TlsCertificate `protobuf:"bytes,2,opt,name=tls_certificate,json=tlsCertificate,proto3,oneof"`
}

type Secret_ValidationContext

// Secret_ValidationContext is the Secret.Type oneof wrapper for a peer
// certificate validation context (proto field 4, "validation_context").
type Secret_ValidationContext struct {
	ValidationContext *CertificateValidationContext `protobuf:"bytes,4,opt,name=validation_context,json=validationContext,proto3,oneof"`
}

type SubjectAltNameMatcher added in v0.10.2

// SubjectAltNameMatcher matches a certificate's subject alternative names on
// both SAN type and value, so a value pattern is only applied to SANs of the
// selected type.
type SubjectAltNameMatcher struct {

	// Specification of type of SAN. Note that the default enum value is an invalid choice:
	// the zero value SAN_TYPE_UNSPECIFIED is not a usable type, so set one of
	// EMAIL, DNS, URI or IP_ADDRESS explicitly.
	SanType SubjectAltNameMatcher_SanType `` /* 160-byte string literal not displayed */
	// Matcher for SAN value.
	Matcher *v31.StringMatcher `protobuf:"bytes,2,opt,name=matcher,proto3" json:"matcher,omitempty"`
	// contains filtered or unexported fields
}

Matcher for subject alternative names, matching both the type and the value of the SAN.

func (*SubjectAltNameMatcher) Descriptor deprecated added in v0.10.2

func (*SubjectAltNameMatcher) Descriptor() ([]byte, []int)

Deprecated: Use SubjectAltNameMatcher.ProtoReflect.Descriptor instead.

func (*SubjectAltNameMatcher) GetMatcher added in v0.10.2

func (x *SubjectAltNameMatcher) GetMatcher() *v31.StringMatcher

func (*SubjectAltNameMatcher) GetSanType added in v0.10.2

func (*SubjectAltNameMatcher) ProtoMessage added in v0.10.2

func (*SubjectAltNameMatcher) ProtoMessage()

func (*SubjectAltNameMatcher) ProtoReflect added in v0.10.2

func (x *SubjectAltNameMatcher) ProtoReflect() protoreflect.Message

func (*SubjectAltNameMatcher) Reset added in v0.10.2

func (x *SubjectAltNameMatcher) Reset()

func (*SubjectAltNameMatcher) String added in v0.10.2

func (x *SubjectAltNameMatcher) String() string

func (*SubjectAltNameMatcher) Validate added in v0.10.2

func (m *SubjectAltNameMatcher) Validate() error

Validate checks the field values on SubjectAltNameMatcher with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*SubjectAltNameMatcher) ValidateAll added in v0.10.2

func (m *SubjectAltNameMatcher) ValidateAll() error

ValidateAll checks the field values on SubjectAltNameMatcher with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in SubjectAltNameMatcherMultiError, or nil if none found.

type SubjectAltNameMatcherMultiError added in v0.10.2

// SubjectAltNameMatcherMultiError is returned by
// SubjectAltNameMatcher.ValidateAll when one or more constraints are
// violated; AllErrors exposes the individual violations and Error joins
// their messages.
type SubjectAltNameMatcherMultiError []error

SubjectAltNameMatcherMultiError is an error wrapping multiple validation errors returned by SubjectAltNameMatcher.ValidateAll() if the designated constraints aren't met.

func (SubjectAltNameMatcherMultiError) AllErrors added in v0.10.2

func (m SubjectAltNameMatcherMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (SubjectAltNameMatcherMultiError) Error added in v0.10.2

Error returns a concatenation of all the error messages it wraps.

type SubjectAltNameMatcherValidationError added in v0.10.2

// SubjectAltNameMatcherValidationError is returned by
// SubjectAltNameMatcher.Validate for the first constraint violation found;
// Field, Reason, Cause, Key and ErrorName describe that violation.
type SubjectAltNameMatcherValidationError struct {
	// contains filtered or unexported fields
}

SubjectAltNameMatcherValidationError is the validation error returned by SubjectAltNameMatcher.Validate if the designated constraints aren't met.

func (SubjectAltNameMatcherValidationError) Cause added in v0.10.2

Cause function returns cause value.

func (SubjectAltNameMatcherValidationError) Error added in v0.10.2

Error satisfies the builtin error interface

func (SubjectAltNameMatcherValidationError) ErrorName added in v0.10.2

ErrorName returns error name.

func (SubjectAltNameMatcherValidationError) Field added in v0.10.2

Field function returns field value.

func (SubjectAltNameMatcherValidationError) Key added in v0.10.2

Key function returns key value.

func (SubjectAltNameMatcherValidationError) Reason added in v0.10.2

Reason function returns reason value.

type SubjectAltNameMatcher_SanType added in v0.10.2

// SubjectAltNameMatcher_SanType selects which kind of GeneralName a
// SubjectAltNameMatcher inspects; the valid values are the
// SubjectAltNameMatcher_* constants, of which the zero value
// (SAN_TYPE_UNSPECIFIED) is not a valid choice.
type SubjectAltNameMatcher_SanType int32

Indicates the choice of GeneralName as defined in section 4.2.1.5 of RFC 5280 to match against.

// Values of SubjectAltNameMatcher_SanType. The numbering is fixed by the
// proto enum, so the sequence must stay contiguous from 0; the zero value
// SAN_TYPE_UNSPECIFIED is not a valid choice for a matcher.
const (
	SubjectAltNameMatcher_SAN_TYPE_UNSPECIFIED SubjectAltNameMatcher_SanType = iota // 0
	SubjectAltNameMatcher_EMAIL                                                      // 1
	SubjectAltNameMatcher_DNS                                                        // 2
	SubjectAltNameMatcher_URI                                                        // 3
	SubjectAltNameMatcher_IP_ADDRESS                                                 // 4
)

func (SubjectAltNameMatcher_SanType) Descriptor added in v0.10.2

func (SubjectAltNameMatcher_SanType) Enum added in v0.10.2

func (SubjectAltNameMatcher_SanType) EnumDescriptor deprecated added in v0.10.2

func (SubjectAltNameMatcher_SanType) EnumDescriptor() ([]byte, []int)

Deprecated: Use SubjectAltNameMatcher_SanType.Descriptor instead.

func (SubjectAltNameMatcher_SanType) Number added in v0.10.2

func (SubjectAltNameMatcher_SanType) String added in v0.10.2

func (SubjectAltNameMatcher_SanType) Type added in v0.10.2

type TlsCertificate

// TlsCertificate carries a certificate chain together with the material
// needed to use its private key: the key itself (private_key), a
// private_key_provider that performs the key operations externally, or a
// pkcs12 bundle holding chain and key. At most one of those three key
// sources may be set; the rejected combinations are spelled out on the
// fields below.
//
// [#next-free-field: 9]
type TlsCertificate struct {

	// The TLS certificate chain.
	//
	// If *certificate_chain* is a filesystem path, a watch will be added to the
	// parent directory for any file moves to support rotation. This currently
	// only applies to dynamic secrets, when the *TlsCertificate* is delivered via
	// SDS.
	CertificateChain *v3.DataSource `protobuf:"bytes,1,opt,name=certificate_chain,json=certificateChain,proto3" json:"certificate_chain,omitempty"`
	// The TLS private key.
	//
	// If *private_key* is a filesystem path, a watch will be added to the parent
	// directory for any file moves to support rotation. This currently only
	// applies to dynamic secrets, when the *TlsCertificate* is delivered via SDS.
	PrivateKey *v3.DataSource `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
	// `Pkcs12` data containing TLS certificate, chain, and private key.
	//
	// If *pkcs12* is a filesystem path, the file will be read, but no watch will
	// be added to the parent directory, since *pkcs12* isn't used by SDS.
	// This field is mutually exclusive with *certificate_chain*, *private_key* and *private_key_provider*.
	// This can't be marked as `oneof` due to API compatibility reasons. Setting
	// both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`,
	// :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`,
	// or :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>`
	// and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>`
	// fields will result in an error. Use :ref:`password
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>`
	// to specify the password to unprotect the `PKCS12` data, if necessary.
	Pkcs12 *v3.DataSource `protobuf:"bytes,8,opt,name=pkcs12,proto3" json:"pkcs12,omitempty"`
	// If specified, updates of file-based *certificate_chain* and *private_key*
	// sources will be triggered by this watch. The certificate/key pair will be
	// read together and validated for atomic read consistency (i.e. no
	// intervening modification occurred between cert/key read, verified by file
	// hash comparisons). This allows explicit control over the path watched, by
	// default the parent directories of the filesystem paths in
	// *certificate_chain* and *private_key* are watched if this field is not
	// specified. This only applies when a *TlsCertificate* is delivered by SDS
	// with references to filesystem paths. See the :ref:`SDS key rotation
	// <sds_key_rotation>` documentation for further details.
	WatchedDirectory *v3.WatchedDirectory `protobuf:"bytes,7,opt,name=watched_directory,json=watchedDirectory,proto3" json:"watched_directory,omitempty"`
	// BoringSSL private key method provider. This is an alternative to :ref:`private_key
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
	// marked as `oneof` due to API compatibility reasons. Setting both :ref:`private_key
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
	// :ref:`private_key_provider
	// <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
	// error.
	PrivateKeyProvider *PrivateKeyProvider `protobuf:"bytes,6,opt,name=private_key_provider,json=privateKeyProvider,proto3" json:"private_key_provider,omitempty"`
	// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
	// TLS private key is not password encrypted.
	// NOTE(review): the password is itself secret material and deserves the
	// same handling as *private_key* wherever this message is stored or logged.
	Password *v3.DataSource `protobuf:"bytes,3,opt,name=password,proto3" json:"password,omitempty"`
	// The OCSP response to be stapled with this certificate during the handshake.
	// The response must be DER-encoded and may only be provided via `filename` or
	// `inline_bytes`. The response may pertain to only one certificate.
	OcspStaple *v3.DataSource `protobuf:"bytes,4,opt,name=ocsp_staple,json=ocspStaple,proto3" json:"ocsp_staple,omitempty"`
	// [#not-implemented-hide:]
	// Not implemented: the field is hidden from the generated docs and
	// setting it has no documented effect.
	SignedCertificateTimestamp []*v3.DataSource `` /* 141-byte string literal not displayed */
	// contains filtered or unexported fields
}

[#next-free-field: 9]

func (*TlsCertificate) Descriptor deprecated

func (*TlsCertificate) Descriptor() ([]byte, []int)

Deprecated: Use TlsCertificate.ProtoReflect.Descriptor instead.

func (*TlsCertificate) GetCertificateChain

func (x *TlsCertificate) GetCertificateChain() *v3.DataSource

func (*TlsCertificate) GetOcspStaple

func (x *TlsCertificate) GetOcspStaple() *v3.DataSource

func (*TlsCertificate) GetPassword

func (x *TlsCertificate) GetPassword() *v3.DataSource

func (*TlsCertificate) GetPkcs12 added in v0.10.1

func (x *TlsCertificate) GetPkcs12() *v3.DataSource

func (*TlsCertificate) GetPrivateKey

func (x *TlsCertificate) GetPrivateKey() *v3.DataSource

func (*TlsCertificate) GetPrivateKeyProvider

func (x *TlsCertificate) GetPrivateKeyProvider() *PrivateKeyProvider

func (*TlsCertificate) GetSignedCertificateTimestamp

func (x *TlsCertificate) GetSignedCertificateTimestamp() []*v3.DataSource

func (*TlsCertificate) GetWatchedDirectory added in v0.9.8

func (x *TlsCertificate) GetWatchedDirectory() *v3.WatchedDirectory

func (*TlsCertificate) ProtoMessage

func (*TlsCertificate) ProtoMessage()

func (*TlsCertificate) ProtoReflect added in v0.9.6

func (x *TlsCertificate) ProtoReflect() protoreflect.Message

func (*TlsCertificate) Reset

func (x *TlsCertificate) Reset()

func (*TlsCertificate) String

func (x *TlsCertificate) String() string

func (*TlsCertificate) Validate

func (m *TlsCertificate) Validate() error

Validate checks the field values on TlsCertificate with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*TlsCertificate) ValidateAll added in v0.10.0

func (m *TlsCertificate) ValidateAll() error

ValidateAll checks the field values on TlsCertificate with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in TlsCertificateMultiError, or nil if none found.

type TlsCertificateMultiError added in v0.10.0

// TlsCertificateMultiError is returned by TlsCertificate.ValidateAll when
// one or more constraints are violated; AllErrors exposes the individual
// violations and Error joins their messages.
type TlsCertificateMultiError []error

TlsCertificateMultiError is an error wrapping multiple validation errors returned by TlsCertificate.ValidateAll() if the designated constraints aren't met.

func (TlsCertificateMultiError) AllErrors added in v0.10.0

func (m TlsCertificateMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (TlsCertificateMultiError) Error added in v0.10.0

func (m TlsCertificateMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type TlsCertificateValidationError

// TlsCertificateValidationError is returned by TlsCertificate.Validate for
// the first constraint violation found; Field, Reason, Cause, Key and
// ErrorName describe that violation.
type TlsCertificateValidationError struct {
	// contains filtered or unexported fields
}

TlsCertificateValidationError is the validation error returned by TlsCertificate.Validate if the designated constraints aren't met.

func (TlsCertificateValidationError) Cause

Cause function returns cause value.

func (TlsCertificateValidationError) Error

Error satisfies the builtin error interface

func (TlsCertificateValidationError) ErrorName

func (e TlsCertificateValidationError) ErrorName() string

ErrorName returns error name.

func (TlsCertificateValidationError) Field

Field function returns field value.

func (TlsCertificateValidationError) Key

Key function returns key value.

func (TlsCertificateValidationError) Reason

Reason function returns reason value.

type TlsKeyLog added in v0.10.2

// TlsKeyLog configures writing of TLS session secrets to a key log file in
// the NSS SSLKEYLOGFILE format, optionally limited to connections whose
// local and/or remote address falls within the configured CIDR ranges.
//
// NOTE(review): a key log holds the secrets needed to decrypt the recorded
// connections' traffic, so treat it as a debugging aid: restrict the file's
// permissions, scope it with the address filters, and do not leave it
// enabled in production.
type TlsKeyLog struct {

	// The path to save the TLS key log.
	Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"`
	// The local IP address that will be used to filter the connection which should save the TLS key log.
	// If it is not set, any local IP address will be matched.
	// NOTE(review): the message allows several ranges; how they combine is not
	// specified here - presumably a connection matches if its local address
	// falls in any of them, confirm against the implementation.
	LocalAddressRange []*v3.CidrRange `protobuf:"bytes,2,rep,name=local_address_range,json=localAddressRange,proto3" json:"local_address_range,omitempty"`
	// The remote IP address that will be used to filter the connection which should save the TLS key log.
	// If it is not set, any remote IP address will be matched. The same
	// caveat about multiple ranges as for LocalAddressRange applies.
	RemoteAddressRange []*v3.CidrRange `protobuf:"bytes,3,rep,name=remote_address_range,json=remoteAddressRange,proto3" json:"remote_address_range,omitempty"`
	// contains filtered or unexported fields
}

TLS key log configuration. The key log file format is the "format used by NSS for its SSLKEYLOGFILE debugging output" (text taken from the OpenSSL man page).

func (*TlsKeyLog) Descriptor deprecated added in v0.10.2

func (*TlsKeyLog) Descriptor() ([]byte, []int)

Deprecated: Use TlsKeyLog.ProtoReflect.Descriptor instead.

func (*TlsKeyLog) GetLocalAddressRange added in v0.10.2

func (x *TlsKeyLog) GetLocalAddressRange() []*v3.CidrRange

func (*TlsKeyLog) GetPath added in v0.10.2

func (x *TlsKeyLog) GetPath() string

func (*TlsKeyLog) GetRemoteAddressRange added in v0.10.2

func (x *TlsKeyLog) GetRemoteAddressRange() []*v3.CidrRange

func (*TlsKeyLog) ProtoMessage added in v0.10.2

func (*TlsKeyLog) ProtoMessage()

func (*TlsKeyLog) ProtoReflect added in v0.10.2

func (x *TlsKeyLog) ProtoReflect() protoreflect.Message

func (*TlsKeyLog) Reset added in v0.10.2

func (x *TlsKeyLog) Reset()

func (*TlsKeyLog) String added in v0.10.2

func (x *TlsKeyLog) String() string

func (*TlsKeyLog) Validate added in v0.10.2

func (m *TlsKeyLog) Validate() error

Validate checks the field values on TlsKeyLog with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*TlsKeyLog) ValidateAll added in v0.10.2

func (m *TlsKeyLog) ValidateAll() error

ValidateAll checks the field values on TlsKeyLog with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in TlsKeyLogMultiError, or nil if none found.

type TlsKeyLogMultiError added in v0.10.2

// TlsKeyLogMultiError is an error wrapping multiple validation errors
// returned by TlsKeyLog.ValidateAll() if the designated constraints aren't
// met; AllErrors exposes the wrapped list.
type TlsKeyLogMultiError []error

TlsKeyLogMultiError is an error wrapping multiple validation errors returned by TlsKeyLog.ValidateAll() if the designated constraints aren't met.

func (TlsKeyLogMultiError) AllErrors added in v0.10.2

func (m TlsKeyLogMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (TlsKeyLogMultiError) Error added in v0.10.2

func (m TlsKeyLogMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type TlsKeyLogValidationError added in v0.10.2

// TlsKeyLogValidationError is the validation error returned by
// TlsKeyLog.Validate if the designated constraints aren't met.
// Field, Reason, Key and Cause describe the violation; ErrorName returns
// the error's name.
type TlsKeyLogValidationError struct {
	// contains filtered or unexported fields
}

TlsKeyLogValidationError is the validation error returned by TlsKeyLog.Validate if the designated constraints aren't met.

func (TlsKeyLogValidationError) Cause added in v0.10.2

func (e TlsKeyLogValidationError) Cause() error

Cause function returns cause value.

func (TlsKeyLogValidationError) Error added in v0.10.2

func (e TlsKeyLogValidationError) Error() string

Error satisfies the builtin error interface.

func (TlsKeyLogValidationError) ErrorName added in v0.10.2

func (e TlsKeyLogValidationError) ErrorName() string

ErrorName returns error name.

func (TlsKeyLogValidationError) Field added in v0.10.2

func (e TlsKeyLogValidationError) Field() string

Field function returns field value.

func (TlsKeyLogValidationError) Key added in v0.10.2

Key function returns key value.

func (TlsKeyLogValidationError) Reason added in v0.10.2

func (e TlsKeyLogValidationError) Reason() string

Reason function returns reason value.

type TlsParameters

// TlsParameters holds the protocol-version, cipher-suite and ECDH-curve
// settings applied to a TLS context. Unset fields fall back to the defaults
// described on each field.
//
// NOTE(review): the documented default minimum is TLSv1_2. Lowering
// TlsMinimumProtocolVersion to TLSv1_0 or TLSv1_1 re-enables protocol
// versions that RFC 8996 deprecates; a configuration that does so should
// carry an explicit justification.
type TlsParameters struct {

	// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers.
	TlsMinimumProtocolVersion TlsParameters_TlsProtocol `` /* 214-byte string literal not displayed */
	// Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for
	// servers.
	TlsMaximumProtocolVersion TlsParameters_TlsProtocol `` /* 214-byte string literal not displayed */
	// If specified, the TLS listener will only support the specified `cipher list
	// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
	// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3).
	//
	// If not specified, a default list will be used. Defaults are different for server (downstream) and
	// client (upstream) TLS configurations.
	// Defaults will change over time in response to security considerations; if you care, configure
	// it instead of using the default.
	//
	// In non-FIPS builds, the default server cipher list is:
	//
	// .. code-block:: none
	//
	//   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//   ECDHE-ECDSA-AES256-GCM-SHA384
	//   ECDHE-RSA-AES256-GCM-SHA384
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default server cipher list is:
	//
	// .. code-block:: none
	//
	//   ECDHE-ECDSA-AES128-GCM-SHA256
	//   ECDHE-RSA-AES128-GCM-SHA256
	//   ECDHE-ECDSA-AES256-GCM-SHA384
	//   ECDHE-RSA-AES256-GCM-SHA384
	//
	// In non-FIPS builds, the default client cipher list is:
	//
	// .. code-block:: none
	//
	//   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//   ECDHE-ECDSA-AES256-GCM-SHA384
	//   ECDHE-RSA-AES256-GCM-SHA384
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default client cipher list is:
	//
	// .. code-block:: none
	//
	//   ECDHE-ECDSA-AES128-GCM-SHA256
	//   ECDHE-RSA-AES128-GCM-SHA256
	//   ECDHE-ECDSA-AES256-GCM-SHA384
	//   ECDHE-RSA-AES256-GCM-SHA384
	//
	// NOTE(review): the cipher string is passed through to the TLS library; how an
	// unrecognized name is treated (ignored vs. rejected at load) is not visible
	// here, so verify with Validate/ValidateAll and the listener's error handling.
	CipherSuites []string `protobuf:"bytes,3,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
	// If specified, the TLS connection will only support the specified ECDH
	// curves. If not specified, the default curves will be used.
	//
	// In non-FIPS builds, the default curves are:
	//
	// .. code-block:: none
	//
	//   X25519
	//   P-256
	//
	// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
	//
	// .. code-block:: none
	//
	//   P-256
	EcdhCurves []string `protobuf:"bytes,4,rep,name=ecdh_curves,json=ecdhCurves,proto3" json:"ecdh_curves,omitempty"`
	// contains filtered or unexported fields
}

func (*TlsParameters) Descriptor deprecated

func (*TlsParameters) Descriptor() ([]byte, []int)

Deprecated: Use TlsParameters.ProtoReflect.Descriptor instead.

func (*TlsParameters) GetCipherSuites

func (x *TlsParameters) GetCipherSuites() []string

func (*TlsParameters) GetEcdhCurves

func (x *TlsParameters) GetEcdhCurves() []string

func (*TlsParameters) GetTlsMaximumProtocolVersion

func (x *TlsParameters) GetTlsMaximumProtocolVersion() TlsParameters_TlsProtocol

func (*TlsParameters) GetTlsMinimumProtocolVersion

func (x *TlsParameters) GetTlsMinimumProtocolVersion() TlsParameters_TlsProtocol

func (*TlsParameters) ProtoMessage

func (*TlsParameters) ProtoMessage()

func (*TlsParameters) ProtoReflect added in v0.9.6

func (x *TlsParameters) ProtoReflect() protoreflect.Message

func (*TlsParameters) Reset

func (x *TlsParameters) Reset()

func (*TlsParameters) String

func (x *TlsParameters) String() string

func (*TlsParameters) Validate

func (m *TlsParameters) Validate() error

Validate checks the field values on TlsParameters with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*TlsParameters) ValidateAll added in v0.10.0

func (m *TlsParameters) ValidateAll() error

ValidateAll checks the field values on TlsParameters with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in TlsParametersMultiError, or nil if none found.

type TlsParametersMultiError added in v0.10.0

// TlsParametersMultiError is an error wrapping multiple validation errors
// returned by TlsParameters.ValidateAll() if the designated constraints
// aren't met; AllErrors exposes the wrapped list.
type TlsParametersMultiError []error

TlsParametersMultiError is an error wrapping multiple validation errors returned by TlsParameters.ValidateAll() if the designated constraints aren't met.

func (TlsParametersMultiError) AllErrors added in v0.10.0

func (m TlsParametersMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (TlsParametersMultiError) Error added in v0.10.0

func (m TlsParametersMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type TlsParametersValidationError

// TlsParametersValidationError is the validation error returned by
// TlsParameters.Validate if the designated constraints aren't met.
// Field, Reason, Key and Cause describe the violation; ErrorName returns
// the error's name.
type TlsParametersValidationError struct {
	// contains filtered or unexported fields
}

TlsParametersValidationError is the validation error returned by TlsParameters.Validate if the designated constraints aren't met.

func (TlsParametersValidationError) Cause

Cause function returns cause value.

func (TlsParametersValidationError) Error

Error satisfies the builtin error interface.

func (TlsParametersValidationError) ErrorName

func (e TlsParametersValidationError) ErrorName() string

ErrorName returns error name.

func (TlsParametersValidationError) Field

Field function returns field value.

func (TlsParametersValidationError) Key

Key function returns key value.

func (TlsParametersValidationError) Reason

Reason function returns reason value.

type TlsParameters_TlsProtocol

// TlsParameters_TlsProtocol enumerates the TLS protocol versions that can be
// set as TlsParameters.TlsMinimumProtocolVersion and
// TlsParameters.TlsMaximumProtocolVersion. TLS_AUTO is the zero value, so an
// unset field means "let Envoy choose".
type TlsParameters_TlsProtocol int32

const (
	// Envoy will choose the optimal TLS version.
	TlsParameters_TLS_AUTO TlsParameters_TlsProtocol = 0
	// TLS 1.0 (deprecated by RFC 8996; see the TlsParameters documentation).
	TlsParameters_TLSv1_0 TlsParameters_TlsProtocol = 1
	// TLS 1.1 (deprecated by RFC 8996; see the TlsParameters documentation).
	TlsParameters_TLSv1_1 TlsParameters_TlsProtocol = 2
	// TLS 1.2
	TlsParameters_TLSv1_2 TlsParameters_TlsProtocol = 3
	// TLS 1.3
	TlsParameters_TLSv1_3 TlsParameters_TlsProtocol = 4
)

func (TlsParameters_TlsProtocol) Descriptor added in v0.9.6

func (TlsParameters_TlsProtocol) Enum added in v0.9.6

func (TlsParameters_TlsProtocol) EnumDescriptor deprecated

func (TlsParameters_TlsProtocol) EnumDescriptor() ([]byte, []int)

Deprecated: Use TlsParameters_TlsProtocol.Descriptor instead.

func (TlsParameters_TlsProtocol) Number added in v0.9.6

func (TlsParameters_TlsProtocol) String

func (x TlsParameters_TlsProtocol) String() string

func (TlsParameters_TlsProtocol) Type added in v0.9.6

type TlsSessionTicketKeys

// TlsSessionTicketKeys carries the keys a downstream TLS context uses to
// encrypt and decrypt session tickets. The first key encrypts new tickets;
// every key is a decryption candidate, which is what makes rotation by
// prepending a new key possible. Read the attention block on Keys before
// using this message: the keys protect session secrets and must be handled
// and rotated like certificate private keys.
type TlsSessionTicketKeys struct {

	// Keys for encrypting and decrypting TLS session tickets. The
	// first key in the array contains the key to encrypt all new sessions created by this context.
	// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
	// by, for example, putting the new key first, and the previous key second.
	//
	// If :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
	// is not specified, the TLS library will still support resuming sessions via tickets, but it will
	// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
	// or on different hosts.
	//
	// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
	// example, the output of ``openssl rand 80``.
	//
	// .. attention::
	//
	//   Using this feature has serious security considerations and risks. Improper handling of keys
	//   may result in loss of secrecy in connections, even if ciphers supporting perfect forward
	//   secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
	//   discussion. To minimize the risk, you must:
	//
	//   * Keep the session ticket keys at least as secure as your TLS certificate private keys
	//   * Rotate session ticket keys at least daily, and preferably hourly
	//   * Always generate keys using a cryptographically-secure random data source
	Keys []*v3.DataSource `protobuf:"bytes,1,rep,name=keys,proto3" json:"keys,omitempty"`
	// contains filtered or unexported fields
}

func (*TlsSessionTicketKeys) Descriptor deprecated

func (*TlsSessionTicketKeys) Descriptor() ([]byte, []int)

Deprecated: Use TlsSessionTicketKeys.ProtoReflect.Descriptor instead.

func (*TlsSessionTicketKeys) GetKeys

func (x *TlsSessionTicketKeys) GetKeys() []*v3.DataSource

func (*TlsSessionTicketKeys) ProtoMessage

func (*TlsSessionTicketKeys) ProtoMessage()

func (*TlsSessionTicketKeys) ProtoReflect added in v0.9.6

func (x *TlsSessionTicketKeys) ProtoReflect() protoreflect.Message

func (*TlsSessionTicketKeys) Reset

func (x *TlsSessionTicketKeys) Reset()

func (*TlsSessionTicketKeys) String

func (x *TlsSessionTicketKeys) String() string

func (*TlsSessionTicketKeys) Validate

func (m *TlsSessionTicketKeys) Validate() error

Validate checks the field values on TlsSessionTicketKeys with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*TlsSessionTicketKeys) ValidateAll added in v0.10.0

func (m *TlsSessionTicketKeys) ValidateAll() error

ValidateAll checks the field values on TlsSessionTicketKeys with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in TlsSessionTicketKeysMultiError, or nil if none found.

type TlsSessionTicketKeysMultiError added in v0.10.0

// TlsSessionTicketKeysMultiError is an error wrapping multiple validation
// errors returned by TlsSessionTicketKeys.ValidateAll() if the designated
// constraints aren't met; AllErrors exposes the wrapped list.
type TlsSessionTicketKeysMultiError []error

TlsSessionTicketKeysMultiError is an error wrapping multiple validation errors returned by TlsSessionTicketKeys.ValidateAll() if the designated constraints aren't met.

func (TlsSessionTicketKeysMultiError) AllErrors added in v0.10.0

func (m TlsSessionTicketKeysMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (TlsSessionTicketKeysMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type TlsSessionTicketKeysValidationError

// TlsSessionTicketKeysValidationError is the validation error returned by
// TlsSessionTicketKeys.Validate if the designated constraints aren't met.
// Field, Reason, Key and Cause describe the violation; ErrorName returns
// the error's name.
type TlsSessionTicketKeysValidationError struct {
	// contains filtered or unexported fields
}

TlsSessionTicketKeysValidationError is the validation error returned by TlsSessionTicketKeys.Validate if the designated constraints aren't met.

func (TlsSessionTicketKeysValidationError) Cause

Cause function returns cause value.

func (TlsSessionTicketKeysValidationError) Error

Error satisfies the builtin error interface.

func (TlsSessionTicketKeysValidationError) ErrorName

ErrorName returns error name.

func (TlsSessionTicketKeysValidationError) Field

Field function returns field value.

func (TlsSessionTicketKeysValidationError) Key

Key function returns key value.

func (TlsSessionTicketKeysValidationError) Reason

Reason function returns reason value.

type UpstreamTlsContext

// UpstreamTlsContext configures TLS for the backend (upstream) connections
// Envoy initiates. Note the attention block on CommonTlsContext: server
// certificate verification is off until a trusted_ca is configured, so a
// context that omits it accepts any server certificate.
type UpstreamTlsContext struct {

	// Common TLS context settings.
	//
	// .. attention::
	//
	//   Server certificate verification is not enabled by default. Configure
	//   :ref:`trusted_ca<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
	//   verification.
	CommonTlsContext *CommonTlsContext `protobuf:"bytes,1,opt,name=common_tls_context,json=commonTlsContext,proto3" json:"common_tls_context,omitempty"`
	// SNI string to use when creating TLS backend connections.
	// NOTE(review): what is sent when this is empty is not visible here — confirm
	// against the transport socket implementation.
	Sni string `protobuf:"bytes,2,opt,name=sni,proto3" json:"sni,omitempty"`
	// If true, server-initiated TLS renegotiation will be allowed.
	//
	// .. attention::
	//
	//   TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
	AllowRenegotiation bool `protobuf:"varint,3,opt,name=allow_renegotiation,json=allowRenegotiation,proto3" json:"allow_renegotiation,omitempty"`
	// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
	// for TLSv1.2 and older) to store for the purpose of session resumption.
	//
	// Defaults to 1, setting this to 0 disables session resumption.
	MaxSessionKeys *wrappers.UInt32Value `protobuf:"bytes,4,opt,name=max_session_keys,json=maxSessionKeys,proto3" json:"max_session_keys,omitempty"`
	// contains filtered or unexported fields
}

func (*UpstreamTlsContext) Descriptor deprecated

func (*UpstreamTlsContext) Descriptor() ([]byte, []int)

Deprecated: Use UpstreamTlsContext.ProtoReflect.Descriptor instead.

func (*UpstreamTlsContext) GetAllowRenegotiation

func (x *UpstreamTlsContext) GetAllowRenegotiation() bool

func (*UpstreamTlsContext) GetCommonTlsContext

func (x *UpstreamTlsContext) GetCommonTlsContext() *CommonTlsContext

func (*UpstreamTlsContext) GetMaxSessionKeys

func (x *UpstreamTlsContext) GetMaxSessionKeys() *wrappers.UInt32Value

func (*UpstreamTlsContext) GetSni

func (x *UpstreamTlsContext) GetSni() string

func (*UpstreamTlsContext) ProtoMessage

func (*UpstreamTlsContext) ProtoMessage()

func (*UpstreamTlsContext) ProtoReflect added in v0.9.6

func (x *UpstreamTlsContext) ProtoReflect() protoreflect.Message

func (*UpstreamTlsContext) Reset

func (x *UpstreamTlsContext) Reset()

func (*UpstreamTlsContext) String

func (x *UpstreamTlsContext) String() string

func (*UpstreamTlsContext) Validate

func (m *UpstreamTlsContext) Validate() error

Validate checks the field values on UpstreamTlsContext with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*UpstreamTlsContext) ValidateAll added in v0.10.0

func (m *UpstreamTlsContext) ValidateAll() error

ValidateAll checks the field values on UpstreamTlsContext with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in UpstreamTlsContextMultiError, or nil if none found.

type UpstreamTlsContextMultiError added in v0.10.0

// UpstreamTlsContextMultiError is an error wrapping multiple validation
// errors returned by UpstreamTlsContext.ValidateAll() if the designated
// constraints aren't met; AllErrors exposes the wrapped list.
type UpstreamTlsContextMultiError []error

UpstreamTlsContextMultiError is an error wrapping multiple validation errors returned by UpstreamTlsContext.ValidateAll() if the designated constraints aren't met.

func (UpstreamTlsContextMultiError) AllErrors added in v0.10.0

func (m UpstreamTlsContextMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (UpstreamTlsContextMultiError) Error added in v0.10.0

Error returns a concatenation of all the error messages it wraps.

type UpstreamTlsContextValidationError

// UpstreamTlsContextValidationError is the validation error returned by
// UpstreamTlsContext.Validate if the designated constraints aren't met.
// Field, Reason, Key and Cause describe the violation; ErrorName returns
// the error's name.
type UpstreamTlsContextValidationError struct {
	// contains filtered or unexported fields
}

UpstreamTlsContextValidationError is the validation error returned by UpstreamTlsContext.Validate if the designated constraints aren't met.

func (UpstreamTlsContextValidationError) Cause

Cause function returns cause value.

func (UpstreamTlsContextValidationError) Error

Error satisfies the builtin error interface.

func (UpstreamTlsContextValidationError) ErrorName

ErrorName returns error name.

func (UpstreamTlsContextValidationError) Field

Field function returns field value.

func (UpstreamTlsContextValidationError) Key

Key function returns key value.

func (UpstreamTlsContextValidationError) Reason

Reason function returns reason value.
