auth

package
v0.6.2 Latest Latest
Published: Nov 6, 2018 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// ErrInvalidLengthCert is reported while unmarshaling protobuf wire data from
// this package's cert messages when a length prefix decodes as negative.
var ErrInvalidLengthCert = fmt.Errorf("proto: negative length found during unmarshaling")

// ErrIntOverflowCert is reported while unmarshaling protobuf wire data from
// this package's cert messages when a varint overflows its target integer.
var ErrIntOverflowCert = fmt.Errorf("proto: integer overflow")
// TlsParameters_TlsProtocol_name maps each TlsParameters_TlsProtocol enum
// value to its symbolic name. The zero value, TLS_AUTO, is what an unset
// TlsMinimumProtocolVersion / TlsMaximumProtocolVersion field reads as.
var TlsParameters_TlsProtocol_name = map[int32]string{
	4: "TLSv1_3",
	3: "TLSv1_2",
	2: "TLSv1_1",
	1: "TLSv1_0",
	0: "TLS_AUTO", // enum zero value
}
// TlsParameters_TlsProtocol_value is the inverse of
// TlsParameters_TlsProtocol_name: it resolves a symbolic protocol name to its
// enum value. Lookups are exact-match and case-sensitive.
var TlsParameters_TlsProtocol_value = map[string]int32{
	"TLSv1_3":  4,
	"TLSv1_2":  3,
	"TLSv1_1":  2,
	"TLSv1_0":  1,
	"TLS_AUTO": 0, // enum zero value
}

Functions

This section is empty.

Types

type CertificateValidationContext

// CertificateValidationContext describes how a presented peer certificate is
// verified: the trust anchors (TrustedCa), optional pinning by SPKI or by
// whole-certificate hash, Subject Alternative Name matching, CRL checking,
// and an override that tolerates expired certificates. The same message
// serves server certificates (clusters) and client certificates (listeners).
//
// NOTE(review): every check here is opt-in. A context with neither TrustedCa
// nor a pinning list configured does not verify the peer at all (see the
// TrustedCa comment below), so an "empty" validation context is not a safe
// default.
type CertificateValidationContext struct {
	// TLS certificate data containing certificate authority certificates to use in verifying
	// a presented peer certificate (e.g. server certificate for clusters or client certificate
	// for listeners). If not specified and a peer certificate is presented it will not be
	// verified. By default, a client certificate is optional, unless one of the additional
	// options (:ref:`require_client_certificate
	// <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
	// :ref:`verify_subject_alt_name
	// <envoy_api_field_auth.CertificateValidationContext.verify_subject_alt_name>`) is also
	// specified.
	//
	// It can optionally contain certificate revocation lists, in which case Envoy will verify
	// that the presented peer certificate has not been revoked by one of the included CRLs.
	//
	// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
	// system CA locations.
	//
	// NOTE(review): security-relevant default. With TrustedCa unset there is no chain
	// validation; on a listener that also sets require_client_certificate this presumably
	// enforces only that *some* certificate is presented, not that it chains to a trusted
	// root -- confirm against the transport-socket implementation before relying on it.
	TrustedCa *core.DataSource `protobuf:"bytes,1,opt,name=trusted_ca,json=trustedCa" json:"trusted_ca,omitempty"`
	// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
	// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
	// matches one of the specified values.
	//
	// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//   $ openssl x509 -in path/to/client.crt -noout -pubkey \
	//     | openssl pkey -pubin -outform DER \
	//     | openssl dgst -sha256 -binary \
	//     | openssl enc -base64
	//   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
	//
	// This is the format used in HTTP Public Key Pinning.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	//
	// .. attention::
	//
	//   This option is preferred over :ref:`verify_certificate_hash
	//   <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
	//   because SPKI is tied to a private key, so it doesn't change when the certificate
	//   is renewed using the same private key.
	//
	// NOTE(review): the pin is matched against the certificate the peer presents. A pinned
	// key that has to be rotated out can only be replaced by editing this list, so the usual
	// HPKP practice of carrying a second, not-yet-deployed backup pin applies here too.
	VerifyCertificateSpki []string `protobuf:"bytes,3,rep,name=verify_certificate_spki,json=verifyCertificateSpki" json:"verify_certificate_spki,omitempty"`
	// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
	// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
	//
	// A hex-encoded SHA-256 of the certificate can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//   $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
	//   df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
	//
	// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
	// can be generated with the following command:
	//
	// .. code-block:: bash
	//
	//   $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
	//   DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
	//
	// Both of those formats are acceptable.
	//
	// When both:
	// :ref:`verify_certificate_hash
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
	// :ref:`verify_certificate_spki
	// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
	// a hash matching value from either of the lists will result in the certificate being accepted.
	//
	// NOTE(review): unlike the SPKI pin, this hash covers the entire DER certificate and so
	// changes on every renewal even when the private key is reused; expect to update this
	// list on each certificate rotation.
	VerifyCertificateHash []string `protobuf:"bytes,2,rep,name=verify_certificate_hash,json=verifyCertificateHash" json:"verify_certificate_hash,omitempty"`
	// An optional list of Subject Alternative Names. If specified, Envoy will verify that the
	// Subject Alternative Name of the presented certificate matches one of the specified values.
	//
	// .. attention::
	//
	//   Subject Alternative Names are easily spoofable and verifying only them is insecure,
	//   therefore this option must be used together with :ref:`trusted_ca
	//   <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
	//
	// NOTE(review): the comparison rule (exact string match vs. wildcard or DNS-style
	// matching) is not visible from this definition -- TODO confirm before relying on
	// wildcard entries.
	VerifySubjectAltName []string `protobuf:"bytes,4,rep,name=verify_subject_alt_name,json=verifySubjectAltName" json:"verify_subject_alt_name,omitempty"`
	// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
	// The [#not-implemented-hide:] marker means this field is not implemented in this
	// version; do not rely on it being enforced.
	RequireOcspStaple *types.BoolValue `protobuf:"bytes,5,opt,name=require_ocsp_staple,json=requireOcspStaple" json:"require_ocsp_staple,omitempty"`
	// [#not-implemented-hide:] Must present signed certificate time-stamp.
	// Not implemented in this version (per the marker); do not rely on it being enforced.
	RequireSignedCertificateTimestamp *types.BoolValue `` /* 157-byte string literal not displayed */
	// An optional `certificate revocation list
	// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
	// (in PEM format). If specified, Envoy will verify that the presented peer
	// certificate has not been revoked by this CRL. If this DataSource contains
	// multiple CRLs, all of them will be used.
	//
	// NOTE(review): the CRL is whatever the DataSource holds when it is loaded. Whether
	// and how it is refreshed after the CRL's nextUpdate time is not visible here -- TODO
	// confirm, because a stale CRL silently stops catching new revocations.
	Crl *core.DataSource `protobuf:"bytes,7,opt,name=crl" json:"crl,omitempty"`
	// If specified, Envoy will not reject expired certificates.
	//
	// NOTE(review): security-relevant. Setting this disables the notAfter check, so an
	// expired -- and possibly long-since-leaked -- certificate is still accepted; prefer
	// fixing the peer's renewal or clock over enabling this.
	AllowExpiredCertificate bool     `` /* 133-byte string literal not displayed */
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral    struct{} `json:"-"`
	XXX_unrecognized        []byte   `json:"-"`
	XXX_sizecache           int32    `json:"-"`
}

func (*CertificateValidationContext) Descriptor

func (*CertificateValidationContext) Descriptor() ([]byte, []int)

func (*CertificateValidationContext) Equal

func (this *CertificateValidationContext) Equal(that interface{}) bool

func (*CertificateValidationContext) GetAllowExpiredCertificate

func (m *CertificateValidationContext) GetAllowExpiredCertificate() bool

func (*CertificateValidationContext) GetCrl

func (*CertificateValidationContext) GetRequireOcspStaple

func (m *CertificateValidationContext) GetRequireOcspStaple() *types.BoolValue

func (*CertificateValidationContext) GetRequireSignedCertificateTimestamp

func (m *CertificateValidationContext) GetRequireSignedCertificateTimestamp() *types.BoolValue

func (*CertificateValidationContext) GetTrustedCa

func (m *CertificateValidationContext) GetTrustedCa() *core.DataSource

func (*CertificateValidationContext) GetVerifyCertificateHash

func (m *CertificateValidationContext) GetVerifyCertificateHash() []string

func (*CertificateValidationContext) GetVerifyCertificateSpki

func (m *CertificateValidationContext) GetVerifyCertificateSpki() []string

func (*CertificateValidationContext) GetVerifySubjectAltName

func (m *CertificateValidationContext) GetVerifySubjectAltName() []string

func (*CertificateValidationContext) Marshal

func (m *CertificateValidationContext) Marshal() (dAtA []byte, err error)

func (*CertificateValidationContext) MarshalTo

func (m *CertificateValidationContext) MarshalTo(dAtA []byte) (int, error)

func (*CertificateValidationContext) ProtoMessage

func (*CertificateValidationContext) ProtoMessage()

func (*CertificateValidationContext) Reset

func (m *CertificateValidationContext) Reset()

func (*CertificateValidationContext) Size

func (m *CertificateValidationContext) Size() (n int)

func (*CertificateValidationContext) String

func (*CertificateValidationContext) Unmarshal

func (m *CertificateValidationContext) Unmarshal(dAtA []byte) error

func (*CertificateValidationContext) Validate

func (m *CertificateValidationContext) Validate() error

Validate checks the field values on CertificateValidationContext with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*CertificateValidationContext) XXX_DiscardUnknown

func (m *CertificateValidationContext) XXX_DiscardUnknown()

func (*CertificateValidationContext) XXX_Marshal

func (m *CertificateValidationContext) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*CertificateValidationContext) XXX_Merge

func (dst *CertificateValidationContext) XXX_Merge(src proto.Message)

func (*CertificateValidationContext) XXX_Size

func (m *CertificateValidationContext) XXX_Size() int

func (*CertificateValidationContext) XXX_Unmarshal

func (m *CertificateValidationContext) XXX_Unmarshal(b []byte) error

type CertificateValidationContextValidationError

// CertificateValidationContextValidationError is the error returned by
// CertificateValidationContext.Validate when a constraint from the proto
// definition is violated.
type CertificateValidationContextValidationError struct {
	Field  string // field on which the violation was found
	Reason string // human-readable description of the violated rule
	Cause  error  // wrapped lower-level error, if any
	Key    bool   // presumably marks a violation on a map key rather than its value -- confirm in Error()
}

CertificateValidationContextValidationError is the validation error returned by CertificateValidationContext.Validate if the designated constraints aren't met.

func (CertificateValidationContextValidationError) Error

Error satisfies the builtin error interface

type CommonTlsContext

// CommonTlsContext holds the TLS settings shared by the client and server TLS
// contexts: protocol parameters, the certificate(s) Envoy presents, where peer
// certificates are validated, and the ALPN list. Certificates and the
// validation context can each be configured inline or fetched through SDS.
type CommonTlsContext struct {
	// TLS protocol versions, cipher suites etc.
	// When nil, the per-field defaults described on TlsParameters presumably apply.
	TlsParams *TlsParameters `protobuf:"bytes,1,opt,name=tls_params,json=tlsParams" json:"tls_params,omitempty"`
	// Multiple TLS certificates can be associated with the same context.
	// E.g. to allow both RSA and ECDSA certificates, two TLS certificates can be configured.
	//
	// .. attention::
	//
	//   Although this is a list, currently only a single certificate is supported. This will be
	//   relaxed in the future.
	TlsCertificates []*TlsCertificate `protobuf:"bytes,2,rep,name=tls_certificates,json=tlsCertificates" json:"tls_certificates,omitempty"`
	// Configs for fetching TLS certificates via SDS API.
	//
	// NOTE(review): the fetched secret (certificate plus private key) is only as protected
	// as the SDS channel described by SdsSecretConfig.SdsConfig -- confirm that channel is
	// itself authenticated and encrypted.
	TlsCertificateSdsSecretConfigs []*SdsSecretConfig `` /* 150-byte string literal not displayed */
	// Types that are valid to be assigned to ValidationContextType:
	//	*CommonTlsContext_ValidationContext
	//	*CommonTlsContext_ValidationContextSdsSecretConfig
	//
	// NOTE(review): if neither member is set there is no validation context at all, which
	// by the CertificateValidationContext.TrustedCa contract means presented peer
	// certificates are not verified. Treat a nil ValidationContextType as a finding on any
	// listener or cluster that is expected to authenticate its peer.
	ValidationContextType isCommonTlsContext_ValidationContextType `protobuf_oneof:"validation_context_type"`
	// Supplies the list of ALPN protocols that the listener should expose. In
	// practice this is likely to be set to one of two values (see the
	// :ref:`codec_type
	// <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.codec_type>`
	// parameter in the HTTP connection manager for more information):
	//
	// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
	// * "http/1.1" If the listener is only going to support HTTP/1.1.
	//
	// There is no default for this parameter. If empty, Envoy will not expose ALPN.
	AlpnProtocols        []string `protobuf:"bytes,4,rep,name=alpn_protocols,json=alpnProtocols" json:"alpn_protocols,omitempty"`
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

TLS context shared by both client and server TLS contexts.

func (*CommonTlsContext) Descriptor

func (*CommonTlsContext) Descriptor() ([]byte, []int)

func (*CommonTlsContext) Equal

func (this *CommonTlsContext) Equal(that interface{}) bool

func (*CommonTlsContext) GetAlpnProtocols

func (m *CommonTlsContext) GetAlpnProtocols() []string

func (*CommonTlsContext) GetTlsCertificateSdsSecretConfigs

func (m *CommonTlsContext) GetTlsCertificateSdsSecretConfigs() []*SdsSecretConfig

func (*CommonTlsContext) GetTlsCertificates

func (m *CommonTlsContext) GetTlsCertificates() []*TlsCertificate

func (*CommonTlsContext) GetTlsParams

func (m *CommonTlsContext) GetTlsParams() *TlsParameters

func (*CommonTlsContext) GetValidationContext

func (m *CommonTlsContext) GetValidationContext() *CertificateValidationContext

func (*CommonTlsContext) GetValidationContextSdsSecretConfig

func (m *CommonTlsContext) GetValidationContextSdsSecretConfig() *SdsSecretConfig

func (*CommonTlsContext) GetValidationContextType

func (m *CommonTlsContext) GetValidationContextType() isCommonTlsContext_ValidationContextType

func (*CommonTlsContext) Marshal

func (m *CommonTlsContext) Marshal() (dAtA []byte, err error)

func (*CommonTlsContext) MarshalTo

func (m *CommonTlsContext) MarshalTo(dAtA []byte) (int, error)

func (*CommonTlsContext) ProtoMessage

func (*CommonTlsContext) ProtoMessage()

func (*CommonTlsContext) Reset

func (m *CommonTlsContext) Reset()

func (*CommonTlsContext) Size

func (m *CommonTlsContext) Size() (n int)

func (*CommonTlsContext) String

func (m *CommonTlsContext) String() string

func (*CommonTlsContext) Unmarshal

func (m *CommonTlsContext) Unmarshal(dAtA []byte) error

func (*CommonTlsContext) Validate

func (m *CommonTlsContext) Validate() error

Validate checks the field values on CommonTlsContext with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*CommonTlsContext) XXX_DiscardUnknown

func (m *CommonTlsContext) XXX_DiscardUnknown()

func (*CommonTlsContext) XXX_Marshal

func (m *CommonTlsContext) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*CommonTlsContext) XXX_Merge

func (dst *CommonTlsContext) XXX_Merge(src proto.Message)

func (*CommonTlsContext) XXX_OneofFuncs

func (*CommonTlsContext) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{})

XXX_OneofFuncs is for the internal use of the proto package.

func (*CommonTlsContext) XXX_Size

func (m *CommonTlsContext) XXX_Size() int

func (*CommonTlsContext) XXX_Unmarshal

func (m *CommonTlsContext) XXX_Unmarshal(b []byte) error

type CommonTlsContextValidationError

// CommonTlsContextValidationError is the error returned by
// CommonTlsContext.Validate when a constraint from the proto definition is
// violated.
type CommonTlsContextValidationError struct {
	Field  string // field on which the violation was found
	Reason string // human-readable description of the violated rule
	Cause  error  // wrapped lower-level error, if any
	Key    bool   // presumably marks a violation on a map key rather than its value -- confirm in Error()
}

CommonTlsContextValidationError is the validation error returned by CommonTlsContext.Validate if the designated constraints aren't met.

func (CommonTlsContextValidationError) Error

Error satisfies the builtin error interface

type CommonTlsContext_ValidationContext

// CommonTlsContext_ValidationContext is the ValidationContextType oneof
// member that carries an inline CertificateValidationContext (proto field 3),
// as opposed to one fetched through SDS.
type CommonTlsContext_ValidationContext struct {
	ValidationContext *CertificateValidationContext `protobuf:"bytes,3,opt,name=validation_context,json=validationContext,oneof"`
}

func (*CommonTlsContext_ValidationContext) Equal

func (this *CommonTlsContext_ValidationContext) Equal(that interface{}) bool

func (*CommonTlsContext_ValidationContext) MarshalTo

func (m *CommonTlsContext_ValidationContext) MarshalTo(dAtA []byte) (int, error)

func (*CommonTlsContext_ValidationContext) Size

type CommonTlsContext_ValidationContextSdsSecretConfig

// CommonTlsContext_ValidationContextSdsSecretConfig is the
// ValidationContextType oneof member that fetches the validation context
// through SDS (proto field 7) instead of configuring it inline.
type CommonTlsContext_ValidationContextSdsSecretConfig struct {
	ValidationContextSdsSecretConfig *SdsSecretConfig `protobuf:"bytes,7,opt,name=validation_context_sds_secret_config,json=validationContextSdsSecretConfig,oneof"`
}

func (*CommonTlsContext_ValidationContextSdsSecretConfig) Equal

func (this *CommonTlsContext_ValidationContextSdsSecretConfig) Equal(that interface{}) bool

func (*CommonTlsContext_ValidationContextSdsSecretConfig) MarshalTo

func (*CommonTlsContext_ValidationContextSdsSecretConfig) Size

type DownstreamTlsContext

// DownstreamTlsContext is the server-side (listener) TLS configuration: the
// shared CommonTlsContext plus listener-only knobs for client-certificate
// enforcement, SNI and session-ticket keys.
type DownstreamTlsContext struct {
	// Common TLS context settings.
	CommonTlsContext *CommonTlsContext `protobuf:"bytes,1,opt,name=common_tls_context,json=commonTlsContext" json:"common_tls_context,omitempty"`
	// If specified, Envoy will reject connections without a valid client
	// certificate.
	//
	// NOTE(review): a nil BoolValue means "not specified", in which case a client
	// certificate is optional (see CertificateValidationContext.TrustedCa). What counts as
	// "valid" is defined by the validation context inside CommonTlsContext; without one,
	// only the presence of a certificate can be checked -- confirm against the
	// implementation before treating this flag alone as mutual-TLS enforcement.
	RequireClientCertificate *types.BoolValue `` /* 128-byte string literal not displayed */
	// If specified, Envoy will reject connections without a valid and matching SNI.
	// [#not-implemented-hide:]
	// Not implemented in this version (per the marker above); do not rely on it.
	RequireSni *types.BoolValue `protobuf:"bytes,3,opt,name=require_sni,json=requireSni" json:"require_sni,omitempty"`
	// Types that are valid to be assigned to SessionTicketKeysType:
	//	*DownstreamTlsContext_SessionTicketKeys
	//	*DownstreamTlsContext_SessionTicketKeysSdsSecretConfig
	//
	// NOTE(review): in TLS, session-ticket keys (RFC 5077) can decrypt every resumed
	// session they issued, so they deserve the same handling as the private key: keep them
	// out of inline config, rotate them, and prefer the SDS member. What Envoy does when
	// neither member is set is not visible here -- TODO confirm.
	SessionTicketKeysType isDownstreamTlsContext_SessionTicketKeysType `protobuf_oneof:"session_ticket_keys_type"`
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral  struct{}                                     `json:"-"`
	XXX_unrecognized      []byte                                       `json:"-"`
	XXX_sizecache         int32                                        `json:"-"`
}

func (*DownstreamTlsContext) Descriptor

func (*DownstreamTlsContext) Descriptor() ([]byte, []int)

func (*DownstreamTlsContext) Equal

func (this *DownstreamTlsContext) Equal(that interface{}) bool

func (*DownstreamTlsContext) GetCommonTlsContext

func (m *DownstreamTlsContext) GetCommonTlsContext() *CommonTlsContext

func (*DownstreamTlsContext) GetRequireClientCertificate

func (m *DownstreamTlsContext) GetRequireClientCertificate() *types.BoolValue

func (*DownstreamTlsContext) GetRequireSni

func (m *DownstreamTlsContext) GetRequireSni() *types.BoolValue

func (*DownstreamTlsContext) GetSessionTicketKeys

func (m *DownstreamTlsContext) GetSessionTicketKeys() *TlsSessionTicketKeys

func (*DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig

func (m *DownstreamTlsContext) GetSessionTicketKeysSdsSecretConfig() *SdsSecretConfig

func (*DownstreamTlsContext) GetSessionTicketKeysType

func (m *DownstreamTlsContext) GetSessionTicketKeysType() isDownstreamTlsContext_SessionTicketKeysType

func (*DownstreamTlsContext) Marshal

func (m *DownstreamTlsContext) Marshal() (dAtA []byte, err error)

func (*DownstreamTlsContext) MarshalTo

func (m *DownstreamTlsContext) MarshalTo(dAtA []byte) (int, error)

func (*DownstreamTlsContext) ProtoMessage

func (*DownstreamTlsContext) ProtoMessage()

func (*DownstreamTlsContext) Reset

func (m *DownstreamTlsContext) Reset()

func (*DownstreamTlsContext) Size

func (m *DownstreamTlsContext) Size() (n int)

func (*DownstreamTlsContext) String

func (m *DownstreamTlsContext) String() string

func (*DownstreamTlsContext) Unmarshal

func (m *DownstreamTlsContext) Unmarshal(dAtA []byte) error

func (*DownstreamTlsContext) Validate

func (m *DownstreamTlsContext) Validate() error

Validate checks the field values on DownstreamTlsContext with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*DownstreamTlsContext) XXX_DiscardUnknown

func (m *DownstreamTlsContext) XXX_DiscardUnknown()

func (*DownstreamTlsContext) XXX_Marshal

func (m *DownstreamTlsContext) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*DownstreamTlsContext) XXX_Merge

func (dst *DownstreamTlsContext) XXX_Merge(src proto.Message)

func (*DownstreamTlsContext) XXX_OneofFuncs

func (*DownstreamTlsContext) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{})

XXX_OneofFuncs is for the internal use of the proto package.

func (*DownstreamTlsContext) XXX_Size

func (m *DownstreamTlsContext) XXX_Size() int

func (*DownstreamTlsContext) XXX_Unmarshal

func (m *DownstreamTlsContext) XXX_Unmarshal(b []byte) error

type DownstreamTlsContextValidationError

// DownstreamTlsContextValidationError is the error returned by
// DownstreamTlsContext.Validate when a constraint from the proto definition
// is violated.
type DownstreamTlsContextValidationError struct {
	Field  string // field on which the violation was found
	Reason string // human-readable description of the violated rule
	Cause  error  // wrapped lower-level error, if any
	Key    bool   // presumably marks a violation on a map key rather than its value -- confirm in Error()
}

DownstreamTlsContextValidationError is the validation error returned by DownstreamTlsContext.Validate if the designated constraints aren't met.

func (DownstreamTlsContextValidationError) Error

Error satisfies the builtin error interface

type DownstreamTlsContext_SessionTicketKeys

// DownstreamTlsContext_SessionTicketKeys is the SessionTicketKeysType oneof
// member holding inline session-ticket keys (proto field 4).
//
// NOTE(review): ticket keys are secrets on par with the private key, and keys
// configured here live in the listener config itself; outside of local testing
// prefer the SDS member.
type DownstreamTlsContext_SessionTicketKeys struct {
	SessionTicketKeys *TlsSessionTicketKeys `protobuf:"bytes,4,opt,name=session_ticket_keys,json=sessionTicketKeys,oneof"`
}

func (*DownstreamTlsContext_SessionTicketKeys) Equal

func (this *DownstreamTlsContext_SessionTicketKeys) Equal(that interface{}) bool

func (*DownstreamTlsContext_SessionTicketKeys) MarshalTo

func (m *DownstreamTlsContext_SessionTicketKeys) MarshalTo(dAtA []byte) (int, error)

func (*DownstreamTlsContext_SessionTicketKeys) Size

type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig

// DownstreamTlsContext_SessionTicketKeysSdsSecretConfig is the
// SessionTicketKeysType oneof member that fetches session-ticket keys through
// SDS (proto field 5) instead of embedding them in the listener config.
type DownstreamTlsContext_SessionTicketKeysSdsSecretConfig struct {
	SessionTicketKeysSdsSecretConfig *SdsSecretConfig `protobuf:"bytes,5,opt,name=session_ticket_keys_sds_secret_config,json=sessionTicketKeysSdsSecretConfig,oneof"`
}

func (*DownstreamTlsContext_SessionTicketKeysSdsSecretConfig) Equal

func (this *DownstreamTlsContext_SessionTicketKeysSdsSecretConfig) Equal(that interface{}) bool

func (*DownstreamTlsContext_SessionTicketKeysSdsSecretConfig) MarshalTo

func (*DownstreamTlsContext_SessionTicketKeysSdsSecretConfig) Size

type SdsSecretConfig

// SdsSecretConfig names a secret and, optionally, the SDS source it should be
// fetched from. Name alone refers to a statically configured secret; Name plus
// SdsConfig enables fetching and reloading through SDS.
type SdsSecretConfig struct {
	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	// When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
	// When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
	Name                 string             `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Configuration source for SDS, i.e. how the secret is fetched.
	//
	// NOTE(review): the fetched secret is only as protected as this channel -- confirm it
	// is authenticated and encrypted before pointing it at anything that hands out
	// private keys or session-ticket keys.
	SdsConfig            *core.ConfigSource `protobuf:"bytes,2,opt,name=sds_config,json=sdsConfig" json:"sds_config,omitempty"`
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
	XXX_unrecognized     []byte             `json:"-"`
	XXX_sizecache        int32              `json:"-"`
}

[#proto-status: experimental]

func (*SdsSecretConfig) Descriptor

func (*SdsSecretConfig) Descriptor() ([]byte, []int)

func (*SdsSecretConfig) Equal

func (this *SdsSecretConfig) Equal(that interface{}) bool

func (*SdsSecretConfig) GetName

func (m *SdsSecretConfig) GetName() string

func (*SdsSecretConfig) GetSdsConfig

func (m *SdsSecretConfig) GetSdsConfig() *core.ConfigSource

func (*SdsSecretConfig) Marshal

func (m *SdsSecretConfig) Marshal() (dAtA []byte, err error)

func (*SdsSecretConfig) MarshalTo

func (m *SdsSecretConfig) MarshalTo(dAtA []byte) (int, error)

func (*SdsSecretConfig) ProtoMessage

func (*SdsSecretConfig) ProtoMessage()

func (*SdsSecretConfig) Reset

func (m *SdsSecretConfig) Reset()

func (*SdsSecretConfig) Size

func (m *SdsSecretConfig) Size() (n int)

func (*SdsSecretConfig) String

func (m *SdsSecretConfig) String() string

func (*SdsSecretConfig) Unmarshal

func (m *SdsSecretConfig) Unmarshal(dAtA []byte) error

func (*SdsSecretConfig) Validate

func (m *SdsSecretConfig) Validate() error

Validate checks the field values on SdsSecretConfig with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*SdsSecretConfig) XXX_DiscardUnknown

func (m *SdsSecretConfig) XXX_DiscardUnknown()

func (*SdsSecretConfig) XXX_Marshal

func (m *SdsSecretConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*SdsSecretConfig) XXX_Merge

func (dst *SdsSecretConfig) XXX_Merge(src proto.Message)

func (*SdsSecretConfig) XXX_Size

func (m *SdsSecretConfig) XXX_Size() int

func (*SdsSecretConfig) XXX_Unmarshal

func (m *SdsSecretConfig) XXX_Unmarshal(b []byte) error

type SdsSecretConfigValidationError

// SdsSecretConfigValidationError is the error returned by
// SdsSecretConfig.Validate when a constraint from the proto definition is
// violated.
type SdsSecretConfigValidationError struct {
	Field  string // field on which the violation was found
	Reason string // human-readable description of the violated rule
	Cause  error  // wrapped lower-level error, if any
	Key    bool   // presumably marks a violation on a map key rather than its value -- confirm in Error()
}

SdsSecretConfigValidationError is the validation error returned by SdsSecretConfig.Validate if the designated constraints aren't met.

func (SdsSecretConfigValidationError) Error

Error satisfies the builtin error interface

type Secret

// Secret is the resource delivered over SDS: a named payload that is exactly
// one of a TLS certificate (chain plus private key), a set of session-ticket
// keys, or a certificate validation context.
//
// NOTE(review): two of the three members carry key material; anything that
// logs, dumps or persists a Secret should be reviewed for leakage.
type Secret struct {
	// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Types that are valid to be assigned to Type:
	//	*Secret_TlsCertificate
	//	*Secret_SessionTicketKeys
	//	*Secret_ValidationContext
	Type                 isSecret_Type `protobuf_oneof:"type"`
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
	XXX_unrecognized     []byte        `json:"-"`
	XXX_sizecache        int32         `json:"-"`
}

[#proto-status: experimental]

func (*Secret) Descriptor

func (*Secret) Descriptor() ([]byte, []int)

func (*Secret) Equal

func (this *Secret) Equal(that interface{}) bool

func (*Secret) GetName

func (m *Secret) GetName() string

func (*Secret) GetSessionTicketKeys

func (m *Secret) GetSessionTicketKeys() *TlsSessionTicketKeys

func (*Secret) GetTlsCertificate

func (m *Secret) GetTlsCertificate() *TlsCertificate

func (*Secret) GetType

func (m *Secret) GetType() isSecret_Type

func (*Secret) GetValidationContext

func (m *Secret) GetValidationContext() *CertificateValidationContext

func (*Secret) Marshal

func (m *Secret) Marshal() (dAtA []byte, err error)

func (*Secret) MarshalTo

func (m *Secret) MarshalTo(dAtA []byte) (int, error)

func (*Secret) ProtoMessage

func (*Secret) ProtoMessage()

func (*Secret) Reset

func (m *Secret) Reset()

func (*Secret) Size

func (m *Secret) Size() (n int)

func (*Secret) String

func (m *Secret) String() string

func (*Secret) Unmarshal

func (m *Secret) Unmarshal(dAtA []byte) error

func (*Secret) Validate

func (m *Secret) Validate() error

Validate checks the field values on Secret with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*Secret) XXX_DiscardUnknown

func (m *Secret) XXX_DiscardUnknown()

func (*Secret) XXX_Marshal

func (m *Secret) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*Secret) XXX_Merge

func (dst *Secret) XXX_Merge(src proto.Message)

func (*Secret) XXX_OneofFuncs

func (*Secret) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{})

XXX_OneofFuncs is for the internal use of the proto package.

func (*Secret) XXX_Size

func (m *Secret) XXX_Size() int

func (*Secret) XXX_Unmarshal

func (m *Secret) XXX_Unmarshal(b []byte) error

type SecretValidationError

// SecretValidationError is the error returned by Secret.Validate when a
// constraint from the proto definition is violated.
type SecretValidationError struct {
	Field  string // field on which the violation was found
	Reason string // human-readable description of the violated rule
	Cause  error  // wrapped lower-level error, if any
	Key    bool   // presumably marks a violation on a map key rather than its value -- confirm in Error()
}

SecretValidationError is the validation error returned by Secret.Validate if the designated constraints aren't met.

func (SecretValidationError) Error

func (e SecretValidationError) Error() string

Error satisfies the builtin error interface

type Secret_SessionTicketKeys

// Secret_SessionTicketKeys is the Secret.Type oneof member carrying
// session-ticket keys (proto field 3). The payload is key material.
type Secret_SessionTicketKeys struct {
	SessionTicketKeys *TlsSessionTicketKeys `protobuf:"bytes,3,opt,name=session_ticket_keys,json=sessionTicketKeys,oneof"`
}

func (*Secret_SessionTicketKeys) Equal

func (this *Secret_SessionTicketKeys) Equal(that interface{}) bool

func (*Secret_SessionTicketKeys) MarshalTo

func (m *Secret_SessionTicketKeys) MarshalTo(dAtA []byte) (int, error)

func (*Secret_SessionTicketKeys) Size

func (m *Secret_SessionTicketKeys) Size() (n int)

type Secret_TlsCertificate

// Secret_TlsCertificate is the Secret.Type oneof member carrying a certificate
// chain together with its private key (proto field 2). The payload is key
// material.
type Secret_TlsCertificate struct {
	TlsCertificate *TlsCertificate `protobuf:"bytes,2,opt,name=tls_certificate,json=tlsCertificate,oneof"`
}

func (*Secret_TlsCertificate) Equal

func (this *Secret_TlsCertificate) Equal(that interface{}) bool

func (*Secret_TlsCertificate) MarshalTo

func (m *Secret_TlsCertificate) MarshalTo(dAtA []byte) (int, error)

func (*Secret_TlsCertificate) Size

func (m *Secret_TlsCertificate) Size() (n int)

type Secret_ValidationContext

// Secret_ValidationContext is the Secret.Type oneof member carrying a
// CertificateValidationContext (proto field 4), i.e. trust anchors and
// verification rules rather than private key material.
type Secret_ValidationContext struct {
	ValidationContext *CertificateValidationContext `protobuf:"bytes,4,opt,name=validation_context,json=validationContext,oneof"`
}

func (*Secret_ValidationContext) Equal

func (this *Secret_ValidationContext) Equal(that interface{}) bool

func (*Secret_ValidationContext) MarshalTo

func (m *Secret_ValidationContext) MarshalTo(dAtA []byte) (int, error)

func (*Secret_ValidationContext) Size

func (m *Secret_ValidationContext) Size() (n int)

type TlsCertificate

// TlsCertificate is the certificate chain and private key Envoy presents to
// its peer, plus three fields that are declared but marked not implemented in
// this version (password, OCSP staple, signed certificate timestamps).
type TlsCertificate struct {
	// The TLS certificate chain.
	CertificateChain *core.DataSource `protobuf:"bytes,1,opt,name=certificate_chain,json=certificateChain" json:"certificate_chain,omitempty"`
	// The TLS private key.
	//
	// NOTE(review): an inline DataSource embeds the key in the configuration itself, where
	// it travels with every copy of that config; prefer a filesystem path with restricted
	// permissions, or delivery via SDS (SdsSecretConfig), for anything but local testing.
	PrivateKey *core.DataSource `protobuf:"bytes,2,opt,name=private_key,json=privateKey" json:"private_key,omitempty"`
	// [#not-implemented-hide:]
	// Presumably the passphrase for an encrypted PrivateKey; not implemented in this
	// version, so an encrypted key likely cannot be used yet -- TODO confirm.
	Password *core.DataSource `protobuf:"bytes,3,opt,name=password" json:"password,omitempty"`
	// [#not-implemented-hide:]
	// Not implemented in this version; do not expect a staple configured here to be served.
	OcspStaple *core.DataSource `protobuf:"bytes,4,opt,name=ocsp_staple,json=ocspStaple" json:"ocsp_staple,omitempty"`
	// [#not-implemented-hide:]
	// Signed certificate timestamps (Certificate Transparency); not implemented in this version.
	SignedCertificateTimestamp []*core.DataSource `` /* 134-byte string literal not displayed */
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral       struct{}           `json:"-"`
	XXX_unrecognized           []byte             `json:"-"`
	XXX_sizecache              int32              `json:"-"`
}

func (*TlsCertificate) Descriptor

func (*TlsCertificate) Descriptor() ([]byte, []int)

func (*TlsCertificate) Equal

func (this *TlsCertificate) Equal(that interface{}) bool

func (*TlsCertificate) GetCertificateChain

func (m *TlsCertificate) GetCertificateChain() *core.DataSource

func (*TlsCertificate) GetOcspStaple

func (m *TlsCertificate) GetOcspStaple() *core.DataSource

func (*TlsCertificate) GetPassword

func (m *TlsCertificate) GetPassword() *core.DataSource

func (*TlsCertificate) GetPrivateKey

func (m *TlsCertificate) GetPrivateKey() *core.DataSource

func (*TlsCertificate) GetSignedCertificateTimestamp

func (m *TlsCertificate) GetSignedCertificateTimestamp() []*core.DataSource

func (*TlsCertificate) Marshal

func (m *TlsCertificate) Marshal() (dAtA []byte, err error)

func (*TlsCertificate) MarshalTo

func (m *TlsCertificate) MarshalTo(dAtA []byte) (int, error)

func (*TlsCertificate) ProtoMessage

func (*TlsCertificate) ProtoMessage()

func (*TlsCertificate) Reset

func (m *TlsCertificate) Reset()

func (*TlsCertificate) Size

func (m *TlsCertificate) Size() (n int)

func (*TlsCertificate) String

func (m *TlsCertificate) String() string

func (*TlsCertificate) Unmarshal

func (m *TlsCertificate) Unmarshal(dAtA []byte) error

func (*TlsCertificate) Validate

func (m *TlsCertificate) Validate() error

Validate checks the field values on TlsCertificate with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*TlsCertificate) XXX_DiscardUnknown

func (m *TlsCertificate) XXX_DiscardUnknown()

func (*TlsCertificate) XXX_Marshal

func (m *TlsCertificate) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*TlsCertificate) XXX_Merge

func (dst *TlsCertificate) XXX_Merge(src proto.Message)

func (*TlsCertificate) XXX_Size

func (m *TlsCertificate) XXX_Size() int

func (*TlsCertificate) XXX_Unmarshal

func (m *TlsCertificate) XXX_Unmarshal(b []byte) error

type TlsCertificateValidationError

// TlsCertificateValidationError is the error returned by
// TlsCertificate.Validate when a constraint from the proto definition is
// violated.
type TlsCertificateValidationError struct {
	Field  string // field on which the violation was found
	Reason string // human-readable description of the violated rule
	Cause  error  // wrapped lower-level error, if any
	Key    bool   // presumably marks a violation on a map key rather than its value -- confirm in Error()
}

TlsCertificateValidationError is the validation error returned by TlsCertificate.Validate if the designated constraints aren't met.

func (TlsCertificateValidationError) Error

Error satisfies the builtin error interface

type TlsParameters

// TlsParameters bounds the TLS protocol versions and restricts the cipher
// suites and ECDH curves a TLS context will negotiate.
type TlsParameters struct {
	// Minimum TLS protocol version.
	//
	// The proto3 zero value is TLS_AUTO, so leaving this unset delegates the
	// version floor to Envoy. NOTE(review): this listing does not state which
	// version TLS_AUTO resolves to; set it explicitly (e.g. TLSv1_2) whenever a
	// minimum version is a compliance requirement — TLS 1.0 and 1.1 are
	// deprecated by RFC 8996.
	TlsMinimumProtocolVersion TlsParameters_TlsProtocol `` /* 190-byte string literal not displayed */
	// Maximum TLS protocol version.
	//
	// Also TLS_AUTO when unset. A maximum below the highest version the peer
	// supports prevents that version from being negotiated; only lower it for
	// a known interoperability reason.
	TlsMaximumProtocolVersion TlsParameters_TlsProtocol `` /* 190-byte string literal not displayed */
	// If specified, the TLS listener will only support the specified `cipher list
	// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_.
	// If not specified, the default list:
	//
	// .. code-block:: none
	//
	//   [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
	//   [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
	//   ECDHE-ECDSA-AES128-SHA
	//   ECDHE-RSA-AES128-SHA
	//   AES128-GCM-SHA256
	//   AES128-SHA
	//   ECDHE-ECDSA-AES256-GCM-SHA384
	//   ECDHE-RSA-AES256-GCM-SHA384
	//   ECDHE-ECDSA-AES256-SHA
	//   ECDHE-RSA-AES256-SHA
	//   AES256-GCM-SHA384
	//   AES256-SHA
	//
	// will be used.
	//
	// NOTE(review): the default list is compatibility-oriented. The entries
	// without an ECDHE prefix (AES128-GCM-SHA256, AES128-SHA,
	// AES256-GCM-SHA384, AES256-SHA) use static RSA key exchange and therefore
	// provide no forward secrecy, and the *-SHA entries are CBC/HMAC suites
	// rather than AEAD. Set cipher_suites explicitly to the ECDHE + AEAD subset
	// where forward secrecy or AEAD-only operation is required. Bracketed
	// entries are BoringSSL equal-preference groups. How an unrecognised cipher
	// name in this list is handled is not documented here — confirm before
	// relying on it.
	CipherSuites []string `protobuf:"bytes,3,rep,name=cipher_suites,json=cipherSuites" json:"cipher_suites,omitempty"`
	// If specified, the TLS connection will only support the specified ECDH
	// curves. If not specified, the default curves (X25519, P-256) will be used.
	EcdhCurves           []string `protobuf:"bytes,4,rep,name=ecdh_curves,json=ecdhCurves" json:"ecdh_curves,omitempty"`
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*TlsParameters) Descriptor

func (*TlsParameters) Descriptor() ([]byte, []int)

func (*TlsParameters) Equal

func (this *TlsParameters) Equal(that interface{}) bool

func (*TlsParameters) GetCipherSuites

func (m *TlsParameters) GetCipherSuites() []string

func (*TlsParameters) GetEcdhCurves

func (m *TlsParameters) GetEcdhCurves() []string

func (*TlsParameters) GetTlsMaximumProtocolVersion

func (m *TlsParameters) GetTlsMaximumProtocolVersion() TlsParameters_TlsProtocol

func (*TlsParameters) GetTlsMinimumProtocolVersion

func (m *TlsParameters) GetTlsMinimumProtocolVersion() TlsParameters_TlsProtocol

func (*TlsParameters) Marshal

func (m *TlsParameters) Marshal() (dAtA []byte, err error)

func (*TlsParameters) MarshalTo

func (m *TlsParameters) MarshalTo(dAtA []byte) (int, error)

func (*TlsParameters) ProtoMessage

func (*TlsParameters) ProtoMessage()

func (*TlsParameters) Reset

func (m *TlsParameters) Reset()

func (*TlsParameters) Size

func (m *TlsParameters) Size() (n int)

func (*TlsParameters) String

func (m *TlsParameters) String() string

func (*TlsParameters) Unmarshal

func (m *TlsParameters) Unmarshal(dAtA []byte) error

func (*TlsParameters) Validate

func (m *TlsParameters) Validate() error

Validate checks the field values on TlsParameters with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*TlsParameters) XXX_DiscardUnknown

func (m *TlsParameters) XXX_DiscardUnknown()

func (*TlsParameters) XXX_Marshal

func (m *TlsParameters) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*TlsParameters) XXX_Merge

func (dst *TlsParameters) XXX_Merge(src proto.Message)

func (*TlsParameters) XXX_Size

func (m *TlsParameters) XXX_Size() int

func (*TlsParameters) XXX_Unmarshal

func (m *TlsParameters) XXX_Unmarshal(b []byte) error

type TlsParametersValidationError

type TlsParametersValidationError struct {
	Field  string
	Reason string
	Cause  error
	Key    bool
}

TlsParametersValidationError is the validation error returned by TlsParameters.Validate if the designated constraints aren't met.

func (TlsParametersValidationError) Error

Error satisfies the builtin error interface

type TlsParameters_TlsProtocol

// TlsParameters_TlsProtocol identifies a TLS protocol version for the
// minimum/maximum bounds in TlsParameters.
type TlsParameters_TlsProtocol int32
const (
	// Envoy will choose the optimal TLS version.
	// This is the proto3 zero value, so an unset version field means TLS_AUTO;
	// the version it resolves to is not stated in this listing.
	TlsParameters_TLS_AUTO TlsParameters_TlsProtocol = 0
	// TLS 1.0
	// NOTE(review): deprecated by RFC 8996; avoid as a minimum version.
	TlsParameters_TLSv1_0 TlsParameters_TlsProtocol = 1
	// TLS 1.1
	// NOTE(review): deprecated by RFC 8996; avoid as a minimum version.
	TlsParameters_TLSv1_1 TlsParameters_TlsProtocol = 2
	// TLS 1.2
	TlsParameters_TLSv1_2 TlsParameters_TlsProtocol = 3
	// TLS 1.3
	TlsParameters_TLSv1_3 TlsParameters_TlsProtocol = 4
)

func (TlsParameters_TlsProtocol) EnumDescriptor

func (TlsParameters_TlsProtocol) EnumDescriptor() ([]byte, []int)

func (TlsParameters_TlsProtocol) String

func (x TlsParameters_TlsProtocol) String() string

type TlsSessionTicketKeys

// TlsSessionTicketKeys carries the operator-managed keys used to encrypt and
// decrypt TLS session tickets for a downstream TLS context.
type TlsSessionTicketKeys struct {
	// Keys for encrypting and decrypting TLS session tickets. The
	// first key in the array contains the key to encrypt all new sessions created by this context.
	// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
	// by, for example, putting the new key first, and the previous key second.
	//
	// Because only listed keys can decrypt, dropping a key from the list
	// retires it: tickets issued under it stop resuming and those clients
	// fall back to a full handshake, which is the intended way to bound the
	// exposure of an old key.
	//
	// If :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
	// is not specified, the TLS library will still support resuming sessions via tickets, but it will
	// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
	// or on different hosts.
	//
	// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
	// example, the output of ``openssl rand 80``.
	//
	// .. attention::
	//
	//   Using this feature has serious security considerations and risks. Improper handling of keys
	//   may result in loss of secrecy in connections, even if ciphers supporting perfect forward
	//   secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
	//   discussion. To minimize the risk, you must:
	//
	//   * Keep the session ticket keys at least as secure as your TLS certificate private keys
	//   * Rotate session ticket keys at least daily, and preferably hourly
	//   * Always generate keys using a cryptographically-secure random data source
	//
	// NOTE(review): each entry is a core.DataSource. If the key material is
	// supplied inline rather than from a file, it becomes part of the
	// configuration itself and is exposed wherever that configuration is
	// stored, transmitted or dumped — confirm how the data source is delivered
	// before using inline material. Whether Validate() enforces the 80-byte
	// length is not visible in this listing; do not rely on validation to
	// reject a short or low-entropy key.
	Keys                 []*core.DataSource `protobuf:"bytes,1,rep,name=keys" json:"keys,omitempty"`
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral struct{}           `json:"-"`
	XXX_unrecognized     []byte             `json:"-"`
	XXX_sizecache        int32              `json:"-"`
}

func (*TlsSessionTicketKeys) Descriptor

func (*TlsSessionTicketKeys) Descriptor() ([]byte, []int)

func (*TlsSessionTicketKeys) Equal

func (this *TlsSessionTicketKeys) Equal(that interface{}) bool

func (*TlsSessionTicketKeys) GetKeys

func (m *TlsSessionTicketKeys) GetKeys() []*core.DataSource

func (*TlsSessionTicketKeys) Marshal

func (m *TlsSessionTicketKeys) Marshal() (dAtA []byte, err error)

func (*TlsSessionTicketKeys) MarshalTo

func (m *TlsSessionTicketKeys) MarshalTo(dAtA []byte) (int, error)

func (*TlsSessionTicketKeys) ProtoMessage

func (*TlsSessionTicketKeys) ProtoMessage()

func (*TlsSessionTicketKeys) Reset

func (m *TlsSessionTicketKeys) Reset()

func (*TlsSessionTicketKeys) Size

func (m *TlsSessionTicketKeys) Size() (n int)

func (*TlsSessionTicketKeys) String

func (m *TlsSessionTicketKeys) String() string

func (*TlsSessionTicketKeys) Unmarshal

func (m *TlsSessionTicketKeys) Unmarshal(dAtA []byte) error

func (*TlsSessionTicketKeys) Validate

func (m *TlsSessionTicketKeys) Validate() error

Validate checks the field values on TlsSessionTicketKeys with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*TlsSessionTicketKeys) XXX_DiscardUnknown

func (m *TlsSessionTicketKeys) XXX_DiscardUnknown()

func (*TlsSessionTicketKeys) XXX_Marshal

func (m *TlsSessionTicketKeys) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*TlsSessionTicketKeys) XXX_Merge

func (dst *TlsSessionTicketKeys) XXX_Merge(src proto.Message)

func (*TlsSessionTicketKeys) XXX_Size

func (m *TlsSessionTicketKeys) XXX_Size() int

func (*TlsSessionTicketKeys) XXX_Unmarshal

func (m *TlsSessionTicketKeys) XXX_Unmarshal(b []byte) error

type TlsSessionTicketKeysValidationError

// TlsSessionTicketKeysValidationError describes one constraint violation
// reported by TlsSessionTicketKeys.Validate. It wraps an optional underlying
// error in Cause.
type TlsSessionTicketKeysValidationError struct {
	// Field is the name of the TlsSessionTicketKeys field that failed validation.
	Field  string
	// Reason is a human-readable description of the violated rule.
	Reason string
	// Cause is the underlying error, if any; nil when the rule itself is the
	// only cause.
	Cause  error
	// Key — presumably true when the violation concerns a map key rather than
	// a value (protoc-gen-validate convention); verify against the generator.
	Key    bool
}

TlsSessionTicketKeysValidationError is the validation error returned by TlsSessionTicketKeys.Validate if the designated constraints aren't met.

func (TlsSessionTicketKeysValidationError) Error

Error satisfies the builtin error interface

type UpstreamTlsContext

// UpstreamTlsContext configures TLS for connections Envoy originates to a
// backend (cluster) host.
type UpstreamTlsContext struct {
	// Common TLS context settings.
	//
	// NOTE(review): an upstream context whose common context carries no
	// validation context does not verify the certificate the backend presents.
	// For any cluster that crosses a trust boundary, confirm that a trusted CA
	// and subject-alternative-name verification are configured here; SNI
	// below does not substitute for that.
	CommonTlsContext *CommonTlsContext `protobuf:"bytes,1,opt,name=common_tls_context,json=commonTlsContext" json:"common_tls_context,omitempty"`
	// SNI string to use when creating TLS backend connections.
	//
	// SNI only tells the backend which certificate to present; it is not an
	// identity check on the backend. Hostname/SAN verification has to be
	// configured separately in the validation context.
	Sni string `protobuf:"bytes,2,opt,name=sni,proto3" json:"sni,omitempty"`
	// If true, server-initiated TLS renegotiation will be allowed.
	//
	// .. attention::
	//
	//   TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
	//
	// Defaults to false (proto3 bool zero value), which is the safe setting.
	AllowRenegotiation   bool     `protobuf:"varint,3,opt,name=allow_renegotiation,json=allowRenegotiation,proto3" json:"allow_renegotiation,omitempty"`
	// Generated protobuf bookkeeping; not part of the configuration surface.
	XXX_NoUnkeyedLiteral struct{} `json:"-"`
	XXX_unrecognized     []byte   `json:"-"`
	XXX_sizecache        int32    `json:"-"`
}

func (*UpstreamTlsContext) Descriptor

func (*UpstreamTlsContext) Descriptor() ([]byte, []int)

func (*UpstreamTlsContext) Equal

func (this *UpstreamTlsContext) Equal(that interface{}) bool

func (*UpstreamTlsContext) GetAllowRenegotiation

func (m *UpstreamTlsContext) GetAllowRenegotiation() bool

func (*UpstreamTlsContext) GetCommonTlsContext

func (m *UpstreamTlsContext) GetCommonTlsContext() *CommonTlsContext

func (*UpstreamTlsContext) GetSni

func (m *UpstreamTlsContext) GetSni() string

func (*UpstreamTlsContext) Marshal

func (m *UpstreamTlsContext) Marshal() (dAtA []byte, err error)

func (*UpstreamTlsContext) MarshalTo

func (m *UpstreamTlsContext) MarshalTo(dAtA []byte) (int, error)

func (*UpstreamTlsContext) ProtoMessage

func (*UpstreamTlsContext) ProtoMessage()

func (*UpstreamTlsContext) Reset

func (m *UpstreamTlsContext) Reset()

func (*UpstreamTlsContext) Size

func (m *UpstreamTlsContext) Size() (n int)

func (*UpstreamTlsContext) String

func (m *UpstreamTlsContext) String() string

func (*UpstreamTlsContext) Unmarshal

func (m *UpstreamTlsContext) Unmarshal(dAtA []byte) error

func (*UpstreamTlsContext) Validate

func (m *UpstreamTlsContext) Validate() error

Validate checks the field values on UpstreamTlsContext with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

func (*UpstreamTlsContext) XXX_DiscardUnknown

func (m *UpstreamTlsContext) XXX_DiscardUnknown()

func (*UpstreamTlsContext) XXX_Marshal

func (m *UpstreamTlsContext) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)

func (*UpstreamTlsContext) XXX_Merge

func (dst *UpstreamTlsContext) XXX_Merge(src proto.Message)

func (*UpstreamTlsContext) XXX_Size

func (m *UpstreamTlsContext) XXX_Size() int

func (*UpstreamTlsContext) XXX_Unmarshal

func (m *UpstreamTlsContext) XXX_Unmarshal(b []byte) error

type UpstreamTlsContextValidationError

// UpstreamTlsContextValidationError describes one constraint violation
// reported by UpstreamTlsContext.Validate. It wraps an optional underlying
// error in Cause.
type UpstreamTlsContextValidationError struct {
	// Field is the name of the UpstreamTlsContext field that failed validation.
	Field  string
	// Reason is a human-readable description of the violated rule.
	Reason string
	// Cause is the underlying error, if any; nil when the rule itself is the
	// only cause.
	Cause  error
	// Key — presumably true when the violation concerns a map key rather than
	// a value (protoc-gen-validate convention); verify against the generator.
	Key    bool
}

UpstreamTlsContextValidationError is the validation error returned by UpstreamTlsContext.Validate if the designated constraints aren't met.

func (UpstreamTlsContextValidationError) Error

Error satisfies the builtin error interface
