ssl

package
v1.15.0-beta16
Published: Jun 30, 2023 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

// Lookup tables between the numeric wire value of SslConfig_OcspStaplePolicy
// and its symbolic name. These are protobuf registration tables: the numbers
// are the on-the-wire enum values and must match the enum constants exactly.
var (
	SslConfig_OcspStaplePolicy_name = map[int32]string{
		0: "LENIENT_STAPLING", // default; serves the cert even without a (valid) staple
		1: "STRICT_STAPLING",  // expired staple disqualifies the cert
		2: "MUST_STAPLE",      // every cert must carry a staple or config fails
	}
	SslConfig_OcspStaplePolicy_value = map[string]int32{
		"LENIENT_STAPLING": 0,
		"STRICT_STAPLING":  1,
		"MUST_STAPLE":      2,
	}
)

Enum value maps for SslConfig_OcspStaplePolicy.

// Lookup tables between the numeric wire value of SslParameters_ProtocolVersion
// and its symbolic name. Protobuf registration tables: values must match the
// enum constants exactly.
//
// NOTE(review): values 1 and 2 (TLS 1.0 / 1.1) are deprecated by RFC 8996;
// a minimum_protocol_version of 3 (TLS 1.2) or higher is the expected floor.
var (
	SslParameters_ProtocolVersion_name = map[int32]string{
		0: "TLS_AUTO",
		1: "TLSv1_0",
		2: "TLSv1_1",
		3: "TLSv1_2",
		4: "TLSv1_3",
	}
	SslParameters_ProtocolVersion_value = map[string]int32{
		"TLS_AUTO": 0,
		"TLSv1_0":  1,
		"TLSv1_1":  2,
		"TLSv1_2":  3,
		"TLSv1_3":  4,
	}
)

Enum value maps for SslParameters_ProtocolVersion.

// File_github_com_solo_io_gloo_projects_gloo_api_v1_ssl_ssl_proto is the
// protoreflect descriptor for ssl.proto; presumably populated by generated
// registration code and consumed by the ProtoReflect/Descriptor methods below.
var File_github_com_solo_io_gloo_projects_gloo_api_v1_ssl_ssl_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type CallCredentials

// CallCredentials describes the credentials the proxy attaches to calls on the
// SDS channel (it is one arm of SDSConfig's sds_builder oneof). The only
// supported source here is a file on the proxy's filesystem.
type CallCredentials struct {

	// Call credentials are coming from a file,
	// i.e. a token file plus the header name that carries it; see
	// CallCredentials_FileCredentialSource for the security caveats.
	FileCredentialSource *CallCredentials_FileCredentialSource `protobuf:"bytes,1,opt,name=file_credential_source,json=fileCredentialSource,proto3" json:"file_credential_source,omitempty"`
	// contains filtered or unexported fields
}

func (*CallCredentials) Clone

func (m *CallCredentials) Clone() proto.Message

Clone function

func (*CallCredentials) Descriptor deprecated

func (*CallCredentials) Descriptor() ([]byte, []int)

Deprecated: Use CallCredentials.ProtoReflect.Descriptor instead.

func (*CallCredentials) Equal

func (m *CallCredentials) Equal(that interface{}) bool

Equal function

func (*CallCredentials) GetFileCredentialSource

func (x *CallCredentials) GetFileCredentialSource() *CallCredentials_FileCredentialSource

func (*CallCredentials) Hash

func (m *CallCredentials) Hash(hasher hash.Hash64) (uint64, error)

Hash function

func (*CallCredentials) ProtoMessage

func (*CallCredentials) ProtoMessage()

func (*CallCredentials) ProtoReflect

func (x *CallCredentials) ProtoReflect() protoreflect.Message

func (*CallCredentials) Reset

func (x *CallCredentials) Reset()

func (*CallCredentials) String

func (x *CallCredentials) String() string

type CallCredentials_FileCredentialSource

// CallCredentials_FileCredentialSource names a file holding an auth token and
// the header under which that token is presented to the SDS server.
type CallCredentials_FileCredentialSource struct {

	// File containing auth token.
	// The path is read on the proxy's local filesystem. Nothing in this config
	// restricts who can read the file — NOTE(review): confirm the secret
	// mount/permissions make it readable only by the proxy user.
	TokenFileName string `protobuf:"bytes,1,opt,name=token_file_name,json=tokenFileName,proto3" json:"token_file_name,omitempty"`
	// Header to carry the token.
	// The token is presumably sent verbatim in this header on every SDS call,
	// so the SDS endpoint (SDSConfig.TargetUri, a unix domain socket) must be
	// the only party able to observe it.
	Header string `protobuf:"bytes,2,opt,name=header,proto3" json:"header,omitempty"`
	// contains filtered or unexported fields
}

func (*CallCredentials_FileCredentialSource) Clone

Clone function

func (*CallCredentials_FileCredentialSource) Descriptor deprecated

func (*CallCredentials_FileCredentialSource) Descriptor() ([]byte, []int)

Deprecated: Use CallCredentials_FileCredentialSource.ProtoReflect.Descriptor instead.

func (*CallCredentials_FileCredentialSource) Equal

func (m *CallCredentials_FileCredentialSource) Equal(that interface{}) bool

Equal function

func (*CallCredentials_FileCredentialSource) GetHeader

func (*CallCredentials_FileCredentialSource) GetTokenFileName

func (x *CallCredentials_FileCredentialSource) GetTokenFileName() string

func (*CallCredentials_FileCredentialSource) Hash

Hash function

func (*CallCredentials_FileCredentialSource) ProtoMessage

func (*CallCredentials_FileCredentialSource) ProtoMessage()

func (*CallCredentials_FileCredentialSource) ProtoReflect

func (*CallCredentials_FileCredentialSource) Reset

func (*CallCredentials_FileCredentialSource) String

type SDSConfig

// SDSConfig tells the proxy how to reach a Secret Discovery Service and which
// named secrets (certificate and validation context) to fetch from it, so that
// key material never has to be written into the proxy configuration itself.
type SDSConfig struct {

	// Target uri for the sds channel. currently only a unix domain socket is supported.
	// Because the channel is a local socket, the filesystem permissions on the
	// socket path are the access control for the SDS server — NOTE(review):
	// verify the socket is not world-accessible in the deployment.
	TargetUri string `protobuf:"bytes,1,opt,name=target_uri,json=targetUri,proto3" json:"target_uri,omitempty"`
	// Types that are assignable to SdsBuilder:
	//
	//	*SDSConfig_CallCredentials
	//	*SDSConfig_ClusterName
	//
	// Either per-call credentials read from a file, or the name of an existing
	// envoy cluster that fronts the SDS server.
	SdsBuilder isSDSConfig_SdsBuilder `protobuf_oneof:"sds_builder"`
	// The name of the secret containing the certificate
	// (presumably the certificate and private key the proxy presents).
	CertificatesSecretName string `` /* 129-byte string literal not displayed */
	// The name of secret containing the validation context (i.e. root ca)
	// This is what enables peer-certificate verification; without it the peer
	// is presumably not verified — TODO confirm against SslConfig.OneWayTls.
	ValidationContextName string `` /* 126-byte string literal not displayed */
	// contains filtered or unexported fields
}

func (*SDSConfig) Clone

func (m *SDSConfig) Clone() proto.Message

Clone function

func (*SDSConfig) Descriptor deprecated

func (*SDSConfig) Descriptor() ([]byte, []int)

Deprecated: Use SDSConfig.ProtoReflect.Descriptor instead.

func (*SDSConfig) Equal

func (m *SDSConfig) Equal(that interface{}) bool

Equal function

func (*SDSConfig) GetCallCredentials

func (x *SDSConfig) GetCallCredentials() *CallCredentials

func (*SDSConfig) GetCertificatesSecretName

func (x *SDSConfig) GetCertificatesSecretName() string

func (*SDSConfig) GetClusterName

func (x *SDSConfig) GetClusterName() string

func (*SDSConfig) GetSdsBuilder

func (m *SDSConfig) GetSdsBuilder() isSDSConfig_SdsBuilder

func (*SDSConfig) GetTargetUri

func (x *SDSConfig) GetTargetUri() string

func (*SDSConfig) GetValidationContextName

func (x *SDSConfig) GetValidationContextName() string

func (*SDSConfig) Hash

func (m *SDSConfig) Hash(hasher hash.Hash64) (uint64, error)

Hash function

func (*SDSConfig) ProtoMessage

func (*SDSConfig) ProtoMessage()

func (*SDSConfig) ProtoReflect

func (x *SDSConfig) ProtoReflect() protoreflect.Message

func (*SDSConfig) Reset

func (x *SDSConfig) Reset()

func (*SDSConfig) String

func (x *SDSConfig) String() string

type SDSConfig_CallCredentials

// SDSConfig_CallCredentials is the sds_builder oneof arm that authenticates
// the SDS channel with per-call credentials (a token read from a file).
type SDSConfig_CallCredentials struct {
	// Call credentials.
	// See CallCredentials_FileCredentialSource for how the token is sourced.
	CallCredentials *CallCredentials `protobuf:"bytes,2,opt,name=call_credentials,json=callCredentials,proto3,oneof"`
}

type SDSConfig_ClusterName

// SDSConfig_ClusterName is the sds_builder oneof arm that reuses an existing
// envoy cluster as the SDS transport instead of per-call credentials.
type SDSConfig_ClusterName struct {
	// The name of the sds cluster in envoy
	// The cluster's own transport settings govern how the SDS server is reached.
	ClusterName string `protobuf:"bytes,5,opt,name=cluster_name,json=clusterName,proto3,oneof"`
}

type SSLFiles

// SSLFiles locates TLS material by path on the proxy's local filesystem rather
// than via a secret store. All fields are paths, not inline contents.
type SSLFiles struct {
	// Path to the certificate the proxy presents.
	TlsCert string `protobuf:"bytes,1,opt,name=tls_cert,json=tlsCert,proto3" json:"tls_cert,omitempty"`
	// Path to the private key for TlsCert. NOTE(review): this config does not
	// restrict who can read the file; the key must be protected by file
	// permissions / mount options outside this API.
	TlsKey  string `protobuf:"bytes,2,opt,name=tls_key,json=tlsKey,proto3" json:"tls_key,omitempty"`
	// for client cert validation. optional
	// Path to the CA used to verify peer certificates. When unset, peers are
	// presumably not verified (see SslConfig.OneWayTls) — TODO confirm.
	RootCa string `protobuf:"bytes,3,opt,name=root_ca,json=rootCa,proto3" json:"root_ca,omitempty"`
	// stapled ocsp response. optional
	// should be der-encoded
	// Path to the DER OCSP response stapled into the handshake. How a missing
	// or expired staple is treated is governed by SslConfig.OcspStaplePolicy.
	OcspStaple string `protobuf:"bytes,4,opt,name=ocsp_staple,json=ocspStaple,proto3" json:"ocsp_staple,omitempty"`
	// contains filtered or unexported fields
}

SSLFiles references paths to the certificate, private key, optional root CA and optional OCSP staple that the proxy reads from its local filesystem.

func (*SSLFiles) Clone

func (m *SSLFiles) Clone() proto.Message

Clone function

func (*SSLFiles) Descriptor deprecated

func (*SSLFiles) Descriptor() ([]byte, []int)

Deprecated: Use SSLFiles.ProtoReflect.Descriptor instead.

func (*SSLFiles) Equal

func (m *SSLFiles) Equal(that interface{}) bool

Equal function

func (*SSLFiles) GetOcspStaple added in v1.14.2

func (x *SSLFiles) GetOcspStaple() string

func (*SSLFiles) GetRootCa

func (x *SSLFiles) GetRootCa() string

func (*SSLFiles) GetTlsCert

func (x *SSLFiles) GetTlsCert() string

func (*SSLFiles) GetTlsKey

func (x *SSLFiles) GetTlsKey() string

func (*SSLFiles) Hash

func (m *SSLFiles) Hash(hasher hash.Hash64) (uint64, error)

Hash function

func (*SSLFiles) ProtoMessage

func (*SSLFiles) ProtoMessage()

func (*SSLFiles) ProtoReflect

func (x *SSLFiles) ProtoReflect() protoreflect.Message

func (*SSLFiles) Reset

func (x *SSLFiles) Reset()

func (*SSLFiles) String

func (x *SSLFiles) String() string

type SslConfig

// SslConfig holds the downstream (TLS-terminating) settings for a listener or
// virtual host; the proxy is the TLS server here. Compare UpstreamSslConfig,
// the client-side counterpart used for TLS origination.
type SslConfig struct {

	// Types that are assignable to SslSecrets:
	//
	//	*SslConfig_SecretRef
	//	*SslConfig_SslFiles
	//	*SslConfig_Sds
	//
	// Exactly one of these supplies the certificate, key and optional root CA.
	SslSecrets isSslConfig_SslSecrets `protobuf_oneof:"ssl_secrets"`
	// optional. the SNI domains that should be considered for TLS connections
	// Presumably used to match this config against the client's SNI; an empty
	// list would then apply to any server name — TODO confirm.
	SniDomains []string `protobuf:"bytes,3,rep,name=sni_domains,json=sniDomains,proto3" json:"sni_domains,omitempty"`
	// Verify that the Subject Alternative Name in the peer certificate is one of the specified values.
	// note that a root_ca must be provided if this option is used.
	// With no values listed there is nothing to match, so presumably any client
	// certificate chaining to the root CA is accepted regardless of its SAN;
	// list the expected client identities here to pin them. NOTE(review):
	// likely a no-op when OneWayTls is true, since no client cert is requested.
	VerifySubjectAltName []string       `protobuf:"bytes,5,rep,name=verify_subject_alt_name,json=verifySubjectAltName,proto3" json:"verify_subject_alt_name,omitempty"`
	// Protocol-version bounds, cipher suites and curves; see SslParameters.
	Parameters           *SslParameters `protobuf:"bytes,6,opt,name=parameters,proto3" json:"parameters,omitempty"`
	// Set Application Level Protocol Negotiation
	// If empty, defaults to ["h2", "http/1.1"].
	// As an advanced option you may use ["allow_empty"] to avoid defaults and set alpn to have no alpn set (ie pass empty slice).
	AlpnProtocols []string `protobuf:"bytes,7,rep,name=alpn_protocols,json=alpnProtocols,proto3" json:"alpn_protocols,omitempty"`
	// If the SSL config has the ca.crt (root CA) provided, Gloo uses it to perform mTLS by default.
	// Set oneWayTls to true to disable mTLS in favor of server-only TLS (one-way TLS), even if Gloo has the root CA.
	// If unset, defaults to false.
	// NOTE(review): with one-way TLS the proxy no longer authenticates the
	// client at the transport layer; any client authentication then has to
	// happen elsewhere (e.g. at the application layer).
	OneWayTls *wrappers.BoolValue `protobuf:"bytes,8,opt,name=one_way_tls,json=oneWayTls,proto3" json:"one_way_tls,omitempty"`
	// If set to true, the TLS session resumption will be deactivated, note that it deactivates only the tickets based tls session resumption (not the cache).
	// Session-ID (cache based) resumption stays enabled regardless of this flag.
	DisableTlsSessionResumption *wrappers.BoolValue `` /* 146-byte string literal not displayed */
	// If present and nonzero, the amount of time to allow incoming connections to complete any
	// transport socket negotiations. If this expires before the transport reports connection
	// establishment, the connection is summarily closed.
	// When unset, this field imposes no handshake deadline, so as far as this
	// setting is concerned a peer may hold a half-finished handshake open
	// indefinitely; a bounded value limits that resource exposure.
	TransportSocketConnectTimeout *duration.Duration `` /* 153-byte string literal not displayed */
	// The OCSP staple policy to use for this listener.
	// Defaults to `LENIENT_STAPLING`.
	// https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#enum-extensions-transport-sockets-tls-v3-downstreamtlscontext-ocspstaplepolicy
	// LENIENT_STAPLING still serves a certificate whose staple is missing or
	// expired; choose STRICT_STAPLING or MUST_STAPLE when clients depend on a
	// fresh staple (see SslConfig_OcspStaplePolicy).
	OcspStaplePolicy SslConfig_OcspStaplePolicy `` /* 158-byte string literal not displayed */
	// contains filtered or unexported fields
}

SslConfig contains the options necessary to configure a virtual host or listener to use TLS termination

func (*SslConfig) Clone

func (m *SslConfig) Clone() proto.Message

Clone function

func (*SslConfig) Descriptor deprecated

func (*SslConfig) Descriptor() ([]byte, []int)

Deprecated: Use SslConfig.ProtoReflect.Descriptor instead.

func (*SslConfig) Equal

func (m *SslConfig) Equal(that interface{}) bool

Equal function

func (*SslConfig) GetAlpnProtocols

func (x *SslConfig) GetAlpnProtocols() []string

func (*SslConfig) GetDisableTlsSessionResumption

func (x *SslConfig) GetDisableTlsSessionResumption() *wrappers.BoolValue

func (*SslConfig) GetOcspStaplePolicy added in v1.14.2

func (x *SslConfig) GetOcspStaplePolicy() SslConfig_OcspStaplePolicy

func (*SslConfig) GetOneWayTls

func (x *SslConfig) GetOneWayTls() *wrappers.BoolValue

func (*SslConfig) GetParameters

func (x *SslConfig) GetParameters() *SslParameters

func (*SslConfig) GetSds

func (x *SslConfig) GetSds() *SDSConfig

func (*SslConfig) GetSecretRef

func (x *SslConfig) GetSecretRef() *core.ResourceRef

func (*SslConfig) GetSniDomains

func (x *SslConfig) GetSniDomains() []string

func (*SslConfig) GetSslFiles

func (x *SslConfig) GetSslFiles() *SSLFiles

func (*SslConfig) GetSslSecrets

func (m *SslConfig) GetSslSecrets() isSslConfig_SslSecrets

func (*SslConfig) GetTransportSocketConnectTimeout

func (x *SslConfig) GetTransportSocketConnectTimeout() *duration.Duration

func (*SslConfig) GetVerifySubjectAltName

func (x *SslConfig) GetVerifySubjectAltName() []string

func (*SslConfig) Hash

func (m *SslConfig) Hash(hasher hash.Hash64) (uint64, error)

Hash folds the message contents into the supplied hash.Hash64 and returns the resulting value (presumably used for change detection; it is not a cryptographic digest).

func (*SslConfig) ProtoMessage

func (*SslConfig) ProtoMessage()

func (*SslConfig) ProtoReflect

func (x *SslConfig) ProtoReflect() protoreflect.Message

func (*SslConfig) Reset

func (x *SslConfig) Reset()

func (*SslConfig) String

func (x *SslConfig) String() string

type SslConfig_OcspStaplePolicy added in v1.14.2

// SslConfig_OcspStaplePolicy controls what a listener does when a
// certificate's stapled OCSP response is missing or expired.
//
// The numeric values are protobuf wire values; their order is part of the
// API and must not change.
type SslConfig_OcspStaplePolicy int32

const (
	// SslConfig_LENIENT_STAPLING (0): a staple is optional. A missing or
	// expired response is ignored and the certificate is served without one.
	// This is the default and the most permissive setting.
	SslConfig_LENIENT_STAPLING SslConfig_OcspStaplePolicy = iota
	// SslConfig_STRICT_STAPLING (1): a staple is optional, but an expired one
	// disqualifies its certificate; if no usable certificate remains, the
	// connection is rejected.
	SslConfig_STRICT_STAPLING
	// SslConfig_MUST_STAPLE (2): every certificate must carry an `ocsp_staple`
	// or configuration fails. An expired response disqualifies its
	// certificate, and the connection is rejected if none remains.
	SslConfig_MUST_STAPLE
)

func (SslConfig_OcspStaplePolicy) Descriptor added in v1.14.2

func (SslConfig_OcspStaplePolicy) Enum added in v1.14.2

func (SslConfig_OcspStaplePolicy) EnumDescriptor deprecated added in v1.14.2

func (SslConfig_OcspStaplePolicy) EnumDescriptor() ([]byte, []int)

Deprecated: Use SslConfig_OcspStaplePolicy.Descriptor instead.

func (SslConfig_OcspStaplePolicy) Number added in v1.14.2

func (SslConfig_OcspStaplePolicy) String added in v1.14.2

func (SslConfig_OcspStaplePolicy) Type added in v1.14.2

type SslConfig_Sds

// SslConfig_Sds is the ssl_secrets oneof arm that fetches the listener's
// certificate and validation context from a Secret Discovery Service.
type SslConfig_Sds struct {
	// Use secret discovery service.
	// Key material stays out of the proxy config; see SDSConfig for the channel.
	Sds *SDSConfig `protobuf:"bytes,4,opt,name=sds,proto3,oneof"`
}

type SslConfig_SecretRef

// SslConfig_SecretRef is the ssl_secrets oneof arm that points at a stored
// secret (a gloo tls secret or a kubernetes tls secret) by reference.
type SslConfig_SecretRef struct {
	// SecretRef contains the secret ref to a gloo tls secret or a kubernetes tls secret.
	// gloo tls secret can contain a root ca as well if verification is needed.
	// Without a root ca in the secret, client-certificate verification is not
	// possible (see SslConfig.VerifySubjectAltName / OneWayTls).
	SecretRef *core.ResourceRef `protobuf:"bytes,1,opt,name=secret_ref,json=secretRef,proto3,oneof"`
}

type SslConfig_SslFiles

// SslConfig_SslFiles is the ssl_secrets oneof arm that reads the listener's
// TLS material from paths on the proxy's local filesystem.
type SslConfig_SslFiles struct {
	// SSLFiles reference paths to certificates which are local to the proxy
	// The private key path in particular must be protected by filesystem
	// permissions; see SSLFiles.
	SslFiles *SSLFiles `protobuf:"bytes,2,opt,name=ssl_files,json=sslFiles,proto3,oneof"`
}

type SslParameters

// SslParameters bounds the TLS protocol versions and lists the cipher suites
// and ECDH curves the proxy will negotiate. Shared by SslConfig (server side)
// and UpstreamSslConfig (client side).
type SslParameters struct {
	// Lowest protocol version accepted. TLS_AUTO (0) defers to Envoy's default.
	// NOTE(review): TLSv1_0 and TLSv1_1 are deprecated by RFC 8996; pin this to
	// TLSv1_2 or higher where policy requires an explicit floor.
	MinimumProtocolVersion SslParameters_ProtocolVersion `` /* 178-byte string literal not displayed */
	// Highest protocol version offered. Capping below TLSv1_3 forgoes 1.3's
	// handshake protections; TLS_AUTO (0) defers to Envoy's default.
	MaximumProtocolVersion SslParameters_ProtocolVersion `` /* 178-byte string literal not displayed */
	// Cipher suite list in the form Envoy accepts (see the envoy docs linked
	// below). NOTE(review): presumably applies to TLS 1.2 and below only, as
	// TLS 1.3 suites are fixed by the library — confirm against the envoy docs.
	CipherSuites           []string                      `protobuf:"bytes,3,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
	// ECDH curves offered for key exchange, in preference order.
	EcdhCurves             []string                      `protobuf:"bytes,4,rep,name=ecdh_curves,json=ecdhCurves,proto3" json:"ecdh_curves,omitempty"`
	// contains filtered or unexported fields
}

General TLS parameters. See the [envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlsparameters) for more information on the meaning of these values.

func (*SslParameters) Clone

func (m *SslParameters) Clone() proto.Message

Clone function

func (*SslParameters) Descriptor deprecated

func (*SslParameters) Descriptor() ([]byte, []int)

Deprecated: Use SslParameters.ProtoReflect.Descriptor instead.

func (*SslParameters) Equal

func (m *SslParameters) Equal(that interface{}) bool

Equal function

func (*SslParameters) GetCipherSuites

func (x *SslParameters) GetCipherSuites() []string

func (*SslParameters) GetEcdhCurves

func (x *SslParameters) GetEcdhCurves() []string

func (*SslParameters) GetMaximumProtocolVersion

func (x *SslParameters) GetMaximumProtocolVersion() SslParameters_ProtocolVersion

func (*SslParameters) GetMinimumProtocolVersion

func (x *SslParameters) GetMinimumProtocolVersion() SslParameters_ProtocolVersion

func (*SslParameters) Hash

func (m *SslParameters) Hash(hasher hash.Hash64) (uint64, error)

Hash function

func (*SslParameters) ProtoMessage

func (*SslParameters) ProtoMessage()

func (*SslParameters) ProtoReflect

func (x *SslParameters) ProtoReflect() protoreflect.Message

func (*SslParameters) Reset

func (x *SslParameters) Reset()

func (*SslParameters) String

func (x *SslParameters) String() string

type SslParameters_ProtocolVersion

// SslParameters_ProtocolVersion names a TLS protocol version for the
// minimum/maximum bounds in SslParameters. The numeric values are protobuf
// wire values; their order is part of the API and must not change.
type SslParameters_ProtocolVersion int32

const (
	// SslParameters_TLS_AUTO (0): no explicit bound; Envoy chooses the version.
	// NOTE(review): "optimal" is whatever the Envoy build defaults to — set an
	// explicit MinimumProtocolVersion where policy requires a floor.
	SslParameters_TLS_AUTO SslParameters_ProtocolVersion = iota
	// SslParameters_TLSv1_0 (1): TLS 1.0. Deprecated by RFC 8996; avoid.
	SslParameters_TLSv1_0
	// SslParameters_TLSv1_1 (2): TLS 1.1. Deprecated by RFC 8996; avoid.
	SslParameters_TLSv1_1
	// SslParameters_TLSv1_2 (3): TLS 1.2 — the lowest version that should be
	// accepted as a minimum today.
	SslParameters_TLSv1_2
	// SslParameters_TLSv1_3 (4): TLS 1.3.
	SslParameters_TLSv1_3
)

func (SslParameters_ProtocolVersion) Descriptor

func (SslParameters_ProtocolVersion) Enum

func (SslParameters_ProtocolVersion) EnumDescriptor deprecated

func (SslParameters_ProtocolVersion) EnumDescriptor() ([]byte, []int)

Deprecated: Use SslParameters_ProtocolVersion.Descriptor instead.

func (SslParameters_ProtocolVersion) Number

func (SslParameters_ProtocolVersion) String

func (SslParameters_ProtocolVersion) Type

type UpstreamSslConfig

// UpstreamSslConfig holds the client-side settings the proxy uses to originate
// TLS to an upstream; the proxy is the TLS client here. Compare SslConfig, the
// listener-side (terminating) counterpart.
type UpstreamSslConfig struct {

	// Types that are assignable to SslSecrets:
	//
	//	*UpstreamSslConfig_SecretRef
	//	*UpstreamSslConfig_SslFiles
	//	*UpstreamSslConfig_Sds
	//
	// Supplies the client certificate/key presented to the upstream and the
	// root CA used to verify the upstream's certificate.
	SslSecrets isUpstreamSslConfig_SslSecrets `protobuf_oneof:"ssl_secrets"`
	// optional. the SNI domains that should be considered for TLS connections
	// A single server name (the field is a string, not a list): presumably the
	// SNI value presented to the upstream. NOTE(review): SNI only tells the
	// upstream which certificate to serve; it does not by itself check the
	// name on that certificate — use VerifySubjectAltName for that.
	Sni string `protobuf:"bytes,3,opt,name=sni,proto3" json:"sni,omitempty"`
	// Verify that the Subject Alternative Name in the peer certificate is one of the specified values.
	// note that a root_ca must be provided if this option is used.
	// NOTE(review): with no values listed, any certificate chaining to the root
	// CA is presumably accepted whatever name it carries; pin the expected
	// upstream name(s) here so a valid-but-wrong certificate cannot pass.
	VerifySubjectAltName []string       `protobuf:"bytes,5,rep,name=verify_subject_alt_name,json=verifySubjectAltName,proto3" json:"verify_subject_alt_name,omitempty"`
	// Protocol-version bounds, cipher suites and curves; see SslParameters.
	Parameters           *SslParameters `protobuf:"bytes,7,opt,name=parameters,proto3" json:"parameters,omitempty"`
	// Set Application Level Protocol Negotiation.
	// If empty, it is not set.
	// (Unlike SslConfig there is no h2/http1.1 default on the upstream side.)
	AlpnProtocols []string `protobuf:"bytes,8,rep,name=alpn_protocols,json=alpnProtocols,proto3" json:"alpn_protocols,omitempty"`
	// Allow Tls renegotiation, the default value is false.
	// TLS renegotiation is considered insecure and shouldn’t be used unless absolutely necessary.
	// Leave unset/false unless a legacy upstream requires renegotiation;
	// enabling it re-opens the renegotiation attack surface on this connection.
	AllowRenegotiation *wrappers.BoolValue `protobuf:"bytes,10,opt,name=allow_renegotiation,json=allowRenegotiation,proto3" json:"allow_renegotiation,omitempty"`
	// contains filtered or unexported fields
}

UpstreamSslConfig contains the options necessary to configure an upstream to use TLS origination (the proxy acts as the TLS client toward the upstream).

func (*UpstreamSslConfig) Clone

func (m *UpstreamSslConfig) Clone() proto.Message

Clone function

func (*UpstreamSslConfig) Descriptor deprecated

func (*UpstreamSslConfig) Descriptor() ([]byte, []int)

Deprecated: Use UpstreamSslConfig.ProtoReflect.Descriptor instead.

func (*UpstreamSslConfig) Equal

func (m *UpstreamSslConfig) Equal(that interface{}) bool

Equal function

func (*UpstreamSslConfig) GetAllowRenegotiation

func (x *UpstreamSslConfig) GetAllowRenegotiation() *wrappers.BoolValue

func (*UpstreamSslConfig) GetAlpnProtocols

func (x *UpstreamSslConfig) GetAlpnProtocols() []string

func (*UpstreamSslConfig) GetParameters

func (x *UpstreamSslConfig) GetParameters() *SslParameters

func (*UpstreamSslConfig) GetSds

func (x *UpstreamSslConfig) GetSds() *SDSConfig

func (*UpstreamSslConfig) GetSecretRef

func (x *UpstreamSslConfig) GetSecretRef() *core.ResourceRef

func (*UpstreamSslConfig) GetSni

func (x *UpstreamSslConfig) GetSni() string

func (*UpstreamSslConfig) GetSslFiles

func (x *UpstreamSslConfig) GetSslFiles() *SSLFiles

func (*UpstreamSslConfig) GetSslSecrets

func (m *UpstreamSslConfig) GetSslSecrets() isUpstreamSslConfig_SslSecrets

func (*UpstreamSslConfig) GetVerifySubjectAltName

func (x *UpstreamSslConfig) GetVerifySubjectAltName() []string

func (*UpstreamSslConfig) Hash

func (m *UpstreamSslConfig) Hash(hasher hash.Hash64) (uint64, error)

Hash function

func (*UpstreamSslConfig) ProtoMessage

func (*UpstreamSslConfig) ProtoMessage()

func (*UpstreamSslConfig) ProtoReflect

func (x *UpstreamSslConfig) ProtoReflect() protoreflect.Message

func (*UpstreamSslConfig) Reset

func (x *UpstreamSslConfig) Reset()

func (*UpstreamSslConfig) String

func (x *UpstreamSslConfig) String() string

type UpstreamSslConfig_Sds

// UpstreamSslConfig_Sds is the ssl_secrets oneof arm that fetches the client
// certificate and validation context from a Secret Discovery Service.
type UpstreamSslConfig_Sds struct {
	// Use secret discovery service.
	// Key material stays out of the proxy config; see SDSConfig for the channel.
	Sds *SDSConfig `protobuf:"bytes,4,opt,name=sds,proto3,oneof"`
}

type UpstreamSslConfig_SecretRef

// UpstreamSslConfig_SecretRef is the ssl_secrets oneof arm that points at a
// stored secret (a gloo tls secret or a kubernetes tls secret) by reference.
type UpstreamSslConfig_SecretRef struct {
	// SecretRef contains the secret ref to a gloo tls secret or a kubernetes tls secret.
	// gloo tls secret can contain a root ca as well if verification is needed.
	// Without a root ca the upstream's certificate cannot be verified (see
	// UpstreamSslConfig.VerifySubjectAltName).
	SecretRef *core.ResourceRef `protobuf:"bytes,1,opt,name=secret_ref,json=secretRef,proto3,oneof"`
}

type UpstreamSslConfig_SslFiles

// UpstreamSslConfig_SslFiles is the ssl_secrets oneof arm that reads the client
// TLS material from paths on the proxy's local filesystem.
type UpstreamSslConfig_SslFiles struct {
	// SSLFiles reference paths to certificates which are local to the proxy
	// The private key path in particular must be protected by filesystem
	// permissions; see SSLFiles.
	SslFiles *SSLFiles `protobuf:"bytes,2,opt,name=ssl_files,json=sslFiles,proto3,oneof"`
}
