Navigation :

ssl.proto

Package: `gloo.solo.io`

Types:

SslConfig
OcspStaplePolicy
SSLFiles
UpstreamSslConfig
SDSConfig
CallCredentials
FileCredentialSource
SslParameters
ProtocolVersion

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/ssl/ssl.proto

SslConfig

SslConfig contains the options necessary to configure a virtual host or listener to use TLS termination

"secretRef": .core.solo.io.ResourceRef
"sslFiles": .gloo.solo.io.SSLFiles
"sds": .gloo.solo.io.SDSConfig
"sniDomains": []string
"verifySubjectAltName": []string
"parameters": .gloo.solo.io.SslParameters
"alpnProtocols": []string
"oneWayTls": .google.protobuf.BoolValue
"disableTlsSessionResumption": .google.protobuf.BoolValue
"transportSocketConnectTimeout": .google.protobuf.Duration
"ocspStaplePolicy": .gloo.solo.io.SslConfig.OcspStaplePolicy

Field	Type	Description
`secretRef`	.core.solo.io.ResourceRef	SecretRef contains the secret ref to a gloo tls secret or a kubernetes tls secret. gloo tls secret can contain a root ca as well if verification is needed. Only one of `secretRef`, `sslFiles`, or `sds` can be set.
`sslFiles`	.gloo.solo.io.SSLFiles	SSLFiles reference paths to certificates which are local to the proxy. Only one of `sslFiles`, `secretRef`, or `sds` can be set.
`sds`	.gloo.solo.io.SDSConfig	Use secret discovery service. Only one of `sds`, `secretRef`, or `sslFiles` can be set.
`sniDomains`	`[]string`	optional. the SNI domains that should be considered for TLS connections.
`verifySubjectAltName`	`[]string`	Verify that the Subject Alternative Name in the peer certificate is one of the specified values. note that a root_ca must be provided if this option is used.
`parameters`	.gloo.solo.io.SslParameters
`alpnProtocols`	`[]string`	Set Application Level Protocol Negotiation If empty, defaults to [“h2”, “http/1.1”]. As an advanced option you may use [“allow_empty”] to avoid defaults and set alpn to have no alpn set (ie pass empty slice).
`oneWayTls`	.google.protobuf.BoolValue	If the SSL config has the ca.crt (root CA) provided, Gloo uses it to perform mTLS by default. Set oneWayTls to true to disable mTLS in favor of server-only TLS (one-way TLS), even if Gloo has the root CA. If unset, defaults to false.
`disableTlsSessionResumption`	.google.protobuf.BoolValue	If set to true, the TLS session resumption will be deactivated, note that it deactivates only the tickets based tls session resumption (not the cache).
`transportSocketConnectTimeout`	.google.protobuf.Duration	If present and nonzero, the amount of time to allow incoming connections to complete any transport socket negotiations. If this expires before the transport reports connection establishment, the connection is summarily closed.
`ocspStaplePolicy`	.gloo.solo.io.SslConfig.OcspStaplePolicy	The OCSP staple policy to use for this listener. Defaults to `LENIENT_STAPLING`. https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#enum-extensions-transport-sockets-tls-v3-downstreamtlscontext-ocspstaplepolicy.

OcspStaplePolicy

Name	Description
`LENIENT_STAPLING`	OCSP responses are optional. If none is provided, or the provided response is expired, the associated certificate will be used without the OCSP response.
`STRICT_STAPLING`	OCSP responses are optional. If none is provided, the associated certificate will be used without the OCSP response. If a response is present, but expired, the certificate will not be used for connections. If no suitable certificate is found, the connection is rejected.
`MUST_STAPLE`	OCSP responses are required. If no `ocsp_staple` is set on a certificate, configuration will fail. If a response is expired, the associated certificate will not be used. If no suitable certificate is found, the connection is rejected.

SSLFiles

SSLFiles reference paths to certificates which can be read by the proxy off of its local filesystem

"tlsCert": string
"tlsKey": string
"rootCa": string
"ocspStaple": string

Field	Type	Description
`tlsCert`	`string`
`tlsKey`	`string`
`rootCa`	`string`	for client cert validation. optional.
`ocspStaple`	`string`	stapled ocsp response. optional should be der-encoded.

UpstreamSslConfig

SslConfig contains the options necessary to configure an upstream to use TLS origination

"secretRef": .core.solo.io.ResourceRef
"sslFiles": .gloo.solo.io.SSLFiles
"sds": .gloo.solo.io.SDSConfig
"sni": string
"verifySubjectAltName": []string
"parameters": .gloo.solo.io.SslParameters
"alpnProtocols": []string
"allowRenegotiation": .google.protobuf.BoolValue

Field	Type	Description
`secretRef`	.core.solo.io.ResourceRef	SecretRef contains the secret ref to a gloo tls secret or a kubernetes tls secret. gloo tls secret can contain a root ca as well if verification is needed. Only one of `secretRef`, `sslFiles`, or `sds` can be set.
`sslFiles`	.gloo.solo.io.SSLFiles	SSLFiles reference paths to certificates which are local to the proxy. Only one of `sslFiles`, `secretRef`, or `sds` can be set.
`sds`	.gloo.solo.io.SDSConfig	Use secret discovery service. Only one of `sds`, `secretRef`, or `sslFiles` can be set.
`sni`	`string`	optional. the SNI domains that should be considered for TLS connections.
`verifySubjectAltName`	`[]string`	Verify that the Subject Alternative Name in the peer certificate is one of the specified values. note that a root_ca must be provided if this option is used.
`parameters`	.gloo.solo.io.SslParameters
`alpnProtocols`	`[]string`	Set Application Level Protocol Negotiation. If empty, it is not set.
`allowRenegotiation`	.google.protobuf.BoolValue	Allow Tls renegotiation, the default value is false. TLS renegotiation is considered insecure and shouldn’t be used unless absolutely necessary.

SDSConfig

"targetUri": string
"callCredentials": .gloo.solo.io.CallCredentials
"clusterName": string
"certificatesSecretName": string
"validationContextName": string

Field	Type	Description
`targetUri`	`string`	Target uri for the sds channel. currently only a unix domain socket is supported.
`callCredentials`	.gloo.solo.io.CallCredentials	Call credentials. Only one of `callCredentials` or `clusterName` can be set.
`clusterName`	`string`	The name of the sds cluster in envoy. Only one of `clusterName` or `callCredentials` can be set.
`certificatesSecretName`	`string`	The name of the secret containing the certificate.
`validationContextName`	`string`	The name of secret containing the validation context (i.e. root ca).

CallCredentials

"fileCredentialSource": .gloo.solo.io.CallCredentials.FileCredentialSource

Field	Type	Description
`fileCredentialSource`	.gloo.solo.io.CallCredentials.FileCredentialSource	Call credentials are coming from a file,.

FileCredentialSource

"tokenFileName": string
"header": string

Field	Type	Description
`tokenFileName`	`string`	File containing auth token.
`header`	`string`	Header to carry the token.

SslParameters

General TLS parameters. See the envoy docs for more information on the meaning of these values.

"minimumProtocolVersion": .gloo.solo.io.SslParameters.ProtocolVersion
"maximumProtocolVersion": .gloo.solo.io.SslParameters.ProtocolVersion
"cipherSuites": []string
"ecdhCurves": []string

Field	Type	Description
`minimumProtocolVersion`	.gloo.solo.io.SslParameters.ProtocolVersion
`maximumProtocolVersion`	.gloo.solo.io.SslParameters.ProtocolVersion
`cipherSuites`	`[]string`
`ecdhCurves`	`[]string`

ProtocolVersion

Name	Description
`TLS_AUTO`	Envoy will choose the optimal TLS version.
`TLSv1_0`	TLS 1.0
`TLSv1_1`	TLS 1.1
`TLSv1_2`	TLS 1.2
`TLSv1_3`	TLS 1.3