ssl.proto

Package: gloo.solo.io

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/ssl/ssl.proto

SslConfig

SslConfig contains the options necessary to configure a virtual host or listener to use TLS termination.

"secretRef": .core.solo.io.ResourceRef
"sslFiles": .gloo.solo.io.SSLFiles
"sds": .gloo.solo.io.SDSConfig
"sniDomains": []string
"verifySubjectAltName": []string
"parameters": .gloo.solo.io.SslParameters
"alpnProtocols": []string
"oneWayTls": .google.protobuf.BoolValue
"disableTlsSessionResumption": .google.protobuf.BoolValue
"transportSocketConnectTimeout": .google.protobuf.Duration
"ocspStaplePolicy": .gloo.solo.io.SslConfig.OcspStaplePolicy

Field Type Description
secretRef .core.solo.io.ResourceRef SecretRef references a Gloo TLS secret or a Kubernetes TLS secret. A Gloo TLS secret can also contain a root CA if peer verification is needed. Only one of secretRef, sslFiles, or sds can be set.
sslFiles .gloo.solo.io.SSLFiles SSLFiles reference paths to certificates which are local to the proxy. Only one of sslFiles, secretRef, or sds can be set.
sds .gloo.solo.io.SDSConfig Use secret discovery service. Only one of sds, secretRef, or sslFiles can be set.
sniDomains []string Optional. The SNI domains that should be considered for TLS connections.
verifySubjectAltName []string Verify that the Subject Alternative Name in the peer certificate is one of the specified values. Note that a root CA must be provided if this option is used.
parameters .gloo.solo.io.SslParameters
alpnProtocols []string Set Application-Layer Protocol Negotiation. If empty, defaults to ["h2", "http/1.1"]. As an advanced option you may use ["allow_empty"] to bypass the defaults and configure no ALPN at all (i.e. pass an empty slice).
oneWayTls .google.protobuf.BoolValue If the SSL config has the ca.crt (root CA) provided, Gloo uses it to perform mTLS by default. Set oneWayTls to true to disable mTLS in favor of server-only TLS (one-way TLS), even if Gloo has the root CA. If unset, defaults to false.
disableTlsSessionResumption .google.protobuf.BoolValue If set to true, TLS session resumption is deactivated. Note that this deactivates only ticket-based TLS session resumption, not the session cache.
transportSocketConnectTimeout .google.protobuf.Duration If present and nonzero, the amount of time to allow incoming connections to complete any transport socket negotiations. If this expires before the transport reports connection establishment, the connection is summarily closed.
ocspStaplePolicy .gloo.solo.io.SslConfig.OcspStaplePolicy The OCSP staple policy to use for this listener. Defaults to LENIENT_STAPLING. https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls.proto#enum-extensions-transport-sockets-tls-v3-downstreamtlscontext-ocspstaplepolicy.

OcspStaplePolicy

Name Description
LENIENT_STAPLING OCSP responses are optional. If none is provided, or the provided response is expired, the associated certificate will be used without the OCSP response.
STRICT_STAPLING OCSP responses are optional. If none is provided, the associated certificate will be used without the OCSP response. If a response is present, but expired, the certificate will not be used for connections. If no suitable certificate is found, the connection is rejected.
MUST_STAPLE OCSP responses are required. If no ocsp_staple is set on a certificate, configuration will fail. If a response is expired, the associated certificate will not be used. If no suitable certificate is found, the connection is rejected.

SSLFiles

SSLFiles reference paths to certificates that the proxy can read from its local filesystem.

"tlsCert": string
"tlsKey": string
"rootCa": string
"ocspStaple": string

Field Type Description
tlsCert string
tlsKey string
rootCa string For client certificate validation. Optional.
ocspStaple string Stapled OCSP response. Optional; must be DER-encoded.

UpstreamSslConfig

UpstreamSslConfig contains the options necessary to configure an upstream to use TLS origination.

"secretRef": .core.solo.io.ResourceRef
"sslFiles": .gloo.solo.io.SSLFiles
"sds": .gloo.solo.io.SDSConfig
"sni": string
"verifySubjectAltName": []string
"parameters": .gloo.solo.io.SslParameters
"alpnProtocols": []string
"allowRenegotiation": .google.protobuf.BoolValue

Field Type Description
secretRef .core.solo.io.ResourceRef SecretRef references a Gloo TLS secret or a Kubernetes TLS secret. A Gloo TLS secret can also contain a root CA if peer verification is needed. Only one of secretRef, sslFiles, or sds can be set.
sslFiles .gloo.solo.io.SSLFiles SSLFiles reference paths to certificates which are local to the proxy. Only one of sslFiles, secretRef, or sds can be set.
sds .gloo.solo.io.SDSConfig Use secret discovery service. Only one of sds, secretRef, or sslFiles can be set.
sni string Optional. The SNI domain that should be used for TLS connections to the upstream.
verifySubjectAltName []string Verify that the Subject Alternative Name in the peer certificate is one of the specified values. Note that a root CA must be provided if this option is used.
parameters .gloo.solo.io.SslParameters
alpnProtocols []string Set Application Level Protocol Negotiation. If empty, it is not set.
allowRenegotiation .google.protobuf.BoolValue Allow TLS renegotiation; the default value is false. TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.

SDSConfig

"targetUri": string
"callCredentials": .gloo.solo.io.CallCredentials
"clusterName": string
"certificatesSecretName": string
"validationContextName": string

Field Type Description
targetUri string Target URI for the SDS channel. Currently only a Unix domain socket is supported.
callCredentials .gloo.solo.io.CallCredentials Call credentials. Only one of callCredentials or clusterName can be set.
clusterName string The name of the sds cluster in envoy. Only one of clusterName or callCredentials can be set.
certificatesSecretName string The name of the secret containing the certificate.
validationContextName string The name of the secret containing the validation context (i.e. the root CA).

CallCredentials

"fileCredentialSource": .gloo.solo.io.CallCredentials.FileCredentialSource

Field Type Description
fileCredentialSource .gloo.solo.io.CallCredentials.FileCredentialSource Call credentials are read from a file.

FileCredentialSource

"tokenFileName": string
"header": string

Field Type Description
tokenFileName string File containing the auth token.
header string Header to carry the token.

SslParameters

General TLS parameters. See the Envoy docs for more information on the meaning of these values.

"minimumProtocolVersion": .gloo.solo.io.SslParameters.ProtocolVersion
"maximumProtocolVersion": .gloo.solo.io.SslParameters.ProtocolVersion
"cipherSuites": []string
"ecdhCurves": []string

Field Type Description
minimumProtocolVersion .gloo.solo.io.SslParameters.ProtocolVersion
maximumProtocolVersion .gloo.solo.io.SslParameters.ProtocolVersion
cipherSuites []string
ecdhCurves []string

ProtocolVersion

Name Description
TLS_AUTO Envoy will choose the optimal TLS version.
TLSv1_0 TLS 1.0
TLSv1_1 TLS 1.1
TLSv1_2 TLS 1.2
TLSv1_3 TLS 1.3
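The constraints spelled out in the SslConfig, UpstreamSslConfig, SDSConfig and SslParameters tables above (one certificate source, root CA required for verifySubjectAltName, one SDS credential mechanism, ALPN defaults, oneWayTls semantics) can be checked before a config is applied. The following is an added example, not Gloo's own code; it operates on a plain dict shaped like the camelCase JSON form listed on this page, and the sample listener config it contains is constructed for illustration.

```python
# Added example (not Gloo's own code): an offline preflight linter that encodes the
# rules this page states for SslConfig / UpstreamSslConfig, SDSConfig and SslParameters.
PROTOCOL_ORDER = ["TLS_AUTO", "TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
CERT_SOURCES = ("secretRef", "sslFiles", "sds")

def effective_alpn(cfg, upstream=False):
    """ALPN rules from the page: listener default, the allow_empty sentinel, upstream unset."""
    alpn = cfg.get("alpnProtocols") or []
    if alpn == ["allow_empty"]:
        return []
    return list(alpn) if alpn else ([] if upstream else ["h2", "http/1.1"])

def has_root_ca(cfg):
    """True/False when the config itself shows a root CA; None for secretRef (not visible offline)."""
    if "sslFiles" in cfg:
        return bool(cfg["sslFiles"].get("rootCa"))
    return bool(cfg["sds"].get("validationContextName")) if "sds" in cfg else None

def tls_mode(cfg):
    """Per the oneWayTls description: a visible root CA means mTLS unless oneWayTls is true."""
    ca = has_root_ca(cfg)
    if ca is None:
        return "unknown"
    return "mTLS" if ca and not cfg.get("oneWayTls") else "one-way"

def lint_ssl_config(cfg, upstream=False):
    """Return the rule violations found; an empty list means the config passes."""
    problems = []
    sources = [k for k in CERT_SOURCES if k in cfg]
    if len(sources) != 1:
        problems.append(f"exactly one of {CERT_SOURCES} must be set, got {sources}")
    if cfg.get("verifySubjectAltName") and has_root_ca(cfg) is False:
        problems.append("verifySubjectAltName requires a root CA")
    sds = cfg.get("sds")
    if sds is not None and ("callCredentials" in sds) == ("clusterName" in sds):
        problems.append("sds: exactly one of callCredentials or clusterName must be set")
    params = cfg.get("parameters", {})
    lo, hi = params.get("minimumProtocolVersion"), params.get("maximumProtocolVersion")
    if lo in PROTOCOL_ORDER and hi in PROTOCOL_ORDER and "TLS_AUTO" not in (lo, hi):
        if PROTOCOL_ORDER.index(lo) > PROTOCOL_ORDER.index(hi):
            problems.append(f"minimumProtocolVersion {lo} is above maximumProtocolVersion {hi}")
    if upstream and cfg.get("allowRenegotiation") is True:
        problems.append("allowRenegotiation is true; the page calls renegotiation insecure")
    return problems

SAMPLE_LISTENER = {  # constructed sample: TLS termination from local files with client-cert checks
    "sslFiles": {"tlsCert": "/etc/tls/tls.crt", "tlsKey": "/etc/tls/tls.key", "rootCa": "/etc/tls/ca.crt"},
    "verifySubjectAltName": ["client.example.internal"],
    "parameters": {"minimumProtocolVersion": "TLSv1_2", "maximumProtocolVersion": "TLSv1_3"}}
```

Running `lint_ssl_config(SAMPLE_LISTENER)` returns an empty list and `tls_mode(SAMPLE_LISTENER)` reports "mTLS", because the root CA is present and oneWayTls is unset.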