secretRef contains a reference to a Gloo TLS secret or a Kubernetes TLS secret. A Gloo TLS secret can also carry a root CA if peer verification is needed. Only one of secretRef, sslFiles, or sds can be set.
Use the secret discovery service (SDS) to obtain certificates at runtime. Only one of sds, secretRef, or sslFiles can be set.
sniDomains
[]string
Optional. The SNI domains that should be considered for TLS connections.
verifySubjectAltName
[]string
Verify that the Subject Alternative Name in the peer certificate is one of the specified values. Note that a root CA (root_ca) must be provided if this option is used, since there is otherwise nothing to validate the peer certificate against.
Sets the Application-Layer Protocol Negotiation (ALPN) protocols to advertise. If empty, defaults to ["h2", "http/1.1"]. As an advanced option, set it to ["allow_empty"] to skip the defaults and advertise no ALPN at all (i.e. pass an empty list).
If the SSL config has the ca.crt (root CA) provided, Gloo uses it to perform mTLS by default, that is, it requests and verifies a client certificate. Set oneWayTls to true to disable mTLS in favor of server-only TLS (one-way TLS), even if Gloo has the root CA. If unset, defaults to false.
If set to true, TLS session resumption is disabled. Note that this disables only ticket-based session resumption (TLS session tickets), not the session cache.
If present and nonzero, the amount of time to allow incoming connections to complete any transport socket negotiations (the TLS handshake). If this expires before the transport reports connection establishment, the connection is summarily closed.
LENIENT_STAPLING
OCSP responses are optional. If none is provided, or the provided response is expired, the associated certificate will be used without the OCSP response.
STRICT_STAPLING
OCSP responses are optional. If none is provided, the associated certificate will be used without the OCSP response. If a response is present but expired, the certificate will not be used for connections. If no suitable certificate is found, the connection is rejected.
MUST_STAPLE
OCSP responses are required. If no ocsp_staple is set on a certificate, the configuration fails to load. If a response is expired, the associated certificate will not be used. If no suitable certificate is found, the connection is rejected.
SSLFiles
SSLFiles references paths to certificate files that the proxy reads from its local filesystem.
secretRef contains a reference to a Gloo TLS secret or a Kubernetes TLS secret. A Gloo TLS secret can also carry a root CA if peer verification is needed. Only one of secretRef, sslFiles, or sds can be set.
Use secret discovery service. Only one of sds, secretRef, or sslFiles can be set.
sni
string
Optional. The SNI domain to use for TLS connections to this upstream.
verifySubjectAltName
[]string
Verify that the Subject Alternative Name in the peer certificate is one of the specified values. Note that a root CA (root_ca) must be provided if this option is used.
If the SSL config has the ca.crt (root CA) provided, Gloo uses it to perform mTLS by default. Set oneWayTls to true to disable mTLS in favor of server-only TLS (one-way TLS), even if Gloo has the root CA. This flag does nothing if SDS is configured. If unset, defaults to false.
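The listener-side SslConfig fields and the UpstreamSslConfig fields above share the same constraints: exactly one of secretRef, sslFiles or sds, verifySubjectAltName only together with a root CA, ALPN defaulting with the allow_empty escape hatch, and oneWayTls switching mTLS off (except on an upstream fed by SDS, where the page says it has no effect). The Go program below is an added example that models those documented rules; it is not Gloo's code and does not use Gloo's types. The `SslConfig` struct, its boolean stand-ins for the three certificate sources, the `HasRootCA` and `Upstream` flags, and the sample configurations are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// SslConfig is a constructed model of the fields documented on this page.
// The three source bools stand in for the nested secretRef, sslFiles and sds
// messages; HasRootCA records whether the chosen source supplies a ca.crt.
type SslConfig struct {
	SecretRef            bool
	SSLFiles             bool
	SDS                  bool
	HasRootCA            bool
	SniDomains           []string // listener sniDomains, or the single upstream sni value
	VerifySubjectAltName []string
	AlpnProtocols        []string
	OneWayTls            bool
	Upstream             bool // true for UpstreamSslConfig, where oneWayTls is ignored under SDS
}

// Validate applies the constraints the page states: exactly one certificate
// source, and verifySubjectAltName needs a root CA to verify against.
func Validate(c SslConfig) error {
	sources := 0
	for _, set := range []bool{c.SecretRef, c.SSLFiles, c.SDS} {
		if set {
			sources++
		}
	}
	if sources != 1 {
		return fmt.Errorf("exactly one of secretRef, sslFiles, or sds must be set (got %d)", sources)
	}
	if len(c.VerifySubjectAltName) > 0 && !c.HasRootCA {
		return errors.New("verifySubjectAltName requires a root CA (root_ca)")
	}
	return nil
}

// EffectiveALPN resolves alpnProtocols: empty means the default
// ["h2", "http/1.1"]; the sentinel ["allow_empty"] means advertise no ALPN.
func EffectiveALPN(alpn []string) []string {
	if len(alpn) == 0 {
		return []string{"h2", "http/1.1"}
	}
	if len(alpn) == 1 && alpn[0] == "allow_empty" {
		return []string{}
	}
	return alpn
}

// MutualTLS reports whether the peer will be asked for a client certificate.
// A root CA enables mTLS by default; oneWayTls turns it off, except on an
// upstream using SDS, where the page says the flag does nothing.
func MutualTLS(c SslConfig) bool {
	if !c.HasRootCA {
		return false
	}
	if c.Upstream && c.SDS {
		return true
	}
	return !c.OneWayTls
}

func main() {
	// Constructed: a listener backed by a secret that carries a root CA, with
	// SAN pinning and HTTP/1.1-only ALPN.
	listener := SslConfig{
		SecretRef:            true,
		HasRootCA:            true,
		SniDomains:           []string{"api.example.com"},
		VerifySubjectAltName: []string{"spiffe://example.com/client"},
		AlpnProtocols:        []string{"http/1.1"},
	}
	fmt.Println("listener valid:", Validate(listener) == nil,
		"mTLS:", MutualTLS(listener), "alpn:", EffectiveALPN(listener.AlpnProtocols))

	// Constructed: an upstream served through SDS with oneWayTls set; the flag
	// is ignored there, so mTLS stays on.
	upstream := SslConfig{SDS: true, HasRootCA: true, OneWayTls: true, Upstream: true}
	fmt.Println("upstream mTLS despite oneWayTls:", MutualTLS(upstream))

	// Misconfigurations the validator rejects.
	fmt.Println(Validate(SslConfig{SecretRef: true, SSLFiles: true}))
	fmt.Println(Validate(SslConfig{SecretRef: true, VerifySubjectAltName: []string{"svc.local"}}))
}
```

The check worth carrying into a real review is the last one: a SAN list without a root CA is not a hardening measure, because there is nothing to chain the peer certificate to, and on an SDS-backed upstream setting oneWayTls does not relax anything.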