ClientTlsPolicy

Proto: client_tls_policy.proto

Package: security.policy.gloo.solo.io

Types:

ClientTLSPolicyReport

Field Description
workspaces (repeated ClientTLSPolicyReport.WorkspacesEntry)

The status of the resource in each workspace that it exists in.
selectedDestinationPorts (repeated common.gloo.solo.io.DestinationReference)

A list of destination ports selected by the policy.

ClientTLSPolicyReport.WorkspacesEntry

Field Description
key (string)

value (common.gloo.solo.io.Report)

ClientTLSPolicySpec

ClientTLSPolicy explicitly controls the TLS/mTLS configuration for upstream connections.

Field Description
applyToDestinations (repeated common.gloo.solo.io.DestinationSelector)

disable (ClientTLSPolicySpec.Disable)

simple (ClientTLSPolicySpec.Simple)

mutual (ClientTLSPolicySpec.Mutual)

istioMutual (ClientTLSPolicySpec.IstioMutual)

ClientTLSPolicySpec.Disable

Explicitly do not establish a TLS connection to the destination.

ClientTLSPolicySpec.IstioMutual

Initiate a mutual TLS connection using the Istio-provided certificates. This is useful if a broader policy/configuration has disabled Istio mTLS but you need it enabled for a specific destination.

ClientTLSPolicySpec.Mutual

Initiate a mutual TLS connection and present client certificates via the provided credential/secret. This is separate from any TLS/mTLS provided by Istio.

Field Description
config (TLSConfig)

ClientTLSPolicySpec.Simple

Initiate a basic TLS connection, and possibly verify the server certificate if provided a CA via credential/secret. This is separate from any TLS/mTLS provided by Istio.

Field Description
config (TLSConfig)

ClientTLSPolicyStatus

Field Description
common (common.gloo.solo.io.Status)

The state and workspace conditions of the applied resource.
numSelectedDestinationPorts (uint32)

The number of destination ports selected by the policy.

TLSConfig

Field Description
sni (google.protobuf.StringValue)

SNI string to present to the server during the TLS handshake. Setting it is recommended; if omitted, the first hostname associated with the destination is used.
credentialName (string)

The name of the secret that holds the TLS certs for the client, including the CA certificates. The secret must exist in the same namespace as the proxy that uses the certificates. The secret (of type generic) should contain the following keys and values: key: , cert: , cacert: . Here the CA certificate is used to verify the server certificate. A secret of type tls for the client certificates, together with a ca.crt key for the CA certificates, is also supported. See: https://istio.io/latest/docs/reference/config/networking/destination-rule/#ClientTLSSettings
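The following manifests are an added example, not taken from the Gloo documentation or project, showing how the Simple and Mutual modes described above and the TLSConfig fields (sni, credentialName) fit together with the referenced secrets. Assumptions not stated on this page: the apiVersion security.policy.gloo.solo.io/v2, the DestinationSelector shape (port.number plus selector.name/namespace), and all names, namespaces, hostnames and PEM contents, which are constructed placeholders. Both secrets are placed in the workload namespace, because the page requires the secret to live in the namespace of the proxy that uses it (the sidecar's namespace).

```yaml
# --- Simple mode: one-way TLS, server certificate verified against a CA ---
# Generic (Opaque) secret using the key names from this page. Only cacert is
# needed when the client does not present its own certificate. Without a CA
# the Simple mode would not verify the server, so always supply one.
apiVersion: v1
kind: Secret
metadata:
  name: payments-server-ca          # constructed name
  namespace: payments               # assumption: same namespace as the calling workload's proxy
type: Opaque
stringData:
  cacert: |
    -----BEGIN CERTIFICATE-----
    (placeholder: PEM of the CA that signed payments-api's server certificate)
    -----END CERTIFICATE-----
---
apiVersion: security.policy.gloo.solo.io/v2   # assumption: v2 API version of this package
kind: ClientTLSPolicy
metadata:
  name: payments-api-simple-tls
  namespace: payments
spec:
  applyToDestinations:                        # assumption: selector shape
  - port:
      number: 8443
    selector:
      name: payments-api
      namespace: payments
  simple:
    config:
      sni: payments-api.example.internal      # constructed; must match the server cert's SAN
      credentialName: payments-server-ca      # secret above, same namespace as the proxy
---
# --- Mutual mode: client presents its own certificate, outside Istio mTLS ---
# Secret of type tls, which this page says is also supported: tls.key/tls.crt
# are the standard kubernetes.io/tls keys, and ca.crt carries the CA used to
# verify the server.
apiVersion: v1
kind: Secret
metadata:
  name: ledger-client-mtls          # constructed name
  namespace: payments
type: kubernetes.io/tls
stringData:
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    (placeholder: client private key PEM)
    -----END PRIVATE KEY-----
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    (placeholder: client certificate PEM)
    -----END CERTIFICATE-----
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    (placeholder: CA PEM used to verify the ledger server)
    -----END CERTIFICATE-----
---
apiVersion: security.policy.gloo.solo.io/v2
kind: ClientTLSPolicy
metadata:
  name: ledger-mutual-tls
  namespace: payments
spec:
  applyToDestinations:
  - port:
      number: 9443
    selector:
      name: ledger
      namespace: payments
  mutual:
    config:
      sni: ledger.example.internal
      credentialName: ledger-client-mtls
```

After applying the policies, the ClientTLSPolicyStatus field numSelectedDestinationPorts should read 1 for each policy, and the report's selectedDestinationPorts should list the matching port; a value of 0 is the quickest sign that the selector did not match and traffic is still leaving in whatever mode the broader mesh configuration dictates.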