ssl.proto

Package: gloo.solo.io

Types:

Source File: github.com/solo-io/gloo/projects/gloo/api/v1/ssl.proto

SslConfig

SslConfig contains the options necessary to configure a virtual host or listener to use TLS

"secretRef": .core.solo.io.ResourceRef
"sslFiles": .gloo.solo.io.SSLFiles
"sds": .gloo.solo.io.SDSConfig
"sniDomains": []string
"verifySubjectAltName": []string
"parameters": .gloo.solo.io.SslParameters

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| secretRef | .core.solo.io.ResourceRef | SecretRef contains the secret ref to a Gloo TLS secret or a Kubernetes TLS secret. A Gloo TLS secret can also contain a root CA if verification is needed. | |
| sslFiles | .gloo.solo.io.SSLFiles | SSLFiles reference paths to certificates which are local to the proxy. | |
| sds | .gloo.solo.io.SDSConfig | Use secret discovery service. | |
| sniDomains | []string | Optional. The SNI domains that should be considered for TLS connections. | |
| verifySubjectAltName | []string | Verify that the Subject Alternative Name in the peer certificate is one of the specified values. Note that a root_ca must be provided if this option is used. | |
| parameters | .gloo.solo.io.SslParameters | | |

SSLFiles

SSLFiles reference paths to certificates which can be read by the proxy off of its local filesystem

"tlsCert": string
"tlsKey": string
"rootCa": string

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| tlsCert | string | | |
| tlsKey | string | | |
| rootCa | string | For client cert validation. Optional. | |

UpstreamSslConfig

SslConfig contains the options necessary to configure a virtual host or listener to use TLS

"secretRef": .core.solo.io.ResourceRef
"sslFiles": .gloo.solo.io.SSLFiles
"sds": .gloo.solo.io.SDSConfig
"sni": string
"verifySubjectAltName": []string
"parameters": .gloo.solo.io.SslParameters

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| secretRef | .core.solo.io.ResourceRef | SecretRef contains the secret ref to a Gloo TLS secret or a Kubernetes TLS secret. A Gloo TLS secret can also contain a root CA if verification is needed. | |
| sslFiles | .gloo.solo.io.SSLFiles | SSLFiles reference paths to certificates which are local to the proxy. | |
| sds | .gloo.solo.io.SDSConfig | Use secret discovery service. | |
| sni | string | Optional. The SNI domains that should be considered for TLS connections. | |
| verifySubjectAltName | []string | Verify that the Subject Alternative Name in the peer certificate is one of the specified values. Note that a root_ca must be provided if this option is used. | |
| parameters | .gloo.solo.io.SslParameters | | |

SDSConfig

"targetUri": string
"callCredentials": .gloo.solo.io.CallCredentials
"certificatesSecretName": string
"validationContextName": string

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| targetUri | string | Target URI for the SDS channel. Currently only a unix domain socket is supported. | |
| callCredentials | .gloo.solo.io.CallCredentials | Call credentials. | |
| certificatesSecretName | string | The name of the secret containing the certificate. | |
| validationContextName | string | The name of the secret containing the validation context (i.e. root CA). | |

CallCredentials

"fileCredentialSource": .gloo.solo.io.CallCredentials.FileCredentialSource

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| fileCredentialSource | .gloo.solo.io.CallCredentials.FileCredentialSource | Call credentials are coming from a file. | |

FileCredentialSource

"tokenFileName": string
"header": string

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| tokenFileName | string | File containing auth token. | |
| header | string | Header to carry the token. | |

SslParameters

General TLS parameters. See the Envoy docs for more information on the meaning of these values.

"minimumProtocolVersion": .gloo.solo.io.SslParameters.ProtocolVersion
"maximumProtocolVersion": .gloo.solo.io.SslParameters.ProtocolVersion
"cipherSuites": []string
"ecdhCurves": []string

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| minimumProtocolVersion | .gloo.solo.io.SslParameters.ProtocolVersion | | |
| maximumProtocolVersion | .gloo.solo.io.SslParameters.ProtocolVersion | | |
| cipherSuites | []string | | |
| ecdhCurves | []string | | |

ProtocolVersion

| Name | Description |
| --- | --- |
| TLS_AUTO | Envoy will choose the optimal TLS version. |
| TLSv1_0 | TLS 1.0 |
| TLSv1_1 | TLS 1.1 |
| TLSv1_2 | TLS 1.2 |
| TLSv1_3 | TLS 1.3 |
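
The constraints stated in the tables above (a root CA is required for verifySubjectAltName, the SDS target must be a unix domain socket, and the ProtocolVersion bounds) can be checked before a config is applied. The following is an added example, not code from the Gloo project. It assumes the config is already parsed into a dict, that secretRef, sslFiles and sds are alternatives, and that a unix socket target is written as "unix:<path>" or an absolute path. All sample names and paths are constructed.

```python
# Added example (not Gloo code): lint an SslConfig / UpstreamSslConfig dict
# using the field names and enum values documented on this page.
TLS_ORDER = ["TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3"]  # oldest to newest
CERT_SOURCES = ("secretRef", "sslFiles", "sds")

def lint_ssl_config(cfg):
    """Return a list of (code, message) findings; an empty list means clean."""
    out = []
    sources = [s for s in CERT_SOURCES if cfg.get(s)]
    # Assumption: the three certificate sources are alternatives.
    if len(sources) != 1:
        out.append(("cert-source", "expected exactly one of %s, found %d"
                    % (", ".join(CERT_SOURCES), len(sources))))
    files, sds = cfg.get("sslFiles") or {}, cfg.get("sds") or {}
    # Page: the SDS channel currently supports only a unix domain socket.
    # Assumption: such a target is "unix:<path>" or an absolute path.
    uri = sds.get("targetUri", "")
    if sds and not (uri.startswith("unix:") or uri.startswith("/")):
        out.append(("sds-target", "targetUri %r is not a unix domain socket" % uri))
    # Page: verifySubjectAltName needs a root CA. A secretRef's contents are
    # not visible here, so only sslFiles and sds can be checked statically.
    if cfg.get("verifySubjectAltName"):
        if files and not files.get("rootCa"):
            out.append(("san-no-root-ca", "sslFiles.rootCa is empty"))
        if sds and not sds.get("validationContextName"):
            out.append(("san-no-root-ca", "sds.validationContextName is empty"))
    params = cfg.get("parameters") or {}
    lo = params.get("minimumProtocolVersion", "TLS_AUTO")
    hi = params.get("maximumProtocolVersion", "TLS_AUTO")
    if lo in ("TLSv1_0", "TLSv1_1"):  # deprecated by RFC 8996
        out.append(("legacy-tls", "minimumProtocolVersion %s admits deprecated TLS" % lo))
    if lo in TLS_ORDER and hi in TLS_ORDER and TLS_ORDER.index(lo) > TLS_ORDER.index(hi):
        out.append(("version-range", "minimum %s is newer than maximum %s" % (lo, hi)))
    return out

# Constructed sample configs (all names and paths are placeholders).
WEAK = {
    "sslFiles": {"tlsCert": "/etc/tls/tls.crt", "tlsKey": "/etc/tls/tls.key"},
    "verifySubjectAltName": ["spiffe://example.test/client"],
    "parameters": {"minimumProtocolVersion": "TLSv1_0"},
}
HARDENED = dict(WEAK,
    sslFiles=dict(WEAK["sslFiles"], rootCa="/etc/tls/ca.crt"),
    parameters={"minimumProtocolVersion": "TLSv1_2",
                "maximumProtocolVersion": "TLSv1_3"})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_ssl_config(cfg))
```

A config that uses secretRef passes the root CA check unconditionally, so the referenced secret still has to be inspected separately when verifySubjectAltName is set.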