Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

108 lines (89 sloc) 3.7 KB
syntax = "proto3";
package gloo.solo.io;
option go_package = "github.com/solo-io/gloo/projects/gloo/pkg/api/v1";
import "gogoproto/gogo.proto";
option (gogoproto.equal_all) = true;
import "github.com/solo-io/solo-kit/api/v1/ref.proto";
// SslConfig contains the options necessary to configure a virtual host or listener to use TLS
message SslConfig {
oneof ssl_secrets {
// SecretRef contains the secret ref to a gloo tls secret or a kubernetes tls secret.
// gloo tls secret can contain a root ca as well if verification is needed.
core.solo.io.ResourceRef secret_ref = 1;
// SSLFiles reference paths to certificates which are local to the proxy
SSLFiles ssl_files = 2;
// Use secret discovery service.
SDSConfig sds = 4;
}
// optional. the SNI domains that should be considered for TLS connections
repeated string sni_domains = 3;
// Verify that the Subject Alternative Name in the peer certificate is one of the specified values.
// note that a root_ca must be provided if this option is used.
repeated string verify_subject_alt_name = 5;
SslParameters parameters = 6;
}
// SSLFiles reference paths to certificates which can be read by the proxy off of its local filesystem
message SSLFiles {
string tls_cert = 1;
string tls_key = 2;
// for client cert validation. optional
string root_ca = 3;
}
// SslConfig contains the options necessary to configure a virtual host or listener to use TLS
message UpstreamSslConfig {
oneof ssl_secrets {
// SecretRef contains the secret ref to a gloo tls secret or a kubernetes tls secret.
// gloo tls secret can contain a root ca as well if verification is needed.
core.solo.io.ResourceRef secret_ref = 1;
// SSLFiles reference paths to certificates which are local to the proxy
SSLFiles ssl_files = 2;
// Use secret discovery service.
SDSConfig sds = 4;
}
// optional. the SNI domains that should be considered for TLS connections
string sni = 3;
// Verify that the Subject Alternative Name in the peer certificate is one of the specified values.
// note that a root_ca must be provided if this option is used.
repeated string verify_subject_alt_name = 5;
SslParameters parameters = 7;
}
message SDSConfig {
// Target uri for the sds channel. currently only a unix domain socket is supported.
string target_uri = 1;
// Call credentials.
CallCredentials call_credentials = 2;
// The name of the secret containing the certificate
string certificates_secret_name = 3;
// The name of secret containing the validation context (i.e. root ca)
string validation_context_name= 4;
}
message CallCredentials {
message FileCredentialSource {
// File containing auth token.
string token_file_name = 1;
// Header to carry the token.
string header = 2;
}
// Call credentials are coming from a file,
FileCredentialSource file_credential_source = 1;
}
// General TLS parameters. See the [envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto#envoy-api-enum-auth-tlsparameters-tlsprotocol)
// for more information on the meaning of these values.
message SslParameters {
enum ProtocolVersion {
// Envoy will choose the optimal TLS version.
TLS_AUTO = 0;
// TLS 1.0
TLSv1_0 = 1;
// TLS 1.1
TLSv1_1 = 2;
// TLS 1.2
TLSv1_2 = 3;
// TLS 1.3
TLSv1_3 = 4;
}
ProtocolVersion minimum_protocol_version = 1;
ProtocolVersion maximum_protocol_version = 2;
repeated string cipher_suites = 3;
repeated string ecdh_curves = 4;
}
You can’t perform that action at this time.