solo-io · soloio-bulldozer · Mar 26, 2019 · Mar 26, 2019 · Mar 26, 2019 · Mar 26, 2019
diff --git a/changelog/v0.13.3/circuit_breakers.yaml b/changelog/v0.13.3/circuit_breakers.yaml
@@ -0,0 +1,4 @@
+changelog:
+  - type: NEW_FEATURE
+    description: Allow fine tuning ssl settings and circuit breakers
+    issueLink: https://github.com/solo-io/gloo/issues/609
diff --git a/docs/v1/github.com/solo-io/gloo/projects/gloo/api/v1/circuite_breakers.proto.sk.md b/docs/v1/github.com/solo-io/gloo/projects/gloo/api/v1/circuite_breakers.proto.sk.md
diff --git a/docs/v1/github.com/solo-io/gloo/projects/gloo/api/v1/plugins.proto.sk.md b/docs/v1/github.com/solo-io/gloo/projects/gloo/api/v1/plugins.proto.sk.md
diff --git a/docs/v1/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md b/docs/v1/github.com/solo-io/gloo/projects/gloo/api/v1/settings.proto.sk.md
diff --git a/docs/v1/github.com/solo-io/gloo/projects/gloo/api/v1/ssl.proto.sk.md b/docs/v1/github.com/solo-io/gloo/projects/gloo/api/v1/ssl.proto.sk.md
diff --git a/projects/gloo/api/v1/circuite_breakers.proto b/projects/gloo/api/v1/circuite_breakers.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+package gloo.solo.io;
+option go_package = "github.com/solo-io/gloo/projects/gloo/pkg/api/v1";
+
+import "gogoproto/gogo.proto";
+import "google/protobuf/wrappers.proto";
+
+option (gogoproto.equal_all) = true;
+
+
+
+// SslConfig contains the options necessary to configure a virtual host or listener to use TLS
+// See the [envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/cluster/circuit_breaker.proto#envoy-api-msg-cluster-circuitbreakers)
+// for the meaning of these values.
+message CircuitBreakerConfig {
+    google.protobuf.UInt32Value max_connections = 1;
+    google.protobuf.UInt32Value max_pending_requests = 2;
+    google.protobuf.UInt32Value max_requests = 3;
+    google.protobuf.UInt32Value max_retries = 4;
+}
diff --git a/projects/gloo/api/v1/plugins.proto b/projects/gloo/api/v1/plugins.proto
@@ -9,6 +9,7 @@ option (gogoproto.equal_all) = true;
 
 import "github.com/solo-io/gloo/projects/gloo/api/v1/ssl.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/extensions.proto";
+import "github.com/solo-io/gloo/projects/gloo/api/v1/circuite_breakers.proto";
 
 import "github.com/solo-io/gloo/projects/gloo/api/v1/plugins/aws/aws.proto";
 import "github.com/solo-io/gloo/projects/gloo/api/v1/plugins/rest/rest.proto";
@@ -74,6 +75,11 @@ message UpstreamSpec {
 
     UpstreamSslConfig ssl_config = 6;
 
+    // Circuite breakers for this upstream. if not set, the defaults ones from the Gloo settings will be used.
+    // if those are not set,  [envoy's defaults](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/cluster/circuit_breaker.proto#envoy-api-msg-cluster-circuitbreakers) 
+    // will be used.
+    CircuitBreakerConfig circuit_breakers = 7;
+
     // Note to developers: new Upstream Plugins must be added to this oneof field
     // to be usable by Gloo.
     oneof upstream_type {

diff --git a/projects/gloo/api/v1/settings.proto b/projects/gloo/api/v1/settings.proto
@@ -9,6 +9,7 @@ import "github.com/solo-io/solo-kit/api/v1/metadata.proto";
 import "github.com/solo-io/solo-kit/api/v1/status.proto";
 
 import "github.com/solo-io/gloo/projects/gloo/api/v1/extensions.proto";
+import "github.com/solo-io/gloo/projects/gloo/api/v1/circuite_breakers.proto";
 
 import "google/protobuf/duration.proto";
 
@@ -60,6 +61,9 @@ message Settings {
     } // watch a directory
 
 
+    // Default circuit breakers when not set in a specific upstream.
+    CircuitBreakerConfig circuit_breakers = 3;
+
     // Settings for extensions
     Extensions extensions = 16;
 

diff --git a/projects/gloo/api/v1/ssl.proto b/projects/gloo/api/v1/ssl.proto
@@ -24,6 +24,8 @@ message SslConfig {
     // Verify that the Subject Alternative Name in the peer certificate is one of the specified values.
     // note that a root_ca must be provided if this option is used.
     repeated string verify_subject_alt_name = 5;
+
+    SslParameters parameters = 6;
 }
 
 // SSLFiles reference paths to certificates which can be read by the proxy off of its local filesystem
@@ -52,6 +54,8 @@ message UpstreamSslConfig {
     // Verify that the Subject Alternative Name in the peer certificate is one of the specified values.
     // note that a root_ca must be provided if this option is used.
     repeated string verify_subject_alt_name = 5;
+
+    SslParameters parameters = 7;
 }
 
 message SDSConfig {
@@ -74,4 +78,31 @@ message CallCredentials {
     }
     // Call credentials are coming from a file,
     FileCredentialSource file_credential_source = 1;
+}
+
+// General TLS parameters. See the [envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto#envoy-api-enum-auth-tlsparameters-tlsprotocol)
+// for more information on the meaning of these values.
+message SslParameters {
+    enum ProtocolVersion {
+        // Envoy will choose the optimal TLS version.
+        TLS_AUTO = 0;
+
+        // TLS 1.0
+        TLSv1_0 = 1;
+
+        // TLS 1.1
+        TLSv1_1 = 2;
+
+        // TLS 1.2
+        TLSv1_2 = 3;
+
+        // TLS 1.3
+        TLSv1_3 = 4;
+      }
+
+
+    ProtocolVersion minimum_protocol_version = 1;
+    ProtocolVersion maximum_protocol_version = 2;
+    repeated string cipher_suites = 3;
+    repeated string ecdh_curves = 4;
 }