From f2337b409dfc1fcd2054193e95cb2e82dfdb8e70 Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Wed, 27 Sep 2017 03:32:38 -0700
Subject: [PATCH 1/7] kds: key discovery service.
Signed-off-by: Piotr Sikora
---
api/BUILD | 12 ++++++++++++
api/bootstrap.proto | 2 ++
api/kds.proto | 26 ++++++++++++++++++++++++++
api/tls_context.proto | 9 +++++++++
4 files changed, 49 insertions(+)
create mode 100644 api/kds.proto
diff --git a/api/BUILD b/api/BUILD
index 4cfadb473..bfd74e2b4 100644
--- a/api/BUILD
+++ b/api/BUILD
@@ -21,6 +21,7 @@ api_proto_library(
":base",
":discovery",
":cds",
+ ":kds",
":lds",
],
)
@@ -34,6 +35,7 @@ api_proto_library(
api_proto_library(
name = "tls_context",
srcs = ["tls_context.proto"],
+ deps = [":base"],
)
api_proto_library(
@@ -79,6 +81,16 @@ api_proto_library(
],
)
+api_proto_library(
+ name = "kds",
+ srcs = ["kds.proto"],
+ has_services = 1,
+ deps = [
+ ":discovery",
+ ":tls_context",
+ ],
+)
+
api_proto_library(
name = "lds",
srcs = ["lds.proto"],
diff --git a/api/bootstrap.proto b/api/bootstrap.proto
index fb4c73f74..b6e1f470b 100644
--- a/api/bootstrap.proto
+++ b/api/bootstrap.proto
@@ -11,6 +11,7 @@ import "api/base.proto";
import "api/discovery.proto";
import "api/cds.proto";
import "api/lds.proto";
+import "api/kds.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
@@ -231,6 +232,7 @@ message Bootstrap {
// to know how to speak to the management server. These cluster definitions
// may not use EDS (i.e. they should be static IP or DNS-based).
repeated Cluster clusters = 2;
+ repeated Secret secrets = 3;
}
StaticResources static_resources = 2;
diff --git a/api/kds.proto b/api/kds.proto
new file mode 100644
index 000000000..3c81d607d
--- /dev/null
+++ b/api/kds.proto
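Review bot: `repeated Secret secrets = 3;` is added to StaticResources without a comment, while `clusters` directly above it carries one, so nothing tells a reader what a static secret is for or that it holds key material. A Secret wraps a TlsCertificate whose `private_key` DataSource can be inline `bytes`, which means a private key pasted here lives in the bootstrap file with whatever permissions that file has. Suggested comment: `// Secrets (TLS certificates with their private keys) that TLS contexts reference by name without going through SDS; prefer a filename DataSource for private_key so the bootstrap file itself does not carry key material.` The "referenced by name" part follows the SdsSecretConfig comment later in this series and should be confirmed against the implementation. The StaticResources message starts before this hunk.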
@@ -0,0 +1,26 @@
+syntax = "proto3";
+
+package envoy.api.v2;
+
+import "api/discovery.proto";
+import "api/tls_context.proto";
+
+import "google/api/annotations.proto";
+
+service KeyDiscoveryService{
+ rpc StreamSecrets(stream DiscoveryRequest)
+ returns (stream DiscoveryResponse) {
+ }
+
+ rpc FetchSecrets(DiscoveryRequest)
+ returns (DiscoveryResponse) {
+ option (google.api.http) = {
+ post: "/v2/discovery:secrets"
+ body: "*"
+ };
+ }
+}
+
+message Secret {
+ TlsCertificate tls_certificate = 1;
+}
diff --git a/api/tls_context.proto b/api/tls_context.proto
index 6926f9781..17dea54a0 100644
--- a/api/tls_context.proto
+++ b/api/tls_context.proto
@@ -2,6 +2,8 @@ syntax = "proto3";
package envoy.api.v2;
+import "api/base.proto";
+
import "google/protobuf/wrappers.proto";
message DataSource {
@@ -39,6 +41,13 @@ message TlsCertificate {
DataSource password = 3;
DataSource ocsp_staple = 4;
repeated DataSource signed_certificate_timestamp = 5;
+
+ // Optional name (e.g. FQDN, UUID, SPKI) by which the certificate can be referred to.
+ // When both: name and kds_config are specified, certificate can be fetched and/or reloaded
+ // via KDS. When name is specified, but kds_config is empty, the certificate will be loaded
+ // from static resources [V2-API-DIFF].
+ string name = 6;
+ ConfigSource kds_config = 7;
}
message CertificateValidationContext {
From 8cf70cfc6647e958843268fece7ba596632e897f Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Wed, 27 Sep 2017 16:03:15 -0700
Subject: [PATCH 2/7] review: add KdsSecretConfig.
Signed-off-by: Piotr Sikora
---
api/base.proto | 8 ++++++++
api/tls_context.proto | 8 ++------
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/api/base.proto b/api/base.proto
index 683200490..b2c30c991 100644
--- a/api/base.proto
+++ b/api/base.proto
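Review bot: `service KeyDiscoveryService{` has no comment stating that its responses carry private keys, and `FetchSecrets` also exposes them through the REST mapping `post: "/v2/discovery:secrets"` with `body: "*"`, the same shape as the non-sensitive xDS services. Unlike a cluster or listener, a response that is read or substituted on the wire hands out or replaces key material, so the service deserves a header comment naming the transport requirement, e.g. `// Delivers private key material: only use over a mutually authenticated, encrypted channel to a trusted management server.` If DiscoveryResponse carries resources as Any like the other xDS services (not visible in this hunk), the comment should also say that clients only unpack resources whose type is Secret. Nit: add a space before `{` in `service KeyDiscoveryService{`.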
@@ -137,6 +137,14 @@ message ApiConfigSource {
message AggregatedConfigSource {
}
+message KdsSecretConfig {
+ // Optional name (e.g. FQDN, UUID, SPKI) by which the secret can be referred to [V2-API-DIFF].
+ // When both name and config are specified, then secret can be fetched and/or reloaded via KDS.
+ // When only name is specified, then secret will be loaded from static resources.
+ string secret_name = 1;
+ ConfigSource kds_config = 2;
+}
+
// Configuration for listeners, clusters, routes, endpoints etc. may either be
// sourced from the filesystem or from an API source. Filesystem configs are
// watched with inotify for updates.
diff --git a/api/tls_context.proto b/api/tls_context.proto
index 17dea54a0..59baa9348 100644
--- a/api/tls_context.proto
+++ b/api/tls_context.proto
@@ -42,12 +42,8 @@ message TlsCertificate {
DataSource ocsp_staple = 4;
repeated DataSource signed_certificate_timestamp = 5;
- // Optional name (e.g. FQDN, UUID, SPKI) by which the certificate can be referred to.
- // When both: name and kds_config are specified, certificate can be fetched and/or reloaded
- // via KDS. When name is specified, but kds_config is empty, the certificate will be loaded
- // from static resources [V2-API-DIFF].
- string name = 6;
- ConfigSource kds_config = 7;
+ // KDS configuration which allows to fetch and/or reload this TLS certificates.
+ KdsSecretConfig kds_secret_config = 6;
}
message CertificateValidationContext {
From de3db12899622842b900f0c4c62a42f91142b696 Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Wed, 27 Sep 2017 17:38:49 -0700
Subject: [PATCH 3/7] review: KDS is now SDS.
Signed-off-by: Piotr Sikora
---
README.md | 7 ++++---
api/BUILD | 22 +++++++++++-----------
api/base.proto | 10 +++++-----
api/bootstrap.proto | 2 +-
api/{kds.proto => sds.proto} | 2 +-
api/tls_context.proto | 4 ++--
6 files changed, 24 insertions(+), 23 deletions(-)
rename api/{kds.proto => sds.proto} (93%)
diff --git a/README.md b/README.md index 4d1f360cd..95de9dd75 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ The LDS/CDS/EDS/RDS APIs are now frozen and will maintain backwards compatibility according to standard proto rules (e.g. new fields will not reuse tags, field types will not change, fields will not be renumbered, etc.). -The remainder of the API (ADS, HDS, RLS, filter fragments other than HTTP +The remainder of the API (ADS, HDS, RLS, SDS, filter fragments other than HTTP connection manager, the bootstrap proto) are draft work-in-progress. Input is welcome via issue filing. Small, localized PRs are also welcome, but any major changes or suggestions should be coordinated in a tracking issue with the @@ -74,7 +74,7 @@ closed issue should also be included. this repository. * REST-JSON API equivalents will be provided for the basic singleton xDS - subscription services CDS/EDS/LDS/EDS. Advanced APIs such as HDS, ADS and + subscription services CDS/EDS/LDS/RDS/SDS. Advanced APIs such as HDS, ADS and EDS multi-dimensional LB will be gRPC only. This avoids having to map complicated bidirectional stream semantics onto REST. @@ -110,6 +110,7 @@ Unless otherwise stated, the APIs with the same names as v1 APIs have a similar * [Listener Discovery Service (LDS)](api/lds.proto). This new API supports dynamic discovery of the listener configuration (which ports to bind to, TLS details, filter chains, etc.). * [Rate Limit Service (RLS)](api/rls.proto) * [Route Discovery Service (RDS)](api/rds.proto). +* [Secret Discovery Service (SDS)](api/sds.proto). In addition to the above APIs, an aggregation API will be provided to allow for fine grained control over the sequencing of API updates across discovery 
@@ -166,6 +167,6 @@ repeated below and some new v2 terms introduced.
* Upstream: An upstream host receives connections and requests from Envoy and returns responses.
-* xDS: CDS/EDS/HDS/LDS/RLS/RDS APIs.
+* xDS: CDS/EDS/HDS/LDS/RLS/RDS/SDS APIs.
* Zone: Availability Zone (AZ) in AWS, Zone in GCP.
diff --git a/api/BUILD b/api/BUILD
index bfd74e2b4..b4c3c5da1 100644
--- a/api/BUILD
+++ b/api/BUILD
@@ -21,8 +21,8 @@ api_proto_library(
":base",
":discovery",
":cds",
- ":kds",
":lds",
+ ":sds",
],
)
@@ -81,16 +81,6 @@ api_proto_library(
],
)
-api_proto_library(
- name = "kds",
- srcs = ["kds.proto"],
- has_services = 1,
- deps = [
- ":discovery",
- ":tls_context",
- ],
-)
-
api_proto_library(
name = "lds",
srcs = ["lds.proto"],
@@ -123,3 +113,13 @@ api_proto_library(
":discovery",
],
)
+
+api_proto_library(
+ name = "sds",
+ srcs = ["sds.proto"],
+ has_services = 1,
+ deps = [
+ ":discovery",
+ ":tls_context",
+ ],
+)
diff --git a/api/base.proto b/api/base.proto
index b2c30c991..dd5958180 100644
--- a/api/base.proto
+++ b/api/base.proto
@@ -137,12 +137,12 @@ message ApiConfigSource {
message AggregatedConfigSource {
}
-message KdsSecretConfig {
- // Optional name (e.g. FQDN, UUID, SPKI) by which the secret can be referred to [V2-API-DIFF].
- // When both name and config are specified, then secret can be fetched and/or reloaded via KDS.
- // When only name is specified, then secret will be loaded from static resources.
+message SdsSecretConfig {
+ // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
+ // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
+ // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
string secret_name = 1;
- ConfigSource kds_config = 2;
+ ConfigSource sds_config = 2;
}
// Configuration for listeners, clusters, routes, endpoints etc. may either be
diff --git a/api/bootstrap.proto b/api/bootstrap.proto
index b6e1f470b..8b9fb7671 100644
--- a/api/bootstrap.proto
+++ b/api/bootstrap.proto
@@ -11,7 +11,7 @@ import "api/base.proto";
import "api/discovery.proto";
import "api/cds.proto";
import "api/lds.proto";
-import "api/kds.proto";
+import "api/sds.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
diff --git a/api/kds.proto b/api/sds.proto
similarity index 93%
rename from api/kds.proto
rename to api/sds.proto
index 3c81d607d..bcc9e315d 100644
--- a/api/kds.proto
+++ b/api/sds.proto
@@ -7,7 +7,7 @@ import "api/tls_context.proto";
import "google/api/annotations.proto";
-service KeyDiscoveryService{
+service SecretDiscoveryService{
rpc StreamSecrets(stream DiscoveryRequest)
returns (stream DiscoveryResponse) {
}
diff --git a/api/tls_context.proto b/api/tls_context.proto
index 59baa9348..84f3fe425 100644
--- a/api/tls_context.proto
+++ b/api/tls_context.proto
@@ -42,8 +42,8 @@ message TlsCertificate {
DataSource ocsp_staple = 4;
repeated DataSource signed_certificate_timestamp = 5;
- // KDS configuration which allows to fetch and/or reload this TLS certificates.
- KdsSecretConfig kds_secret_config = 6;
+ // SDS configuration which allows to fetch and/or reload this TLS certificates.
+ SdsSecretConfig sds_secret_config = 6;
}
message CertificateValidationContext {
From 253bf8562244d75b6bf9df1e898be2a645364ddd Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Tue, 3 Oct 2017 04:10:37 -0700
Subject: [PATCH 4/7] review: move SdsSecretConfig out of TlsCertificate.
Signed-off-by: Piotr Sikora
---
api/tls_context.proto | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/api/tls_context.proto b/api/tls_context.proto
index 84f3fe425..e79a6278f 100644
--- a/api/tls_context.proto
+++ b/api/tls_context.proto
@@ -41,9 +41,6 @@ message TlsCertificate {
DataSource password = 3;
DataSource ocsp_staple = 4;
repeated DataSource signed_certificate_timestamp = 5;
-
- // SDS configuration which allows to fetch and/or reload this TLS certificates.
- SdsSecretConfig sds_secret_config = 6;
}
message CertificateValidationContext {
@@ -79,7 +76,9 @@ message CommonTlsContext {
// Multiple TLS certificates can be associated with the same context,
// e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF].
+ // TLS certificates can be either configured locally or fetched from SDS.
repeated TlsCertificate tls_certificates = 2;
+ repeated SdsSecretConfig sds_secret_configs = 6;
// How to validate peer certificates.
CertificateValidationContext validation_context = 3;
From 44831c20ca3edbe83bc2171a75348598865c349b Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Tue, 3 Oct 2017 04:11:23 -0700
Subject: [PATCH 5/7] review: add name and type to the Secret.
Signed-off-by: Piotr Sikora
---
api/sds.proto | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/api/sds.proto b/api/sds.proto
index bcc9e315d..7a48f9404 100644
--- a/api/sds.proto
+++ b/api/sds.proto
@@ -22,5 +22,8 @@ service SecretDiscoveryService{
}
message Secret {
- TlsCertificate tls_certificate = 1;
+ string name = 1;
+ oneof type {
+ TlsCertificate tls_certificate = 2;
+ }
}
From 00a0904e64d35b481def42f142da6fd4a38c820e Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Tue, 3 Oct 2017 04:12:16 -0700
Subject: [PATCH 6/7] review: merge tls_context.proto into sds.proto.
Signed-off-by: Piotr Sikora
---
api/BUILD | 12 ++---
api/base.proto | 8 ---
api/cds.proto | 2 +-
api/lds.proto | 2 +-
api/sds.proto | 121 +++++++++++++++++++++++++++++++++++++++++-
api/tls_context.proto | 117 ----------------------------------------
6 files changed, 125 insertions(+), 137 deletions(-)
delete mode 100644 api/tls_context.proto
diff --git a/api/BUILD b/api/BUILD
index b4c3c5da1..c5ca8f869 100644
--- a/api/BUILD
+++ b/api/BUILD
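Review bot: `repeated SdsSecretConfig sds_secret_configs = 6;` sits next to `tls_certificates` with a comment that certificates come from either source, but nothing says how the two lists combine when both are set or what a context does before its first SDS delivery. For a DownstreamTlsContext that is the security-relevant question: a reader cannot tell whether a listener whose only certificates are SDS-sourced is meant to refuse handshakes until the secret arrives. Suggest stating the intended semantics in the comment, for example `// The effective certificate set is the union of tls_certificates and the secrets named in sds_secret_configs; a context whose SDS secrets have not yet been delivered cannot complete handshakes.` (adjust to match the implementation). The field is also listed out of tag order (6 above 3, 4 and 5); a short `// 6 was the next free tag` remark would stop a later edit from "fixing" the number. CommonTlsContext continues outside the hunk.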
@@ -32,12 +32,6 @@ api_proto_library(
deps = [":base"],
)
-api_proto_library(
- name = "tls_context",
- srcs = ["tls_context.proto"],
- deps = [":base"],
-)
-
api_proto_library(
name = "cds",
srcs = ["cds.proto"],
@@ -48,7 +42,7 @@ api_proto_library(
":discovery",
":health_check",
":protocol",
- ":tls_context",
+ ":sds",
],
)
@@ -89,7 +83,7 @@ api_proto_library(
":address",
":base",
":discovery",
- ":tls_context",
+ ":sds",
],
)
@@ -119,7 +113,7 @@ api_proto_library(
srcs = ["sds.proto"],
has_services = 1,
deps = [
+ ":base",
":discovery",
- ":tls_context",
],
)
diff --git a/api/base.proto b/api/base.proto
index dd5958180..683200490 100644
--- a/api/base.proto
+++ b/api/base.proto
@@ -137,14 +137,6 @@ message ApiConfigSource {
message AggregatedConfigSource {
}
-message SdsSecretConfig {
- // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
- // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
- // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
- string secret_name = 1;
- ConfigSource sds_config = 2;
-}
-
// Configuration for listeners, clusters, routes, endpoints etc. may either be
// sourced from the filesystem or from an API source. Filesystem configs are
// watched with inotify for updates.
diff --git a/api/cds.proto b/api/cds.proto
index 1b19268c8..78b77c2e0 100644
--- a/api/cds.proto
+++ b/api/cds.proto
@@ -7,7 +7,7 @@ import "api/base.proto";
import "api/discovery.proto";
import "api/health_check.proto";
import "api/protocol.proto";
-import "api/tls_context.proto";
+import "api/sds.proto";
import "google/api/annotations.proto";
import "google/protobuf/duration.proto";
diff --git a/api/lds.proto b/api/lds.proto
index aa9f71366..eeff7dff2 100644
--- a/api/lds.proto
+++ b/api/lds.proto
@@ -9,7 +9,7 @@ package envoy.api.v2;
import "api/address.proto";
import "api/base.proto";
import "api/discovery.proto";
-import "api/tls_context.proto";
+import "api/sds.proto";
import "google/api/annotations.proto";
import "google/protobuf/struct.proto";
diff --git a/api/sds.proto b/api/sds.proto
index 7a48f9404..736597a1c 100644
--- a/api/sds.proto
+++ b/api/sds.proto
@@ -2,10 +2,11 @@ syntax = "proto3";
package envoy.api.v2;
+import "api/base.proto";
import "api/discovery.proto";
-import "api/tls_context.proto";
import "google/api/annotations.proto";
+import "google/protobuf/wrappers.proto";
service SecretDiscoveryService{
rpc StreamSecrets(stream DiscoveryRequest)
@@ -21,6 +22,124 @@ service SecretDiscoveryService{
}
}
+message DataSource {
+ oneof specifier {
+ string filename = 1;
+ bytes inline = 2;
+ }
+}
+
+message TlsParameters {
+ enum TlsProtocol {
+ TLS_AUTO = 0;
+ TLSv1_0 = 1;
+ TLSv1_1 = 2;
+ TLSv1_2 = 3;
+ TLSv1_3 = 4;
+ }
+ // Allowed TLS protocols.
+ TlsProtocol tls_minimum_protocol_version = 1;
+ TlsProtocol tls_maximum_protocol_version = 2;
+
+ // If specified, the TLS listener will only support the specified cipher list.
+ repeated string cipher_suites = 3;
+
+ // If specified, the TLS connection will only support the specified ECDH
+ // curves. If not specified, the default curves (X25519, P-256) will be used.
+ repeated string ecdh_curves = 4;
+}
+
+// TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may
+// be loaded from either.
+message TlsCertificate {
+ DataSource certificate_chain = 1;
+ DataSource private_key = 2;
+ DataSource password = 3;
+ DataSource ocsp_staple = 4;
+ repeated DataSource signed_certificate_timestamp = 5;
+}
+
+message CertificateValidationContext {
+ // TLS certificate data containing certificate authority certificates to use
+ // in verifying a presented certificate. If not specified and a certificate is
+ // presented it will not be verified.
+ DataSource trusted_ca = 1;
+
+ // If specified, Envoy will verify (pin) hex-encoded SHA-256 hash of
+ // the presented certificate.
+ repeated string verify_certificate_hash = 2;
+
+ // If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
+ // the Subject Public Key Information (SPKI) of the presented certificate.
+ // This is the same format as used in HTTP Public Key Pinning.
+ repeated string verify_spki_sha256 = 3;
+
+ // An optional list of subject alt names. If specified, Envoy will verify that
+ // the certificate’s subject alt name matches one of the specified values.
+ repeated string verify_subject_alt_name = 4;
+
+ // Must present a signed time-stamped OCSP response.
+ google.protobuf.BoolValue require_ocsp_staple = 5;
+
+ // Must present signed certificate time-stamp.
+ google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
+}
+
+// TLS context shared by both client and server TLS contexts.
+message CommonTlsContext {
+ // TLS protocol versions, cipher suites etc.
+ TlsParameters tls_params = 1;
+
+ // Multiple TLS certificates can be associated with the same context,
+ // e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF].
+ // TLS certificates can be either configured locally or fetched from SDS.
+ repeated TlsCertificate tls_certificates = 2;
+ repeated SdsSecretConfig sds_secret_configs = 6;
+
+ // How to validate peer certificates.
+ CertificateValidationContext validation_context = 3;
+
+ // Protocols to negotiate over ALPN
+ repeated string alpn_protocols = 4;
+
+ // These fields are deprecated and only are used during the interim v1 -> v2
+ // transition period for internal purposes. They should not be used outside of
+ // the Envoy binary.
+ message DeprecatedV1 {
+ string alt_alpn_protocols = 1;
+ }
+ DeprecatedV1 deprecated_v1 = 5;
+}
+
+message UpstreamTlsContext {
+ CommonTlsContext common_tls_context = 1;
+
+ // SNI string to use when creating TLS backend connections.
+ string sni = 2;
+}
+
+// [V2-API-DIFF] This has been reworked to support alternative modes of
+// certificate/key delivery, for consistency with the upstream TLS context and
+// to segregate the client/server aspects of the TLS context.
+message DownstreamTlsContext {
+ CommonTlsContext common_tls_context = 1;
+
+ // If specified, Envoy will reject connections without a valid client
+ // certificate.
+ google.protobuf.BoolValue require_client_certificate = 2;
+
+ // If specified, Envoy will reject connections without a valid and matching SNI.
+ google.protobuf.BoolValue require_sni = 3;
+}
+
+message SdsSecretConfig {
+ // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
+ // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
+ // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
+ string name = 1;
+ ConfigSource sds_config = 2;
+}
+
message Secret {
string name = 1;
oneof type {
diff --git a/api/tls_context.proto b/api/tls_context.proto
deleted file mode 100644
index e79a6278f..000000000
--- a/api/tls_context.proto
+++ /dev/null
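Review bot: `string name = 1;` in SdsSecretConfig is a proto3 string, so an unset name is indistinguishable from `""`, yet the comment only covers the name-only and name-plus-`sds_config` cases. Neither an empty name nor a name-only config that matches no static secret is specified, and the safe reading is that both are configuration errors rather than a CommonTlsContext that quietly ends up with fewer certificates than configured. Suggest extending the comment with `// An empty name, or a name with no sds_config and no matching static secret, is a configuration error.` (adjust if the implementation chooses otherwise). The field was `secret_name` in patch 3 of this series and is `name` here, which changes the JSON key; acceptable while SDS is draft, but worth a line in the commit message. `message Secret` at the end of the hunk continues past it.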
@@ -1,117 +0,0 @@
-syntax = "proto3";
-
-package envoy.api.v2;
-
-import "api/base.proto";
-
-import "google/protobuf/wrappers.proto";
-
-message DataSource {
- oneof specifier {
- string filename = 1;
- bytes inline = 2;
- }
-}
-
-message TlsParameters {
- enum TlsProtocol {
- TLS_AUTO = 0;
- TLSv1_0 = 1;
- TLSv1_1 = 2;
- TLSv1_2 = 3;
- TLSv1_3 = 4;
- }
- // Allowed TLS protocols.
- TlsProtocol tls_minimum_protocol_version = 1;
- TlsProtocol tls_maximum_protocol_version = 2;
-
- // If specified, the TLS listener will only support the specified cipher list.
- repeated string cipher_suites = 3;
-
- // If specified, the TLS connection will only support the specified ECDH
- // curves. If not specified, the default curves (X25519, P-256) will be used.
- repeated string ecdh_curves = 4;
-}
-
-// TLS certs can be loaded from file or delivered inline [V2-API-DIFF]. Individual fields may
-// be loaded from either.
-message TlsCertificate {
- DataSource certificate_chain = 1;
- DataSource private_key = 2;
- DataSource password = 3;
- DataSource ocsp_staple = 4;
- repeated DataSource signed_certificate_timestamp = 5;
-}
-
-message CertificateValidationContext {
- // TLS certificate data containing certificate authority certificates to use
- // in verifying a presented certificate. If not specified and a certificate is
- // presented it will not be verified.
- DataSource trusted_ca = 1;
-
- // If specified, Envoy will verify (pin) hex-encoded SHA-256 hash of
- // the presented certificate.
- repeated string verify_certificate_hash = 2;
-
- // If specified, Envoy will verify (pin) base64-encoded SHA-256 hash of
- // the Subject Public Key Information (SPKI) of the presented certificate.
- // This is the same format as used in HTTP Public Key Pinning.
- repeated string verify_spki_sha256 = 3;
-
- // An optional list of subject alt names. If specified, Envoy will verify that
- // the certificate’s subject alt name matches one of the specified values.
- repeated string verify_subject_alt_name = 4;
-
- // Must present a signed time-stamped OCSP response.
- google.protobuf.BoolValue require_ocsp_staple = 5;
-
- // Must present signed certificate time-stamp.
- google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
-}
-
-// TLS context shared by both client and server TLS contexts.
-message CommonTlsContext {
- // TLS protocol versions, cipher suites etc.
- TlsParameters tls_params = 1;
-
- // Multiple TLS certificates can be associated with the same context,
- // e.g. to allow both RSA and ECDSA certificates [V2-API-DIFF].
- // TLS certificates can be either configured locally or fetched from SDS.
- repeated TlsCertificate tls_certificates = 2;
- repeated SdsSecretConfig sds_secret_configs = 6;
-
- // How to validate peer certificates.
- CertificateValidationContext validation_context = 3;
-
- // Protocols to negotiate over ALPN
- repeated string alpn_protocols = 4;
-
- // These fields are deprecated and only are used during the interim v1 -> v2
- // transition period for internal purposes. They should not be used outside of
- // the Envoy binary.
- message DeprecatedV1 {
- string alt_alpn_protocols = 1;
- }
- DeprecatedV1 deprecated_v1 = 5;
-}
-
-message UpstreamTlsContext {
- CommonTlsContext common_tls_context = 1;
-
- // SNI string to use when creating TLS backend connections.
- string sni = 2;
-}
-
-// [V2-API-DIFF] This has been reworked to support alternative modes of
-// certificate/key delivery, for consistency with the upstream TLS context and
-// to segregate the client/server aspects of the TLS context.
-message DownstreamTlsContext {
- CommonTlsContext common_tls_context = 1;
-
- // If specified, Envoy will reject connections without a valid client
- // certificate.
- google.protobuf.BoolValue require_client_certificate = 2;
-
- // If specified, Envoy will reject connections without a valid and matching SNI.
- google.protobuf.BoolValue require_sni = 3;
-}
From 90afc07f0716848d915c8c2627c085a96bd07ac2 Mon Sep 17 00:00:00 2001
From: Piotr Sikora
Date: Tue, 3 Oct 2017 04:35:03 -0700
Subject: [PATCH 7/7] review: add comment.
Signed-off-by: Piotr Sikora
---
api/sds.proto | 1 +
1 file changed, 1 insertion(+)
diff --git a/api/sds.proto b/api/sds.proto
index 736597a1c..f4773bea0 100644
--- a/api/sds.proto
+++ b/api/sds.proto
@@ -141,6 +141,7 @@ message SdsSecretConfig {
}
message Secret {
+ // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
string name = 1;
oneof type {
TlsCertificate tls_certificate = 2;
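Review bot: The comment added to `Secret.name` repeats the SdsSecretConfig wording ("uniquely referred to") but does not say what the name is matched against, which is the one fact a consumer of a DiscoveryResponse needs. Suggested: `// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to; must equal the SdsSecretConfig.name (or static resource name) that references it.` Whether a client should ignore delivered secrets whose name it never asked for is stated nowhere in the series; if that is the intent, this comment is the natural place to say so.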