diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index 211532393c..c49f8d8d69 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -6594,6 +6594,13 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -6648,6 +6655,25 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -6661,6 +6687,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port - hosts 
@@ -6827,6 +6866,13 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -6881,6 +6927,25 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -6894,6 +6959,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port - hosts 
@@ -7060,6 +7138,13 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -7114,6 +7199,25 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -7127,6 +7231,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port - hosts 
@@ -8643,6 +8760,13 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -8697,6 +8821,25 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -8710,6 +8853,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port type: object 
@@ -9179,6 +9335,13 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -9233,6 +9396,25 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -9246,6 +9428,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port type: object 
@@ -9715,6 +9910,13 @@ spec: of the secret that holds the TLS certs including the CA certificates. type: string + credentialNames: + description: Same as CredentialName but for multiple certificates. + items: + type: string + maxItems: 2 + minItems: 1 + type: array httpsRedirect: description: If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients @@ -9769,6 +9971,25 @@ spec: items: type: string type: array + tlsCertificates: + description: Only one of `server_certificate`, `private_key`, + `ca_certificates` or `credential_name` or `credential_names` + or `tls_certificates` should be specified. + items: + properties: + caCertificates: + description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. + type: string + privateKey: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + serverCertificate: + description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. + type: string + type: object + maxItems: 2 + minItems: 1 + type: array verifyCertificateHash: description: An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. @@ -9782,6 +10003,19 @@ spec: type: string type: array type: object + x-kubernetes-validations: + - message: only one of credentialNames or tlsCertificates can + be set + rule: '(has(self.tlsCertificates) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or credentialNames can + be set + rule: '(has(self.credentialName) ? 1 : 0) + (has(self.credentialNames) + ? 1 : 0) <= 1' + - message: only one of credentialName or tlsCertificates can + be set + rule: '(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) + ? 1 : 0) <= 1' required: - port type: object diff --git a/networking/v1/gateway_alias.gen.go b/networking/v1/gateway_alias.gen.go index b07e7b1801..464da5acab 100644 --- a/networking/v1/gateway_alias.gen.go +++ b/networking/v1/gateway_alias.gen.go 
@@ -101,8 +101,15 @@ type Server = v1alpha3.Server // Port describes the properties of a specific port of a service. type Port = v1alpha3.Port + +// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)" type ServerTLSSettings = v1alpha3.ServerTLSSettings +// TLSCertificate describes the server's TLS certificate. +type ServerTLSSettings_TLSCertificate = v1alpha3.ServerTLSSettings_TLSCertificate + // TLS modes enforced by the proxy type ServerTLSSettings_TLSmode = v1alpha3.ServerTLSSettings_TLSmode diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go index 3a52188183..22b3a67aed 100644 --- a/networking/v1alpha3/gateway.pb.go +++ b/networking/v1alpha3/gateway.pb.go @@ -737,6 +737,9 @@ func (x *Port) GetTargetPort() uint32 { return 0 } +// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)" type ServerTLSSettings struct { state protoimpl.MessageState `protogen:"open.v1"` // If set to true, the load balancer will send a 301 redirect for 
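Review bot: The third XValidation annotation on ServerTLSSettings, `rule="oneof(self.credentialNames, self.tlsCertificates)"`, checks the same pair as the first rule while its message says `credentialName or tlsCertificates`, so a spec that sets both `credentialName` and `tlsCertificates` passes admission; the rendered CEL in all six CRD hunks for kubernetes/customresourcedefinitions.gen.yaml inherits the gap (`(has(self.credentialNames) ? 1 : 0) + (has(self.tlsCertificates) ? 1 : 0) <= 1` under the credentialName message). The rule should read `rule="oneof(self.credentialName, self.tlsCertificates)"`. The same three annotations are repeated on the alias in networking/v1/gateway_alias.gen.go in this hunk; since both Go files and the CRD are generated, the correction belongs in the proto source that feeds them, which is not part of this diff, and all three outputs need regenerating. Until then, which credential wins when both are set is decided by the proxy-config path rather than by the schema.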
@@ -775,9 +778,22 @@ type ServerTLSSettings struct { // Only one of server certificates and CA certificate // or credentialName can be specified. CredentialName string `protobuf:"bytes,10,opt,name=credential_name,json=credentialName,proto3" json:"credential_name,omitempty"` + // Same as CredentialName but for multiple certificates. Mainly used for specifying + // RSA and ECDSA certificates for the same server. + // +kubebuilder:validation:MaxItems=2 + // +kubebuilder:validation:MinItems=1 + CredentialNames []string `protobuf:"bytes,14,rep,name=credential_names,json=credentialNames,proto3" json:"credential_names,omitempty"` + // Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name` + // or `credential_names` or `tls_certificates` should be specified. + // This is mainly used for specifying RSA and ECDSA certificates for the same server. + // +kubebuilder:validation:MaxItems=2 + // +kubebuilder:validation:MinItems=1 + TlsCertificates []*ServerTLSSettings_TLSCertificate `protobuf:"bytes,15,rep,name=tls_certificates,json=tlsCertificates,proto3" json:"tls_certificates,omitempty"` // A list of alternate names to verify the subject identity in the // certificate presented by the client. // Requires TLS mode to be set to `MUTUAL`. + // When multiple certificates are provided via `credential_names` or `tls_certificates`, + // the subject alternate names are validated against the selected certificate. SubjectAltNames []string `protobuf:"bytes,6,rep,name=subject_alt_names,json=subjectAltNames,proto3" json:"subject_alt_names,omitempty"` // An optional list of base64-encoded SHA-256 hashes of the SPKIs of // authorized client certificates. 
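Review bot: The comment on TlsCertificates promises that only one of `server_certificate`, `private_key`, `ca_certificates`, `credential_name`, `credential_names` or `tls_certificates` is specified, but the XValidation rules added on this type only cover the credentialName/credentialNames/tlsCertificates pairs, so a Server that sets `serverCertificate` and `privateKey` alongside `tlsCertificates` (or `credentialNames`) is accepted by the schema; unless a control-plane validator outside this diff rejects it, either extend the rules to the inline fields or soften the comment to describe precedence. The new sentence on SubjectAltNames, `the subject alternate names are validated against the selected certificate`, is easy to misread because SubjectAltNames applies to the client certificate in MUTUAL mode: say what "selected certificate" refers to (presumably the server certificate chosen for the handshake) and whether it changes which `ca_certificates` bundle the client certificate is verified against. The struct definition continues outside this hunk.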
@@ -903,6 +919,20 @@ func (x *ServerTLSSettings) GetCredentialName() string {
 return ""
 }
 
+func (x *ServerTLSSettings) GetCredentialNames() []string {
+ if x != nil {
+ return x.CredentialNames
+ }
+ return nil
+}
+
+func (x *ServerTLSSettings) GetTlsCertificates() []*ServerTLSSettings_TLSCertificate {
+ if x != nil {
+ return x.TlsCertificates
+ }
+ return nil
+}
+
 func (x *ServerTLSSettings) GetSubjectAltNames() []string {
 if x != nil {
 return x.SubjectAltNames
@@ -945,6 +975,74 @@ func (x *ServerTLSSettings) GetCipherSuites() []string { return nil } +// TLSCertificate describes the server's TLS certificate. +type ServerTLSSettings_TLSCertificate struct { + state protoimpl.MessageState `protogen:"open.v1"` + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server-side TLS certificate to use. + ServerCertificate string `protobuf:"bytes,1,opt,name=server_certificate,json=serverCertificate,proto3" json:"server_certificate,omitempty"` + // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file + // holding the server's private key. + PrivateKey string `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"` + // REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file + // containing certificate authority certificates to use in verifying a presented + // client side certificate. + CaCertificates string `protobuf:"bytes,3,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ServerTLSSettings_TLSCertificate) Reset() { + *x = ServerTLSSettings_TLSCertificate{} + mi := &file_networking_v1alpha3_gateway_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ServerTLSSettings_TLSCertificate) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ServerTLSSettings_TLSCertificate) ProtoMessage() {} + +func (x *ServerTLSSettings_TLSCertificate) ProtoReflect() protoreflect.Message { + mi := &file_networking_v1alpha3_gateway_proto_msgTypes[5] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ServerTLSSettings_TLSCertificate.ProtoReflect.Descriptor instead. 
+func (*ServerTLSSettings_TLSCertificate) Descriptor() ([]byte, []int) { + return file_networking_v1alpha3_gateway_proto_rawDescGZIP(), []int{3, 0} +} + +func (x *ServerTLSSettings_TLSCertificate) GetServerCertificate() string { + if x != nil { + return x.ServerCertificate + } + return "" +} + +func (x *ServerTLSSettings_TLSCertificate) GetPrivateKey() string { + if x != nil { + return x.PrivateKey + } + return "" +} + +func (x *ServerTLSSettings_TLSCertificate) GetCaCertificates() string { + if x != nil { + return x.CaCertificates + } + return "" +} + var File_networking_v1alpha3_gateway_proto protoreflect.FileDescriptor var file_networking_v1alpha3_gateway_proto_rawDesc = string([]byte{ @@ -991,7 +1089,7 @@ var file_networking_v1alpha3_gateway_proto_rawDesc = string([]byte{ 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, - 0x22, 0x98, 0x07, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, + 0x22, 0xb7, 0x09, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x68, 0x74, 0x74, 0x70, 0x73, 0x52, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x12, 0x48, 0x0a, 
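Review bot: ServerTLSSettings_TLSCertificate carries no constraint tying its fields together, and the schema generated from it (the `tlsCertificates.items` block in the CRD hunks) lists no `required` keys, so an entry such as `{}` or one carrying only `caCertificates` is admitted and the failure only surfaces when the proxy configuration is built. A per-item rule on the parent field along the lines of `self.all(c, has(c.serverCertificate) == has(c.privateKey))`, or `+kubebuilder:validation:Required` on the two fields, would reject that at admission; the annotation belongs in the proto source since this file is generated. The doc comments copy the "REQUIRED if mode is ..." wording from the parent fields, which cannot be checked per item because `mode` lives on the parent — worth stating in the TLSCertificate comment so readers do not assume the schema enforces it.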
@@ -1011,47 +1109,65 @@ var file_networking_v1alpha3_gateway_proto_rawDesc = string([]byte{ 0x52, 0x05, 0x63, 0x61, 0x43, 0x72, 0x6c, 0x12, 0x27, 0x0a, 0x0f, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65, - 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x61, 0x6c, 0x74, 0x5f, - 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x75, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x36, 0x0a, 0x17, - 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, - 0x74, 0x65, 0x5f, 0x73, 0x70, 0x6b, 0x69, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, - 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x53, 0x70, 0x6b, 0x69, 0x12, 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, - 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x68, 0x61, 0x73, 0x68, 0x18, - 0x0c, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, - 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, 0x6a, 0x0a, 0x14, - 0x6d, 0x69, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, - 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, - 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x69, 0x6e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 
0x12, 0x6a, 0x0a, 0x14, 0x6d, 0x61, 0x78, 0x5f, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, - 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, - 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, - 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, - 0x52, 0x12, 0x6d, 0x61, 0x78, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, - 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f, 0x73, - 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x69, 0x70, - 0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x22, 0x6f, 0x0a, 0x07, 0x54, 0x4c, 0x53, - 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, - 0x55, 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, - 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, - 0x10, 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, - 0x48, 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53, 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, - 0x55, 0x41, 0x4c, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41, - 0x4c, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x05, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c, - 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53, - 0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, - 0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10, - 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x32, 0x10, 0x03, 
0x12, 0x0b, - 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, 0x10, 0x04, 0x42, 0x22, 0x5a, 0x20, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, - 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, - 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x12, 0x29, 0x0a, 0x10, 0x63, 0x72, 0x65, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x5f, 0x6e, + 0x61, 0x6d, 0x65, 0x73, 0x18, 0x0e, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x63, 0x72, 0x65, 0x64, + 0x65, 0x6e, 0x74, 0x69, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x66, 0x0a, 0x10, 0x74, + 0x6c, 0x73, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x18, + 0x0f, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, + 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, + 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, + 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x52, 0x0f, 0x74, 0x6c, 0x73, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, + 0x74, 0x65, 0x73, 0x12, 0x2a, 0x0a, 0x11, 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x5f, 0x61, + 0x6c, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, + 0x73, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x41, 0x6c, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, + 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 0x74, 0x65, 0x5f, 0x73, 0x70, 0x6b, 0x69, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, + 0x61, 0x74, 0x65, 0x53, 0x70, 0x6b, 0x69, 0x12, 0x36, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, + 0x79, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 
0x5f, 0x68, 0x61, + 0x73, 0x68, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x09, 0x52, 0x15, 0x76, 0x65, 0x72, 0x69, 0x66, 0x79, + 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x48, 0x61, 0x73, 0x68, 0x12, + 0x6a, 0x0a, 0x14, 0x6d, 0x69, 0x6e, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, + 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, + 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, + 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, + 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x69, 0x6e, 0x50, 0x72, 0x6f, 0x74, + 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x6a, 0x0a, 0x14, 0x6d, + 0x61, 0x78, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x73, + 0x69, 0x6f, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, + 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, + 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, + 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x61, 0x78, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, + 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70, 0x68, 0x65, + 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, + 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x1a, 0x89, 0x01, 0x0a, + 0x0e, 0x54, 0x4c, 0x53, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, + 0x2d, 0x0a, 0x12, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, + 0x69, 0x63, 0x61, 
0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x73, 0x65, 0x72, + 0x76, 0x65, 0x72, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x1f, + 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, + 0x27, 0x0a, 0x0f, 0x63, 0x61, 0x5f, 0x63, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, + 0x65, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x63, 0x61, 0x43, 0x65, 0x72, 0x74, + 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x22, 0x6f, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x6d, + 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, + 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, 0x01, + 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, + 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, + 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53, 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, 0x55, + 0x41, 0x4c, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41, 0x4c, + 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x05, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c, 0x53, + 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53, 0x5f, + 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, + 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10, 0x02, + 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x32, 0x10, 0x03, 0x12, 0x0b, 0x0a, + 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, 0x10, 0x04, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, + 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, + 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 
0x6c, 0x70, 0x68, 0x61, 0x33, 0x62, 0x06, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, }) var ( @@ -1067,15 +1183,16 @@ func file_networking_v1alpha3_gateway_proto_rawDescGZIP() []byte { } var file_networking_v1alpha3_gateway_proto_enumTypes = make([]protoimpl.EnumInfo, 2) -var file_networking_v1alpha3_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 5) +var file_networking_v1alpha3_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_networking_v1alpha3_gateway_proto_goTypes = []any{ - (ServerTLSSettings_TLSmode)(0), // 0: istio.networking.v1alpha3.ServerTLSSettings.TLSmode - (ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol - (*Gateway)(nil), // 2: istio.networking.v1alpha3.Gateway - (*Server)(nil), // 3: istio.networking.v1alpha3.Server - (*Port)(nil), // 4: istio.networking.v1alpha3.Port - (*ServerTLSSettings)(nil), // 5: istio.networking.v1alpha3.ServerTLSSettings - nil, // 6: istio.networking.v1alpha3.Gateway.SelectorEntry + (ServerTLSSettings_TLSmode)(0), // 0: istio.networking.v1alpha3.ServerTLSSettings.TLSmode + (ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol + (*Gateway)(nil), // 2: istio.networking.v1alpha3.Gateway + (*Server)(nil), // 3: istio.networking.v1alpha3.Server + (*Port)(nil), // 4: istio.networking.v1alpha3.Port + (*ServerTLSSettings)(nil), // 5: istio.networking.v1alpha3.ServerTLSSettings + nil, // 6: istio.networking.v1alpha3.Gateway.SelectorEntry + (*ServerTLSSettings_TLSCertificate)(nil), // 7: istio.networking.v1alpha3.ServerTLSSettings.TLSCertificate } var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{ 3, // 0: istio.networking.v1alpha3.Gateway.servers:type_name -> istio.networking.v1alpha3.Server 
@@ -1083,13 +1200,14 @@ var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{ 4, // 2: istio.networking.v1alpha3.Server.port:type_name -> istio.networking.v1alpha3.Port 5, // 3: istio.networking.v1alpha3.Server.tls:type_name -> istio.networking.v1alpha3.ServerTLSSettings 0, // 4: istio.networking.v1alpha3.ServerTLSSettings.mode:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSmode - 1, // 5: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol - 1, // 6: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol - 7, // [7:7] is the sub-list for method output_type - 7, // [7:7] is the sub-list for method input_type - 7, // [7:7] is the sub-list for extension type_name - 7, // [7:7] is the sub-list for extension extendee - 0, // [0:7] is the sub-list for field type_name + 7, // 5: istio.networking.v1alpha3.ServerTLSSettings.tls_certificates:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSCertificate + 1, // 6: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol + 1, // 7: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol + 8, // [8:8] is the sub-list for method output_type + 8, // [8:8] is the sub-list for method input_type + 8, // [8:8] is the sub-list for extension type_name + 8, // [8:8] is the sub-list for extension extendee + 0, // [0:8] is the sub-list for field type_name } func init() { file_networking_v1alpha3_gateway_proto_init() } 
@@ -1103,7 +1221,7 @@ func file_networking_v1alpha3_gateway_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_gateway_proto_rawDesc), len(file_networking_v1alpha3_gateway_proto_rawDesc)), NumEnums: 2, - NumMessages: 5, + NumMessages: 6, NumExtensions: 0, NumServices: 0, }, diff --git a/networking/v1alpha3/gateway.pb.html b/networking/v1alpha3/gateway.pb.html index be2b7d2e44..fbcbfa8710 100644 --- a/networking/v1alpha3/gateway.pb.html +++ b/networking/v1alpha3/gateway.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.networking.v1alpha3.Gateway aliases: [/docs/reference/config/networking/v1alpha3/gateway] -number_of_entries: 6 +number_of_entries: 7 ---

Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections. The specification @@ -409,6 +409,7 @@

Port

ServerTLSSettings

+ @@ -500,6 +501,27 @@

ServerTLSSettings

Only one of server certificates and CA certificate or credentialName can be specified.

+ + + + + + + + + @@ -509,7 +531,9 @@

ServerTLSSettings

@@ -588,6 +612,52 @@

ServerTLSSettings

  • DES-CBC3-SHA
  • + + + +
    +
    string[]
    +
    +

    Same as CredentialName but for multiple certificates. Mainly used for specifying +RSA and ECDSA certificates for the same server.

    + +
    +

    Only one of server_certificate, private_key, ca_certificates or credential_name +or credential_names or tls_certificates should be specified. +This is mainly used for specifying RSA and ECDSA certificates for the same server.

    +

    A list of alternate names to verify the subject identity in the certificate presented by the client. -Requires TLS mode to be set to MUTUAL.

    +Requires TLS mode to be set to MUTUAL. +When multiple certificates are provided via credential_names or tls_certificates, +the subject alternate names are validated against the selected certificate.

    +
    +

    TLSCertificate

    +
    +

    TLSCertificate describes the server’s TLS certificate.

    + + + + + + + + + + + + + + + + + + + + diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto index 448824a42b..4c8e9047f1 100644 --- a/networking/v1alpha3/gateway.proto +++ b/networking/v1alpha3/gateway.proto @@ -380,6 +380,9 @@ message Port { uint32 target_port = 4 [deprecated=true]; } +// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)" message ServerTLSSettings { // If set to true, the load balancer will send a 301 redirect for // all http connections, asking the clients to use HTTPS. 
@@ -471,9 +474,40 @@ message ServerTLSSettings {
   // or credentialName can be specified.
   string credential_name = 10;
 
+  // Same as CredentialName but for multiple certificates. Mainly used for specifying
+  // RSA and ECDSA certificates for the same server.
+  // +kubebuilder:validation:MaxItems=2
+  // +kubebuilder:validation:MinItems=1
+  repeated string credential_names = 14;
+
+  // TLSCertificate describes the server's TLS certificate.
+  message TLSCertificate {
+    // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
+    // holding the server-side TLS certificate to use.
+    string server_certificate = 1;
+
+    // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
+    // holding the server's private key.
+    string private_key = 2;
+
+    // REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file
+    // containing certificate authority certificates to use in verifying a presented
+    // client side certificate.
+    string ca_certificates = 3;
+  }
+
+  // Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name`
+  // or `credential_names` or `tls_certificates` should be specified.
+  // This is mainly used for specifying RSA and ECDSA certificates for the same server.
+  // +kubebuilder:validation:MaxItems=2
+  // +kubebuilder:validation:MinItems=1
+  repeated TLSCertificate tls_certificates = 15;
+
   // A list of alternate names to verify the subject identity in the
   // certificate presented by the client.
   // Requires TLS mode to be set to `MUTUAL`.
+  // When multiple certificates are provided via `credential_names` or `tls_certificates`,
+  // the subject alternate names are validated against the selected certificate.
   repeated string subject_alt_names = 6;
 
   // An optional list of base64-encoded SHA-256 hashes of the SPKIs of
diff --git a/networking/v1alpha3/gateway_deepcopy.gen.go b/networking/v1alpha3/gateway_deepcopy.gen.go
index 9abd995802..17875c9a64 100644
--- a/networking/v1alpha3/gateway_deepcopy.gen.go
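Review bot: The comment on `tls_certificates` says only one of `server_certificate`/`private_key`/`ca_certificates`, `credential_name`, `credential_names` or `tls_certificates` should be specified, but the message-level rules in the preceding hunk only pair the credentialName, credentialNames and tlsCertificates fields, so a spec carrying both the inline `server_certificate` fields and `tls_certificates` passes validation and the comment does not say which one the proxy would use. If that exclusion is meant to hold it should be enforced next to the other rules, e.g. `// +kubebuilder:validation:XValidation:message="only one of serverCertificate or tlsCertificates can be set",rule="oneof(self.serverCertificate, self.tlsCertificates)"`; if not, the comment should say the inline fields are ignored when `tls_certificates` is set. Each `TLSCertificate` entry also carries its own `ca_certificates`, and nothing states whether two entries may name different CA bundles or which bundle verifies client certificates in `MUTUAL` mode — a sentence on `ca_certificates` such as `// When several entries are given, state here whether the bundles must match and which one is used for client verification (TODO confirm against the proxy implementation).` would close that gap. ServerTLSSettings continues outside the hunk.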
+++ b/networking/v1alpha3/gateway_deepcopy.gen.go @@ -88,3 +88,24 @@ func (in *ServerTLSSettings) DeepCopy() *ServerTLSSettings { func (in *ServerTLSSettings) DeepCopyInterface() interface{} { return in.DeepCopy() } + +// DeepCopyInto supports using ServerTLSSettings_TLSCertificate within kubernetes types, where deepcopy-gen is used. +func (in *ServerTLSSettings_TLSCertificate) DeepCopyInto(out *ServerTLSSettings_TLSCertificate) { + p := proto.Clone(in).(*ServerTLSSettings_TLSCertificate) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_TLSCertificate. Required by controller-gen. +func (in *ServerTLSSettings_TLSCertificate) DeepCopy() *ServerTLSSettings_TLSCertificate { + if in == nil { + return nil + } + out := new(ServerTLSSettings_TLSCertificate) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_TLSCertificate. Required by controller-gen. +func (in *ServerTLSSettings_TLSCertificate) DeepCopyInterface() interface{} { + return in.DeepCopy() +} diff --git a/networking/v1alpha3/gateway_json.gen.go b/networking/v1alpha3/gateway_json.gen.go index 8dd2ce87ee..0a38246326 100644 --- a/networking/v1alpha3/gateway_json.gen.go +++ b/networking/v1alpha3/gateway_json.gen.go 
@@ -50,6 +50,17 @@ func (this *ServerTLSSettings) UnmarshalJSON(b []byte) error { return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) } +// MarshalJSON is a custom marshaler for ServerTLSSettings_TLSCertificate +func (this *ServerTLSSettings_TLSCertificate) MarshalJSON() ([]byte, error) { + str, err := GatewayMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for ServerTLSSettings_TLSCertificate +func (this *ServerTLSSettings_TLSCertificate) UnmarshalJSON(b []byte) error { + return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + var ( GatewayMarshaler = &jsonpb.Marshaler{} GatewayUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} diff --git a/networking/v1beta1/gateway_alias.gen.go b/networking/v1beta1/gateway_alias.gen.go index e855f331d0..063b55808e 100644 --- a/networking/v1beta1/gateway_alias.gen.go +++ b/networking/v1beta1/gateway_alias.gen.go @@ -101,8 +101,15 @@ type Server = v1alpha3.Server // Port describes the properties of a specific port of a service. type Port = v1alpha3.Port + +// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credentialName or credentialNames can be set",rule="oneof(self.credentialName, self.credentialNames)" +// +kubebuilder:validation:XValidation:message="only one of credentialName or tlsCertificates can be set",rule="oneof(self.credentialNames, self.tlsCertificates)" type ServerTLSSettings = v1alpha3.ServerTLSSettings +// TLSCertificate describes the server's TLS certificate. +type ServerTLSSettings_TLSCertificate = v1alpha3.ServerTLSSettings_TLSCertificate + // TLS modes enforced by the proxy type ServerTLSSettings_TLSmode = v1alpha3.ServerTLSSettings_TLSmode
    FieldDescription
    +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file +holding the server-side TLS certificate to use.

    + +
    +
    string
    +
    +

    REQUIRED if mode is SIMPLE or MUTUAL. The path to the file +holding the server’s private key.

    + +
    +
    string
    +
    +

    REQUIRED if mode is MUTUAL or OPTIONAL_MUTUAL. The path to a file +containing certificate authority certificates to use in verifying a presented +client side certificate.

    +