On-demand secret certificate selector (proto)
This extension has the qualified name envoy.tls.certificate_selectors.on_demand_secret
Note
This extension is functional but has not had substantial production burn time; use it only with this caveat.
This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.
Tip
This extension extends and can be used with the following extension categories:
This extension must be configured with one of the following type URLs:
extensions.transport_sockets.tls.cert_selectors.on_demand_secret.v3.Config
[extensions.transport_sockets.tls.cert_selectors.on_demand_secret.v3.Config proto]
Fetches the secret on-demand while allowing the parent cluster or listener to accept connections without warming. During the handshake, a secret name is derived from the peer hello message, an SDS resource request is started, and the handshake is paused. Once an SDS response carrying the resource is received, the handshake resumes with the provided certificate. If the SDS server indicates that the resource has been removed, the handshake fails and the SDS subscription to that resource is stopped.
As with regular SDS, the loaded certificate is governed by the settings of the outer common TLS context, e.g. the FIPS compliance policy configured there is applied to the loaded certificate.
{
"config_source": {...},
"certificate_mapper": {...},
"prefetch_secret_names": []
}
- config_source
(config.core.v3.ConfigSource, REQUIRED) Defines the configuration source of the secrets.
- certificate_mapper
(config.core.v3.TypedExtensionConfig, REQUIRED) Extension point to specify a function that computes the secret name. For the downstream certificate selector, the extension is called during the TLS handshake after the CLIENT HELLO message is received from the client; for the upstream certificate selector, it is called using the transport socket options and the SERVER HELLO.
Tip
This extension category has the following known extensions:
- prefetch_secret_names
(repeated string) A list of secret resource names to start fetching on configuration load (prior to receiving any requests). The parent resource initializes immediately without waiting for the fetch to complete.
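As an added example (not taken from the Envoy documentation or the Envoy source), the following listener transport socket wires the three fields above into a downstream TLS context. The field names config_source, certificate_mapper and prefetch_secret_names and the extension's qualified name and type URL are those documented above; the custom_tls_certificate_selector field on CommonTlsContext is assumed from the Envoy API, the certificate mapper type URL is a placeholder because this page names no mapper extension, and the secret names are constructed sample values.

```yaml
# Added example, not part of the Envoy documentation page.
# Assumptions: `custom_tls_certificate_selector` is the CommonTlsContext field
# that takes a certificate selector extension; the mapper type URL is a
# placeholder; the secret names are constructed sample values.
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    common_tls_context:
      # Settings in the outer common TLS context still govern whichever
      # certificate the selector loads on demand.
      tls_params:
        tls_minimum_protocol_version: TLSv1_2
      custom_tls_certificate_selector:
        name: envoy.tls.certificate_selectors.on_demand_secret
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.cert_selectors.on_demand_secret.v3.Config
          # config_source (REQUIRED): where secrets are fetched from. Here the
          # ADS stream declared in the bootstrap's ads_config is reused.
          config_source:
            ads: {}
          # certificate_mapper (REQUIRED): derives the secret resource name from
          # the CLIENT HELLO (for example from the SNI). PLACEHOLDER must be
          # replaced with a registered certificate mapper extension.
          certificate_mapper:
            name: PLACEHOLDER.certificate_mapper
            typed_config:
              "@type": type.googleapis.com/PLACEHOLDER.CertificateMapperConfig
          # prefetch_secret_names: fetched at configuration load, so the first
          # handshakes for these names are not paused waiting on SDS. The
          # listener still initializes without waiting for these fetches.
          prefetch_secret_names:
            - example.com
            - api.example.com
```

Any name the mapper produces that is not prefetched is requested from SDS on first use, which pauses that handshake until the resource arrives; a resource the SDS server later removes causes subsequent handshakes for that name to fail, as described above. Because no warming is performed, monitoring SDS fetch failures and handshake timeouts is the practical way to detect a misconfigured mapper or an unreachable secret source.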