ALTS

This documentation is for the Envoy v3 API.

As of Envoy v1.18 the v2 API has been removed and is no longer supported.

If you are upgrading from v2 API config you may wish to view the v2 API documentation:

This extension may be referenced by the qualified name envoy.transport_sockets.alts

Note

This extension is intended to be robust against both untrusted downstream and upstream traffic.

Tip

This extension extends and can be used with the following extension categories:

extensions.transport_sockets.alts.v3.Alts

[extensions.transport_sockets.alts.v3.Alts proto]

Configuration for ALTS transport socket. This provides Google’s ALTS protocol to Envoy. Store the peer identity in dynamic metadata, namespace is “envoy.transport_socket.peer_information”, key is “peer_identity”. https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/

{
  "handshaker_service": "...",
  "peer_service_accounts": []
}
handshaker_service

(string, REQUIRED) The location of a handshaker service, this is usually 169.254.169.254:8080 on GCE.

peer_service_accounts

(repeated string) The acceptable service accounts from peer, peers not in the list will be rejected in the handshake validation step. If empty, no validation will be performed.