diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index 7c2948565d2..fad9ab952c3 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -3338,6 +3338,20 @@ spec:
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
+ ocsp:
+ properties:
+ stapling:
+ properties:
+ mode:
+ enum:
+ - OPTIONAL
+ - PREFERRED
+ - MANDATORY
+ type: string
+ path:
+ type: string
+ type: object
+ type: object
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
type: string
@@ -3454,6 +3468,20 @@ spec:
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
+ ocsp:
+ properties:
+ stapling:
+ properties:
+ mode:
+ enum:
+ - OPTIONAL
+ - PREFERRED
+ - MANDATORY
+ type: string
+ path:
+ type: string
+ type: object
+ type: object
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
type: string
@@ -3961,6 +3989,20 @@ spec:
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
+ ocsp:
+ properties:
+ stapling:
+ properties:
+ mode:
+ enum:
+ - OPTIONAL
+ - PREFERRED
+ - MANDATORY
+ type: string
+ path:
+ type: string
+ type: object
+ type: object
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
type: string
@@ -4134,6 +4176,20 @@ spec:
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
+ ocsp:
+ properties:
+ stapling:
+ properties:
+ mode:
+ enum:
+ - OPTIONAL
+ - PREFERRED
+ - MANDATORY
+ type: string
+ path:
+ type: string
+ type: object
+ type: object
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
type: string
diff --git a/networking/v1alpha3/gateway.gen.json b/networking/v1alpha3/gateway.gen.json
index 467d48967fd..fdda55bc114 100644
--- a/networking/v1alpha3/gateway.gen.json
+++ b/networking/v1alpha3/gateway.gen.json
@@ -139,9 +139,42 @@
"items": {
"type": "string"
}
+ },
+ "ocsp": {
+ "$ref": "#/components/schemas/istio.networking.v1alpha3.ServerTLSSettings.OCSP"
+ }
+ }
+ },
+ "istio.networking.v1alpha3.ServerTLSSettings.OCSP": {
+ "description": "OCSP Settings",
+ "type": "object",
+ "properties": {
+ "stapling": {
+ "$ref": "#/components/schemas/istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling"
+ }
+ }
+ },
+ "istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling": {
+ "description": "Settings for OCSP Stapling",
+ "type": "object",
+ "properties": {
+ "mode": {
+ "$ref": "#/components/schemas/istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling.StaplingMode"
+ },
+ "path": {
+ "description": "Path at which the staple bytes will be stored in the Secret",
+ "type": "string"
}
}
},
+ "istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling.StaplingMode": {
+ "type": "string",
+ "enum": [
+ "OPTIONAL",
+ "PREFERRED",
+ "MANDATORY"
+ ]
+ },
"istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol": {
"description": "TLS protocol versions.",
"type": "string",
diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go
index 61740448420..f99d5d35b06 100644
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@@ -507,6 +507,58 @@ func (ServerTLSSettings_TLSProtocol) EnumDescriptor() ([]byte, []int) {
return file_networking_v1alpha3_gateway_proto_rawDescGZIP(), []int{3, 1}
}
+type ServerTLSSettings_OCSP_Stapling_StaplingMode int32
+
+const (
+ // Matches the LENIENT_STAPLING mode of Envoy
+ ServerTLSSettings_OCSP_Stapling_OPTIONAL ServerTLSSettings_OCSP_Stapling_StaplingMode = 0
+ // Matches the STRICT_STAPLING mode of Envoy
+ ServerTLSSettings_OCSP_Stapling_PREFERRED ServerTLSSettings_OCSP_Stapling_StaplingMode = 1
+ // Matches the MUST_STAPLE mode of Envoy
+ ServerTLSSettings_OCSP_Stapling_MANDATORY ServerTLSSettings_OCSP_Stapling_StaplingMode = 2
+)
+
+// Enum value maps for ServerTLSSettings_OCSP_Stapling_StaplingMode.
+var (
+ ServerTLSSettings_OCSP_Stapling_StaplingMode_name = map[int32]string{
+ 0: "OPTIONAL",
+ 1: "PREFERRED",
+ 2: "MANDATORY",
+ }
+ ServerTLSSettings_OCSP_Stapling_StaplingMode_value = map[string]int32{
+ "OPTIONAL": 0,
+ "PREFERRED": 1,
+ "MANDATORY": 2,
+ }
+)
+
+func (x ServerTLSSettings_OCSP_Stapling_StaplingMode) Enum() *ServerTLSSettings_OCSP_Stapling_StaplingMode {
+ p := new(ServerTLSSettings_OCSP_Stapling_StaplingMode)
+ *p = x
+ return p
+}
+
+func (x ServerTLSSettings_OCSP_Stapling_StaplingMode) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (ServerTLSSettings_OCSP_Stapling_StaplingMode) Descriptor() protoreflect.EnumDescriptor {
+ return file_networking_v1alpha3_gateway_proto_enumTypes[2].Descriptor()
+}
+
+func (ServerTLSSettings_OCSP_Stapling_StaplingMode) Type() protoreflect.EnumType {
+ return &file_networking_v1alpha3_gateway_proto_enumTypes[2]
+}
+
+func (x ServerTLSSettings_OCSP_Stapling_StaplingMode) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use ServerTLSSettings_OCSP_Stapling_StaplingMode.Descriptor instead.
+func (ServerTLSSettings_OCSP_Stapling_StaplingMode) EnumDescriptor() ([]byte, []int) {
+ return file_networking_v1alpha3_gateway_proto_rawDescGZIP(), []int{3, 0, 0, 0}
+}
+
// Gateway describes a load balancer operating at the edge of the mesh
// receiving incoming or outgoing HTTP/TCP connections.
//
@@ -1037,6 +1089,8 @@ type ServerTLSSettings struct {
// Optional: If specified, only support the specified cipher list.
// Otherwise default to the default cipher list supported by Envoy.
CipherSuites []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
+ // Optional: settings for OCSP and OCSP Stapling
+ Ocsp *ServerTLSSettings_OCSP `protobuf:"bytes,13,opt,name=ocsp,proto3" json:"ocsp,omitempty"`
}
func (x *ServerTLSSettings) Reset() {
@@ -1155,6 +1209,119 @@ func (x *ServerTLSSettings) GetCipherSuites() []string {
return nil
}
+func (x *ServerTLSSettings) GetOcsp() *ServerTLSSettings_OCSP {
+ if x != nil {
+ return x.Ocsp
+ }
+ return nil
+}
+
+// OCSP Settings
+type ServerTLSSettings_OCSP struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Stapling *ServerTLSSettings_OCSP_Stapling `protobuf:"bytes,1,opt,name=stapling,proto3" json:"stapling,omitempty"`
+}
+
+func (x *ServerTLSSettings_OCSP) Reset() {
+ *x = ServerTLSSettings_OCSP{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_networking_v1alpha3_gateway_proto_msgTypes[5]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ServerTLSSettings_OCSP) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ServerTLSSettings_OCSP) ProtoMessage() {}
+
+func (x *ServerTLSSettings_OCSP) ProtoReflect() protoreflect.Message {
+ mi := &file_networking_v1alpha3_gateway_proto_msgTypes[5]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ServerTLSSettings_OCSP.ProtoReflect.Descriptor instead.
+func (*ServerTLSSettings_OCSP) Descriptor() ([]byte, []int) {
+ return file_networking_v1alpha3_gateway_proto_rawDescGZIP(), []int{3, 0}
+}
+
+func (x *ServerTLSSettings_OCSP) GetStapling() *ServerTLSSettings_OCSP_Stapling {
+ if x != nil {
+ return x.Stapling
+ }
+ return nil
+}
+
+// Settings for OCSP Stapling
+type ServerTLSSettings_OCSP_Stapling struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // OCSP Stapling mode for Envoy
+ Mode ServerTLSSettings_OCSP_Stapling_StaplingMode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.networking.v1alpha3.ServerTLSSettings_OCSP_Stapling_StaplingMode" json:"mode,omitempty"`
+ // Path at which the staple bytes will be stored in the Secret
+ Path string `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
+}
+
+func (x *ServerTLSSettings_OCSP_Stapling) Reset() {
+ *x = ServerTLSSettings_OCSP_Stapling{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_networking_v1alpha3_gateway_proto_msgTypes[6]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ServerTLSSettings_OCSP_Stapling) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ServerTLSSettings_OCSP_Stapling) ProtoMessage() {}
+
+func (x *ServerTLSSettings_OCSP_Stapling) ProtoReflect() protoreflect.Message {
+ mi := &file_networking_v1alpha3_gateway_proto_msgTypes[6]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ServerTLSSettings_OCSP_Stapling.ProtoReflect.Descriptor instead.
+func (*ServerTLSSettings_OCSP_Stapling) Descriptor() ([]byte, []int) {
+ return file_networking_v1alpha3_gateway_proto_rawDescGZIP(), []int{3, 0, 0}
+}
+
+func (x *ServerTLSSettings_OCSP_Stapling) GetMode() ServerTLSSettings_OCSP_Stapling_StaplingMode {
+ if x != nil {
+ return x.Mode
+ }
+ return ServerTLSSettings_OCSP_Stapling_OPTIONAL
+}
+
+func (x *ServerTLSSettings_OCSP_Stapling) GetPath() string {
+ if x != nil {
+ return x.Path
+ }
+ return ""
+}
+
var File_networking_v1alpha3_gateway_proto protoreflect.FileDescriptor
var file_networking_v1alpha3_gateway_proto_rawDesc = []byte{
@@ -1201,7 +1368,7 @@ var file_networking_v1alpha3_gateway_proto_rawDesc = []byte{
0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, 0x41, 0x01,
0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65,
0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x42, 0x02, 0x18, 0x01,
- 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xec, 0x06, 0x0a,
+ 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xce, 0x09, 0x0a,
0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e,
0x67, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x72, 0x65, 0x64, 0x69,
0x72, 0x65, 0x63, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x68, 0x74, 0x74, 0x70,
@@ -1245,21 +1412,43 @@ var file_networking_v1alpha3_gateway_proto_rawDesc = []byte{
0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x12, 0x6d, 0x61, 0x78, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63,
0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70,
0x68, 0x65, 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09,
- 0x52, 0x0c, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x22, 0x5a,
- 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53,
- 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x49,
- 0x4d, 0x50, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c,
- 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53, 0x53, 0x54,
- 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53, 0x54, 0x49,
- 0x4f, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x04, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c,
- 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53,
- 0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31,
- 0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10,
- 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x32, 0x10, 0x03, 0x12, 0x0b,
- 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, 0x10, 0x04, 0x42, 0x22, 0x5a, 0x20, 0x69,
- 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77,
- 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x62,
- 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x52, 0x0c, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53, 0x75, 0x69, 0x74, 0x65, 0x73, 0x12, 0x45,
+ 0x0a, 0x04, 0x6f, 0x63, 0x73, 0x70, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x69,
+ 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e,
+ 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54,
+ 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x4f, 0x43, 0x53, 0x50, 0x52,
+ 0x04, 0x6f, 0x63, 0x73, 0x70, 0x1a, 0x98, 0x02, 0x0a, 0x04, 0x4f, 0x43, 0x53, 0x50, 0x12, 0x56,
+ 0x0a, 0x08, 0x73, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
+ 0x32, 0x3a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b,
+ 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65, 0x72,
+ 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e, 0x4f,
+ 0x43, 0x53, 0x50, 0x2e, 0x53, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x52, 0x08, 0x73, 0x74,
+ 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x1a, 0xb7, 0x01, 0x0a, 0x08, 0x53, 0x74, 0x61, 0x70, 0x6c,
+ 0x69, 0x6e, 0x67, 0x12, 0x5b, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+ 0x0e, 0x32, 0x47, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+ 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x33, 0x2e, 0x53, 0x65,
+ 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x2e,
+ 0x4f, 0x43, 0x53, 0x50, 0x2e, 0x53, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x2e, 0x53, 0x74,
+ 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65,
+ 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+ 0x70, 0x61, 0x74, 0x68, 0x22, 0x3a, 0x0a, 0x0c, 0x53, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67,
+ 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0c, 0x0a, 0x08, 0x4f, 0x50, 0x54, 0x49, 0x4f, 0x4e, 0x41, 0x4c,
+ 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x50, 0x52, 0x45, 0x46, 0x45, 0x52, 0x52, 0x45, 0x44, 0x10,
+ 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x4d, 0x41, 0x4e, 0x44, 0x41, 0x54, 0x4f, 0x52, 0x59, 0x10, 0x02,
+ 0x22, 0x5a, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x50,
+ 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x00, 0x12, 0x0a, 0x0a, 0x06,
+ 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x4d, 0x55, 0x54, 0x55,
+ 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, 0x41, 0x55, 0x54, 0x4f, 0x5f, 0x50, 0x41, 0x53,
+ 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x03, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x53,
+ 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x04, 0x22, 0x4f, 0x0a, 0x0b,
+ 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x0c, 0x0a, 0x08, 0x54,
+ 0x4c, 0x53, 0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53,
+ 0x56, 0x31, 0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f,
+ 0x31, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x32, 0x10, 0x03,
+ 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, 0x10, 0x04, 0x42, 0x22, 0x5a,
+ 0x20, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x6e, 0x65,
+ 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61,
+ 0x33, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -1274,30 +1463,36 @@ func file_networking_v1alpha3_gateway_proto_rawDescGZIP() []byte {
return file_networking_v1alpha3_gateway_proto_rawDescData
}
-var file_networking_v1alpha3_gateway_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_networking_v1alpha3_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_networking_v1alpha3_gateway_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
+var file_networking_v1alpha3_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
var file_networking_v1alpha3_gateway_proto_goTypes = []interface{}{
- (ServerTLSSettings_TLSmode)(0), // 0: istio.networking.v1alpha3.ServerTLSSettings.TLSmode
- (ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
- (*Gateway)(nil), // 2: istio.networking.v1alpha3.Gateway
- (*Server)(nil), // 3: istio.networking.v1alpha3.Server
- (*Port)(nil), // 4: istio.networking.v1alpha3.Port
- (*ServerTLSSettings)(nil), // 5: istio.networking.v1alpha3.ServerTLSSettings
- nil, // 6: istio.networking.v1alpha3.Gateway.SelectorEntry
+ (ServerTLSSettings_TLSmode)(0), // 0: istio.networking.v1alpha3.ServerTLSSettings.TLSmode
+ (ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
+ (ServerTLSSettings_OCSP_Stapling_StaplingMode)(0), // 2: istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling.StaplingMode
+ (*Gateway)(nil), // 3: istio.networking.v1alpha3.Gateway
+ (*Server)(nil), // 4: istio.networking.v1alpha3.Server
+ (*Port)(nil), // 5: istio.networking.v1alpha3.Port
+ (*ServerTLSSettings)(nil), // 6: istio.networking.v1alpha3.ServerTLSSettings
+ nil, // 7: istio.networking.v1alpha3.Gateway.SelectorEntry
+ (*ServerTLSSettings_OCSP)(nil), // 8: istio.networking.v1alpha3.ServerTLSSettings.OCSP
+ (*ServerTLSSettings_OCSP_Stapling)(nil), // 9: istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling
}
var file_networking_v1alpha3_gateway_proto_depIdxs = []int32{
- 3, // 0: istio.networking.v1alpha3.Gateway.servers:type_name -> istio.networking.v1alpha3.Server
- 6, // 1: istio.networking.v1alpha3.Gateway.selector:type_name -> istio.networking.v1alpha3.Gateway.SelectorEntry
- 4, // 2: istio.networking.v1alpha3.Server.port:type_name -> istio.networking.v1alpha3.Port
- 5, // 3: istio.networking.v1alpha3.Server.tls:type_name -> istio.networking.v1alpha3.ServerTLSSettings
- 0, // 4: istio.networking.v1alpha3.ServerTLSSettings.mode:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSmode
- 1, // 5: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
- 1, // 6: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
- 7, // [7:7] is the sub-list for method output_type
- 7, // [7:7] is the sub-list for method input_type
- 7, // [7:7] is the sub-list for extension type_name
- 7, // [7:7] is the sub-list for extension extendee
- 0, // [0:7] is the sub-list for field type_name
+ 4, // 0: istio.networking.v1alpha3.Gateway.servers:type_name -> istio.networking.v1alpha3.Server
+ 7, // 1: istio.networking.v1alpha3.Gateway.selector:type_name -> istio.networking.v1alpha3.Gateway.SelectorEntry
+ 5, // 2: istio.networking.v1alpha3.Server.port:type_name -> istio.networking.v1alpha3.Port
+ 6, // 3: istio.networking.v1alpha3.Server.tls:type_name -> istio.networking.v1alpha3.ServerTLSSettings
+ 0, // 4: istio.networking.v1alpha3.ServerTLSSettings.mode:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSmode
+ 1, // 5: istio.networking.v1alpha3.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
+ 1, // 6: istio.networking.v1alpha3.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol
+ 8, // 7: istio.networking.v1alpha3.ServerTLSSettings.ocsp:type_name -> istio.networking.v1alpha3.ServerTLSSettings.OCSP
+ 9, // 8: istio.networking.v1alpha3.ServerTLSSettings.OCSP.stapling:type_name -> istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling
+ 2, // 9: istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling.mode:type_name -> istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling.StaplingMode
+ 10, // [10:10] is the sub-list for method output_type
+ 10, // [10:10] is the sub-list for method input_type
+ 10, // [10:10] is the sub-list for extension type_name
+ 10, // [10:10] is the sub-list for extension extendee
+ 0, // [0:10] is the sub-list for field type_name
}
func init() { file_networking_v1alpha3_gateway_proto_init() }
@@ -1354,14 +1549,38 @@ func file_networking_v1alpha3_gateway_proto_init() {
return nil
}
}
+ file_networking_v1alpha3_gateway_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ServerTLSSettings_OCSP); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_networking_v1alpha3_gateway_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ServerTLSSettings_OCSP_Stapling); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_networking_v1alpha3_gateway_proto_rawDesc,
- NumEnums: 2,
- NumMessages: 5,
+ NumEnums: 3,
+ NumMessages: 7,
NumExtensions: 0,
NumServices: 0,
},
diff --git a/networking/v1alpha3/gateway.pb.html b/networking/v1alpha3/gateway.pb.html
index 28a591957e3..c5e59fd1238 100644
--- a/networking/v1alpha3/gateway.pb.html
+++ b/networking/v1alpha3/gateway.pb.html
@@ -6,7 +6,7 @@
generator: protoc-gen-docs
schema: istio.networking.v1alpha3.Gateway
aliases: [/docs/reference/config/networking/v1alpha3/gateway]
-number_of_entries: 6
+number_of_entries: 9
---
Gateway
describes a load balancer operating at the edge of the mesh
receiving incoming or outgoing HTTP/TCP connections. The specification
@@ -813,6 +813,116 @@
ServerTLSSettings
No
+ |
+
+
+ocsp |
+OCSP |
+
+ Optional: settings for OCSP and OCSP Stapling
+
+ |
+
+No
+ |
+
+
+
+
+ServerTLSSettings.OCSP
+
+OCSP Settings
+
+
+
+
+Field |
+Type |
+Description |
+Required |
+
+
+
+
+stapling |
+Stapling |
+
+ |
+
+No
+ |
+
+
+
+
+ServerTLSSettings.OCSP.Stapling
+
+Settings for OCSP Stapling
+
+
+
+
+Field |
+Type |
+Description |
+Required |
+
+
+
+
+mode |
+StaplingMode |
+
+ OCSP Stapling mode for Envoy
+
+ |
+
+No
+ |
+
+
+path |
+string |
+
+ Path at which the staple bytes will be stored in the Secret
+
+ |
+
+No
+ |
+
+
+
+
+ServerTLSSettings.OCSP.Stapling.StaplingMode
+
+
+
+
+Name |
+Description |
+
+
+
+
+OPTIONAL |
+
+ Matches the LENIENT_STAPLING mode of Envoy
+
+ |
+
+
+PREFERRED |
+
+ Matches the STRICT_STAPLING mode of Envoy
+
+ |
+
+
+MANDATORY |
+
+ Matches the MUST_STAPLE mode of Envoy
+
|
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index 27c2a85fc0a..2d3b593733b 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -733,4 +733,34 @@ message ServerTLSSettings {
// Optional: If specified, only support the specified cipher list.
// Otherwise default to the default cipher list supported by Envoy.
repeated string cipher_suites = 9;
-}
+
+ // OCSP Settings
+ message OCSP {
+
+ Stapling stapling = 1;
+
+ // Settings for OCSP Stapling
+ message Stapling {
+
+ enum StaplingMode {
+ // Matches the LENIENT_STAPLING mode of Envoy
+ OPTIONAL = 0;
+
+ // Matches the STRICT_STAPLING mode of Envoy
+ PREFERRED = 1;
+
+ // Matches the MUST_STAPLE mode of Envoy
+ MANDATORY = 2;
+ }
+
+ // OCSP Stapling mode for Envoy
+ StaplingMode mode = 1;
+
+ // Path at which the staple bytes will be stored in the Secret
+ string path = 2;
+ }
+ }
+
+ // Optional: settings for OCSP and OCSP Stapling
+ OCSP ocsp = 13;
+}
\ No newline at end of file
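Review bot: The `StaplingMode` values at L634–L643 are documented only by the Envoy policy name they map to, which tells an operator nothing about the failure behaviour that matters for this setting: whether a missing or expired staple makes the gateway fail open (serve the certificate without a staple) or fail closed (refuse to present it). If the mapping follows Envoy's OcspStaplePolicy semantics, I would document each value in those terms, e.g. `// OPTIONAL: a missing or expired staple is ignored and the certificate is served without one (fail open). This is the default, since 0 is the proto3 zero value.` and `// MANDATORY: the certificate is only served with a valid, unexpired staple; otherwise the TLS handshake fails (fail closed), so a stale staple becomes an outage.` — confirm against the Envoy docs before committing the wording. `Stapling stapling = 1;` and the `OCSP` message carry no description, and `path` should state whether it is a key in the referenced Secret's data or a filesystem path; it is a free-form string with no schema constraint, so whatever consumes it must reject values it cannot use as a key rather than pass them through. The file also loses its trailing newline (`\ No newline at end of file`).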
diff --git a/networking/v1alpha3/gateway_deepcopy.gen.go b/networking/v1alpha3/gateway_deepcopy.gen.go
index 9abd995802a..86fdf4d5d3a 100644
--- a/networking/v1alpha3/gateway_deepcopy.gen.go
+++ b/networking/v1alpha3/gateway_deepcopy.gen.go
@@ -88,3 +88,45 @@ func (in *ServerTLSSettings) DeepCopy() *ServerTLSSettings {
func (in *ServerTLSSettings) DeepCopyInterface() interface{} {
return in.DeepCopy()
}
+
+// DeepCopyInto supports using ServerTLSSettings_OCSP within kubernetes types, where deepcopy-gen is used.
+func (in *ServerTLSSettings_OCSP) DeepCopyInto(out *ServerTLSSettings_OCSP) {
+ p := proto.Clone(in).(*ServerTLSSettings_OCSP)
+ *out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_OCSP. Required by controller-gen.
+func (in *ServerTLSSettings_OCSP) DeepCopy() *ServerTLSSettings_OCSP {
+ if in == nil {
+ return nil
+ }
+ out := new(ServerTLSSettings_OCSP)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_OCSP. Required by controller-gen.
+func (in *ServerTLSSettings_OCSP) DeepCopyInterface() interface{} {
+ return in.DeepCopy()
+}
+
+// DeepCopyInto supports using ServerTLSSettings_OCSP_Stapling within kubernetes types, where deepcopy-gen is used.
+func (in *ServerTLSSettings_OCSP_Stapling) DeepCopyInto(out *ServerTLSSettings_OCSP_Stapling) {
+ p := proto.Clone(in).(*ServerTLSSettings_OCSP_Stapling)
+ *out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_OCSP_Stapling. Required by controller-gen.
+func (in *ServerTLSSettings_OCSP_Stapling) DeepCopy() *ServerTLSSettings_OCSP_Stapling {
+ if in == nil {
+ return nil
+ }
+ out := new(ServerTLSSettings_OCSP_Stapling)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_OCSP_Stapling. Required by controller-gen.
+func (in *ServerTLSSettings_OCSP_Stapling) DeepCopyInterface() interface{} {
+ return in.DeepCopy()
+}
diff --git a/networking/v1alpha3/gateway_json.gen.go b/networking/v1alpha3/gateway_json.gen.go
index 8dd2ce87eee..8e419670a9f 100644
--- a/networking/v1alpha3/gateway_json.gen.go
+++ b/networking/v1alpha3/gateway_json.gen.go
@@ -50,6 +50,28 @@ func (this *ServerTLSSettings) UnmarshalJSON(b []byte) error {
return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
+// MarshalJSON is a custom marshaler for ServerTLSSettings_OCSP
+func (this *ServerTLSSettings_OCSP) MarshalJSON() ([]byte, error) {
+ str, err := GatewayMarshaler.MarshalToString(this)
+ return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ServerTLSSettings_OCSP
+func (this *ServerTLSSettings_OCSP) UnmarshalJSON(b []byte) error {
+ return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ServerTLSSettings_OCSP_Stapling
+func (this *ServerTLSSettings_OCSP_Stapling) MarshalJSON() ([]byte, error) {
+ str, err := GatewayMarshaler.MarshalToString(this)
+ return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ServerTLSSettings_OCSP_Stapling
+func (this *ServerTLSSettings_OCSP_Stapling) UnmarshalJSON(b []byte) error {
+ return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
var (
GatewayMarshaler = &jsonpb.Marshaler{}
GatewayUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
diff --git a/networking/v1alpha3/sidecar.gen.json b/networking/v1alpha3/sidecar.gen.json
index 77d012b07ca..6c2815b0eac 100644
--- a/networking/v1alpha3/sidecar.gen.json
+++ b/networking/v1alpha3/sidecar.gen.json
@@ -189,9 +189,42 @@
"items": {
"type": "string"
}
+ },
+ "ocsp": {
+ "$ref": "#/components/schemas/istio.networking.v1alpha3.ServerTLSSettings.OCSP"
+ }
+ }
+ },
+ "istio.networking.v1alpha3.ServerTLSSettings.OCSP": {
+ "description": "OCSP Settings",
+ "type": "object",
+ "properties": {
+ "stapling": {
+ "$ref": "#/components/schemas/istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling"
+ }
+ }
+ },
+ "istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling": {
+ "description": "Settings for OCSP Stapling",
+ "type": "object",
+ "properties": {
+ "mode": {
+ "$ref": "#/components/schemas/istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling.StaplingMode"
+ },
+ "path": {
+ "description": "Path at which the staple bytes will be stored in the Secret",
+ "type": "string"
}
}
},
+ "istio.networking.v1alpha3.ServerTLSSettings.OCSP.Stapling.StaplingMode": {
+ "type": "string",
+ "enum": [
+ "OPTIONAL",
+ "PREFERRED",
+ "MANDATORY"
+ ]
+ },
"istio.networking.v1alpha3.ServerTLSSettings.TLSProtocol": {
"description": "TLS protocol versions.",
"type": "string",
diff --git a/networking/v1beta1/gateway.gen.json b/networking/v1beta1/gateway.gen.json
index e5014de0b16..c974b04b9e9 100644
--- a/networking/v1beta1/gateway.gen.json
+++ b/networking/v1beta1/gateway.gen.json
@@ -139,9 +139,42 @@
"items": {
"type": "string"
}
+ },
+ "ocsp": {
+ "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.OCSP"
+ }
+ }
+ },
+ "istio.networking.v1beta1.ServerTLSSettings.OCSP": {
+ "description": "OCSP Settings",
+ "type": "object",
+ "properties": {
+ "stapling": {
+ "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling"
+ }
+ }
+ },
+ "istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling": {
+ "description": "Settings for OCSP Stapling",
+ "type": "object",
+ "properties": {
+ "mode": {
+ "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling.StaplingMode"
+ },
+ "path": {
+ "description": "Path at which the staple bytes will be stored in the Secret",
+ "type": "string"
}
}
},
+ "istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling.StaplingMode": {
+ "type": "string",
+ "enum": [
+ "OPTIONAL",
+ "PREFERRED",
+ "MANDATORY"
+ ]
+ },
"istio.networking.v1beta1.ServerTLSSettings.TLSProtocol": {
"description": "TLS protocol versions.",
"type": "string",
diff --git a/networking/v1beta1/gateway.pb.go b/networking/v1beta1/gateway.pb.go
index 5d594b0a70a..4df8f37d2a0 100644
--- a/networking/v1beta1/gateway.pb.go
+++ b/networking/v1beta1/gateway.pb.go
@@ -508,6 +508,58 @@ func (ServerTLSSettings_TLSProtocol) EnumDescriptor() ([]byte, []int) {
return file_networking_v1beta1_gateway_proto_rawDescGZIP(), []int{3, 1}
}
+type ServerTLSSettings_OCSP_Stapling_StaplingMode int32
+
+const (
+ // Matches the LENIENT_STAPLING mode of Envoy
+ ServerTLSSettings_OCSP_Stapling_OPTIONAL ServerTLSSettings_OCSP_Stapling_StaplingMode = 0
+ // Matches the STRICT_STAPLING mode of Envoy
+ ServerTLSSettings_OCSP_Stapling_PREFERRED ServerTLSSettings_OCSP_Stapling_StaplingMode = 1
+ // Matches the MUST_STAPLE mode of Envoy
+ ServerTLSSettings_OCSP_Stapling_MANDATORY ServerTLSSettings_OCSP_Stapling_StaplingMode = 2
+)
+
+// Enum value maps for ServerTLSSettings_OCSP_Stapling_StaplingMode.
+var (
+ ServerTLSSettings_OCSP_Stapling_StaplingMode_name = map[int32]string{
+ 0: "OPTIONAL",
+ 1: "PREFERRED",
+ 2: "MANDATORY",
+ }
+ ServerTLSSettings_OCSP_Stapling_StaplingMode_value = map[string]int32{
+ "OPTIONAL": 0,
+ "PREFERRED": 1,
+ "MANDATORY": 2,
+ }
+)
+
+func (x ServerTLSSettings_OCSP_Stapling_StaplingMode) Enum() *ServerTLSSettings_OCSP_Stapling_StaplingMode {
+ p := new(ServerTLSSettings_OCSP_Stapling_StaplingMode)
+ *p = x
+ return p
+}
+
+func (x ServerTLSSettings_OCSP_Stapling_StaplingMode) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (ServerTLSSettings_OCSP_Stapling_StaplingMode) Descriptor() protoreflect.EnumDescriptor {
+ return file_networking_v1beta1_gateway_proto_enumTypes[2].Descriptor()
+}
+
+func (ServerTLSSettings_OCSP_Stapling_StaplingMode) Type() protoreflect.EnumType {
+ return &file_networking_v1beta1_gateway_proto_enumTypes[2]
+}
+
+func (x ServerTLSSettings_OCSP_Stapling_StaplingMode) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use ServerTLSSettings_OCSP_Stapling_StaplingMode.Descriptor instead.
+func (ServerTLSSettings_OCSP_Stapling_StaplingMode) EnumDescriptor() ([]byte, []int) {
+ return file_networking_v1beta1_gateway_proto_rawDescGZIP(), []int{3, 0, 0, 0}
+}
+
// Gateway describes a load balancer operating at the edge of the mesh
// receiving incoming or outgoing HTTP/TCP connections.
//
@@ -1037,6 +1089,8 @@ type ServerTLSSettings struct {
// Optional: If specified, only support the specified cipher list.
// Otherwise default to the default cipher list supported by Envoy.
CipherSuites []string `protobuf:"bytes,9,rep,name=cipher_suites,json=cipherSuites,proto3" json:"cipher_suites,omitempty"`
+ // Optional: settings for OCSP and OCSP Stapling
+ Ocsp *ServerTLSSettings_OCSP `protobuf:"bytes,13,opt,name=ocsp,proto3" json:"ocsp,omitempty"`
}
func (x *ServerTLSSettings) Reset() {
@@ -1155,6 +1209,119 @@ func (x *ServerTLSSettings) GetCipherSuites() []string {
return nil
}
+func (x *ServerTLSSettings) GetOcsp() *ServerTLSSettings_OCSP {
+ if x != nil {
+ return x.Ocsp
+ }
+ return nil
+}
+
+// OCSP Settings
+type ServerTLSSettings_OCSP struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ Stapling *ServerTLSSettings_OCSP_Stapling `protobuf:"bytes,1,opt,name=stapling,proto3" json:"stapling,omitempty"`
+}
+
+func (x *ServerTLSSettings_OCSP) Reset() {
+ *x = ServerTLSSettings_OCSP{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_networking_v1beta1_gateway_proto_msgTypes[5]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ServerTLSSettings_OCSP) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ServerTLSSettings_OCSP) ProtoMessage() {}
+
+func (x *ServerTLSSettings_OCSP) ProtoReflect() protoreflect.Message {
+ mi := &file_networking_v1beta1_gateway_proto_msgTypes[5]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ServerTLSSettings_OCSP.ProtoReflect.Descriptor instead.
+func (*ServerTLSSettings_OCSP) Descriptor() ([]byte, []int) {
+ return file_networking_v1beta1_gateway_proto_rawDescGZIP(), []int{3, 0}
+}
+
+func (x *ServerTLSSettings_OCSP) GetStapling() *ServerTLSSettings_OCSP_Stapling {
+ if x != nil {
+ return x.Stapling
+ }
+ return nil
+}
+
+// Settings for OCSP Stapling
+type ServerTLSSettings_OCSP_Stapling struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // OCSP Stapling mode for Envoy
+ Mode ServerTLSSettings_OCSP_Stapling_StaplingMode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.networking.v1beta1.ServerTLSSettings_OCSP_Stapling_StaplingMode" json:"mode,omitempty"`
+ // Path at which the staple bytes will be stored in the Secret
+ Path string `protobuf:"bytes,2,opt,name=path,proto3" json:"path,omitempty"`
+}
+
+func (x *ServerTLSSettings_OCSP_Stapling) Reset() {
+ *x = ServerTLSSettings_OCSP_Stapling{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_networking_v1beta1_gateway_proto_msgTypes[6]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *ServerTLSSettings_OCSP_Stapling) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ServerTLSSettings_OCSP_Stapling) ProtoMessage() {}
+
+func (x *ServerTLSSettings_OCSP_Stapling) ProtoReflect() protoreflect.Message {
+ mi := &file_networking_v1beta1_gateway_proto_msgTypes[6]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use ServerTLSSettings_OCSP_Stapling.ProtoReflect.Descriptor instead.
+func (*ServerTLSSettings_OCSP_Stapling) Descriptor() ([]byte, []int) {
+ return file_networking_v1beta1_gateway_proto_rawDescGZIP(), []int{3, 0, 0}
+}
+
+func (x *ServerTLSSettings_OCSP_Stapling) GetMode() ServerTLSSettings_OCSP_Stapling_StaplingMode {
+ if x != nil {
+ return x.Mode
+ }
+ return ServerTLSSettings_OCSP_Stapling_OPTIONAL
+}
+
+func (x *ServerTLSSettings_OCSP_Stapling) GetPath() string {
+ if x != nil {
+ return x.Path
+ }
+ return ""
+}
+
var File_networking_v1beta1_gateway_proto protoreflect.FileDescriptor
var file_networking_v1beta1_gateway_proto_rawDesc = []byte{
@@ -1201,7 +1368,7 @@ var file_networking_v1beta1_gateway_proto_rawDesc = []byte{
0x03, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d,
0x65, 0x12, 0x23, 0x0a, 0x0b, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x5f, 0x70, 0x6f, 0x72, 0x74,
0x18, 0x04, 0x20, 0x01, 0x28, 0x0d, 0x42, 0x02, 0x18, 0x01, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67,
- 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xe9, 0x06, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65,
+ 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xc8, 0x09, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65,
0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73, 0x12, 0x25, 0x0a, 0x0e,
0x68, 0x74, 0x74, 0x70, 0x73, 0x5f, 0x72, 0x65, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74, 0x18, 0x01,
0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x68, 0x74, 0x74, 0x70, 0x73, 0x52, 0x65, 0x64, 0x69, 0x72,
@@ -1245,20 +1412,42 @@ var file_networking_v1beta1_gateway_proto_rawDesc = []byte{
0x78, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e,
0x12, 0x23, 0x0a, 0x0d, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x5f, 0x73, 0x75, 0x69, 0x74, 0x65,
0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0c, 0x63, 0x69, 0x70, 0x68, 0x65, 0x72, 0x53,
- 0x75, 0x69, 0x74, 0x65, 0x73, 0x22, 0x5a, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x6d, 0x6f, 0x64, 0x65,
- 0x12, 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10,
- 0x00, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x0a, 0x0a,
- 0x06, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, 0x41, 0x55, 0x54,
- 0x4f, 0x5f, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x03, 0x12,
- 0x10, 0x0a, 0x0c, 0x49, 0x53, 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10,
- 0x04, 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c,
- 0x12, 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53, 0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b,
- 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54,
- 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56,
- 0x31, 0x5f, 0x32, 0x10, 0x03, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33,
- 0x10, 0x04, 0x42, 0x21, 0x5a, 0x1f, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61,
- 0x70, 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31,
- 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x75, 0x69, 0x74, 0x65, 0x73, 0x12, 0x44, 0x0a, 0x04, 0x6f, 0x63, 0x73, 0x70, 0x18, 0x0d, 0x20,
+ 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e, 0x65, 0x74, 0x77,
+ 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x53,
+ 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6e, 0x67, 0x73,
+ 0x2e, 0x4f, 0x43, 0x53, 0x50, 0x52, 0x04, 0x6f, 0x63, 0x73, 0x70, 0x1a, 0x96, 0x02, 0x0a, 0x04,
+ 0x4f, 0x43, 0x53, 0x50, 0x12, 0x55, 0x0a, 0x08, 0x73, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67,
+ 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e,
+ 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
+ 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69,
+ 0x6e, 0x67, 0x73, 0x2e, 0x4f, 0x43, 0x53, 0x50, 0x2e, 0x53, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e,
+ 0x67, 0x52, 0x08, 0x73, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x1a, 0xb6, 0x01, 0x0a, 0x08,
+ 0x53, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x12, 0x5a, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65,
+ 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x46, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6e,
+ 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
+ 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x54, 0x4c, 0x53, 0x53, 0x65, 0x74, 0x74, 0x69,
+ 0x6e, 0x67, 0x73, 0x2e, 0x4f, 0x43, 0x53, 0x50, 0x2e, 0x53, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e,
+ 0x67, 0x2e, 0x53, 0x74, 0x61, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04,
+ 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x02, 0x20, 0x01,
+ 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x22, 0x3a, 0x0a, 0x0c, 0x53, 0x74, 0x61, 0x70,
+ 0x6c, 0x69, 0x6e, 0x67, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0c, 0x0a, 0x08, 0x4f, 0x50, 0x54, 0x49,
+ 0x4f, 0x4e, 0x41, 0x4c, 0x10, 0x00, 0x12, 0x0d, 0x0a, 0x09, 0x50, 0x52, 0x45, 0x46, 0x45, 0x52,
+ 0x52, 0x45, 0x44, 0x10, 0x01, 0x12, 0x0d, 0x0a, 0x09, 0x4d, 0x41, 0x4e, 0x44, 0x41, 0x54, 0x4f,
+ 0x52, 0x59, 0x10, 0x02, 0x22, 0x5a, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x6d, 0x6f, 0x64, 0x65, 0x12,
+ 0x0f, 0x0a, 0x0b, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x00,
+ 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x49, 0x4d, 0x50, 0x4c, 0x45, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06,
+ 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x02, 0x12, 0x14, 0x0a, 0x10, 0x41, 0x55, 0x54, 0x4f,
+ 0x5f, 0x50, 0x41, 0x53, 0x53, 0x54, 0x48, 0x52, 0x4f, 0x55, 0x47, 0x48, 0x10, 0x03, 0x12, 0x10,
+ 0x0a, 0x0c, 0x49, 0x53, 0x54, 0x49, 0x4f, 0x5f, 0x4d, 0x55, 0x54, 0x55, 0x41, 0x4c, 0x10, 0x04,
+ 0x22, 0x4f, 0x0a, 0x0b, 0x54, 0x4c, 0x53, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12,
+ 0x0c, 0x0a, 0x08, 0x54, 0x4c, 0x53, 0x5f, 0x41, 0x55, 0x54, 0x4f, 0x10, 0x00, 0x12, 0x0b, 0x0a,
+ 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x30, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c,
+ 0x53, 0x56, 0x31, 0x5f, 0x31, 0x10, 0x02, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31,
+ 0x5f, 0x32, 0x10, 0x03, 0x12, 0x0b, 0x0a, 0x07, 0x54, 0x4c, 0x53, 0x56, 0x31, 0x5f, 0x33, 0x10,
+ 0x04, 0x42, 0x21, 0x5a, 0x1f, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70,
+ 0x69, 0x2f, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x69, 0x6e, 0x67, 0x2f, 0x76, 0x31, 0x62,
+ 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
}
var (
@@ -1273,30 +1462,36 @@ func file_networking_v1beta1_gateway_proto_rawDescGZIP() []byte {
return file_networking_v1beta1_gateway_proto_rawDescData
}
-var file_networking_v1beta1_gateway_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_networking_v1beta1_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_networking_v1beta1_gateway_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
+var file_networking_v1beta1_gateway_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
var file_networking_v1beta1_gateway_proto_goTypes = []interface{}{
- (ServerTLSSettings_TLSmode)(0), // 0: istio.networking.v1beta1.ServerTLSSettings.TLSmode
- (ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1beta1.ServerTLSSettings.TLSProtocol
- (*Gateway)(nil), // 2: istio.networking.v1beta1.Gateway
- (*Server)(nil), // 3: istio.networking.v1beta1.Server
- (*Port)(nil), // 4: istio.networking.v1beta1.Port
- (*ServerTLSSettings)(nil), // 5: istio.networking.v1beta1.ServerTLSSettings
- nil, // 6: istio.networking.v1beta1.Gateway.SelectorEntry
+ (ServerTLSSettings_TLSmode)(0), // 0: istio.networking.v1beta1.ServerTLSSettings.TLSmode
+ (ServerTLSSettings_TLSProtocol)(0), // 1: istio.networking.v1beta1.ServerTLSSettings.TLSProtocol
+ (ServerTLSSettings_OCSP_Stapling_StaplingMode)(0), // 2: istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling.StaplingMode
+ (*Gateway)(nil), // 3: istio.networking.v1beta1.Gateway
+ (*Server)(nil), // 4: istio.networking.v1beta1.Server
+ (*Port)(nil), // 5: istio.networking.v1beta1.Port
+ (*ServerTLSSettings)(nil), // 6: istio.networking.v1beta1.ServerTLSSettings
+ nil, // 7: istio.networking.v1beta1.Gateway.SelectorEntry
+ (*ServerTLSSettings_OCSP)(nil), // 8: istio.networking.v1beta1.ServerTLSSettings.OCSP
+ (*ServerTLSSettings_OCSP_Stapling)(nil), // 9: istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling
}
var file_networking_v1beta1_gateway_proto_depIdxs = []int32{
- 3, // 0: istio.networking.v1beta1.Gateway.servers:type_name -> istio.networking.v1beta1.Server
- 6, // 1: istio.networking.v1beta1.Gateway.selector:type_name -> istio.networking.v1beta1.Gateway.SelectorEntry
- 4, // 2: istio.networking.v1beta1.Server.port:type_name -> istio.networking.v1beta1.Port
- 5, // 3: istio.networking.v1beta1.Server.tls:type_name -> istio.networking.v1beta1.ServerTLSSettings
- 0, // 4: istio.networking.v1beta1.ServerTLSSettings.mode:type_name -> istio.networking.v1beta1.ServerTLSSettings.TLSmode
- 1, // 5: istio.networking.v1beta1.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1beta1.ServerTLSSettings.TLSProtocol
- 1, // 6: istio.networking.v1beta1.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1beta1.ServerTLSSettings.TLSProtocol
- 7, // [7:7] is the sub-list for method output_type
- 7, // [7:7] is the sub-list for method input_type
- 7, // [7:7] is the sub-list for extension type_name
- 7, // [7:7] is the sub-list for extension extendee
- 0, // [0:7] is the sub-list for field type_name
+ 4, // 0: istio.networking.v1beta1.Gateway.servers:type_name -> istio.networking.v1beta1.Server
+ 7, // 1: istio.networking.v1beta1.Gateway.selector:type_name -> istio.networking.v1beta1.Gateway.SelectorEntry
+ 5, // 2: istio.networking.v1beta1.Server.port:type_name -> istio.networking.v1beta1.Port
+ 6, // 3: istio.networking.v1beta1.Server.tls:type_name -> istio.networking.v1beta1.ServerTLSSettings
+ 0, // 4: istio.networking.v1beta1.ServerTLSSettings.mode:type_name -> istio.networking.v1beta1.ServerTLSSettings.TLSmode
+ 1, // 5: istio.networking.v1beta1.ServerTLSSettings.min_protocol_version:type_name -> istio.networking.v1beta1.ServerTLSSettings.TLSProtocol
+ 1, // 6: istio.networking.v1beta1.ServerTLSSettings.max_protocol_version:type_name -> istio.networking.v1beta1.ServerTLSSettings.TLSProtocol
+ 8, // 7: istio.networking.v1beta1.ServerTLSSettings.ocsp:type_name -> istio.networking.v1beta1.ServerTLSSettings.OCSP
+ 9, // 8: istio.networking.v1beta1.ServerTLSSettings.OCSP.stapling:type_name -> istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling
+ 2, // 9: istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling.mode:type_name -> istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling.StaplingMode
+ 10, // [10:10] is the sub-list for method output_type
+ 10, // [10:10] is the sub-list for method input_type
+ 10, // [10:10] is the sub-list for extension type_name
+ 10, // [10:10] is the sub-list for extension extendee
+ 0, // [0:10] is the sub-list for field type_name
}
func init() { file_networking_v1beta1_gateway_proto_init() }
@@ -1353,14 +1548,38 @@ func file_networking_v1beta1_gateway_proto_init() {
return nil
}
}
+ file_networking_v1beta1_gateway_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ServerTLSSettings_OCSP); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_networking_v1beta1_gateway_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*ServerTLSSettings_OCSP_Stapling); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
}
type x struct{}
out := protoimpl.TypeBuilder{
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_networking_v1beta1_gateway_proto_rawDesc,
- NumEnums: 2,
- NumMessages: 5,
+ NumEnums: 3,
+ NumMessages: 7,
NumExtensions: 0,
NumServices: 0,
},
diff --git a/networking/v1beta1/gateway.proto b/networking/v1beta1/gateway.proto
index 4683809aed0..5f110252a7e 100644
--- a/networking/v1beta1/gateway.proto
+++ b/networking/v1beta1/gateway.proto
@@ -733,4 +733,34 @@ message ServerTLSSettings {
// Optional: If specified, only support the specified cipher list.
// Otherwise default to the default cipher list supported by Envoy.
repeated string cipher_suites = 9;
+
+ // OCSP Settings
+ message OCSP {
+
+ Stapling stapling = 1;
+
+ // Settings for OCSP Stapling
+ message Stapling {
+
+ enum StaplingMode {
+ // Matches the LENIENT_STAPLING mode of Envoy
+ OPTIONAL = 0;
+
+ // Matches the STRICT_STAPLING mode of Envoy
+ PREFERRED = 1;
+
+ // Matches the MUST_STAPLE mode of Envoy
+ MANDATORY = 2;
+ }
+
+ // OCSP Stapling mode for Envoy
+ StaplingMode mode = 1;
+
+ // Path at which the staple bytes will be stored in the Secret
+ string path = 2;
+ }
+ }
+
+ // Optional: settings for OCSP and OCSP Stapling
+ OCSP ocsp = 13;
}
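Review bot: The new `path` and `Stapling stapling = 1;` fields do not say what the gateway does when the staple stored at that key is missing, expired or unparsable, which is the property an operator needs to choose between the three modes — `MANDATORY` in particular can turn a missing or stale staple into the certificate no longer being served (inferred from the Envoy MUST_STAPLE naming it maps to; confirm against Envoy's documented staple policy before writing it down). Each enum value currently only names the matching Envoy mode; the API doc is generated from these comments, so I'd state the observable behaviour per mode, e.g. `// MANDATORY: a valid, unexpired OCSP response is required; the certificate is not served without one.` with equivalent lines for OPTIONAL and PREFERRED once verified. The `stapling` field has no comment at all, and `path` does not state the expected encoding of the staple bytes or the behaviour when it is left empty; something like `// Key in the Secret holding the OCSP response (encoding TBD) for the server certificate.` would close that gap. The enclosing `message ServerTLSSettings` starts outside the hunk.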
diff --git a/networking/v1beta1/gateway_deepcopy.gen.go b/networking/v1beta1/gateway_deepcopy.gen.go
index 0318f99bb50..61823d3b620 100644
--- a/networking/v1beta1/gateway_deepcopy.gen.go
+++ b/networking/v1beta1/gateway_deepcopy.gen.go
@@ -88,3 +88,45 @@ func (in *ServerTLSSettings) DeepCopy() *ServerTLSSettings {
func (in *ServerTLSSettings) DeepCopyInterface() interface{} {
return in.DeepCopy()
}
+
+// DeepCopyInto supports using ServerTLSSettings_OCSP within kubernetes types, where deepcopy-gen is used.
+func (in *ServerTLSSettings_OCSP) DeepCopyInto(out *ServerTLSSettings_OCSP) {
+ p := proto.Clone(in).(*ServerTLSSettings_OCSP)
+ *out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_OCSP. Required by controller-gen.
+func (in *ServerTLSSettings_OCSP) DeepCopy() *ServerTLSSettings_OCSP {
+ if in == nil {
+ return nil
+ }
+ out := new(ServerTLSSettings_OCSP)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_OCSP. Required by controller-gen.
+func (in *ServerTLSSettings_OCSP) DeepCopyInterface() interface{} {
+ return in.DeepCopy()
+}
+
+// DeepCopyInto supports using ServerTLSSettings_OCSP_Stapling within kubernetes types, where deepcopy-gen is used.
+func (in *ServerTLSSettings_OCSP_Stapling) DeepCopyInto(out *ServerTLSSettings_OCSP_Stapling) {
+ p := proto.Clone(in).(*ServerTLSSettings_OCSP_Stapling)
+ *out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_OCSP_Stapling. Required by controller-gen.
+func (in *ServerTLSSettings_OCSP_Stapling) DeepCopy() *ServerTLSSettings_OCSP_Stapling {
+ if in == nil {
+ return nil
+ }
+ out := new(ServerTLSSettings_OCSP_Stapling)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ServerTLSSettings_OCSP_Stapling. Required by controller-gen.
+func (in *ServerTLSSettings_OCSP_Stapling) DeepCopyInterface() interface{} {
+ return in.DeepCopy()
+}
diff --git a/networking/v1beta1/gateway_json.gen.go b/networking/v1beta1/gateway_json.gen.go
index 7f6c0b55f3b..e40271caea8 100644
--- a/networking/v1beta1/gateway_json.gen.go
+++ b/networking/v1beta1/gateway_json.gen.go
@@ -50,6 +50,28 @@ func (this *ServerTLSSettings) UnmarshalJSON(b []byte) error {
return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
+// MarshalJSON is a custom marshaler for ServerTLSSettings_OCSP
+func (this *ServerTLSSettings_OCSP) MarshalJSON() ([]byte, error) {
+ str, err := GatewayMarshaler.MarshalToString(this)
+ return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ServerTLSSettings_OCSP
+func (this *ServerTLSSettings_OCSP) UnmarshalJSON(b []byte) error {
+ return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for ServerTLSSettings_OCSP_Stapling
+func (this *ServerTLSSettings_OCSP_Stapling) MarshalJSON() ([]byte, error) {
+ str, err := GatewayMarshaler.MarshalToString(this)
+ return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for ServerTLSSettings_OCSP_Stapling
+func (this *ServerTLSSettings_OCSP_Stapling) UnmarshalJSON(b []byte) error {
+ return GatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
var (
GatewayMarshaler = &jsonpb.Marshaler{}
GatewayUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
diff --git a/networking/v1beta1/sidecar.gen.json b/networking/v1beta1/sidecar.gen.json
index 8fee00d372f..c7f2a49b6cf 100644
--- a/networking/v1beta1/sidecar.gen.json
+++ b/networking/v1beta1/sidecar.gen.json
@@ -189,9 +189,42 @@
"items": {
"type": "string"
}
+ },
+ "ocsp": {
+ "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.OCSP"
+ }
+ }
+ },
+ "istio.networking.v1beta1.ServerTLSSettings.OCSP": {
+ "description": "OCSP Settings",
+ "type": "object",
+ "properties": {
+ "stapling": {
+ "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling"
+ }
+ }
+ },
+ "istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling": {
+ "description": "Settings for OCSP Stapling",
+ "type": "object",
+ "properties": {
+ "mode": {
+ "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling.StaplingMode"
+ },
+ "path": {
+ "description": "Path at which the staple bytes will be stored in the Secret",
+ "type": "string"
}
}
},
+ "istio.networking.v1beta1.ServerTLSSettings.OCSP.Stapling.StaplingMode": {
+ "type": "string",
+ "enum": [
+ "OPTIONAL",
+ "PREFERRED",
+ "MANDATORY"
+ ]
+ },
"istio.networking.v1beta1.ServerTLSSettings.TLSProtocol": {
"description": "TLS protocol versions.",
"type": "string",
diff --git a/proto.lock b/proto.lock
index 7f5ef8742b0..fab550cdb33 100644
--- a/proto.lock
+++ b/proto.lock
@@ -37719,6 +37719,22 @@
"integer": 4
}
]
+ },
+ {
+ "name": "Stapling.StaplingMode",
+ "enum_fields": [
+ {
+ "name": "OPTIONAL"
+ },
+ {
+ "name": "PREFERRED",
+ "integer": 1
+ },
+ {
+ "name": "MANDATORY",
+ "integer": 2
+ }
+ ]
}
],
"messages": [
@@ -37918,6 +37934,40 @@
"name": "cipher_suites",
"type": "string",
"is_repeated": true
+ },
+ {
+ "id": 13,
+ "name": "ocsp",
+ "type": "OCSP"
+ }
+ ],
+ "messages": [
+ {
+ "name": "OCSP",
+ "fields": [
+ {
+ "id": 1,
+ "name": "stapling",
+ "type": "Stapling"
+ }
+ ],
+ "messages": [
+ {
+ "name": "Stapling",
+ "fields": [
+ {
+ "id": 1,
+ "name": "mode",
+ "type": "StaplingMode"
+ },
+ {
+ "id": 2,
+ "name": "path",
+ "type": "string"
+ }
+ ]
+ }
+ ]
}
]
}
@@ -40199,6 +40249,22 @@
"integer": 4
}
]
+ },
+ {
+ "name": "Stapling.StaplingMode",
+ "enum_fields": [
+ {
+ "name": "OPTIONAL"
+ },
+ {
+ "name": "PREFERRED",
+ "integer": 1
+ },
+ {
+ "name": "MANDATORY",
+ "integer": 2
+ }
+ ]
}
],
"messages": [
@@ -40398,6 +40464,40 @@
"name": "cipher_suites",
"type": "string",
"is_repeated": true
+ },
+ {
+ "id": 13,
+ "name": "ocsp",
+ "type": "OCSP"
+ }
+ ],
+ "messages": [
+ {
+ "name": "OCSP",
+ "fields": [
+ {
+ "id": 1,
+ "name": "stapling",
+ "type": "Stapling"
+ }
+ ],
+ "messages": [
+ {
+ "name": "Stapling",
+ "fields": [
+ {
+ "id": 1,
+ "name": "mode",
+ "type": "StaplingMode"
+ },
+ {
+ "id": 2,
+ "name": "path",
+ "type": "string"
+ }
+ ]
+ }
+ ]
}
]
}