secret

Summary

Example object

{
  "secret_key": "web-secret",
  "secret_name": "spiffe://greymatter.io/web_proxy/mTLS",
  "secret_validation_name": "spiffe://greymatter.io",
  "subject_names": "spiffe://greymatter.io/echo_proxy/mTLS",
  "ecdh_curves": [
    "X25519:P-256:P-521:P-384"
  ],
  "forward_client_cert_details": "SANITIZE",
  "set_current_client_cert_details": {
    "uri": false
  }
}

Fields

secret_key

String key that uniquely identifies this secret configuration in the Secret Discovery Service.

secret_name

Secret names are identities that live within the cert pool of Envoy. A name should correspond to one certificate that Envoy has registered, and will be used when querying the SDS API.

secret_validation_name

ValidationNames are used to verify a certificate in the Envoy cert pool against a Certificate Authority.

subject_names

When performing 2-Way SSL (mTLS), Subject Alternative Names are required for client certificate verification. Without this configuration option, Envoy will not know which certificate to verify when it attempts to connect to its upstream/downstream host.

ecdh_curves

If specified, the TLS connections established using this secret will only support the listed ECDH curves. If not specified, Envoy's default curves are used.

forward_client_cert_details

This field specifies how to handle the x-forwarded-client-cert (XFCC) HTTP header.

The possible options when forwarding client cert details are:

  • "SANITIZE"

  • "SANITIZE_SET"

  • "FORWARD_ONLY"

  • "APPEND_FORWARD"

  • "ALWAYS_FORWARD_ONLY"

set_current_client_cert_details

Valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in the client certificate to be forwarded. Note that in the x-forwarded-client-cert header, Hash is always set, and By is always set when the client certificate presents the URI type Subject Alternative Name value.
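The following Python module is an added example (not Grey Matter or Envoy code) that puts the two XFCC-related fields above to work: it validates a secret object against the rules stated on this page (the five allowed forward_client_cert_details values, and the fact that set_current_client_cert_details only takes effect for APPEND_FORWARD or SANITIZE_SET), and it models what each option does to the x-forwarded-client-cert header on the way to the next hop. The per-option behaviour follows Envoy's documented semantics for forward_client_cert_details; the header element format (semicolon-separated Hash/Subject/URI fields, comma-separated elements) is Envoy's, while the sample object, hashes and SAN values are constructed for the example.

```python
"""Validate a Grey Matter `secret` object and model XFCC header forwarding.

Added example, not code from the Grey Matter or Envoy projects. The
forwarding model below reproduces Envoy's documented semantics for
forward_client_cert_details; it does not call Envoy itself.
"""

FORWARD_OPTIONS = {
    "SANITIZE", "SANITIZE_SET", "FORWARD_ONLY",
    "APPEND_FORWARD", "ALWAYS_FORWARD_ONLY",
}
# Only these modes consult set_current_client_cert_details (per the page).
OPTIONS_USING_CURRENT_DETAILS = {"APPEND_FORWARD", "SANITIZE_SET"}
# Sub-fields Envoy accepts under set_current_client_cert_details.
CURRENT_DETAIL_KEYS = {"subject", "cert", "chain", "dns", "uri"}

# Constructed sample, mirroring the example object on this page.
EXAMPLE_SECRET = {
    "secret_key": "web-secret",
    "secret_name": "spiffe://greymatter.io/web_proxy/mTLS",
    "secret_validation_name": "spiffe://greymatter.io",
    "subject_names": "spiffe://greymatter.io/echo_proxy/mTLS",
    "ecdh_curves": ["X25519:P-256:P-521:P-384"],
    "forward_client_cert_details": "SANITIZE",
    "set_current_client_cert_details": {"uri": False},
}


def validate_secret(obj):
    """Return a list of problems found in a secret object (empty list = OK)."""
    problems = []
    for key in ("secret_key", "secret_name", "secret_validation_name", "subject_names"):
        if not isinstance(obj.get(key), str) or not obj[key]:
            problems.append(f"{key}: required non-empty string")
    curves = obj.get("ecdh_curves")
    if curves is not None and (
        not isinstance(curves, list)
        or not all(isinstance(c, str) and c for c in curves)
    ):
        problems.append("ecdh_curves: must be a list of non-empty strings")
    mode = obj.get("forward_client_cert_details", "SANITIZE")
    if mode not in FORWARD_OPTIONS:
        problems.append(f"forward_client_cert_details: unknown option {mode!r}")
    details = obj.get("set_current_client_cert_details")
    if details is not None:
        unknown = set(details) - CURRENT_DETAIL_KEYS
        if unknown:
            problems.append(f"set_current_client_cert_details: unknown keys {sorted(unknown)}")
        if not all(isinstance(v, bool) for v in details.values()):
            problems.append("set_current_client_cert_details: values must be booleans")
        # Enabling fields under a mode that never uses them is a misconfiguration;
        # the page's own example (all false under SANITIZE) is harmless and passes.
        if any(details.values()) and mode not in OPTIONS_USING_CURRENT_DETAILS:
            problems.append(
                "set_current_client_cert_details: fields enabled but "
                f"forward_client_cert_details={mode} never uses them "
                "(requires APPEND_FORWARD or SANITIZE_SET)"
            )
    return problems


def build_client_cert_element(cert_sha256, details, uri_san=None, subject=None):
    """Build the XFCC element for the current client certificate.

    Hash is always present; Subject and URI are added only when enabled in
    set_current_client_cert_details and the certificate carries the value.
    """
    parts = [f"Hash={cert_sha256}"]
    if details.get("subject") and subject:
        parts.append(f'Subject="{subject}"')
    if details.get("uri") and uri_san:
        parts.append(f"URI={uri_san}")
    return ";".join(parts)


def outgoing_xfcc(mode, incoming_xfcc, client_mtls, client_cert_element):
    """Model the XFCC value sent to the next hop, or None if it is dropped.

    incoming_xfcc: XFCC header received from downstream (None if absent).
    client_mtls: whether the downstream connection was mutual TLS.
    client_cert_element: element for the current client cert (see above).
    """
    if mode == "SANITIZE":
        return None                      # never forwarded (the default)
    if mode == "ALWAYS_FORWARD_ONLY":
        return incoming_xfcc             # forwarded even without mTLS
    if not client_mtls:
        return None                      # remaining modes require an mTLS client
    if mode == "FORWARD_ONLY":
        return incoming_xfcc
    if mode == "SANITIZE_SET":
        return client_cert_element       # replace whatever was received
    if mode == "APPEND_FORWARD":
        return f"{incoming_xfcc},{client_cert_element}" if incoming_xfcc else client_cert_element
    raise ValueError(f"unknown forward_client_cert_details option: {mode}")


if __name__ == "__main__":
    print("problems:", validate_secret(EXAMPLE_SECRET))
    # Constructed values: a fake certificate hash and the SPIFFE ID from the page.
    element = build_client_cert_element(
        "0000deadbeef", {"uri": True}, uri_san="spiffe://greymatter.io/echo_proxy/mTLS")
    for mode in sorted(FORWARD_OPTIONS):
        print(f"{mode:20} ->", outgoing_xfcc(mode, "Hash=1111cafe", True, element))
```

Running the module prints an empty problem list for the page's example and one line per option showing how a received header `Hash=1111cafe` is dropped, forwarded, replaced or appended to. Note that with the example's SANITIZE setting the header never reaches the next hop, so the `"uri": false` entry has no effect; switch to APPEND_FORWARD or SANITIZE_SET before expecting any client certificate details downstream.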
