Transport layer security config

Transport layer security config specifies configuration of a TLS client.

ClientTransportSecurity

ClientTransportSecurity specifies transport layer security configuration.

Field	Description	Validation Rule
tls	tetrateio.api.onboarding.config.types.config.v1alpha1.TlsClient ^{oneof kind} TLS client configuration.	–
none	tetrateio.api.onboarding.config.types.config.v1alpha1.PlainTextClient ^{oneof kind} Plain-text client configuration.	–

TlsClient

TlsClient specifies configuration of a TLS client.

Field Description Validation Rule

Field	Description	Validation Rule
sni	string SNI string to present to the server during TLS handshake instead of the default value (host address). Defaults to empty string, in which case the default SNI value (host address) will be used. This setting is meant for use in non-production scenarios, such as: when the server is not reachable by a DNS name (e.g., because user has no means to create a DNS record) when the server is only reachable by a DNS name different from the name TLS certificate was issued for When set to a non-empty string, TLS client will validate certificate presented by the server against the SNI value rather than host address. TODO(yaro): add [(validate.rules).string = { address: true, ignore_empty: true } ]	–
insecureSkipVerify	bool once `protoc-gen-validate` tool is updated up to 0.5.0+ that support `ignore_empty` option When set to `true`, TLS client will not verify validity of the server certificate (:warning:). Defaults to `false`. :warning: `WARNING`: This setting makes TLS connections insecure because client does not validate identity of the server and might end up sending security-sensitive information to an attacker (man-in-the-middle). :warning: `NEVER` use this setting in production scenarios! This setting is meant for use in non-production scenarios, such as: getting started guides disposable test and demo environments local development environments	–

sni

string
SNI string to present to the server during TLS handshake instead of the default value (host address).

Defaults to empty string, in which case the default SNI value (host address) will be used.

This setting is meant for use in non-production scenarios, such as:

when the server is not reachable by a DNS name (e.g., because user has no means to create a DNS record)
when the server is only reachable by a DNS name different from the name TLS certificate was issued for

When set to a non-empty string, TLS client will validate certificate presented by the server against the SNI value rather than host address.

TODO(yaro): add [(validate.rules).string = { address: true, ignore_empty: true } ]

–

insecureSkipVerify

bool
once protoc-gen-validate tool is updated up to 0.5.0+ that support ignore_empty option When set to true, TLS client will not verify validity of the server certificate (:warning:).

Defaults to false.

:warning: WARNING: This setting makes TLS connections insecure because client does not validate identity of the server and might end up sending security-sensitive information to an attacker (man-in-the-middle).

:warning: NEVER use this setting in production scenarios!

This setting is meant for use in non-production scenarios, such as:

getting started guides
disposable test and demo environments
local development environments

–

TSB

最近更新于 2023-09-19