Fetches the secret on demand while allowing the parent cluster or listener to accept connections without warming. During the handshake, a secret name is derived from the peer hello message, an SDS resource request starts, and the handshake is paused. Once an SDS response containing the resource is received, the handshake resumes with the provided certificate. If the SDS server indicates that the resource was removed, the handshake fails and the SDS subscription to the resource is stopped. As with regular SDS, the certificate is configured using the outer common TLS context, e.g. by setting the FIPS compliance policy on the loaded certificate.
Defines the configuration source of the secrets.
Extension point to specify a function to compute the secret name. For the downstream certificate selector, the extension is called during the TLS handshake after the *CLIENT HELLO* message is received from the client. For the upstream certificate selector, it is called using the transport socket options and the *SERVER HELLO*. [#extension-category: envoy.tls.certificate_mappers,envoy.tls.upstream_certificate_mappers]
A list of secret resource names to start fetching on configuration load (prior to receiving any requests). The parent resource initializes immediately without waiting for the fetch to complete.
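The pause/resume behaviour described above, including the mapper extension point and the prefetch list, as an added Python model that is not Envoy code. The class, the `sni_mapper` function, the `cert/` naming scheme and the reuse of an already-fetched secret are assumptions made for illustration.

```python
# Added model of the on-demand SDS flow; not Envoy code.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Handshake:
    server_name: str              # taken from the peer hello (constructed input)
    state: str = "new"            # new -> paused -> resumed | failed
    cert: Optional[str] = None

def sni_mapper(server_name):
    # Hypothetical mapper extension: hello field -> secret name.
    return "cert/" + server_name.lower()

class OnDemandSelector:
    def __init__(self, mapper, prefetch=()):
        self.mapper = mapper
        self.certs = {}                  # secret name -> certificate
        self.subscribed = set(prefetch)  # fetch starts at config load, parent does not wait
        self.waiting = {}                # secret name -> paused handshakes

    def on_hello(self, hs):
        name = self.mapper(hs.server_name)
        if name in self.certs:           # assumption: a fetched secret is reused
            hs.state, hs.cert = "resumed", self.certs[name]
        else:
            self.subscribed.add(name)    # SDS resource request starts
            self.waiting.setdefault(name, []).append(hs)
            hs.state = "paused"
        return name

    def on_sds_update(self, name, cert):
        self.certs[name] = cert
        for hs in self.waiting.pop(name, []):
            hs.state, hs.cert = "resumed", cert

    def on_sds_removed(self, name):
        self.certs.pop(name, None)
        self.subscribed.discard(name)    # subscription to the resource is stopped
        for hs in self.waiting.pop(name, []):
            hs.state = "failed"
```

Because the secret name is computed from peer-supplied hello data, every distinct name a peer presents becomes an SDS request in this model, which is the behaviour to keep in mind when choosing a mapper.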