From 7f02edf40318bd45aa42f05bf291512c0f4a095e Mon Sep 17 00:00:00 2001 From: Guy Daich Date: Wed, 25 Sep 2024 11:29:32 -0500 Subject: [PATCH] change api Signed-off-by: Guy Daich --- api/v1alpha1/tls_types.go | 64 +++++----- api/v1alpha1/zz_generated.deepcopy.go | 75 +++--------- ...y.envoyproxy.io_clienttrafficpolicies.yaml | 113 ++++-------------- site/content/en/latest/api/extension_types.md | 61 +++++----- site/content/zh/latest/api/extension_types.md | 61 +++++----- 5 files changed, 126 insertions(+), 248 deletions(-) diff --git a/api/v1alpha1/tls_types.go b/api/v1alpha1/tls_types.go index 507df8097f6..5428ed41402 100644 --- a/api/v1alpha1/tls_types.go +++ b/api/v1alpha1/tls_types.go 
@@ -19,16 +19,15 @@ type ClientTLSSettings struct {
 // SessionTimeout determines the maximum lifetime of a TLS session.
 // https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_DEFAULT_SESSION_TIMEOUT
 // Default: 7200s
+ // +notImplementedHide
 // +optional
 SessionTimeout *gwapiv1.Duration `json:"sessionTimeout,omitempty"`
 
- // StatelessSessionResumption defines setting for stateless (session-ticket based) session resumption
- // +optional
- StatelessSessionResumption *StatelessSessionResumptionSettings `json:"statelessSessionResumption,omitempty"`
-
- // StatefulSessionResumption defines setting for stateful (session-id based) session resumption
- // +optional
- StatefulSessionResumption *StatefulSessionResumptionSettings `json:"statefulSessionResumptionSettings,omitempty"`
+ // SessionResumptionSettings determine the proxy's supported TLS session resumption option.
+ // By default, Envoy Gateway does not support session resumption. Users can enable stateful
+ // and stateless session resumption by including them in the sessionResumption list.
+ // +notImplementedHide
+ SessionResumptionSettings []SessionResumptionSettings `json:"sessionResumption,omitempty"`
 }
 
 // +kubebuilder:validation:XValidation:rule="has(self.minVersion) && self.minVersion == '1.3' ? !has(self.ciphers) : true", message="setting ciphers has no effect if the minimum possible TLS version is 1.3"
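Review bot: The new `SessionResumptionSettings` slice carries no bound or uniqueness constraint, so a policy may list the same type twice and nothing in the comment says how duplicates are treated, a state the removed one-field-per-type layout could not express. Marking it as a keyed list, `// +listType=map` and `// +listMapKey=type` above the field, lets the API server reject duplicate `type` entries (a `// +kubebuilder:validation:MaxItems=2` bound would also do). The sibling `SessionTimeout` keeps `// +optional` while the new field relies on `omitempty` alone; adding `// +optional` keeps the two consistent. ClientTLSSettings starts before this hunk.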
@@ -148,35 +147,30 @@ type ClientValidationContext struct { CACertificateRefs []gwapiv1.SecretObjectReference `json:"caCertificateRefs,omitempty"` } -// StatelessSessionResumptionSettings defines setting for stateless (session-ticket based) session resumption -// +kubebuilder:validation:XValidation:rule="(self.enabled == false && self.sessionTicketKeysRef.size() > 0)",message="sessionTicketKeysRef can only be set when enabled is true" -type StatelessSessionResumptionSettings struct { - // Enabled determines if stateless session resumption is supported. When Envoy Proxy is deployed with more than - // one replica, session ticket encryption keys are not synchronized between instances, possibly leading to resumption - // failures. Users can synchronize session ticket encryption keys be storing them in a secret and using the - // sessionTicketKeysRef option. - // Note that improper handling of session ticket encryption keys may result in loss of secrecy. - // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys - // Default: true - Enabled *bool `json:"enabled,omitempty"` - // SessionTicketKeysRef is a reference to the secret containing the keys to use for encryption and decryption - // of session tickets. The first keys is used for encryption and all keys are candidate for decryption. - // Users are responsible for securely generating, storing and rotating keys. - // If empty, each Envoy Proxy instance will use local in-memory keys. 
- // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys - // +kubebuilder:validation:MaxItems=16 - // +optional - SessionTicketKeysRef []gwapiv1.SecretObjectReference `json:"sessionTicketKeysRef,omitempty"` -} +// TLSSessionResumptionType defines the type of TLS session resumption +type TLSSessionResumptionType string -// StatefulSessionResumptionSettings defines setting for stateful (session-id based) session resumption -type StatefulSessionResumptionSettings struct { - // Enabled determines if stateful session resumption is supported. When Envoy Proxy is deployed with more than - // one replica, session caches are not synchronized between instances, possibly leading to resumption failures. - // Note that envoy does not re-validate client certificates upon session resumption. +const ( + // StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption. + // Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized + // between instances, possibly leading to resumption failures. + // Envoy does not re-validate client certificates upon session resumption. // https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions - // Default: true - // +optional - Enabled *bool `json:"enabled,omitempty"` + StatefulTLSSessionResumption TLSSessionResumptionType = "Stateful" + + // StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption. + // Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not + // synchronized between instances, possibly leading to resumption failures. + // In-memory session ticket encryption keys are rotated every 48 hours. 
+ // https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys + // https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets + StatelessTLSSessionResumption TLSSessionResumptionType = "Stateless" +) + +// SessionResumptionSettings defines supported tls session resumption methods and their associated configuration. +type SessionResumptionSettings struct { + // +kubebuilder:validation:Enum=Stateful;Stateless + // +kubebuilder:validation:Required + Type TLSSessionResumptionType `json:"type"` } diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 77fbecdfe6a..b15be406deb 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -753,15 +753,10 @@ func (in *ClientTLSSettings) DeepCopyInto(out *ClientTLSSettings) { *out = new(apisv1.Duration) **out = **in } - if in.StatelessSessionResumption != nil { - in, out := &in.StatelessSessionResumption, &out.StatelessSessionResumption - *out = new(StatelessSessionResumptionSettings) - (*in).DeepCopyInto(*out) - } - if in.StatefulSessionResumption != nil { - in, out := &in.StatefulSessionResumption, &out.StatefulSessionResumption - *out = new(StatefulSessionResumptionSettings) - (*in).DeepCopyInto(*out) + if in.SessionResumptionSettings != nil { + in, out := &in.SessionResumptionSettings, &out.SessionResumptionSettings + *out = make([]SessionResumptionSettings, len(*in)) + copy(*out, *in) } } 
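Review bot: The `Type` field of `SessionResumptionSettings` has only validation markers and no doc comment, which is why the generated reference table in this patch shows an empty description for `type`; a line such as `// Type specifies the TLS session resumption method to enable.` above the markers fixes that. Placing `// +kubebuilder:validation:Enum=Stateful;Stateless` on the `TLSSessionResumptionType` declaration instead of the field would let every future use of the type inherit the enum. The rewritten Stateless text drops the old caveat that ticket-key handling bounds the secrecy of resumed sessions; since tickets now always use in-memory keys, stating that a resumed session is only as confidential as the in-memory ticket key during its 48-hour lifetime keeps that caveat visible to operators. The note that Envoy does not re-validate client certificates on resumption appears under Stateful only; if it applies equally to Stateless, it belongs there as well.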
@@ -4814,6 +4809,21 @@ func (in *SecurityPolicySpec) DeepCopy() *SecurityPolicySpec {
 return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SessionResumptionSettings) DeepCopyInto(out *SessionResumptionSettings) {
+ *out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SessionResumptionSettings.
+func (in *SessionResumptionSettings) DeepCopy() *SessionResumptionSettings {
+ if in == nil {
+ return nil
+ }
+ out := new(SessionResumptionSettings)
+ in.DeepCopyInto(out)
+ return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ShutdownConfig) DeepCopyInto(out *ShutdownConfig) {
 *out = *in
@@ -4904,53 +4914,6 @@ func (in *SourceMatch) DeepCopy() *SourceMatch {
 return out
 }
 
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StatefulSessionResumptionSettings) DeepCopyInto(out *StatefulSessionResumptionSettings) {
- *out = *in
- if in.Enabled != nil {
- in, out := &in.Enabled, &out.Enabled
- *out = new(bool)
- **out = **in
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulSessionResumptionSettings.
-func (in *StatefulSessionResumptionSettings) DeepCopy() *StatefulSessionResumptionSettings {
- if in == nil {
- return nil
- }
- out := new(StatefulSessionResumptionSettings)
- in.DeepCopyInto(out)
- return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StatelessSessionResumptionSettings) DeepCopyInto(out *StatelessSessionResumptionSettings) {
- *out = *in
- if in.Enabled != nil {
- in, out := &in.Enabled, &out.Enabled
- *out = new(bool)
- **out = **in
- }
- if in.SessionTicketKeysRef != nil {
- in, out := &in.SessionTicketKeysRef, &out.SessionTicketKeysRef
- *out = make([]apisv1.SecretObjectReference, len(*in))
- for i := range *in {
- (*in)[i].DeepCopyInto(&(*out)[i])
- }
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatelessSessionResumptionSettings.
-func (in *StatelessSessionResumptionSettings) DeepCopy() *StatelessSessionResumptionSettings {
- if in == nil {
- return nil
- }
- out := new(StatelessSessionResumptionSettings)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StringMatch) DeepCopyInto(out *StringMatch) {
 *out = *in
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml index 3d0948f9950..7205f4266e6 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml @@ -808,6 +808,26 @@ spec: - "1.2" - "1.3" type: string + sessionResumption: + description: |- + SessionResumptionSettings determine the proxy's supported TLS session resumption option. + By default, Envoy Gateway does not support session resumption. Users can enable stateful + and stateless session resumption by including them in the sessionResumption list. + items: + description: SessionResumptionSettings defines supported tls + session resumption methods and their associated configuration. + properties: + type: + description: TLSSessionResumptionType defines the type of + TLS session resumption + enum: + - Stateful + - Stateless + type: string + required: + - type + type: object + type: array sessionTimeout: description: |- SessionTimeout determines the maximum lifetime of a TLS session. 
@@ -822,99 +842,6 @@ spec: items: type: string type: array - statefulSessionResumptionSettings: - description: StatefulSessionResumption defines setting for stateful - (session-id based) session resumption - properties: - enabled: - description: |- - Enabled determines if stateful session resumption is supported. When Envoy Proxy is deployed with more than - one replica, session caches are not synchronized between instances, possibly leading to resumption failures. - Note that envoy does not re-validate client certificates upon session resumption. - https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions - Default: true - type: boolean - type: object - statelessSessionResumption: - description: StatelessSessionResumption defines setting for stateless - (session-ticket based) session resumption - properties: - enabled: - description: |- - Enabled determines if stateless session resumption is supported. When Envoy Proxy is deployed with more than - one replica, session ticket encryption keys are not synchronized between instances, possibly leading to resumption - failures. Users can synchronize session ticket encryption keys be storing them in a secret and using the - sessionTicketKeysRef option. - Note that improper handling of session ticket encryption keys may result in loss of secrecy. - https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys - Default: true - type: boolean - sessionTicketKeysRef: - description: |- - SessionTicketKeysRef is a reference to the secret containing the keys to use for encryption and decryption - of session tickets. The first keys is used for encryption and all keys are candidate for decryption. - Users are responsible for securely generating, storing and rotating keys. - If empty, each Envoy Proxy instance will use local in-memory keys. 
- https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys - items: - description: |- - SecretObjectReference identifies an API object including its namespace, - defaulting to Secret. - - The API object must be valid in the cluster; the Group and Kind must - be registered in the cluster for this reference to be valid. - - References to objects with invalid Group and Kind are not valid, and must - be rejected by the implementation, with appropriate Conditions set - on the containing object. - properties: - group: - default: "" - description: |- - Group is the group of the referent. For example, "gateway.networking.k8s.io". - When unspecified or empty string, core API group is inferred. - maxLength: 253 - pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ - type: string - kind: - default: Secret - description: Kind is kind of the referent. For example - "Secret". - maxLength: 63 - minLength: 1 - pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ - type: string - name: - description: Name is the name of the referent. - maxLength: 253 - minLength: 1 - type: string - namespace: - description: |- - Namespace is the namespace of the referenced object. When unspecified, the local - namespace is inferred. - - Note that when a namespace different than the local namespace is specified, - a ReferenceGrant object is required in the referent namespace to allow that - namespace's owner to accept the reference. See the ReferenceGrant - documentation for details. 
- - Support: Core - maxLength: 63 - minLength: 1 - pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ - type: string - required: - - name - type: object - maxItems: 16 - type: array - type: object - x-kubernetes-validations: - - message: sessionTicketKeysRef can only be set when enabled is - true - rule: (self.enabled == false && self.sessionTicketKeysRef.size() - > 0) type: object x-kubernetes-validations: - message: setting ciphers has no effect if the minimum possible TLS diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 0db802fdea1..5acd13464a4 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -610,9 +610,6 @@ _Appears in:_ | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | | `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | -| `sessionTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | SessionTimeout determines the maximum lifetime of a TLS session.
https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_DEFAULT_SESSION_TIMEOUT
Default: 7200s | -| `statelessSessionResumption` | _[StatelessSessionResumptionSettings](#statelesssessionresumptionsettings)_ | false | StatelessSessionResumption defines setting for stateless (session-ticket based) session resumption | -| `statefulSessionResumptionSettings` | _[StatefulSessionResumptionSettings](#statefulsessionresumptionsettings)_ | false | StatefulSessionResumption defines setting for stateful (session-id based) session resumption | #### ClientTimeout @@ -3575,6 +3572,20 @@ _Appears in:_ | `NodePort` | ServiceTypeNodePort means a service will be exposed on each Kubernetes Node
at a static Port, common across all Nodes.
| +#### SessionResumptionSettings + + + +SessionResumptionSettings defines supported tls session resumption methods and their associated configuration. + +_Appears in:_ +- [ClientTLSSettings](#clienttlssettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[TLSSessionResumptionType](#tlssessionresumptiontype)_ | true | | + + #### ShutdownConfig @@ -3635,35 +3646,6 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| -#### StatefulSessionResumptionSettings - - - -StatefulSessionResumptionSettings defines setting for stateful (session-id based) session resumption - -_Appears in:_ -- [ClientTLSSettings](#clienttlssettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enabled` | _boolean_ | false | Enabled determines if stateful session resumption is supported. When Envoy Proxy is deployed with more than
one replica, session caches are not synchronized between instances, possibly leading to resumption failures.
Note that envoy does not re-validate client certificates upon session resumption.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions
Default: true | - - -#### StatelessSessionResumptionSettings - - - -StatelessSessionResumptionSettings defines setting for stateless (session-ticket based) session resumption - -_Appears in:_ -- [ClientTLSSettings](#clienttlssettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enabled` | _boolean_ | true | Enabled determines if stateless session resumption is supported. When Envoy Proxy is deployed with more than
one replica, session ticket encryption keys are not synchronized between instances, possibly leading to resumption
failures. Users can synchronize session ticket encryption keys be storing them in a secret and using the
sessionTicketKeysRef option.
Note that improper handling of session ticket encryption keys may result in loss of secrecy.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
Default: true | -| `sessionTicketKeysRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | SessionTicketKeysRef is a reference to the secret containing the keys to use for encryption and decryption
of session tickets. The first keys is used for encryption and all keys are candidate for decryption.
Users are responsible for securely generating, storing and rotating keys.
If empty, each Envoy Proxy instance will use local in-memory keys.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys | - - #### StringMatch @@ -3744,6 +3726,21 @@ _Appears in:_ | `connectTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | +#### TLSSessionResumptionType + +_Underlying type:_ _string_ + +TLSSessionResumptionType defines the type of TLS session resumption + +_Appears in:_ +- [SessionResumptionSettings](#sessionresumptionsettings) + +| Value | Description | +| ----- | ----------- | +| `Stateful` | StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption.
Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized
between instances, possibly leading to resumption failures.
Envoy does not re-validate client certificates upon session resumption.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions
| +| `Stateless` | StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption.
Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not
synchronized between instances, possibly leading to resumption failures.
In-memory session ticket encryption keys are rotated every 48 hours.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets
| + + #### TLSSettings diff --git a/site/content/zh/latest/api/extension_types.md b/site/content/zh/latest/api/extension_types.md index 0db802fdea1..5acd13464a4 100644 --- a/site/content/zh/latest/api/extension_types.md +++ b/site/content/zh/latest/api/extension_types.md @@ -610,9 +610,6 @@ _Appears in:_ | `ecdhCurves` | _string array_ | false | ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are:
- X25519
- P-256
In builds using BoringSSL FIPS the default curve is:
- P-256 | | `signatureAlgorithms` | _string array_ | false | SignatureAlgorithms specifies which signature algorithms the listener should
support. | | `alpnProtocols` | _[ALPNProtocol](#alpnprotocol) array_ | false | ALPNProtocols supplies the list of ALPN protocols that should be
exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are:
- http/1.0
- http/1.1
- h2 | -| `sessionTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | SessionTimeout determines the maximum lifetime of a TLS session.
https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#SSL_DEFAULT_SESSION_TIMEOUT
Default: 7200s | -| `statelessSessionResumption` | _[StatelessSessionResumptionSettings](#statelesssessionresumptionsettings)_ | false | StatelessSessionResumption defines setting for stateless (session-ticket based) session resumption | -| `statefulSessionResumptionSettings` | _[StatefulSessionResumptionSettings](#statefulsessionresumptionsettings)_ | false | StatefulSessionResumption defines setting for stateful (session-id based) session resumption | #### ClientTimeout @@ -3575,6 +3572,20 @@ _Appears in:_ | `NodePort` | ServiceTypeNodePort means a service will be exposed on each Kubernetes Node
at a static Port, common across all Nodes.
| +#### SessionResumptionSettings + + + +SessionResumptionSettings defines supported tls session resumption methods and their associated configuration. + +_Appears in:_ +- [ClientTLSSettings](#clienttlssettings) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `type` | _[TLSSessionResumptionType](#tlssessionresumptiontype)_ | true | | + + #### ShutdownConfig @@ -3635,35 +3646,6 @@ _Appears in:_ | `Distinct` | SourceMatchDistinct Each IP Address within the specified Source IP CIDR is treated as a distinct client selector
and uses a separate rate limit bucket/counter.
Note: This is only supported for Global Rate Limits.
| -#### StatefulSessionResumptionSettings - - - -StatefulSessionResumptionSettings defines setting for stateful (session-id based) session resumption - -_Appears in:_ -- [ClientTLSSettings](#clienttlssettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enabled` | _boolean_ | false | Enabled determines if stateful session resumption is supported. When Envoy Proxy is deployed with more than
one replica, session caches are not synchronized between instances, possibly leading to resumption failures.
Note that envoy does not re-validate client certificates upon session resumption.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions
Default: true | - - -#### StatelessSessionResumptionSettings - - - -StatelessSessionResumptionSettings defines setting for stateless (session-ticket based) session resumption - -_Appears in:_ -- [ClientTLSSettings](#clienttlssettings) - -| Field | Type | Required | Description | -| --- | --- | --- | --- | -| `enabled` | _boolean_ | true | Enabled determines if stateless session resumption is supported. When Envoy Proxy is deployed with more than
one replica, session ticket encryption keys are not synchronized between instances, possibly leading to resumption
failures. Users can synchronize session ticket encryption keys be storing them in a secret and using the
sessionTicketKeysRef option.
Note that improper handling of session ticket encryption keys may result in loss of secrecy.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
Default: true | -| `sessionTicketKeysRef` | _[SecretObjectReference](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io/v1.SecretObjectReference) array_ | false | SessionTicketKeysRef is a reference to the secret containing the keys to use for encryption and decryption
of session tickets. The first keys is used for encryption and all keys are candidate for decryption.
Users are responsible for securely generating, storing and rotating keys.
If empty, each Envoy Proxy instance will use local in-memory keys.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys | - - #### StringMatch @@ -3744,6 +3726,21 @@ _Appears in:_ | `connectTimeout` | _[Duration](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Duration)_ | false | The timeout for network connection establishment, including TCP and TLS handshakes.
Default: 10 seconds. | +#### TLSSessionResumptionType + +_Underlying type:_ _string_ + +TLSSessionResumptionType defines the type of TLS session resumption + +_Appears in:_ +- [SessionResumptionSettings](#sessionresumptionsettings) + +| Value | Description | +| ----- | ----------- | +| `Stateful` | StatefulTLSSessionResumption defines the stateful (session-id based) type of TLS session resumption.
Note: When Envoy Proxy is deployed with more than one replica, session caches are not synchronized
between instances, possibly leading to resumption failures.
Envoy does not re-validate client certificates upon session resumption.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-routematch-tlscontextmatchoptions
| +| `Stateless` | StatelessTLSSessionResumption defines the stateless (session-ticket based) type of TLS session resumption.
Note: When Envoy Proxy is deployed with more than one replica, session ticket encryption keys are not
synchronized between instances, possibly leading to resumption failures.
In-memory session ticket encryption keys are rotated every 48 hours.
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto#extensions-transport-sockets-tls-v3-tlssessionticketkeys
https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Session-tickets
| + + #### TLSSettings