docs: fix TLSSettings format (envoyproxy#2428)
Signed-off-by: Ardika Bagus <me@ardikabs.com>
ardikabs authored Jan 10, 2024
1 parent e1f745f commit c9d5e33
Showing 3 changed files with 22 additions and 33 deletions.
8 changes: 2 additions & 6 deletions api/v1alpha1/tls_types.go
Expand Up @@ -10,26 +10,24 @@ package v1alpha1
type TLSSettings struct {

// Min specifies the minimal TLS protocol version to allow.
//
// The default is TLS 1.2 if this is not specified.
//
// +optional
MinVersion *TLSVersion `json:"minVersion,omitempty"`

// Max specifies the maximal TLS protocol version to allow
//
// The default is TLS 1.3 if this is not specified.
//
// +optional
MaxVersion *TLSVersion `json:"maxVersion,omitempty"`

// Ciphers specifies the set of cipher suites supported when
// negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
//
// In non-FIPS Envoy Proxy builds the default cipher list is:
// - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
// - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
// - ECDHE-ECDSA-AES256-GCM-SHA384
// - ECDHE-RSA-AES256-GCM-SHA384
//
// In builds using BoringSSL FIPS the default cipher list is:
// - ECDHE-ECDSA-AES128-GCM-SHA256
// - ECDHE-RSA-AES128-GCM-SHA256
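Review bot: the Max comment at `// Max specifies the maximal TLS protocol version to allow` has no terminating period, so once the blank `//` separator below it is removed the generated text reads `allow The default is TLS 1.3 if this is not specified.` (visible in the CRD and markdown hunks further down); end that line with a period, matching the Min comment. Dropping the separators does remove the stray `\n` escapes from the generated descriptions, but it also collapses the default cipher list into a single run-on `- A - B` line, so the bullet markers no longer help a reader pick out individual suites; the alternation groups such as `[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]` are particularly hard to read inline, so consider a separator that the generator preserves.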
Expand All @@ -43,7 +41,6 @@ type TLSSettings struct {
// In non-FIPS Envoy Proxy builds the default curves are:
// - X25519
// - P-256
//
// In builds using BoringSSL FIPS the default curve is:
// - P-256
//
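Review bot: same punctuation issue for the curves list: `// - P-256` is the last bullet before `// In builds using BoringSSL FIPS the default curve is:` and nothing terminates it, so the flattened description becomes `- P-256 In builds using BoringSSL FIPS ...`, which blurs the boundary between the non-FIPS and FIPS defaults. A period after the last bullet of each list would keep the two build variants distinguishable in the generated text.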
Expand All @@ -58,7 +55,6 @@ type TLSSettings struct {

// ALPNProtocols supplies the list of ALPN protocols that should be
// exposed by the listener. By default h2 and http/1.1 are enabled.
//
// Supported values are:
// - http/1.0
// - http/1.1
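Review bot: this hunk reads correctly after the change because `By default h2 and http/1.1 are enabled.` ends with a period, so the merged text `are enabled. Supported values are: - http/1.0 - http/1.1 - h2` keeps its sentence boundary; the Max and ECDHCurves comments above should follow the same pattern.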
Expand Up @@ -162,10 +162,9 @@ spec:
the downstream client.
properties:
alpnProtocols:
description: "ALPNProtocols supplies the list of ALPN protocols
description: 'ALPNProtocols supplies the list of ALPN protocols
that should be exposed by the listener. By default h2 and http/1.1
are enabled. \n Supported values are: - http/1.0 - http/1.1
- h2"
are enabled. Supported values are: - http/1.0 - http/1.1 - h2'
items:
description: ALPNProtocol specifies the protocol to be negotiated
using ALPN
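Review bot: the switch from a double-quoted string with `\n` escapes to a single-quoted one looks like generator output rather than a hand edit; confirm the CRD was regenerated from `tls_types.go` with the repository's generation tooling so the schema description and the Go comment cannot drift apart.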
Expand All @@ -176,29 +175,29 @@ spec:
type: string
type: array
ciphers:
description: "Ciphers specifies the set of cipher suites supported
description: 'Ciphers specifies the set of cipher suites supported
when negotiating TLS 1.0 - 1.2. This setting has no effect for
TLS 1.3. \n In non-FIPS Envoy Proxy builds the default cipher
list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
TLS 1.3. In non-FIPS Envoy Proxy builds the default cipher list
is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
- [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
- ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
\n In builds using BoringSSL FIPS the default cipher list is:
- ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384"
In builds using BoringSSL FIPS the default cipher list is: -
ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384'
items:
type: string
type: array
ecdhCurves:
description: "ECDHCurves specifies the set of supported ECDH curves.
description: 'ECDHCurves specifies the set of supported ECDH curves.
In non-FIPS Envoy Proxy builds the default curves are: - X25519
- P-256 \n In builds using BoringSSL FIPS the default curve
is: - P-256"
- P-256 In builds using BoringSSL FIPS the default curve is:
- P-256'
items:
type: string
type: array
maxVersion:
description: "Max specifies the maximal TLS protocol version to
allow \n The default is TLS 1.3 if this is not specified."
description: Max specifies the maximal TLS protocol version to
allow The default is TLS 1.3 if this is not specified.
enum:
- Auto
- "1.0"
Expand All @@ -207,8 +206,8 @@ spec:
- "1.3"
type: string
minVersion:
description: "Min specifies the minimal TLS protocol version to
allow. \n The default is TLS 1.2 if this is not specified."
description: Min specifies the minimal TLS protocol version to
allow. The default is TLS 1.2 if this is not specified.
enum:
- Auto
- "1.0"
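Review bot: the `maxVersion` description now reads `allow The default is TLS 1.3 if this is not specified.`, a run-on sentence that users will see whenever they inspect the CRD schema; the `ciphers` and `ecdhCurves` descriptions have the same flattening (`- P-256 In builds using BoringSSL FIPS the default curve is:`). Since this file is generated, the fix belongs in the source comments in `tls_types.go` (a terminating period after `allow` and after the last bullet of each list), followed by regeneration, not an edit here.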
16 changes: 5 additions & 11 deletions site/content/en/latest/api/extension_types.md
Expand Up @@ -2010,18 +2010,12 @@ _Appears in:_

| Field | Description |
| --- | --- |
| `minVersion` _[TLSVersion](#tlsversion)_ | Min specifies the minimal TLS protocol version to allow.
The default is TLS 1.2 if this is not specified. |
| `maxVersion` _[TLSVersion](#tlsversion)_ | Max specifies the maximal TLS protocol version to allow
The default is TLS 1.3 if this is not specified. |
| `ciphers` _string array_ | Ciphers specifies the set of cipher suites supported when negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3.
In non-FIPS Envoy Proxy builds the default cipher list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384
In builds using BoringSSL FIPS the default cipher list is: - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 |
| `ecdhCurves` _string array_ | ECDHCurves specifies the set of supported ECDH curves. In non-FIPS Envoy Proxy builds the default curves are: - X25519 - P-256
In builds using BoringSSL FIPS the default curve is: - P-256 |
| `minVersion` _[TLSVersion](#tlsversion)_ | Min specifies the minimal TLS protocol version to allow. The default is TLS 1.2 if this is not specified. |
| `maxVersion` _[TLSVersion](#tlsversion)_ | Max specifies the maximal TLS protocol version to allow The default is TLS 1.3 if this is not specified. |
| `ciphers` _string array_ | Ciphers specifies the set of cipher suites supported when negotiating TLS 1.0 - 1.2. This setting has no effect for TLS 1.3. In non-FIPS Envoy Proxy builds the default cipher list is: - [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 In builds using BoringSSL FIPS the default cipher list is: - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 |
| `ecdhCurves` _string array_ | ECDHCurves specifies the set of supported ECDH curves. In non-FIPS Envoy Proxy builds the default curves are: - X25519 - P-256 In builds using BoringSSL FIPS the default curve is: - P-256 |
| `signatureAlgorithms` _string array_ | SignatureAlgorithms specifies which signature algorithms the listener should support. |
| `alpnProtocols` _[ALPNProtocol](#alpnprotocol) array_ | ALPNProtocols supplies the list of ALPN protocols that should be exposed by the listener. By default h2 and http/1.1 are enabled.
Supported values are: - http/1.0 - http/1.1 - h2 |
| `alpnProtocols` _[ALPNProtocol](#alpnprotocol) array_ | ALPNProtocols supplies the list of ALPN protocols that should be exposed by the listener. By default h2 and http/1.1 are enabled. Supported values are: - http/1.0 - http/1.1 - h2 |


#### TLSVersion
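Review bot: collapsing each row onto one line is the substantive fix here: a Markdown table cell cannot span lines, so the old multi-line descriptions broke the table after the `minVersion` row. The `maxVersion` row still carries the `allow The default is TLS 1.3` run-on and the cipher and curve lists now appear as inline `- A - B` text; both come straight from the Go doc comments, so they should be corrected at the source and this file regenerated.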