Resource: ServerTlsPolicy
ServerTlsPolicy is a resource that specifies how a server should authenticate incoming requests. This resource itself does not affect configuration unless it is attached to a target HTTPS proxy or endpoint config selector resource.
ServerTlsPolicy in the form accepted by external HTTPS load balancers can be attached only to TargetHttpsProxy with an EXTERNAL
or EXTERNAL_MANAGED
load balancing scheme. Traffic Director compatible ServerTlsPolicies can be attached to EndpointPolicy and TargetHttpsProxy with Traffic Director INTERNAL_SELF_MANAGED
load balancing scheme.
JSON representation |
---|
{ "name": string, "description": string, "createTime": string, "updateTime": string, "labels": { string: string, ... }, "allowOpen": boolean, "serverCertificate": { object ( |
Fields | |
---|---|
name |
Required. Name of the ServerTlsPolicy resource. It matches the pattern |
description |
Free-text description of the resource. |
createTime |
Output only. The timestamp when the resource was created. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
updateTime |
Output only. The timestamp when the resource was updated. A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
labels |
Set of label tags associated with the resource. An object containing a list of |
allowOpen |
This field applies only for Traffic Director policies. It is must be set to false for external HTTPS load balancer policies. Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if Consider using it if you wish to upgrade in place your deployment to TLS while having mixed TLS and non-TLS traffic reaching port :80. |
serverCertificate |
Optional if policy is to be used with Traffic Director. For external HTTPS load balancer must be empty. Defines a mechanism to provision server identity (public and private keys). Cannot be combined with |
mtlsPolicy |
This field is required if the policy is used with external HTTPS load balancers. This field can be empty for Traffic Director. Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If |
internalCaller |
Optional. A flag set to identify internal controllers Setting this will trigger a P4SA check to validate the caller is from an allowlisted service's P4SA even if other optional fields are unset. |
minTlsVersion |
Optional. TLS min version used only for Envoy. If not specified, Envoy will use default version. Envoy latest: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto |
maxTlsVersion |
Optional. TLS max version used only for Envoy. If not specified, Envoy will use default version. Envoy latest: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto |
cipherSuites[] |
Optional. TLS custom cipher suites used only in CSM. Following ciphers are supported: ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA DES-CBC3-SHA |
subjectAltNames[] |
Optional. Server side validation for client SAN, only used in CSM. If not specified, the client SAN will not be checked by the server. |
MTLSPolicy
Specification of the MTLSPolicy.
JSON representation |
---|
{ "clientValidationMode": enum ( |
Fields | |
---|---|
clientValidationMode |
When the client presents an invalid certificate or no certificate to the load balancer, the Required if the policy is to be used with the external HTTPS load balancing. For Traffic Director it must be empty. |
clientValidationCa[] |
Required if the policy is to be used with Traffic Director. For external HTTPS load balancers it must be empty. Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate. |
clientValidationTrustConfig |
Reference to the TrustConfig from certificatemanager.googleapis.com namespace. If specified, the chain validation will be performed against certificates configured in the given TrustConfig. Allowed only if the policy is to be used with external HTTPS load balancers. |
tier |
Mutual TLS tier. Allowed only if the policy is to be used with external HTTPS load balancers. |
ClientValidationMode
Mutual TLS certificate validation mode.
Enums | |
---|---|
CLIENT_VALIDATION_MODE_UNSPECIFIED |
Not allowed. |
ALLOW_INVALID_OR_MISSING_CLIENT_CERT |
Allow connection even if certificate chain validation of the client certificate failed or no client certificate was presented. The proof of possession of the private key is always checked if client certificate was presented. This mode requires the backend to implement processing of data extracted from a client certificate to authenticate the peer, or to reject connections if the client certificate fingerprint is missing. |
REJECT_INVALID |
Require a client certificate and allow connection to the backend only if validation of the client certificate passed. If set, requires a reference to non-empty TrustConfig specified in |
Tier
Mutual TLS tier for XLB.
Enums | |
---|---|
TIER_UNSPECIFIED |
If tier is unspecified in the request, the system will choose a default value - STANDARD tier at present. |
STANDARD |
Default Tier. Primarily for Software Providers (service to service/API communication). |
ADVANCED |
Advanced Tier. For customers in strongly regulated environments, specifying longer keys, complex certificate chains. |
TlsVersion
TLS version for CSM Gateway TLS version setting.
Enums | |
---|---|
TLS_VERSION_UNSPECIFIED |
|
TLS_V1_0 |
|
TLS_V1_1 |
|
TLS_V1_2 |
|
TLS_V1_3 |
Methods |
|
---|---|
|
Creates a new ServerTlsPolicy in a given project and location. |
|
Deletes a single ServerTlsPolicy. |
|
Gets details of a single ServerTlsPolicy. |
|
Gets the access control policy for a resource. |
|
Lists ServerTlsPolicies in a given project and location. |
|
Updates the parameters of a single ServerTlsPolicy. |
|
Sets the access control policy on the specified resource. |
|
Returns permissions that a caller has on the specified resource. |