certificate.tls

Simplest configuration:

[certificate#0]
type = tls

svcmgr -s <svcname> set --kw certificate#0.type=tls

certificate_chain_filename

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

Local filesystem data source of the TLS certificate chain.

certificate_chain_inline_string

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

Inline string data source of the TLS certificate chain.

certificate_secret

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

The name of the secret object hosting the certificate files. The secret must have the certificate_chain and server_key keys set. With this setting, the certificate is served to envoy via the secret discovery service, which allows its live rotation.

private_key_filename

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

Local filesystem data source of the TLS private key.

private_key_inline_string

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

Inline string data source of the TLS private key, for example a reference to a secret.

validation_secret

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

The name of the secret object hosting the certificate authority files for certificate_secret validation. The secret must have the trusted_ca and verify_certificate_hash keys set. With this setting, the validation data is served to envoy via the secret discovery service, which allows live certificate rotation.
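
A pre-deployment check for the key requirements stated under certificate_secret and validation_secret, as an added example that is not part of the OpenSVC code base. It also flags a literal PEM private key placed in private_key_inline_string. The function name, the secret inventory (secret name mapped to the key names it holds) and the sample values are assumptions made for illustration.

```python
import configparser
import re

# Keys each secret must carry, per the keyword descriptions above.
REQUIRED_KEYS = {
    "certificate_secret": {"certificate_chain", "server_key"},
    "validation_secret": {"trusted_ca", "verify_certificate_hash"},
}
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def lint_tls_certificates(config_text, secrets):
    """Return sorted (section, keyword, problem) tuples for type=tls sections."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    findings = []
    for section in cfg.sections():
        is_cert = section.startswith("certificate#")
        if not is_cert or cfg.get(section, "type", fallback="") != "tls":
            continue
        for kw, required in REQUIRED_KEYS.items():
            name = cfg.get(section, kw, fallback=None)
            if name is None:
                continue
            if name not in secrets:
                findings.append((section, kw, f"secret {name!r} not found"))
                continue
            missing = sorted(required - secrets[name])
            if missing:
                findings.append((section, kw, "missing keys: " + ", ".join(missing)))
        inline = cfg.get(section, "private_key_inline_string", fallback="")
        if PEM_KEY.search(inline):
            findings.append((section, "private_key_inline_string",
                             "literal PEM private key in the configuration"))
    return sorted(findings)

# Constructed sample input (hypothetical names): configuration and secret inventory.
SAMPLE_CONFIG = """
[certificate#0]
type = tls
certificate_secret = websec
validation_secret = casec
[certificate#1]
type = tls
private_key_inline_string = -----BEGIN PRIVATE KEY----- (constructed placeholder)
"""
SAMPLE_SECRETS = {"websec": {"certificate_chain", "server_key"}, "casec": {"trusted_ca"}}

if __name__ == "__main__":
    print(*lint_tls_certificates(SAMPLE_CONFIG, SAMPLE_SECRETS), sep="\n")
```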