certificate.tls

Simplest configuration:

[certificate#0]
type = tls

svcmgr -s <svcname> set --kw certificate#0.type=tls

certificate_chain_filename

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

Local filesystem data source of the TLS certificate chain.

certificate_chain_inline_string

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

Inline string data source of the TLS certificate chain.

certificate_secret

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

The name of the secret object hosting the certificate files. The secret must have the certificate_chain and server_key keys set. With this setting, the certificate is served to Envoy via the secret discovery service, which allows its live rotation.

private_key_filename

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

Local filesystem data source of the TLS private key.

private_key_inline_string

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

Inline string data source of the TLS private key, for example a reference to a secret.

validation_secret

scopable True
required False
provisioning False
default None
inheritance leaf > head
scope order specific > generic

The name of the secret object hosting the certificate authority files used to validate certificate_secret. The secret must have the trusted_ca and verify_certificate_hash keys set. With this setting, the validation data is served to Envoy via the secret discovery service, which allows live certificate rotation.
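
A pre-deployment check of the keyword rules described above, as an added example that is not part of the original page or of the project's code. The secret names, file path and secret inventory are constructed, and the keyword@scope form of scoped keywords is an assumption.

```python
import configparser

# Keys the page says each referenced secret must have set.
REQUIRED_KEYS = {
    "certificate_secret": {"certificate_chain", "server_key"},
    "validation_secret": {"trusted_ca", "verify_certificate_hash"},
}

# Constructed sample config and secret inventory (names and paths are made up).
SAMPLE_CONFIG = """
[certificate#0]
type = tls
certificate_secret = web-cert
validation_secret = web-ca

[certificate#1]
type = tls
certificate_chain_filename = /etc/ssl/web/chain.pem
private_key_inline_string = -----BEGIN PRIVATE KEY----- constructed placeholder
"""
SAMPLE_SECRETS = {"web-cert": {"certificate_chain", "server_key"}, "web-ca": {"trusted_ca"}}

def lint_tls_certificates(config_text, secrets):
    """Return (section, message) findings; `secrets` maps secret name -> set of keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("certificate#") or cp[section].get("type") != "tls":
            continue
        # Assumption: scoped keywords are written keyword@scope; fold them together.
        kws = {k.split("@")[0]: v for k, v in cp[section].items()}
        for kw, required in REQUIRED_KEYS.items():
            name = kws.get(kw)
            if name is None:
                continue
            missing = sorted(required - secrets.get(name, set()))
            if name not in secrets:
                findings.append((section, f"{kw}: secret {name!r} not found"))
            elif missing:
                findings.append((section, f"{kw}: secret {name!r} lacks {', '.join(missing)}"))
        if "certificate_secret" not in kws:
            findings.append((section, "no certificate_secret: no live rotation via SDS"))
        if "PRIVATE KEY-----" in kws.get("private_key_inline_string", ""):
            findings.append((section, "private_key_inline_string holds literal key material"))
    return findings

if __name__ == "__main__":
    for section, message in lint_tls_certificates(SAMPLE_CONFIG, SAMPLE_SECRETS):
        print(f"[{section}] {message}")
```
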

comment

scopable False
required False
provisioning False
default  
inheritance leaf > head
scope order specific > generic

Helps users understand the role of the service and its resources, which is useful to on-call support staff who have to operate on a service they are not usually responsible for.