certificate.tls

Simplest configuration:

[certificate#0]
type = tls

Equivalent command line:

svcmgr -s <svcname> set --kw certificate#0.type=tls

certificate_chain_filename

  scopable:      True
  required:      False
  provisioning:  False
  default:       None
  inheritance:   leaf > head
  scope order:   specific > generic

Local filesystem data source of the TLS certificate chain.

certificate_chain_inline_string

  scopable:      True
  required:      False
  provisioning:  False
  default:       None
  inheritance:   leaf > head
  scope order:   specific > generic

Inline string data source of the TLS certificate chain.

certificate_secret

  scopable:      True
  required:      False
  provisioning:  False
  default:       None
  inheritance:   leaf > head
  scope order:   specific > generic

The name of the secret object hosting the certificate files. The secret must have the certificate_chain and server_key keys set. With this setting the certificate is served to envoy through the secret discovery service (SDS), which allows live rotation of the certificate.

private_key_filename

  scopable:      True
  required:      False
  provisioning:  False
  default:       None
  inheritance:   leaf > head
  scope order:   specific > generic

Local filesystem data source of the TLS private key.

private_key_inline_string

  scopable:      True
  required:      False
  provisioning:  False
  default:       None
  inheritance:   leaf > head
  scope order:   specific > generic

Inline string data source of the TLS private key, for example a reference to a secret. Inlining the key material itself writes it into the service configuration; referencing a secret (or using certificate_secret) keeps the key out of the configuration file.

validation_secret

  scopable:      True
  required:      False
  provisioning:  False
  default:       None
  inheritance:   leaf > head
  scope order:   specific > generic

The name of the secret object hosting the certificate authority files used to validate certificate_secret. The secret must have the trusted_ca and verify_certificate_hash keys set. With this setting the validation data is served to envoy through the secret discovery service (SDS), which allows live rotation of certificates.
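The keywords above give three data sources for the chain and the key (file, inline string, secret object) and list the keys that certificate_secret and validation_secret expect in their secrets. The following pre-flight checker, an added example and not OpenSVC's own code, parses an ini-style service config like the "Simplest configuration" above, checks every tls certificate section for a consistent choice of sources, flags a private key inlined in the config, and checks that each referenced secret carries the required keys with well-formed PEM content. The config text, the secret contents and the secret names (web-tls, web-ca, half-done) are constructed placeholders; the PEM bodies are not real certificates or keys. Two assumptions are made that the page does not state: that configuring more than one source for the same item is a mistake, and that verify_certificate_hash is the hex SHA-256 of the DER certificate that Envoy expects.

```python
"""Pre-flight checker for OpenSVC certificate.tls sections (added example, not OpenSVC code)."""
import base64
import configparser
import re

# Keys each keyword requires in the secret it references (from the keyword descriptions).
REQUIRED_SECRET_KEYS = {
    "certificate_secret": ("certificate_chain", "server_key"),
    "validation_secret": ("trusted_ca", "verify_certificate_hash"),
}
CHAIN_SOURCES = ("certificate_chain_filename", "certificate_chain_inline_string", "certificate_secret")
KEY_SOURCES = ("private_key_filename", "private_key_inline_string", "certificate_secret")

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# Assumption: hex SHA-256 of the DER certificate, colon separators optional (Envoy's format).
CERT_HASH = re.compile(r"^(?:[0-9a-fA-F]{2}:?){32}$")


def pem_labels(text):
    """Return the labels of the PEM blocks in text; raise ValueError if a body is not base64."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)  # binascii.Error is a ValueError
        labels.append(label)
    return labels


def check_secret(name, kw, data, problems):
    """Append problems if secret `data` (key -> content) lacks what keyword `kw` needs."""
    missing = [k for k in REQUIRED_SECRET_KEYS[kw] if k not in data]
    if missing:
        problems.append(f"{name}: secret for {kw} is missing keys {missing}")
        return
    if kw == "certificate_secret":
        if "CERTIFICATE" not in pem_labels(data["certificate_chain"]):
            problems.append(f"{name}: certificate_chain holds no CERTIFICATE block")
        if not any(lbl.endswith("PRIVATE KEY") for lbl in pem_labels(data["server_key"])):
            problems.append(f"{name}: server_key holds no PRIVATE KEY block")
    else:
        if "CERTIFICATE" not in pem_labels(data["trusted_ca"]):
            problems.append(f"{name}: trusted_ca holds no CERTIFICATE block")
        if not CERT_HASH.match(data["verify_certificate_hash"].strip()):
            problems.append(f"{name}: verify_certificate_hash is not a hex SHA-256")


def check_section(name, sec, secrets):
    """Return the problems found in one certificate#N section (empty list means OK)."""
    problems = []
    chain = [k for k in CHAIN_SOURCES if sec.get(k)]
    key = [k for k in KEY_SOURCES if sec.get(k)]
    # Assumption: exactly one source per item; the page does not define precedence on overlap.
    if len(chain) != 1:
        problems.append(f"{name}: expected one certificate chain source, got {chain}")
    if len(key) != 1:
        problems.append(f"{name}: expected one private key source, got {key}")
    if "PRIVATE KEY" in sec.get("private_key_inline_string", ""):
        # The key would then live in the service config file itself.
        problems.append(f"{name}: private_key_inline_string embeds raw key material; reference a secret instead")
    if sec.get("validation_secret") and not sec.get("certificate_secret"):
        problems.append(f"{name}: validation_secret only applies together with certificate_secret")
    for kw in REQUIRED_SECRET_KEYS:
        ref = sec.get(kw)
        if not ref:
            continue
        if ref not in secrets:
            problems.append(f"{name}: {kw} references unknown secret {ref!r}")
        else:
            check_secret(name, kw, secrets[ref], problems)
    return problems


def check_config(text, secrets):
    """Parse an ini-style service config and check every [certificate#N] section of type tls."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return {s: check_section(s, cfg[s], secrets)
            for s in cfg.sections() if s.startswith("certificate#") and cfg[s].get("type") == "tls"}


def placeholder_pem(label, payload):
    """Wrap constructed bytes in a syntactically valid PEM block (not real key material)."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"


# Constructed stand-ins for the contents of the referenced secret objects.
SECRETS = {
    "web-tls": {"certificate_chain": placeholder_pem("CERTIFICATE", b"leaf") + placeholder_pem("CERTIFICATE", b"intermediate"),
                "server_key": placeholder_pem("PRIVATE KEY", b"server-key")},
    "web-ca": {"trusted_ca": placeholder_pem("CERTIFICATE", b"ca"), "verify_certificate_hash": "ab" * 32},
    "half-done": {"certificate_chain": placeholder_pem("CERTIFICATE", b"leaf")},  # server_key forgotten
}

# Constructed config: #0 uses secrets (rotatable via SDS), #1 inlines a key, #2 points at an incomplete secret.
CONFIG = """
[certificate#0]
type = tls
certificate_secret = web-tls
validation_secret = web-ca

[certificate#1]
type = tls
certificate_chain_filename = /etc/ssl/web/chain.pem
private_key_inline_string = -----BEGIN PRIVATE KEY----- c2VjcmV0 -----END PRIVATE KEY-----

[certificate#2]
type = tls
certificate_secret = half-done
"""

if __name__ == "__main__":
    for section, problems in check_config(CONFIG, SECRETS).items():
        print(section, "OK" if not problems else "\n  ".join(["", *problems]))
```

Run it against a real service config exported as ini text and a dump of the secret keys; certificate#0 passes, certificate#1 is flagged for carrying the key in the config file, and certificate#2 is flagged because its secret lacks server_key, which is the failure mode the certificate_secret description warns about.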

comment

  scopable:      False
  required:      False
  provisioning:  False
  default:
  inheritance:   leaf > head
  scope order:   specific > generic

Helps users understand the role of the service and its resources, which is valuable to on-call support people who have to operate a service they are not usually responsible for.