ALTS (proto)
This extension has the qualified name envoy.transport_sockets.alts
Note
This extension is intended to be robust against both untrusted downstream and upstream traffic.
Tip
This extension extends and can be used with the following extension categories:
This extension must be configured with one of the following type URLs:
extensions.transport_sockets.alts.v3.Alts
[extensions.transport_sockets.alts.v3.Alts proto]
Configuration for the ALTS transport socket, which provides Google’s ALTS protocol to Envoy. The peer identity is stored in dynamic metadata under the namespace “envoy.transport_socket.peer_information” with the key “peer_identity”. See https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/
{
  "handshaker_service": ...,
  "peer_service_accounts": []
}
- handshaker_service
(string, REQUIRED) The location of a handshaker service. This is usually 169.254.169.254:8080 on GCE.
- peer_service_accounts
(repeated string) The acceptable service accounts for the peer. Peers not in the list will be rejected in the handshake validation step. If empty, no validation will be performed.
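The two fields above applied to an upstream cluster, as an added example that is not part of the Envoy documentation. The cluster name, backend address, port and service account are constructed placeholders; the handshaker address is the GCE value given above.

```yaml
static_resources:
  clusters:
  - name: alts_backend                      # placeholder cluster name
    type: STRICT_DNS
    connect_timeout: 1s
    load_assignment:
      cluster_name: alts_backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: backend.internal.example   # placeholder host
                port_value: 8443                    # placeholder port
    transport_socket:
      name: envoy.transport_sockets.alts
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.alts.v3.Alts
        # Handshaker service location; usual value on GCE per the field docs.
        handshaker_service: "169.254.169.254:8080"
        # Allow-list of peer service accounts. A peer whose identity is not
        # listed is rejected in the handshake validation step.
        peer_service_accounts:
        - backend-sa@example-project.iam.gserviceaccount.com   # placeholder
        # Weak form, for comparison: an empty list disables peer validation,
        # so the handshake accepts a peer with any service account.
        # peer_service_accounts: []
```

With the allow-list populated, the connection is both encrypted and bound to the expected peer identity; with it empty, the socket still runs the ALTS handshake but no longer checks which service account the peer presents.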