Sync APIs. @tag-name=gloo-internal-api-fix-eas-867

api/gloo/enterprise.gloo/v1/auth_config.proto

@@ -1504,16 +1504,14 @@ message PassThroughGrpc {
     // Timeout for the auth server to respond. Defaults to 5s
     google.protobuf.Duration connection_timeout = 2;
 
-    // TLS config for the Grpc passthrough, if not configured the connection will use insecure.
-    PassThroughGrpcTLSConfig tlsConfig =3;
+    // TLS config for the gRPC passthrough, if not configured the connection will use insecure.
+    // When specified, this supports configuration for either simple TLS or mTLS.
+    PassThroughGrpcTLSConfig tls_config = 3;
 
     // Indicates the retry policy for re-establishing the gRPC stream.
     // This field is optional and failed calls will not retry unless configured.
     RetryPolicy retry_policy = 4;
 }
-// TLS configuration for the extauth grpc passthrough connection
-message PassThroughGrpcTLSConfig {
-}
 
 // Authorizes requests by making a POST HTTP/1 request to a custom HTTP auth server
 // Assumes the request is authorized if the server returns a OK (200) status code,
@@ -1619,6 +1617,57 @@ message PassThroughHttp {
 
     // Timeout for the auth server to respond. Defaults to 5s
     google.protobuf.Duration connection_timeout = 8;
+
+    // TLS config for the HTTP passthrough, if not configured the connection will use insecure.
+    // When specified, this supports configuration for either simple TLS or mTLS.
+    PassThroughHttpTLSConfig tls_config = 9;
+}
+
+// TLS configuration for the extauth gRPC passthrough connection
+message PassThroughGrpcTLSConfig {
+    // SecretRef contains the secret ref to a Kubernetes tls secret.
+    // This secret can contain the certificate, key and CA bundle to establish mTLS.
+    // If CA is not provided it will attempt to perform a simple TLS.
+    core.solo.io.ResourceRef secret_ref = 1;
+
+    // Additional TLS parameters
+    SslParameters ssl_params = 2;
+}
+
+// TLS configuration for the extauth HTTP passthrough connection
+message PassThroughHttpTLSConfig {
+    // SecretRef contains the secret ref to a Kubernetes tls secret.
+    // This secret can contain the certificate, key and CA bundle to establish mTLS.
+    // If CA is not provided it will attempt to perform a simple TLS.
+    core.solo.io.ResourceRef secret_ref = 1;
+
+    // Additional TLS parameters
+    SslParameters ssl_params = 2;
+}
+
+message SslParameters {
+    enum ProtocolVersion {
+        // TLS auto select the optimal settings
+        TLS_AUTO = 0;
+
+        // TLS 1.1
+        TLSv1_1 = 1;
+
+        // TLS 1.2
+        TLSv1_2 = 2;
+
+        // TLS 1.3
+        TLSv1_3 = 3;
+    }
+
+    // Minimum TLS protocol version.
+    // If not explicitly set, the default protocol will be TLS 1.2.
+    // Avoid using TLS version earlier than 1.2, as this poses significant security risks. For more details, refer to https://www.ietf.org/rfc/rfc8996.html.
+    ProtocolVersion minimum_protocol_version = 1;
+
+    // Maximum TLS protocol version.
+    // If not explicitly set, the default protocol will be TLS 1.3.
+    ProtocolVersion maximum_protocol_version = 2;
 }
 
 // PortalAuth is used to authorize requests for credentials generated by the portal web server.

api/gloo/gloo/v1/enterprise/options/extauth/v1/extauth-internal.proto

@@ -698,10 +698,44 @@ message ExtAuthConfig {
         // Timeout for the portal web server to respond. Defaults to 200ms
         google.protobuf.Duration request_timeout = 5;
     }
+
     message InMemorySecretList {
         // list of username/password pairs taken from secrets during gloo-ee translation
         map<string, string> secret_list = 1 [(extproto.sensitive) = true];
     }
+
+    message PassthroughAuthInternalConfig {
+
+        // PassthroughAuthTlsConfigData defines the internal structure used to configure
+        // client-side TLS settings for passthrough authentication. This is not
+        // exposed externally and is used internally for constructing TLS client connections
+        // with support for certificates, private keys, and root CAs.
+        //
+        // All PEM fields are base64-encoded. The `ssl_params` field allows for specifying
+        // additional TLS properties such as protocol versions and cipher preferences.
+        //
+        // The fields `server_name`, `insecure_skip_verify`, and `require_client_cert`
+        // are currently not mapped to `tls.Config` but are retained for future compatibility
+        // and advanced configuration support.
+        message PassthroughAuthTlsConfigData {
+            // Base64-encoded PEM for the client certificate
+            string cert_pem = 1;
+            // Base64-encoded PEM for the client private key
+            string key_pem = 2;
+            // Base64-encoded PEM for the trusted root CA(s)
+            string root_ca_pem = 3;
+
+            // Optional: Includes additional TLS parameters
+            SslParameters ssl_params = 4;
+        }
+
+        // User defined passthrough configuration (any user supplied TLS configuration is masked from this)
+        PassThroughAuth pass_through_auth = 1;
+
+        // Mapped TLS configuration data that defines TLS certificates and advanced parameters
+        PassthroughAuthTlsConfigData tls_config_data = 2 [(extproto.sensitive) = true];
+    }
+
     message Config {
 
         reserved 1, 2;
@@ -727,10 +761,12 @@ message ExtAuthConfig {
             // If Jwt authentication is to be used in the [boolean expression](https://docs.solo.io/gloo-edge/latest/reference/api/github.com/solo-io/solo-apis/api/gloo/enterprise.gloo/v1/auth_config.proto.sk/#authconfig) in an AuthConfig, you can use this auth config type to include Jwt as an Auth config.
             // In addition, `allow_missing_or_failed_jwt` must be set on the Virtual Host or Route that uses JWT auth or else the JWT filter will short circuit this behaviour.
             google.protobuf.Empty jwt = 12;
+            // Deprecated - this is being replaced by "passthrough_internal" field which carries additional TLS configuration
             PassThroughAuth pass_through_auth = 13;
             HmacAuthConfig hmac_auth = 15;
             OpaServerAuthConfig opa_server_auth = 16;
             PortalAuthConfig portal_auth = 18;
+            PassthroughAuthInternalConfig passthrough_internal = 19;
         }
     }