REST Resource: projects.locations.clientTlsPolicies

Resource: ClientTlsPolicy

ClientTlsPolicy is a resource that specifies how a client should authenticate connections to backends of a service. This resource itself does not affect configuration unless it is attached to a backend service resource.

JSON representation
{
  "name": string,
  "description": string,
  "createTime": string,
  "updateTime": string,
  "labels": {
    string: string,
    ...
  },
  "sni": string,
  "clientCertificate": {
    object (CertificateProvider)
  },
  "serverValidationCa": [
    {
      object (ValidationCA)
    }
  ],
  "targets": [
    string
  ],
  "workloadContextSelectors": [
    {
      object (WorkloadContextSelector)
    }
  ],
  "subjectAltNames": [
    string
  ],
  "internalCaller": boolean
}
Fields
name

string

Required. Name of the ClientTlsPolicy resource. It matches the pattern projects/*/locations/{location}/clientTlsPolicies/{clientTlsPolicy}.

description

string

Optional. Free-text description of the resource.

createTime

string (Timestamp format)

Output only. The timestamp when the resource was created.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The timestamp when the resource was updated.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

labels

map (key: string, value: string)

Optional. Set of label tags associated with the resource.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

sni

string

Optional. Server Name Indication string to present to the server during the TLS handshake, e.g. "secure.example.com".

clientCertificate

object (CertificateProvider)

Optional. Defines a mechanism to provision client identity (public and private keys) for peer-to-peer authentication. The presence of this field dictates mTLS.

serverValidationCa[]

object (ValidationCA)

Optional. Defines the mechanism to obtain the Certificate Authority certificate used to validate the server certificate. If empty, the client does not validate the server certificate.

targets[]

string

Optional. Defines the list of targets this policy should serve. A target can only be a BackendService and must be given as the fully qualified name of the BackendService, e.g. projects/xxx/backendServices/locations/global/xxx. NOTE: the ClientTlsPolicy and the referenced BackendServices must be present in the same project. This field is used only for the Google Service Mesh (GSM) product.

workloadContextSelectors[]

object (WorkloadContextSelector)

Optional. Selects the workloads to which the policy is applied for its targets. A policy without a WorkloadContextSelector is always applied to its targets when there is no conflict. If there are multiple WorkloadContextSelectors, the policy is applied to all targets if ANY of the WorkloadContextSelectors matches, so these selectors combine in an OR fashion.

If multiple ClientTlsPolicy resources target the same BackendService, only one ClientTlsPolicy is effective, and precedence is as follows:
1) A ClientTlsPolicy with workloadContextSelectors takes precedence first.
2) If multiple ClientTlsPolicy resources with matching workloadContextSelectors exist, the earliest created one takes precedence.
3) Otherwise, the ClientTlsPolicy without workloadContextSelectors takes precedence. Currently, multiple ClientTlsPolicy resources without workloadContextSelectors may not be attached to the same BackendService.

NOTE: For GSM use only.

subjectAltNames[]

string

Optional. A list of alternate names used to verify the server identity in the certificate. If specified, the client verifies that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subjectAltNames from BackendService.securitySettings.subjectAltNames[]. A domain name can be either an exact match (e.g. foo) or a suffix match (e.g. foo* or foo/*).

internalCaller

boolean

Optional. A flag set to identify internal controllers. Setting this triggers a P4SA check to validate that the caller is from an allowlisted service's P4SA, even if other optional fields are unset.

WorkloadContextSelector

Determines which workloads a policy is applicable for.

JSON representation
{
  "metadataSelectors": [
    {
      object (MetadataSelector)
    }
  ]
}
Fields
metadataSelectors[]

object (MetadataSelector)

Required. A map of metadata label values used to select workloads. If multiple MetadataSelectors are provided, all MetadataSelectors must match in order for the policy to be applied to this workload. Therefore these selectors must be combined in an AND fashion.

MetadataSelector

This message type is used instead of a map so that additional fields, such as priority, can be added in the future.

JSON representation
{
  "key": string,
  "value": string
}
Fields
key

string

Required. The metadata field being selected on.

value

string

Required. The value this metadata field is compared with.
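The selector semantics (OR across WorkloadContextSelectors, AND across MetadataSelectors) and the precedence rules described under workloadContextSelectors and metadataSelectors above, worked through as an added example in Python; this is not code from the API reference or from the Network Security API itself. Policies are plain dicts in this page's JSON shape, the inner CertificateProvider and ValidationCA objects are opaque placeholders, and every project, backend and policy name is constructed.

```python
# Added example, not from the API reference: effective-policy resolution and weak-setting checks.

def selector_matches(selector, labels):
    # A WorkloadContextSelector matches only if ALL of its MetadataSelectors match (AND).
    return all(labels.get(m["key"]) == m["value"] for m in selector["metadataSelectors"])

def policy_applies(policy, labels):
    # No selectors: always applies. With selectors: applies if ANY of them matches (OR).
    selectors = policy.get("workloadContextSelectors") or []
    return not selectors or any(selector_matches(s, labels) for s in selectors)

def created_key(policy):
    # RFC3339 "Zulu" createTime; pad fractional seconds so string order is chronological.
    base, _, frac = policy["createTime"].rstrip("Z").partition(".")
    return base + "." + frac.ljust(9, "0")

def effective_policy(policies, backend_service, labels):
    # 1) policies with selectors win, 2) earliest created among them,
    # 3) else the single selector-less policy (the API allows only one per BackendService).
    candidates = [p for p in policies
                  if backend_service in p.get("targets", []) and policy_applies(p, labels)]
    with_sel = [p for p in candidates if p.get("workloadContextSelectors")]
    if with_sel:
        return min(with_sel, key=created_key)["name"]
    without_sel = [p for p in candidates if not p.get("workloadContextSelectors")]
    if len(without_sel) > 1:
        raise ValueError("more than one selector-less ClientTlsPolicy targets " + backend_service)
    return without_sel[0]["name"] if without_sel else None

def review_findings(policy):
    # Empty serverValidationCa: server cert not validated. Missing clientCertificate: no mTLS.
    findings = []
    if not policy.get("serverValidationCa"):
        findings.append("serverValidationCa empty: server certificate not validated")
    if policy.get("clientCertificate") is None:
        findings.append("clientCertificate absent: no client identity, so no mTLS")
    return findings

BACKEND = "projects/example-project/locations/global/backendServices/api-backend"
NAME = "projects/example-project/locations/global/clientTlsPolicies/"
POLICIES = [  # constructed sample data in this page's JSON shape
    {"name": NAME + "baseline", "createTime": "2024-01-10T09:00:00Z", "targets": [BACKEND]},
    {"name": NAME + "prod-payments", "createTime": "2024-02-01T12:00:00Z", "targets": [BACKEND],
     "clientCertificate": {"...": "CertificateProvider"}, "serverValidationCa": [{"...": "ValidationCA"}],
     "workloadContextSelectors": [{"metadataSelectors": [{"key": "env", "value": "prod"},
                                                         {"key": "team", "value": "payments"}]}]},
    {"name": NAME + "prod-any", "createTime": "2024-02-01T12:00:00.25Z", "targets": [BACKEND],
     "workloadContextSelectors": [{"metadataSelectors": [{"key": "env", "value": "prod"}]}]},
]
```

A workload labelled env=prod,team=payments matches both selector policies, and the earlier-created prod-payments wins; a workload with only env=prod falls through to prod-any, and anything else gets the selector-less baseline, which the findings check flags for validating neither side.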

Methods

create

Creates a new ClientTlsPolicy in a given project and location.

delete

Deletes a single ClientTlsPolicy.

get

Gets details of a single ClientTlsPolicy.

getIamPolicy

Gets the access control policy for a resource.

list

Lists ClientTlsPolicies in a given project and location.

patch

Updates the parameters of a single ClientTlsPolicy.

setIamPolicy

Sets the access control policy on the specified resource.

testIamPermissions

Returns permissions that a caller has on the specified resource.