docs: Allow AWS IAM SigV4 for SDS AuthN (envoyproxy#8067)
Per envoyproxy#8042, update documentation to clarify authentication required for SDS connections, and add notes about credential types in use today.

Risk Level: Low
Testing: Previewed content layout using RST parser.
Docs Changes: See description.

Signed-off-by: Brian Celenza <[email protected]>
bcelenza authored and htuch committed Sep 16, 2019
1 parent 6ec15ce commit 11c5fa0
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion docs/root/configuration/security/secret.rst
Expand Up @@ -15,7 +15,10 @@ Upstream clusters are handled in a similar way, if a cluster client certificate

If a static cluster is using SDS, and it needs to define a SDS cluster (unless Google gRPC is used which doesn't need a cluster), the SDS cluster has to be defined before the static clusters using it.

The connection between Envoy proxy and SDS server has to be secure. One option is to run the SDS server on the same host and use Unix Domain Socket for the connection. Otherwise it requires mTLS between the proxy and SDS server. In this case, the client certificates for the SDS connection must be statically configured.
The connection between Envoy proxy and SDS server has to be secure. One option is to run the SDS server on the same host and use Unix Domain Socket for the connection. Otherwise the connection requires TLS with authentication between the proxy and SDS server. Credential types in use today for authentication are:

* mTLS -- In this case, the client certificates for the SDS connection must be statically configured.
* AWS IAM SigV4

SDS server
----------
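Review bot: the second bullet, "* AWS IAM SigV4", is left bare while the mTLS bullet explains where its credentials come from; readers of this section cannot tell from the hunk how SigV4 authenticates the SDS connection or how its credentials are supplied. Since the new sentence says the connection "requires TLS with authentication", it would help to state on the SigV4 bullet that the signature authenticates requests on top of a TLS connection (it does not replace transport encryption), and to give the same kind of pointer to configuration that the mTLS bullet gives, e.g. "* AWS IAM SigV4 -- Requests are signed with AWS credentials; the connection still uses TLS." Minor: the double hyphen in "mTLS -- In this case" renders literally in RST, so consider a consistent separator for both bullets.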
