spiffe: add support for spiffe bundle format #36190
Open
+294
−28
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
wbpcode
reviewed
Sep 18, 2024
api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
Show resolved
Hide resolved
markdroth
reviewed
Sep 19, 2024
| @@ -57,4 +82,9 @@ message SPIFFECertValidatorConfig { | |||
|
|
|||
| // This field specifies trust domains used for validating incoming X.509-SVID(s). | |||
| repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}]; | |||
|
|
|||
| // This field specifies a trust domain mapping as a json object. Mutually | |||
| // excluse with trust_domains. | |||
There was a problem hiding this comment.
For forward compatibility, instead of saying that the two fields are mutually exclusive, I think we should say that if both fields are set, then trust_bundle_map takes precedence. That way, control planes can set both fields, and things will work with both old clients that don't yet support this field and with new clients that do.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Commit Message: Adds alternative to "trust_domains" config for the spiffe validator—"trust_bundle_map".
Additional Description:
#35567
trust_bundle_map points to a local file containing a SPIFFE bundle. A file watcher is set up to trigger refreshes to the SPIFFE data when this file is modified. SPIFFE refresh hint and sequence number are currently ignored.
Risk Level: medium
Testing: WIP
Docs Changes: TBD
Release Notes: TBD