forked from maistra/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
MAISTRA-2242 Cherry-pick envoyproxy/envoy#14884
- Loading branch information
Showing
59 changed files
with
2,636 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
54 changes: 54 additions & 0 deletions
54
api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
syntax = "proto3"; | ||
|
||
package envoy.extensions.transport_sockets.tls.v3; | ||
|
||
import "envoy/config/core/v3/base.proto"; | ||
|
||
import "udpa/annotations/sensitive.proto"; | ||
import "udpa/annotations/status.proto"; | ||
import "udpa/annotations/versioning.proto"; | ||
import "validate/validate.proto"; | ||
|
||
option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; | ||
option java_outer_classname = "TlsSpiffeValidatorConfigProto"; | ||
option java_multiple_files = true; | ||
option (udpa.annotations.file_status).package_version_status = ACTIVE; | ||
|
||
// [#protodoc-title: SPIFFE Certificate Validator] | ||
|
||
// Configuration specific to the SPIFFE certificate validator provided at | ||
// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config>`. | ||
// | ||
// Example: | ||
// | ||
// .. code-block:: yaml | ||
// | ||
// custom_validator_config: | ||
// name: envoy.tls.cert_validator.spiffe | ||
// typed_config: | ||
// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig | ||
// trust_domains: | ||
// - name: foo.com | ||
// trust_bundle: | ||
// filename: "foo.pem" | ||
// - name: envoy.com | ||
// trust_bundle: | ||
// filename: "envoy.pem" | ||
// | ||
// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against | ||
// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint | ||
// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**` | ||
// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate. | ||
message SPIFFECertValidatorConfig { | ||
message TrustDomain { | ||
// Name of the trust domain, `example.com`, `foo.bar.gov` for example. | ||
// Note that this must *not* have "spiffe://" prefix. | ||
string name = 1 [(validate.rules).string = {min_len: 1}]; | ||
|
||
// Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain. | ||
config.core.v3.DataSource trust_bundle = 2; | ||
} | ||
|
||
// This field specifies trust domains used for validating incoming X.509-SVID(s). | ||
repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}]; | ||
} |
15 changes: 14 additions & 1 deletion
15
api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
60 changes: 60 additions & 0 deletions
60
api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
15 changes: 14 additions & 1 deletion
15
generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
54 changes: 54 additions & 0 deletions
54
...ed_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.