From 4fd7cbf3291e7a504dc917c4f781359de48ed9ed Mon Sep 17 00:00:00 2001 From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com> Date: Fri, 17 Jan 2025 01:55:45 +0000 Subject: [PATCH] spiffe: add support for spiffe bundle format (#36190) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Commit Message: Adds alternative to "trust_domains" config for the spiffe validator—"trust_bundle_map". Additional Description: [#35567](https://github.com/envoyproxy/envoy/issues/35567) trust_bundle_map points to a local file containing a [SPIFFE bundle map](https://docs.google.com/document/d/13KHycYIfRC-g42aEfo4_4inF_WauCXOBgZAcUGuxdgs/edit#heading=h.o2sg9lu1e74v). A file watcher is set up to trigger refreshes to the SPIFFE data when this file is modified. SPIFFE refresh hint and sequence number are currently ignored. Risk Level: medium Testing: WIP Docs Changes: TBD Release Notes: TBD --------- Signed-off-by: Brian Sonnenberg Mirrored from https://github.com/envoyproxy/envoy @ c60d428b3d0ed568a96d30f4c91f77843a308c19
---
 .../tls/v3/tls_spiffe_validator_config.proto | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index 4b0e17c7a..73592f8a6 100644
--- a/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -57,4 +57,11 @@ message SPIFFECertValidatorConfig {
 // This field specifies trust domains used for validating incoming X.509-SVID(s).
 repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
+
+ // This field specifies all trust bundles as a single DataSource. If both
+ // trust_bundles and trust_domains are specified, trust_bundles will
+ // take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
+ // If DataSource is a file, dynamic file watching will be enabled,
+ // and updates to the specified file will trigger a refresh of the trust_bundles.
+ config.core.v3.DataSource trust_bundles = 2;
 }
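Review bot: The comment on `trust_bundles` leaves the reload failure mode unspecified, which matters because the watched file is the source of trust anchors: an operator needs to know whether a malformed or partially written bundle map picked up by the file watcher keeps the previously loaded bundles or rejects the update, so the field doc should state that in one sentence once the behavior is confirmed in the validator implementation. The commit message says the SPIFFE refresh hint and sequence number are ignored, but that does not appear in the field comment; add `// The bundle map's refresh_hint and sequence_number are currently ignored; only file modification triggers a reload.` so nobody expects rotation to follow the hint. `trust_domains` still carries `min_items: 1`, so a configuration that relies solely on `trust_bundles` must supply at least one `trust_domains` entry even though the comment says it will be overridden; either relax the rule or document the placeholder requirement. The watcher sentence only covers the file case, so the comment should also say how the inline string/bytes DataSource variants are handled (presumably loaded once, never refreshed — confirm). Note too that the commit message calls the option `trust_bundle_map` while the field is named `trust_bundles`.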