wasm abi: tls certificate information retrieval

[Shikugawa]

Signed-off-by: shikugawa Shikugawa@gmail.com

For an explanation of how to fill out the fields, please see the relevant section
in PULL_REQUESTS.md

Description: This is only a proposal implementation. I added instructions to retrieve local/peer certificate information. It is required to retrieve on AuthN filter wasm implementation. If there is no implementation to retrieve cert info via wasm VM, we should link upstream envoy connection info. It may cause the complexity of dependencies of AuthN wasm implementation.

istio/istio#15772

Risk Level: Low
Testing: N/A
Docs Changes: Required
Release Notes:
[Optional Fixes #Issue]
[Optional Deprecated:]

[PiotrSikora]

@Shikugawa thanks for the PR, but could you send a PR with the ABI changes to https://github.com/proxy-wasm/spec, or just create an issue there to discuss this feature?

Ultimately, I don't think that we need to have a separate function for each buffer/map, and this could be exposed either as a raw certificate via proxy_get_buffer(TlsCertificate{Local,Peer}, ...) or as a map with extracted values via proxy_get_map(TlsCertificate{Local,Peer}, ...).

cc @jplevyak

[kyessenov]

Why do we need this if we can use getValue({"connection", "subject_local_certificate"}, &value) from https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/rbac_filter#condition?

[Shikugawa]

@kyessenov If we use this, we must build rbac_filter with emscripten. But we'd not like to do what the number of dependencies related to upstream envoy will grow up. So we need this functionality.

[kyessenov]

@Shikugawa I don't follow. getValue lets you add more getters without bloating the API and we already added a bunch for TLS info for telemetry. There's no extra dependencies on rbac filter, it just uses the underlying code to match the property names.

[Shikugawa]

@kyessenov Thanks. I'll try it with this. But, this functionality may be required in the future. So I think that continuing a discussion with this is useful.

[kyessenov]

Sure, please take a look and we can decide how to grow the set of the attributes. I just don't want two different ways to get the same things.

[Shikugawa]

@kyessenov I tried it with getValue. But it has less functionality to solve our problem such as we can't retrieve whether peer certificate is presented. So still we need this.

[kyessenov]

@Shikugawa See connection.mtls: Indicates whether TLS is applied to the downstream connection and the peer ceritificate is presented. This is not entirely possible on the client by the way, there is my long failed attempt to implement it in envoy repo.

[jplevyak]

Instead of adding this as a core ABI, let's add it to getProperties.