/
tls_spiffe_validator_config.proto
59 lines (51 loc) · 2.91 KB
/
tls_spiffe_validator_config.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3;
import "envoy/config/core/v3/base.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "TlsSpiffeValidatorConfigProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: SPIFFE Certificate Validator]
// [#extension: envoy.tls.cert_validator.spiffe]
// Configuration specific to the `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
//
// Example:
//
// .. validated-code-block:: yaml
// :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
//
// custom_validator_config:
// name: envoy.tls.cert_validator.spiffe
// typed_config:
// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
// trust_domains:
// - name: foo.com
// trust_bundle:
// filename: "foo.pem"
// - name: envoy.com
// trust_bundle:
// filename: "envoy.pem"
//
// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
//
// Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.
//
// - :ref:`allow_expired_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.allow_expired_certificate>` to allow expired certificates.
// - :ref:`match_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>` to match **URI** SAN of certificates. Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
//
message SPIFFECertValidatorConfig {
message TrustDomain {
// Name of the trust domain, `example.com`, `foo.bar.gov` for example.
// Note that this must *not* have "spiffe://" prefix.
string name = 1 [(validate.rules).string = {min_len: 1}];
// Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
config.core.v3.DataSource trust_bundle = 2;
}
// This field specifies trust domains used for validating incoming X.509-SVID(s).
repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
}