SDS v3 endpoints support SPIFFE validator

[MarcosDY]

Update SDS v3 endpoints to use "SPIFFE Certificate Validator", it is used as default for Envoys from v1.18.0.
Add a new configurable to set default_all_bundles_name that i used to configure a validator config that contains Bundle together with all Federated Bundles.

Which issue this PR fixes
fixes #2420

[amartinezfayo]

Looking great! I have some small comments.

[amartinezfayo]

Suggested change

	| `default_all_bundle_sname` | The Validation Context resource name to use when fetching X.509 bundle together with federated bundles with Envoy SDS | ALL |
	| `default_all_bundles_name` | The Validation Context resource name to use when fetching X.509 bundle together with federated bundles with Envoy SDS | ALL |

[amartinezfayo]

Suggested change

	Another option is to request for `ALL` that creates a [SPIFFE Certificate Validator](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto) that contains TrustDomain together with all Federated Bundles. This feature is supported from Envoy v1.18.0.
	Another option is to request for `ALL` that creates a [SPIFFE Certificate Validator](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto) that contains TrustDomain together with all Federated Bundles. This feature is supported starting with Envoy v1.18.0.

[amartinezfayo]

Suggested change

	// Use RootCA as default, but replace for SPIFFE auth when envoy version is at least v1.18.0
	// Use RootCA as default, but replace with SPIFFE auth when Envoy version is at least v1.18.0

[amartinezfayo]

Suggested change

	return nil, status.Error(codes.Internal, `unable to use "SPIFFE validator" on envoy below 1.17`)
	return nil, status.Error(codes.Internal, `unable to use "SPIFFE validator" on Envoy below 1.17`)

[azdagron]

Thanks for putting this together @MarcosDY! I wonder if some of the "builder" stuff can be simplified.... I've left some comments to that effect.

[azdagron]

Maybe put this in another function, maybe named supportsSPIFFEAuthExtension?

[azdagron]

The builder interface doesn't seem very useful since we still check this boolean in most spots in order to set up the correct interface.

Perhaps, the builder interface looks like:

type validationContextBuilder interface {
    buildOne(resourceName, trustDomainID string) (*any.Any, error)
    buildAll(resourceName string, td string) (*any.Any, error)
}

Then that interface could be set once, up at top, once we determine if there is support for the SPIFFE Auth Extension. buildOne would be called in all cases except when the "ALL
name is requested, which would use buildAll. The buildAll method for the "root ca" builder would fail.

[azdagron]

Sorry for the additional back-and-forth on this, I noticed a few more things.

[azdagron]

Small suggestion on rewording emphasizing that the "all" configurable will be ignored and an added call to action.

Suggested change

	logger.Warn(`"default_bundle_name" and "default_all_bundles_name" has the same value, "default_bundle_name" will be used. In future versions this misconfiguration will cause agent to not start.`)
	logger.Warn(`The "default_bundle_name" and "default_all_bundles_name" configurables have the same value. "default_all_bundles_name" will be ignored. Please configure distinct values or use the defaults. This will be a configuration error In a future release.`)

[azdagron]

Suggested change

	# # default_all_bundles_name: The Validation Context resource name to use for when
	# # fetching X.509 bundle togehter with federated bundles with Envoy SDS
	# # default_all_bundles_name = "ALL"
	# # default_all_bundles_name: The Validation Context resource name to use to fetch
	# # all bundles (including federated bundles) with Envoy SDS. Cannot be used with
	# # Envoy releases prior to 1.18.
	# # default_all_bundles_name = "ALL"

[azdagron]

Suggested change

	| `default_all_bundles_name` | The Validation Context resource name to use when fetching X.509 bundle together with federated bundles with Envoy SDS | ALL |
	| `default_all_bundles_name` | The Validation Context resource name to use for all bundles (including federated) with Envoy SDS | ALL |

[azdagron]

Suggested change

	The default name is configurable (see `default_all_bundles_name` under [SDS Configuration](#sds-configuration)
	The default name is configurable (see `default_all_bundles_name` under [SDS Configuration](#sds-configuration).

[azdagron]

I think we should combine this and the previous paragraph, since it isn't exactly clear, at least with the current formatting, that this paragraph is still in reference to the validation context. My suggestion also has a little rewording:

[`auth.CertificateValidationContext`](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto#auth-certificatevalidationcontext)
resources containing trusted CA certificates can be fetched using the SPIFFE ID
of the desired trust domain as the resource name (e.g. `spiffe://example.org`).
In addition, two other special resource names are available. The first, which
defaults to "ROOTCA", provides the CA certificates for the trust domain the
agent belongs to. The second, which defaults to "ALL", returns the trusted CA
certificates for both the trust domain the agent belongs to as well as any
federated trust domains applicable to the Envoy workload.  The default names
for these resource names are configurable via the `default_bundle_name` and
`default_all_bundles_name`, respectively. The "ALL" resource name requires
support for the [SPIFFE Certificate Validator](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto)
extension, which is only available starting with Envoy 1.18.

[azdagron]

This comment now seems out of place....

[azdagron]

I'm not sure this should be codes.Internal, it's easy for someone to make a request for a trust domain ID that they don't have access to. I'd recommend either codes.InvalidRequest or codes.NotFound.

[MarcosDY]

I choose codes.NotFound

[azdagron]

FWIW, tdBundle should never be nil. I'm ok with the defensive code, but we should adjust the comment so folks don't think it can be nil in normal circumstances.

Suggested change

	// Add td bundle if provided
	// Only include tdBundle if it is not nil, which shouldn't ever be the case. This is purely defensive.

[azdagron]

FWIW, tdBundle should never be nil. I'm ok with the defensive code, but we should adjust the comment so folks don't think it can be nil in normal circumstances.

Suggested change

	// Add td bundle if provided
	// Only include tdBundle if it is not nil, which shouldn't ever be the case. This is purely defensive.

[azdagron]

This check is potentially incorrect for Envoy 2.0 - 2.17 (which may or may not support the extension, but we can assume they do until we know better).

Suggested change

	return version.MajorNumber >= 1 && version.MinorNumber > 17
	return (version.MajorNumber == 1 && version.MinorNumber > 17) || version.MajorNumber > 1

[azdagron]

\o/, awesome work, @MarcosDY !