Implement Certificate Provider Framework (#19308) #19582
Conversation
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to
This PR is in WIP status, it's not ready for build and test. Please refer to #19308 and join our discussion.
Force-pushed cf5834f to ee706f5
@LuyaoZhong ping me when this is ready to review or you want early feedback.
Force-pushed 1433757 to 5b6b6e6
@lizan @markdroth
To fix the CodeQL check you need to merge the main branch. Also check the other CI failures. Please never use git --force push after a PR is set ready for review.
@rojkov Thanks for your kind reminder. This PR is not ready for full review; I just force pushed my code to get some early feedback.
Resolved review threads (outdated) on:
source/extensions/certificate_providers/default_cert_provider/config.h
source/common/certificate_provider/certificate_provider_manager_impl.h
source/common/certificate_provider/certificate_provider_manager_impl.h
source/common/certificate_provider/certificate_provider_manager_impl.cc
Force-pushed 7af56f8 to 20e0574
Force-pushed eab3c86 to 9be6c85
Introduce a CertificateProviderManager to parse the certificate_provider_instances config and instantiate certificate providers. Signed-off-by: Luyao Zhong <[email protected]>
Force-pushed 9be6c85 to d4eb3cb
@lizan I updated the PR. I force pushed the code again; it is now ready for review and I removed "WIP" from the PR title.
@ggreenway @lizan could you take a look at this PR?
@lizan could you reopen this PR? As we mentioned, we have a concrete example called TLS bumping that utilizes this certificate provider framework; the PoC is currently submitted as #23192. I think we can move this PR forward as a separate feature, polishing the API design, adding more test cases, etc. Does it make sense to you?
/wait on CI and conflicts
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!
Is this at main branch now? Thanks! |
@botengyao Not yet. The community would like a concrete use case instead of only adding an extension point. One use case is #18928, but we are still working on it.
@LuyaoZhong are you guys still pursuing this ? |
@LuyaoZhong - Thanks for the response. We do require something like this. I have been loosely following your PRs and I noticed that some of the PRs got closed without getting merged, like #19582 and #22582. Any plans of pursuing their merger into Envoy?
On Wed, Apr 5, 2023 at 7:13 PM Luyao Zhong wrote:
@vermajit yes, we use it in #18928, do you require this feature as well?
@vermajit The community would like a concrete use case instead of only adding an extension point. We need an end user to adopt our solution and support us to merge this change, so it might take a long time. Which feature are you interested in? Only the certificate provider, or the whole TLS bumping (dynamic TLS-I)? @mattklein123 It seems many people want this feature; could we evaluate whether it could be supported as a common feature by maintainers instead of end users?
Let's come up with a concrete use case and then we can discuss. |
@mattklein123 According to the comments from other people, they would like to have similar functionalities. |
I don't remember where we landed on this conversation last time, but if there is a fully working use case that can be implemented in OSS, we are open to that. Just adding an extension point is not very useful.
Implement Certificate Provider Framework:
Constructing and managing the certificate provider instances in Bootstrap
Implement the ca_certificate_provider_instance in CertificateValidationContext
Implement tls_certificate_provider_instance in CommonTlsContext
Risk Level: Low
Testing: Unit tests
Docs Changes: N/A
Release Notes: N/A
Fixes #19308
Signed-off-by: Luyao Zhong [email protected]