Implement Certificate Provider Framework (#19308)

api/envoy/config/bootstrap/v3/bootstrap.proto

@@ -315,9 +315,8 @@ message Bootstrap {
 
   // Global map of CertificateProvider instances. These instances are referred to by name in the
   // :ref:`CommonTlsContext.CertificateProviderInstance.instance_name
-  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance.instance_name>`
+  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance.instance_name>`
   // field.
-  // [#not-implemented-hide:]
   map<string, core.v3.TypedExtensionConfig> certificate_provider_instances = 25;
 
   // Specifies a set of headers that need to be registered as inline header. This configuration

api/envoy/extensions/transport_sockets/tls/v3/common.proto

@@ -239,7 +239,6 @@ message TlsSessionTicketKeys {
 // The plugin instances are defined in the client's bootstrap file.
 // The plugin allows certificates to be fetched/refreshed over the network asynchronously with
 // respect to the TLS handshake.
-// [#not-implemented-hide:]
 message CertificateProviderPluginInstance {
   // Provider instance name. If not present, defaults to "default".
   //
@@ -335,7 +334,6 @@ message CertificateValidationContext {
   // Certificate provider instance for fetching TLS certificates.
   //
   // Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
-  // [#not-implemented-hide:]
   CertificateProviderPluginInstance ca_certificate_provider_instance = 13
       [(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"];
 

api/envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -259,7 +259,6 @@ message CommonTlsContext {
   //
   // Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
   // and ``tls_certificate_provider_instance`` may be used.
-  // [#not-implemented-hide:]
   CertificateProviderPluginInstance tls_certificate_provider_instance = 14;
 
   // Certificate provider for fetching TLS certificates.

envoy/certificate_provider/BUILD

@@ -0,0 +1,46 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+envoy_cc_library(
+    name = "certificate_provider_interface",
+    hdrs = ["certificate_provider.h"],
+    external_deps = [
+        "ssl",
+    ],
+    deps = [
+        "//envoy/common:callback",
+        "@com_google_absl//absl/strings",
+        "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_library(
+    name = "certificate_provider_manager_interface",
+    hdrs = [
+        "certificate_provider_manager.h",
+    ],
+    deps = [
+        ":certificate_provider_interface",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
+    ],
+)
+
+envoy_cc_library(
+    name = "certificate_provider_factory_lib",
+    hdrs = [
+        "certificate_provider_factory.h",
+    ],
+    deps = [
+        ":certificate_provider_interface",
+        "//envoy/registry",
+        "@com_google_absl//absl/strings",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
+    ],
+)

envoy/certificate_provider/certificate_provider.h

@@ -0,0 +1,74 @@
+#pragma once
+
+#include <list>
+
+#include "envoy/common/callback.h"
+#include "envoy/common/pure.h"
+#include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
+#include "envoy/ssl/connection.h"
+
+#include "absl/strings/string_view.h"
+#include "openssl/ssl.h"
+#include "openssl/x509v3.h"
+
+namespace Envoy {
+namespace CertificateProvider {
+
+class OnDemandUpdateMetadata {
+public:
+  virtual ~OnDemandUpdateMetadata() = default;
+
+  virtual Envoy::Ssl::ConnectionInfoConstSharedPtr connectionInfo() const PURE;
+};
+
+using OnDemandUpdateMetadataPtr = std::unique_ptr<OnDemandUpdateMetadata>;
+
+class CertificateProvider {
+public:
+  struct Capabilites {
+    /* whether or not a provider supports generating identity certificates on demand */
+    bool provide_on_demand_identity_certs = false;
+  };
+
+  virtual ~CertificateProvider() = default;
+
+  virtual Capabilites capabilities() const PURE;
+
+  /**
+   * @return CA certificate used for validation
+   */
+  virtual const std::string trustedCA(const std::string& cert_name) const PURE;
+
+  /**
+   * Certificate provider instance which used to get tls certificates
+   * should provide at least one tls certificate.
+   * @return Identity certificates used for handshake
+   */
+  virtual std::vector<const envoy::extensions::transport_sockets::tls::v3::TlsCertificate*>
+  tlsCertificates(const std::string& cert_name) const PURE;
+
+  /**
+   * Add on-demand callback into certificate provider, this function might be invoked from worker
+   * thread during runtime
+   *
+   * @param metadata is passed to provider for certs fetching/refreshing
+   * @return CallbackHandle the handle which can remove that update callback.
+   */
+  virtual Common::CallbackHandlePtr
+  addOnDemandUpdateCallback(const std::string& cert_name, OnDemandUpdateMetadataPtr metadata,
+                            std::function<void()> thread_local_callback) PURE;
+
+  /**
+   * Add certificate update callback into certificate provider for asychronous usage.
+   *
+   * @param callback callback that is executed by certificate provider.
+   * @return CallbackHandle the handle which can remove that update callback.
+   */
+  virtual Common::CallbackHandlePtr addUpdateCallback(const std::string& cert_name,
+                                                      std::function<void()> callback) PURE;
+};
+
+using CertificateProviderSharedPtr = std::shared_ptr<CertificateProvider>;
+
+} // namespace CertificateProvider
+} // namespace Envoy

envoy/certificate_provider/certificate_provider_factory.h

@@ -0,0 +1,29 @@
+#pragma once
+
+#include "envoy/certificate_provider/certificate_provider.h"
+#include "envoy/common/pure.h"
+#include "envoy/config/core/v3/extension.pb.h"
+#include "envoy/registry/registry.h"
+
+#include "absl/strings/string_view.h"
+
+namespace Envoy {
+namespace Server {
+namespace Configuration {
+class TransportSocketFactoryContext;
+} // namespace Configuration
+} // namespace Server
+namespace CertificateProvider {
+
+class CertificateProviderFactory : public Config::TypedFactory {
+public:
+  virtual Envoy::CertificateProvider::CertificateProviderSharedPtr
+  createCertificateProviderInstance(
+      const envoy::config::core::v3::TypedExtensionConfig& config,
+      Server::Configuration::TransportSocketFactoryContext& factory_context, Api::Api& api) PURE;
+
+  std::string category() const override { return "envoy.certificate_providers"; }
+};
+
+} // namespace CertificateProvider
+} // namespace Envoy

envoy/certificate_provider/certificate_provider_manager.h

@@ -0,0 +1,35 @@
+#pragma once
+
+#include <string>
+
+#include "envoy/certificate_provider/certificate_provider.h"
+#include "envoy/common/pure.h"
+#include "envoy/config/core/v3/extension.pb.h"
+#include "envoy/singleton/instance.h"
+
+namespace Envoy {
+namespace Server {
+namespace Configuration {
+class TransportSocketFactoryContext;
+} // namespace Configuration
+} // namespace Server
+namespace CertificateProvider {
+
+/**
+ * A manager for certificate provider instances.
+ */
+class CertificateProviderManager : public Singleton::Instance {
+public:
+  ~CertificateProviderManager() override = default;
+
+  virtual void addCertificateProvider(
+      absl::string_view name, const envoy::config::core::v3::TypedExtensionConfig& config,
+      Server::Configuration::TransportSocketFactoryContext& factory_context) PURE;
+
+  virtual CertificateProviderSharedPtr getCertificateProvider(absl::string_view name) PURE;
+};
+
+using CertificateProviderManagerPtr = std::unique_ptr<CertificateProviderManager>;
+
+} // namespace CertificateProvider
+} // namespace Envoy

envoy/server/BUILD

@@ -126,6 +126,7 @@ envoy_cc_library(
         ":options_interface",
         "//envoy/access_log:access_log_interface",
         "//envoy/api:api_interface",
+        "//envoy/certificate_provider:certificate_provider_manager_interface",
         "//envoy/common:mutex_tracer",
         "//envoy/event:timer_interface",
         "//envoy/http:context_interface",

envoy/server/instance.h

@@ -7,6 +7,7 @@
 
 #include "envoy/access_log/access_log.h"
 #include "envoy/api/api.h"
+#include "envoy/certificate_provider/certificate_provider_manager.h"
 #include "envoy/common/mutex_tracer.h"
 #include "envoy/common/random_generator.h"
 #include "envoy/config/trace/v3/http_tracer.pb.h"
@@ -142,6 +143,11 @@ class Instance {
    */
   virtual Secret::SecretManager& secretManager() PURE;
 
+  /**
+   * @return the server's certificate provider manager
+   */
+  virtual CertificateProvider::CertificateProviderManager& certificateProviderManager() PURE;
+
   /**
    * @return the server's CLI options.
    */

envoy/server/transport_socket_config.h

@@ -2,6 +2,7 @@
 
 #include <string>
 
+#include "envoy/certificate_provider/certificate_provider_manager.h"
 #include "envoy/config/core/v3/health_check.pb.h"
 #include "envoy/config/typed_config.h"
 #include "envoy/event/dispatcher.h"
@@ -104,6 +105,11 @@ class TransportSocketFactoryContext {
    * @return reference to the access log manager object
    */
   virtual AccessLog::AccessLogManager& accessLogManager() PURE;
+
+  /**
+   * @return the instance of certificate provider manager.
+   */
+  virtual CertificateProvider::CertificateProviderManager& certificateProviderManager() PURE;
 };
 
 using TransportSocketFactoryContextPtr = std::unique_ptr<TransportSocketFactoryContext>;

envoy/ssl/BUILD

@@ -63,6 +63,7 @@ envoy_cc_library(
     hdrs = ["certificate_validation_context_config.h"],
     external_deps = ["abseil_optional"],
     deps = [
+        "//envoy/certificate_provider:certificate_provider_interface",
         "@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
         "@envoy_api//envoy/type/matcher/v3:pkg_cc_proto",
     ],

envoy/ssl/certificate_validation_context_config.h

@@ -5,6 +5,7 @@
 #include <vector>
 
 #include "envoy/api/api.h"
+#include "envoy/certificate_provider/certificate_provider.h"
 #include "envoy/common/pure.h"
 #include "envoy/extensions/transport_sockets/tls/v3/cert.pb.h"
 #include "envoy/extensions/transport_sockets/tls/v3/common.pb.h"
@@ -94,6 +95,18 @@ class CertificateValidationContextConfig {
    * @return the max depth used when verifying the certificate-chain
    */
   virtual absl::optional<uint32_t> maxVerifyDepth() const PURE;
+
+  /**
+   * @return the CA provider which can provide CA certificate to use for peer validation
+   */
+  virtual Envoy::CertificateProvider::CertificateProviderSharedPtr caProvider() const PURE;
+
+  /**
+   * Add ca callback into validation context config. When trusted ca is refreshed from
+   * ca provider, this callback is invoked to update config.
+   * @param callback callback that is executed by validation context config.
+   */
+  virtual void setCAUpdateCallback(std::function<void()> callback) PURE;
 };
 
 using CertificateValidationContextConfigPtr = std::unique_ptr<CertificateValidationContextConfig>;

envoy/ssl/context_config.h

@@ -111,6 +111,11 @@ class ContextConfig {
    * @return the access log manager object reference
    */
   virtual AccessLog::AccessLogManager& accessLogManager() const PURE;
+
+  /**
+   * @return the set of capabilities for Certificate Provider instance specified in this context
+   */
+  virtual CertificateProvider::CertificateProvider::Capabilites certProviderCaps() const PURE;
 };
 
 class ClientContextConfig : public virtual ContextConfig {

envoy/upstream/BUILD

@@ -20,6 +20,7 @@ envoy_cc_library(
         ":thread_local_cluster_interface",
         ":upstream_interface",
         "//envoy/access_log:access_log_interface",
+        "//envoy/certificate_provider:certificate_provider_manager_interface",
         "//envoy/common:random_generator_interface",
         "//envoy/config:grpc_mux_interface",
         "//envoy/config:subscription_factory_interface",

envoy/upstream/cluster_manager.h

@@ -7,6 +7,7 @@
 
 #include "envoy/access_log/access_log.h"
 #include "envoy/api/api.h"
+#include "envoy/certificate_provider/certificate_provider_manager.h"
 #include "envoy/common/random_generator.h"
 #include "envoy/config/bootstrap/v3/bootstrap.pb.h"
 #include "envoy/config/cluster/v3/cluster.pb.h"
@@ -520,6 +521,11 @@ class ClusterManagerFactory {
    * Returns the singleton manager.
    */
   virtual Singleton::Manager& singletonManager() PURE;
+
+  /**
+   * Returns the certificate provider manager
+   */
+  virtual CertificateProvider::CertificateProviderManager& certificateProviderManager() PURE;
 };
 
 /**

source/common/certificate_provider/BUILD

@@ -0,0 +1,23 @@
+load(
+    "//bazel:envoy_build_system.bzl",
+    "envoy_cc_library",
+    "envoy_package",
+)
+
+licenses(["notice"])  # Apache 2
+
+envoy_package()
+
+envoy_cc_library(
+    name = "certificate_provider_manager_impl_lib",
+    srcs = ["certificate_provider_manager_impl.cc"],
+    hdrs = ["certificate_provider_manager_impl.h"],
+    deps = [
+        "//envoy/api:api_interface",
+        "//envoy/certificate_provider:certificate_provider_factory_lib",
+        "//envoy/certificate_provider:certificate_provider_manager_interface",
+        "//source/common/config:utility_lib",
+        "@com_google_absl//absl/container:flat_hash_map",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
+    ],
+)