Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes MAISTRA-2324: Backport multi-root support for Envoy #92

Merged
merged 6 commits into from
May 10, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion api/envoy/extensions/transport_sockets/tls/v3/common.proto
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3;

import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/extension.proto";
import "envoy/type/matcher/v3/string.proto";

import "google/protobuf/any.proto";
Expand Down Expand Up @@ -191,7 +192,7 @@ message TlsSessionTicketKeys {
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}

// [#next-free-field: 11]
// [#next-free-field: 13]
message CertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CertificateValidationContext";
Expand Down Expand Up @@ -337,4 +338,16 @@ message CertificateValidationContext {
// Certificate trust chain verification mode.
TrustChainVerification trust_chain_verification = 10
[(validate.rules).enum = {defined_only: true}];

// The configuration of an extension specific certificate validator.
// If specified, all validation is done by the specified validator,
// and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
// Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
// The following names are available here:
//
// .. _extension_envoy.tls.cert_validator.spiffe:
//
// **envoy.tls.cert_validator.spiffe**: `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
// Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for more information.
config.core.v3.TypedExtensionConfig custom_validator_config = 12;
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
syntax = "proto3";

package envoy.extensions.transport_sockets.tls.v3;

import "envoy/config/core/v3/base.proto";

import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "TlsSpiffeValidatorConfigProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: SPIFFE Certificate Validator]

// Configuration specific to the SPIFFE certificate validator provided at
// :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config>`.
//
// Example:
//
// .. code-block:: yaml
//
// custom_validator_config:
// name: envoy.tls.cert_validator.spiffe
// typed_config:
// "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
// trust_domains:
// - name: foo.com
// trust_bundle:
// filename: "foo.pem"
// - name: envoy.com
// trust_bundle:
// filename: "envoy.pem"
//
// In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
// the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
// a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
// SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
message SPIFFECertValidatorConfig {
message TrustDomain {
// Name of the trust domain, `example.com`, `foo.bar.gov` for example.
// Note that this must *not* have "spiffe://" prefix.
string name = 1 [(validate.rules).string = {min_len: 1}];

// Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
config.core.v3.DataSource trust_bundle = 2;
}

// This field specifies trust domains used for validating incoming X.509-SVID(s).
repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
}
15 changes: 14 additions & 1 deletion api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 2 additions & 0 deletions docs/root/version_history/current.rst
Original file line number Diff line number Diff line change
Expand Up @@ -108,5 +108,7 @@ New Features
* xds: added support for resource TTLs. A TTL is specified on the :ref:`Resource <envoy_api_msg_Resource>`. For SotW, a :ref:`Resource <envoy_api_msg_Resource>` can be embedded
in the list of resources to specify the TTL.

* tls peer certificate validation: added :ref:`SPIFFE validator <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for supporting isolated multiple trust bundles in a single listener or cluster.

Deprecated
----------

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 1 addition & 3 deletions include/envoy/ssl/BUILD
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,7 @@ envoy_cc_library(
envoy_cc_library(
name = "certificate_validation_context_config_interface",
hdrs = ["certificate_validation_context_config.h"],
external_deps = ["abseil_optional"],
deps = [
"//source/common/common:matchers_lib",
"@envoy_api//envoy/extensions/transport_sockets/tls/v3:pkg_cc_proto",
Expand All @@ -67,14 +68,11 @@ envoy_cc_library(
envoy_cc_library(
name = "ssl_socket_extended_info_interface",
hdrs = ["ssl_socket_extended_info.h"],
deps = [
],
)

envoy_cc_library(
name = "ssl_socket_state",
hdrs = ["ssl_socket_state.h"],
deps = [],
)

envoy_cc_library(
Expand Down
Loading