TLS: Allow specification of both typed and non-typed san matchers in config (#20529)

Allow configs with both typed and non typed san matchers specified to allow config servers to use the same config for Envoys across multiple versions. The match_subject_alt_names field is ignored if match_typed_subject_alt_names is set. Signed-off-by: Pradeep Rao <pcrao@google.com> Mirrored from https://github.com/envoyproxy/envoy @ ef08b1c3d0cf9c2af84d32529a11b3e2056e9dcb
3 years ago · 12eff143c6
parent 419533a5de
commit 12eff143c6
1 changed files with 5 additions and 1 deletions
--- a/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/common.proto
@ -448,8 +448,12 @@ message CertificateValidationContext {
  //   <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
  repeated SubjectAltNameMatcher match_typed_subject_alt_names = 15;

-  // This field is deprecated in favor of ref:`match_typed_subject_alt_names
+  // This field is deprecated in favor of
+  // :ref:`match_typed_subject_alt_names
+  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.
+  // Note that if both this field and :ref:`match_typed_subject_alt_names
  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`
+  // are specified, the former (deprecated field) is ignored.
  repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9
      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];