api: Add CertificateProviderInstance to CommonTlsContext. (#12237)

Signed-off-by: Mark D. Roth <roth@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 79d7d4ee917c4faff78b5ae8aa1b07cf2ff91cfc
master-ci-test
data-plane-api(CircleCI) 4 years ago
parent 35bcca117d
commit 2334d91df3
  1. 9
      envoy/config/bootstrap/v3/bootstrap.proto
  2. 9
      envoy/config/bootstrap/v4alpha/bootstrap.proto
  3. 45
      envoy/extensions/transport_sockets/tls/v3/tls.proto
  4. 47
      envoy/extensions/transport_sockets/tls/v4alpha/tls.proto

@ -40,7 +40,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// <config_overview_bootstrap>` for more detail. // <config_overview_bootstrap>` for more detail.
// Bootstrap :ref:`configuration overview <config_overview_bootstrap>`. // Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.
// [#next-free-field: 25] // [#next-free-field: 26]
message Bootstrap { message Bootstrap {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.config.bootstrap.v2.Bootstrap"; "envoy.config.bootstrap.v2.Bootstrap";
@ -227,6 +227,13 @@ message Bootstrap {
// Optional overriding of default socket interface. The value must be the name of one of the // Optional overriding of default socket interface. The value must be the name of one of the
// socket interface factories initialized through a bootstrap extension // socket interface factories initialized through a bootstrap extension
string default_socket_interface = 24; string default_socket_interface = 24;
// Global map of CertificateProvider instances. These instances are referred to by name in the
// :ref:`CommonTlsContext.CertificateProviderInstance.instance_name
// <envoy_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance.instance_name>`
// field.
// [#not-implemented-hide:]
map<string, core.v3.TypedExtensionConfig> certificate_provider_instances = 25;
} }
// Administration interface :ref:`operations documentation // Administration interface :ref:`operations documentation
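Review bot: The comment on `certificate_provider_instances` does not say what happens when a `CommonTlsContext` refers to an instance name that is absent from this map, and for a source of TLS identity and trust roots that failure mode should be written down before the field is implemented. `CertificateProviderInstance.instance_name` is documented in tls.proto as defaulting to "default", so this comment should also say that the map key is the instance name and that an empty reference resolves to the entry keyed "default". I would add something like `// The map key is the instance name. A reference to a name that is not present here is a configuration error; the TLS context must be rejected, not loaded without certificates.` The same gap is in the v4alpha copy of bootstrap.proto. `Bootstrap` begins and ends outside this hunk.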

@ -38,7 +38,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
// <config_overview_bootstrap>` for more detail. // <config_overview_bootstrap>` for more detail.
// Bootstrap :ref:`configuration overview <config_overview_bootstrap>`. // Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.
// [#next-free-field: 25] // [#next-free-field: 26]
message Bootstrap { message Bootstrap {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.config.bootstrap.v3.Bootstrap"; "envoy.config.bootstrap.v3.Bootstrap";
@ -218,6 +218,13 @@ message Bootstrap {
// Optional overriding of default socket interface. The value must be the name of one of the // Optional overriding of default socket interface. The value must be the name of one of the
// socket interface factories initialized through a bootstrap extension // socket interface factories initialized through a bootstrap extension
string default_socket_interface = 24; string default_socket_interface = 24;
// Global map of CertificateProvider instances. These instances are referred to by name in the
// :ref:`CommonTlsContext.CertificateProviderInstance.instance_name
// <envoy_api_field_extensions.transport_sockets.tls.v4alpha.CommonTlsContext.CertificateProviderInstance.instance_name>`
// field.
// [#not-implemented-hide:]
map<string, core.v4alpha.TypedExtensionConfig> certificate_provider_instances = 25;
} }
// Administration interface :ref:`operations documentation // Administration interface :ref:`operations documentation

@ -99,7 +99,7 @@ message DownstreamTlsContext {
} }
// TLS context shared by both client and server TLS contexts. // TLS context shared by both client and server TLS contexts.
// [#next-free-field: 11] // [#next-free-field: 13]
message CommonTlsContext { message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
@ -123,6 +123,26 @@ message CommonTlsContext {
} }
} }
// Similar to CertificateProvider above, but allows the provider instances to be configured on
// the client side instead of being sent from the control plane.
message CertificateProviderInstance {
// Provider instance name. This name must be defined in the client's configuration (e.g., a
// bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config
// field that would be sent in the CertificateProvider message if the config was sent by the
// control plane). If not present, defaults to "default".
//
// Instance names should generally be defined not in terms of the underlying provider
// implementation (e.g., "file_watcher") but rather in terms of the function of the
// certificates (e.g., "foo_deployment_identity").
string instance_name = 1;
// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
// a root-certificate (validation context) or "example.com" to specify a certificate for a
// particular domain. Not all provider instances will actually use this field, so the value
// defaults to the empty string.
string certificate_name = 2;
}
message CombinedCertificateValidationContext { message CombinedCertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext"; "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext";
@ -133,17 +153,26 @@ message CommonTlsContext {
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be // Config for fetching validation context via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake. // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
// Only to be used when validation_context_certificate_provider is not used. // Only one of validation_context_sds_secret_config, validation_context_certificate_provider,
// or validation_context_certificate_provider_instance may be used.
SdsSecretConfig validation_context_sds_secret_config = 2 [ SdsSecretConfig validation_context_sds_secret_config = 2 [
(validate.rules).message = {required: true}, (validate.rules).message = {required: true},
(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context" (udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"
]; ];
// Certificate provider for fetching validation context - only to be used when // Certificate provider for fetching validation context.
// validation_context_sds_secret_config is not used. // Only one of validation_context_sds_secret_config, validation_context_certificate_provider,
// or validation_context_certificate_provider_instance may be used.
// [#not-implemented-hide:] // [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 3 CertificateProvider validation_context_certificate_provider = 3
[(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"]; [(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"];
// Certificate provider instance for fetching validation context.
// Only one of validation_context_sds_secret_config, validation_context_certificate_provider,
// or validation_context_certificate_provider_instance may be used.
// [#not-implemented-hide:]
CertificateProviderInstance validation_context_certificate_provider_instance = 4
[(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"];
} }
reserved 5; reserved 5;
@ -168,6 +197,10 @@ message CommonTlsContext {
// [#not-implemented-hide:] // [#not-implemented-hide:]
CertificateProvider tls_certificate_certificate_provider = 9; CertificateProvider tls_certificate_certificate_provider = 9;
// Certificate provider instance for fetching TLS certificates.
// [#not-implemented-hide:]
CertificateProviderInstance tls_certificate_certificate_provider_instance = 11;
oneof validation_context_type { oneof validation_context_type {
// How to validate peer certificates. // How to validate peer certificates.
CertificateValidationContext validation_context = 3; CertificateValidationContext validation_context = 3;
@ -188,6 +221,10 @@ message CommonTlsContext {
// Certificate provider for fetching validation context. // Certificate provider for fetching validation context.
// [#not-implemented-hide:] // [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 10; CertificateProvider validation_context_certificate_provider = 10;
// Certificate provider instance for fetching validation context.
// [#not-implemented-hide:]
CertificateProviderInstance validation_context_certificate_provider_instance = 12;
} }
// Supplies the list of ALPN protocols that the listener should expose. In // Supplies the list of ALPN protocols that the listener should expose. In
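Review bot: In `CombinedCertificateValidationContext`, `validation_context_sds_secret_config = 2` keeps `(validate.rules).message = {required: true}` while the rewritten comments say only one of the three sources may be used, so a config that selects `validation_context_certificate_provider_instance` alone would presumably fail validation. In v3 these are still plain fields tagged with `oneof_promotion`, so nothing visible here rejects a message that sets two of them, and which trust source wins is not documented. I would drop the `required` rule from field 2 and state the behaviour in the comment, e.g. `// It is an error to set more than one of these fields.` The v4alpha section has the same `required: true` inside the real `oneof dynamic_validation_context`. The comment on the top-level `tls_certificate_certificate_provider_instance = 11` likewise does not say how it interacts with `tls_certificate_certificate_provider = 9`.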

@ -98,7 +98,7 @@ message DownstreamTlsContext {
} }
// TLS context shared by both client and server TLS contexts. // TLS context shared by both client and server TLS contexts.
// [#next-free-field: 11] // [#next-free-field: 13]
message CommonTlsContext { message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext"; "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext";
@ -126,6 +126,29 @@ message CommonTlsContext {
} }
} }
// Similar to CertificateProvider above, but allows the provider instances to be configured on
// the client side instead of being sent from the control plane.
message CertificateProviderInstance {
option (udpa.annotations.versioning).previous_message_type =
"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance";
// Provider instance name. This name must be defined in the client's configuration (e.g., a
// bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config
// field that would be sent in the CertificateProvider message if the config was sent by the
// control plane). If not present, defaults to "default".
//
// Instance names should generally be defined not in terms of the underlying provider
// implementation (e.g., "file_watcher") but rather in terms of the function of the
// certificates (e.g., "foo_deployment_identity").
string instance_name = 1;
// Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
// a root-certificate (validation context) or "example.com" to specify a certificate for a
// particular domain. Not all provider instances will actually use this field, so the value
// defaults to the empty string.
string certificate_name = 2;
}
message CombinedCertificateValidationContext { message CombinedCertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.extensions.transport_sockets.tls.v3.CommonTlsContext." "envoy.extensions.transport_sockets.tls.v3.CommonTlsContext."
@ -138,14 +161,22 @@ message CommonTlsContext {
oneof dynamic_validation_context { oneof dynamic_validation_context {
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be // Config for fetching validation context via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake. // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
// Only to be used when validation_context_certificate_provider is not used. // Only one of validation_context_sds_secret_config, validation_context_certificate_provider,
// or validation_context_certificate_provider_instance may be used.
SdsSecretConfig validation_context_sds_secret_config = 2 SdsSecretConfig validation_context_sds_secret_config = 2
[(validate.rules).message = {required: true}]; [(validate.rules).message = {required: true}];
// Certificate provider for fetching validation context - only to be used when // Certificate provider for fetching validation context.
// validation_context_sds_secret_config is not used. // Only one of validation_context_sds_secret_config, validation_context_certificate_provider,
// or validation_context_certificate_provider_instance may be used.
// [#not-implemented-hide:] // [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 3; CertificateProvider validation_context_certificate_provider = 3;
// Certificate provider instance for fetching validation context.
// Only one of validation_context_sds_secret_config, validation_context_certificate_provider,
// or validation_context_certificate_provider_instance may be used.
// [#not-implemented-hide:]
CertificateProviderInstance validation_context_certificate_provider_instance = 4;
} }
} }
@ -171,6 +202,10 @@ message CommonTlsContext {
// [#not-implemented-hide:] // [#not-implemented-hide:]
CertificateProvider tls_certificate_certificate_provider = 9; CertificateProvider tls_certificate_certificate_provider = 9;
// Certificate provider instance for fetching TLS certificates.
// [#not-implemented-hide:]
CertificateProviderInstance tls_certificate_certificate_provider_instance = 11;
oneof validation_context_type { oneof validation_context_type {
// How to validate peer certificates. // How to validate peer certificates.
CertificateValidationContext validation_context = 3; CertificateValidationContext validation_context = 3;
@ -191,6 +226,10 @@ message CommonTlsContext {
// Certificate provider for fetching validation context. // Certificate provider for fetching validation context.
// [#not-implemented-hide:] // [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 10; CertificateProvider validation_context_certificate_provider = 10;
// Certificate provider instance for fetching validation context.
// [#not-implemented-hide:]
CertificateProviderInstance validation_context_certificate_provider_instance = 12;
} }
// Supplies the list of ALPN protocols that the listener should expose. In // Supplies the list of ALPN protocols that the listener should expose. In
