Fetch certificate validation context using SDS service. (#4355)

Refactor SdsApi to support a dynamic certificate validation context, and allow Envoy to fetch the certificate validation context from a remote server via the SDS API.
Risk Level: Low
Testing: Unit tests and integration tests.
Fixes #1194

Signed-off-by: JimmyCYJ <jimmychen.0102@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ 15cfc5ad1a4d622126f642fa70699af753a2d310
data-plane-api(CircleCI) 6 years ago
parent 76a6a891fb
commit 2783fad783
  1. 6
      envoy/api/v2/auth/cert.proto

@ -232,14 +232,14 @@ message CommonTlsContext {
// relaxed in the future.
repeated TlsCertificate tls_certificates = 2 [(validate.rules).repeated .max_items = 1];
// [#not-implemented-hide:]
// Configs for fetching TLS certificates via SDS API.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
oneof validation_context_type {
// How to validate peer certificates.
CertificateValidationContext validation_context = 3;
// [#not-implemented-hide:]
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 7;
}
@ -302,7 +302,6 @@ message DownstreamTlsContext {
}
// [#proto-status: experimental]
// [#not-implemented-hide:]
message SdsSecretConfig {
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
// When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
@ -312,7 +311,6 @@ message SdsSecretConfig {
}
// [#proto-status: experimental]
// [#not-implemented-hide:]
message Secret {
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
string name = 1;
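Review bot: The comment on `validation_context_sds_secret_config` does not say what a connection does while the SDS fetch is pending or after it fails, and for a field that sources the trust anchors that is the security-relevant contract: peer validation must not be silently skipped, and handshakes should fail closed until the CertificateValidationContext has actually arrived. I would extend the field comment to `// Config for fetching validation context via SDS API. Until the secret has been received, connections using this context cannot validate peers and should be rejected rather than left unvalidated.`, keeping the "should" unless the Envoy-side implementation (not visible in this proto change) guarantees it. It is also worth stating on `SdsSecretConfig.name` that the name, even in SPKI or SHA256 form, is only the lookup key sent to the SDS server and is not checked against the returned secret, so the trust placed in a fetched validation context is exactly the trust placed in the SDS channel itself. CommonTlsContext begins before the first hunk, and the Secret message at the end of the section continues past the last visible line.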
