From 2783fad78371d15b9c3d353d84f78fc85bf07885 Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Mon, 17 Sep 2018 23:20:46 +0000
Subject: [PATCH] Fetch certificate validation context using SDS service. (#4355)

Refactor SdsApi to support dynamic certificate validation context, and support Envoy to fetch certificate validation context from remote server via SDS API.

Risk Level: Low
Testing: Unit tests and integration tests.
Fixes #1194

Signed-off-by: JimmyCYJ

Mirrored from https://github.com/envoyproxy/envoy @ 15cfc5ad1a4d622126f642fa70699af753a2d310
---
 envoy/api/v2/auth/cert.proto | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/envoy/api/v2/auth/cert.proto b/envoy/api/v2/auth/cert.proto
index 880453e7..dca4c698 100644
--- a/envoy/api/v2/auth/cert.proto
+++ b/envoy/api/v2/auth/cert.proto
@@ -232,14 +232,14 @@ message CommonTlsContext {
 // relaxed in the future.
 repeated TlsCertificate tls_certificates = 2 [(validate.rules).repeated .max_items = 1];
- // [#not-implemented-hide:]
+ // Configs for fetching TLS certificates via SDS API.
 repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
 oneof validation_context_type {
 // How to validate peer certificates.
 CertificateValidationContext validation_context = 3;
- // [#not-implemented-hide:]
+ // Config for fetching validation context via SDS API.
 SdsSecretConfig validation_context_sds_secret_config = 7;
 }
@@ -302,7 +302,6 @@ message DownstreamTlsContext {
 }
 // [#proto-status: experimental]
-// [#not-implemented-hide:]
 message SdsSecretConfig {
 // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
 // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
@@ -312,7 +311,6 @@ message SdsSecretConfig {
 }
 // [#proto-status: experimental]
-// [#not-implemented-hide:]
 message Secret {
 // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
 string name = 1;
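Review bot: The new comment on `validation_context_sds_secret_config` (and the one on `tls_certificate_sds_secret_configs` earlier in the first hunk) names where the secret comes from but not what happens before it arrives or when the SDS fetch fails, which is the property an operator relying on peer-certificate validation most needs to know: whether connections are refused until the validation context is delivered (fail-closed) or whether the listener/cluster simply stays inactive. The hunk does not show that behavior, so I cannot state it; the field comment should, for example `// Config for fetching the validation context via the SDS API. Until the secret has been received, <document here whether connections are rejected or the listener/cluster is not yet active>.` with the placeholder resolved from the implementation. It would also help to say whether `tls_certificates` and `tls_certificate_sds_secret_configs` may be set together, since the `max_items = 1` constraint on the static field is visible but their interaction is not. The referenced `SdsSecretConfig` message stays `[#proto-status: experimental]` in the later hunks even though these fields are now documented as usable, so a one-line pointer to that status on the field would avoid surprising readers. CommonTlsContext begins and ends outside the hunk.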