tls: implement SPIFFE Certificate Validator for independent multiple trust domain support (#14884)

Adds the extension point for certificate validations, and its first implementation for SPIFFE multi trust domain support in a single listener or cluster. Resolves https://github.com/envoyproxy/envoy/issues/14614 and https://github.com/envoyproxy/envoy/issues/9284. Risk Level: low (only adding the new extension point and one implementation for it) Testing: unit tests and integration tests. Docs Changes: Release Notes: tls: implement SPIFFE Certificate Validator for independent multiple trust domain support. Signed-off-by: Takeshi Yoneda <takeshi@tetrate.io> Mirrored from https://github.com/envoyproxy/envoy @ 50e81276fd8f109ba3a6134e790f65c1cc5bdec9
4 years ago · 4e664ccffb
parent d962072e44
commit 4e664ccffb
4 changed files with 142 additions and 2 deletions
--- a/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/common.proto
@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/extension.proto";
 import "envoy/type/matcher/v3/string.proto";
 import "google/protobuf/any.proto";
@ -211,7 +212,7 @@ message TlsSessionTicketKeys {
      [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message CertificateValidationContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.api.v2.auth.CertificateValidationContext";
@ -371,4 +372,16 @@ message CertificateValidationContext {
  // Certificate trust chain verification mode.
  TrustChainVerification trust_chain_verification = 10
      [(validate.rules).enum = {defined_only: true}];
  // The configuration of an extension specific certificate validator.
  // If specified, all validation is done by the specified validator,
  // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
  // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
  // The following names are available here:
  //
  // .. _extension_envoy.tls.cert_validator.spiffe:
  //
  // **envoy.tls.cert_validator.spiffe**: `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
  // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for more information.
  config.core.v3.TypedExtensionConfig custom_validator_config = 12;
 }
--- a/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@ -0,0 +1,54 @@
 syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v3;
 import "envoy/config/core/v3/base.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
 option java_outer_classname = "TlsSpiffeValidatorConfigProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: SPIFFE Certificate Validator]
 // Configuration specific to the SPIFFE certificate validator provided at
 // :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config>`.
 //
 // Example:
 //
 // .. code-block:: yaml
 //
 //  custom_validator_config:
 //    name: envoy.tls.cert_validator.spiffe
 //    typed_config:
 //      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
 //      trust_domains:
 //      - name: foo.com
 //        trust_bundle:
 //          filename: "foo.pem"
 //      - name: envoy.com
 //        trust_bundle:
 //          filename: "envoy.pem"
 //
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 message SPIFFECertValidatorConfig {
  message TrustDomain {
    // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
    // Note that this must *not* have "spiffe://" prefix.
    string name = 1 [(validate.rules).string = {min_len: 1}];
    // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
    config.core.v3.DataSource trust_bundle = 2;
  }
  // This field specifies trust domains used for validating incoming X.509-SVID(s).
  repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
 }
--- a/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
+++ b/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v4alpha;
 import "envoy/config/core/v4alpha/base.proto";
 import "envoy/config/core/v4alpha/extension.proto";
 import "envoy/type/matcher/v4alpha/string.proto";
 import "google/protobuf/any.proto";
@ -213,7 +214,7 @@ message TlsSessionTicketKeys {
      [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
 }
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message CertificateValidationContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext";
@ -373,4 +374,16 @@ message CertificateValidationContext {
  // Certificate trust chain verification mode.
  TrustChainVerification trust_chain_verification = 10
      [(validate.rules).enum = {defined_only: true}];
  // The configuration of an extension specific certificate validator.
  // If specified, all validation is done by the specified validator,
  // and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).
  // Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.
  // The following names are available here:
  //
  // .. _extension_envoy.tls.cert_validator.spiffe:
  //
  // **envoy.tls.cert_validator.spiffe**: `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
  // Please refer to :ref:`envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig>` for more information.
  config.core.v4alpha.TypedExtensionConfig custom_validator_config = 12;
 }
--- a/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
@ -0,0 +1,60 @@
 syntax = "proto3";
 package envoy.extensions.transport_sockets.tls.v4alpha;
 import "envoy/config/core/v4alpha/base.proto";
 import "udpa/annotations/sensitive.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
 option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v4alpha";
 option java_outer_classname = "TlsSpiffeValidatorConfigProto";
 option java_multiple_files = true;
 option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
 // [#protodoc-title: SPIFFE Certificate Validator]
 // Configuration specific to the SPIFFE certificate validator provided at
 // :ref:`envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext.custom_validator_config<envoy_api_field_extensions.transport_sockets.tls.v4alpha.CertificateValidationContext.custom_validator_config>`.
 //
 // Example:
 //
 // .. code-block:: yaml
 //
 //  custom_validator_config:
 //    name: envoy.tls.cert_validator.spiffe
 //    typed_config:
 //      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
 //      trust_domains:
 //      - name: foo.com
 //        trust_bundle:
 //          filename: "foo.pem"
 //      - name: envoy.com
 //        trust_bundle:
 //          filename: "envoy.pem"
 //
 // In this example, a presented peer certificate whose SAN matches `spiffe//foo.com/**` is validated against
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 message SPIFFECertValidatorConfig {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";
  message TrustDomain {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain";
    // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
    // Note that this must *not* have "spiffe://" prefix.
    string name = 1 [(validate.rules).string = {min_len: 1}];
    // Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.
    config.core.v4alpha.DataSource trust_bundle = 2;
  }
  // This field specifies trust domains used for validating incoming X.509-SVID(s).
  repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
 }