spiffe: add support for spiffe bundle format (#36190)

Commit Message: Adds alternative to "trust_domains" config for the
spiffe validator—"trust_bundle_map".

Additional Description:

[#35567](https://github.com/envoyproxy/envoy/issues/35567)
trust_bundle_map points to a local file containing a [SPIFFE bundle
map](https://docs.google.com/document/d/13KHycYIfRC-g42aEfo4_4inF_WauCXOBgZAcUGuxdgs/edit#heading=h.o2sg9lu1e74v).
A file watcher is set up to trigger refreshes to the SPIFFE data when
this file is modified. SPIFFE refresh hint and sequence number are
currently ignored.

Risk Level: medium
Testing: WIP
Docs Changes: TBD
Release Notes: TBD

---------

Signed-off-by: Brian Sonnenberg <bsonnenberg@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ c60d428b3d0ed568a96d30f4c91f77843a308c19
main
update-envoy[bot] 3 months ago
parent 416c83a117
commit 4fd7cbf329
1 file changed, 7 additions: envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto

@ -57,4 +57,11 @@ message SPIFFECertValidatorConfig {
// This field specifies trust domains used for validating incoming X.509-SVID(s).
repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];
// This field specifies all trust bundles as a single DataSource. If both
// trust_bundles and trust_domains are specified, trust_bundles will
// take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
// If DataSource is a file, dynamic file watching will be enabled,
// and updates to the specified file will trigger a refresh of the trust_bundles.
config.core.v3.DataSource trust_bundles = 2;
}
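Review bot: `trust_domains` keeps `[(validate.rules).repeated = {min_items: 1}]`, so a config that supplies only the new `trust_bundles` DataSource is still rejected at validation time, which contradicts the commit message's description of it as an "alternative" to `trust_domains`; either relax the rule (e.g. drop `min_items: 1` and enforce "at least one of the two is set" in the validator constructor) or wrap both fields in a `oneof`. Two smaller points on the same hunk: the field is named `trust_bundles` here but `trust_bundle_map` in the commit message, so one of them should be aligned, and the comment should state what happens for a non-file DataSource (inline string/bytes or environment variable), since it only says that file sources get watching, and should document that the bundle's refresh hint and sequence number are currently ignored, as the commit message notes.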
