new extension for TLS cert selection (#32465)

fix https://github.com/envoyproxy/envoy/issues/30600 Commit Message: Add an extension point to allow overriding TLS certificate selection behavior. An extension can select certificate base on the incoming SNI, in both sync and async mode. Signed-off-by: doujiang24 <doujiang24@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ b1e3351d7f3147afab9d29596d324d93e2198ba3
4 months ago · 55bf57645f
parent be2bfc93f2
commit 55bf57645f
1 changed files with 8 additions and 1 deletions
--- a/envoy/extensions/transport_sockets/tls/v3/tls.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/tls.proto
@ -163,7 +163,7 @@ message TlsKeyLog {
 }

 // TLS context shared by both client and server TLS contexts.
-// [#next-free-field: 16]
+// [#next-free-field: 17]
 message CommonTlsContext {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";

@ -274,6 +274,13 @@ message CommonTlsContext {
  // [#not-implemented-hide:]
  CertificateProviderPluginInstance tls_certificate_provider_instance = 14;

+  // Custom TLS certificate selector.
+  //
+  // Select TLS certificate based on TLS client hello.
+  // If empty, defaults to native TLS certificate selection behavior:
+  // DNS SANs or Subject Common Name in TLS certificates is extracted as server name pattern to match SNI.
+  config.core.v3.TypedExtensionConfig custom_tls_certificate_selector = 16;
+
  // Certificate provider for fetching TLS certificates.
  // [#not-implemented-hide:]
  CertificateProvider tls_certificate_certificate_provider = 9