sds: Add support to hot-reload CRL files (#27751)

* sds: Add support to hot-reload CRL files Signed-off-by: Tero Saarni <tero.saarni@est.tech> Mirrored from https://github.com/envoyproxy/envoy @ 08b7a8922702b49c0f2191ee58a48a4850206a35
2 years ago · e53e7bbd01
parent da10da821d
commit e53e7bbd01
1 changed files with 5 additions and 0 deletions
--- a/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/common.proto
@ -505,6 +505,11 @@ message CertificateValidationContext {
  // from that chain. This default behavior can be altered by setting
  // :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to
  // true.
+  //
+  // If ``crl`` is a filesystem path, a watch will be added to the parent
+  // directory for any file moves to support rotation. This currently only
+  // applies to dynamic secrets, when the ``CertificateValidationContext`` is
+  // delivered via SDS.
  config.core.v3.DataSource crl = 7;

  // If specified, Envoy will not reject expired certificates.