From e53e7bbd012f81965f2e79848ad9a58ceb67201f Mon Sep 17 00:00:00 2001
From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com>
Date: Sat, 3 Jun 2023 12:25:39 +0000
Subject: [PATCH] sds: Add support to hot-reload CRL files (#27751)

* sds: Add support to hot-reload CRL files

Signed-off-by: Tero Saarni

Mirrored from https://github.com/envoyproxy/envoy @ 08b7a8922702b49c0f2191ee58a48a4850206a35
---
 envoy/extensions/transport_sockets/tls/v3/common.proto | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/envoy/extensions/transport_sockets/tls/v3/common.proto b/envoy/extensions/transport_sockets/tls/v3/common.proto
index 4780858e..66c8c797 100644
--- a/envoy/extensions/transport_sockets/tls/v3/common.proto
+++ b/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -505,6 +505,11 @@ message CertificateValidationContext {
   // from that chain. This default behavior can be altered by setting
   // :ref:`only_verify_leaf_cert_crl ` to
   // true.
+  //
+  // If ``crl`` is a filesystem path, a watch will be added to the parent
+  // directory for any file moves to support rotation. This currently only
+  // applies to dynamic secrets, when the ``CertificateValidationContext`` is
+  // delivered via SDS.
   config.core.v3.DataSource crl = 7;
 
   // If specified, Envoy will not reject expired certificates.
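Review bot: The new comment on `crl` does not tell an operator what to expect when the file is overwritten in place rather than moved into the directory, or when the context is configured statically; since only "file moves" on the parent directory are watched, an in-place write or a static context presumably keeps using the CRL loaded at startup, which matters because a stale CRL means revoked certificates are still accepted. I would spell that out next to the new text, e.g. `// In-place writes to the file are not detected; rotate by writing a new file and` / `// moving it over the old one. Statically configured contexts load the CRL once.` — assuming that matches the implementation, which is not visible here. It would also help to state whether a rotated file that fails to load leaves the previous CRL in effect or causes validation to fail, since silently dropping revocation checks on a bad rotation would be a security regression. The enclosing `CertificateValidationContext` message starts and ends outside the hunk.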