.. _envoy_v3_api_file_envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto: SPIFFE Certificate Validator (proto) ==================================== .. _extension_envoy.tls.cert_validator.spiffe: This extension has the qualified name ``envoy.tls.cert_validator.spiffe`` .. note:: This extension is functional but has not had substantial production burn time, use only with this caveat. This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted. .. tip:: This extension extends and can be used with the following extension category: - :ref:`envoy.tls.cert_validator ` .. _envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig: extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig ------------------------------------------------------------- :repo:`[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig proto] ` Configuration specific to the `SPIFFE `_ certificate validator. Example: .. validated-code-block:: yaml :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext custom_validator_config: name: envoy.tls.cert_validator.spiffe typed_config: "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig trust_domains: - name: foo.com trust_bundle: filename: "foo.pem" - name: envoy.com trust_bundle: filename: "envoy.pem" In this example, a presented peer certificate whose SAN matches ``spiffe://foo.com/**`` is validated against the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint a SVID belonging to another trust domain. That means, in this example, a SVID signed by ``envoy.com``'s CA with ``spiffe://foo.com/**`` SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate. Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `. - :ref:`allow_expired_certificate ` to allow expired certificates. - :ref:`match_typed_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types. To support multi-tenant use cases, a filter state object ``envoy.tls.cert_validator.spiffe.workload_trust_domain`` should be used to define the per-connection workload trust domain. When matching a peer trust domain, both the workload and the peer trust domains are used in selecting the validation certificate. The filter state object should be shared with the upstream to be used in the upstream TLS context SPIFFE validation context. .. code-block:: json :force: { "trust_domains": [], "trust_bundles": {...} } .. _envoy_v3_api_field_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.trust_domains: trust_domains (**repeated** :ref:`extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain `, *REQUIRED*) This field specifies trust domains used for validating incoming X.509-SVID(s). .. _envoy_v3_api_field_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.trust_bundles: trust_bundles (:ref:`config.core.v3.DataSource `) This field specifies all trust bundles as a single DataSource. If both trust_bundles and trust_domains are specified, trust_bundles will take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map. If DataSource is a file, dynamic file watching will be enabled, and updates to the specified file will trigger a refresh of the trust_bundles. .. _envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain: extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain ------------------------------------------------------------------------- :repo:`[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain proto] ` .. code-block:: json :force: { "name": ..., "trust_bundle": {...}, "workload_trust_domain": ... } .. _envoy_v3_api_field_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain.name: name (`string `_, *REQUIRED*) Name of the trust domain, ``example.com``, ``foo.bar.gov`` for example. Note that this must *not* have "spiffe://" prefix. .. _envoy_v3_api_field_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain.trust_bundle: trust_bundle (:ref:`config.core.v3.DataSource `) Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain. .. _envoy_v3_api_field_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain.workload_trust_domain: workload_trust_domain (`string `_) Optional workload trust domain selection condition. The filter object ``envoy.tls.cert_validator.spiffe.workload_trust_domain`` must match exactly the value of this field. If not specified, the filter state object must be absent or be empty to match this trust domain.