spiffe: add support for spiffe bundle format (#36190)
Commit Message: Adds an alternative to the "trust_domains" config for the
spiffe validator: "trust_bundle_map".

Additional Description:

[#35567](envoyproxy/envoy#35567)
trust_bundle_map points to a local file containing a [SPIFFE bundle
map](https://docs.google.com/document/d/13KHycYIfRC-g42aEfo4_4inF_WauCXOBgZAcUGuxdgs/edit#heading=h.o2sg9lu1e74v).
A file watcher is set up to trigger refreshes to the SPIFFE data when
this file is modified. SPIFFE refresh hint and sequence number are
currently ignored.

Risk Level: medium
Testing: WIP
Docs Changes: TBD
Release Notes: TBD

---------

Signed-off-by: Brian Sonnenberg <[email protected]>
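To make the description above concrete, here is an added example of what a consumer of such a file has to do: parse the bundle map, keep only the X.509 authorities, and cope with a refresh that delivers a half-written or malformed file. This is stand-alone example code, not Envoy's implementation and not taken from the commit. The layout it assumes for the map (a `trust_domains` object keyed by trust domain name, each value a JWKS-style bundle whose X.509 authorities are keys with `use: x509-svid` and an `x5c` list of base64 DER certificates, plus optional `spiffe_sequence` and `spiffe_refresh_hint`) is my reading of the linked draft, and the sample document and its placeholder DER blob are constructed for the example.

```python
"""Added example: a minimal SPIFFE trust bundle map loader.

Not Envoy's code. Assumed file layout (from the linked draft, as read here):
  {"trust_domains": {"<trust domain>": <bundle>, ...}}
where <bundle> is a JWKS-style object with "keys" and the optional
"spiffe_sequence" / "spiffe_refresh_hint" fields.
"""
import base64
import json
import re
from typing import Optional

# Trust domain names: lowercase, no scheme, port or path (assumed rule).
_TD_RE = re.compile(r"^[a-z0-9._-]+$")


class BundleMapError(ValueError):
    """Raised for a structurally invalid bundle map."""


def _decode_der(b64: str) -> bytes:
    raw = base64.b64decode(b64, validate=True)
    if not raw or raw[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
        raise BundleMapError("x5c entry is not DER-encoded")
    return raw


def parse_bundle_map(text: str) -> dict:
    """Return {trust_domain: {"x509": [der, ...], "sequence": ..., "refresh_hint": ...}}.

    Keys with any other "use" (e.g. jwt-svid) are skipped. A trust domain
    without at least one x509-svid authority is rejected, so a bad file can
    never leave a domain with an empty CA set.
    """
    doc = json.loads(text)
    tds = doc.get("trust_domains")
    if not isinstance(tds, dict) or not tds:
        raise BundleMapError('missing or empty "trust_domains" object')
    out = {}
    for name, bundle in tds.items():
        if not _TD_RE.match(name):
            raise BundleMapError(f"invalid trust domain name {name!r}")
        authorities = []
        for key in bundle.get("keys", []):
            if key.get("use") != "x509-svid":
                continue
            x5c = key.get("x5c")
            if not isinstance(x5c, list) or not x5c:
                raise BundleMapError(f"{name}: x509-svid key without x5c")
            authorities.extend(_decode_der(c) for c in x5c)
        if not authorities:
            raise BundleMapError(f"{name}: no x509-svid authorities")
        out[name] = {
            "x509": authorities,
            # Carried in the format; the commit says the validator ignores both.
            "sequence": bundle.get("spiffe_sequence"),
            "refresh_hint": bundle.get("spiffe_refresh_hint"),
        }
    return out


def refresh(previous: Optional[dict], text: str) -> dict:
    """Handle a file-change event. A watcher only knows the file changed,
    not that the write is complete, so a malformed file keeps the last good
    map instead of wiping trust; with no previous map the error propagates."""
    try:
        return parse_bundle_map(text)
    except ValueError:  # BundleMapError, JSONDecodeError and base64 errors
        if previous is None:
            raise
        return previous


def rejects(text: str) -> bool:
    """True if parse_bundle_map refuses the document."""
    try:
        parse_bundle_map(text)
        return False
    except ValueError:
        return True


# Constructed sample; the x5c value is a placeholder DER SEQUENCE, not a real cert.
_PLACEHOLDER_DER = base64.b64encode(bytes.fromhex("3003020101")).decode()
SAMPLE_BUNDLE_MAP = json.dumps({
    "trust_domains": {
        "example.org": {
            "spiffe_sequence": 7,
            "spiffe_refresh_hint": 300,
            "keys": [
                {"use": "x509-svid", "kty": "RSA", "x5c": [_PLACEHOLDER_DER]},
                {"use": "jwt-svid", "kty": "EC", "kid": "k1", "crv": "P-256"},
            ],
        },
        "partner.example": {
            "keys": [{"use": "x509-svid", "kty": "RSA",
                      "x5c": [_PLACEHOLDER_DER, _PLACEHOLDER_DER]}],
        },
    }
})

if __name__ == "__main__":
    for td, info in parse_bundle_map(SAMPLE_BUNDLE_MAP).items():
        print(td, len(info["x509"]), "authorities; sequence", info["sequence"])
```

The keep-last-good behaviour in `refresh` is the part worth copying: a file watcher fires on every modification, including the truncated intermediate state of a non-atomic write, and treating that as "no trust anchors" would fail every incoming SVID until the next write.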

Mirrored from https://github.com/envoyproxy/envoy @ c60d428b3d0ed568a96d30f4c91f77843a308c19
update-envoy[bot] committed Jan 17, 2025
1 parent 416c83a commit 4fd7cbf
Showing 1 changed file with 7 additions and 0 deletions.
Expand Up @@ -57,4 +57,11 @@ message SPIFFECertValidatorConfig {

// This field specifies trust domains used for validating incoming X.509-SVID(s).
repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}];

// This field specifies all trust bundles as a single DataSource. If both
// trust_bundles and trust_domains are specified, trust_bundles will
// take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
// If DataSource is a file, dynamic file watching will be enabled,
// and updates to the specified file will trigger a refresh of the trust_bundles.
config.core.v3.DataSource trust_bundles = 2;
}
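Review bot: `trust_domains` directly above the new field still carries `[(validate.rules).repeated = {min_items: 1}]`, so a config that sets only `trust_bundles` fails proto validation even though the new comment says `trust_bundles` is an alternative that takes precedence; either drop `min_items: 1` here (or put the two fields in a `oneof`) and have the validator reject a config that sets both, because silently ignoring a populated `trust_domains` list is exactly how a stale set of trust anchors survives a migration unnoticed. The field comment should also state what the commit description says but the proto does not: that the refresh hint and sequence number in the bundle map are ignored, and what is expected when the DataSource is an `inline_string`/`inline_bytes` rather than a file (the comment only says watching is disabled). Finally, the commit message calls this field `trust_bundle_map` while the proto names it `trust_bundles`; the two should agree before the docs and release notes are written.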
