-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
spiffe: add support for spiffe bundle format #36190
base: main
Are you sure you want to change the base?
Conversation
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
Outdated
Show resolved
Hide resolved
api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
Outdated
Show resolved
Hide resolved
/wait |
api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
Outdated
Show resolved
Hide resolved
@@ -57,4 +82,9 @@ message SPIFFECertValidatorConfig { | |||
|
|||
// This field specifies trust domains used for validating incoming X.509-SVID(s). | |||
repeated TrustDomain trust_domains = 1 [(validate.rules).repeated = {min_items: 1}]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the min_items
validation should be removed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It still doesn't make sense to include trust_domains with no entries, so I think we should keep it. It only applies if trust_domains is specified in the config.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Considering the users who want to use the new trust_bundles
, they still need to configure at least one item at the trust_domains
, it's no doubt unexpected way.
Now, you need to do the validation in your code rather then the PGV. You need to check if the trust_bundles is set or not. If it's not set, then you should check the length of trust_domains to have at least one item. If the trust_bundles is set, then you can ignore the trust_domains.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They don't need to configure any trust_domains though? Unless I'm missing something in my testing, but I haven't had to configure any. It only applies if someone were to configure an empty list of trust_domains explicitly along with their trust_bundles.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I create a unit test in my local env with similar scenario. They throw same error:
TEST_F(RateLimitConfigTest, Test) {
const std::string yaml = R"EOF(
rate_limits: []
)EOF";
test::extensions::filters::common::ratelimit_config::TestRateLimitConfig proto_config;
TestUtility::loadFromYamlAndValidate(yaml, proto_config);
}
TEST_F(RateLimitConfigTest, Test2) {
const std::string yaml = R"EOF(
{}
)EOF";
test::extensions::filters::common::ratelimit_config::TestRateLimitConfig proto_config;
TestUtility::loadFromYamlAndValidate(yaml, proto_config);
}
C++ exception with description "Proto constraint validation failed (TestRateLimitConfigValidationError.RateLimits: value must contain at least 1 item(s)): " thrown in the test body.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe you may need to remove the PGV validation and add conditional check in your code.
And you also need to add some tests to ensure your new field is work as expected.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will remove the check, but this is the config I have been using and it's working:
validation_context:
allow_expired_certificate: true
custom_validator_config:
name: envoy.tls.cert_validator.spiffe
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
trust_bundle_map:
filename: "<snip>/jwks_map.json"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
then, it's a little weird. 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the contribution. some new comments to the API to start the review. And please address the comment from @markdroth .
api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
Outdated
Show resolved
Hide resolved
06a982e
to
b360f38
Compare
/lgtm api |
Please merge main. |
b360f38
to
28b5308
Compare
/wait on CI |
ff1fb7e
to
38f5dee
Compare
Commit Message: Adds alternative to "trust_domains" config for the spiffe validator—"trust_bundle_map".
Additional Description:
#35567
trust_bundle_map points to a local file containing a SPIFFE bundle map. A file watcher is set up to trigger refreshes to the SPIFFE data when this file is modified. SPIFFE refresh hint and sequence number are currently ignored.
Risk Level: medium
Testing: WIP
Docs Changes: TBD
Release Notes: TBD