spiffe: add support for spiffe bundle format

[briansonnenberg]

Commit Message: Adds alternative to "trust_domains" config for the spiffe validator—"trust_bundle_map".

Additional Description:

#35567
trust_bundle_map points to a local file containing a SPIFFE bundle map. A file watcher is set up to trigger refreshes to the SPIFFE data when this file is modified. SPIFFE refresh hint and sequence number are currently ignored.

Risk Level: medium
Testing: WIP
Docs Changes: TBD
Release Notes: TBD

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #36190 was opened by briansonnenberg.

see: more, trace.

[jmarantz]

/wait

[wbpcode]

I think the min_items validation should be removed?

[briansonnenberg]

It still doesn't make sense to include trust_domains with no entries, so I think we should keep it. It only applies if trust_domains is specified in the config.

[wbpcode]

Considering the users who want to use the new trust_bundles, they still need to configure at least one item at the trust_domains, it's no doubt unexpected way.

Now, you need to do the validation in your code rather then the PGV. You need to check if the trust_bundles is set or not. If it's not set, then you should check the length of trust_domains to have at least one item. If the trust_bundles is set, then you can ignore the trust_domains.

[briansonnenberg]

They don't need to configure any trust_domains though? Unless I'm missing something in my testing, but I haven't had to configure any. It only applies if someone were to configure an empty list of trust_domains explicitly along with their trust_bundles.

[wbpcode]

I create a unit test in my local env with similar scenario. They throw same error:

TEST_F(RateLimitConfigTest, Test) {
  const std::string yaml = R"EOF(
  rate_limits: []
  )EOF";
  test::extensions::filters::common::ratelimit_config::TestRateLimitConfig proto_config;
  TestUtility::loadFromYamlAndValidate(yaml, proto_config);
}

TEST_F(RateLimitConfigTest, Test2) {
  const std::string yaml = R"EOF(
  {}
  )EOF";
  test::extensions::filters::common::ratelimit_config::TestRateLimitConfig proto_config;
  TestUtility::loadFromYamlAndValidate(yaml, proto_config);
}

C++ exception with description "Proto constraint validation failed (TestRateLimitConfigValidationError.RateLimits: value must contain at least 1 item(s)): " thrown in the test body.

[wbpcode]

I believe you may need to remove the PGV validation and add conditional check in your code.

And you also need to add some tests to ensure your new field is work as expected.

[briansonnenberg]

I will remove the check, but this is the config I have been using and it's working:

              validation_context:
                allow_expired_certificate: true
                custom_validator_config:
                  name: envoy.tls.cert_validator.spiffe
                  typed_config:
                    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
                    trust_bundle_map:
                      filename: "<snip>/jwks_map.json"

[wbpcode]

then, it's a little weird. 🤔

[wbpcode]

Thanks for the contribution. some new comments to the API to start the review. And please address the comment from @markdroth .

[markdroth]

/lgtm api

[kyessenov]

Please merge main.
/wait

[alyssawilk]

/wait on CI