From 09df67d75d86d3d959ec2c6fd1972cfd41c7ca97 Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Tue, 23 Mar 2021 15:06:30 +0900
Subject: [PATCH 1/2] docs: add comments about inherited options on SPIFFE validator

Signed-off-by: Takeshi Yoneda
---
 .../tls/v3/tls_spiffe_validator_config.proto | 5 +++++
 .../tls/v4alpha/tls_spiffe_validator_config.proto | 5 +++++
 .../tls/v3/tls_spiffe_validator_config.proto | 5 +++++
 .../tls/v4alpha/tls_spiffe_validator_config.proto | 5 +++++
 4 files changed, 20 insertions(+)

diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index c9d699f54afa7..fb47532d95827 100644
--- a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -38,6 +38,11 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
+//
+// Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `.
+// - :ref:`allow_expired_certificate ` to allow expired certificates.
+// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator,
+// SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
 message SPIFFECertValidatorConfig {
   message TrustDomain {
     // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
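Review bot: The new note lists which CertificateValidationContext options the SPIFFE validator honors but says nothing about the rest, so an operator who also sets `trusted_ca`, `crl`, `verify_certificate_spki` or `verify_certificate_hash` cannot tell from this text whether those checks still run; if this validator ignores them, state it explicitly with a line such as `// All other CertificateValidationContext options are ignored by this validator.`, and if some are honored, add them to the list. The `allow_expired_certificate` bullet also deserves a caveat: it disables the NotAfter check for SVIDs from every configured trust domain at once, and since SPIFFE deployments typically rely on short SVID lifetimes rather than CRLs for revocation, enabling it effectively removes revocation for all of them. The second bullet conflates the URI SAN with the SVID (in SPIFFE terms the URI SAN carries the SPIFFE ID and the SVID is the certificate itself), so `(which equals to SVID in SPIFFE terminology) and ignore other SAN types` reads better as `(which carries the SPIFFE ID) and ignores other SAN types`. The same text is added to the v4alpha file in the next hunk and should be corrected there too.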
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
index 90b85d34e6e79..c9c9a008379f4 100644
--- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
@@ -39,6 +39,11 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
+//
+// Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `.
+// - :ref:`allow_expired_certificate ` to allow expired certificates.
+// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator,
+// SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
 message SPIFFECertValidatorConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index c9d699f54afa7..fb47532d95827 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -38,6 +38,11 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
+//
+// Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `.
+// - :ref:`allow_expired_certificate ` to allow expired certificates.
+// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator,
+// SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
 message SPIFFECertValidatorConfig {
   message TrustDomain {
     // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
index 90b85d34e6e79..c9c9a008379f4 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
@@ -39,6 +39,11 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 // a SVID belonging to another trust domain. That means, in this example, a SVID signed by `envoy.com`'s CA with `spiffe//foo.com/**`
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
+//
+// Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `.
+// - :ref:`allow_expired_certificate ` to allow expired certificates.
+// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator,
+// SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
 message SPIFFECertValidatorConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";

From 6bfc7b9a72e46d7f847239b0ce803fd4924c1e7e Mon Sep 17 00:00:00 2001
From: Takeshi Yoneda
Date: Tue, 23 Mar 2021 16:55:58 +0900
Subject: [PATCH 2/2] fix format

Signed-off-by: Takeshi Yoneda
---
 .../tls/v3/tls_spiffe_validator_config.proto | 7 ++++---
 .../tls/v4alpha/tls_spiffe_validator_config.proto | 7 ++++---
 .../tls/v3/tls_spiffe_validator_config.proto | 7 ++++---
 .../tls/v4alpha/tls_spiffe_validator_config.proto | 7 ++++---
 4 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index fb47532d95827..3ee921e3f5dcd 100644
--- a/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -40,9 +40,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 //
 // Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `.
-// - :ref:`allow_expired_certificate ` to allow expired certificates.
-// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator,
-// SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
+//
+// - :ref:`allow_expired_certificate ` to allow expired certificates.
+// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
+//
 message SPIFFECertValidatorConfig {
   message TrustDomain {
     // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
index c9c9a008379f4..276b8ad6875be 100644
--- a/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/api/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
@@ -41,9 +41,10 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 //
 // Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `.
-// - :ref:`allow_expired_certificate ` to allow expired certificates.
-// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator,
-// SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
+//
+// - :ref:`allow_expired_certificate ` to allow expired certificates.
+// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
+//
 message SPIFFECertValidatorConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
index fb47532d95827..3ee921e3f5dcd 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto
@@ -40,9 +40,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 //
 // Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `.
-// - :ref:`allow_expired_certificate ` to allow expired certificates.
-// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator,
-// SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
+//
+// - :ref:`allow_expired_certificate ` to allow expired certificates.
+// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
+//
 message SPIFFECertValidatorConfig {
   message TrustDomain {
     // Name of the trust domain, `example.com`, `foo.bar.gov` for example.
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
index c9c9a008379f4..276b8ad6875be 100644
--- a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
+++ b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/tls_spiffe_validator_config.proto
@@ -41,9 +41,10 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
 //
 // Note that SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext `.
-// - :ref:`allow_expired_certificate ` to allow expired certificates.
-// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator,
-// SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
+//
+// - :ref:`allow_expired_certificate ` to allow expired certificates.
+// - :ref:`match_subject_alt_names ` to match **URI** SAN of certificates. Unlike the default validator, SPIFFE validator only matches **URI** SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
+//
 message SPIFFECertValidatorConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig";