SPIFFE Certificate Validator

This extension has the qualified name envoy.tls.cert_validator.spiffe

Note

This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.

Tip

This extension extends and can be used with the following extension category:

envoy.tls.cert_validator

extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig

[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig proto]

Configuration specific to the SPIFFE certificate validator.

Example:

custom_validator_config:
  name: envoy.tls.cert_validator.spiffe
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
    trust_domains:
    - name: foo.com
      trust_bundle:
        filename: "foo.pem"
    - name: envoy.com
      trust_bundle:
        filename: "envoy.pem"

In this example, a presented peer certificate whose SAN matches spiffe://foo.com/** is validated against the X.509 trust bundle in “foo.pem”. The trust bundles are isolated from each other, so no trust domain can mint an SVID belonging to another trust domain. In this example, an SVID signed by envoy.com’s CA with a spiffe://foo.com/** SAN would therefore be rejected, because Envoy selects the trust bundle according to the presented SAN before validating the certificate.
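The selection rule described above, as an added example in Go using only the standard library. This is not Envoy's own code; it models the validator's behaviour: the trust domain is read from the leaf's SPIFFE URI SAN first, only that domain's bundle is used as the root set, and the chain is verified against it. The two CAs, the SPIFFE IDs and the leaf names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SPIFFEValidator models the trust_domains list: one root pool per trust
// domain name (without the spiffe:// prefix), never merged into one pool.
type SPIFFEValidator struct {
	bundles map[string]*x509.CertPool
}

func NewSPIFFEValidator(bundles map[string][]*x509.Certificate) *SPIFFEValidator {
	v := &SPIFFEValidator{bundles: make(map[string]*x509.CertPool)}
	for name, roots := range bundles {
		pool := x509.NewCertPool()
		for _, r := range roots {
			pool.AddCert(r)
		}
		v.bundles[name] = pool
	}
	return v
}

// trustDomainOf extracts the trust domain from the leaf's SPIFFE ID. An
// X.509-SVID carries exactly one URI SAN of the form spiffe://<trust-domain>/<path>.
func trustDomainOf(leaf *x509.Certificate) (string, error) {
	if len(leaf.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, found %d", len(leaf.URIs))
	}
	id := leaf.URIs[0]
	if id.Scheme != "spiffe" || id.Host == "" || id.User != nil || id.Port() != "" {
		return "", fmt.Errorf("not a valid SPIFFE ID: %s", id)
	}
	return id.Host, nil
}

// Validate picks the bundle by the presented SAN first and only then verifies
// the chain, so a CA from one trust domain can never vouch for another.
func (v *SPIFFEValidator) Validate(leaf *x509.Certificate) error {
	td, err := trustDomainOf(leaf)
	if err != nil {
		return err
	}
	roots, ok := v.bundles[td]
	if !ok {
		return fmt.Errorf("no trust bundle configured for trust domain %q", td)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// newCA mints a self-signed CA for one trust domain (constructed test data).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newSVID issues a leaf carrying the given SPIFFE ID as its only URI SAN.
func newSVID(ca *x509.Certificate, caKey *ecdsa.PrivateKey, spiffeID string) (*x509.Certificate, error) {
	id, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "workload"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{id},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Demo builds the two trust domains from the configuration above (foo.com and
// envoy.com), a validator holding both bundles, and three constructed leaves.
func Demo() (*SPIFFEValidator, map[string]*x509.Certificate, error) {
	fooCA, fooKey, err := newCA("foo.com CA")
	if err != nil {
		return nil, nil, err
	}
	envoyCA, envoyKey, err := newCA("envoy.com CA")
	if err != nil {
		return nil, nil, err
	}
	v := NewSPIFFEValidator(map[string][]*x509.Certificate{
		"foo.com":   {fooCA},
		"envoy.com": {envoyCA},
	})
	leaves := map[string]*x509.Certificate{}
	mint := func(name string, ca *x509.Certificate, key *ecdsa.PrivateKey, id string) {
		if err == nil { // stop at the first failure
			leaves[name], err = newSVID(ca, key, id)
		}
	}
	mint("foo-signed-by-foo", fooCA, fooKey, "spiffe://foo.com/ns/default/sa/web")     // legitimate
	mint("foo-signed-by-envoy", envoyCA, envoyKey, "spiffe://foo.com/ns/default/sa/web") // cross-domain
	mint("bar-signed-by-foo", fooCA, fooKey, "spiffe://bar.com/ns/default/sa/web")     // no bundle
	return v, leaves, err
}

func main() {
	v, leaves, err := Demo()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"foo-signed-by-foo", "foo-signed-by-envoy", "bar-signed-by-foo"} {
		fmt.Printf("%-20s -> %v\n", name, v.Validate(leaves[name]))
	}
}
```

The second leaf is the case the text calls out: a syntactically valid SVID for foo.com, but signed by envoy.com's CA. Because the bundle is chosen from the SAN before any chain building, envoy.com's root is never in the candidate set and verification fails. The third leaf shows the other failure mode a practitioner should expect: a trust domain with no configured bundle is rejected outright rather than falling back to any other bundle.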

Note that the SPIFFE validator inherits and uses the following options from CertificateValidationContext.

{
  "trust_domains": []
}
trust_domains

(repeated extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain, REQUIRED) This field specifies trust domains used for validating incoming X.509-SVID(s).

extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain

[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain proto]

{
  "name": "...",
  "trust_bundle": "{...}"
}
name

(string, REQUIRED) Name of the trust domain, for example example.com or foo.bar.gov. Note that this must not have the “spiffe://” prefix.

trust_bundle

(config.core.v3.DataSource) Specifies a data source holding the X.509 trust bundle used for validating incoming SVID(s) in this trust domain.