.. _envoy_v3_api_file_envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto:

SPIFFE Certificate Validator
============================

.. _extension_envoy.tls.cert_validator.spiffe:

This extension may be referenced by the qualified name *envoy.tls.cert_validator.spiffe*

.. note::
  This extension is work-in-progress. Functionality is incomplete and it is not intended for production use.

  This extension has an unknown security posture and should only be used in deployments where both the downstream and upstream are trusted.

.. tip::
  This extension extends and can be used with the following extension category:

  - :ref:`envoy.tls.cert_validator <extension_category_envoy.tls.cert_validator>`

.. _envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig:

extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
-------------------------------------------------------------

`[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig proto] <https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto>`_

Configuration specific to the `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.

Example:

.. validated-code-block:: yaml
  :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext

  custom_validator_config:
    name: envoy.tls.cert_validator.spiffe
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
      trust_domains:
        - name: foo.com
          trust_bundle:
            filename: "foo.pem"
        - name: envoy.com
          trust_bundle:
            filename: "envoy.pem"

In this example, a presented peer certificate whose URI SAN matches ``spiffe://foo.com/**`` is validated against the trust bundle in ``foo.pem``. All trust bundles are isolated from each other, so no trust domain can mint an SVID belonging to another trust domain. That means, in this example, an SVID signed by ``envoy.com``'s CA with a ``spiffe://foo.com/**`` SAN would be rejected, since Envoy selects the trust bundle according to the trust domain in the presented SAN before validating the certificate chain; a certificate whose trust domain matches no configured entry is rejected as well.
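The selection rule above, combined with the URI-SAN matcher that the validator inherits from ``CertificateValidationContext``, as a complete listener-side mTLS configuration. This is an added example and not part of the original page or the Envoy project's own documentation; the listener address, file paths, SPIFFE path layouts and cluster name are assumptions.

```yaml
# Added example (not from the Envoy docs). Paths, addresses and SPIFFE IDs are assumptions.
static_resources:
  listeners:
  - name: mtls_ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8443 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_mtls
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Without this, a client that presents no certificate is accepted and the
          # validator never runs for it.
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: "/etc/envoy/certs/server-svid.pem" }      # assumed path
              private_key: { filename: "/etc/envoy/certs/server-svid-key.pem" }       # assumed path
            validation_context:
              # Inherited from CertificateValidationContext. The SPIFFE validator applies
              # these matchers to URI SANs only; DNS or IP SANs in the peer cert never match.
              match_subject_alt_names:
              - prefix: "spiffe://foo.com/ns/prod/sa/"      # assumed workload ID layout
              - exact: "spiffe://envoy.com/gateway"          # assumed workload ID
              custom_validator_config:
                name: envoy.tls.cert_validator.spiffe
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
                  # The bundle is chosen by the trust domain of the peer's URI SAN:
                  #   spiffe://foo.com/...    -> foo-bundle.pem
                  #   spiffe://envoy.com/...  -> envoy-bundle.pem
                  #   spiffe://other.com/...  -> no bundle configured, handshake fails
                  # A cert carrying spiffe://foo.com/... but signed by the envoy.com CA
                  # is rejected, because it is chained only against foo-bundle.pem.
                  trust_domains:
                  - name: foo.com
                    trust_bundle: { filename: "/etc/envoy/certs/foo-bundle.pem" }     # assumed path
                  - name: envoy.com
                    trust_bundle: { filename: "/etc/envoy/certs/envoy-bundle.pem" }   # assumed path
  clusters:
  - name: backend
    type: STATIC
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 8080 }
```

Check the file with ``envoy --mode validate -c envoy.yaml`` before loading it. Because the trust-domain matchers and the SAN matchers are evaluated independently, keep them consistent: a ``match_subject_alt_names`` entry for a trust domain that has no ``trust_domains`` entry can never be satisfied, and a ``trust_domains`` entry with no corresponding SAN matcher admits any workload in that domain.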
Note that the SPIFFE validator inherits and uses the following options from
:ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.

- :ref:`allow_expired_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.allow_expired_certificate>` to allow expired certificates.
- :ref:`match_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>` to match the **URI** SAN of certificates. Unlike the default validator, the SPIFFE validator only matches **URI** SANs (the SAN that carries the SPIFFE ID of an SVID) and ignores other SAN types.

.. code-block:: json

  {
    "trust_domains": []
  }

.. _envoy_v3_api_field_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.trust_domains:

trust_domains
  (**repeated** :ref:`extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain>`, *REQUIRED*) This field specifies the trust domains used for validating incoming X.509-SVID(s).

.. _envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain:

extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain
-------------------------------------------------------------------------

`[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain proto] <https://github.com/envoyproxy/envoy/blob/main/api/envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto>`_

.. code-block:: json

  {
    "name": "...",
    "trust_bundle": "{...}"
  }

.. _envoy_v3_api_field_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain.name:

name
  (`string <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_, *REQUIRED*) Name of the trust domain, for example ``example.com`` or ``foo.bar.gov``. Note that this must *not* have the ``spiffe://`` prefix.

.. _envoy_v3_api_field_extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain.trust_bundle:

trust_bundle
  (:ref:`config.core.v3.DataSource <envoy_v3_api_msg_config.core.v3.DataSource>`) Specify a data source holding the x.509 trust bundle used for validating incoming SVID(s) in this trust domain.