SPIFFE Certificate Validator (proto)
This extension has the qualified name envoy.tls.cert_validator.spiffe
Note
This extension is functional but has not had substantial production burn time, use only with this caveat.
This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.
Tip
This extension extends and can be used with the following extension category:
extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig proto]
Configuration specific to the SPIFFE certificate validator.
Example:
custom_validator_config:
name: envoy.tls.cert_validator.spiffe
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
trust_domains:
- name: foo.com
trust_bundle:
filename: "foo.pem"
- name: envoy.com
trust_bundle:
filename: "envoy.pem"
In this example, a presented peer certificate whose SAN matches spiffe//foo.com/**
is validated against
the “foo.pem” x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
a SVID belonging to another trust domain. That means, in this example, a SVID signed by envoy.com
’s CA with spiffe//foo.com/**
SAN would be rejected since Envoy selects the trust bundle according to the presented SAN before validate the certificate.
Note that SPIFFE validator inherits and uses the following options from CertificateValidationContext.
allow_expired_certificate to allow expired certificates.
match_typed_subject_alt_names to match URI SAN of certificates. Unlike the default validator, SPIFFE validator only matches URI SAN (which equals to SVID in SPIFFE terminology) and ignore other SAN types.
{
"trust_domains": []
}
- trust_domains
(repeated extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain, REQUIRED) This field specifies trust domains used for validating incoming X.509-SVID(s).
extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain
[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain proto]
{
"name": ...,
"trust_bundle": {...}
}
- name
(string, REQUIRED) Name of the trust domain,
example.com
,foo.bar.gov
for example. Note that this must not have “spiffe://” prefix.
- trust_bundle
(config.core.v3.DataSource) Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.