SPIFFE Certificate Validator
This extension may be referenced by the qualified name envoy.tls.cert_validator.spiffe
Note
This extension is functional but has not had substantial production burn time; use it only with this caveat in mind.
This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.
Tip
This extension extends and can be used with the following extension category:
extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig proto]
Configuration specific to the SPIFFE certificate validator.
Example:
custom_validator_config:
  name: envoy.tls.cert_validator.spiffe
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
    trust_domains:
    - name: foo.com
      trust_bundle:
        filename: "foo.pem"
    - name: envoy.com
      trust_bundle:
        filename: "envoy.pem"
In this example, a presented peer certificate whose SAN matches spiffe://foo.com/** is validated against the “foo.pem” X.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint an SVID belonging to another trust domain. That means, in this example, an SVID signed by envoy.com’s CA with a spiffe://foo.com/** SAN would be rejected, since Envoy selects the trust bundle according to the presented SAN before validating the certificate.
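The selection and isolation behaviour described above, as an added Python model that is not Envoy's code: it extracts the trust domain from the peer's URI SAN, looks up that trust domain's bundle, and rejects the SVID when no bundle exists or when the chain does not verify against the selected bundle. PeerCert, spiffe_trust_domain, presented_trust_domain and validate are hypothetical names, chain verification is modelled by the constructed signed_by_trust_domain field, and the example assumes an X509-SVID carries exactly one SPIFFE ID; the trust-domain table copies the page's example config.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Trust domains from the page's example config: trust domain -> bundle file.
TRUST_DOMAINS: Dict[str, str] = {"foo.com": "foo.pem", "envoy.com": "envoy.pem"}


@dataclass
class PeerCert:
    """Constructed stand-in for a presented X.509-SVID (hypothetical type).
    signed_by_trust_domain names the CA that actually issued it; real
    validation would establish this by verifying the chain against the bundle."""
    uri_sans: List[str]
    dns_sans: List[str] = field(default_factory=list)
    signed_by_trust_domain: Optional[str] = None


def spiffe_trust_domain(uri: str) -> Optional[str]:
    """Trust domain of a spiffe:// URI, or None if the URI is not a SPIFFE ID.
    The trust domain is the URI authority; SPIFFE IDs carry no port or userinfo."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "spiffe" or not parts.netloc:
        return None
    if "@" in parts.netloc or ":" in parts.netloc:
        return None
    return parts.netloc.lower()


def presented_trust_domain(cert: PeerCert) -> Optional[str]:
    """Only URI SANs are considered (DNS SANs are ignored, as the page states);
    an X509-SVID is assumed to carry exactly one SPIFFE ID."""
    domains = [td for td in map(spiffe_trust_domain, cert.uri_sans) if td]
    return domains[0] if len(domains) == 1 else None


def validate(cert: PeerCert, trust_domains: Dict[str, str] = TRUST_DOMAINS) -> str:
    """Select the bundle by the presented SAN, then verify against that bundle
    only, so a CA from another trust domain can never vouch for this SPIFFE ID."""
    td = presented_trust_domain(cert)
    bundle = trust_domains.get(td) if td else None
    if bundle is None:
        return "rejected: no trust bundle for presented SAN"
    # Chain verification is modelled by comparing the issuing trust domain.
    if cert.signed_by_trust_domain != td:
        return f"rejected: chain does not verify against {bundle}"
    return f"accepted: validated against {bundle}"
```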
Note that the SPIFFE validator inherits and uses the following options from CertificateValidationContext:
allow_expired_certificate to allow expired certificates.
match_subject_alt_names to match the URI SAN of certificates. Unlike the default validator, the SPIFFE validator only matches the URI SAN (which corresponds to the SVID in SPIFFE terminology) and ignores other SAN types.
{
  "trust_domains": []
}
trust_domains
(repeated extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain, REQUIRED) This field specifies trust domains used for validating incoming X.509-SVID(s).
extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain
[extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain proto]
{
  "name": "...",
  "trust_bundle": "{...}"
}
name
(string, REQUIRED) Name of the trust domain, for example example.com or foo.bar.gov. Note that this must not have the “spiffe://” prefix.
trust_bundle
(config.core.v3.DataSource) A data source holding the X.509 trust bundle used for validating incoming SVID(s) in this trust domain.