SPIFFE Certificate Validator

    Note

    This extension is functional but has not had substantial production burn time, use only with this caveat.

    This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.

    Tip

    This extension extends and can be used with the following extension category:

    Configuration specific to the certificate validator.

    Example:

    In this example, a presented peer certificate whose SAN matches spiffe://foo.com/** is validated against the “foo.pem” X.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint an SVID belonging to another trust domain. That means, in this example, an SVID signed by envoy.com’s CA with the spiffe://foo.com/** SAN would be rejected, since Envoy selects the trust bundle according to the presented SAN before validating the certificate.
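    The bundle-selection rule above (pick the bundle by the presented SAN's trust domain, then validate only against that bundle) as an added illustrative model, not Envoy's own code: the trust domain names, the SVID dictionaries and the HMAC-keyed "CAs" are constructed stand-ins for X.509 bundles so the example runs without a crypto library.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-in for per-trust-domain bundles: trust domain name (no
# "spiffe://" prefix, as in the config) -> {CA name: CA verification secret}.
# Real bundles hold X.509 CA certificates; HMAC keys only model "signed by".
BUNDLES = {
    "foo.com": {"foo-ca": b"foo-ca-secret"},
    "envoy.com": {"envoy-ca": b"envoy-ca-secret"},
}


def sign_svid(spiffe_id: str, ca_name: str, ca_secret: bytes) -> dict:
    """Issue a constructed SVID: the SPIFFE ID is its URI SAN, tagged by issuer."""
    tag = hmac.new(ca_secret, spiffe_id.encode(), hashlib.sha256).hexdigest()
    return {"san_uri": spiffe_id, "issuer": ca_name, "sig": tag}


def trust_domain_of(spiffe_id: str) -> str:
    """The trust domain is the host part of the spiffe:// URI SAN."""
    u = urlparse(spiffe_id)
    if u.scheme != "spiffe" or not u.netloc:
        raise ValueError(f"not a SPIFFE ID: {spiffe_id!r}")
    return u.netloc.lower()


def validate_svid(svid: dict, bundles: dict = BUNDLES) -> bool:
    """Select the bundle by the SAN's trust domain, then verify against it only."""
    try:
        domain = trust_domain_of(svid["san_uri"])
    except ValueError:
        return False  # non-SPIFFE SAN: nothing to select a bundle with
    bundle = bundles.get(domain)
    if bundle is None:
        return False  # no trust domain configured for this SAN
    secret = bundle.get(svid["issuer"])
    if secret is None:
        return False  # issuer is not a CA of the selected trust domain
    expected = hmac.new(secret, svid["san_uri"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, svid["sig"])
```

A cross-domain SVID (spiffe://foo.com/... issued by envoy.com's CA) fails because envoy.com's CA is never consulted once the SAN has selected the foo.com bundle.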

    Note that the SPIFFE validator inherits and uses the following options from CertificateValidationContext.

    trust_domains

    (repeated , REQUIRED) This field specifies trust domains used for validating incoming X.509-SVID(s).

    extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain

    name

    (string, REQUIRED) Name of the trust domain, for example example.com or foo.bar.gov. Note that this must not have the “spiffe://” prefix.

    () Specify a data source holding x.509 trust bundle used for validating incoming SVID(s) in this trust domain.