Class SPIFFECertValidatorConfig.Builder

java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder
com.google.protobuf.AbstractMessage.Builder<BuilderT>
com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.Builder
All Implemented Interfaces:
com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, SPIFFECertValidatorConfigOrBuilder, Cloneable
Enclosing class:
SPIFFECertValidatorConfig

public static final class SPIFFECertValidatorConfig.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder> implements SPIFFECertValidatorConfigOrBuilder
 Configuration specific to the `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.

 Example:

 .. validated-code-block:: yaml
   :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext

   custom_validator_config:
     name: envoy.tls.cert_validator.spiffe
     typed_config:
       "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
       trust_domains:
       - name: foo.com
         trust_bundle:
           filename: "foo.pem"
       - name: envoy.com
         trust_bundle:
           filename: "envoy.pem"

 In this example, a presented peer certificate whose SAN matches ``spiffe://foo.com/**`` is validated against
 the "foo.pem" X.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 an SVID belonging to another trust domain. That means, in this example, an SVID signed by ``envoy.com``'s CA with a ``spiffe://foo.com/**``
 SAN would be rejected, since Envoy selects the trust bundle according to the presented SAN before validating the certificate.

 Note that the SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.

 - :ref:`allow_expired_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.allow_expired_certificate>` to allow expired certificates.
 - :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` to match the **URI** SAN of certificates. Unlike the default validator, the SPIFFE validator only matches the **URI** SAN (which is the SVID in SPIFFE terminology) and ignores other SAN types.
 
Protobuf type envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
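The YAML example in the class description, built with this Builder from Java. This is an added example, not code from the Envoy project or from this generated class's documentation. It uses the builder methods documented on this page (`addTrustDomains`, `TrustDomain.newBuilder`) together with the generated builders of the sibling messages it references (`DataSource`, `TypedExtensionConfig`, `CertificateValidationContext`, `SubjectAltNameMatcher`, `StringMatcher`), whose setter names follow the standard protobuf-java naming for their proto fields; `Any.pack` produces the `type.googleapis.com/...` type URL written under `"@type"` in the YAML. The `spiffe://foo.com/backend/` prefix is a constructed value illustrating the inherited `match_typed_subject_alt_names` option, which for this validator is applied to URI SANs only.

```java
import com.google.protobuf.Any;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.config.core.v3.TypedExtensionConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;

public final class SpiffeValidatorExample {

    /** One isolated trust domain: its SPIFFE name plus the PEM bundle that alone may sign SVIDs for it. */
    static SPIFFECertValidatorConfig.TrustDomain trustDomain(String name, String bundleFile) {
        return SPIFFECertValidatorConfig.TrustDomain.newBuilder()
                .setName(name)
                .setTrustBundle(DataSource.newBuilder().setFilename(bundleFile))
                .build();
    }

    /** The validator configuration from the class description: two trust domains, two separate bundles. */
    static SPIFFECertValidatorConfig spiffeValidatorConfig() {
        return SPIFFECertValidatorConfig.newBuilder()
                .addTrustDomains(trustDomain("foo.com", "foo.pem"))
                .addTrustDomains(trustDomain("envoy.com", "envoy.pem"))
                .build();
    }

    /**
     * Wraps the validator in a CertificateValidationContext under custom_validator_config.
     * The SAN matcher is an added illustration (constructed prefix): the SPIFFE validator matches
     * only URI SANs, so this narrows acceptance to SVIDs under foo.com's "backend" path.
     */
    static CertificateValidationContext validationContext() {
        TypedExtensionConfig validator = TypedExtensionConfig.newBuilder()
                .setName("envoy.tls.cert_validator.spiffe")
                .setTypedConfig(Any.pack(spiffeValidatorConfig()))
                .build();
        SubjectAltNameMatcher onlyFooBackend = SubjectAltNameMatcher.newBuilder()
                .setSanType(SubjectAltNameMatcher.SanType.URI)
                .setMatcher(StringMatcher.newBuilder().setPrefix("spiffe://foo.com/backend/"))
                .build();
        return CertificateValidationContext.newBuilder()
                .setCustomValidatorConfig(validator)
                .addMatchTypedSubjectAltNames(onlyFooBackend)
                .build();
    }

    public static void main(String[] args) throws Exception {
        CertificateValidationContext ctx = validationContext();
        // Round-trip the Any back into the typed message, as a config consumer would.
        SPIFFECertValidatorConfig unpacked =
                ctx.getCustomValidatorConfig().getTypedConfig().unpack(SPIFFECertValidatorConfig.class);
        System.out.println(unpacked.getTrustDomainsCount() + " trust domains configured");
        System.out.println(ctx);  // text-format dump of the full validation context
    }
}
```

Because each `TrustDomain` carries its own `trust_bundle`, the resulting context keeps the isolation the description relies on: the bundle used for validation is chosen from the trust domain in the presented URI SAN, so a certificate chaining to `envoy.pem` but naming `spiffe://foo.com/...` is not validated against `envoy.pem` at all.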
  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • clear

      Specified by:
      clear in interface com.google.protobuf.Message.Builder
      Specified by:
      clear in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clear in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • getDescriptorForType

      public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
      Specified by:
      getDescriptorForType in interface com.google.protobuf.Message.Builder
      Specified by:
      getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
      Overrides:
      getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • getDefaultInstanceForType

      public SPIFFECertValidatorConfig getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder
    • build

      public SPIFFECertValidatorConfig build()
      Specified by:
      build in interface com.google.protobuf.Message.Builder
      Specified by:
      build in interface com.google.protobuf.MessageLite.Builder
    • buildPartial

      public SPIFFECertValidatorConfig buildPartial()
      Specified by:
      buildPartial in interface com.google.protobuf.Message.Builder
      Specified by:
      buildPartial in interface com.google.protobuf.MessageLite.Builder
    • clone

      Specified by:
      clone in interface com.google.protobuf.Message.Builder
      Specified by:
      clone in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clone in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • setField

      public SPIFFECertValidatorConfig.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      setField in interface com.google.protobuf.Message.Builder
      Overrides:
      setField in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • clearField

      public SPIFFECertValidatorConfig.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
      Specified by:
      clearField in interface com.google.protobuf.Message.Builder
      Overrides:
      clearField in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • clearOneof

      public SPIFFECertValidatorConfig.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
      Specified by:
      clearOneof in interface com.google.protobuf.Message.Builder
      Overrides:
      clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • setRepeatedField

      public SPIFFECertValidatorConfig.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
      Specified by:
      setRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • addRepeatedField

      public SPIFFECertValidatorConfig.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      addRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • mergeFrom

      public SPIFFECertValidatorConfig.Builder mergeFrom(com.google.protobuf.Message other)
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<SPIFFECertValidatorConfig.Builder>
    • mergeFrom

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • mergeFrom

      public SPIFFECertValidatorConfig.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Specified by:
      mergeFrom in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<SPIFFECertValidatorConfig.Builder>
      Throws:
      IOException
    • getTrustDomainsList

      public List<SPIFFECertValidatorConfig.TrustDomain> getTrustDomainsList()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomainsList in interface SPIFFECertValidatorConfigOrBuilder
    • getTrustDomainsCount

      public int getTrustDomainsCount()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomainsCount in interface SPIFFECertValidatorConfigOrBuilder
    • getTrustDomains

      public SPIFFECertValidatorConfig.TrustDomain getTrustDomains(int index)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomains in interface SPIFFECertValidatorConfigOrBuilder
    • setTrustDomains

       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • setTrustDomains

      public SPIFFECertValidatorConfig.Builder setTrustDomains(int index, SPIFFECertValidatorConfig.TrustDomain.Builder builderForValue)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • addTrustDomains

       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • addTrustDomains

       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • addTrustDomains

       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • addTrustDomains

      public SPIFFECertValidatorConfig.Builder addTrustDomains(int index, SPIFFECertValidatorConfig.TrustDomain.Builder builderForValue)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • addAllTrustDomains

       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • clearTrustDomains

      public SPIFFECertValidatorConfig.Builder clearTrustDomains()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • removeTrustDomains

      public SPIFFECertValidatorConfig.Builder removeTrustDomains(int index)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • getTrustDomainsBuilder

      public SPIFFECertValidatorConfig.TrustDomain.Builder getTrustDomainsBuilder(int index)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • getTrustDomainsOrBuilder

      public SPIFFECertValidatorConfig.TrustDomainOrBuilder getTrustDomainsOrBuilder(int index)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomainsOrBuilder in interface SPIFFECertValidatorConfigOrBuilder
    • getTrustDomainsOrBuilderList

      public List<? extends SPIFFECertValidatorConfig.TrustDomainOrBuilder> getTrustDomainsOrBuilderList()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomainsOrBuilderList in interface SPIFFECertValidatorConfigOrBuilder
    • addTrustDomainsBuilder

      public SPIFFECertValidatorConfig.TrustDomain.Builder addTrustDomainsBuilder()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • addTrustDomainsBuilder

      public SPIFFECertValidatorConfig.TrustDomain.Builder addTrustDomainsBuilder(int index)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • getTrustDomainsBuilderList

      public List<SPIFFECertValidatorConfig.TrustDomain.Builder> getTrustDomainsBuilderList()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
    • hasTrustBundles

      public boolean hasTrustBundles()
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
       If DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
      Specified by:
      hasTrustBundles in interface SPIFFECertValidatorConfigOrBuilder
      Returns:
      Whether the trustBundles field is set.
    • getTrustBundles

      public DataSource getTrustBundles()
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
       If DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
      Specified by:
      getTrustBundles in interface SPIFFECertValidatorConfigOrBuilder
      Returns:
      The trustBundles.
    • setTrustBundles

      public SPIFFECertValidatorConfig.Builder setTrustBundles(DataSource value)
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
       If DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
    • setTrustBundles

      public SPIFFECertValidatorConfig.Builder setTrustBundles(DataSource.Builder builderForValue)
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
       If DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
    • mergeTrustBundles

      public SPIFFECertValidatorConfig.Builder mergeTrustBundles(DataSource value)
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
       If DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
    • clearTrustBundles

      public SPIFFECertValidatorConfig.Builder clearTrustBundles()
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
       If DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
    • getTrustBundlesBuilder

      public DataSource.Builder getTrustBundlesBuilder()
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
       If DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
    • getTrustBundlesOrBuilder

      public DataSourceOrBuilder getTrustBundlesOrBuilder()
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. Currently assumes file will be a SPIFFE Trust Bundle Map.
       If DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
      Specified by:
      getTrustBundlesOrBuilder in interface SPIFFECertValidatorConfigOrBuilder
    • setUnknownFields

      public final SPIFFECertValidatorConfig.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      setUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    • mergeUnknownFields

      public final SPIFFECertValidatorConfig.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      mergeUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>