Class SPIFFECertValidatorConfig.Builder

  • All Implemented Interfaces:
    com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, SPIFFECertValidatorConfigOrBuilder, Cloneable
  • Enclosing class:
    SPIFFECertValidatorConfig

    public static final class SPIFFECertValidatorConfig.Builder
    extends com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
    implements SPIFFECertValidatorConfigOrBuilder
     Configuration specific to the `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.
     Example:
     .. validated-code-block:: yaml
       :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext
       custom_validator_config:
         name: envoy.tls.cert_validator.spiffe
         typed_config:
           "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
           trust_domains:
           - name: foo.com
             trust_bundle:
               filename: "foo.pem"
           - name: envoy.com
             trust_bundle:
               filename: "envoy.pem"
     In this example, a presented peer certificate whose SAN matches ``spiffe://foo.com/**`` is validated against
     the "foo.pem" X.509 certificate. All trust bundles are isolated from each other, so no trust domain can mint
     an SVID belonging to another trust domain. In this example that means an SVID signed by ``envoy.com``'s CA with a ``spiffe://foo.com/**``
     SAN would be rejected, since Envoy selects the trust bundle according to the presented SAN before validating the certificate.
     Note that the SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`:
     - :ref:`allow_expired_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.allow_expired_certificate>` to allow expired certificates.
     - :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` to match the **URI** SAN of certificates. Unlike the default validator, the SPIFFE validator only matches the **URI** SAN (which is the SVID in SPIFFE terminology) and ignores other SAN types.
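     The bundle-selection and isolation behaviour described above, as an added example that is not Envoy's code: a small Python model of the validator's decision for the two-domain configuration shown. Trust bundles are modelled as sets of CA identifiers instead of PEM files, the peer certificates are constructed stand-ins carrying a SAN list and the identifier of the CA that signed them, and the requirement of exactly one URI SAN follows the SPIFFE X.509-SVID standard rather than anything stated on this page. All type and function names (``TrustBundle``, ``PeerCert``, ``validate``, ``uri_san_matches``) are assumptions made for the example.

```python
"""Model of Envoy's SPIFFE validator decision: pick the trust bundle by the
trust domain of the presented URI SAN, then validate only against that bundle.
Added example; not Envoy source code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class TrustBundle:
    # Constructed stand-in for a PEM bundle file: identifiers of the CAs it contains.
    ca_ids: frozenset


@dataclass(frozen=True)
class PeerCert:
    # Constructed stand-in for an X.509 certificate.
    sans: Tuple[Tuple[str, str], ...]  # (SAN type, value), e.g. ("URI", "spiffe://foo.com/backend")
    issuer_ca_id: str                  # CA whose signature terminates the chain


# Mirrors the YAML example: one isolated bundle per trust domain (foo.pem / envoy.pem).
CONFIG: Dict[str, TrustBundle] = {
    "foo.com": TrustBundle(frozenset({"foo-ca"})),
    "envoy.com": TrustBundle(frozenset({"envoy-ca"})),
}


def trust_domain_of(spiffe_id: str) -> str:
    """Extract the trust domain (authority part) from a SPIFFE ID such as spiffe://foo.com/svc."""
    parts = urlsplit(spiffe_id)
    if parts.scheme != "spiffe" or not parts.netloc:
        raise ValueError(f"not a SPIFFE ID: {spiffe_id}")
    return parts.netloc.lower()


def validate(cert: PeerCert, config: Dict[str, TrustBundle]) -> Tuple[bool, str]:
    """Return (accepted, reason). Only URI SANs are considered; the bundle is chosen
    from the SAN's trust domain *before* the chain is checked, so a CA from another
    configured domain can never vouch for this domain's SVIDs."""
    uris = [value for san_type, value in cert.sans if san_type == "URI"]
    if len(uris) != 1:
        return False, f"expected exactly one URI SAN, found {len(uris)}"
    try:
        domain = trust_domain_of(uris[0])
    except ValueError as exc:
        return False, str(exc)
    bundle = config.get(domain)
    if bundle is None:
        return False, f"no trust bundle configured for trust domain {domain}"
    if cert.issuer_ca_id not in bundle.ca_ids:
        return False, f"chain does not terminate in the {domain} bundle"
    return True, f"validated against the {domain} bundle"


def uri_san_matches(cert: PeerCert, prefix: str) -> bool:
    """Model of match_typed_subject_alt_names under this validator: DNS/IP/email
    SANs are ignored, only the URI SAN is compared."""
    return any(san_type == "URI" and value.startswith(prefix) for san_type, value in cert.sans)


# Constructed sample certificates covering the accept and reject paths.
SAMPLE_CERTS: Dict[str, PeerCert] = {
    "foo_svid": PeerCert((("URI", "spiffe://foo.com/backend"),), "foo-ca"),
    # SVID for foo.com minted by envoy.com's CA: the case the text says must be rejected.
    "cross_domain": PeerCert((("URI", "spiffe://foo.com/backend"),), "envoy-ca"),
    # A DNS name matching the trust domain is not an SVID and selects no bundle.
    "dns_only": PeerCert((("DNS", "foo.com"),), "foo-ca"),
    "unknown_domain": PeerCert((("URI", "spiffe://bar.com/api"),), "foo-ca"),
}


def run_samples() -> Dict[str, bool]:
    """Validate every sample against CONFIG; returns name -> accepted."""
    return {name: validate(cert, CONFIG)[0] for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        accepted, reason = validate(cert, CONFIG)
        print(f"{name:15s} accepted={accepted!s:5s} {reason}")
```

     The ordering in ``validate`` is the point: the trust domain parsed from the SAN decides which bundle is consulted, so the ``cross_domain`` sample fails even though ``envoy-ca`` is a perfectly valid CA elsewhere in the same configuration.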
     
    Protobuf type envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
    • Method Detail

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
      • getDescriptorForType

        public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
        Specified by:
        getDescriptorForType in interface com.google.protobuf.Message.Builder
        Specified by:
        getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
      • getDefaultInstanceForType

        public SPIFFECertValidatorConfig getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder
      • build

        public SPIFFECertValidatorConfig build()
        Specified by:
        build in interface com.google.protobuf.Message.Builder
        Specified by:
        build in interface com.google.protobuf.MessageLite.Builder
      • buildPartial

        public SPIFFECertValidatorConfig buildPartial()
        Specified by:
        buildPartial in interface com.google.protobuf.Message.Builder
        Specified by:
        buildPartial in interface com.google.protobuf.MessageLite.Builder
      • setRepeatedField

        public SPIFFECertValidatorConfig.Builder setRepeatedField​(com.google.protobuf.Descriptors.FieldDescriptor field,
                                                                  int index,
                                                                  Object value)
        Specified by:
        setRepeatedField in interface com.google.protobuf.Message.Builder
        Overrides:
        setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
      • mergeFrom

        public SPIFFECertValidatorConfig.Builder mergeFrom​(com.google.protobuf.CodedInputStream input,
                                                           com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                                    throws IOException
        Specified by:
        mergeFrom in interface com.google.protobuf.Message.Builder
        Specified by:
        mergeFrom in interface com.google.protobuf.MessageLite.Builder
        Overrides:
        mergeFrom in class com.google.protobuf.AbstractMessage.Builder<SPIFFECertValidatorConfig.Builder>
        Throws:
        IOException
      • getTrustDomainsCount

        public int getTrustDomainsCount()
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
        Specified by:
        getTrustDomainsCount in interface SPIFFECertValidatorConfigOrBuilder
      • setTrustDomains

        public SPIFFECertValidatorConfig.Builder setTrustDomains​(int index,
                                                                 SPIFFECertValidatorConfig.TrustDomain value)
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      • addTrustDomains

        public SPIFFECertValidatorConfig.Builder addTrustDomains​(int index,
                                                                 SPIFFECertValidatorConfig.TrustDomain value)
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      • clearTrustDomains

        public SPIFFECertValidatorConfig.Builder clearTrustDomains()
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      • removeTrustDomains

        public SPIFFECertValidatorConfig.Builder removeTrustDomains​(int index)
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      • getTrustDomainsBuilder

        public SPIFFECertValidatorConfig.TrustDomain.Builder getTrustDomainsBuilder​(int index)
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      • addTrustDomainsBuilder

        public SPIFFECertValidatorConfig.TrustDomain.Builder addTrustDomainsBuilder()
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      • addTrustDomainsBuilder

        public SPIFFECertValidatorConfig.TrustDomain.Builder addTrustDomainsBuilder​(int index)
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      • getTrustDomainsBuilderList

        public List<SPIFFECertValidatorConfig.TrustDomain.Builder> getTrustDomainsBuilderList()
         This field specifies trust domains used for validating incoming X.509-SVID(s).
         
        repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      • setUnknownFields

        public final SPIFFECertValidatorConfig.Builder setUnknownFields​(com.google.protobuf.UnknownFieldSet unknownFields)
        Specified by:
        setUnknownFields in interface com.google.protobuf.Message.Builder
        Overrides:
        setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>
      • mergeUnknownFields

        public final SPIFFECertValidatorConfig.Builder mergeUnknownFields​(com.google.protobuf.UnknownFieldSet unknownFields)
        Specified by:
        mergeUnknownFields in interface com.google.protobuf.Message.Builder
        Overrides:
        mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<SPIFFECertValidatorConfig.Builder>