tls: support dual ECDSA/RSA certs via SDS

api/envoy/extensions/transport_sockets/tls/v3/tls.proto

@@ -216,8 +216,14 @@ message CommonTlsContext {
 
   // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
   // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
+  //
+  // The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
+  // are valid in the the certificates fetched through this setting.
+  //
+  // If :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
+  // is non-empty, this field is ignored.
   repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
-      [(validate.rules).repeated = {max_items: 1}];
+      [(validate.rules).repeated = {max_items: 2}];
 
   // Certificate provider for fetching TLS certificates.
   // [#not-implemented-hide:]

docs/root/version_history/current.rst

@@ -76,6 +76,7 @@ New Features
 * metric service: added support for sending metric tags as labels. This can be enabled by setting the :ref:`emit_tags_as_labels <envoy_v3_api_field_config.metrics.v3.MetricsServiceConfig.emit_tags_as_labels>` field to true.
 * tcp: added support for :ref:`preconnecting <v1.18.0:envoy_v3_api_msg_config.cluster.v3.Cluster.PreconnectPolicy>`. Preconnecting is off by default, but recommended for clusters serving latency-sensitive traffic.
 * thrift_proxy: added per upstream metrics within the :ref:`thrift router <envoy_v3_api_msg_extensions.filters.network.thrift_proxy.router.v3.Router>` for request and response size histograms.
+* tls: allow dual ECDSA/RSA certs via SDS. Previously, SDS only supported a single certificate per context, and dual cert was only supported via non-SDS.
 * udp_proxy: added :ref:`key <envoy_v3_api_msg_extensions.filters.udp.udp_proxy.v3.UdpProxyConfig.HashPolicy>` as another hash policy to support hash based routing on any given key.
 
 Deprecated

source/extensions/transport_sockets/tls/context_config_impl.cc

@@ -26,8 +26,8 @@ namespace {
 std::vector<Secret::TlsCertificateConfigProviderSharedPtr> getTlsCertificateConfigProviders(
     const envoy::extensions::transport_sockets::tls::v3::CommonTlsContext& config,
     Server::Configuration::TransportSocketFactoryContext& factory_context) {
+  std::vector<Secret::TlsCertificateConfigProviderSharedPtr> providers;
   if (!config.tls_certificates().empty()) {
-    std::vector<Secret::TlsCertificateConfigProviderSharedPtr> providers;
     for (const auto& tls_certificate : config.tls_certificates()) {
       if (!tls_certificate.has_private_key_provider() && !tls_certificate.has_certificate_chain() &&
           !tls_certificate.has_private_key()) {
@@ -39,20 +39,22 @@ std::vector<Secret::TlsCertificateConfigProviderSharedPtr> getTlsCertificateConf
     return providers;
   }
   if (!config.tls_certificate_sds_secret_configs().empty()) {
-    const auto& sds_secret_config = config.tls_certificate_sds_secret_configs(0);
-    if (sds_secret_config.has_sds_config()) {
-      // Fetch dynamic secret.
-      return {factory_context.secretManager().findOrCreateTlsCertificateProvider(
-          sds_secret_config.sds_config(), sds_secret_config.name(), factory_context)};
-    } else {
-      // Load static secret.
-      auto secret_provider = factory_context.secretManager().findStaticTlsCertificateProvider(
-          sds_secret_config.name());
-      if (!secret_provider) {
-        throw EnvoyException(fmt::format("Unknown static secret: {}", sds_secret_config.name()));
+    for (const auto& sds_secret_config : config.tls_certificate_sds_secret_configs()) {
+      if (sds_secret_config.has_sds_config()) {
+        // Fetch dynamic secret.
+        providers.push_back(factory_context.secretManager().findOrCreateTlsCertificateProvider(
+            sds_secret_config.sds_config(), sds_secret_config.name(), factory_context));
+      } else {
+        // Load static secret.
+        auto secret_provider = factory_context.secretManager().findStaticTlsCertificateProvider(
+            sds_secret_config.name());
+        if (!secret_provider) {
+          throw EnvoyException(fmt::format("Unknown static secret: {}", sds_secret_config.name()));
+        }
+        providers.push_back(secret_provider);
       }
-      return {secret_provider};
     }
+    return providers;
   }
   return {};
 }
@@ -247,25 +249,27 @@ Ssl::CertificateValidationContextConfigPtr ContextConfigImpl::getCombinedValidat
 }
 
 void ContextConfigImpl::setSecretUpdateCallback(std::function<void()> callback) {
-  if (!tls_certificate_providers_.empty()) {
-    // Once tls_certificate_config_ receives new secret, this callback updates
-    // ContextConfigImpl::tls_certificate_config_ with new secret.
-    tc_update_callback_handle_ =
-        tls_certificate_providers_[0]->addUpdateCallback([this, callback]() {
-          // This breaks multiple certificate support, but today SDS is only single cert.
-          // TODO(htuch): Fix this when SDS goes multi-cert.
+  // When any of tls_certificate_providers_ receives a new secret, this callback updates
+  // ContextConfigImpl::tls_certificate_configs_ with new secret.
+  for (const auto& tls_certificate_provider : tls_certificate_providers_) {
+    tc_update_callback_handles_.push_back(
+        tls_certificate_provider->addUpdateCallback([this, callback]() {
           tls_certificate_configs_.clear();
-          tls_certificate_configs_.emplace_back(*tls_certificate_providers_[0]->secret(), nullptr,
-                                                api_);
+          for (const auto& tls_certificate_provider : tls_certificate_providers_) {
+            auto* secret = tls_certificate_provider->secret();
+            if (secret != nullptr) {
+              tls_certificate_configs_.emplace_back(*secret, nullptr, api_);
+            }
+          }
           callback();
-        });
+        }));
   }
   if (certificate_validation_context_provider_) {
     if (default_cvc_) {
       // Once certificate_validation_context_provider_ receives new secret, this callback updates
       // ContextConfigImpl::validation_context_config_ with a combined certificate validation
-      // context. The combined certificate validation context is created by merging new secret into
-      // default_cvc_.
+      // context. The combined certificate validation context is created by merging new secret
+      // into default_cvc_.
       cvc_update_callback_handle_ =
           certificate_validation_context_provider_->addUpdateCallback([this, callback]() {
             validation_context_config_ = getCombinedValidationContextConfig(

source/extensions/transport_sockets/tls/context_config_impl.h

@@ -87,7 +87,7 @@ class ContextConfigImpl : public virtual Ssl::ContextConfig {
       default_cvc_;
   std::vector<Secret::TlsCertificateConfigProviderSharedPtr> tls_certificate_providers_;
   // Handle for TLS certificate dynamic secret callback.
-  Envoy::Common::CallbackHandlePtr tc_update_callback_handle_;
+  std::vector<Envoy::Common::CallbackHandlePtr> tc_update_callback_handles_;
   Secret::CertificateValidationContextConfigProviderSharedPtr
       certificate_validation_context_provider_;
   // Handle for certificate validation context dynamic secret callback.