Fetch certificate validation context using SDS service.

api/envoy/api/v2/auth/cert.proto

@@ -232,14 +232,14 @@ message CommonTlsContext {
   //   relaxed in the future.
   repeated TlsCertificate tls_certificates = 2 [(validate.rules).repeated .max_items = 1];
 
-  // [#not-implemented-hide:]
+  // Configs for fetching TLS certificates via SDS API.
   repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
 
   oneof validation_context_type {
     // How to validate peer certificates.
     CertificateValidationContext validation_context = 3;
 
-    // [#not-implemented-hide:]
+    // Config for fetching validation context via SDS API.
     SdsSecretConfig validation_context_sds_secret_config = 7;
   }
 
@@ -302,7 +302,6 @@ message DownstreamTlsContext {
 }
 
 // [#proto-status: experimental]
-// [#not-implemented-hide:]
 message SdsSecretConfig {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
@@ -312,7 +311,6 @@ message SdsSecretConfig {
 }
 
 // [#proto-status: experimental]
-// [#not-implemented-hide:]
 message Secret {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   string name = 1;

include/envoy/secret/secret_manager.h

@@ -75,6 +75,22 @@ class SecretManager {
   virtual TlsCertificateConfigProviderSharedPtr findOrCreateTlsCertificateProvider(
       const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
       Server::Configuration::TransportSocketFactoryContext& secret_provider_context) PURE;
+
+  /**
+   * Finds and returns a dynamic secret provider associated to SDS config. Create
+   * a new one if such provider does not exist.
+   *
+   * @param config_source a protobuf message object containing a SDS config source.
+   * @param config_name a name that uniquely refers to the SDS config source.
+   * @param secret_provider_context context that provides components for creating and initializing
+   * secret provider.
+   * @return CertificateValidationContextConfigProviderSharedPtr the dynamic certificate validation
+   * context secret provider.
+   */
+  virtual CertificateValidationContextConfigProviderSharedPtr
+  findOrCreateCertificateValidationContextProvider(
+      const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+      Server::Configuration::TransportSocketFactoryContext& secret_provider_context) PURE;
 };
 
 } // namespace Secret

source/common/secret/BUILD

@@ -46,12 +46,14 @@ envoy_cc_library(
         "//include/envoy/local_info:local_info_interface",
         "//include/envoy/runtime:runtime_interface",
         "//include/envoy/secret:secret_provider_interface",
+        "//include/envoy/server:transport_socket_config_interface",
         "//include/envoy/stats:stats_interface",
         "//source/common/common:callback_impl_lib",
         "//source/common/common:cleanup_lib",
         "//source/common/config:resources_lib",
         "//source/common/config:subscription_factory_lib",
         "//source/common/protobuf:utility_lib",
+        "//source/common/ssl:certificate_validation_context_config_impl_lib",
         "//source/common/ssl:tls_certificate_config_impl_lib",
     ],
 )

source/common/secret/sds_api.cc

@@ -7,19 +7,18 @@
 #include "common/config/resources.h"
 #include "common/config/subscription_factory.h"
 #include "common/protobuf/utility.h"
-#include "common/ssl/tls_certificate_config_impl.h"
 
 namespace Envoy {
 namespace Secret {
 
 SdsApi::SdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher,
                Runtime::RandomGenerator& random, Stats::Store& stats,
                Upstream::ClusterManager& cluster_manager, Init::Manager& init_manager,
-               const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name,
-               std::function<void()> destructor_cb)
-    : local_info_(local_info), dispatcher_(dispatcher), random_(random), stats_(stats),
-      cluster_manager_(cluster_manager), sds_config_(sds_config), sds_config_name_(sds_config_name),
-      secret_hash_(0), clean_up_(destructor_cb) {
+               const envoy::api::v2::core::ConfigSource& sds_config,
+               const std::string& sds_config_name, std::function<void()> destructor_cb)
+    : secret_hash_(0), local_info_(local_info), dispatcher_(dispatcher), random_(random),
+      stats_(stats), cluster_manager_(cluster_manager), sds_config_(sds_config),
+      sds_config_name_(sds_config_name), clean_up_(destructor_cb) {
   Config::Utility::checkLocalInfo("sds", local_info_);
   // TODO(JimmyCYJ): Implement chained_init_manager, so that multiple init_manager
   // can be chained together to behave as one init_manager. In that way, we let
@@ -60,12 +59,9 @@ void SdsApi::onConfigUpdate(const ResourceVector& resources, const std::string&)
   }
 
   const uint64_t new_hash = MessageUtil::hash(secret);
-  if (new_hash != secret_hash_ &&
-      secret.type_case() == envoy::api::v2::auth::Secret::TypeCase::kTlsCertificate) {
+  if (new_hash != secret_hash_) {
     secret_hash_ = new_hash;
-    tls_certificate_secrets_ =
-        std::make_unique<Ssl::TlsCertificateConfigImpl>(secret.tls_certificate());
-
+    set_secret(secret);
     update_callback_manager_.runCallbacks();
   }
 

source/common/secret/sds_api.h

@@ -11,11 +11,14 @@
 #include "envoy/runtime/runtime.h"
 #include "envoy/secret/secret_callbacks.h"
 #include "envoy/secret/secret_provider.h"
+#include "envoy/server/transport_socket_config.h"
 #include "envoy/stats/stats.h"
 #include "envoy/upstream/cluster_manager.h"
 
 #include "common/common/callback_impl.h"
 #include "common/common/cleanup.h"
+#include "common/ssl/certificate_validation_context_config_impl.h"
+#include "common/ssl/tls_certificate_config_impl.h"
 
 namespace Envoy {
 namespace Secret {
@@ -24,13 +27,12 @@ namespace Secret {
  * SDS API implementation that fetches secrets from SDS server via Subscription.
  */
 class SdsApi : public Init::Target,
-               public TlsCertificateConfigProvider,
                public Config::SubscriptionCallbacks<envoy::api::v2::auth::Secret> {
 public:
   SdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher,
          Runtime::RandomGenerator& random, Stats::Store& stats,
          Upstream::ClusterManager& cluster_manager, Init::Manager& init_manager,
-         const envoy::api::v2::core::ConfigSource& sds_config, std::string sds_config_name,
+         const envoy::api::v2::core::ConfigSource& sds_config, const std::string& sds_config_name,
          std::function<void()> destructor_cb);
 
   // Init::Target
@@ -43,14 +45,11 @@ class SdsApi : public Init::Target,
     return MessageUtil::anyConvert<envoy::api::v2::auth::Secret>(resource).name();
   }
 
-  // SecretProvider
-  const Ssl::TlsCertificateConfig* secret() const override {
-    return tls_certificate_secrets_.get();
-  }
-
-  Common::CallbackHandle* addUpdateCallback(std::function<void()> callback) override {
-    return update_callback_manager_.add(callback);
-  }
+protected:
+  // Creates new secrets.
+  virtual void set_secret(const envoy::api::v2::auth::Secret&) PURE;
+  Common::CallbackManager<> update_callback_manager_;
+  uint64_t secret_hash_;
 
 private:
   void runInitializeCallbackIfAny();
@@ -66,13 +65,98 @@ class SdsApi : public Init::Target,
   std::function<void()> initialize_callback_;
   const std::string sds_config_name_;
 
-  uint64_t secret_hash_;
   Cleanup clean_up_;
+};
+
+typedef std::shared_ptr<SdsApi> SdsApiSharedPtr;
+
+/**
+ * TlsCertificateSdsApi implementation maintains and updates dynamic TLS certificate secrets.
+ */
+class TlsCertificateSdsApi : public SdsApi, public TlsCertificateConfigProvider {
+public:
+  static SdsApiSharedPtr
+  create(Server::Configuration::TransportSocketFactoryContext& secret_provider_context,
+         const envoy::api::v2::core::ConfigSource& sds_config, const std::string& sds_config_name,
+         std::function<void()> destructor_cb) {
+    return std::make_shared<TlsCertificateSdsApi>(
+        secret_provider_context.localInfo(), secret_provider_context.dispatcher(),
+        secret_provider_context.random(), secret_provider_context.stats(),
+        secret_provider_context.clusterManager(), *secret_provider_context.initManager(),
+        sds_config, sds_config_name, destructor_cb);
+  }
+
+  TlsCertificateSdsApi(const LocalInfo::LocalInfo& local_info, Event::Dispatcher& dispatcher,
+                       Runtime::RandomGenerator& random, Stats::Store& stats,
+                       Upstream::ClusterManager& cluster_manager, Init::Manager& init_manager,
+                       const envoy::api::v2::core::ConfigSource& sds_config,
+                       const std::string& sds_config_name, std::function<void()> destructor_cb)
+      : SdsApi(local_info, dispatcher, random, stats, cluster_manager, init_manager, sds_config,
+               sds_config_name, destructor_cb) {}
+
+  // SecretProvider
+  const Ssl::TlsCertificateConfig* secret() const override {
+    return tls_certificate_secrets_.get();
+  }
+  Common::CallbackHandle* addUpdateCallback(std::function<void()> callback) override {
+    return update_callback_manager_.add(callback);
+  }
+
+protected:
+  void set_secret(const envoy::api::v2::auth::Secret& secret) override {
+    tls_certificate_secrets_ =
+        std::make_unique<Ssl::TlsCertificateConfigImpl>(secret.tls_certificate());
+  }
+
+private:
   Ssl::TlsCertificateConfigPtr tls_certificate_secrets_;
-  Common::CallbackManager<> update_callback_manager_;
 };
 
-typedef std::unique_ptr<SdsApi> SdsApiPtr;
+/**
+ * CertificateValidationContextSdsApi implementation maintains and updates dynamic certificate
+ * validation context secrets.
+ */
+class CertificateValidationContextSdsApi : public SdsApi,
+                                           public CertificateValidationContextConfigProvider {
+public:
+  static SdsApiSharedPtr
+  create(Server::Configuration::TransportSocketFactoryContext& secret_provider_context,
+         const envoy::api::v2::core::ConfigSource& sds_config, const std::string& sds_config_name,
+         std::function<void()> destructor_cb) {
+    return std::make_shared<CertificateValidationContextSdsApi>(
+        secret_provider_context.localInfo(), secret_provider_context.dispatcher(),
+        secret_provider_context.random(), secret_provider_context.stats(),
+        secret_provider_context.clusterManager(), *secret_provider_context.initManager(),
+        sds_config, sds_config_name, destructor_cb);
+  }
+  CertificateValidationContextSdsApi(const LocalInfo::LocalInfo& local_info,
+                                     Event::Dispatcher& dispatcher,
+                                     Runtime::RandomGenerator& random, Stats::Store& stats,
+                                     Upstream::ClusterManager& cluster_manager,
+                                     Init::Manager& init_manager,
+                                     const envoy::api::v2::core::ConfigSource& sds_config,
+                                     std::string sds_config_name,
+                                     std::function<void()> destructor_cb)
+      : SdsApi(local_info, dispatcher, random, stats, cluster_manager, init_manager, sds_config,
+               sds_config_name, destructor_cb) {}
+
+  // SecretProvider
+  const Ssl::CertificateValidationContextConfig* secret() const override {
+    return certificate_validation_context_secrets_.get();
+  }
+  Common::CallbackHandle* addUpdateCallback(std::function<void()> callback) override {
+    return update_callback_manager_.add(callback);
+  }
+
+protected:
+  void set_secret(const envoy::api::v2::auth::Secret& secret) override {
+    certificate_validation_context_secrets_ =
+        std::make_unique<Ssl::CertificateValidationContextConfigImpl>(secret.validation_context());
+  }
+
+private:
+  Ssl::CertificateValidationContextConfigPtr certificate_validation_context_secrets_;
+};
 
 } // namespace Secret
 } // namespace Envoy

source/common/secret/secret_manager_impl.cc

@@ -65,37 +65,57 @@ SecretManagerImpl::createInlineCertificateValidationContextProvider(
 }
 
 void SecretManagerImpl::removeDynamicSecretProvider(const std::string& map_key) {
-  ENVOY_LOG(debug, "Unregister secret provider. hash key: {}", map_key);
+  ENVOY_LOG(debug, "Unregister tls certificate provider. hash key: {}", map_key);
 
   auto num_deleted = dynamic_secret_providers_.erase(map_key);
   ASSERT(num_deleted == 1, "");
 }
 
-TlsCertificateConfigProviderSharedPtr SecretManagerImpl::findOrCreateTlsCertificateProvider(
+SdsApiSharedPtr SecretManagerImpl::innerFindOrCreate(
     const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name,
-    Server::Configuration::TransportSocketFactoryContext& secret_provider_context) {
+    std::function<SdsApiSharedPtr(std::function<void()> unregister_secret_provider)> create_fn) {
   const std::string map_key = sds_config_source.SerializeAsString() + config_name;
 
-  TlsCertificateConfigProviderSharedPtr secret_provider = dynamic_secret_providers_[map_key].lock();
+  SdsApiSharedPtr secret_provider = dynamic_secret_providers_[map_key].lock();
   if (!secret_provider) {
-    ASSERT(secret_provider_context.initManager() != nullptr);
-
     // SdsApi is owned by ListenerImpl and ClusterInfo which are destroyed before
     // SecretManagerImpl. It is safe to invoke this callback at the destructor of SdsApi.
     std::function<void()> unregister_secret_provider = [map_key, this]() {
       removeDynamicSecretProvider(map_key);
     };
 
-    secret_provider = std::make_shared<SdsApi>(
-        secret_provider_context.localInfo(), secret_provider_context.dispatcher(),
-        secret_provider_context.random(), secret_provider_context.stats(),
-        secret_provider_context.clusterManager(), *secret_provider_context.initManager(),
-        sds_config_source, config_name, unregister_secret_provider);
+    secret_provider = create_fn(unregister_secret_provider);
     dynamic_secret_providers_[map_key] = secret_provider;
   }
-
   return secret_provider;
 }
 
+TlsCertificateConfigProviderSharedPtr SecretManagerImpl::findOrCreateTlsCertificateProvider(
+    const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name,
+    Server::Configuration::TransportSocketFactoryContext& secret_provider_context) {
+  auto create_fn = [&](std::function<void()> unregister_secret_provider) -> SdsApiSharedPtr {
+    ASSERT(secret_provider_context.initManager() != nullptr);
+    return TlsCertificateSdsApi::create(secret_provider_context, sds_config_source, config_name,
+                                        unregister_secret_provider);
+  };
+  SdsApiSharedPtr secret_provider = innerFindOrCreate(sds_config_source, config_name, create_fn);
+
+  return std::dynamic_pointer_cast<TlsCertificateConfigProvider>(secret_provider);
+}
+
+CertificateValidationContextConfigProviderSharedPtr
+SecretManagerImpl::findOrCreateCertificateValidationContextProvider(
+    const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name,
+    Server::Configuration::TransportSocketFactoryContext& secret_provider_context) {
+  auto create_fn = [&](std::function<void()> unregister_secret_provider) -> SdsApiSharedPtr {
+    ASSERT(secret_provider_context.initManager() != nullptr);
+    return CertificateValidationContextSdsApi::create(secret_provider_context, sds_config_source,
+                                                      config_name, unregister_secret_provider);
+  };
+  SdsApiSharedPtr secret_provider = innerFindOrCreate(sds_config_source, config_name, create_fn);
+
+  return std::dynamic_pointer_cast<CertificateValidationContextConfigProvider>(secret_provider);
+}
+
 } // namespace Secret
 } // namespace Envoy

source/common/secret/secret_manager_impl.h

@@ -9,6 +9,7 @@
 #include "envoy/ssl/tls_certificate_config.h"
 
 #include "common/common/logger.h"
+#include "common/secret/sds_api.h"
 
 namespace Envoy {
 namespace Secret {
@@ -35,9 +36,18 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable<Logger::Id::sec
       const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
       Server::Configuration::TransportSocketFactoryContext& secret_provider_context) override;
 
+  CertificateValidationContextConfigProviderSharedPtr
+  findOrCreateCertificateValidationContextProvider(
+      const envoy::api::v2::core::ConfigSource& config_source, const std::string& config_name,
+      Server::Configuration::TransportSocketFactoryContext& secret_provider_context) override;
+
 private:
-  // Remove dynamic secret provider which has been deleted.
+  // Removes dynamic secret provider which has been deleted.
   void removeDynamicSecretProvider(const std::string& map_key);
+  // Finds or creates SdsApi object.
+  SdsApiSharedPtr innerFindOrCreate(
+      const envoy::api::v2::core::ConfigSource& sds_config_source, const std::string& config_name,
+      std::function<SdsApiSharedPtr(std::function<void()> unregister_secret_provider)> create_fn);
 
   // Manages pairs of secret name and TlsCertificateConfigProviderSharedPtr.
   std::unordered_map<std::string, TlsCertificateConfigProviderSharedPtr>
@@ -48,8 +58,7 @@ class SecretManagerImpl : public SecretManager, Logger::Loggable<Logger::Id::sec
       static_certificate_validation_context_providers_;
 
   // map hash code of SDS config source and SdsApi object.
-  std::unordered_map<std::string, std::weak_ptr<TlsCertificateConfigProvider>>
-      dynamic_secret_providers_;
+  std::unordered_map<std::string, std::weak_ptr<SdsApi>> dynamic_secret_providers_;
 };
 
 } // namespace Secret

source/common/ssl/certificate_validation_context_config_impl.cc

@@ -44,4 +44,4 @@ CertificateValidationContextConfigImpl::CertificateValidationContextConfigImpl(
 }
 
 } // namespace Ssl
-} // namespace Envoy
+} // namespace Envoy