From eb6760df97445b9c2349e58be34c699916e188ea Mon Sep 17 00:00:00 2001
From: Clay Kauzlaric
Date: Fri, 13 Oct 2023 10:56:45 -0400
Subject: [PATCH] internal: allow multiple SANs in upstream validation
Signed-off-by: Clay Kauzlaric
---
 apis/projectcontour/v1/httpproxy.go | 10 +++
 .../v1/zz_generated.deepcopy.go | 9 ++-
 .../v1alpha1/zz_generated.deepcopy.go | 2 +-
 examples/contour/01-crds.yaml | 67 ++++++++++++++++++-
 examples/render/contour-deployment.yaml | 67 ++++++++++++++++++-
 .../render/contour-gateway-provisioner.yaml | 67 ++++++++++++++++++-
 examples/render/contour-gateway.yaml | 67 ++++++++++++++++++-
 examples/render/contour.yaml | 67 ++++++++++++++++++-
 internal/dag/cache.go | 2 +
 internal/dag/dag.go | 19 ++++++
 internal/envoy/v3/auth.go | 17 ++---
 .../docs/main/config/api-reference.html | 17 ++++-
 12 files changed, 394 insertions(+), 17 deletions(-)
diff --git a/apis/projectcontour/v1/httpproxy.go b/apis/projectcontour/v1/httpproxy.go
index 498be837a8b..a3d35af905e 100644
--- a/apis/projectcontour/v1/httpproxy.go
+++ b/apis/projectcontour/v1/httpproxy.go
@@ -1306,6 +1306,7 @@ type HeaderValue struct {
 }
 
 // UpstreamValidation defines how to verify the backend service's certificate
+// +kubebuilder:validation:XValidation:message="subjectNames[0] must equal subjectName if set",rule="has(self.subjectNames) ? self.subjectNames[0] == self.subjectName : true"
 type UpstreamValidation struct {
 // Name or namespaced name of the Kubernetes secret used to validate the certificate presented by the backend.
 // The secret must contain key named ca.crt.
@@ -1313,7 +1314,16 @@ type UpstreamValidation struct {
 // When cross-namespace reference is used, TLSCertificateDelegation resource must exist in the namespace to grant access to the secret.
 CACertificate string `json:"caSecret"`
 // Key which is expected to be present in the 'subjectAltName' of the presented certificate.
+ // Deprecated, migrate to using the plural field subjectNames.
+ // +kubebuilder:validation:MinLength=1
+ // +kubebuilder:validation:MaxLength=256
 SubjectName string `json:"subjectName"`
+ // List of keys, of which at least one is expected to be present in the 'subjectAltName of the
+ // presented certificate.
+ // +optional
+ // +kubebuilder:validation:MinItems=1
+ // +kubebuilder:validation:MaxItems=8
+ SubjectNames []string `json:"subjectNames"`
 }
 
 // DownstreamValidation defines how to verify the client certificate.
diff --git a/apis/projectcontour/v1/zz_generated.deepcopy.go b/apis/projectcontour/v1/zz_generated.deepcopy.go
index 3c3537ef24e..3207fef641a 100644
--- a/apis/projectcontour/v1/zz_generated.deepcopy.go
+++ b/apis/projectcontour/v1/zz_generated.deepcopy.go
@@ -919,7 +919,7 @@ func (in *RemoteJWKS) DeepCopyInto(out *RemoteJWKS) {
 if in.UpstreamValidation != nil {
 in, out := &in.UpstreamValidation, &out.UpstreamValidation
 *out = new(UpstreamValidation)
- **out = **in
+ (*in).DeepCopyInto(*out)
 }
 }
 
@@ -1155,7 +1155,7 @@ func (in *Service) DeepCopyInto(out *Service) {
 if in.UpstreamValidation != nil {
 in, out := &in.UpstreamValidation, &out.UpstreamValidation
 *out = new(UpstreamValidation)
- **out = **in
+ (*in).DeepCopyInto(*out)
 }
 if in.RequestHeadersPolicy != nil {
 in, out := &in.RequestHeadersPolicy, &out.RequestHeadersPolicy
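Review bot: The new `SubjectNames` field bounds the list (MinItems=1, MaxItems=8) but not its elements, so an entry such as `""` passes CRD validation even though the singular `SubjectName` now carries MinLength=1/MaxLength=256; the same per-element limits belong on the list, e.g. `// +kubebuilder:validation:items:MinLength=1` and `// +kubebuilder:validation:items:MaxLength=256` if the project's controller-gen supports items markers, otherwise an explicit check in LookupUpstreamValidation. The new doc comment is also missing the closing quote after `'subjectAltName`, and since each entry is matched by Envoy only as a DNS-type SAN with an exact comparison, it would read more precisely as `// List of DNS subject alternative names, at least one of which must exactly match a SAN of the presented certificate.` The XValidation rule in the preceding hunk only pins `subjectNames[0]` to `subjectName`; that is fine for the migration but leaves the remaining entries entirely up to the element constraints, which is why they matter.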
@@ -1434,6 +1434,11 @@ func (in *TimeoutPolicy) DeepCopy() *TimeoutPolicy {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UpstreamValidation) DeepCopyInto(out *UpstreamValidation) {
 *out = *in
+ if in.SubjectNames != nil {
+ in, out := &in.SubjectNames, &out.SubjectNames
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpstreamValidation.
diff --git a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
index c8a9d6776fe..2bca1fce176 100644
--- a/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
+++ b/apis/projectcontour/v1alpha1/zz_generated.deepcopy.go
@@ -766,7 +766,7 @@ func (in *ExtensionServiceSpec) DeepCopyInto(out *ExtensionServiceSpec) {
 if in.UpstreamValidation != nil {
 in, out := &in.UpstreamValidation, &out.UpstreamValidation
 *out = new(v1.UpstreamValidation)
- **out = **in
+ (*in).DeepCopyInto(*out)
 }
 if in.Protocol != nil {
 in, out := &in.Protocol, &out.Protocol
diff --git a/examples/contour/01-crds.yaml b/examples/contour/01-crds.yaml
index 7fb064b7c5a..ab8047e03a3 100644
--- a/examples/contour/01-crds.yaml
+++ b/examples/contour/01-crds.yaml
@@ -4750,12 +4750,27 @@ spec: type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' - of the presented certificate. + of the presented certificate. Deprecated, migrate to using the + plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is expected to + be present in the 'subjectAltName of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName + : true' required: - services type: object @@ -6382,11 +6397,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of + the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic 
@@ -6777,11 +6808,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == + self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic @@ -7099,11 +7146,29 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field + subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one + is expected to be present in the 'subjectAltName + of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if + set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' required: - uri type: object diff --git a/examples/render/contour-deployment.yaml b/examples/render/contour-deployment.yaml index 74d0938f238..ee6f6139b0f 100644 --- a/examples/render/contour-deployment.yaml +++ b/examples/render/contour-deployment.yaml 
@@ -4969,12 +4969,27 @@ spec: type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' - of the presented certificate. + of the presented certificate. Deprecated, migrate to using the + plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is expected to + be present in the 'subjectAltName of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName + : true' required: - services type: object @@ -6601,11 +6616,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of + the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic 
@@ -6996,11 +7027,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == + self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic @@ -7318,11 +7365,29 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field + subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one + is expected to be present in the 'subjectAltName + of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if + set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' required: - uri type: object diff --git a/examples/render/contour-gateway-provisioner.yaml b/examples/render/contour-gateway-provisioner.yaml index 0a100be8a90..2ddb4c715f9 100644 --- a/examples/render/contour-gateway-provisioner.yaml +++ b/examples/render/contour-gateway-provisioner.yaml 
@@ -4761,12 +4761,27 @@ spec: type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' - of the presented certificate. + of the presented certificate. Deprecated, migrate to using the + plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is expected to + be present in the 'subjectAltName of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName + : true' required: - services type: object @@ -6393,11 +6408,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of + the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic 
@@ -6788,11 +6819,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == + self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic @@ -7110,11 +7157,29 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field + subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one + is expected to be present in the 'subjectAltName + of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if + set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' required: - uri type: object diff --git a/examples/render/contour-gateway.yaml b/examples/render/contour-gateway.yaml index 3c2f4b1a9f5..3aa0911c6dd 100644 --- a/examples/render/contour-gateway.yaml +++ b/examples/render/contour-gateway.yaml 
@@ -4972,12 +4972,27 @@ spec: type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' - of the presented certificate. + of the presented certificate. Deprecated, migrate to using the + plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is expected to + be present in the 'subjectAltName of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName + : true' required: - services type: object @@ -6604,11 +6619,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of + the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic 
@@ -6999,11 +7030,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == + self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic @@ -7321,11 +7368,29 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field + subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one + is expected to be present in the 'subjectAltName + of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if + set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' required: - uri type: object diff --git a/examples/render/contour.yaml b/examples/render/contour.yaml index 7b7ffa08de3..4dfb763c1ab 100644 --- a/examples/render/contour.yaml +++ b/examples/render/contour.yaml 
@@ -4969,12 +4969,27 @@ spec: type: string subjectName: description: Key which is expected to be present in the 'subjectAltName' - of the presented certificate. + of the presented certificate. Deprecated, migrate to using the + plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is expected to + be present in the 'subjectAltName of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == self.subjectName + : true' required: - services type: object @@ -6601,11 +6616,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of + the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic 
@@ -6996,11 +7027,27 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one is + expected to be present in the 'subjectAltName of the + presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if set + rule: 'has(self.subjectNames) ? self.subjectNames[0] == + self.subjectName : true' weight: description: Weight defines percentage of traffic to balance traffic @@ -7318,11 +7365,29 @@ spec: subjectName: description: Key which is expected to be present in the 'subjectAltName' of the presented certificate. + Deprecated, migrate to using the plural field + subjectNames. + maxLength: 256 + minLength: 1 type: string + subjectNames: + description: List of keys, of which at least one + is expected to be present in the 'subjectAltName + of the presented certificate. + items: + type: string + maxItems: 8 + minItems: 1 + type: array required: - caSecret - subjectName type: object + x-kubernetes-validations: + - message: subjectNames[0] must equal subjectName if + set + rule: 'has(self.subjectNames) ? self.subjectNames[0] + == self.subjectName : true' required: - uri type: object diff --git a/internal/dag/cache.go b/internal/dag/cache.go index ed79adfc572..2231605b725 100644 --- a/internal/dag/cache.go +++ b/internal/dag/cache.go 
@@ -676,6 +676,7 @@ func (kc *KubernetesCache) LookupUpstreamValidation(uv *contour_api_v1.UpstreamV
 }
 }
 
+ // CEL validation should enforce that SubjectName must be set if SubjectNames is used. So, SubjectName will always be present.
 if uv.SubjectName == "" {
 // UpstreamValidation is requested, but SAN is not provided
 return nil, errors.New("missing subject alternative name")
@@ -684,6 +685,7 @@ func (kc *KubernetesCache) LookupUpstreamValidation(uv *contour_api_v1.UpstreamV
 return &PeerValidationContext{
 CACertificate: cacert,
 SubjectName: uv.SubjectName,
+ SubjectNames: uv.SubjectNames,
 }, nil
 }
 
diff --git a/internal/dag/dag.go b/internal/dag/dag.go
index aea888e4b16..a80d74b4de5 100644
--- a/internal/dag/dag.go
+++ b/internal/dag/dag.go
@@ -672,6 +672,9 @@ type PeerValidationContext struct {
 // SubjectName holds an optional subject name which Envoy will check against the
 // certificate presented by the upstream.
 SubjectName string
+ // SubjectNames holds optional subject names which Envoy will check against the
+ // certificate presented by the upstream. The first entry must match the value of SubjectName
+ SubjectNames []string
 // SkipClientCertValidation when set to true will ensure Envoy requests but
 // does not verify peer certificates.
 SkipClientCertValidation bool
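Review bot: `SubjectNames: uv.SubjectNames` is copied into the PeerValidationContext without any in-process check, so the invariants the new comment attributes to CEL (SubjectName set, `subjectNames[0] == subjectName`, no empty entries) hold only when the updated CRD schema is actually installed on the API server; with an older CRD, or objects admitted before the upgrade, Contour would forward an empty-string or mismatched SAN list to Envoy. Since this function already refuses an empty `SubjectName` rather than trusting admission, the list deserves the same treatment before the return, as sketched below. LookupUpstreamValidation's body starts before this hunk.

```go
	// The CRD schema should already enforce this, but do not rely on the
	// API server having the current schema installed.
	for _, name := range uv.SubjectNames {
		if name == "" {
			return nil, errors.New("empty subject alternative name in subjectNames")
		}
	}
	if len(uv.SubjectNames) > 0 && uv.SubjectNames[0] != uv.SubjectName {
		return nil, errors.New("subjectNames[0] must equal subjectName")
	}

	return &PeerValidationContext{
		// … unchanged: CACertificate, SubjectName, SubjectNames …
	}, nil
```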
@@ -704,9 +707,25 @@ func (pvc *PeerValidationContext) GetSubjectName() string {
 // No validation required.
 return ""
 }
+
 return pvc.SubjectName
 }
 
+// GetSubjectName returns the SubjectNames from PeerValidationContext.
+func (pvc *PeerValidationContext) GetSubjectNames() []string {
+ if pvc == nil {
+ // No validation required.
+ return []string{}
+ }
+
+ // CEL validation should enforce that if SubjectNames is used, the first entry must match the value of SubjectName.
+ if len(pvc.SubjectNames) > 0 {
+ return pvc.SubjectNames
+ }
+
+ return []string{pvc.SubjectName}
+}
+
 // GetCRL returns the Certificate Revocation List.
 func (pvc *PeerValidationContext) GetCRL() []byte {
 if pvc == nil || pvc.CRL == nil {
diff --git a/internal/envoy/v3/auth.go b/internal/envoy/v3/auth.go
index c2af6d1db20..fc9ef5eb632 100644
--- a/internal/envoy/v3/auth.go
+++ b/internal/envoy/v3/auth.go
@@ -49,7 +49,7 @@ func UpstreamTLSContext(peerValidationContext *dag.PeerValidationContext, sni st
 // directly into this field boxes the nil into the unexported
 // type of this grpc OneOf field which causes proto marshaling
 // to explode later on.
- vc := validationContext(peerValidationContext.GetCACertificate(), peerValidationContext.GetSubjectName(), false, nil, false)
+ vc := validationContext(peerValidationContext.GetCACertificate(), peerValidationContext.GetSubjectNames(), false, nil, false)
 if vc != nil {
 // TODO: update this for SDS (CommonTlsContext_ValidationContextSdsSecretConfig) instead of inlining it.
 context.CommonTlsContext.ValidationContextType = vc
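Review bot: The doc comment on the new method names the wrong function; it should read `// GetSubjectNames returns the SubjectNames from PeerValidationContext.` The fallback `return []string{pvc.SubjectName}` also changes behaviour relative to the replaced path: when SubjectName is empty it yields `[""]`, which validationContext now turns into an exact matcher on the empty string, whereas the old `len(subjectName) > 0` guard produced no matcher at all; either keep that guard here with `if pvc.SubjectName == "" { return []string{} }` before the fallback, or state in the comment that callers must ensure SubjectName is set. The method additionally returns the context's internal slice rather than a copy, so a caller that mutates the result alters the PeerValidationContext.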
@@ -60,7 +60,7 @@ func UpstreamTLSContext(peerValidationContext *dag.PeerValidationContext, sni st
 }
 
 // TODO: update this for SDS (CommonTlsContext_ValidationContextSdsSecretConfig) instead of inlining it.
-func validationContext(ca []byte, subjectName string, skipVerifyPeerCert bool, crl []byte, onlyVerifyLeafCertCrl bool) *envoy_v3_tls.CommonTlsContext_ValidationContext {
+func validationContext(ca []byte, subjectNames []string, skipVerifyPeerCert bool, crl []byte, onlyVerifyLeafCertCrl bool) *envoy_v3_tls.CommonTlsContext_ValidationContext {
 vc := &envoy_v3_tls.CommonTlsContext_ValidationContext{
 ValidationContext: &envoy_v3_tls.CertificateValidationContext{
 TrustChainVerification: envoy_v3_tls.CertificateValidationContext_VERIFY_TRUST_CHAIN,
@@ -79,17 +79,18 @@ func validationContext(ca []byte, subjectName string, skipVerifyPeerCert bool, c
 }
 }
 
- if len(subjectName) > 0 {
- vc.ValidationContext.MatchTypedSubjectAltNames = []*envoy_v3_tls.SubjectAltNameMatcher{
- {
+ for _, san := range subjectNames {
+ vc.ValidationContext.MatchTypedSubjectAltNames = append(
+ vc.ValidationContext.MatchTypedSubjectAltNames,
+ &envoy_v3_tls.SubjectAltNameMatcher{
 SanType: envoy_v3_tls.SubjectAltNameMatcher_DNS,
 Matcher: &matcher.StringMatcher{
 MatchPattern: &matcher.StringMatcher_Exact{
- Exact: subjectName,
+ Exact: san,
 },
 },
 },
- }
+ )
 }
 
 if len(crl) > 0 {
@@ -121,7 +122,7 @@ func DownstreamTLSContext(serverSecret *dag.Secret, tlsMinProtoVersion, tlsMaxPr
 },
 }
 if peerValidationContext != nil {
- vc := validationContext(peerValidationContext.GetCACertificate(), "", peerValidationContext.SkipClientCertValidation,
+ vc := validationContext(peerValidationContext.GetCACertificate(), []string{}, peerValidationContext.SkipClientCertValidation,
 peerValidationContext.GetCRL(), peerValidationContext.OnlyVerifyLeafCertCrl)
 if vc != nil {
 context.CommonTlsContext.ValidationContextType = vc
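Review bot: The `for _, san := range subjectNames` loop emits one DNS-type exact matcher per entry, and per the field's documented "at least one" semantics Envoy accepts the upstream certificate when any single matcher succeeds, so every additional name widens the set of certificates the proxy will trust; that is worth stating at the loop, e.g. `// Envoy treats these matchers as any-of: the peer certificate is accepted if at least one listed DNS SAN matches exactly.` The loop also grows the slice from nil on each iteration; a single `make([]*envoy_v3_tls.SubjectAltNameMatcher, 0, len(subjectNames))` before it would size the result once. Entries are not filtered here, so an empty string becomes an exact match on `""`; that only stays harmless because callers are expected to reject such input, which deserves a comment as well. validationContext's body continues past this hunk, and in the `@@ -121` hunk the `[]string{}` argument could simply be `nil`, since ranging over a nil slice is a no-op.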
diff --git a/site/content/docs/main/config/api-reference.html b/site/content/docs/main/config/api-reference.html
index 672010fc223..ec4773dc64f 100644
--- a/site/content/docs/main/config/api-reference.html
+++ b/site/content/docs/main/config/api-reference.html
@@ -4706,7 +4706,22 @@

UpstreamValidation -

Key which is expected to be present in the ‘subjectAltName’ of the presented certificate.

+

Key which is expected to be present in the ‘subjectAltName’ of the presented certificate. +Deprecated, migrate to using the plural field subjectNames.

+ + + + +subjectNames +
+ +[]string + + + +(Optional) +

List of keys, of which at least one is expected to be present in the ‘subjectAltName of the +presented certificate.