Disabling custom validation per request/envoy-instance

[StupidScience]

So continuing this discussion in PR. Would be great to have an option to enable Envoy's SPIFFE custom validator based on request/envoy-instance.

I see the following options here:

1. Add one more option to config enable this per-instance behaviour and then look at envoy's node metadata for enable_spiffe_cert_validation key and if it is there and set to "true" enable custom validation for this envoy if it is absent or set to something else disable it
2. Add option to specify your own selector like key=value, if key is specified then same as in option above look for this key in envoy's node metadata and enable per-instance, if selector option is empty then validation enabled for all instances (if disable_spiffe_cert_validation not specified).

@azdagron WDYT?

• Version: any
• Platform: any
• Subsystem: agent

[azdagron]

I think my preference would be to enable the spiffe validator by default, since it is the preferred security posture.

Out of those options, i think we should go with the simplest approach and look for a fixed key in the node metadata. If this becomes problematic, we can always add a configurable later to allow for a custom key. I think we should go for an opt-out style of name that matches the configurable on the agent if possible (i.e. disable_spiffe_cert_validation). I don't know if it's conventional to have some sort of project prefix on those keys. If so, we could do spire.disable_spiffe_cert_validation or something.

[StupidScience]

@azdagron I'm thinking that would be good to have possibility to opt-in per instance as well if it is disabled on agent and you want to enable it for one envoy instance. So when disable_spiffe_cert_validation set to true on agent and to false in envoy node metadata. WDYT? Does it make sense?

[StupidScience]

I've sent PR #3020 to address this so please take a look if it make sense.