spiffe: add support for spiffe bundle format

[briansonnenberg]

Commit Message: Adds alternative to "trust_domains" config for the spiffe validator—"trust_bundle_map".

Additional Description:

#35567
trust_bundle_map points to a local file containing a SPIFFE bundle map. A file watcher is set up to trigger refreshes to the SPIFFE data when this file is modified. SPIFFE refresh hint and sequence number are currently ignored.

Risk Level: medium
Testing: WIP
Docs Changes: TBD
Release Notes: TBD

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #36190 was opened by briansonnenberg.

see: more, trace.

[jmarantz]

/wait

[wbpcode]

Thanks for the contribution. some new comments to the API to start the review. And please address the comment from @markdroth .

[markdroth]

/lgtm api

[kyessenov]

Please merge main.
/wait

[alyssawilk]

/wait on CI

[wbpcode]

Thanks for the contribution and patience. And some comments are added.

[wbpcode]

Please also check the CI :)

[briansonnenberg]

@wbpcode @alyssawilk @markdroth

Finally have the CI passing. 😅

Would you folks mind taking another look?

[markdroth]

I'm still not thrilled that we're doing this instead of implementing the certificate provider framework, but at least this doesn't preclude us from doing that later.

/lgtm api

[adisuissa]

@wbpcode seems that latest comments were addressed, PTAL.

[wbpcode]

Will take a look before tomorrow night.

[wbpcode]

Thanks for the update and the long time investment. It's much better now. I add some comments new but should be easy to address. Thanks again.

[wbpcode]

LGTM overall now. Thanks so much for your update, It's near there, only some non-major comments are added.

And merry Christmas!!! 🎄

/wait

[wbpcode]

Suggested change

	ENVOY_LOG(error, "Failed to load SPIFFE bundle map from '{}': '{}'",
	trust_bundle_file_name_, new_trust_bundle.status());
	ENVOY_LOG(error, "Failed to load SPIFFE bundle map from '{}': '{}'",
	trust_bundle_file_name_, new_trust_bundle.status().message());

[wbpcode]

ping for this comment

[wbpcode]

Seems you only move the generated file to this directory. Sorry for the chaos, maybe keep your previous design is better if we cannot split all these out from the tls/test_data cleanly.

[briansonnenberg]

I moved the static files to the test directory and left the generated one in the directory that has the generator. I think this is ideal.

[wbpcode]

Fine, if you think that's OKay. Please also create a test_data sub directory for them.

[wbpcode]

And Please also merge the main and resolve the CI problem.

[wbpcode]

/wait

[wbpcode]

LGTM with some nit comments to improve the code quality (non-block).

And could you check the CI. Thanks.

[wbpcode]

ping for this comment

[wbpcode]

nit: remove this line.

[wbpcode]

Suggested change

	parsed_json_bundle = json_parse_result.value();
	Json::ObjectSharedPtr parsed_json_bundle = json_parse_result.value();

[wbpcode]

Suggested change

	spiffe_data_->trust_bundle_stores_.reserve(n_trust_domains);
	spiffe_data_->trust_bundle_stores_.reserve(message.trust_domains().size());

[wbpcode]

nit: remove this line.

[wbpcode]

cc @tyxia could you take another look when you have some free time?

[wbpcode]

If @tyxia no explict comments, I think we can merge this after the CI and nit comments are addressed. Thanks for all your time and investment. 🌹

[tyxia]

Thanks for contribution!