spiffe: add support for spiffe bundle format

[briansonnenberg]

Commit Message: Adds alternative to "trust_domains" config for the spiffe validator—"trust_bundle_map".

Additional Description:

#35567
trust_bundle_map points to a local file containing a SPIFFE bundle map. A file watcher is set up to trigger refreshes to the SPIFFE data when this file is modified. SPIFFE refresh hint and sequence number are currently ignored.

Risk Level: medium
Testing: WIP
Docs Changes: TBD
Release Notes: TBD

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #36190 was opened by briansonnenberg.

see: more, trace.

[jmarantz]

/wait

[wbpcode]

Thanks for the contribution. some new comments to the API to start the review. And please address the comment from @markdroth .

[markdroth]

/lgtm api

[kyessenov]

Please merge main.
/wait

[alyssawilk]

/wait on CI

[wbpcode]

Thanks for the contribution and patience. And some comments are added.

[wbpcode]

Please also check the CI :)

[RyanTheOptimist]

Looks like CI is failing? https://github.com/envoyproxy/envoy/actions/runs/11979451058/job/33401707343

[RyanTheOptimist]

/wait

[briansonnenberg]

@wbpcode @alyssawilk @markdroth

Finally have the CI passing. 😅

Would you folks mind taking another look?

[markdroth]

I'm still not thrilled that we're doing this instead of implementing the certificate provider framework, but at least this doesn't preclude us from doing that later.

/lgtm api

[adisuissa]

@wbpcode seems that latest comments were addressed, PTAL.

[wbpcode]

Will take a look before tomorrow night.

[wbpcode]

Thanks for the update and the long time investment. It's much better now. I add some comments new but should be easy to address. Thanks again.

[wbpcode]

LGTM overall now. Thanks so much for your update, It's near there, only some non-major comments are added.

And merry Christmas!!! 🎄

/wait

[wbpcode]

I agree the check may be redundant. But there is a two-symbolism and may have potential problem. If the parsing_status is ok and status is not ok because the implementation change, what will happen?

Suggested change

	// json_object::iterate seems to always return ok(), so this check is
	// redundant...
	if (!status.ok() || !parsing_status.ok()) {
	return parsing_status;
	}
	// json_object::iterate seems to always return ok(), so this check is
	// redundant...
	RETURN_IF_NOT_OK_REF(status);
	RETURN_IF_NOT_OK_REF(parsing_status);

[wbpcode]

Suggested change

	ENVOY_LOG(error, "Failed to load SPIFFE bundle map from '{}': '{}'",
	trust_bundle_file_name_, new_trust_bundle.status());
	ENVOY_LOG(error, "Failed to load SPIFFE bundle map from '{}': '{}'",
	trust_bundle_file_name_, new_trust_bundle.status().message());

[wbpcode]

Suggested change

	if (!parse_result.ok()) {
	throw EnvoyException(
	fmt::format("Failed to load SPIFFE Bundle map: {}", parse_result.status()));
	THROW_IF_NOT_OK_REF(parse_result);

[wbpcode]

Seems you only move the generated file to this directory. Sorry for the chaos, maybe keep your previous design is better if we cannot split all these out from the tls/test_data cleanly.