config: move mTLS settings to new struct (#4442)

Move downstream mTLS settings to a nested config file object, under the
key 'downstream_mtls', and add a new DownstreamMTLSSettings struct for
these settings.

Deprecate the existing ClientCA and ClientCAFile fields in the Options
struct, but continue to honor them for now (log a warning if either is
populated).

Delete the ClientCRL and ClientCRLFile fields entirely (in current
releases these cannot be set without causing an Envoy error, so this
should not be a breaking change).

Update the Settings proto to mirror this nested structure.
Kenneth Jenkins 2023-08-08 10:22:48 -07:00 committed by GitHub
parent a16bdd9cb0
commit 24b09186a4
14 changed files with 671 additions and 395 deletions


@ -94,12 +94,12 @@ func newPolicyEvaluator(opts *config.Options, store *store.Store) (*evaluator.Ev
ctx, span := trace.StartSpan(ctx, "authorize.newPolicyEvaluator")
defer span.End()
clientCA, err := opts.GetClientCA()
clientCA, err := opts.DownstreamMTLS.GetCA()
if err != nil {
return nil, fmt.Errorf("authorize: invalid client CA: %w", err)
}
clientCRL, err := opts.GetClientCRL()
clientCRL, err := opts.DownstreamMTLS.GetCRL()
if err != nil {
return nil, fmt.Errorf("authorize: invalid client CRL: %w", err)
}