sds: improve watched directory documentation. (envoyproxy#14029)

Some followup docs tweaks to envoyproxy#13721. Signed-off-by: Harvey Tuch <[email protected]> Signed-off-by: Qin Qin <[email protected]>
qqustc · Nov 24, 2020 · 2fdd53c · 2fdd53c
1 parent 1eae330
commit 2fdd53c
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 10 deletions.
diff --git a/api/envoy/extensions/transport_sockets/tls/v3/common.proto b/api/envoy/extensions/transport_sockets/tls/v3/common.proto
@@ -155,7 +155,8 @@ message TlsCertificate {
   // default the parent directories of the filesystem paths in
   // *certificate_chain* and *private_key* are watched if this field is not
   // specified. This only applies when a *TlsCertificate* is delivered by SDS
-  // with references to filesystem paths.
+  // with references to filesystem paths. See the :ref:`SDS key rotation
+  // <sds_key_rotation>` documentation for further details.
   config.core.v3.WatchedDirectory watched_directory = 7;
 
   // BoringSSL private key method provider. This is an alternative to :ref:`private_key
@@ -265,7 +266,8 @@ message CertificateValidationContext {
   // default the parent directory of the filesystem path in *trusted_ca* is
   // watched if this field is not specified. This only applies when a
   // *CertificateValidationContext* is delivered by SDS with references to
-  // filesystem paths.
+  // filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`
+  // documentation for further details.
   config.core.v3.WatchedDirectory watched_directory = 11;
 
   // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the

diff --git a/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/api/envoy/extensions/transport_sockets/tls/v4alpha/common.proto
diff --git a/docs/root/configuration/security/secret.rst b/docs/root/configuration/security/secret.rst
@@ -45,11 +45,15 @@ refer to filesystem paths. This currently is supported for the following secret
 * :ref:`TlsCertificate <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.TlsCertificate>`
 * :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`
 
-By default, directories containing secrets are watched for filesystem move events. Explicit control over
-the watched directory is possible by specifying a *watched_directory* path in :ref:`TlsCertificate
+By default, directories containing secrets are watched for filesystem move events. For example, a
+key or trusted CA certificates at ``/foo/bar/baz/cert.pem`` will be watched at `/foo/bar/baz`.
+Explicit control over the watched directory is possible by specifying a *watched_directory* path in
+:ref:`TlsCertificate
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.watched_directory>` and
 :ref:`CertificateValidationContext
 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.watched_directory>`.
+This allows watches to be established at path predecessors, e.g. ``/foo/bar``; this capability is
+useful when implementing common key rotation schemes.
 
 An example of key rotation is provided :ref:`below <xds_certificate_rotation>`.
 

diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v3/common.proto
diff --git a/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto b/generated_api_shadow/envoy/extensions/transport_sockets/tls/v4alpha/common.proto