Chromium Code Reviews

Unified Diff: tokenserver/api/admin/v1/config.proto

Issue 2952723003: token-server: Make machine token minter config apply to subdomains. (Closed)
Patch Set: typo Created 3 years, 6 months ago
Index: tokenserver/api/admin/v1/config.proto
diff --git a/tokenserver/api/admin/v1/config.proto b/tokenserver/api/admin/v1/config.proto
index 10705b5bd5d003014d6d54eef953e36753019222..6c52e3bbe4a5050af4357feed973378d73aad145 100644
--- a/tokenserver/api/admin/v1/config.proto
+++ b/tokenserver/api/admin/v1/config.proto
@@ -24,7 +24,8 @@ message TokenServerConfig {
// splits FQDN into a hostname ("slave43-c1") and a domain name
// ("c.chromecompute.google.com.internal"), searches for a domain name in
// "known_domains" set, and, if it is present, uses parameters described there
-// for generating a token with machine_id <hostname>@<token-server-url>.
+// for generating a token that contains machine's FQDN and certificate serial
+// number (among other things, see MachineTokenBody in machine_token.proto).
message CertificateAuthorityConfig {
int64 unique_id = 6; // ID of this CA, will be embedded into tokens.
string cn = 1; // CA Common Name, must match Subject CN in the cert
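Review bot: The unchanged context directly above the rewritten lines still describes an exact lookup: split the FQDN into a hostname and a domain name, then search for that domain name in the "known_domains" set. Now that the DomainConfig comment in this change lets subdomains match, the split point is no longer unique. For "host.abc.example.com" the text does not say whether the domain being looked up is "abc.example.com" or "example.com". Suggest rewording the paragraph to describe the lookup as it now behaves, and writing "the machine's FQDN" in the new line.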
@@ -42,6 +43,10 @@ message DomainConfig {
reserved 2, 3, 4, 6; // deleted fields, do not reuse.
// Domain is domain names of hosts this config applies to.
+ //
+ // Machines that reside in a subdomain of given domain are also considered
+ // part of it, e.g. both FQDNs "host.example.com" and "host.abc.example.com"
+ // match domain "example.com".
repeated string domain = 1;
// MachineTokenLifetime is how long generated machine tokens live, in seconds.
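Review bot: The new comment on `domain` does not say how the subdomain match is performed or what happens when more than one entry matches. Please state that matching is on whole DNS labels, so that "host.badexample.com" does not match "example.com". Please also define precedence when both "example.com" and "abc.example.com" are configured: either the most specific domain wins, or overlapping entries are rejected at config validation. The matched entry supplies the parameters used for generating the token, so the comment should leave no ambiguity about which entry applies.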