@Zgoda91 Zgoda91 commented Aug 1, 2025

implementing gRFC A65 grpc/proposal/pull/372

This change contains:

  1. Updated TlsChannelCredentials instantiation process, which involves reading trust certificates from paths provided in the bootstrap configuration file.
  2. Trust certificates polling mechanism is going to be closed once given TlsChannelCredentials are no longer used (as per [xDS] A65 mTLS credentials in bootstrap (part1) #12350)
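For orientation, here is what the bootstrap fragment this PR reads would look like. This is an added illustration, not a file from the PR or from grpc-java: the channel-creds type `tls` and the `certificate_file` key are the two names visible in the diff on this page; the remaining keys (`private_key_file`, `ca_certificate_file`, `refresh_interval`) and the `600s` duration follow my reading of gRFC A65 and the paths are placeholders.

```json
{
  "xds_servers": [
    {
      "server_uri": "xds-control-plane.example.internal:443",
      "channel_creds": [
        {
          "type": "tls",
          "config": {
            "certificate_file": "/etc/xds/client-cert.pem",
            "private_key_file": "/etc/xds/client-key.pem",
            "ca_certificate_file": "/etc/xds/control-plane-ca.pem",
            "refresh_interval": "600s"
          }
        }
      ]
    }
  ],
  "node": { "id": "client-node-1" }
}
```

The point of the `refresh_interval` entry is the second bullet above: the files are re-read on a schedule so rotated certificates are picked up without restarting the client, and that polling has to stop once the credentials that started it are released, or every discarded `TlsChannelCredentials` leaks a background reader.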

@ejona86 ejona86 added the kokoro:run label Aug 6, 2025
@grpc-kokoro grpc-kokoro removed the kokoro:run label Aug 6, 2025
@ejona86 ejona86 self-requested a review August 6, 2025 21:54

Zgoda91 commented Aug 11, 2025

@ejona86 Could you please review this PR when you get a chance? Thanks!

@Zgoda91 Zgoda91 requested a review from kannanjgithub August 27, 2025 13:31
kannanjgithub
kannanjgithub previously approved these changes Aug 28, 2025
@ejona86 ejona86 added the kokoro:run label Aug 28, 2025
@grpc-kokoro grpc-kokoro removed the kokoro:run label Aug 28, 2025
@ejona86 ejona86 left a comment


One quick/important comment. But I'll need to look over this a bit more before merging.

@kannanjgithub kannanjgithub dismissed their stale review August 29, 2025 12:00

Based on Eric's comment.

@Zgoda91 Zgoda91 force-pushed the A65_mtls_creds_in_bootstrap branch from 8248816 to faaa15c Compare September 3, 2025 11:09
@Zgoda91 Zgoda91 changed the title [xDS] A65 mTLS credentials in bootstrap [xDS] A65 mTLS credentials in bootstrap (part 2) Sep 10, 2025
@Zgoda91 Zgoda91 force-pushed the A65_mtls_creds_in_bootstrap branch 2 times, most recently from 5a59b20 to 46f7ddc Compare September 10, 2025 14:07
@Zgoda91 Zgoda91 force-pushed the A65_mtls_creds_in_bootstrap branch from 46f7ddc to 434579a Compare September 10, 2025 14:47

Zgoda91 commented Sep 11, 2025

@ejona86 - PR ready for the third round. Mind that there is a part 1 implemented separately here for visibility

private static final String CREDS_NAME = "tls";
private static final String CERT_FILE_KEY = "certificate_file";
@kannanjgithub kannanjgithub Sep 15, 2025


The gRFC says implementations should be able to reuse the FileWatcherCertificateProvider. It is a bit more work though - we could do similar to CertProviderSslContextProvider's usage here. (You can see it getting used during XdsClientServerSecurityTest)

  1. passing the plugin name as file_watcher and
  2. Make this class (TlsXdsCredentialsProvider) implement Watcher interface for the Watcher parameter that receives certificate updates
  3. Add the returned Handle to the list of Closeables in ResourceAllocationChannelProvider.
  4. This will require making CertificateProviderStore.Handle public.

@ejona86 WDYT?

4 participants