Skip to content

[xDS] A65 mTLS credentials in bootstrap (part 2) #12255

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 14 commits into
base: master
Choose a base branch
from
Open

[xDS] A65 mTLS credentials in bootstrap (part 2) #12255

wants to merge 14 commits into from

Conversation

@Zgoda91
Copy link

@Zgoda91 Zgoda91 commented Aug 1, 2025
edited
Loading

implementing gRFC A65 grpc/proposal/pull/372

This change contains:

  1. Updated TlsChannelCredentials instantiation process, which involves reading trust certificates from paths provided in the bootstrap configuration file.
  2. Trust certificates polling mechanism is going to be closed once given TlsChannelCredentials are no longer used (as per [xDS] A65 mTLS credentials in bootstrap (part1) #12350)

@ejona86 ejona86 added the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Aug 6, 2025
@grpc-kokoro grpc-kokoro removed the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Aug 6, 2025
@ejona86 ejona86 self-requested a review August 6, 2025 21:54
@Zgoda91
Copy link
Author

Zgoda91 commented Aug 11, 2025

@ejona86 Could you please review this PR when you get a chance? Thanks!

@Zgoda91 Zgoda91 requested a review from kannanjgithub August 27, 2025 13:31
kannanjgithub
kannanjgithub previously approved these changes Aug 28, 2025
View reviewed changes
@ejona86 ejona86 added the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Aug 28, 2025
@grpc-kokoro grpc-kokoro removed the kokoro:run Add this label to a PR to tell Kokoro the code is safe and tests can be run label Aug 28, 2025
ejona86
ejona86 reviewed Aug 28, 2025
View reviewed changes
Copy link
Member

@ejona86 ejona86 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One quick/important comment. But I'll need to look over this a bit more before merging.

@kannanjgithub kannanjgithub dismissed their stale review August 29, 2025 12:00

Based on Eric's comment.

@Zgoda91 Zgoda91 force-pushed the A65_mtls_creds_in_bootstrap branch from 8248816 to faaa15c Compare September 3, 2025 11:09
ejona86
ejona86 reviewed Sep 4, 2025
View reviewed changes
@Zgoda91 Zgoda91 changed the title [xDS] A65 mTLS credentials in bootstrap [xDS] A65 mTLS credentials in bootstrap (part 2) Sep 10, 2025
@Zgoda91 Zgoda91 force-pushed the A65_mtls_creds_in_bootstrap branch 2 times, most recently from 5a59b20 to 46f7ddc Compare September 10, 2025 14:07
@Zgoda91 Zgoda91 force-pushed the A65_mtls_creds_in_bootstrap branch from 46f7ddc to 434579a Compare September 10, 2025 14:47
@Zgoda91
Copy link
Author

Zgoda91 commented Sep 11, 2025

@ejona86 - PR ready for the third round. Mind that there is a part 1 implemented separately here for visiblity

kannanjgithub
kannanjgithub reviewed Sep 15, 2025
View reviewed changes
xds/src/main/java/io/grpc/xds/internal/TlsXdsCredentialsProvider.java
public final class TlsXdsCredentialsProvider extends XdsCredentialsProvider {
private static final Logger logger = Logger.getLogger(TlsXdsCredentialsProvider.class.getName());
private static final String CREDS_NAME = "tls";
private static final String CERT_FILE_KEY = "certificate_file";
Copy link
Contributor

@kannanjgithub kannanjgithub Sep 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The grfc says implementations should be able to reuse the FileWatcherCertificateProvider. It is a bit more work though - we could do similar to CertProvidersslContextProvider's usage here. (You can see it getting used during XdsClientServerSecurityTest)

  1. passing the plugin name as file_watcher and
  2. Make this class (TlsXdsCredentialsProvider) implement Watcher interface for the Watcher parameter that receives certificate updates
  3. Add the returned Handle to the list of Closeables in ResourceAllocationChannelProvider.
  4. This will require making CertificateProviderStore.Handle public.

@ejona86 WDYT?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're reading C++-isms, which ignore everything that isn't C++. Java has two sets of classes: FileWatcherCertificateProvider and AdvancedTlsX509TrustManager/KeyManager. C++ only has one. I have no desire to use FileWatcherCertificateProvider and the abomination of plumbing to make that work. If anything, we should delete parts of FileWatcherCertificateProvider to use more of AdvancedTlsX509TrustManager/KeyManager (which were created later). The closest code in Java to FileWatcherCertificateProvider for this purpose is AdvancedTlsX509TrustManager/KeyManager.

@ejona86
Copy link
Member

ejona86 commented Sep 30, 2025

Please avoid the rebases until the reviewers agree it is a good time to rebase. I'd much rather have conflicts and be able to know what the new changes are than have to re-review the entire PR.

ejona86
ejona86 reviewed Sep 30, 2025
View reviewed changes
@Zgoda91
Copy link
Author

Zgoda91 commented Oct 14, 2025

@ejona86 - pushed newest changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ejona86 ejona86 ejona86 left review comments

@kannanjgithub kannanjgithub kannanjgithub left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Zgoda91 @ejona86 @kannanjgithub @grpc-kokoro