A102: xDS GrpcService Support#510
Conversation
|
CC @sergiitk |
| - `envoy.extensions.grpc_service.channel_credentials.local.v3.LocalCredentials` | ||
| - `envoy.extensions.grpc_service.channel_credentials.tls.v3.TlsCredentials`: | ||
| In this message: | ||
| - `root_certificate_provider`: Required. References certificate |
There was a problem hiding this comment.
FYI: supporting the certificate providers here will be a bit hard in Java, because XdsChannelCredentials can delay the initial loading of credentials, but TlsChannelCredentials can't. We'll need to figure out a solution. (But it's not like there's any sensible alternatives, so we just have to figure something out. We'll probably create a new ChannelCredentials type specific to Netty for this.)
As per gRFC A102 (grpc/proposal#510). Closes #41253 PiperOrigin-RevId: 865432750
dfawley
left a comment
There was a problem hiding this comment.
Just a couple small nits & a question whose answer could potentially be explained better in the doc instead of just a response to the comment. But otherwise LGTM.
| [A77]: https://github.com/grpc/proposal/pull/414 | ||
| [A81]: A81-xds-authority-rewriting.md | ||
| [A92]: https://github.com/grpc/proposal/pull/481 | ||
| [A93]: https://github.com/grpc/proposal/pull/484 |
There was a problem hiding this comment.
All these PR links will want to be updated later. :(
Co-authored-by: Doug Fawley <dfawley@google.com>
ejona86
left a comment
There was a problem hiding this comment.
I have comments, but my biggest concern is still the security impact of arbitrary headers. It seems there's not been any discussion on that front.
…p changes for GrpcService (#12492) This commit introduces configuration objects for the external authorization (ExtAuthz) filter and the gRPC service and corresponding translations from XDS proto and Bootstrap. These classes provide a structured, immutable representation of the subset of the configuration defined in the xDS protobuf messages. This PR should mostly now (hopefully ) be compliant with grpc/proposal#510 but without - CallCredentials (since I don't see A97) being implemented yet and would prefer to do it in a followup , we return empty optional) - TlsCredentials( since it's non trivial to construct a TLS credentials object, we throw an exception) - LocalCredentials(Java does't support these, we throw an exception) The main new classes are: - `ExtAuthzConfig`: Represents the configuration for the `ExtAuthz` filter, including settings for the gRPC service, header mutation rules, and other filter behaviors. - `GrpcServiceConfig`: Represents the configuration for a gRPC service, including the target URI, credentials, and other settings. - `HeaderMutationRulesConfig`: Represents the configuration for header mutation rules. - `ChannelCredsConfig` and friends: To allow comparison between credential configuration , to allow caching based on creds which'll be needed in followup PRs for authz and proc. The relevant sections of the spec are - GrpcService: grpc/proposal#510 - ExtAuthz: https://github.com/grpc/proposal/pull/481/files#diff-6bb76a24aa142cc33db9218509688f01b30c8885d2fd8849f164244e68cd54eaR106-R190 This commit also includes parsers to create these configuration objects from the corresponding protobuf messages, as well as unit tests for the new classes.
…p changes for GrpcService (grpc#12492) This commit introduces configuration objects for the external authorization (ExtAuthz) filter and the gRPC service and corresponding translations from XDS proto and Bootstrap. These classes provide a structured, immutable representation of the subset of the configuration defined in the xDS protobuf messages. This PR should mostly now (hopefully ) be compliant with grpc/proposal#510 but without - CallCredentials (since I don't see A97) being implemented yet and would prefer to do it in a followup , we return empty optional) - TlsCredentials( since it's non trivial to construct a TLS credentials object, we throw an exception) - LocalCredentials(Java does't support these, we throw an exception) The main new classes are: - `ExtAuthzConfig`: Represents the configuration for the `ExtAuthz` filter, including settings for the gRPC service, header mutation rules, and other filter behaviors. - `GrpcServiceConfig`: Represents the configuration for a gRPC service, including the target URI, credentials, and other settings. - `HeaderMutationRulesConfig`: Represents the configuration for header mutation rules. - `ChannelCredsConfig` and friends: To allow comparison between credential configuration , to allow caching based on creds which'll be needed in followup PRs for authz and proc. The relevant sections of the spec are - GrpcService: grpc/proposal#510 - ExtAuthz: https://github.com/grpc/proposal/pull/481/files#diff-6bb76a24aa142cc33db9218509688f01b30c8885d2fd8849f164244e68cd54eaR106-R190 This commit also includes parsers to create these configuration objects from the corresponding protobuf messages, as well as unit tests for the new classes.
ejona86
left a comment
There was a problem hiding this comment.
Wonderful! Headers are solved once and for all.
No description provided.