Skip to content

A102: xDS GrpcService Support#510

Open
markdroth wants to merge 19 commits into
grpc:masterfrom
markdroth:xds_grpc_service
Open

A102: xDS GrpcService Support#510
markdroth wants to merge 19 commits into
grpc:masterfrom
markdroth:xds_grpc_service

Conversation

@markdroth

Copy link
Copy Markdown
Member

No description provided.

@markdroth markdroth requested review from dfawley and ejona86 August 22, 2025 00:01
@markdroth

Copy link
Copy Markdown
Member Author

CC @sergiitk

Comment thread A102-xds-grpc-service.md
Comment thread A102-xds-grpc-service.md
Comment thread A102-xds-grpc-service.md
Comment thread A102-xds-grpc-service.md
- `envoy.extensions.grpc_service.channel_credentials.local.v3.LocalCredentials`
- `envoy.extensions.grpc_service.channel_credentials.tls.v3.TlsCredentials`:
In this message:
- `root_certificate_provider`: Required. References certificate

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: supporting the certificate providers here will be a bit hard in Java, because XdsChannelCredentials can delay the initial loading of credentials, but TlsChannelCredentials can't. We'll need to figure out a solution. (But it's not like there's any sensible alternatives, so we just have to figure something out. We'll probably create a new ChannelCredentials type specific to Netty for this.)

Comment thread A102-xds-grpc-service.md
ctiller pushed a commit to grpc/grpc that referenced this pull request Feb 4, 2026
As per gRFC A102 (grpc/proposal#510).

Closes #41253

PiperOrigin-RevId: 865432750

@dfawley dfawley left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple small nits & a question whose answer could potentially be explained better in the doc instead of just a response to the comment. But otherwise LGTM.

Comment thread A102-xds-grpc-service.md
Comment on lines +38 to +41
[A77]: https://github.com/grpc/proposal/pull/414
[A81]: A81-xds-authority-rewriting.md
[A92]: https://github.com/grpc/proposal/pull/481
[A93]: https://github.com/grpc/proposal/pull/484

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All these PR links will want to be updated later. :(

Comment thread A102-xds-grpc-service.md
Comment thread A102-xds-grpc-service.md Outdated
Comment thread A102-xds-grpc-service.md Outdated

@ejona86 ejona86 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have comments, but my biggest concern is still the security impact of arbitrary headers. It seems there's not been any discussion on that front.

Comment thread A102-xds-grpc-service.md
Comment thread A102-xds-grpc-service.md Outdated
Comment thread A102-xds-grpc-service.md Outdated
Comment thread A102-xds-grpc-service.md
Comment thread A102-xds-grpc-service.md
Comment thread A102-xds-grpc-service.md Outdated
Comment thread A102-xds-grpc-service.md Outdated
Comment thread A102-xds-grpc-service.md
kannanjgithub pushed a commit to grpc/grpc-java that referenced this pull request Apr 2, 2026
…p changes for GrpcService (#12492)

This commit introduces configuration objects for the external
authorization (ExtAuthz) filter and the gRPC service and corresponding
translations from XDS proto and Bootstrap. These classes provide a
structured, immutable representation of the subset of the configuration
defined in the xDS protobuf messages.

This PR should mostly now (hopefully ) be compliant with
grpc/proposal#510 but without
- CallCredentials (since I don't see A97) being implemented yet and
would prefer to do it in a followup , we return empty optional)
- TlsCredentials( since it's non trivial to construct a TLS credentials
object, we throw an exception)
- LocalCredentials(Java does't support these, we throw an exception)

The main new classes are:
- `ExtAuthzConfig`: Represents the configuration for the `ExtAuthz`
filter, including settings for the gRPC service, header mutation rules,
and other filter behaviors.
- `GrpcServiceConfig`: Represents the configuration for a gRPC service,
including the target URI, credentials, and other settings.
- `HeaderMutationRulesConfig`: Represents the configuration for header
mutation rules.
- `ChannelCredsConfig` and friends: To allow comparison between
credential configuration , to allow caching based on creds which'll be
needed in followup PRs for authz and proc.

The relevant sections of the spec are 
- GrpcService: grpc/proposal#510
- ExtAuthz:
https://github.com/grpc/proposal/pull/481/files#diff-6bb76a24aa142cc33db9218509688f01b30c8885d2fd8849f164244e68cd54eaR106-R190

This commit also includes parsers to create these configuration objects
from the corresponding protobuf messages, as well as unit tests for the
new classes.
kannanjgithub pushed a commit to kannanjgithub/grpc-java that referenced this pull request May 4, 2026
…p changes for GrpcService (grpc#12492)

This commit introduces configuration objects for the external
authorization (ExtAuthz) filter and the gRPC service and corresponding
translations from XDS proto and Bootstrap. These classes provide a
structured, immutable representation of the subset of the configuration
defined in the xDS protobuf messages.

This PR should mostly now (hopefully ) be compliant with
grpc/proposal#510 but without
- CallCredentials (since I don't see A97) being implemented yet and
would prefer to do it in a followup , we return empty optional)
- TlsCredentials( since it's non trivial to construct a TLS credentials
object, we throw an exception)
- LocalCredentials(Java does't support these, we throw an exception)

The main new classes are:
- `ExtAuthzConfig`: Represents the configuration for the `ExtAuthz`
filter, including settings for the gRPC service, header mutation rules,
and other filter behaviors.
- `GrpcServiceConfig`: Represents the configuration for a gRPC service,
including the target URI, credentials, and other settings.
- `HeaderMutationRulesConfig`: Represents the configuration for header
mutation rules.
- `ChannelCredsConfig` and friends: To allow comparison between
credential configuration , to allow caching based on creds which'll be
needed in followup PRs for authz and proc.

The relevant sections of the spec are
- GrpcService: grpc/proposal#510
- ExtAuthz:
https://github.com/grpc/proposal/pull/481/files#diff-6bb76a24aa142cc33db9218509688f01b30c8885d2fd8849f164244e68cd54eaR106-R190

This commit also includes parsers to create these configuration objects
from the corresponding protobuf messages, as well as unit tests for the
new classes.

@ejona86 ejona86 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wonderful! Headers are solved once and for all.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants