Skip to content

feat(tonic-xds): gRFC A29 TLS foundation - cert provider & control plane TLS#2593

Merged
YutaoMa merged 5 commits into
grpc:masterfrom
YutaoMa:ytma/a29-tls-foundation
Apr 21, 2026
Merged

feat(tonic-xds): gRFC A29 TLS foundation - cert provider & control plane TLS#2593
YutaoMa merged 5 commits into
grpc:masterfrom
YutaoMa:ytma/a29-tls-foundation

Conversation

@YutaoMa

@YutaoMa YutaoMa commented Apr 15, 2026

Copy link
Copy Markdown
Contributor

Motivation

Ref: #2444

PR 1 of 3 to implement gRFC A29 xDS TLS security support in tonic-xds.

Solution

  1. Add CertificateProvider trait and outline file_watcher plugin with its config shape. Background file watch refresher is not implemented yet.
  2. Feature flags gating setup in xds-client and tonic-xds. Allow optional use of one of the crypto backends from tonic.
  3. Extend TonicTransportBuilder with with_tls_config() to allow subsequent TLS changes.
  4. Parse bootstrap certificate_providers and enable TLS in xDS connection to xDS management server conditionally. Currently because the file watcher is not fully implemented, the setup only enables TLS with system root CA only, no custom certs yet.

Next Steps

Two more PRs are in plan to complete A29:

  1. PR 2: data-plane endpoint connection TLS support, by supporting CDS UpstreamTlsContext and SAN matching.
  2. PR 3: Background cert refresh to complete file_watcher.

@YutaoMa YutaoMa marked this pull request as ready for review April 16, 2026 21:39
@gu0keno0 gu0keno0 self-requested a review April 16, 2026 21:42
Comment thread tonic-xds/src/xds/cert_provider/file_watcher.rs
Comment thread tonic-xds/src/xds/cert_provider/file_watcher.rs Outdated
Comment thread tonic-xds/src/xds/cert_provider/mod.rs Outdated
Comment thread tonic-xds/src/xds/cert_provider/file_watcher.rs
@YutaoMa YutaoMa merged commit 9cef196 into grpc:master Apr 21, 2026
21 checks passed
YutaoMa added a commit that referenced this pull request May 12, 2026
## Motivation

Ref: #2444

Continues the gRFC A29 (xDS-Based TLS Security) work in `tonic-xds`. The
cert provider foundation merged in #2593 gives us a pluggable source of
trust roots and identity. The next step toward end-to-end mTLS in the
data plane is to parse the cluster's TLS config from xDS, validate
server certs against the configured trust roots, and apply SAN matching
on top of WebPKI chain validation.

This PR adds the building blocks for that validation. Integration with
the
connector factory is deferred to a follow-up PR — see below.

## Solution

- **StringMatcher extraction** (`xds/resource/string_matcher.rs`):
pulled out of `routing.rs` so it can be reused. The SAN matcher uses it
for the string-comparison primitives.
- **UpstreamTlsContext parsing** (`xds/resource/security.rs`): parses
`envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext` into a
typed config.
- **SAN matcher** (`xds/resource/san_matcher.rs`): RFC 6125 wildcard DNS
matching, RFC 5952 IP canonicalization, plus URI, EMAIL, and OTHER_NAME
paths matching using the above extracted `StringMatcher`.
- **A29 `ServerCertVerifier`** (`xds/cert_provider/verifier.rs`): wraps
`WebPkiServerVerifier` and applies SAN matching after standard chain
validation. Sources trust roots from the existing
`CertProviderRegistry`.

All new types are tested in isolation against synthetic certs.

### Why integration is deferred

The tonic-side hook for installing a custom rustls `ServerCertVerifier`
on a `Channel` is still in flight as #2612. Without that API, the
verifier can't be wired into the per-cluster connector from a downstream
crate.

---------

Co-authored-by: Jeff Jiang <jefjiang@linkedin.com>
YutaoMa added a commit that referenced this pull request May 26, 2026
## Motivation

Ref: #2444

Closes out gRFC A29 (xDS-Based TLS Security) in `tonic-xds`. The cert
provider foundation merged in #2593 and #2616 left the connector
integration deferred — its pre-req `Endpoint::tls_config_with_verifier`
landed in #2612.

With that hook available, this PR wires up the per-cluster TLS
connector.

## Solution

Five commits, each independently reviewable:

- `file_watcher` background refresh.
- Eager cert parsing in cert provider, verifier access it per handshake.
- Atomically swap `Connector` on CDS update. Existing endpoint channels
keep their connector; new connections pick up the latest. Invalid CDS
updates are logged and the previous-good connector is kept.
- **Data-plane `TlsConnector`** — for clusters with `Some(security)`,
the connector holds the A29 verifier plus an optional identity provider
(mTLS). `connect()` fetches identity per call, assembles a
`ClientTlsConfig`, and builds the endpoint.
- Docs + dead_code cleanup
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants