feat(tonic-xds): gRFC A29 TLS foundation - cert provider & control plane TLS#2593
Merged
Conversation
gu0keno0
reviewed
Apr 17, 2026
gu0keno0
reviewed
Apr 17, 2026
gu0keno0
reviewed
Apr 17, 2026
gu0keno0
reviewed
Apr 17, 2026
gu0keno0
approved these changes
Apr 21, 2026
YutaoMa
added a commit
that referenced
this pull request
May 12, 2026
## Motivation Ref: #2444 Continues the gRFC A29 (xDS-Based TLS Security) work in `tonic-xds`. The cert provider foundation merged in #2593 gives us a pluggable source of trust roots and identity. The next step toward end-to-end mTLS in the data plane is to parse the cluster's TLS config from xDS, validate server certs against the configured trust roots, and apply SAN matching on top of WebPKI chain validation. This PR adds the building blocks for that validation. Integration with the connector factory is deferred to a follow-up PR — see below. ## Solution - **StringMatcher extraction** (`xds/resource/string_matcher.rs`): pulled out of `routing.rs` so it can be reused. The SAN matcher uses it for the string-comparison primitives. - **UpstreamTlsContext parsing** (`xds/resource/security.rs`): parses `envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext` into a typed config. - **SAN matcher** (`xds/resource/san_matcher.rs`): RFC 6125 wildcard DNS matching, RFC 5952 IP canonicalization, plus URI, EMAIL, and OTHER_NAME paths matching using the above extracted `StringMatcher`. - **A29 `ServerCertVerifier`** (`xds/cert_provider/verifier.rs`): wraps `WebPkiServerVerifier` and applies SAN matching after standard chain validation. Sources trust roots from the existing `CertProviderRegistry`. All new types are tested in isolation against synthetic certs. ### Why integration is deferred The tonic-side hook for installing a custom rustls `ServerCertVerifier` on a `Channel` is still in flight as #2612. Without that API, the verifier can't be wired into the per-cluster connector from a downstream crate. --------- Co-authored-by: Jeff Jiang <jefjiang@linkedin.com>
YutaoMa
added a commit
that referenced
this pull request
May 26, 2026
## Motivation Ref: #2444 Closes out gRFC A29 (xDS-Based TLS Security) in `tonic-xds`. The cert provider foundation merged in #2593 and #2616 left the connector integration deferred — its pre-req `Endpoint::tls_config_with_verifier` landed in #2612. With that hook available, this PR wires up the per-cluster TLS connector. ## Solution Five commits, each independently reviewable: - `file_watcher` background refresh. - Eager cert parsing in cert provider, verifier access it per handshake. - Atomically swap `Connector` on CDS update. Existing endpoint channels keep their connector; new connections pick up the latest. Invalid CDS updates are logged and the previous-good connector is kept. - **Data-plane `TlsConnector`** — for clusters with `Some(security)`, the connector holds the A29 verifier plus an optional identity provider (mTLS). `connect()` fetches identity per call, assembles a `ClientTlsConfig`, and builds the endpoint. - Docs + dead_code cleanup
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Ref: #2444
PR 1 of 3 to implement gRFC A29 xDS TLS security support in
tonic-xds.Solution
CertificateProvidertrait and outlinefile_watcherplugin with its config shape. Background file watch refresher is not implemented yet.xds-clientandtonic-xds. Allow optional use of one of the crypto backends fromtonic.TonicTransportBuilderwithwith_tls_config()to allow subsequent TLS changes.certificate_providersand enable TLS in xDS connection to xDS management server conditionally. Currently because the file watcher is not fully implemented, the setup only enables TLS with system root CA only, no custom certs yet.Next Steps
Two more PRs are in plan to complete A29:
UpstreamTlsContextand SAN matching.file_watcher.