@markdroth

No description provided.

htuch pushed a commit to envoyproxy/envoy that referenced this pull request May 31, 2024
This allows using system root certs in gRPC. For details, see grpc/proposal#436.

Risk Level: Low
Testing: N/A
Docs Changes: Included in PR

Signed-off-by: Mark D. Roth <roth@google.com>
update-envoy bot added a commit to envoyproxy/data-plane-api that referenced this pull request May 31, 2024
This allows using system root certs in gRPC. For details, see grpc/proposal#436.

Risk Level: Low
Testing: N/A
Docs Changes: Included in PR

Signed-off-by: Mark D. Roth <roth@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 6364882088d5fce4b39d5ad3d0c0fac51c761b09
@markdroth markdroth merged commit 62a1b7c into grpc:master Jul 9, 2024
@markdroth markdroth deleted the xds_system_root_certs branch July 9, 2024 15:30
copybara-service bot pushed a commit to grpc/grpc that referenced this pull request Jul 12, 2024
As per gRFC A82 (grpc/proposal#436).

Closes #37185

COPYBARA_INTEGRATE_REVIEW=#37185 from markdroth:xds_system_root_certs 9ee1e82
PiperOrigin-RevId: 651896612
eugeneo pushed a commit to eugeneo/grpc that referenced this pull request Jul 22, 2024
As per gRFC A82 (grpc/proposal#436).

Closes grpc#37185

COPYBARA_INTEGRATE_REVIEW=grpc#37185 from markdroth:xds_system_root_certs 9ee1e82
PiperOrigin-RevId: 651896612

### Temporary environment variable protection

Use of the `use_system_root_certs` field in CDS and LDS will be guarded

@ejona86 ejona86 Aug 23, 2024

I'm not sure I noticed that we were going to have different validation for client-side even though this is in a shared message with server-side. Up above it says "Note that LDS validation will be unchanged" which appears to disagree with this line. Only supporting it on client-side might be a bit harder to support, since this is in CommonTlsContext. I agree we don't need it on server-side, but can we add support for it anyway when there is shared code?

Also: s/use_system_root_certs/system_root_certs/

CC @kannanjgithub

Member Author

We did talk about this question specifically before finalizing this gRFC. I had originally intended to support this option on both the client side and server side, just for consistency, but when I went to implement this in C-core, it turned out to be non-trivial, because we don't already have server-side code for using system root certs, so we decided to exclude it.

You're right about the typo. I'll send a separate PR to fix that.

Member Author

Sent #451 to fix this.

sourabhsinghs pushed a commit to sourabhsinghs/grpc that referenced this pull request Sep 26, 2024
As per gRFC A82 (grpc/proposal#436).

Closes grpc#37185

COPYBARA_INTEGRATE_REVIEW=grpc#37185 from markdroth:xds_system_root_certs 9ee1e82
PiperOrigin-RevId: 651896612
paulosjca pushed a commit to paulosjca/grpc that referenced this pull request Nov 25, 2024
As per gRFC A82 (grpc/proposal#436).

Closes grpc#37185

COPYBARA_INTEGRATE_REVIEW=grpc#37185 from markdroth:xds_system_root_certs 9ee1e82
PiperOrigin-RevId: 651896612