- Author(s): @markdroth
- Approver: @ejona86, @dfawley
- Status: {Draft, In Review, Ready for Implementation, Implemented}
- Implemented in: <language, ...>
- Last updated: 2024-07-08
- Discussion at: https://groups.google.com/g/grpc-io/c/BgqeUU0q4fU
We will add a new xDS option to use the system's default root certificates for TLS certificate validation.
Most service mesh workloads use mTLS, as described in gRFC A29. However, there are cases where it is useful for applications to use normal TLS rather than using certificates for workload identity, such as when a mesh wants to move some workloads behind a reverse proxy.
gRPC already has code to find the system root certificates on various platforms. However, there is currently no way for the xDS control plane to tell the client to use that functionality, at least not without the cumbersome setup of duplicating that functionality in a certificate provider config in the xDS bootstrap file.
We have added a `system_root_certs` field to the xDS `CertificateValidationContext` message (see envoyproxy/envoy#34235). In the gRPC client, if this field is present and the `ca_certificate_provider_instance` field is unset, system root certificates will be used for validation.
When processing a CDS resource, we will look at this new field if `ca_certificate_provider_instance` is unset. The parsed CDS resource delivered to the XdsClient watcher will indicate if system root certs should be used. If feasible, the parsed representation should be structured such that it is not possible to indicate both a certificate provider instance and using system root certs, since those options are mutually exclusive.
The new `system_root_certs` field will not be supported on the gRPC server side. If `ca_certificate_provider_instance` is unset and `system_root_certs` is set, the LDS resource will be NACKed.
The xds_cluster_impl LB policy sets the configuration for the XdsCreds functionality based on the CDS resource. We will modify it such that if the CDS resource indicates that system root certs are to be used, it will configure XdsCreds to use system root certs.
The XdsCredentials code will be modified such that if it is configured to use system root certs, it will configure the TlsCreds code to do that.
Use of the `system_root_certs` field in CDS and LDS will be guarded by the `GRPC_EXPERIMENTAL_XDS_SYSTEM_ROOT_CERTS` env var. The env var guard will be removed once the feature passes interop tests.
We already have code in gRPC to find the system root certs for various platforms. We don't want to have to reproduce that functionality in a cert provider impl.
C-core implementation in grpc/grpc#37185.
Will also be implemented in Java, Go, and Node.