xds bootstrap: enable using JWT Call Credentials (part 2 for A97) #8536

dimpavloff · 2025-08-22T11:47:30Z

Part two for grpc/proposal#492 (A97). It's stacked on top of #8431

What this PR does is:

update internal/xds/bootstrap with support for loading multiple PerRPCCallCredentials specifed in a new call_creds field in the boostrap file as per A97
adjust xds/internal/xdsclient/clientimpl.goto use the call credentials when constructing the client
update xds/bootstrap to register the jwtcreds call credentials and make them available if GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS is enabled

I have added DialOptionsWithCallCredsForTransport because, even though current and future call credentials are likely to all expect secure transport, I thought it would be safer to check of insecure transport just in case. If you prefer, I can just update DialOptions to use all call credentials regardless of the transport.

Relates to istio/istio#53532

RELEASE NOTES:

xds bootstrap: add support for loading a JWT token from file and use it as Call Credentials (A97). This is guarded by GRPC_EXPERIMENTAL_XDS_BOOTSTRAP_CALL_CREDS

codecov · 2025-08-22T15:10:25Z

Codecov Report

❌ Patch coverage is 93.50000% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.05%. Comparing base (b0bc6dc) to head (5673c18).

Files with missing lines	Patch %	Lines
internal/xds/bootstrap/bootstrap.go	88.88%	3 Missing and 1 partial ⚠️
credentials/jwt/jwt_token_file_call_creds.go	96.29%	2 Missing and 1 partial ⚠️
internal/xds/bootstrap/jwtcreds/bundle.go	88.88%	2 Missing and 1 partial ⚠️
xds/bootstrap/bootstrap.go	0.00%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8536      +/-   ##
==========================================
- Coverage   82.09%   82.05%   -0.05%     
==========================================
  Files         412      415       +3     
  Lines       40453    40652     +199     
==========================================
+ Hits        33211    33355     +144     
- Misses       5869     5919      +50     
- Partials     1373     1378       +5

Files with missing lines	Coverage Δ
credentials/jwt/jwt_file_reader.go	`100.00% <100.00%> (ø)`
internal/xds/xdsclient/clientimpl.go	`82.69% <100.00%> (+0.16%)`	⬆️
xds/bootstrap/credentials.go	`100.00% <100.00%> (ø)`
credentials/jwt/jwt_token_file_call_creds.go	`96.29% <96.29%> (ø)`
internal/xds/bootstrap/jwtcreds/bundle.go	`88.88% <88.88%> (ø)`
xds/bootstrap/bootstrap.go	`70.00% <0.00%> (-30.00%)`	⬇️
internal/xds/bootstrap/bootstrap.go	`67.70% <88.88%> (+2.17%)`	⬆️

... and 18 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

dimpavloff · 2025-08-22T15:14:28Z

xds/bootstrap/bootstrap.go

@@ -58,6 +59,9 @@ func RegisterCredentials(c Credentials) {
 // GetCredentials returns the credentials associated with a given name.
 // If no credentials are registered with the name, nil will be returned.
 func GetCredentials(name string) Credentials {
+	if name == "jwt_token_file" && !envconfig.XDSBootstrapCallCredsEnabled {


FYI, since the convention is to register the credentials via an init() function in xds/bootstrap/credentials.go, it's not possible to opt in or out of the registration there and at the same time to be able to unit test if the feature is guarded by XDSBootstrapCallCredsEnabled. Hence why the check has been moved here.

dimpavloff added 30 commits July 6, 2025 18:47

xds: read JWT credentials from file as per A97

6e63daa

remove example

3268ea5

refactor test creation

b18a1f5

refactor token string padding

eb391af

remove example; mark as experimental

d43893a

reorganise struct attributes

167b86e

rename methods with Locked suffix

439d28c

remove context param from refreshTokenSync

b36d4b6

reformat comments; remove redundant cachedErrorTime field

26e0451

add defaultTestTimeout const

da2de8c

refactor test to use wantErr string only

51ce34c

fix punctuation

f87f1f2

less prosaic subtest names

15dd057

remove unit test

54cbbcb

rename preemptiveRefresh to forceRefresh

9c5035d

remove unused context param

ec915dc

rename files

1d95fa2

use cond variable

a797ed9

refactor to no longer need cond

fd388d1

fix docstring comment

790a2d9

cache authorization header instead of token

6713190

remove internal/ and xds/ changes

3f563eb

remove xds/bootstrap

a38573b

fix comment docstrings

12fedd5

xds: read JWT credentials from file as per A97

2c80eab

comment punctuation

b344fdb

remove leftover

517c6ad

refactor test to use wantErr string only

34689c8

tidy comments

0d5d0a5

Merge remote-tracking branch 'origin/master' into a97-stacked-3

e465e7a

dimpavloff added 2 commits August 22, 2025 13:43

cleanup leftover files after rebase

63ff226

fix merge conflict

5673c18

dimpavloff commented Aug 22, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

xds bootstrap: enable using JWT Call Credentials (part 2 for A97) #8536

xds bootstrap: enable using JWT Call Credentials (part 2 for A97) #8536

dimpavloff commented Aug 22, 2025

Uh oh!

codecov bot commented Aug 22, 2025

Uh oh!

dimpavloff Aug 22, 2025

Uh oh!

Uh oh!

xds bootstrap: enable using JWT Call Credentials (part 2 for A97) #8536

Are you sure you want to change the base?

xds bootstrap: enable using JWT Call Credentials (part 2 for A97) #8536

Conversation

dimpavloff commented Aug 22, 2025

Uh oh!

codecov bot commented Aug 22, 2025

Codecov Report

Uh oh!

dimpavloff Aug 22, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!