From c691084cdd94e7ddbd6f0ff98bcee86950337a53 Mon Sep 17 00:00:00 2001
From: Pranjali-2501
Date: Mon, 3 Nov 2025 20:35:15 +0000
Subject: [PATCH 1/2] adding server_feature in bootstrap config
---
 internal/xds/bootstrap/bootstrap.go | 13 ++++++++++++
 internal/xds/bootstrap/bootstrap_test.go | 27 ++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
diff --git a/internal/xds/bootstrap/bootstrap.go b/internal/xds/bootstrap/bootstrap.go
index f3960defc7b2..9f63a48d7cd2 100644
--- a/internal/xds/bootstrap/bootstrap.go
+++ b/internal/xds/bootstrap/bootstrap.go
@@ -44,6 +44,7 @@ import (
 const (
 serverFeaturesIgnoreResourceDeletion = "ignore_resource_deletion"
+ serverFeatureTrustedXDSServer = "trusted_xds_server"
 gRPCUserAgentName = "gRPC Go"
 clientFeatureNoOverprovisioning = "envoy.lb.does_not_support_overprovisioning"
 clientFeatureResourceWrapper = "xds.config.resource-in-sotw"
@@ -256,6 +257,18 @@ func (sc *ServerConfig) ServerFeaturesIgnoreResourceDeletion() bool {
 return false
 }
+// ServerFeaturesTrustedXDSServer returns true if this server is trusted,
+// and gRPC should accept security-config-affecting fields from the server
+// as described in gRFC A81.
+func (sc *ServerConfig) ServerFeaturesTrustedXDSServer() bool {
+ for _, sf := range sc.serverFeatures {
+ if sf == serverFeatureTrustedXDSServer {
+ return true
+ }
+ }
+ return false
+}
+
 // SelectedChannelCreds returns the selected credentials configuration for
 // communicating with this server.
 func (sc *ServerConfig) SelectedChannelCreds() ChannelCreds {
diff --git a/internal/xds/bootstrap/bootstrap_test.go b/internal/xds/bootstrap/bootstrap_test.go
index 4d5de6ccd9fb..3e4ab08e36e4 100644
--- a/internal/xds/bootstrap/bootstrap_test.go
+++ b/internal/xds/bootstrap/bootstrap_test.go
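Review bot: The new constant `serverFeatureTrustedXDSServer` (hunk at line 44) uses a singular `serverFeature` prefix while its sibling `serverFeaturesIgnoreResourceDeletion` and the new accessor `ServerFeaturesTrustedXDSServer` (hunk at line 257) both use the plural, so one side should be renamed, e.g. `serverFeaturesTrustedXDSServer = "trusted_xds_server"`. The accessor's loop appears to duplicate the scan that `ServerFeaturesIgnoreResourceDeletion` does just above it (that body is outside the hunk); a shared unexported helper with both accessors reduced to a one-line call would keep the two checks identical as further per-server features are added, and `slices.Contains` could replace the loop if the file already imports `slices`. Because this flag is what lets the client accept security-config-affecting fields from a control plane, the doc comment could also spell out the operator precondition, e.g. `// Operators should enable this feature only for servers whose identity is authenticated by the configured channel_creds.`
```go
// hasServerFeature reports whether name appears in this server's
// server_features list from the bootstrap config.
func (sc *ServerConfig) hasServerFeature(name string) bool {
	for _, sf := range sc.serverFeatures {
		if sf == name {
			return true
		}
	}
	return false
}

// ServerFeaturesTrustedXDSServer returns true if this server is trusted,
// and gRPC should accept security-config-affecting fields from the server
// as described in gRFC A81.
func (sc *ServerConfig) ServerFeaturesTrustedXDSServer() bool {
	return sc.hasServerFeature(serverFeatureTrustedXDSServer)
}
// … unchanged: SelectedChannelCreds …
```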
@@ -267,6 +267,22 @@ var (
 "server_features" : ["xds_v3"]
 }]
 }`,
+ "serverSupportsTrustedXDSServer": `
+ {
+ "node": {
+ "id": "ENVOY_NODE_ID",
+ "metadata": {
+ "TRAFFICDIRECTOR_GRPC_HOSTNAME": "trafficdirector"
+ }
+ },
+ "xds_servers" : [{
+ "server_uri": "trafficdirector.googleapis.com:443",
+ "channel_creds": [
+ { "type": "google_default" }
+ ],
+ "server_features" : ["trusted_xds_server", "xds_v3"]
+ }]
+ }`,
 }
 metadata = &structpb.Struct{
 Fields: map[string]*structpb.Value{
@@ -338,6 +354,16 @@ var (
 node: v3Node,
 clientDefaultListenerResourceNameTemplate: "%s",
 }
+ configWithGoogleDefaultCredsAndTrustedXDSServer = &Config{
+ xDSServers: []*ServerConfig{{
+ serverURI: "trafficdirector.googleapis.com:443",
+ channelCreds: []ChannelCreds{{Type: "google_default"}},
+ serverFeatures: []string{"trusted_xds_server", "xds_v3"},
+ selectedChannelCreds: ChannelCreds{Type: "google_default"},
+ }},
+ node: v3Node,
+ clientDefaultListenerResourceNameTemplate: "%s",
+ }
 configWithGoogleDefaultCredsAndNoServerFeatures = &Config{
 xDSServers: []*ServerConfig{{
 serverURI: "trafficdirector.googleapis.com:443",
@@ -539,6 +565,7 @@ func (s) TestGetConfiguration_Success(t *testing.T) {
 {"goodBootstrap", configWithGoogleDefaultCredsAndV3},
 {"multipleXDSServers", configWithMultipleServers},
 {"serverSupportsIgnoreResourceDeletion", configWithGoogleDefaultCredsAndIgnoreResourceDeletion},
+ {"serverSupportsTrustedXDSServer", configWithGoogleDefaultCredsAndTrustedXDSServer},
 {"istioStyleInsecureWithoutCallCreds", configWithIstioStyleNoCallCreds},
 }
From a421a01c046ac395f5efd147f0c82b244a9650c9 Mon Sep 17 00:00:00 2001
From: Pranjali-2501
Date: Mon, 3 Nov 2025 21:25:41 +0000
Subject: [PATCH 2/2] resolving vets
---
 internal/xds/bootstrap/bootstrap_test.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/internal/xds/bootstrap/bootstrap_test.go b/internal/xds/bootstrap/bootstrap_test.go
index 3e4ab08e36e4..0dd87416a30c 100644
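Review bot: Nothing in the new test material exercises the accessor itself: the `serverSupportsTrustedXDSServer` row added to `TestGetConfiguration_Success` (third hunk, line 565) only checks that the `trusted_xds_server` string survives parsing into `serverFeatures`, and as far as this patch shows nothing asserts what `ServerFeaturesTrustedXDSServer()` returns. A small table test over a `ServerConfig` with the feature, without any features, and with only an unrelated feature such as `xds_v3` would pin both the true and false paths and catch a later typo in the constant. The fixtures otherwise mirror the existing `ignore_resource_deletion` cases, which is the right shape. The `var (` blocks and the test function these hunks sit in start and end outside the hunks.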
--- a/internal/xds/bootstrap/bootstrap_test.go
+++ b/internal/xds/bootstrap/bootstrap_test.go
@@ -356,9 +356,9 @@ var (
 }
 configWithGoogleDefaultCredsAndTrustedXDSServer = &Config{
 xDSServers: []*ServerConfig{{
- serverURI: "trafficdirector.googleapis.com:443",
- channelCreds: []ChannelCreds{{Type: "google_default"}},
- serverFeatures: []string{"trusted_xds_server", "xds_v3"},
+ serverURI: "trafficdirector.googleapis.com:443",
+ channelCreds: []ChannelCreds{{Type: "google_default"}},
+ serverFeatures: []string{"trusted_xds_server", "xds_v3"},
 selectedChannelCreds: ChannelCreds{Type: "google_default"},
 }},
 node: v3Node,