[Security][XDS] Support Verification with SPIFFE Bundle Maps#40321
Closed
gtcooke94 wants to merge 29 commits intogrpc:masterfrom
Closed
[Security][XDS] Support Verification with SPIFFE Bundle Maps#40321gtcooke94 wants to merge 29 commits intogrpc:masterfrom
gtcooke94 wants to merge 29 commits intogrpc:masterfrom
Conversation
yashykt
reviewed
Jul 28, 2025
| "No spiffe bundle found for trust domain %s", trust_domain)); | ||
| } | ||
|
|
||
| } // namespace grpc_core No newline at end of file |
test/cpp/end2end/BUILD
Outdated
| "//test/core/test_util:grpc_test_util", | ||
| "//test/cpp/util:test_util", | ||
| ], | ||
| ) No newline at end of file |
| const auto result = RUN_ALL_TESTS(); | ||
| grpc_shutdown(); | ||
| return result; | ||
| } No newline at end of file |
matthewstevenson88
approved these changes
Jul 29, 2025
Contributor
matthewstevenson88
left a comment
There was a problem hiding this comment.
Thanks for the PR! I already did a review when this was on your personal branch (linked below for posterity). LGTM, modulo a few small nits I noticed while doing a final pass on the PR.
Automated fix for refs/heads/spiffe_verification
Contributor
matthewstevenson88
left a comment
There was a problem hiding this comment.
Per request, did a review pass of the newly-added tests. No major concerns, just some nits and clarification suggestions. Deferring to Yash to review the xds_security_spiffe_end2end_test.cc file, as I am not qualified to review for the XDS logic.
pawbhard
approved these changes
Aug 9, 2025
Contributor
pawbhard
left a comment
There was a problem hiding this comment.
LGTM, from xds e2e test side .added some nit commrnts
test/cpp/end2end/xds/BUILD
Outdated
| "absl/log:check", | ||
| "gtest", | ||
| ], | ||
| # flaky = True, # TODO(b/144705388) |
test/cpp/end2end/xds/BUILD
Outdated
| "no_test_ios", | ||
| "no_windows", | ||
| "xds_end2end_test", | ||
| ], # TODO(jtattermusch): fix test on windows |
Contributor
There was a problem hiding this comment.
Does it need to fix on windows, or copy-paste ?
If yes add TODO on your name or existing person name
Contributor
Author
There was a problem hiding this comment.
Copy paste, removing TODO
| @@ -0,0 +1,38 @@ | |||
| All of the following files in this directory except `server_spiffebundle.json` | |||
| and `client_spiffebundle.json` are generated with the `generate.sh` and | |||
| `generate_intermediate.sh` script in this directory. | |||
Contributor
There was a problem hiding this comment.
nit: Do we need to generate them again , if yes when ? Should we add that in this README?
Contributor
Author
There was a problem hiding this comment.
Added, not sure the exact date, I believe the scripts usually do 10 years for cert expiry
| } | ||
|
|
||
| grpc_core::UniqueTypeName type() const override { | ||
| static grpc_core::UniqueTypeName::Factory kFactory("fake"); |
Contributor
There was a problem hiding this comment.
nit : use GRPC_UNIQUE_TYPE_NAME_HERE()
|
|
||
| private: | ||
| int CompareImpl(const grpc_tls_certificate_provider* other) const override { | ||
| // TODO(yashykt): Maybe do something better here. |
Contributor
There was a problem hiding this comment.
Maybe add TODO to yourself or existing gRPC member .
Same for rest of the PR
Contributor
Author
There was a problem hiding this comment.
These were copy paste TODOs, just removed them
| identity_pair_ = ReadTlsIdentityPair(kClientKeyPath, kClientCertPath); | ||
|
|
||
| // TODO(yashykt): Use different client certs here instead of reusing | ||
| // server certs after https://github.com/grpc/grpc/pull/24876 is merged |
eugeneo
pushed a commit
to eugeneo/grpc
that referenced
this pull request
Aug 11, 2025
) This PR adds APIs discussed in grpc/proposal#506 and https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md to support verification with SPIFFE Bundle Map roots. RELEASE NOTES: * Adds support for SPIFFE Bundle Maps in as roots of trust per [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md) and [gRFC L127](grpc/proposal#506) Closes grpc#40321 COPYBARA_INTEGRATE_REVIEW=grpc#40321 from gtcooke94:spiffe_verification 6ddc24e PiperOrigin-RevId: 793688101
gtcooke94
added a commit
to gtcooke94/grpc
that referenced
this pull request
Aug 14, 2025
…rpc#40321)" This reverts commit 65cdfba.
copybara-service bot
pushed a commit
that referenced
this pull request
Aug 18, 2025
Roll forward #40321 with fixes relating to OpenSSL 1.0.2 This roll forward fixes two things broken by the original commit: * OpenSSL 1.0.2 compatibility - `X509_up_ref` is not in 1.0.2, so `CRYPTO_add` is used along with compiler directives. * The macOS tests flatten trust bundles, and two files in different directories were both named `ca.pem` in the new `spiffe_bundle_map_end2end_test.cc`. One was from the existing test that this new test file was modeled after and was not needed, so it was removed from the BUILD file resolving the double naming conflict. Closes #40476 COPYBARA_INTEGRATE_REVIEW=#40476 from gtcooke94:spiffe_roll_forward e30b7e4 PiperOrigin-RevId: 796537764
gtcooke94
added a commit
to gtcooke94/grpc
that referenced
this pull request
Aug 21, 2025
Roll forward grpc#40321 with fixes relating to OpenSSL 1.0.2 This roll forward fixes two things broken by the original commit: * OpenSSL 1.0.2 compatibility - `X509_up_ref` is not in 1.0.2, so `CRYPTO_add` is used along with compiler directives. * The macOS tests flatten trust bundles, and two files in different directories were both named `ca.pem` in the new `spiffe_bundle_map_end2end_test.cc`. One was from the existing test that this new test file was modeled after and was not needed, so it was removed from the BUILD file resolving the double naming conflict. Closes grpc#40476 COPYBARA_INTEGRATE_REVIEW=grpc#40476 from gtcooke94:spiffe_roll_forward e30b7e4 PiperOrigin-RevId: 796537764
asheshvidyut
pushed a commit
to asheshvidyut/grpc
that referenced
this pull request
Aug 22, 2025
Roll forward grpc#40321 with fixes relating to OpenSSL 1.0.2 This roll forward fixes two things broken by the original commit: * OpenSSL 1.0.2 compatibility - `X509_up_ref` is not in 1.0.2, so `CRYPTO_add` is used along with compiler directives. * The macOS tests flatten trust bundles, and two files in different directories were both named `ca.pem` in the new `spiffe_bundle_map_end2end_test.cc`. One was from the existing test that this new test file was modeled after and was not needed, so it was removed from the BUILD file resolving the double naming conflict. Closes grpc#40476 COPYBARA_INTEGRATE_REVIEW=grpc#40476 from gtcooke94:spiffe_roll_forward e30b7e4 PiperOrigin-RevId: 796537764
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Aug 23, 2025
) This PR adds APIs discussed in grpc/proposal#506 and https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md to support verification with SPIFFE Bundle Map roots. RELEASE NOTES: * Adds support for SPIFFE Bundle Maps in as roots of trust per [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md) and [gRFC L127](grpc/proposal#506) Closes grpc#40321 COPYBARA_INTEGRATE_REVIEW=grpc#40321 from gtcooke94:spiffe_verification 6ddc24e PiperOrigin-RevId: 793688101
paulosjca
pushed a commit
to paulosjca/grpc
that referenced
this pull request
Aug 23, 2025
Roll forward grpc#40321 with fixes relating to OpenSSL 1.0.2 This roll forward fixes two things broken by the original commit: * OpenSSL 1.0.2 compatibility - `X509_up_ref` is not in 1.0.2, so `CRYPTO_add` is used along with compiler directives. * The macOS tests flatten trust bundles, and two files in different directories were both named `ca.pem` in the new `spiffe_bundle_map_end2end_test.cc`. One was from the existing test that this new test file was modeled after and was not needed, so it was removed from the BUILD file resolving the double naming conflict. Closes grpc#40476 COPYBARA_INTEGRATE_REVIEW=grpc#40476 from gtcooke94:spiffe_roll_forward e30b7e4 PiperOrigin-RevId: 796537764
asheshvidyut
pushed a commit
to asheshvidyut/grpc
that referenced
this pull request
Sep 12, 2025
) This PR adds APIs discussed in grpc/proposal#506 and https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md to support verification with SPIFFE Bundle Map roots. RELEASE NOTES: * Adds support for SPIFFE Bundle Maps in as roots of trust per [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md) and [gRFC L127](grpc/proposal#506) Closes grpc#40321 COPYBARA_INTEGRATE_REVIEW=grpc#40321 from gtcooke94:spiffe_verification 6ddc24e PiperOrigin-RevId: 793688101
asheshvidyut
pushed a commit
to asheshvidyut/grpc
that referenced
this pull request
Sep 12, 2025
Roll forward grpc#40321 with fixes relating to OpenSSL 1.0.2 This roll forward fixes two things broken by the original commit: * OpenSSL 1.0.2 compatibility - `X509_up_ref` is not in 1.0.2, so `CRYPTO_add` is used along with compiler directives. * The macOS tests flatten trust bundles, and two files in different directories were both named `ca.pem` in the new `spiffe_bundle_map_end2end_test.cc`. One was from the existing test that this new test file was modeled after and was not needed, so it was removed from the BUILD file resolving the double naming conflict. Closes grpc#40476 COPYBARA_INTEGRATE_REVIEW=grpc#40476 from gtcooke94:spiffe_roll_forward e30b7e4 PiperOrigin-RevId: 796537764
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR adds APIs discussed in grpc/proposal#506 and https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md to support verification with SPIFFE Bundle Map roots.
RELEASE NOTES: