xds: implement :authority header rewriting in xds_cluster_impl LB policy (gRFC A81)

[Pranjali-2501]

This PR implements the xDS :authority header rewriting feature as specified in gRFC A81

Key Changes:

• xds_cluster_impl LB Policy:

  • Updated the Picker to check for the auto_host_rewrite flag (passed via ConfigSelector).
  • If enabled, the picker retrieves the hostname attribute from the subchannel .
  • The picker populates the Metadata field in PickResult with the new :authority value.

• changes in stream.go:

  • Updated stream.go to inspect the PickResult metadata. If an :authority override is present and the user has not explicitly set an authority via CallOption, the callHdr.Authority is updated with hostname.

• PR relies on the following changes already merged:

  • Bootstrap config change (xds/bootstrap: add trusted_xds_server server feature #8692): Added the trusted_xds_server server feature to the bootstrap configuration.
  • xDS resource validation (xdsclient/xdsresource: add AutoHostRewrite and Endpoint Hostname support #8728): Implemented validation and extraction of the auto_host_rewrite field from RDS resources and the hostname field from EDS resources.
  • Endpoint Structure (xds: refactor xdsresource.Endpoint to add resolver.Endpoint (gRFC A81) #8750): Refactored xdsresource.Endpoint to use resolver.Endpoint, ensuring that attributes (like the endpoint's hostname) are correctly stored and accessible to the picker.
  • xDS ConfigSelector changes (xds/resolver: pass route's auto_host_rewrite to LB picker (gRFC A81) #8740): Updated the xDS resolver to propagate the auto_host_rewrite flag from the Route Configuration to the Load Balancer via the ConfigSelector.

RELEASE NOTES:

• xDS: Added support for the :authority rewriting (gRFC A81). When autoHostRewrite is enabled in the xDS RouteConfiguration, the client will rewrite the HTTP/2 :authority header to the value of the selected endpoint's hostname.

[codecov]

Codecov Report

❌ Patch coverage is 90.90909% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.40%. Comparing base (6ed8acb) to head (0856922).
⚠️ Report is 5 commits behind head on master.

Files with missing lines	Patch %	Lines
internal/xds/balancer/clusterimpl/picker.go	80.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##           master    #8779    +/-   ##
========================================
  Coverage   83.39%   83.40%            
========================================
  Files         419      418     -1     
  Lines       32566    32910   +344     
========================================
+ Hits        27159    27449   +290     
- Misses       4023     4072    +49     
- Partials     1384     1389     +5     

Files with missing lines	Coverage Δ
internal/testutils/xds/e2e/bootstrap.go	70.11% <100.00%> (+0.34%)	⬆️
internal/testutils/xds/e2e/clientresources.go	97.80% <100.00%> (+<0.01%)	⬆️
internal/transport/transport.go	88.70% <ø> (ø)
internal/xds/balancer/clusterimpl/clusterimpl.go	83.87% <100.00%> (+0.15%)	⬆️
internal/xds/resolver/serviceconfig.go	88.14% <100.00%> (+0.08%)	⬆️
...nternal/xds/xdsclient/xdsresource/unmarshal_eds.go	94.73% <100.00%> (+1.97%)	⬆️
stream.go	81.63% <100.00%> (+0.06%)	⬆️
internal/xds/balancer/clusterimpl/picker.go	95.12% <80.00%> (-2.29%)	⬇️

... and 32 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[easwars]

Since this PR completes the implementation for the gRFC, this should probably contain a release note.

[easwars]

Make this const?

[Pranjali-2501]

Done.

[easwars]

Nit: nix newline

[Pranjali-2501]

Done.

[easwars]

Why do you need to set this to true?

[Pranjali-2501]

Update the test to use xdsCreds instead of tlsCreds.

[easwars]

I don't understand this. Why is the client presenting the serverCert and using x509/client_ca_cert.pem as the root cert to validate the server?

[Pranjali-2501]

This was not correct.

I have updated the test to use xdsCreds instead of directly using tlsConfig.

[easwars]

Can we also actually check if the RPC fails when:

• the host name override is not specified (as the test does not specify a serverNameOverride in the TLS creds)
• the host name override is invalid (i.e., is expected to be rejected by the TLS creds)

[easwars]

I think what you might need is the following:

• A server TLS credentials, where the certificate is presented for a domain name like x.test.exmaple.com
• A client TLS credentials, where the roots are set to x509/server_ca_cert.pem, and the serverNameOverride is set to something like *.test.example.com
• Send an xDS resource where the authority overwrite is set to x.test.exmaple.com and verify the connection works
• Send an xDS resource where the authority overwrite is set to y.test.exmaple.com and verify the connection fails. This failure should be because the TLS handshake fails.
• Send an xDS resource where the authority overwrite is set to xyz.exmaple.com and verify the connection fails. This failure should be because the TLS creds rejects the authority override.

[Pranjali-2501]

I have updated the test and check both cases with valid authority and invalid authorityxyz.exmaple.com.

Send an xDS resource where the authority overwrite is set to y.test.exmaple.com and verify the connection fails. This failure should be because the TLS handshake fails.

Test is using the xdsCreds which will use InsecureSkipVerify while configuring tlsConfig to skip the tls handshake check. So, I don't think we can test that case now.

[arjan-bal]

I don't think the authority override configuration should/will cause TLS handshakes to fail. The authority header is part of the HTTP/2 header frame that is sent after the transport credentials have already completed hanshaking.

The interaction b/w the transport credentials and the authority override is this: The transport credentials must validate the authority override header:

grpc-go/internal/transport/http2_client.go

Lines 767 to 778 in 88ac703

	if callHdr.Authority != "" {
	auth, ok := t.authInfo.(credentials.AuthorityValidator)
	if !ok {
	return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "credentials type %q does not implement the AuthorityValidator interface, but authority override specified with CallAuthority call option", t.authInfo.AuthType())}
	}
	if err := auth.ValidateAuthority(callHdr.Authority); err != nil {
	return nil, &NewStreamError{Err: status.Errorf(codes.Unavailable, "failed to validate authority %q : %v", callHdr.Authority, err)}
	}
	newCallHdr := *callHdr
	newCallHdr.Host = callHdr.Authority
	callHdr = &newCallHdr
	}

When using xDS, we don't directly use TLS credentials on the client. Instead we use xdscredentials. The config for TLS needs to be set in the CDS resource.

See the following test as an example of configuring TLS using xDS:

grpc-go/internal/xds/balancer/cdsbalancer/cdsbalancer_security_test.go

Line 366 in 88ac703

func (s) TestGoodSecurityConfig(t *testing.T) {

On the server side, we can use the regular tlscreds like the CDS test above. We can can also use the xds creds and configure TLS in the LDS resource, similar to the following test:

grpc-go/test/xds/xds_server_integration_test.go

Lines 229 to 239 in 88ac703

	// TestServerSideXDS_FileWatcherCerts is an e2e test which verifies xDS
	// credentials with file watcher certificate provider.
	//
	// The following sequence of events happen as part of this test:
	// - An xDS-enabled gRPC server is created and xDS credentials are configured.
	// - xDS is enabled on the client by the use of the xds:/// scheme, and xDS
	// credentials are configured.
	// - Control plane is configured to send security configuration to both the
	// client and the server, pointing to the file watcher certificate provider.
	// We verify both TLS and mTLS scenarios.
	func (s) TestServerSideXDS_FileWatcherCerts(t *testing.T) {

---

It looks like the xDS creds don't implement the AuthorityValidator interface, so authority overriding will probably fail when using TLS with xDS.

grpc-go/internal/xds/bootstrap/tlscreds/bundle.go

Lines 114 to 158 in 88ac703

	// reloadingCreds is a credentials.TransportCredentials for client
	// side mTLS that reloads the server root CA certificate and the client
	// certificates from the provider on every client handshake. This is necessary
	// because the standard TLS credentials do not support reloading CA
	// certificates.
	type reloadingCreds struct {
	provider certprovider.Provider
	}
	func (c *reloadingCreds) ClientHandshake(ctx context.Context, authority string, rawConn net.Conn) (net.Conn, credentials.AuthInfo, error) {
	km, err := c.provider.KeyMaterial(ctx)
	if err != nil {
	return nil, nil, err
	}
	var config *tls.Config
	if km.SPIFFEBundleMap != nil {
	config = &tls.Config{
	InsecureSkipVerify: true,
	VerifyPeerCertificate: buildSPIFFEVerifyFunc(km.SPIFFEBundleMap),
	Certificates: km.Certs,
	}
	} else {
	config = &tls.Config{
	RootCAs: km.Roots,
	Certificates: km.Certs,
	}
	}
	return credentials.NewTLS(config).ClientHandshake(ctx, authority, rawConn)
	}
	func (c *reloadingCreds) Info() credentials.ProtocolInfo {
	return credentials.ProtocolInfo{SecurityProtocol: "tls"}
	}
	func (c *reloadingCreds) Clone() credentials.TransportCredentials {
	return &reloadingCreds{provider: c.provider}
	}
	func (c *reloadingCreds) OverrideServerName(string) error {
	return errors.New("overriding server name is not supported by xDS client TLS credentials")
	}
	func (c *reloadingCreds) ServerHandshake(net.Conn) (net.Conn, credentials.AuthInfo, error) {
	return nil, nil, errors.New("server handshake is not supported by xDS client TLS credentials")
	}

We would need to update the reloadingCreds to generate the required TLS credentials, similar to the ClientHandshake method and call ValidateAuthority on the tls creds object for things to work.

Once the xDS creds implement the AuthorityValidator interface, this test should use the CDS config along with xds credentials to test the authority override behaviour.

[arjan-bal]

@Pranjali-2501 apologies for the confusion. I misunderstood and thought that Credentials needed to implement the AuthorityValidator interface, but it is actually AuthInfo. Since XDSCredentials.ClientHandshake delegates to the TLS credentials (which return TLSAuthInfo), AuthorityValidator is effectively implemented when using xDS. The existing test seems correct.

[easwars]

We have functions that do all this work of reading from a file etc, right? Somewhere in testutils?

[Pranjali-2501]

Right, made the changes.

[mbissa]

Discussed offline, this needs to change.

[Pranjali-2501]

done.

[mbissa]

It would help if the description contains details of previous PRs that have already been merged.

[mbissa]

couple of nits, LGTM otherwise.

[arjan-bal]

I'm fine with removing the nil check from the other tests, though it's not strictly necessary.

[arjan-bal]

@Pranjali-2501 apologies for the confusion. I misunderstood and thought that Credentials needed to implement the AuthorityValidator interface, but it is actually AuthInfo. Since XDSCredentials.ClientHandshake delegates to the TLS credentials (which return TLSAuthInfo), AuthorityValidator is effectively implemented when using xDS. The existing test seems correct.

[arjan-bal]

We should avoid checking error messages in tests since they may change. See https://google.github.io/styleguide/go/decisions#test-error-semantics

I think checking the status code should be sufficient here.

[Pranjali-2501]

Done.

[arjan-bal]

Mostly LGTM, some minor comments.

[arjan-bal]

LGTM