
How does certificate provider plugin makes it independent of SDS?

Open ypatil-li opened this issue 1 year ago • 1 comment

I want to avoid restarting the client/server when certificates/trust stores are updated periodically. I see that the certificate provider plugin framework using file_watcher can potentially help me achieve that.

I created the following bootstrap config

{
  "xds_servers": [
    {
      "server_uri": "127.0.0.1:33333",
      "channel_creds": [
        {
          "type": "insecure"
        }
      ],
      "server_features": [
        "xds_v3"
      ]
    }
  ],
  "node": {
    "id": "grpc-proxyless"
  },
  "certificate_providers": {
    "default": {
      "plugin_name": "file_watcher",
      "config": {
        "certificate_file": "/path/to/server-cert.pem",
        "private_key_file": "/path/to/server-key.pem",
        "ca_certificate_file": "/path/to/ca-cert.pem",
        "refresh_interval": "3600s"
      }
    }
  }
}

Since the bootstrap file MUST include the xds_servers address, I wonder how this approach makes it a generic alternative to the SDS server/agent based solution and eliminates the dependency on the SDS protocol as claimed here. Any example to demonstrate that will help make it clear.

Also, I do NOT want to use an xDS control plane. But I am trying to find a way to use the file_watcher plugin independent of xDS.

ypatil-li avatar Apr 14 '23 03:04 ypatil-li
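The bootstrap above is the part of the setup a reviewer actually has to get right: xds_servers is mandatory, the file_watcher config has to be internally consistent, and the channel_creds chosen for the xDS server decide whether the control plane that later pushes the listener/cluster security config is authenticated at all. The checker below is an added example written for this thread, not code from the grpc project or from either participant. It encodes the bootstrap field names and the file_watcher rules as documented in gRFC A27/A29 (certificate_file and private_key_file must appear together, at least identity or CA files must be present, refresh_interval is a protobuf JSON duration defaulting to 600s); the function names, the sample document (modeled on the question's config with placeholder paths) and the wording of the findings are this example's own assumptions.

```python
"""Sanity checker for a gRPC xDS bootstrap file that uses file_watcher providers.

Added example for this issue thread, not grpc project code. Field names and
constraints follow gRFC A27 (bootstrap) and A29 (certificate providers); the
helper names and the sample below are constructed for illustration.
"""
import json
import re

# Constructed sample modeled on the bootstrap in the question (placeholder paths).
SAMPLE_BOOTSTRAP = """{
  "xds_servers": [
    {"server_uri": "127.0.0.1:33333",
     "channel_creds": [{"type": "insecure"}],
     "server_features": ["xds_v3"]}
  ],
  "node": {"id": "grpc-proxyless"},
  "certificate_providers": {
    "default": {
      "plugin_name": "file_watcher",
      "config": {
        "certificate_file": "/path/to/server-cert.pem",
        "private_key_file": "/path/to/server-key.pem",
        "ca_certificate_file": "/path/to/ca-cert.pem",
        "refresh_interval": "3600s"
      }
    }
  }
}"""

_DURATION_RE = re.compile(r"^(\d+(?:\.\d{1,9})?)s$")


def parse_duration(text):
    """Parse a protobuf JSON duration such as "3600s" into seconds (float)."""
    m = _DURATION_RE.match(text)
    if not m:
        raise ValueError(f"bad duration {text!r}; expected a proto JSON duration such as '600s'")
    return float(m.group(1))


def check_file_watcher(name, config):
    """Apply the A29 file_watcher rules to one provider config; return error strings."""
    errors = []
    have_cert = "certificate_file" in config
    have_key = "private_key_file" in config
    have_ca = "ca_certificate_file" in config
    if have_cert != have_key:
        errors.append(f"{name}: certificate_file and private_key_file must be set together")
    if not (have_cert and have_key) and not have_ca:
        errors.append(f"{name}: file_watcher needs identity files, a CA file, or both")
    interval = config.get("refresh_interval", "600s")  # A29 default when omitted
    try:
        if parse_duration(interval) <= 0:
            errors.append(f"{name}: refresh_interval must be positive")
    except ValueError as exc:
        errors.append(f"{name}: {exc}")
    return errors


def check_bootstrap(text):
    """Return (errors, warnings) for a bootstrap document given as JSON text."""
    errors, warnings = [], []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"bootstrap is not valid JSON: {exc}"], warnings

    # A27: xds_servers is required; the plugin framework does not remove it.
    servers = doc.get("xds_servers")
    if not isinstance(servers, list) or not servers:
        errors.append("xds_servers is required and must list at least one server")
    else:
        for i, srv in enumerate(servers):
            if not isinstance(srv, dict) or not isinstance(srv.get("server_uri"), str):
                errors.append(f"xds_servers[{i}]: server_uri must be a string")
                continue
            creds = srv.get("channel_creds")
            if not isinstance(creds, list) or not creds:
                errors.append(f"xds_servers[{i}]: channel_creds must list at least one credential type")
            elif any(isinstance(c, dict) and c.get("type") == "insecure" for c in creds):
                # Security caveat: the control plane that pushes the listener and
                # cluster security config is then reached without authentication.
                warnings.append(f"xds_servers[{i}]: insecure channel_creds to the xDS server")
    if not isinstance(doc.get("node"), dict):
        errors.append("node is required")

    providers = doc.get("certificate_providers", {})
    if not isinstance(providers, dict):
        errors.append("certificate_providers must be a JSON object keyed by instance name")
        providers = {}
    for name, entry in providers.items():
        plugin = entry.get("plugin_name") if isinstance(entry, dict) else None
        if plugin == "file_watcher":
            errors.extend(check_file_watcher(name, entry.get("config", {})))
        else:
            warnings.append(f"{name}: plugin_name {plugin!r} is not known to this checker")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_bootstrap(SAMPLE_BOOTSTRAP)
    for line in errs:
        print("ERROR  ", line)
    for line in warns:
        print("WARNING", line)
```

Run against the question's config the checker reports no errors and one warning: the bootstrap is well-formed, but the xDS channel is insecure, so whoever can reach that server_uri can also dictate which provider instance the listener and cluster use. Drop xds_servers from the document and it fails validation, which is the concrete form of the point made in the answer below.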

... Since the bootstrap file MUST include the xds_servers address, I wonder how this approach makes it a generic alternative to the SDS server/agent based solution and eliminates the dependency on the SDS protocol as claimed here. Any example to demonstrate that will help make it clear.

Also, I do NOT want to use an xDS control plane. But I am trying to find a way to use the file_watcher plugin independent of xDS.

SDS - in spite of it sounding like part of xDS - is really a different "beast". An SDS server is quite different from an xDS server, and getting rid of SDS does not mean getting rid of xDS. xDS is still required, as described in A29.

There are examples:

  • https://github.com/grpc/grpc-java/blob/master/examples/example-xds/README.md#run-the-example-with-xds-credentials
  • https://github.com/GoogleCloudPlatform/traffic-director-grpc-examples

Hope that answers your questions

sanjaypujare avatar Apr 24 '23 19:04 sanjaypujare