Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add experimental s2a-go integration #1874

Merged
merged 3 commits into from
Apr 5, 2023
Merged

feat: add experimental s2a-go integration #1874

merged 3 commits into from
Apr 5, 2023

Conversation

xmenxk
Copy link
Contributor

@xmenxk xmenxk commented Feb 23, 2023

s2a integration with grpc and http transport code.
With this change, client library will try establishing mtls with the google api's mtls endpoint, using credentials held by s2a.

  • also if dialing connection with s2a fails at runtime, it will fall back to dialing regular TLS to the regular endpoint.

The added code only changes the default behavior in a way that's transparent to customers; if other mtls approach is specified, e.g. DCA, this code will not run.

@xmenxk xmenxk requested review from a team and yoshi-approver as code owners February 23, 2023 21:15
@quartzmo quartzmo added the needs more info This issue needs more information from the customer to proceed. label Feb 28, 2023
@quartzmo
Copy link
Member

Hi @xmenxk,

Thank you for opening this pull request!

Can you please open a feature request issue explaining the motivation for this feature (the benefits for users) and providing some background on the stability of s2a-go and how it will work in the context of this HTTP client?

@quartzmo quartzmo mentioned this pull request Mar 4, 2023
Merged
@quartzmo
Copy link
Member

quartzmo commented Mar 4, 2023

@xmenxk Is this PR related to #1886 in any way?

@xmenxk
Copy link
Contributor Author

xmenxk commented Mar 4, 2023

@xmenxk Is this PR related to #1886 in any way?

thanks @quartzmo for the response.

Both touch the transport layer code, as far as I can tell, they are for different use cases.

#1886 looks like it's specifically for allowing configuring a http-client to talk to oauth2's mtls endpoint.

The s2a integration this PR adds is a way for cloud workloads to talk to all google apis using MTLS, in a transparent way. It only runs when no other MTLS approach is specified, so there should't be any conflict.
I'll provide more information on s2a next week. thanks again!

andyrzhao
andyrzhao suggested changes Mar 6, 2023
View reviewed changes
Copy link
Contributor

@andyrzhao andyrzhao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for putting up this PR Kui! Left some general comments. I'm not familiar with the S2A architecture and would love to see some more context around this PR to make sure it is integrated smoothly.

go.mod Outdated Show resolved Hide resolved
go.mod Outdated Show resolved Hide resolved
go.mod Show resolved Hide resolved
transport/grpc/dial.go Outdated Show resolved Hide resolved
transport/grpc/dial.go Outdated Show resolved Hide resolved
transport/internal/s2a/s2a.go Outdated Show resolved Hide resolved
andyrzhao
andyrzhao suggested changes Mar 13, 2023
View reviewed changes
transport/http/dial.go Outdated Show resolved Hide resolved
@xmenxk xmenxk force-pushed the zatar-mtls branch 2 times, most recently from 6859717 to 983292e Compare March 21, 2023 00:10
andyrzhao
andyrzhao suggested changes Mar 22, 2023
View reviewed changes
Copy link
Contributor

@andyrzhao andyrzhao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall - I added some comments mostly around naming and code comments. Thanks! Also, please get one of the Yoshi team members to sign off on the change.

internal/cba.go Outdated Show resolved Hide resolved
internal/cba.go Outdated Show resolved Hide resolved
transport/grpc/dial.go Outdated Show resolved Hide resolved
transport/http/dial.go Outdated Show resolved Hide resolved
internal/cba.go Outdated Show resolved Hide resolved
internal/cba.go Outdated Show resolved Hide resolved
internal/cba.go Outdated Show resolved Hide resolved
internal/cba.go Outdated Show resolved Hide resolved
internal/cert/default_cert.go Outdated Show resolved Hide resolved
internal/creds.go Show resolved Hide resolved
@xmenxk
Copy link
Contributor Author

xmenxk commented Mar 23, 2023

Looks good overall - I added some comments mostly around naming and code comments. Thanks! Also, please get one of the Yoshi team members to sign off on the change.

Hi @codyoss, could you take a look at the PR? thanks :)

@xmenxk xmenxk requested a review from andyrzhao March 23, 2023 18:31
@noahdietz noahdietz removed the needs more info This issue needs more information from the customer to proceed. label Mar 23, 2023
@noahdietz noahdietz requested review from codyoss and removed request for andyrzhao March 23, 2023 19:19
@noahdietz
Copy link
Contributor

Looks good overall - I added some comments mostly around naming and code comments. Thanks! Also, please get one of the Yoshi team members to sign off on the change.

Hi @codyoss, could you take a look at the PR? thanks :)

I've added @codyoss as a reviewer. I'm on rotation this week but I'd feel better with Cody reviewing this change anyways :)

@xmenxk xmenxk requested review from andyrzhao and removed request for codyoss March 23, 2023 20:17
andyrzhao
andyrzhao approved these changes Mar 23, 2023
View reviewed changes
Copy link
Contributor

@andyrzhao andyrzhao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for CBA logic.

@noahdietz noahdietz requested a review from codyoss March 23, 2023 20:48
@noahdietz
Copy link
Contributor

Added cody back to reviewers

codyoss
codyoss reviewed Apr 3, 2023
View reviewed changes
Copy link
Member

@codyoss codyoss left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall, couple of small things

internal/cba.go Outdated
@@ -41,10 +52,12 @@ const (
mTLSModeAuto = "auto"
)

// GetClientCertificateSourceAndEndpoint is a convenience function that invokes
var useS2A = flag.Bool("use_s2a", false, "Experimental: if true, the code will try MTLS with S2A as the default for transport security.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that I think a envvar would be preferable here.

internal/cba.go Outdated Show resolved Hide resolved
@xmenxk xmenxk requested a review from codyoss April 3, 2023 18:36
codyoss
codyoss reviewed Apr 4, 2023
View reviewed changes
internal/cba.go Outdated Show resolved Hide resolved
@xmenxk xmenxk requested a review from codyoss April 4, 2023 14:56
@codyoss codyoss changed the title s2a-go integration feat: add experimental s2a-go integration Apr 4, 2023
@codyoss codyoss enabled auto-merge (squash) April 4, 2023 15:11
@codyoss codyoss added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 5, 2023
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 5, 2023
auto-merge was automatically disabled April 5, 2023 19:35

Head branch was pushed to by a user without write access

@codyoss codyoss added the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 5, 2023
@kokoro-team kokoro-team removed the kokoro:force-run Add this label to force Kokoro to re-run the tests. label Apr 5, 2023
@codyoss codyoss merged commit 3c61729 into googleapis:main Apr 5, 2023
3 checks passed
@release-please release-please bot mentioned this pull request Apr 5, 2023
Merged
liggitt
liggitt reviewed Sep 1, 2023
View reviewed changes
go.mod Show resolved Hide resolved
@rmehta19 rmehta19 mentioned this pull request May 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@quartzmo quartzmo quartzmo left review comments

@liggitt liggitt liggitt left review comments

@codyoss codyoss codyoss approved these changes

@andyrzhao andyrzhao andyrzhao approved these changes

@yoshi-approver yoshi-approver Awaiting requested review from yoshi-approver

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@xmenxk @quartzmo @noahdietz @liggitt @codyoss @andyrzhao @kokoro-team