Merge pull request #2823 from murgatroid99/grpc-js-xds_file_watcher_p…

…lugin

grpc-js-xds: Add bootstrap certificate provider config handling

packages/grpc-js-xds/src/xds-bootstrap.ts

@@ -19,6 +19,11 @@ import * as fs from 'fs';
 import { EXPERIMENTAL_FEDERATION } from './environment';
 import { Struct } from './generated/google/protobuf/Struct';
 import { Value } from './generated/google/protobuf/Value';
+import { experimental } from '@grpc/grpc-js';
+
+import parseDuration = experimental.parseDuration;
+import durationToMs = experimental.durationToMs;
+import FileWatcherCertificateProviderConfig = experimental.FileWatcherCertificateProviderConfig;
 
 /* eslint-disable @typescript-eslint/no-explicit-any */
 
@@ -51,12 +56,20 @@ export interface Authority {
  xdsServers?: XdsServerConfig[];
 }
 
+export type PluginConfig = FileWatcherCertificateProviderConfig;
+
+export interface CertificateProviderConfig {
+ pluginName: string;
+ config: PluginConfig;
+}
+
 export interface BootstrapInfo {
  xdsServers: XdsServerConfig[];
  node: Node;
  authorities: {[authorityName: string]: Authority};
  clientDefaultListenerResourceNameTemplate: string;
  serverListenerResourceNameTemplate: string | null;
+ certificateProviders: {[instanceName: string]: CertificateProviderConfig};
 }
 
 const KNOWN_SERVER_FEATURES = ['ignore_resource_deletion'];
@@ -306,6 +319,71 @@ function validateAuthoritiesMap(obj: any): {[authorityName: string]: Authority}
  return result;
 }
 
+function validateFileWatcherPluginConfig(obj: any, instanceName: string): FileWatcherCertificateProviderConfig {
+ if ('certificate_file' in obj && typeof obj.certificate_file !== 'string') {
+ throw new Error(`certificate_providers[${instanceName}].config.certificate_file: expected string, got ${typeof obj.certificate_file}`);
+ }
+ if ('private_key_file' in obj && typeof obj.private_key_file !== 'string') {
+ throw new Error(`certificate_providers[${instanceName}].config.private_key_file: expected string, got ${typeof obj.private_key_file}`);
+ }
+ if ('ca_certificate_file' in obj && typeof obj.ca_certificate_file !== 'string') {
+ throw new Error(`certificate_providers[${instanceName}].config.ca_certificate_file: expected string, got ${typeof obj.ca_certificate_file}`);
+ }
+ if (typeof obj.refresh_interval !== 'string') {
+ throw new Error(`certificate_providers[${instanceName}].config.refresh_interval: expected string, got ${typeof obj.refresh_interval}`);
+ }
+ if (('private_key_file' in obj) !== ('certificate_file' in obj)) {
+ throw new Error(`certificate_providers[${instanceName}].config: private_key_file and certificate_file must be provided or omitted together`);
+ }
+ if (!('private_key_file' in obj) && !('ca_certificate_file' in obj)) {
+ throw new Error(`certificate_providers[${instanceName}].config: either private_key_file and certificate_file or ca_certificate_file must be set`);
+ }
+ const refreshDuration = parseDuration(obj.refresh_interval);
+ if (!refreshDuration) {
+ throw new Error(`certificate_providers[${instanceName}].config.refresh_interval: failed to parse duration from value ${obj.refresh_interval}`);
+ }
+ return {
+ certificateFile: obj.certificate_file,
+ privateKeyFile: obj.private_key_file,
+ caCertificateFile: obj.caCertificateFile,
+ refreshIntervalMs: durationToMs(refreshDuration)
+ };
+}
+
+const pluginConfigValidators: {[typeName: string]: (obj: any, instanceName: string) => PluginConfig} = {
+ 'file_watcher': validateFileWatcherPluginConfig
+};
+
+function validateCertificateProvider(obj: any, instanceName: string): CertificateProviderConfig {
+ if (!('plugin_name' in obj) || typeof obj.plugin_name !== 'string') {
+ throw new Error(`certificate_providers[${instanceName}].plugin_name: expected string, got ${typeof obj.plugin_name}`);
+ }
+ if (!(obj.plugin_name in pluginConfigValidators)) {
+ throw new Error(`certificate_providers[${instanceName}]: unknown plugin_name ${obj.plugin_name}`);
+ }
+ if (!obj.config) {
+ throw new Error(`certificate_providers[${instanceName}].config: expected object, got ${typeof obj.config}`);
+ }
+ if (!(obj.plugin_name in pluginConfigValidators)) {
+ throw new Error(`certificate_providers[${instanceName}].config: unknown plugin_name ${obj.plugin_name}`);
+ }
+ return {
+ pluginName: obj.plugin_name,
+ config: pluginConfigValidators[obj.plugin_name]!(obj.config, instanceName)
+ };
+}
+
+function validateCertificateProvidersMap(obj: any): {[instanceName: string]: CertificateProviderConfig} {
+ if (!obj) {
+ return {};
+ }
+ const result: {[instanceName: string]: CertificateProviderConfig} = {};
+ for (const [name, provider] of Object.entries(obj)) {
+ result[name] = validateCertificateProvider(provider, name);
+ }
+ return result;
+}
+
 export function validateBootstrapConfig(obj: any): BootstrapInfo {
  const xdsServers = obj.xds_servers.map(validateXdsServerConfig);
  const node = validateNode(obj.node);
@@ -325,15 +403,17 @@ export function validateBootstrapConfig(obj: any): BootstrapInfo {
  node: node,
  authorities: validateAuthoritiesMap(obj.authorities),
  clientDefaultListenerResourceNameTemplate: obj.client_default_listener_resource_name_template ?? '%s',
- serverListenerResourceNameTemplate: obj.server_listener_resource_name_template ?? null
+ serverListenerResourceNameTemplate: obj.server_listener_resource_name_template ?? null,
+ certificateProviders: validateCertificateProvidersMap(obj.certificate_providers)
  };
  } else {
  return {
  xdsServers: xdsServers,
  node: node,
  authorities: {},
  clientDefaultListenerResourceNameTemplate: '%s',
- serverListenerResourceNameTemplate: obj.server_listener_resource_name_template ?? null
+ serverListenerResourceNameTemplate: obj.server_listener_resource_name_template ?? null,
+ certificateProviders: validateCertificateProvidersMap(obj.certificate_providers)
  };
  }
 }

packages/grpc-js-xds/src/xds-client.ts

@@ -19,7 +19,7 @@ import { Channel, ChannelCredentials, ClientDuplexStream, Metadata, StatusObject
 import { XdsDecodeContext, XdsDecodeResult, XdsResourceType } from "./xds-resource-type/xds-resource-type";
 import { XdsResourceName, parseXdsResourceName, xdsResourceNameToString } from "./resources";
 import { Node } from "./generated/envoy/config/core/v3/Node";
-import { BootstrapInfo, XdsServerConfig, loadBootstrapInfo, serverConfigEqual } from "./xds-bootstrap";
+import { BootstrapInfo, CertificateProviderConfig, XdsServerConfig, loadBootstrapInfo, serverConfigEqual } from "./xds-bootstrap";
 import BackoffTimeout = experimental.BackoffTimeout;
 import { DiscoveryRequest } from "./generated/envoy/service/discovery/v3/DiscoveryRequest";
 import { DiscoveryResponse__Output } from "./generated/envoy/service/discovery/v3/DiscoveryResponse";
@@ -35,6 +35,8 @@ import { LoadStatsResponse__Output } from "./generated/envoy/service/load_stats/
 import { Locality, Locality__Output } from "./generated/envoy/config/core/v3/Locality";
 import { Duration } from "./generated/google/protobuf/Duration";
 import { registerXdsClientWithCsds } from "./csds";
+import CertificateProvider = experimental.CertificateProvider;
+import FileWatcherCertificateProvider = experimental.FileWatcherCertificateProvider;
 
 const TRACER_NAME = 'xds_client';
 
@@ -1111,6 +1113,15 @@ interface AuthorityState {
 
 const userAgentName = 'gRPC Node Pure JS';
 
+function createCertificateProvider(config: CertificateProviderConfig) {
+ switch (config.pluginName) {
+ case 'file_watcher':
+ return new FileWatcherCertificateProvider(config.config);
+ default:
+ throw new Error(`Unexpected certificate provider plugin name ${config.pluginName}`);
+ }
+}
+
 export class XdsClient {
  /**
  * authority -> authority state
@@ -1119,6 +1130,8 @@ export class XdsClient {
  private clients: ClientMapEntry[] = [];
  private typeRegistry: Map<string, XdsResourceType> = new Map();
  private bootstrapInfo: BootstrapInfo | null = null;
+ private certificateProviderRegistry: Map<string, CertificateProvider> = new Map();
+ private certificateProviderRegistryPopulated = false;
 
  constructor(bootstrapInfoOverride?: BootstrapInfo) {
  if (bootstrapInfoOverride) {
@@ -1298,6 +1311,16 @@ export class XdsClient {
  removeClusterLocalityStats(lrsServer: XdsServerConfig, clusterName: string, edsServiceName: string, locality: Locality__Output) {
  this.getClient(lrsServer)?.removeClusterLocalityStats(clusterName, edsServiceName, locality);
  }
+
+ getCertificateProvider(instanceName: string): CertificateProvider | undefined {
+ if (!this.certificateProviderRegistryPopulated) {
+ for (const [name, config] of Object.entries(this.getBootstrapInfo().certificateProviders)) {
+ this.certificateProviderRegistry.set(name, createCertificateProvider(config));
+ }
+ this.certificateProviderRegistryPopulated = true;
+ }
+ return this.certificateProviderRegistry.get(instanceName);
+ }
 }
 
 let singletonXdsClient: XdsClient | null = null;

packages/grpc-js/src/certificate-provider.ts

@@ -49,10 +49,6 @@ export interface CertificateProvider {
  removeIdentityCertificateListener(listener: IdentityCertificateUpdateListener): void;
 }
 
-export interface CertificateProviderProvider<Provider> {
- getInstance(): Provider;
-}
-
 export interface FileWatcherCertificateProviderConfig {
  certificateFile?: string | undefined;
  privateKeyFile?: string | undefined;

packages/grpc-js/src/duration.ts

@@ -34,3 +34,15 @@ export function durationToMs(duration: Duration): number {
 export function isDuration(value: any): value is Duration {
  return typeof value.seconds === 'number' && typeof value.nanos === 'number';
 }
+
+const durationRegex = /^(\d+)(?:\.(\d+))?s$/;
+export function parseDuration(value: string): Duration | null {
+ const match = value.match(durationRegex);
+ if (!match) {
+ return null;
+ }
+ return {
+ seconds: Number.parseInt(match[1], 10),
+ nanos: Number.parseInt(match[2].padEnd(9, '0'), 10)
+ };
+}

packages/grpc-js/src/experimental.ts

@@ -7,7 +7,7 @@ export {
  createResolver,
 } from './resolver';
 export { GrpcUri, uriToString, splitHostPort, HostPort } from './uri-parser';
-export { Duration, durationToMs } from './duration';
+export { Duration, durationToMs, parseDuration } from './duration';
 export { BackoffTimeout } from './backoff-timeout';
 export {
  LoadBalancer,