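// NewBundle returns a credentials.Bundle which implements mTLS Credentials in
// xDS Bootstrap File. It delegates certificate loading to a file_watcher
// provider if either client certificates or server root CA is specified. The
// second return value is a close func that should be called when the caller no
// longer needs this bundle.
// See gRFC A65: github.com/grpc/proposal/blob/master/A65-xds-mtls-creds-in-bootstrap.md
//
// jd is the raw JSON of the bootstrap certificate-provider config; it may be
// nil when the field is absent, which is treated as an empty config. An error
// is returned only when jd cannot be unmarshaled or when the file_watcher
// provider cannot be constructed.
func NewBundle(jd json.RawMessage) (credentials.Bundle, func(), error) {
	cfg := &struct {
		CertificateFile          string `json:"certificate_file"`
		CACertificateFile        string `json:"ca_certificate_file"`
		PrivateKeyFile           string `json:"private_key_file"`
		SPIFFETrustBundleMapFile string `json:"spiffe_trust_bundle_map_file"`
	}{}

	if jd != nil {
		// Wrap with %w (message unchanged) so callers can still reach the
		// underlying json error (e.g. *json.SyntaxError) via errors.As.
		if err := json.Unmarshal(jd, cfg); err != nil {
			return nil, nil, fmt.Errorf("failed to unmarshal config: %w", err)
		}
	} // Else the config field is absent. Treat it as an empty config.

	// The SPIFFE trust-map field is only honoured behind the env gate; clear
	// it so a config that sets nothing else does not force the file_watcher
	// path below.
	if !envconfig.XDSSPIFFEEnabled {
		cfg.SPIFFETrustBundleMapFile = ""
	}
	if cfg.CACertificateFile == "" && cfg.CertificateFile == "" && cfg.PrivateKeyFile == "" && cfg.SPIFFETrustBundleMapFile == "" {
		// We cannot use (and do not need) a file_watcher provider in this case,
		// and can simply directly use the TLS transport credentials.
		// Quoting A65:
		//
		// > The only difference between the file-watcher certificate provider
		// > config and this one is that in the file-watcher certificate
		// > provider, at least one of the "certificate_file" or
		// > "ca_certificate_file" fields must be specified, whereas in this
		// > configuration, it is acceptable to specify neither one.
		// Further, with the introduction of SPIFFE Trust Map support, we also
		// check for this value.
		//
		// A zero tls.Config presents no client certificate and verifies the
		// server against the host's system root CA set (RootCAs == nil).
		return &bundle{transportCredentials: credentials.NewTLS(&tls.Config{})}, func() {}, nil
	}
	// Otherwise we need to use a file_watcher provider to watch the CA,
	// private and public keys.

	// The pemfile plugin (file_watcher) currently ignores BuildOptions.
	// NOTE(review): jd is forwarded unmodified, so the provider still sees
	// spiffe_trust_bundle_map_file even when XDSSPIFFEEnabled is false; this
	// relies on the provider applying the same gate — confirm.
	provider, err := certprovider.GetProvider(pemfile.PluginName, jd, certprovider.BuildOptions{})
	if err != nil {
		return nil, nil, err
	}
	// The close func is wrapped in sync.OnceFunc so a caller invoking it more
	// than once does not close the provider twice.
	return &bundle{
		transportCredentials: &reloadingCreds{provider: provider},
	}, sync.OnceFunc(func() { provider.Close() }), nil
}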
| 97 | |
| 98 | func (t *bundle) TransportCredentials() credentials.TransportCredentials { |
| 99 | return t.transportCredentials |