xds: don't fail channel/server startup when xds creds is specified, but bootstrap is missing certificate providers

[easwars]

We currently have checks in the xDS resolver and xDS-enabled gRPC server that verify that if xDS credentials are specified by the user, then the associated certificate providers configuration in the bootstrap is non-empty. If the check fails, then channel/server start-up fails. This is broken for a number of reasons:

• On the client, we could have multiple clusters, some of which specify valid security configuration (i.e certificate provider instance name that is present in the bootstrap) and some of which specify invalid security configuration (i.e certificate provider instance name that is not present in the bootstrap). In this scenario, the clusters with valid security configuration need to work and the ones with invalid security configuration should fail with TRANSIENT_FAILURE. The same applies on the server side where the security configuration is part of the listener resource. FYI: We currently handle this scenario correctly by NACKing the appropriate resource.
• Checking for the presence of the certificate provider configuration at channel/server startup is a very weak check and does not protect us from anything that the above check does not.
• C-core and Java do not have this check.

This PR fixes #6756, and brings the grpc-go implementation to be in sync with C-core and Java.

RELEASE NOTES:

• xds: don't fail channel/server startup when xds creds is specified, but bootstrap is missing certificate providers

[codecov]

Codecov Report

Merging #6848 (25050b6) into master (52baf16) will increase coverage by 0.09%.
Report is 12 commits behind head on master.
The diff coverage is 14.28%.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #6848      +/-   ##
==========================================
+ Coverage   83.43%   83.53%   +0.09%     
==========================================
  Files         286      286              
  Lines       30801    30756      -45     
==========================================
- Hits        25699    25692       -7     
+ Misses       4028     3993      -35     
+ Partials     1074     1071       -3     

Files	Coverage Δ
xds/internal/resolver/xds_resolver.go	78.93% <ø> (-0.04%)	⬇️
xds/internal/server/listener_wrapper.go	67.88% <ø> (-0.15%)	⬇️
xds/server.go	86.50% <ø> (+0.51%)	⬆️
xds/internal/balancer/cdsbalancer/cdsbalancer.go	80.80% <25.00%> (+0.43%)	⬆️
xds/internal/server/conn_wrapper.go	71.64% <0.00%> (-1.97%)	⬇️

... and 18 files with indirect coverage changes

[zasweq]

Can you please add an e2e test as to what the behavior should be e2e? (i.e. not fail, resolver NACKs, we handle in a graceful case). It used to be to fail, now what should it be? I see the component test for resolver only

[zasweq]

Server and Client side please for e2e test. Also, we only process security config from top level cluster incorrectly now, it needs to be for each specific cluster.

[easwars]

Added e2e style tests for both client and server now. PTAL.

[zasweq]

Will need to rebase my server fix onto this PR. Hopefully I can get that PR out by Thurs so you can take at least once pass before your leave for me to get back to next year.

[zasweq]

Would rather call modeCh. Also, this sends only once by closing it (and will panic if you close twice). Thinking about it, I made this an event for my server side e2e tests for the server side fix serving := grpcsync.NewEvent()...if args.Mode == connectivity.ServingModeServing {
serving.Fire()
}. I think that this semantically makes more sense here (and below).

[easwars]

Would rather call modeCh

It is called modeCh already. Don't understand this comment.

Also, this sends only once by closing it (and will panic if you close twice).

Since, we don't expect this to even happen once, I'm not too worried about a double close.

I think that this semantically makes more sense here (and below)

The grpcsync.Event provides a way to spot check if the event has fired and a way to block on the event firing. Since we only need the latter here, I feel a channel is more appropriate and it does not make the code harder to read in anyway. So, I would like to stick to using a channel here, unless you have a very good reason for using a grpcsync.Event instead.

[zasweq]

Sorry servingModeCh. Hmmmm I guess that a channel does make sense here since this is something we expect not to happen vs. to happen (i.e. wait till serving until RPC happens)

[easwars]

Renamed to servingModeCh.

[zasweq]

Optional: leave a t-test in case we add more failure modes for resolver construction in the future.

[easwars]

What is a t-test?

[zasweq]

Ah - Menghan/Doug described the functionality of defining test cases, then looping through each of them as a unity test as a "t-test'. So keep a slice of length 1. Optional though.

[zasweq]

This is a super long inline block of xDS resources. Is there not e2e helpers for these? Should we refactor some of the e2e helpers if not to pull out common functionality for these?

[easwars]

This is not used anywhere else so far, so we haven't needed helpers for this. But if it turns out that you will need something like this for your server side tests, maybe we can pull it out at that point. But its going to be a bit of work.

[zasweq]

https://github.com/grpc/grpc-go/blob/master/test/xds/xds_server_rbac_test.go#L323

[zasweq]

Ohhhh right, I was thinking as if my change was already in master with respect to Accept() + Close(), and not blocking as it is now. I'll probably switch this over (and I have tests for this Accept() + Close() - I thought hard about the invariant of a signal that a connection was Accepted + Closed - UNAVAILABLE with error string sgtm).

[zasweq]

LGTM

[zasweq]

[easwars]

DOne.