
How does certificate provider plugin makes it independent of SDS? #354

Open
ypatil-li opened this issue Apr 14, 2023 · 1 comment

@ypatil-li

I want to avoid restarting client/server when certificates/trust stores are updated periodically. I see certificate provider plugin framework using file_watcher can potentially help me achieve that.

I created the following bootstrap config

{
  "xds_servers": [
    {
      "server_uri": "127.0.0.1:33333",
      "channel_creds": [
        {
          "type": "insecure"
        }
      ],
      "server_features": [
        "xds_v3"
      ]
    }
  ],
  "node": {
    "id": "grpc-proxyless"
  },
  "certificate_providers": {
    "default": {
      "plugin_name": "file_watcher",
      "config": {
        "certificate_file": "/path/to/server-cert.pem",
        "private_key_file": "/path/to//server-key.pem",
        "ca_certificate_file": "/path/to//ca-cert.pem",
        "refresh_interval": "3600s"
      }
    }
  }
}

Since the bootstrap file MUST include the xds_servers address, I wonder how this approach makes it a generic alternative to the SDS server/agent based solution and eliminates the dependency on the SDS protocol as claimed here. Any example to demonstrate that will help make it clear.

Also, I do NOT want to use an xDS control plane. But I am trying to find a way to use the file_watcher plugin independent of xDS.

@sanjaypujare
Contributor

...
Since the bootstrap file MUST include the xds_servers address, I wonder how this approach makes it a generic alternative to the SDS server/agent based solution and eliminates the dependency on the SDS protocol as claimed here. Any example to demonstrate that will help make it clear.

Also, I do NOT want to use an xDS control plane. But I am trying to find a way to use the file_watcher plugin independent of xDS.

SDS - in spite of it sounding like part of xDS - is really a different "beast". An SDS server is quite different from an xDS server, and getting rid of SDS does not mean getting rid of xDS. xDS is still required as described in A29.

There are examples:

Hope that answers your questions.
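To make the two points in this thread concrete (the bootstrap cannot omit xds_servers, and the file_watcher entry has its own required fields), here is a small bootstrap validator. It is an added example, not gRPC's own code; the field rules encoded in it are my reading of gRFC A27/A29 and are assumptions, and the embedded bootstrap is a constructed copy of the one in the question with placeholder paths.

```python
import json
import re

# Constructed sample (placeholder paths, not real files): the bootstrap from the question.
SAMPLE_BOOTSTRAP = """{
  "xds_servers": [{"server_uri": "127.0.0.1:33333",
                   "channel_creds": [{"type": "insecure"}]}],
  "node": {"id": "grpc-proxyless"},
  "certificate_providers": {
    "default": {
      "plugin_name": "file_watcher",
      "config": {
        "certificate_file": "/path/to/server-cert.pem",
        "private_key_file": "/path/to/server-key.pem",
        "ca_certificate_file": "/path/to/ca-cert.pem",
        "refresh_interval": "3600s"
      }
    }
  }
}"""

DURATION_RE = re.compile(r"^\d+(\.\d+)?s$")  # protobuf-style duration, e.g. "600s"

def validate_bootstrap(text: str) -> list[str]:
    """Return the problems found (empty list = usable). Field rules are my
    reading of gRFC A27/A29 (assumption): xds_servers is mandatory; a
    file_watcher entry needs cert+key together and/or a CA file."""
    problems = []
    cfg = json.loads(text)
    servers = cfg.get("xds_servers") or []
    if not servers:
        # The point raised in the issue: the bootstrap has no xDS-free mode.
        problems.append("xds_servers must list at least one server")
    for i, srv in enumerate(servers):
        for field in ("server_uri", "channel_creds"):
            if not srv.get(field):
                problems.append(f"xds_servers[{i}] missing {field}")
    for name, prov in (cfg.get("certificate_providers") or {}).items():
        if prov.get("plugin_name") != "file_watcher":
            continue  # other plugins have their own schemas
        fw = prov.get("config") or {}
        has_cert, has_key = "certificate_file" in fw, "private_key_file" in fw
        if has_cert != has_key:
            problems.append(f"{name}: certificate_file and private_key_file go together")
        if not (has_cert or "ca_certificate_file" in fw):
            problems.append(f"{name}: need an identity cert/key pair or a CA file")
        if not DURATION_RE.match(fw.get("refresh_interval", "600s")):
            problems.append(f"{name}: refresh_interval must look like '600s'")
    return problems
```

Dropping the xds_servers block from the sample, which is what the question asks about, is reported as the first problem rather than silently accepted.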
