From 8510c4f0f1b12cc7206e541bf0623a846e91c83d Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Tue, 15 Jul 2025 19:54:22 +0000 Subject: [PATCH 1/7] add file --- L123-cpp-spiffe-root-provider.md | 48 ++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 L123-cpp-spiffe-root-provider.md diff --git a/L123-cpp-spiffe-root-provider.md b/L123-cpp-spiffe-root-provider.md new file mode 100644 index 000000000..3362f7002 --- /dev/null +++ b/L123-cpp-spiffe-root-provider.md 
@@ -0,0 +1,48 @@ +L123: Spiffe Bundle Map support in Root Providers +---- +* Author(s): gtcooke94 +* Approver: markdroth +* Status: Draft +* Implemented in: core, cpp +* Last updated: 2025-07-15 +* Discussion at: TODO + +## Abstract + +The purpose of this proposal is to add public API support for SPIFFE bundle maps in root certificate file watcher providers. [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md) details the broader internals for this support. + +## Background + +gRPC supports SPIFFE bundle maps as root certificate material per [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md). Public APIs to configure these roots is needed. + +### Related Proposals: +* [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md) + +## Proposal + +This document proposes to extend the C-Core and C++ APIs as follows: + + +### C-Core +C-Core APIs are always subject to change - we will simply add an argument to the existing constructor in https://github.com/grpc/grpc/blob/79769b35d04535259592ac1b0a98d65f63203f06/include/grpc/credentials.h#L663-L666. +``` +GRPCAPI grpc_tls_certificate_provider* +grpc_tls_certificate_provider_file_watcher_create( + const char* private_key_path, const char* identity_certificate_path, + const char* root_cert_path, const char* spiffe_bundle_map_path, unsigned int refresh_interval_sec); +``` + +### C++ +While the existing C++ API is marked experimental, we don't _want_ to break existing users. Thus, in https://github.com/grpc/grpc/blob/79769b35d04535259592ac1b0a98d65f63203f06/include/grpcpp/security/tls_certificate_provider.h#L109-L112, add a constructor with the `spiffe_bundle_map_path` argument. +In order to not break current users, we will make the existing constructors support this by supplying an empty SPIFFE bundle map path. 
+``` + +FileWatcherCertificateProvider(const std::string& private_key_path, + const std::string& identity_certificate_path, + const std::string& root_cert_path, + const std::string& spiffe_bundle_map_path, + unsigned int refresh_interval_sec); +``` + +### Other Providers +This proposal _only_ aims to support file-based SPIFFE Bundle Maps via the file watcher providers. The `StaticDataCertificateProvider` structure is left as future work - we do not want to expose our internal SPIFFE utilities. \ No newline at end of file From 8f289b7490ca5ba4674612d7906fef5387ff6137 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Tue, 15 Jul 2025 19:55:26 +0000 Subject: [PATCH 2/7] wording --- L123-cpp-spiffe-root-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/L123-cpp-spiffe-root-provider.md b/L123-cpp-spiffe-root-provider.md index 3362f7002..4baa85372 100644 --- a/L123-cpp-spiffe-root-provider.md +++ b/L123-cpp-spiffe-root-provider.md @@ -33,7 +33,7 @@ grpc_tls_certificate_provider_file_watcher_create( ``` ### C++ -While the existing C++ API is marked experimental, we don't _want_ to break existing users. Thus, in https://github.com/grpc/grpc/blob/79769b35d04535259592ac1b0a98d65f63203f06/include/grpcpp/security/tls_certificate_provider.h#L109-L112, add a constructor with the `spiffe_bundle_map_path` argument. +While the existing C++ API is marked experimental, we don't _want_ to break existing users. Thus, in https://github.com/grpc/grpc/blob/79769b35d04535259592ac1b0a98d65f63203f06/include/grpcpp/security/tls_certificate_provider.h#L109-L112, we will add a constructor with the `spiffe_bundle_map_path` argument. In order to not break current users, we will make the existing constructors support this by supplying an empty SPIFFE bundle map path. ``` From e7df383d499506ca686ad85fead432dea4be39f9 Mon Sep 17 00:00:00 2001 
From: Gregory Cooke Date: Wed, 16 Jul 2025 19:41:00 +0000 Subject: [PATCH 3/7] address comments --- ...-spiffe-root-provider.md => L127-cpp-spiffe-root-provider.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename L123-cpp-spiffe-root-provider.md => L127-cpp-spiffe-root-provider.md (97%) diff --git a/L123-cpp-spiffe-root-provider.md b/L127-cpp-spiffe-root-provider.md similarity index 97% rename from L123-cpp-spiffe-root-provider.md rename to L127-cpp-spiffe-root-provider.md index 4baa85372..4e1ebecce 100644 --- a/L123-cpp-spiffe-root-provider.md +++ b/L127-cpp-spiffe-root-provider.md @@ -1,4 +1,4 @@ -L123: Spiffe Bundle Map support in Root Providers +L127: Spiffe Bundle Map support in Root Providers ---- * Author(s): gtcooke94 * Approver: markdroth From 07a85a278b27adfa83529c0993f089d592db3461 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Thu, 17 Jul 2025 14:47:24 +0000 Subject: [PATCH 4/7] add correct file --- L127-cpp-spiffe-root-provider.md | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/L127-cpp-spiffe-root-provider.md b/L127-cpp-spiffe-root-provider.md index 4e1ebecce..3fac9b314 100644 --- a/L127-cpp-spiffe-root-provider.md +++ b/L127-cpp-spiffe-root-provider.md @@ -1,4 +1,4 @@ -L127: Spiffe Bundle Map support in Root Providers +L127: C++: SPIFFE Bundle Map support in Root Providers ---- * Author(s): gtcooke94 * Approver: markdroth 
@@ -9,14 +9,16 @@ L127: Spiffe Bundle Map support in Root Providers ## Abstract -The purpose of this proposal is to add public API support for SPIFFE bundle maps in root certificate file watcher providers. [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md) details the broader internals for this support. +The purpose of this proposal is to add public API support for SPIFFE bundle maps in root certificate file watcher providers. [A87] details the broader internals for this support. ## Background -gRPC supports SPIFFE bundle maps as root certificate material per [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md). Public APIs to configure these roots is needed. +gRPC supports SPIFFE bundle maps as root certificate material per [A87]. Public APIs to configure these roots are needed. ### Related Proposals: -* [gRFC A87](https://github.com/grpc/proposal/blob/master/A87-mtls-spiffe-support.md) +* [A87] + +[A87]: A87-mtls-spiffe-support.md ## Proposal @@ -24,7 +26,8 @@ This document proposes to extend the C-Core and C++ APIs as follows: ### C-Core -C-Core APIs are always subject to change - we will simply add an argument to the existing constructor in https://github.com/grpc/grpc/blob/79769b35d04535259592ac1b0a98d65f63203f06/include/grpc/credentials.h#L663-L666. +In the C-core API, we will add a new `spiffe_bundle_map_path` parameter to the `grpc_tls_certificate_provider_file_watcher_create()` function, which will now look like this: + ``` GRPCAPI grpc_tls_certificate_provider* grpc_tls_certificate_provider_file_watcher_create( 
@@ -32,8 +35,10 @@ grpc_tls_certificate_provider_file_watcher_create( const char* root_cert_path, const char* spiffe_bundle_map_path, unsigned int refresh_interval_sec); ``` +If the `spiffe_bundle_map_path` is set, the `root_cert_path` will be ignored. This holds even in the case where the `spiffe_bundle_map_path` ends up being invalid. + ### C++ -While the existing C++ API is marked experimental, we don't _want_ to break existing users. Thus, in https://github.com/grpc/grpc/blob/79769b35d04535259592ac1b0a98d65f63203f06/include/grpcpp/security/tls_certificate_provider.h#L109-L112, we will add a constructor with the `spiffe_bundle_map_path` argument. +While the existing C++ API is marked experimental, we don't _want_ to break existing users. Thus, we will add a constructor with the `spiffe_bundle_map_path` argument to the `FileWatcherCertificateProvider`. In order to not break current users, we will make the existing constructors support this by supplying an empty SPIFFE bundle map path. ``` @@ -45,4 +50,4 @@ FileWatcherCertificateProvider(const std::string& private_key_path, ``` ### Other Providers -This proposal _only_ aims to support file-based SPIFFE Bundle Maps via the file watcher providers. The `StaticDataCertificateProvider` structure is left as future work - we do not want to expose our internal SPIFFE utilities. \ No newline at end of file +This proposal _only_ aims to support file-based SPIFFE Bundle Maps via the file watcher providers. The `StaticDataCertificateProvider` structure is left as future work. This will involve broadening the API surface to expose a type for the SPIFFE bundle map. \ No newline at end of file From f3f99ffdf1f55d8404c104330e74e360f8c59ac1 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Thu, 17 Jul 2025 18:13:57 +0000 Subject: [PATCH 5/7] add google groups discussion link --- L127-cpp-spiffe-root-provider.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) 
diff --git a/L127-cpp-spiffe-root-provider.md b/L127-cpp-spiffe-root-provider.md index 3fac9b314..7d5ce9ecd 100644 --- a/L127-cpp-spiffe-root-provider.md +++ b/L127-cpp-spiffe-root-provider.md @@ -2,10 +2,10 @@ L127: C++: SPIFFE Bundle Map support in Root Providers ---- * Author(s): gtcooke94 * Approver: markdroth -* Status: Draft +* Status: In Review * Implemented in: core, cpp -* Last updated: 2025-07-15 -* Discussion at: TODO +* Last updated: 2025-07-17 +* Discussion at: https://groups.google.com/g/grpc-io/c/G47BjLsF4JQ ## Abstract @@ -50,4 +50,7 @@ FileWatcherCertificateProvider(const std::string& private_key_path, ``` ### Other Providers -This proposal _only_ aims to support file-based SPIFFE Bundle Maps via the file watcher providers. The `StaticDataCertificateProvider` structure is left as future work. This will involve broadening the API surface to expose a type for the SPIFFE bundle map. \ No newline at end of file +This proposal _only_ aims to support file-based SPIFFE Bundle Maps via the file watcher providers. The `StaticDataCertificateProvider` structure is left as future work. This will involve broadening the API surface to expose a type for the SPIFFE bundle map. + +## Implementation +PR will be linked when created. \ No newline at end of file From 1fbb1973b98ece6b3daf87a33086274a57c16f16 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Mon, 11 Aug 2025 18:33:07 +0000 Subject: [PATCH 6/7] add impl PRs --- L127-cpp-spiffe-root-provider.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/L127-cpp-spiffe-root-provider.md b/L127-cpp-spiffe-root-provider.md index 7d5ce9ecd..657f4c0d0 100644 --- a/L127-cpp-spiffe-root-provider.md +++ b/L127-cpp-spiffe-root-provider.md 
@@ -53,4 +53,7 @@ FileWatcherCertificateProvider(const std::string& private_key_path, This proposal _only_ aims to support file-based SPIFFE Bundle Maps via the file watcher providers. The `StaticDataCertificateProvider` structure is left as future work. This will involve broadening the API surface to expose a type for the SPIFFE bundle map. ## Implementation -PR will be linked when created. \ No newline at end of file +- https://github.com/grpc/grpc/pull/39148 +- https://github.com/grpc/grpc/pull/39445 +- https://github.com/grpc/grpc/pull/39708 +- https://github.com/grpc/grpc/pull/40321 From deffb81fd3ace58ff07475d81b448e0f7e99a435 Mon Sep 17 00:00:00 2001 From: Gregory Cooke Date: Mon, 11 Aug 2025 18:34:44 +0000 Subject: [PATCH 7/7] update header info --- L127-cpp-spiffe-root-provider.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/L127-cpp-spiffe-root-provider.md b/L127-cpp-spiffe-root-provider.md index 657f4c0d0..fbc8f7400 100644 --- a/L127-cpp-spiffe-root-provider.md +++ b/L127-cpp-spiffe-root-provider.md @@ -2,9 +2,9 @@ L127: C++: SPIFFE Bundle Map support in Root Providers ---- * Author(s): gtcooke94 * Approver: markdroth -* Status: In Review +* Status: Implemented * Implemented in: core, cpp -* Last updated: 2025-07-17 +* Last updated: 2025-08-11 * Discussion at: https://groups.google.com/g/grpc-io/c/G47BjLsF4JQ ## Abstract
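Review bot: The C-Core hunk in PATCH 1/7 (kept in PATCH 4/7) inserts `const char* spiffe_bundle_map_path` into the middle of the exported `grpc_tls_certificate_provider_file_watcher_create()` signature, which is a source- and ABI-incompatible change for every existing C caller, and the text never says what a caller passes to opt out. PATCH 4/7 adds "If the `spiffe_bundle_map_path` is set, the `root_cert_path` will be ignored", but for a `const char*` "set" could mean non-NULL or non-empty, while the C++ hunk uses an empty string as the not-set sentinel. Spell out whether NULL and "" are both accepted as "not set" and treated identically, so that a caller who passes "" by analogy with the C++ API does not unintentionally select the bundle map and have its `root_cert_path` ignored.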
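Review bot: The sentence "This holds even in the case where the `spiffe_bundle_map_path` ends up being invalid" in the PATCH 4/7 C-Core hunk says that `root_cert_path` stays ignored, but not what the provider then does: whether `grpc_tls_certificate_provider_file_watcher_create()` fails, the watcher reports an error, or the provider simply holds no trusted roots so handshakes fail. It is also unclear what "invalid" covers: a path that does not exist, a file that does not parse, or a map that parsed once and then becomes unreadable on a later `refresh_interval_sec` refresh (are the last-good roots kept or dropped?). Not falling back to `root_cert_path` is the right fail-closed choice, since a typo in the map path should not silently switch peer validation to a different trust store, but the document should state that rationale and the observable result, e.g. "If `spiffe_bundle_map_path` is set, `root_cert_path` is ignored even when the bundle map cannot be read or parsed; the provider then ... and the error is surfaced via ...", with the blanks filled in from the implementation.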
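Review bot: The C++ hunk (PATCH 1/7, reworded in PATCH 4/7) says "we will make the existing constructors support this by supplying an empty SPIFFE bundle map path", yet the fenced block shows only the new five-argument `FileWatcherCertificateProvider` constructor; the existing constructors and how they delegate are not shown, so a reader cannot confirm the no-break claim. Show the delegating form in the block, for example `FileWatcherCertificateProvider(private_key_path, identity_certificate_path, root_cert_path, "", refresh_interval_sec)`, and document that an empty `spiffe_bundle_map_path` means "not set" (bundle map disabled, `root_cert_path` used), since with both arguments being `std::string` paths the empty string is the only sentinel available and its meaning should be explicit rather than implied.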
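Review bot: The four PR links added in the Implementation hunk of PATCH 6/7 carry no description. Given the header's "Implemented in: core, cpp", a short label per PR (which one changes the C-Core `grpc_tls_certificate_provider_file_watcher_create()` signature, which adds the C++ `FileWatcherCertificateProvider` constructor, which adds tests or docs) would let a reader map each part of the proposal to the code that implements it before PATCH 7/7 flips the status to Implemented.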