xds/bootstrap: add trusted_xds_server server feature#8692
Pranjali-2501 merged 5 commits into grpc:master from
Codecov Report

❌ Patch coverage is

Additional details and impacted files

```diff
@@ Coverage Diff @@
## master #8692 +/- ##
==========================================
- Coverage 83.42% 83.34% -0.08%
==========================================
Files 416 419 +3
Lines 32303 32443 +140
==========================================
+ Hits 26948 27040 +92
- Misses 3993 4031 +38
- Partials 1362 1372 +10
```
The generic xDS client's configuration can be found here: We need to propagate this newly added server feature to the generic xDS client as well. In order to do that, we need to do the following:
```go
func (s *ServerConfig) SupportsServerFeature(feature ServerFeature) bool { ... }

type ServerFeature int

const (
	ServerFeatureIgnoreResourceDeletion ServerFeature = iota
	ServerFeatureTrustedXDSServer
)
```
@Pranjali-2501: Please assign it back to me once you've handled the comment. Thanks.
|
|
||
| // IgnoreResourceDeletion is a server feature which if set to true, | ||
| // indicates that resource deletion errors from xDS management servers can | ||
| // be ignored and cached resource data can be used. | ||
| // | ||
| // This will be removed in the future once we implement gRFC A88 | ||
| // and two new fields FailOnDataErrors and | ||
| // ResourceTimerIsTransientError will be introduced. | ||
| IgnoreResourceDeletion bool | ||
|
|
||
| // TODO: Link to gRFC A88 | ||
| ServerFeature ServerFeature |
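Review bot: with `IgnoreResourceDeletion bool` kept next to the new `ServerFeature ServerFeature` field at the end of this hunk, the struct can express the same setting in two places if the new field also carries the ignore-resource-deletion feature (the `ServerFeatureIgnoreResourceDeletion` constant proposed earlier in this thread suggests it does). The doc comment should say which one is authoritative when they disagree, or mark the bool as deprecated in favour of the new field. The `// TODO: Link to gRFC A88` line is currently the new field's only documentation, and a field named identically to its type reads ambiguously; a plural name such as `ServerFeatures` would make it clearer that it holds a set of flags.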
Nit: You could get rid of the newline and add a trailing comment to this line saying this field stores a bitmap of supported features.
| serverFeatures = serverFeatures | xdsclient.ServerFeatureTrustedXDSServer | ||
| } | ||
| gsc := xdsclient.ServerConfig{ | ||
| ServerIdentifier: clients.ServerIdentifier{ServerURI: sc.ServerURI(), Extensions: grpctransport.ServerIdentifierExtension{ConfigName: sc.SelectedChannelCreds().Type}}, |
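Review bot: the OR on the first line, `serverFeatures | xdsclient.ServerFeatureTrustedXDSServer`, is only correct if every `ServerFeature` constant is a distinct non-zero bit, and the constant declaration is not visible in this hunk. The sketch earlier in the thread declares them with plain `iota`, which would make the first constant 0, so OR-ing it in would be a no-op and a membership check could not detect it. Please confirm the constants use `1 << iota` and add a test that a server without `trusted_xds_server` in its bootstrap entry does not report the feature, since this flag gates a security-sensitive behaviour. Minor: `serverFeatures |= ...` is the more idiomatic form.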
Nit: Please use a separate line for individual fields (in sub-struct fields as well). I understand this is continuing to do what the existing code was doing. But that happened to be a part of a giant refactor, and it was often easy to miss things during the review. See: go/go-style/decisions#literal-formatting
Thanks.
…icy (gRFC A81) (#8779)

This PR implements the xDS :authority header rewriting feature as specified in [gRFC A81](https://github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md)

### Key Changes:

* xds_cluster_impl LB Policy:
  * Updated the Picker to check for the auto_host_rewrite flag (passed via ConfigSelector).
  * If enabled, the picker retrieves the hostname attribute from the subchannel.
  * The picker populates the Metadata field in PickResult with the new :authority value.
* changes in stream.go:
  * Updated stream.go to inspect the PickResult metadata. If an :authority override is present and the user has not explicitly set an authority via CallOption, the `callHdr.Authority` is updated with hostname.
* PR relies on the following changes already merged:
  * Bootstrap config change (#8692): Added the trusted_xds_server server feature to the bootstrap configuration.
  * xDS resource validation (#8728): Implemented validation and extraction of the auto_host_rewrite field from RDS resources and the hostname field from EDS resources.
  * Endpoint Structure (#8750): Refactored xdsresource.Endpoint to use resolver.Endpoint, ensuring that attributes (like the endpoint's hostname) are correctly stored and accessible to the picker.
  * xDS ConfigSelector changes (#8740): Updated the xDS resolver to propagate the auto_host_rewrite flag from the Route Configuration to the Load Balancer via the ConfigSelector.

RELEASE NOTES:

* xDS: Added support for the :authority rewriting (gRFC A81). When `autoHostRewrite` is enabled in the xDS RouteConfiguration, the client will rewrite the HTTP/2 :authority header to the value of the selected endpoint's hostname.
This PR implements the Bootstrap config changes for gRFC A81.
Authority rewriting is a security-sensitive feature that should only be enabled when the xDS server is explicitly trusted to provide such configuration. gRFC A81 specifies that this trust is indicated by adding `trusted_xds_server` to the server_features list for a given server in the bootstrap file.

RELEASE NOTES: None
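The trust marker described in the PR description above, as an added stand-alone example that is not code from this PR or from grpc-go: it folds each server's `server_features` list into a bitmap and reports trust only for an exact `trusted_xds_server` entry. `ServerConfig` here is a simplified stand-in, and `featureByName`, `ParseBootstrap`, `sampleBootstrap`, the host names and the `1 << iota` declaration are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type ServerFeature uint64 // bitmap of per-server features (sketch, not grpc-go's type)

const (
	ServerFeatureIgnoreResourceDeletion ServerFeature = 1 << iota // plain iota would make this 0
	ServerFeatureTrustedXDSServer
)

var featureByName = map[string]ServerFeature{ // exact, case-sensitive names
	"ignore_resource_deletion": ServerFeatureIgnoreResourceDeletion,
	"trusted_xds_server":       ServerFeatureTrustedXDSServer,
}

type ServerConfig struct {
	ServerURI    string        `json:"server_uri"`
	FeatureNames []string      `json:"server_features"`
	Features     ServerFeature `json:"-"`
}

func (s *ServerConfig) SupportsServerFeature(f ServerFeature) bool { return s.Features&f != 0 }

// ParseBootstrap folds each server's server_features list into its bitmap.
func ParseBootstrap(data []byte) ([]ServerConfig, error) {
	var raw struct{ Servers []ServerConfig `json:"xds_servers"` }
	if err := json.Unmarshal(data, &raw); err != nil {
		return nil, err
	}
	for i := range raw.Servers {
		for _, n := range raw.Servers[i].FeatureNames {
			raw.Servers[i].Features |= featureByName[n] // unknown names add no bits
		}
	}
	return raw.Servers, nil
}

// Constructed sample bootstrap: only xds-a is marked trusted.
const sampleBootstrap = `{"xds_servers": [
  {"server_uri": "xds-a.example.com:443", "server_features": ["xds_v3", "trusted_xds_server"]},
  {"server_uri": "xds-b.example.com:443", "server_features": ["ignore_resource_deletion"]}]}`

func main() {
	servers, err := ParseBootstrap([]byte(sampleBootstrap))
	fmt.Println(servers, err) // the last value in each entry is its feature bitmap
}
```

Because unknown or misspelled feature names contribute no bits, a server is treated as untrusted unless its bootstrap entry names the feature exactly.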