xds: channel_creds other than insecure and google_default

[amenzhinsky]

Is there a plan to add new types of channel creds, especially I'm interested in tls creds for control planes that use self-sined certificates or clients without system ca certificates bundle?

[menghanl]

I'm assuming you are talking about the creds configuration in xds bootstrap file, right?

@dfawley do you know if there's something planned?

[dfawley]

I'm not sure. @easwars, do you know about this?

[amenzhinsky]

@menghanl yep

Ideally I'd like to have something like:

{
  "type": "tls",
  "cert": "PEM-ENCODED-CERT",
  "key": "PEM-ENCODED-KEY",
  "ca_cert": "PEM-ENCODED-CERT",
  "server_name": "override-server-name",
  "insecure": false
}

that would result in credentials.NewTLS(&tls.Config{...})

[dfawley]

cc @sanjaypujare

Something like this would need to be designed as a cross-language feature, if it's not already in the works. Should we move this to grpc/grpc for follow-up?

[menghanl]

This was mentioned in the first xDS gRFC where the bootstrap format is defined: https://github.com/grpc/proposal/blob/master/A27-xds-global-load-balancing.md#xdsclient-and-bootstrap-file

Initially, the only types of channel creds we support will be google_default and insecure. In the future, we will add a general-purpose mechanism for configuring arbitrary channel creds types with arbitrary configuration.

I don't think I've heard anything afterwards.
@markdroth Did we make any concrete plan? Is this something we will support soon?

[markdroth]

Yes, this is absolutely something that we plan to do; we already have a design it. We'll be tackling this in Q3.

[dfawley]

IIUC this was implemented in #5136

[markdroth]

I suspect this feature request was not just for the plugin system (which probably isn't a public API) but rather specifically for adding a way to configure TlsCreds with some arbitrary configuration instead of GoogleDefaultCreds. We have a design for that but have not yet implemented it.