Commit 343b4d8

L127: C++: SPIFFE Bundle Map support in Providers (#506)
1 parent 4f833c5 commit 343b4d8

1 file changed

Lines changed: 59 additions & 0 deletions

L127-cpp-spiffe-root-provider.md

@@ -0,0 +1,59 @@
1+
L127: C++: SPIFFE Bundle Map support in Root Providers
2+
----
3+
* Author(s): gtcooke94
4+
* Approver: markdroth
5+
* Status: Implemented
6+
* Implemented in: core, cpp
7+
* Last updated: 2025-08-11
8+
* Discussion at: https://groups.google.com/g/grpc-io/c/G47BjLsF4JQ
9+
10+
## Abstract
11+
12+
The purpose of this proposal is to add public API support for SPIFFE bundle maps in root certificate file watcher providers. [A87] details the broader internals for this support.
13+
14+
## Background
15+
16+
gRPC supports SPIFFE bundle maps as root certificate material per [A87]. Public APIs to configure these roots are needed.
17+
18+
### Related Proposals:
19+
* [A87]
20+
21+
[A87]: A87-mtls-spiffe-support.md
22+
23+
## Proposal
24+
25+
This document proposes to extend the C-Core and C++ APIs as follows:
26+
27+
28+
### C-Core
29+
In the C-core API, we will add a new `spiffe_bundle_map_path` parameter to the `grpc_tls_certificate_provider_file_watcher_create()` function, which will now look like this:
30+
31+
```
32+
GRPCAPI grpc_tls_certificate_provider*
33+
grpc_tls_certificate_provider_file_watcher_create(
34+
const char* private_key_path, const char* identity_certificate_path,
35+
const char* root_cert_path, const char* spiffe_bundle_map_path, unsigned int refresh_interval_sec);
36+
```
37+
38+
If the `spiffe_bundle_map_path` is set, the `root_cert_path` will be ignored. This holds even in the case where the `spiffe_bundle_map_path` ends up being invalid.
39+
40+
### C++
41+
While the existing C++ API is marked experimental, we don't _want_ to break existing users. Thus, we will add a constructor with the `spiffe_bundle_map_path` argument to the `FileWatcherCertificateProvider`.
42+
In order to not break current users, we will make the existing constructors support this by supplying an empty SPIFFE bundle map path.
43+
```
44+
45+
FileWatcherCertificateProvider(const std::string& private_key_path,
46+
const std::string& identity_certificate_path,
47+
const std::string& root_cert_path,
48+
const std::string& spiffe_bundle_map_path,
49+
unsigned int refresh_interval_sec);
50+
```
51+
52+
### Other Providers
53+
This proposal _only_ aims to support file-based SPIFFE Bundle Maps via the file watcher providers. The `StaticDataCertificateProvider` structure is left as future work. This will involve broadening the API surface to expose a type for the SPIFFE bundle map.
54+
55+
## Implementation
56+
- https://github.com/grpc/grpc/pull/39148
57+
- https://github.com/grpc/grpc/pull/39445
58+
- https://github.com/grpc/grpc/pull/39708
59+
- https://github.com/grpc/grpc/pull/40321
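Review bot: the C-Core section's rule "If the `spiffe_bundle_map_path` is set, the `root_cert_path` will be ignored. This holds even in the case where the `spiffe_bundle_map_path` ends up being invalid." leaves the failure mode and the definition of "set" undocumented, and both matter for a trust-root API. Please state (a) what counts as unset for a `const char*` argument: only NULL, or also the empty string, since the C++ section says the existing constructors will keep working "by supplying an empty SPIFFE bundle map path", which only holds if "" is treated as unset at the C-Core layer; (b) what the provider delivers when the bundle map file is missing or fails to parse: the sentence implies no fallback to `root_cert_path`, which is the safe choice (a silent fallback would quietly swap the trust set under a misconfiguration), so spell out that no root material is distributed and handshakes fail until a later successful reload; and (c) whether `refresh_interval_sec` re-reads the bundle map on the same schedule as the key, certificate and root files. Minor style point: the two code fences for the C-Core signature and the C++ constructor have no language tag; tagging them `c` and `cpp` gives syntax highlighting.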
