grpc 1.78.1 → 1.80.0

data/src/core/xds/grpc/xds_routing.cc

@@ -190,9 +190,177 @@ std::optional<absl::string_view> XdsRouting::GetHeaderValue(
   return initial_metadata->GetStringValue(header_name, concatenated_value);
 }
 
+XdsRouting::PerRouteFilterChainBuilder::PerRouteFilterChainBuilder(
+    const std::vector<XdsListenerResource::HttpConnectionManager::HttpFilter>&
+        hcm_filter_configs,
+    const XdsHttpFilterRegistry& http_filter_registry,
+    const XdsRouteConfigResource::VirtualHost& vhost,
+    FilterChainBuilder& builder,
+    absl::AnyInvocable<void(FilterChainBuilder&)> add_last_filter,
+    const Blackboard* old_blackboard, Blackboard* new_blackboard)
+    : hcm_filter_configs_(hcm_filter_configs),
+      vhost_(vhost),
+      builder_(builder),
+      add_last_filter_(std::move(add_last_filter)),
+      old_blackboard_(old_blackboard),
+      new_blackboard_(new_blackboard) {
+  filter_impls_.reserve(hcm_filter_configs.size());
+  for (const auto& http_filter : hcm_filter_configs) {
+    // Find filter.  This is guaranteed to succeed, because it's checked
+    // at config validation time.
+    const XdsHttpFilterImpl* filter_impl =
+        http_filter_registry.GetFilterForTopLevelType(
+            http_filter.config_proto_type);
+    GRPC_CHECK_NE(filter_impl, nullptr);
+    // Add filter to list.
+    filter_impls_.push_back(filter_impl);
+  }
+}
+
+namespace {
+
+RefCountedPtr<const FilterConfig> GetOverrideConfig(
+    const XdsHttpFilterImpl* filter_impl,
+    const XdsRouteConfigResource::TypedPerFilterConfig& typed_per_filter_config,
+    const std::string& name) {
+  auto it = typed_per_filter_config.find(name);
+  if (it == typed_per_filter_config.end()) return nullptr;
+  if (it->second.config_proto_type != filter_impl->OverrideConfigProtoName()) {
+    return nullptr;
+  }
+  return it->second.filter_config;
+}
+
+}  // namespace
+
+absl::StatusOr<RefCountedPtr<const FilterChain>>
+XdsRouting::PerRouteFilterChainBuilder::GetDefaultFilterChain() {
+  if (default_filter_chain_.ok() && *default_filter_chain_ == nullptr) {
+    GRPC_TRACE_LOG(xds_resolver, INFO) << "Building default filter chain:";
+    for (size_t i = 0; i < filter_impls_.size(); ++i) {
+      auto* filter_impl = filter_impls_[i];
+      const auto& filter_config = hcm_filter_configs_[i];
+      RefCountedPtr<const FilterConfig> config;
+      if (filter_config.filter_config != nullptr) {
+        auto vhost_override_config = GetOverrideConfig(
+            filter_impl, vhost_.typed_per_filter_config, filter_config.name);
+        config = filter_impl->MergeConfigs(filter_config.filter_config,
+                                           std::move(vhost_override_config),
+                                           nullptr, nullptr);
+        filter_impl->UpdateBlackboard(*config, old_blackboard_,
+                                      new_blackboard_);
+      }
+      GRPC_TRACE_LOG(xds_resolver, INFO)
+          << "  Adding filter=" << filter_config.name
+          << " config=" << (config == nullptr ? "<null>" : config->ToString());
+      filter_impl->AddFilter(builder_, std::move(config));
+    }
+    if (add_last_filter_ != nullptr) add_last_filter_(builder_);
+    default_filter_chain_ = builder_.Build();
+    GRPC_TRACE_LOG(xds_resolver, INFO)
+        << "Filter chain creation status: " << default_filter_chain_.status();
+  }
+  return default_filter_chain_;
+}
+
+absl::StatusOr<RefCountedPtr<const FilterChain>>
+XdsRouting::PerRouteFilterChainBuilder::BuildFilterChainForRoute(
+    const XdsRouteConfigResource::Route& route) {
+  GRPC_TRACE_LOG(xds_resolver, INFO)
+      << "Building filter chain for route:" << route.ToString();
+  // If there are no per-route overrides, use the default filter chain.
+  if (route.typed_per_filter_config.empty()) return GetDefaultFilterChain();
+  // Otherwise, build a new filter chain for the route.
+  for (size_t i = 0; i < filter_impls_.size(); ++i) {
+    auto* filter_impl = filter_impls_[i];
+    const auto& filter_config = hcm_filter_configs_[i];
+    RefCountedPtr<const FilterConfig> config;
+    if (filter_config.filter_config != nullptr) {
+      auto vhost_override_config = GetOverrideConfig(
+          filter_impl, vhost_.typed_per_filter_config, filter_config.name);
+      auto route_override_config = GetOverrideConfig(
+          filter_impl, route.typed_per_filter_config, filter_config.name);
+      config = filter_impl->MergeConfigs(
+          filter_config.filter_config, std::move(vhost_override_config),
+          std::move(route_override_config), nullptr);
+      filter_impl->UpdateBlackboard(*config, old_blackboard_, new_blackboard_);
+    }
+    GRPC_TRACE_LOG(xds_resolver, INFO)
+        << "  Adding filter=" << filter_config.name
+        << " config=" << (config == nullptr ? "<null>" : config->ToString());
+    filter_impl->AddFilter(builder_, std::move(config));
+  }
+  if (add_last_filter_ != nullptr) add_last_filter_(builder_);
+  absl::StatusOr<RefCountedPtr<const FilterChain>> route_filter_chain =
+      builder_.Build();
+  GRPC_TRACE_LOG(xds_resolver, INFO)
+      << "Filter chain creation status: " << route_filter_chain.status();
+  return route_filter_chain;
+}
+
+void XdsRouting::PerRouteFilterChainBuilder::
+    BuildFilterChainForRouteWithWeightedClusters(
+        const XdsRouteConfigResource::Route& route,
+        absl::FunctionRef<
+            void(size_t, absl::StatusOr<RefCountedPtr<const FilterChain>>)>
+            set_filter_chain_for_cluster_weight) {
+  // If any cluster weight does not have any filter config overrides,
+  // we'll reuse the route-level filter chain.  We construct it lazily
+  // and cache it so that we never construct it more than we need to.
+  absl::StatusOr<RefCountedPtr<const FilterChain>> route_filter_chain = nullptr;
+  const auto& route_action =
+      std::get<XdsRouteConfigResource::Route::RouteAction>(route.action);
+  const auto& cluster_weights = std::get<
+      std::vector<XdsRouteConfigResource::Route::RouteAction::ClusterWeight>>(
+      route_action.action);
+  for (size_t j = 0; j < cluster_weights.size(); ++j) {
+    const auto& cluster_weight = cluster_weights[j];
+    if (cluster_weight.typed_per_filter_config.empty()) {
+      // No per-ClusterWeight overrides, so use the route-level filter chain.
+      if (route_filter_chain.ok() && *route_filter_chain == nullptr) {
+        route_filter_chain = BuildFilterChainForRoute(route);
+      }
+      set_filter_chain_for_cluster_weight(j, route_filter_chain);
+    } else {
+      GRPC_TRACE_LOG(xds_resolver, INFO)
+          << "Building filter chain for route:" << route.ToString()
+          << " ClusterWeight:" << cluster_weight.ToString();
+      for (size_t i = 0; i < filter_impls_.size(); ++i) {
+        auto* filter_impl = filter_impls_[i];
+        const auto& filter_config = hcm_filter_configs_[i];
+        RefCountedPtr<const FilterConfig> config;
+        if (filter_config.filter_config != nullptr) {
+          auto vhost_override_config = GetOverrideConfig(
+              filter_impl, vhost_.typed_per_filter_config, filter_config.name);
+          auto route_override_config = GetOverrideConfig(
+              filter_impl, route.typed_per_filter_config, filter_config.name);
+          auto cluster_weight_override_config = GetOverrideConfig(
+              filter_impl, cluster_weight.typed_per_filter_config,
+              filter_config.name);
+          config = filter_impl->MergeConfigs(
+              filter_config.filter_config, std::move(vhost_override_config),
+              std::move(route_override_config),
+              std::move(cluster_weight_override_config));
+          filter_impl->UpdateBlackboard(*config, old_blackboard_,
+                                        new_blackboard_);
+        }
+        GRPC_TRACE_LOG(xds_resolver, INFO)
+            << "  Adding filter=" << filter_config.name << " config="
+            << (config == nullptr ? "<null>" : config->ToString());
+        filter_impl->AddFilter(builder_, std::move(config));
+      }
+      if (add_last_filter_ != nullptr) add_last_filter_(builder_);
+      auto filter_chain = builder_.Build();
+      GRPC_TRACE_LOG(xds_resolver, INFO)
+          << "Filter chain creation status: " << filter_chain.status();
+      set_filter_chain_for_cluster_weight(j, std::move(filter_chain));
+    }
+  }
+}
+
 namespace {
 
-const XdsHttpFilterImpl::FilterConfig* FindFilterConfigOverride(
+const XdsRouteConfigResource::FilterConfigOverride* FindFilterConfigOverride(
     const std::string& instance_name,
     const XdsRouteConfigResource::VirtualHost& vhost,
     const XdsRouteConfigResource::Route& route,
@@ -229,8 +397,8 @@ GeneratePerHTTPFilterConfigs(
     // Find filter.  This is guaranteed to succeed, because it's checked
     // at config validation time in the listener parsing code.
     const XdsHttpFilterImpl* filter_impl =
-        http_filter_registry.GetFilterForType(
-            http_filter.config.config_proto_type_name);
+        http_filter_registry.GetFilterForTopLevelType(
+            http_filter.config_proto_type);
     GRPC_CHECK_NE(filter_impl, nullptr);
     // If there is not actually any C-core filter associated with this
     // xDS filter, then it won't need any config, so skip it.
@@ -270,9 +438,16 @@ XdsRouting::GeneratePerHTTPFilterConfigsForMethodConfig(
       [&](const XdsHttpFilterImpl& filter_impl,
           const XdsListenerResource::HttpConnectionManager::HttpFilter&
               http_filter) {
-        const XdsHttpFilterImpl::FilterConfig* config_override =
-            FindFilterConfigOverride(http_filter.name, vhost, route,
-                                     cluster_weight);
+        // Find override config, if any.
+        const XdsRouteConfigResource::FilterConfigOverride*
+            filter_config_override = FindFilterConfigOverride(
+                http_filter.name, vhost, route, cluster_weight);
+        const Json* config_override = nullptr;
+        if (filter_config_override != nullptr &&
+            filter_config_override->config_proto_type ==
+                filter_impl.OverrideConfigProtoName()) {
+          config_override = &filter_config_override->config;
+        }
         // Generate service config for filter.
         return filter_impl.GenerateMethodConfig(http_filter.config,
                                                 config_override);

data/src/core/xds/grpc/xds_routing.h

@@ -80,6 +80,63 @@ class XdsRouting final {
       grpc_metadata_batch* initial_metadata, absl::string_view header_name,
       std::string* concatenated_value);
 
+  // Logic for building a filter chain for a given route.  Caching is
+  // done to avoid unnecessary work while iterating over the list of
+  // routes in a given VirtualHost.
+  //
+  // TODO(roth): Currently, this class uses the xds_resolver tracer for
+  // logging.  When we change the server side to use the new filter
+  // config structure, add a new tracer and use that instead, so that it
+  // can be used on both the client and server side.
+  class PerRouteFilterChainBuilder {
+   public:
+    // The add_last_filter() callback is called on the builder after
+    // adding all of the xDS HTTP filters and right before building the
+    // filter chain.  May be null if not needed.
+    PerRouteFilterChainBuilder(
+        const std::vector<
+            XdsListenerResource::HttpConnectionManager::HttpFilter>&
+            hcm_filter_configs,
+        const XdsHttpFilterRegistry& http_filter_registry,
+        const XdsRouteConfigResource::VirtualHost& vhost,
+        FilterChainBuilder& builder,
+        absl::AnyInvocable<void(FilterChainBuilder&)> add_last_filter,
+        const Blackboard* old_blackboard, Blackboard* new_blackboard);
+
+    // Builds a filter chain for a route that has an individual cluster
+    // or a ClusterSpecifierPlugin.
+    absl::StatusOr<RefCountedPtr<const FilterChain>> BuildFilterChainForRoute(
+        const XdsRouteConfigResource::Route& route);
+
+    // Builds a filter chain for a route that uses WeightedClusters.
+    // The set_filter_chain_for_cluster_weight() function will be called
+    // once for each index in the WeightedClusters list.
+    void BuildFilterChainForRouteWithWeightedClusters(
+        const XdsRouteConfigResource::Route& route,
+        absl::FunctionRef<
+            void(size_t, absl::StatusOr<RefCountedPtr<const FilterChain>>)>
+            set_filter_chain_for_cluster_weight);
+
+   private:
+    absl::StatusOr<RefCountedPtr<const FilterChain>> GetDefaultFilterChain();
+
+    const std::vector<XdsListenerResource::HttpConnectionManager::HttpFilter>&
+        hcm_filter_configs_;
+    const XdsRouteConfigResource::VirtualHost& vhost_;
+    FilterChainBuilder& builder_;
+    absl::AnyInvocable<void(FilterChainBuilder&)> add_last_filter_;
+    const Blackboard* old_blackboard_;
+    Blackboard* new_blackboard_;
+
+    // Same size as hcm_filter_configs_.
+    std::vector<const XdsHttpFilterImpl*> filter_impls_;
+
+    // Cached default filter chain, to be used for any route that does
+    // not have any filter config overrides.
+    absl::StatusOr<RefCountedPtr<const FilterChain>> default_filter_chain_ =
+        nullptr;
+  };
+
   struct GeneratePerHttpFilterConfigsResult {
     // Map of service config field name to list of elements for that field.
     std::map<std::string, std::vector<std::string>> per_filter_configs;

data/src/core/xds/grpc/xds_server_grpc.cc

@@ -109,56 +109,68 @@ bool XdsBootstrapCallCredsEnabled() {
 
 }  // namespace
 
-void GrpcXdsServer::JsonPostLoad(const Json& json, const JsonArgs& args,
-                                 ValidationErrors* errors) {
-  // Parse "channel_creds".
-  RefCountedPtr<ChannelCredsConfig> channel_creds_config;
-  {
-    auto channel_creds_list =
-        LoadJsonObjectField<std::vector<ChannelOrCallCreds>>(
-            json.object(), args, "channel_creds", errors);
-    if (channel_creds_list.has_value()) {
-      ValidationErrors::ScopedField field(errors, ".channel_creds");
-      for (size_t i = 0; i < channel_creds_list->size(); ++i) {
-        ValidationErrors::ScopedField field(errors, absl::StrCat("[", i, "]"));
-        auto& creds = (*channel_creds_list)[i];
-        // Select the first channel creds type that we support, but
-        // validate all entries.
-        if (CoreConfiguration::Get().channel_creds_registry().IsSupported(
-                creds.type)) {
-          ValidationErrors::ScopedField field(errors, ".config");
-          auto config =
-              CoreConfiguration::Get().channel_creds_registry().ParseConfig(
-                  creds.type, Json::FromObject(creds.config), args, errors);
-          if (channel_creds_config == nullptr) {
-            channel_creds_config = std::move(config);
-          }
+RefCountedPtr<const ChannelCredsConfig> ParseXdsBootstrapChannelCreds(
+    const Json& json, const JsonArgs& args, ValidationErrors* errors) {
+  RefCountedPtr<const ChannelCredsConfig> channel_creds_config;
+  auto channel_creds_list =
+      LoadJsonObjectField<std::vector<ChannelOrCallCreds>>(
+          json.object(), args, "channel_creds", errors);
+  if (channel_creds_list.has_value()) {
+    ValidationErrors::ScopedField field(errors, ".channel_creds");
+    for (size_t i = 0; i < channel_creds_list->size(); ++i) {
+      ValidationErrors::ScopedField field(errors, absl::StrCat("[", i, "]"));
+      auto& creds = (*channel_creds_list)[i];
+      // Select the first channel creds type that we support, but
+      // validate all entries.
+      if (CoreConfiguration::Get().channel_creds_registry().IsSupported(
+              creds.type)) {
+        ValidationErrors::ScopedField field(errors, ".config");
+        auto config =
+            CoreConfiguration::Get().channel_creds_registry().ParseConfig(
+                creds.type, Json::FromObject(creds.config), args, errors);
+        if (channel_creds_config == nullptr) {
+          channel_creds_config = std::move(config);
         }
       }
-      if (channel_creds_config == nullptr) {
-        errors->AddError("no known creds type found");
+    }
+    if (channel_creds_config == nullptr) {
+      errors->AddError("no known creds type found");
+    }
+  }
+  return channel_creds_config;
+}
+
+std::vector<RefCountedPtr<const CallCredsConfig>> ParseXdsBootstrapCallCreds(
+    const Json& json, const JsonArgs& args, ValidationErrors* errors) {
+  std::vector<RefCountedPtr<const CallCredsConfig>> call_creds_configs;
+  auto call_creds_list = LoadJsonObjectField<std::vector<ChannelOrCallCreds>>(
+      json.object(), args, "call_creds", errors, /*required=*/false);
+  if (call_creds_list.has_value()) {
+    ValidationErrors::ScopedField field(errors, ".call_creds");
+    for (size_t i = 0; i < call_creds_list->size(); ++i) {
+      ValidationErrors::ScopedField field(errors, absl::StrCat("[", i, "]"));
+      auto& creds = (*call_creds_list)[i];
+      if (CoreConfiguration::Get().call_creds_registry().IsSupported(
+              creds.type)) {
+        ValidationErrors::ScopedField field(errors, ".config");
+        call_creds_configs.push_back(
+            CoreConfiguration::Get().call_creds_registry().ParseConfig(
+                creds.type, Json::FromObject(creds.config), args, errors));
       }
     }
   }
+  return call_creds_configs;
+}
+
+void GrpcXdsServer::JsonPostLoad(const Json& json, const JsonArgs& args,
+                                 ValidationErrors* errors) {
+  // Parse "channel_creds".
+  RefCountedPtr<const ChannelCredsConfig> channel_creds_config =
+      ParseXdsBootstrapChannelCreds(json, args, errors);
   // Parse "call_creds".
-  std::vector<RefCountedPtr<CallCredsConfig>> call_creds_configs;
+  std::vector<RefCountedPtr<const CallCredsConfig>> call_creds_configs;
   if (XdsBootstrapCallCredsEnabled()) {
-    auto call_creds_list = LoadJsonObjectField<std::vector<ChannelOrCallCreds>>(
-        json.object(), args, "call_creds", errors);
-    if (call_creds_list.has_value()) {
-      ValidationErrors::ScopedField field(errors, ".call_creds");
-      for (size_t i = 0; i < call_creds_list->size(); ++i) {
-        ValidationErrors::ScopedField field(errors, absl::StrCat("[", i, "]"));
-        auto& creds = (*call_creds_list)[i];
-        if (CoreConfiguration::Get().call_creds_registry().IsSupported(
-                creds.type)) {
-          ValidationErrors::ScopedField field(errors, ".config");
-          call_creds_configs.push_back(
-              CoreConfiguration::Get().call_creds_registry().ParseConfig(
-                  creds.type, Json::FromObject(creds.config), args, errors));
-        }
-      }
-    }
+    call_creds_configs = ParseXdsBootstrapCallCreds(json, args, errors);
   }
   // Parse "server_features".
   {

data/src/core/xds/grpc/xds_server_grpc.h

@@ -32,12 +32,18 @@
 
 namespace grpc_core {
 
+RefCountedPtr<const ChannelCredsConfig> ParseXdsBootstrapChannelCreds(
+    const Json& json, const JsonArgs& args, ValidationErrors* errors);
+
+std::vector<RefCountedPtr<const CallCredsConfig>> ParseXdsBootstrapCallCreds(
+    const Json& json, const JsonArgs& args, ValidationErrors* errors);
+
 class GrpcXdsServerTarget final : public GrpcXdsServerInterface {
  public:
   explicit GrpcXdsServerTarget(
       std::string server_uri,
-      RefCountedPtr<ChannelCredsConfig> channel_creds_config,
-      std::vector<RefCountedPtr<CallCredsConfig>> call_creds_configs)
+      RefCountedPtr<const ChannelCredsConfig> channel_creds_config,
+      std::vector<RefCountedPtr<const CallCredsConfig>> call_creds_configs)
       : server_uri_(std::move(server_uri)),
         channel_creds_config_(std::move(channel_creds_config)),
         call_creds_configs_(std::move(call_creds_configs)) {}
@@ -45,18 +51,19 @@ class GrpcXdsServerTarget final : public GrpcXdsServerInterface {
   bool Equals(const XdsServerTarget& other) const override;
   std::string Key() const override;
   const std::string& server_uri() const override { return server_uri_; }
-  RefCountedPtr<ChannelCredsConfig> channel_creds_config() const override {
+  RefCountedPtr<const ChannelCredsConfig> channel_creds_config()
+      const override {
     return channel_creds_config_;
   }
-  const std::vector<RefCountedPtr<CallCredsConfig>>& call_creds_configs()
+  const std::vector<RefCountedPtr<const CallCredsConfig>>& call_creds_configs()
       const override {
     return call_creds_configs_;
   }
 
  private:
   std::string server_uri_;
-  RefCountedPtr<ChannelCredsConfig> channel_creds_config_;
-  std::vector<RefCountedPtr<CallCredsConfig>> call_creds_configs_;
+  RefCountedPtr<const ChannelCredsConfig> channel_creds_config_;
+  std::vector<RefCountedPtr<const CallCredsConfig>> call_creds_configs_;
 };
 
 class GrpcXdsServer final : public XdsBootstrap::XdsServer {

data/src/core/xds/grpc/xds_server_grpc_interface.h

@@ -26,9 +26,10 @@ namespace grpc_core {
 
 class GrpcXdsServerInterface : public XdsBootstrap::XdsServerTarget {
  public:
-  virtual RefCountedPtr<ChannelCredsConfig> channel_creds_config() const = 0;
+  virtual RefCountedPtr<const ChannelCredsConfig> channel_creds_config()
+      const = 0;
 
-  virtual const std::vector<RefCountedPtr<CallCredsConfig>>&
+  virtual const std::vector<RefCountedPtr<const CallCredsConfig>>&
   call_creds_configs() const = 0;
 };
 

data/src/core/xds/grpc/xds_transport_grpc.cc

@@ -252,11 +252,13 @@ class GrpcXdsTransportFactory::GrpcXdsTransport::StateWatcher final
 
 namespace {
 
-RefCountedPtr<Channel> CreateXdsChannel(const ChannelArgs& args,
-                                        const GrpcXdsServerInterface& server) {
+RefCountedPtr<Channel> CreateXdsChannel(
+    const ChannelArgs& args,
+    CertificateProviderStoreInterface& certificate_provider_store,
+    const GrpcXdsServerInterface& server) {
   RefCountedPtr<grpc_channel_credentials> channel_creds =
       CoreConfiguration::Get().channel_creds_registry().CreateChannelCreds(
-          server.channel_creds_config());
+          server.channel_creds_config(), certificate_provider_store);
   RefCountedPtr<grpc_call_credentials> call_creds;
   for (const auto& call_creds_config : server.call_creds_configs()) {
     RefCountedPtr<grpc_call_credentials> creds =
@@ -289,8 +291,9 @@ GrpcXdsTransportFactory::GrpcXdsTransport::GrpcXdsTransport(
       key_(server.Key()) {
   GRPC_TRACE_LOG(xds_client, INFO)
       << "[GrpcXdsTransport " << this << "] created";
-  channel_ = CreateXdsChannel(factory_->args_,
-                              DownCast<const GrpcXdsServerInterface&>(server));
+  channel_ =
+      CreateXdsChannel(factory_->args_, *factory_->certificate_provider_store_,
+                       DownCast<const GrpcXdsServerInterface&>(server));
   GRPC_CHECK(channel_ != nullptr);
   if (channel_->IsLame()) {
     *status = absl::UnavailableError("xds client has a lame channel");
@@ -374,8 +377,11 @@ ChannelArgs ModifyChannelArgs(const ChannelArgs& args) {
 
 }  // namespace
 
-GrpcXdsTransportFactory::GrpcXdsTransportFactory(const ChannelArgs& args)
+GrpcXdsTransportFactory::GrpcXdsTransportFactory(
+    const ChannelArgs& args,
+    RefCountedPtr<CertificateProviderStoreInterface> certificate_provider_store)
     : args_(ModifyChannelArgs(args)),
+      certificate_provider_store_(std::move(certificate_provider_store)),
       interested_parties_(grpc_pollset_set_create()) {
   // Calling grpc_init to ensure gRPC does not shut down until the XdsClient is
   // destroyed.

data/src/core/xds/grpc/xds_transport_grpc.h

@@ -34,6 +34,7 @@
 #include "src/core/util/orphanable.h"
 #include "src/core/util/ref_counted_ptr.h"
 #include "src/core/util/sync.h"
+#include "src/core/xds/grpc/certificate_provider_store_interface.h"
 #include "src/core/xds/xds_client/xds_bootstrap.h"
 #include "src/core/xds/xds_client/xds_transport.h"
 #include "absl/container/flat_hash_map.h"
@@ -45,7 +46,9 @@ class GrpcXdsTransportFactory final : public XdsTransportFactory {
  public:
   class GrpcXdsTransport;
 
-  explicit GrpcXdsTransportFactory(const ChannelArgs& args);
+  GrpcXdsTransportFactory(const ChannelArgs& args,
+                          RefCountedPtr<CertificateProviderStoreInterface>
+                              certificate_provider_store);
   ~GrpcXdsTransportFactory() override;
 
   void Orphaned() override {}
@@ -58,6 +61,7 @@ class GrpcXdsTransportFactory final : public XdsTransportFactory {
 
  private:
   ChannelArgs args_;
+  RefCountedPtr<CertificateProviderStoreInterface> certificate_provider_store_;
   grpc_pollset_set* interested_parties_;
 
   Mutex mu_;

data/src/ruby/ext/grpc/rb_grpc_imports.generated.c

@@ -76,18 +76,19 @@ grpc_alts_server_credentials_create_type grpc_alts_server_credentials_create_imp
 grpc_tls_identity_pairs_create_type grpc_tls_identity_pairs_create_import;
 grpc_tls_identity_pairs_add_pair_type grpc_tls_identity_pairs_add_pair_import;
 grpc_tls_identity_pairs_destroy_type grpc_tls_identity_pairs_destroy_import;
-grpc_tls_certificate_provider_static_data_create_type grpc_tls_certificate_provider_static_data_create_import;
 grpc_tls_certificate_provider_file_watcher_create_type grpc_tls_certificate_provider_file_watcher_create_import;
+grpc_tls_certificate_provider_in_memory_create_type grpc_tls_certificate_provider_in_memory_create_import;
+grpc_tls_certificate_provider_in_memory_set_root_certificate_type grpc_tls_certificate_provider_in_memory_set_root_certificate_import;
+grpc_tls_certificate_provider_in_memory_set_identity_certificate_type grpc_tls_certificate_provider_in_memory_set_identity_certificate_import;
 grpc_tls_certificate_provider_release_type grpc_tls_certificate_provider_release_import;
 grpc_tls_credentials_options_create_type grpc_tls_credentials_options_create_import;
 grpc_tls_credentials_options_set_min_tls_version_type grpc_tls_credentials_options_set_min_tls_version_import;
 grpc_tls_credentials_options_set_max_tls_version_type grpc_tls_credentials_options_set_max_tls_version_import;
 grpc_tls_credentials_options_copy_type grpc_tls_credentials_options_copy_import;
 grpc_tls_credentials_options_destroy_type grpc_tls_credentials_options_destroy_import;
-grpc_tls_credentials_options_set_certificate_provider_type grpc_tls_credentials_options_set_certificate_provider_import;
-grpc_tls_credentials_options_watch_root_certs_type grpc_tls_credentials_options_watch_root_certs_import;
+grpc_tls_credentials_options_set_identity_certificate_provider_type grpc_tls_credentials_options_set_identity_certificate_provider_import;
+grpc_tls_credentials_options_set_root_certificate_provider_type grpc_tls_credentials_options_set_root_certificate_provider_import;
 grpc_tls_credentials_options_set_root_cert_name_type grpc_tls_credentials_options_set_root_cert_name_import;
-grpc_tls_credentials_options_watch_identity_key_cert_pairs_type grpc_tls_credentials_options_watch_identity_key_cert_pairs_import;
 grpc_tls_credentials_options_set_identity_cert_name_type grpc_tls_credentials_options_set_identity_cert_name_import;
 grpc_tls_credentials_options_set_cert_request_type_type grpc_tls_credentials_options_set_cert_request_type_import;
 grpc_tls_credentials_options_set_crl_directory_type grpc_tls_credentials_options_set_crl_directory_import;
@@ -175,6 +176,7 @@ grpc_resource_quota_ref_type grpc_resource_quota_ref_import;
 grpc_resource_quota_unref_type grpc_resource_quota_unref_import;
 grpc_resource_quota_resize_type grpc_resource_quota_resize_import;
 grpc_resource_quota_set_max_threads_type grpc_resource_quota_set_max_threads_import;
+grpc_resource_quota_set_max_outstanding_streams_type grpc_resource_quota_set_max_outstanding_streams_import;
 grpc_dump_xds_configs_type grpc_dump_xds_configs_import;
 grpc_resource_quota_arg_vtable_type grpc_resource_quota_arg_vtable_import;
 grpc_channelz_get_top_channels_type grpc_channelz_get_top_channels_import;
@@ -362,18 +364,19 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_tls_identity_pairs_create_import = (grpc_tls_identity_pairs_create_type) GetProcAddress(library, "grpc_tls_identity_pairs_create");
   grpc_tls_identity_pairs_add_pair_import = (grpc_tls_identity_pairs_add_pair_type) GetProcAddress(library, "grpc_tls_identity_pairs_add_pair");
   grpc_tls_identity_pairs_destroy_import = (grpc_tls_identity_pairs_destroy_type) GetProcAddress(library, "grpc_tls_identity_pairs_destroy");
-  grpc_tls_certificate_provider_static_data_create_import = (grpc_tls_certificate_provider_static_data_create_type) GetProcAddress(library, "grpc_tls_certificate_provider_static_data_create");
   grpc_tls_certificate_provider_file_watcher_create_import = (grpc_tls_certificate_provider_file_watcher_create_type) GetProcAddress(library, "grpc_tls_certificate_provider_file_watcher_create");
+  grpc_tls_certificate_provider_in_memory_create_import = (grpc_tls_certificate_provider_in_memory_create_type) GetProcAddress(library, "grpc_tls_certificate_provider_in_memory_create");
+  grpc_tls_certificate_provider_in_memory_set_root_certificate_import = (grpc_tls_certificate_provider_in_memory_set_root_certificate_type) GetProcAddress(library, "grpc_tls_certificate_provider_in_memory_set_root_certificate");
+  grpc_tls_certificate_provider_in_memory_set_identity_certificate_import = (grpc_tls_certificate_provider_in_memory_set_identity_certificate_type) GetProcAddress(library, "grpc_tls_certificate_provider_in_memory_set_identity_certificate");
   grpc_tls_certificate_provider_release_import = (grpc_tls_certificate_provider_release_type) GetProcAddress(library, "grpc_tls_certificate_provider_release");
   grpc_tls_credentials_options_create_import = (grpc_tls_credentials_options_create_type) GetProcAddress(library, "grpc_tls_credentials_options_create");
   grpc_tls_credentials_options_set_min_tls_version_import = (grpc_tls_credentials_options_set_min_tls_version_type) GetProcAddress(library, "grpc_tls_credentials_options_set_min_tls_version");
   grpc_tls_credentials_options_set_max_tls_version_import = (grpc_tls_credentials_options_set_max_tls_version_type) GetProcAddress(library, "grpc_tls_credentials_options_set_max_tls_version");
   grpc_tls_credentials_options_copy_import = (grpc_tls_credentials_options_copy_type) GetProcAddress(library, "grpc_tls_credentials_options_copy");
   grpc_tls_credentials_options_destroy_import = (grpc_tls_credentials_options_destroy_type) GetProcAddress(library, "grpc_tls_credentials_options_destroy");
-  grpc_tls_credentials_options_set_certificate_provider_import = (grpc_tls_credentials_options_set_certificate_provider_type) GetProcAddress(library, "grpc_tls_credentials_options_set_certificate_provider");
-  grpc_tls_credentials_options_watch_root_certs_import = (grpc_tls_credentials_options_watch_root_certs_type) GetProcAddress(library, "grpc_tls_credentials_options_watch_root_certs");
+  grpc_tls_credentials_options_set_identity_certificate_provider_import = (grpc_tls_credentials_options_set_identity_certificate_provider_type) GetProcAddress(library, "grpc_tls_credentials_options_set_identity_certificate_provider");
+  grpc_tls_credentials_options_set_root_certificate_provider_import = (grpc_tls_credentials_options_set_root_certificate_provider_type) GetProcAddress(library, "grpc_tls_credentials_options_set_root_certificate_provider");
   grpc_tls_credentials_options_set_root_cert_name_import = (grpc_tls_credentials_options_set_root_cert_name_type) GetProcAddress(library, "grpc_tls_credentials_options_set_root_cert_name");
-  grpc_tls_credentials_options_watch_identity_key_cert_pairs_import = (grpc_tls_credentials_options_watch_identity_key_cert_pairs_type) GetProcAddress(library, "grpc_tls_credentials_options_watch_identity_key_cert_pairs");
   grpc_tls_credentials_options_set_identity_cert_name_import = (grpc_tls_credentials_options_set_identity_cert_name_type) GetProcAddress(library, "grpc_tls_credentials_options_set_identity_cert_name");
   grpc_tls_credentials_options_set_cert_request_type_import = (grpc_tls_credentials_options_set_cert_request_type_type) GetProcAddress(library, "grpc_tls_credentials_options_set_cert_request_type");
   grpc_tls_credentials_options_set_crl_directory_import = (grpc_tls_credentials_options_set_crl_directory_type) GetProcAddress(library, "grpc_tls_credentials_options_set_crl_directory");
@@ -461,6 +464,7 @@ void grpc_rb_load_imports(HMODULE library) {
   grpc_resource_quota_unref_import = (grpc_resource_quota_unref_type) GetProcAddress(library, "grpc_resource_quota_unref");
   grpc_resource_quota_resize_import = (grpc_resource_quota_resize_type) GetProcAddress(library, "grpc_resource_quota_resize");
   grpc_resource_quota_set_max_threads_import = (grpc_resource_quota_set_max_threads_type) GetProcAddress(library, "grpc_resource_quota_set_max_threads");
+  grpc_resource_quota_set_max_outstanding_streams_import = (grpc_resource_quota_set_max_outstanding_streams_type) GetProcAddress(library, "grpc_resource_quota_set_max_outstanding_streams");
   grpc_dump_xds_configs_import = (grpc_dump_xds_configs_type) GetProcAddress(library, "grpc_dump_xds_configs");
   grpc_resource_quota_arg_vtable_import = (grpc_resource_quota_arg_vtable_type) GetProcAddress(library, "grpc_resource_quota_arg_vtable");
   grpc_channelz_get_top_channels_import = (grpc_channelz_get_top_channels_type) GetProcAddress(library, "grpc_channelz_get_top_channels");

data/src/ruby/ext/grpc/rb_grpc_imports.generated.h

@@ -204,12 +204,18 @@ extern grpc_tls_identity_pairs_add_pair_type grpc_tls_identity_pairs_add_pair_im
 typedef void(*grpc_tls_identity_pairs_destroy_type)(grpc_tls_identity_pairs* pairs);
 extern grpc_tls_identity_pairs_destroy_type grpc_tls_identity_pairs_destroy_import;
 #define grpc_tls_identity_pairs_destroy grpc_tls_identity_pairs_destroy_import
-typedef grpc_tls_certificate_provider*(*grpc_tls_certificate_provider_static_data_create_type)(const char* root_certificate, grpc_tls_identity_pairs* pem_key_cert_pairs);
-extern grpc_tls_certificate_provider_static_data_create_type grpc_tls_certificate_provider_static_data_create_import;
-#define grpc_tls_certificate_provider_static_data_create grpc_tls_certificate_provider_static_data_create_import
 typedef grpc_tls_certificate_provider*(*grpc_tls_certificate_provider_file_watcher_create_type)(const char* private_key_path, const char* identity_certificate_path, const char* root_cert_path, const char* spiffe_bundle_map_path, unsigned int refresh_interval_sec);
 extern grpc_tls_certificate_provider_file_watcher_create_type grpc_tls_certificate_provider_file_watcher_create_import;
 #define grpc_tls_certificate_provider_file_watcher_create grpc_tls_certificate_provider_file_watcher_create_import
+typedef grpc_tls_certificate_provider*(*grpc_tls_certificate_provider_in_memory_create_type)();
+extern grpc_tls_certificate_provider_in_memory_create_type grpc_tls_certificate_provider_in_memory_create_import;
+#define grpc_tls_certificate_provider_in_memory_create grpc_tls_certificate_provider_in_memory_create_import
+typedef bool(*grpc_tls_certificate_provider_in_memory_set_root_certificate_type)(grpc_tls_certificate_provider* provider, const char* root_cert);
+extern grpc_tls_certificate_provider_in_memory_set_root_certificate_type grpc_tls_certificate_provider_in_memory_set_root_certificate_import;
+#define grpc_tls_certificate_provider_in_memory_set_root_certificate grpc_tls_certificate_provider_in_memory_set_root_certificate_import
+typedef bool(*grpc_tls_certificate_provider_in_memory_set_identity_certificate_type)(grpc_tls_certificate_provider* provider, grpc_tls_identity_pairs* pem_key_cert_pairs);
+extern grpc_tls_certificate_provider_in_memory_set_identity_certificate_type grpc_tls_certificate_provider_in_memory_set_identity_certificate_import;
+#define grpc_tls_certificate_provider_in_memory_set_identity_certificate grpc_tls_certificate_provider_in_memory_set_identity_certificate_import
 typedef void(*grpc_tls_certificate_provider_release_type)(grpc_tls_certificate_provider* provider);
 extern grpc_tls_certificate_provider_release_type grpc_tls_certificate_provider_release_import;
 #define grpc_tls_certificate_provider_release grpc_tls_certificate_provider_release_import
@@ -228,18 +234,15 @@ extern grpc_tls_credentials_options_copy_type grpc_tls_credentials_options_copy_
 typedef void(*grpc_tls_credentials_options_destroy_type)(grpc_tls_credentials_options* options);
 extern grpc_tls_credentials_options_destroy_type grpc_tls_credentials_options_destroy_import;
 #define grpc_tls_credentials_options_destroy grpc_tls_credentials_options_destroy_import
-typedef void(*grpc_tls_credentials_options_set_certificate_provider_type)(grpc_tls_credentials_options* options, grpc_tls_certificate_provider* provider);
-extern grpc_tls_credentials_options_set_certificate_provider_type grpc_tls_credentials_options_set_certificate_provider_import;
-#define grpc_tls_credentials_options_set_certificate_provider grpc_tls_credentials_options_set_certificate_provider_import
-typedef void(*grpc_tls_credentials_options_watch_root_certs_type)(grpc_tls_credentials_options* options);
-extern grpc_tls_credentials_options_watch_root_certs_type grpc_tls_credentials_options_watch_root_certs_import;
-#define grpc_tls_credentials_options_watch_root_certs grpc_tls_credentials_options_watch_root_certs_import
+typedef void(*grpc_tls_credentials_options_set_identity_certificate_provider_type)(grpc_tls_credentials_options* options, grpc_tls_certificate_provider* provider);
+extern grpc_tls_credentials_options_set_identity_certificate_provider_type grpc_tls_credentials_options_set_identity_certificate_provider_import;
+#define grpc_tls_credentials_options_set_identity_certificate_provider grpc_tls_credentials_options_set_identity_certificate_provider_import
+typedef void(*grpc_tls_credentials_options_set_root_certificate_provider_type)(grpc_tls_credentials_options* options, grpc_tls_certificate_provider* provider);
+extern grpc_tls_credentials_options_set_root_certificate_provider_type grpc_tls_credentials_options_set_root_certificate_provider_import;
+#define grpc_tls_credentials_options_set_root_certificate_provider grpc_tls_credentials_options_set_root_certificate_provider_import
 typedef void(*grpc_tls_credentials_options_set_root_cert_name_type)(grpc_tls_credentials_options* options, const char* root_cert_name);
 extern grpc_tls_credentials_options_set_root_cert_name_type grpc_tls_credentials_options_set_root_cert_name_import;
 #define grpc_tls_credentials_options_set_root_cert_name grpc_tls_credentials_options_set_root_cert_name_import
-typedef void(*grpc_tls_credentials_options_watch_identity_key_cert_pairs_type)(grpc_tls_credentials_options* options);
-extern grpc_tls_credentials_options_watch_identity_key_cert_pairs_type grpc_tls_credentials_options_watch_identity_key_cert_pairs_import;
-#define grpc_tls_credentials_options_watch_identity_key_cert_pairs grpc_tls_credentials_options_watch_identity_key_cert_pairs_import
 typedef void(*grpc_tls_credentials_options_set_identity_cert_name_type)(grpc_tls_credentials_options* options, const char* identity_cert_name);
 extern grpc_tls_credentials_options_set_identity_cert_name_type grpc_tls_credentials_options_set_identity_cert_name_import;
 #define grpc_tls_credentials_options_set_identity_cert_name grpc_tls_credentials_options_set_identity_cert_name_import
@@ -501,6 +504,9 @@ extern grpc_resource_quota_resize_type grpc_resource_quota_resize_import;
 typedef void(*grpc_resource_quota_set_max_threads_type)(grpc_resource_quota* resource_quota, int new_max_threads);
 extern grpc_resource_quota_set_max_threads_type grpc_resource_quota_set_max_threads_import;
 #define grpc_resource_quota_set_max_threads grpc_resource_quota_set_max_threads_import
+typedef void(*grpc_resource_quota_set_max_outstanding_streams_type)(grpc_resource_quota* resource_quota, int new_max_outstanding_streams);
+extern grpc_resource_quota_set_max_outstanding_streams_type grpc_resource_quota_set_max_outstanding_streams_import;
+#define grpc_resource_quota_set_max_outstanding_streams grpc_resource_quota_set_max_outstanding_streams_import
 typedef grpc_slice(*grpc_dump_xds_configs_type)(void);
 extern grpc_dump_xds_configs_type grpc_dump_xds_configs_import;
 #define grpc_dump_xds_configs grpc_dump_xds_configs_import