Skip to content

fix: Create a single S2AChannelCredentials per application #3989

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
rmehta19 wants to merge 16 commits into
base: main
Choose a base branch
from
+93 −35
Open

fix: Create a single S2AChannelCredentials per application #3989

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
8ddbe44
Single S2AChannelCredentials + use AdvancedTls.
rmehta19 Nov 14, 2025
e35914f
add comment.
rmehta19 Nov 14, 2025
217737b
address comments.
rmehta19 Dec 5, 2025
5f52e87
correct variable name.
rmehta19 Dec 5, 2025
b3d457b
Merge branch 'main' into singe-channel-creds
rmehta19 Dec 5, 2025
953e1a0
move adv tls changes to another PR.
rmehta19 Dec 5, 2025
53b8b84
reduce nesting.
rmehta19 Jan 5, 2026
6b047ae
add comment.
rmehta19 Jan 5, 2026
075db93
don't catch exception that's not thrown.
rmehta19 Jan 5, 2026
3266899
reset.
rmehta19 Jan 6, 2026
5aba3fc
format.
rmehta19 Jan 6, 2026
fc107a5
Merge branch 'main' into singe-channel-creds
rmehta19 Jan 6, 2026
c7536e6
package private.
rmehta19 Jan 7, 2026
71335fc
rename.
rmehta19 Jan 7, 2026
77303c9
rename s2aChannelCredentials.
rmehta19 Jan 8, 2026
8930b06
add test.
rmehta19 Jan 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
104 changes: 69 additions & 35 deletions ...java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,23 @@ public final class InstantiatingGrpcChannelProvider implements TransportChannelP
@Nullable
private final ApiFunction<ManagedChannelBuilder, ManagedChannelBuilder> channelConfigurator;

// This is initialized once for the lifetime of the application. This enables re-using
// channels to S2A.
private static volatile ChannelCredentials s2aChannelCredentials;

/**
* Resets the s2aChannelCredentials of the {@link InstantiatingGrpcChannelProvider} class for
* testing purposes.
*
* <p>This should only be called from tests.
*/
@VisibleForTesting
static void resetS2AChannelCredentials() {
synchronized (InstantiatingGrpcChannelProvider.class) {
s2aChannelCredentials = null;
}
}

/*
* Experimental feature
*
Expand Down Expand Up @@ -595,43 +612,60 @@ ChannelCredentials createPlaintextToS2AChannelCredentials(String plaintextAddres
* @return {@link ChannelCredentials} configured to use S2A to create mTLS connection.
*/
ChannelCredentials createS2ASecuredChannelCredentials() {
SecureSessionAgentConfig config = s2aConfigProvider.getConfig();
String plaintextAddress = config.getPlaintextAddress();
String mtlsAddress = config.getMtlsAddress();
if (Strings.isNullOrEmpty(mtlsAddress)) {
// Fallback to plaintext connection to S2A.
LOG.log(
Level.INFO,
"Cannot establish an mTLS connection to S2A because autoconfig endpoint did not return a mtls address to reach S2A.");
return createPlaintextToS2AChannelCredentials(plaintextAddress);
}
// Currently, MTLS to MDS is only available on GCE. See:
// https://cloud.google.com/compute/docs/metadata/overview#https-mds
// Try to load MTLS-MDS creds.
File rootFile = new File(MTLS_MDS_ROOT_PATH);
File certKeyFile = new File(MTLS_MDS_CERT_CHAIN_AND_KEY_PATH);
if (rootFile.isFile() && certKeyFile.isFile()) {
// Try to connect to S2A using mTLS.
ChannelCredentials mtlsToS2AChannelCredentials = null;
try {
mtlsToS2AChannelCredentials =
createMtlsToS2AChannelCredentials(rootFile, certKeyFile, certKeyFile);
} catch (IOException ignore) {
// Fallback to plaintext-to-S2A connection on error.
LOG.log(
Level.WARNING,
"Cannot establish an mTLS connection to S2A due to error creating MTLS to MDS TlsChannelCredentials credentials, falling back to plaintext connection to S2A: "
+ ignore.getMessage());
return createPlaintextToS2AChannelCredentials(plaintextAddress);
if (s2aChannelCredentials == null) {
// s2aChannelCredentials is initialized once and shared by all instances of the class.
// To prevent a race on initialization, the object initialization is synchronized on the class
// object.
synchronized (InstantiatingGrpcChannelProvider.class) {
if (s2aChannelCredentials != null) {
return s2aChannelCredentials;
}
SecureSessionAgentConfig config = s2aConfigProvider.getConfig();
String plaintextAddress = config.getPlaintextAddress();
String mtlsAddress = config.getMtlsAddress();
if (Strings.isNullOrEmpty(mtlsAddress)) {
// Fallback to plaintext connection to S2A.
LOG.log(
Level.INFO,
"Cannot establish an mTLS connection to S2A because autoconfig endpoint did not return a mtls address to reach S2A.");
s2aChannelCredentials = createPlaintextToS2AChannelCredentials(plaintextAddress);
return s2aChannelCredentials;
}
// Currently, MTLS to MDS is only available on GCE. See:
// https://cloud.google.com/compute/docs/metadata/overview#https-mds
// Try to load MTLS-MDS creds.
File rootFile = new File(MTLS_MDS_ROOT_PATH);
File certKeyFile = new File(MTLS_MDS_CERT_CHAIN_AND_KEY_PATH);
if (rootFile.isFile() && certKeyFile.isFile()) {
// Try to connect to S2A using mTLS.
ChannelCredentials mtlsToS2AChannelCredentials = null;
try {
mtlsToS2AChannelCredentials =
createMtlsToS2AChannelCredentials(rootFile, certKeyFile, certKeyFile);
} catch (IOException ignore) {
// Fallback to plaintext-to-S2A connection on error.
LOG.log(
Level.WARNING,
"Cannot establish an mTLS connection to S2A due to error creating MTLS to MDS TlsChannelCredentials credentials, falling back to plaintext connection to S2A: "
+ ignore.getMessage());
s2aChannelCredentials = createPlaintextToS2AChannelCredentials(plaintextAddress);
return s2aChannelCredentials;
}
s2aChannelCredentials =
buildS2AChannelCredentials(mtlsAddress, mtlsToS2AChannelCredentials);
return s2aChannelCredentials;
} else {
// Fallback to plaintext-to-S2A connection if MTLS-MDS creds do not exist.
LOG.log(
Level.INFO,
"Cannot establish an mTLS connection to S2A because MTLS to MDS credentials do not"
+ " exist on filesystem, falling back to plaintext connection to S2A");
s2aChannelCredentials = createPlaintextToS2AChannelCredentials(plaintextAddress);
return s2aChannelCredentials;
}
}
return buildS2AChannelCredentials(mtlsAddress, mtlsToS2AChannelCredentials);
} else {
// Fallback to plaintext-to-S2A connection if MTLS-MDS creds do not exist.
LOG.log(
Level.INFO,
"Cannot establish an mTLS connection to S2A because MTLS to MDS credentials do not exist on filesystem, falling back to plaintext connection to S2A");
return createPlaintextToS2AChannelCredentials(plaintextAddress);
}
return s2aChannelCredentials;
}

private ManagedChannel createSingleChannel() throws IOException {
Expand Down
24 changes: 24 additions & 0 deletions .../gax-grpc/src/test/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProviderTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1155,6 +1155,7 @@ void createS2ASecuredChannelCredentials_bothS2AAddressesNull_returnsNull() {
.setS2AConfigProvider(s2aConfigProvider)
.build();
assertThat(provider.createS2ASecuredChannelCredentials()).isNull();
InstantiatingGrpcChannelProvider.resetS2AChannelCredentials();
}

@Test
Expand All @@ -1175,6 +1176,28 @@ void createS2ASecuredChannelCredentials_bothS2AAddressesNull_returnsNull() {
.contains(
"Cannot establish an mTLS connection to S2A because autoconfig endpoint did not return a mtls address to reach S2A.");
InstantiatingGrpcChannelProvider.LOG.removeHandler(logHandler);
InstantiatingGrpcChannelProvider.resetS2AChannelCredentials();
}

@Test
void
createTwoS2ASecuredChannelCredentials_mtlsS2AAddressNull_returnsSamePlaintextToS2AS2AChannelCredentials() {
SecureSessionAgent s2aConfigProvider = Mockito.mock(SecureSessionAgent.class);
SecureSessionAgentConfig config =
SecureSessionAgentConfig.createBuilder().setPlaintextAddress("localhost:8080").build();
Mockito.when(s2aConfigProvider.getConfig()).thenReturn(config);
InstantiatingGrpcChannelProvider provider =
InstantiatingGrpcChannelProvider.newBuilder()
.setS2AConfigProvider(s2aConfigProvider)
.build();
assertThat(provider.createS2ASecuredChannelCredentials()).isNotNull();
InstantiatingGrpcChannelProvider provider2 =
InstantiatingGrpcChannelProvider.newBuilder()
.setS2AConfigProvider(s2aConfigProvider)
.build();
assertThat(provider2.createS2ASecuredChannelCredentials()).isNotNull();
assertEquals(provider, provider2);
InstantiatingGrpcChannelProvider.resetS2AChannelCredentials();
}

@Test
Expand All @@ -1197,6 +1220,7 @@ void createS2ASecuredChannelCredentials_returnsPlaintextToS2AS2AChannelCredentia
.contains(
"Cannot establish an mTLS connection to S2A because MTLS to MDS credentials do not exist on filesystem, falling back to plaintext connection to S2A");
InstantiatingGrpcChannelProvider.LOG.removeHandler(logHandler);
InstantiatingGrpcChannelProvider.resetS2AChannelCredentials();
}

@Test
Expand Down
Loading