xds: Remove isXdsSniEnabled and align SNI logic with gRFC A101#12625
xds: Remove isXdsSniEnabled and align SNI logic with gRFC A101#12625kannanjgithub merged 2 commits intogrpc:masterfrom
Conversation
Remove the isXdsSniEnabled environment variable guard and the legacy logic that falls back to the channel authority for SNI. This aligns the implementation with gRFC A101, ensuring no SNI is sent if it is not explicitly determined by xDS configurations. Update the test suite by removing the isXdsSniEnabled flag and deleting test case that specifically verified behavior when the flag was set to false. Additionally, add a new test case to verify that SNI is omitted when none of the A101 conditions are met, ensuring the SNI field is not sent in the TLS handshake. Ref grpc#11784
becomeStar
changed the title
| sniToUse = grpcHandler.getAuthority(); | ||
| } else { | ||
| autoSniSanValidationDoesNotApply = false; | ||
| sniToUse = ""; |
There was a problem hiding this comment.
This assignment is redundant.
There was a problem hiding this comment.
Thanks for the review.
I’ve updated the change to remove the empty-string SNI handling and the associated test. It seemed that treating an empty string as a special case was no longer necessary, so I simplified the logic accordingly.
Please let me know if this looks reasonable to you.
There was a problem hiding this comment.
About the description, it mentions that is removing the fallback logic to the channel authoriy if the SNI isn't determined by the XDS configs. The reference to fallback sounds like the env guard GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE. We are not removing this one yet. The flag GRPC_EXPERIMENTAL_XDS_SNI usage you have removed is for determining SNI using XDS configs at all times from now on. Can you edit the description to be more accurate?
There was a problem hiding this comment.
Thanks for pointing that out.
I've updated the PR description to clarify that this change removes the
experimental xDS SNI guard and does not remove the
GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLE fallback.
Remove handling that propagated an empty string as SNI when no SNI conditions were met. With the legacy authority-based fallback removed, omitting SNI is the intended behavior under gRFC A101. Relying on an empty string as an intermediate representation is unnecessary and couples behavior to an internal detail. This also removes a test that asserted the empty-string SNI, as it no longer reflects a stable or observable contract.
kannanjgithub
added
the
kokoro:run
|
/gcbrun |
grpc-kokoro
removed
the
kokoro:run
3 participants
Description
Remove the
isXdsSniEnabled(GRPC_EXPERIMENTAL_XDS_SNI) guard so that SNI determination via xDS is always enabled. This aligns the behavior withgRFC A101, where SNI is determined by xDS configurations such as
auto_host_sniorUpstreamTlsContext.sni, without relying on anexperimental toggle.
This change does not remove the
GRPC_USE_CHANNEL_AUTHORITY_IF_NO_SNI_APPLICABLEfallback logic, which remains unchanged.Changes
isXdsSniEnabledflag and the related conditional logic.experimental flag was disabled, since the flag is no longer supported.
Note for Reviewers
Some test files show large diffs because of re-indentation after removing
try-finallyblocks (since theisXdsSniEnabledflag is no longer needed).I recommend reviewing these files with the 'Hide whitespace changes'
option enabled.
Ref #11784