func CreateDownstreamTLSContext()

in grpc-xds/control-plane-go/pkg/xds/tls/downstream_tls_context.go [26:74]


// CreateDownstreamTLSContext builds the server-side (downstream) TLS context
// for an xDS listener, configured for both gRPC xDS clients and Envoy.
//
// The server certificate is supplied twice: via the certificate provider
// instance (consumed by gRPC, gRFC A29) and via an SDS secret named
// "downstream_cert" (consumed by Envoy). When requireClientCerts is true the
// context additionally sets `require_client_certificate` and a combined
// validation context that names the root CA for both gRPC
// (certificate provider instance) and Envoy (SDS secret "downstream_validation").
// When requireClientCerts is false neither field is set, so the returned
// context terminates TLS without authenticating the peer.
func CreateDownstreamTLSContext(requireClientCerts bool) *tlsv3.DownstreamTlsContext {
	commonCtx := &tlsv3.CommonTlsContext{
		// gRPC xDS ignores AlpnProtocols (gRFC A29); Envoy still expects it.
		AlpnProtocols: []string{"h2"},
		// Server certificate for gRPC servers (certificate provider framework).
		// The certificate name mirrors Traffic Director's value but is ignored
		// by gRPC per gRFC A29.
		TlsCertificateProviderInstance: &tlsv3.CertificateProviderPluginInstance{
			InstanceName:    certificateProviderInstanceName,
			CertificateName: "DEFAULT",
		},
		// Server certificate for Envoy; the name must match the entry in
		// Envoy's static_resources.secrets.
		TlsCertificateSdsSecretConfigs: []*tlsv3.SdsSecretConfig{
			{Name: "downstream_cert"},
		},
	}

	ctx := &tlsv3.DownstreamTlsContext{CommonTlsContext: commonCtx}
	if !requireClientCerts {
		// Server-only TLS: no client certificate is requested or validated.
		return ctx
	}

	// `require_client_certificate: true` is only valid alongside a
	// `validation_context`, which mtlsValidationContext supplies.
	ctx.RequireClientCertificate = wrapperspb.Bool(true)
	commonCtx.ValidationContextType = mtlsValidationContext()
	return ctx
}

// mtlsValidationContext returns the combined validation context used to
// validate client certificates. gRFC A29 allows either `validation_context`
// or `combined_validation_context.default_validation_context`; the combined
// form lets one resource carry both the gRPC and the Envoy configuration.
func mtlsValidationContext() *tlsv3.CommonTlsContext_CombinedValidationContext {
	// gRPC: root CA via the xDS certificate provider framework. The
	// certificate name mirrors Traffic Director's value but is ignored by
	// gRPC, see gRFC A29.
	grpcRoots := &tlsv3.CertificateValidationContext{
		CaCertificateProviderInstance: &tlsv3.CertificateProviderPluginInstance{
			InstanceName:    certificateProviderInstanceName,
			CertificateName: "ROOTCA",
		},
	}
	// Envoy: root CA via a static SDS secret; the name must match the entry
	// in Envoy's static_resources.secrets. See
	// https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret
	envoyRoots := &tlsv3.SdsSecretConfig{Name: "downstream_validation"}

	return &tlsv3.CommonTlsContext_CombinedValidationContext{
		CombinedValidationContext: &tlsv3.CommonTlsContext_CombinedCertificateValidationContext{
			DefaultValidationContext:         grpcRoots,
			ValidationContextSdsSecretConfig: envoyRoots,
		},
	}
}