fix xds credentials being silently ignored (#566)

* fix xds credentials being silently ignored Fixes #565 * Apply suggestion from @dragonsinth Co-authored-by: Scott Blum <dragonsinth@gmail.com> --------- Co-authored-by: Scott Blum <dragonsinth@gmail.com>
2026-06-17 08:28:30 +03:00 · 2026-06-15 17:10:27 +02:00
parent 4ea1554ec7
commit afea969b8a
1 changed files with 17 additions and 2 deletions
--- a/grpcurl.go
+++ b/grpcurl.go
@@ -614,8 +614,8 @@ func BlockingDial(ctx context.Context, network, address string, creds credential
 	}

 	var err error
-	if strings.HasPrefix(address, "xds:///") {
-		// The xds:/// prefix is used to signal to the gRPC client to use an xDS server to resolve the
+	if strings.HasPrefix(address, "xds://") {
+		// The xds:// prefix is used to signal to the gRPC client to use an xDS server to resolve the
 		// target. The relevant credentials will be automatically pulled from the GRPC_XDS_BOOTSTRAP or
 		// GRPC_XDS_BOOTSTRAP_CONFIG env vars.
 		creds, err = xdsCredentials.NewClientCredentials(xdsCredentials.ClientOptions{FallbackCreds: creds})
@@ -753,3 +753,18 @@ func (c *errSignalingConn) Read(b []byte) (int, error) {
 	}
 	return n, err
 }
+
+// UsesXDS forwards the optional UsesXDS marker of the wrapped credentials. The
+// xDS credentials returned for "xds://" targets implement this method, and
+// grpc-go's cds balancer relies on a type assertion for it to decide whether to
+// apply the security configuration (e.g. UpstreamTlsContext) delivered by the
+// management server. Because errSignalingCreds embeds the TransportCredentials
+// interface, that extra method is not promoted automatically, so we forward it
+// explicitly. Without this, xDS-supplied mTLS is silently ignored and the
+// connection falls back to the plain credentials.
+func (c *errSignalingCreds) UsesXDS() bool {
+	if x, ok := c.TransportCredentials.(interface{ UsesXDS() bool }); ok {
+		return x.UsesXDS()
+	}
+	return false
+}