From afea969b8a8eef25a48bd8def90efb4aa36c81de Mon Sep 17 00:00:00 2001 From: Erik Engberg Date: Mon, 15 Jun 2026 17:10:27 +0200 Subject: [PATCH] fix xds credentials being silently ignored (#566) * fix xds credentials being silently ignored Fixes #565 * Apply suggestion from @dragonsinth Co-authored-by: Scott Blum --------- Co-authored-by: Scott Blum --- grpcurl.go | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/grpcurl.go b/grpcurl.go index 0fcaf54..c5625b1 100644 --- a/grpcurl.go +++ b/grpcurl.go @@ -614,8 +614,8 @@ func BlockingDial(ctx context.Context, network, address string, creds credential } var err error - if strings.HasPrefix(address, "xds:///") { - // The xds:/// prefix is used to signal to the gRPC client to use an xDS server to resolve the + if strings.HasPrefix(address, "xds://") { + // The xds:// prefix is used to signal to the gRPC client to use an xDS server to resolve the // target. The relevant credentials will be automatically pulled from the GRPC_XDS_BOOTSTRAP or // GRPC_XDS_BOOTSTRAP_CONFIG env vars. creds, err = xdsCredentials.NewClientCredentials(xdsCredentials.ClientOptions{FallbackCreds: creds}) @@ -753,3 +753,18 @@ func (c *errSignalingConn) Read(b []byte) (int, error) { } return n, err } + +// UsesXDS forwards the optional UsesXDS marker of the wrapped credentials. The +// xDS credentials returned for "xds://" targets implement this method, and +// grpc-go's cds balancer relies on a type assertion for it to decide whether to +// apply the security configuration (e.g. UpstreamTlsContext) delivered by the +// management server. Because errSignalingCreds embeds the TransportCredentials +// interface, that extra method is not promoted automatically, so we forward it +// explicitly. Without this, xDS-supplied mTLS is silently ignored and the +// connection falls back to the plain credentials. +func (c *errSignalingCreds) UsesXDS() bool { + if x, ok := c.TransportCredentials.(interface{ UsesXDS() bool }); ok { + return x.UsesXDS() + } + return false +}