Conversation

@rmehta19 rmehta19 commented Oct 29, 2024

Modify the Client Libraries gRPC Channel builder to use mTLS via S2A if the experimental environment variable is set, S2A is available (We check this by using utility added in googleapis/google-auth-library-java#1400), and a few more conditions (see shouldUseS2A).

Following https://google.aip.dev/auth/4115, only attempt to use S2A after DirectPath and DCA (https://google.aip.dev/auth/4114) are ruled out as options. If the conditions to use S2A are not met (env variable not set, S2A not running in the environment, etc.; shouldUseS2A returns false), fall back to the default TLS connection.

When we are creating S2A-enabled gRPC Channel Credentials, we first try to secure the connection between the client and the S2A via mTLS, using MTLS-MDS credentials. If MTLS-MDS credentials can't be loaded, then we fall back to a plaintext connection between the client and S2A.

The parallel Go implementation: googleapis/google-api-go-client#1874 (now lives here: https://github.com/googleapis/google-cloud-go/blob/main/auth/internal/transport/cba.go)

S2A Java client: https://github.com/grpc/grpc-java/tree/master/s2a

Resolving b/376258193 means that S2A.java is no longer experimental
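The selection chain the description walks through (DirectPath, then DCA, then S2A with an MTLS-MDS-or-plaintext fallback, else default TLS), as an added stand-alone illustration that is not the PR's or gax-java's code. The environment variable name and the client cert/key path are assumptions, and the credential file paths are passed in as parameters so the fallback branch can be unit-tested without touching the real filesystem locations.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.util.Map;

/** Hypothetical sketch of the AIP-4115 transport selection; not the gax-java code. */
public final class S2ATransportPolicy {
  // Name of the experimental gating variable is assumed, not taken from the PR.
  static final String S2A_ENV_VAR = "EXPERIMENTAL_GOOGLE_API_USE_S2A";
  // Well-known GCE mTLS-MDS locations; the client cert/key path is an assumption here.
  static final String MTLS_MDS_ROOT = "/run/google-mds-mtls/root.crt";
  static final String MTLS_MDS_CERT_CHAIN_AND_KEY = "/run/google-mds-mtls/client.key";

  enum Transport { DIRECT_PATH, DCA_MTLS, S2A_OVER_MTLS_MDS, S2A_OVER_PLAINTEXT, DEFAULT_TLS }

  /** Gate for S2A: the env variable opts in and the S2A availability check passed. */
  static boolean shouldUseS2A(Map<String, String> env, boolean s2aAvailable) {
    return "true".equalsIgnoreCase(env.get(S2A_ENV_VAR)) && s2aAvailable;
  }

  /**
   * DirectPath and DCA (AIP-4114) are ruled out first; S2A is only considered after
   * them, and default TLS is the fallback when S2A's own conditions are not met.
   */
  static Transport choose(boolean directPath, boolean dca, Map<String, String> env,
      boolean s2aAvailable, File mdsRoot, File mdsCertKey) {
    if (directPath) return Transport.DIRECT_PATH;
    if (dca) return Transport.DCA_MTLS;
    if (!shouldUseS2A(env, s2aAvailable)) return Transport.DEFAULT_TLS;
    // Early return instead of an else block: plaintext to the local S2A when the
    // MTLS-MDS root and client cert/key are not both present on the filesystem.
    if (!mdsRoot.isFile() || !mdsCertKey.isFile()) return Transport.S2A_OVER_PLAINTEXT;
    return Transport.S2A_OVER_MTLS_MDS;
  }

  public static void main(String[] args) throws IOException {
    Map<String, String> optedIn = Map.of(S2A_ENV_VAR, "true");
    File missing = new File("/nonexistent/root.crt");
    // Constructed temp files stand in for the MDS-provisioned certificates.
    File root = Files.createTempFile("root", ".crt").toFile();
    File certKey = Files.createTempFile("client", ".key").toFile();
    root.deleteOnExit();
    certKey.deleteOnExit();
    System.out.println(choose(true, false, optedIn, true, root, certKey));
    System.out.println(choose(false, false, Map.of(), true, root, certKey));
    System.out.println(choose(false, false, optedIn, true, missing, certKey));
    System.out.println(choose(false, false, optedIn, true, root, certKey));
  }
}
```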

conventional-commit-lint-gcf bot commented Oct 29, 2024

🤖 I detect that the PR title and the commit message differ and there's only one commit. To use the PR title for the commit history, you can use Github's automerge feature with squashing, or use automerge label. Good luck human!

-- conventional-commit-lint bot
https://conventionalcommits.org/

@product-auto-label product-auto-label bot added the size: xs Pull request size is extra small. label Oct 29, 2024
@rmehta19 rmehta19 changed the title Implement AIP#4114 Implement AIP#4115: create mTLS connection using S2A Oct 29, 2024
@rmehta19 rmehta19 marked this pull request as draft October 29, 2024 23:29
@sonarqubecloud

Quality Gate passed for 'java_showcase_integration_tests'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@product-auto-label product-auto-label bot added size: l Pull request size is large. and removed size: xs Pull request size is extra small. labels Oct 31, 2024
@rmehta19 rmehta19 force-pushed the grpc-channel-using-s2a branch from d6ba979 to 68d0c14 Compare November 1, 2024 14:39
@rmehta19 rmehta19 force-pushed the grpc-channel-using-s2a branch from 68d0c14 to 3510643 Compare November 1, 2024 14:59
@rmehta19 rmehta19 marked this pull request as ready for review November 4, 2024 13:27
@lqiu96 lqiu96 requested review from blakeli0, lqiu96 and zhumin8 November 4, 2024 15:42
lqiu96 commented Nov 4, 2024

Thanks @rmehta19, can we do a few things to help clean up the PR for reviews:

  1. Can you add a conventional commit style title to the PR? I think something like feat: {...} would help us and users understand the changes that went in the PR/ release
  2. Can we split the deps upgrades into separate PRs? We typically use renovate-bot to merge deps and I believe we just merged the ones you are looking for.

// Try to load MTLS-MDS creds.
File rootFile = new File(MTLS_MDS_ROOT);
File certKeyFile = new File(MTLS_MDS_CERT_CHAIN_AND_KEY);
if (!rootFile.isFile() || !certKeyFile.isFile()) {
I think this should be if (rootFile.isFile() && certKeyFile.isFile())? Or refactor this to

if (!rootFile.isFile() || !certKeyFile.isFile()) {
  return createPlaintextToS2AChannelCredentials(plaintextAddress);
}

to reduce indentation?

Sorry this is my bad! Changed to if (rootFile.isFile() && certKeyFile.isFile()). Thanks for catching! 1ff7a92

@blakeli0 blakeli0 Nov 12, 2024

Thanks! I think that means we don't have any test coverage for createS2ASecuredChannelCredentials() though, and to some extent, also no test coverage for the logic in createSingleChannel().

It's probably hard to test the channels created from createSingleChannel() since there are no getters in ManagedChannel for us to verify it, and that's probably why we don't have much test for it in the past either. For the new method createS2ASecuredChannelCredentials(), we could probably extract the file path as parameters of this method so that we can unit test it properly.


// The public portion of the mTLS MDS root certificate is stored for performing
// cert verification when establishing an mTLS connection with the MDS.
private static final String MTLS_MDS_ROOT = "/run/google-mds-mtls/root.crt";
I guess these are well-known locations on GCE? Do we have any public or internal docs for these locations? If not, where do we get these? What I'm worried is that how do we get notified if they change?

@rmehta19 rmehta19 Nov 13, 2024

I guess these are well-known locations on GCE?

Yes

Do we have any public or internal docs for these locations?

I included a link down below in the logic, I've moved it up here as well: https://cloud.google.com/compute/docs/metadata/overview#https-mds. Specifically https://cloud.google.com/compute/docs/metadata/overview#https-mds-root-certs and https://cloud.google.com/compute/docs/metadata/overview#https-mds-client-certs

2958fb4

@blakeli0 blakeli0 left a comment

LGTM. There is a CI check failing though; we might need to update some dependencies for self-service. @lqiu96 can you please take a look?

lqiu96 commented Nov 14, 2024

/gcbrun

Comment on lines +528 to +534
} else {
// Fallback to plaintext-to-S2A connection if MTLS-MDS creds do not exist.
LOG.log(
Level.INFO,
"Cannot establish an mTLS connection to S2A because MTLS to MDS credentials do not exist on filesystem, falling back to plaintext connection to S2A");
return createPlaintextToS2AChannelCredentials(plaintextAddress);
}
@lqiu96 lqiu96 Nov 14, 2024

nit: Perhaps this else block could be an early return instead
i.e.

if (!rootFile.isFile() || !certKeyFile.isFile()) {
...
}
{Logic to create s2a}

would reduce the nesting. Ignore this comment if this was already discussed.

PR LGTM

Agreed, I also suggested it in #3326 (comment), but it does not have to block this PR.

@blakeli0 blakeli0 merged commit 1138ca6 into googleapis:main Nov 14, 2024
46 of 51 checks passed
ejona86 commented Nov 22, 2024

This mustn't depend on io.grpc.s2a.S2AChannelCredentials because it is @ExperimentalApi. Libraries can't choose the versions of the libraries they use. We'd need to stabilize the API for use here.
