auth: grpc.NewClient dns scheme incompatible with secure forward-proxies #11089
Comments
@erezrokah Can you please update this issue to include actual program output in the Actual behavior section demonstrating how the change from |
See discussion and possible workaround in grpc/grpc-go#7556. |
Thanks for the reply @quartzmo 👍
I'll add sample code, but in order to observe the behavior you'd need to put up a forward proxy like envoy and see it break.
Won't this workaround disable DNS resolving altogether even when explicitly set by the scheme? |
We are asking you to provide this program output, thank you! |
Another possible workaround tactic is to use option.WithEndpoint to set the service endpoint with the |
Let me set up a repo that better shows how this is a breaking change and I'll update the issue with it.
Is there a way of doing that without knowing each service endpoint in advance? We're using almost every module in this repo to interact with GCP, so adding it manually will require a bit of work, and we'd also have to keep the list of endpoints up to date. To clarify, I'm not asking to revert the change, only for a way to get the previous behavior that can be applied generically to all modules. |
Sounds good. I agree that this is really important. As I have been doing, please link any tactical workarounds you come across, as one of these might offer a solution to be used either directly by users, or indirectly via some change to the client libraries or the auth library. Note that grpc.Dial (where |
Hi @quartzmo I've created a reproduction in the repo here https://github.com/cloudquery/gcp-client-breakage. |
Per the recommendation of @arjan-bal on grpc/grpc-go#7556 (comment), we are in agreement that we should temporarily revert usages of |
Closed by #11118 |
Client
cloud.google.com/go/auth
Environment
go version go1.23.2 darwin/arm64
Code and Dependencies
This issue impacts all consumers of the auth package which I believe are all the different packages in this repo and also https://github.com/googleapis/google-api-go-client/blob/3347fa1ef84d6de6d5f0ce651bf6da6577791a9e/transport/grpc/dial.go#L22
go.mod
Expected behavior
Resolving scheme should not change without communicating the breaking change
Actual behavior
Resolving scheme changed in a chore: #10780
Additional context
Started after upgrading to v0.9.2.
Setting GOOGLE_API_GO_EXPERIMENTAL_DISABLE_NEW_AUTH_LIB to true seems to fix the issue as it changes the logic here to use DialContext instead of NewClient from the auth package
Related to grpc/grpc-go#7556
Updated
Added a reproduction scenario via https://github.com/cloudquery/gcp-client-breakage
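
An added example, not code from this issue or from grpc-go: a simplified standard-library model of how a gRPC target's resolver scheme is chosen, showing why the same endpoint string is handled by passthrough under grpc.Dial/DialContext but by dns under grpc.NewClient. The registered scheme set, the sample endpoints and the pinPassthrough helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
)

// Fallback schemes: grpc.Dial/DialContext default to "passthrough",
// grpc.NewClient defaults to "dns".
const (
	dialDefault      = "passthrough"
	newClientDefault = "dns"
)

// registered is an assumed set of resolver schemes registered in the process.
var registered = map[string]bool{"dns": true, "passthrough": true, "unix": true}

// effectiveScheme returns the scheme that handles target: the target's own
// scheme when it parses as a URL and is registered, otherwise defaultScheme.
// "host:443" parses with scheme "host", which is unregistered, so it falls back.
func effectiveScheme(target, defaultScheme string) string {
	if u, err := url.Parse(target); err == nil && registered[u.Scheme] {
		return u.Scheme
	}
	return defaultScheme
}

// resolvesLocally reports whether the client itself would resolve the name
// (dns scheme) instead of handing the unresolved target to the dialer.
func resolvesLocally(target, defaultScheme string) bool {
	return effectiveScheme(target, defaultScheme) == "dns"
}

// pinPassthrough (hypothetical helper) makes the pre-change behaviour explicit
// for bare endpoints; endpoints with an explicit registered scheme are untouched.
func pinPassthrough(endpoint string) string {
	if effectiveScheme(endpoint, "") != "" {
		return endpoint
	}
	return "passthrough:///" + endpoint
}

func main() {
	// Constructed sample endpoints.
	eps := []string{"pubsub.googleapis.com:443", "dns:///storage.googleapis.com:443", "10.0.0.1:443"}
	for _, ep := range eps {
		fmt.Printf("%-34s Dial=%-11s NewClient=%-11s pinned=%s\n", ep,
			effectiveScheme(ep, dialDefault), effectiveScheme(ep, newClientDefault), pinPassthrough(ep))
	}
}
```

Running the audit over a list of service endpoints shows which ones change resolver after the upgrade: only bare `host:port` targets do, while targets with an explicit `dns:///` prefix behave the same before and after pinning.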