gcp_authn: simplify crypto utils #45385
Signed-off-by: antoniovleonti <leonti@google.com>
/gemini review
Code Review
This pull request refactors the GCP authentication filter's crypto utilities by replacing the getBase64EncodedCertificateFingerprint function with a new CertFingerprinter interface and its implementation CertFingerprinterImpl. The new implementation simplifies certificate fingerprinting by extracting it directly from a PEM-formatted string, removing the dependency on TLS certificate providers and Subject Alternative Name (SAN) validation within this utility. Tests and build dependencies have been updated accordingly. There are no review comments to address, and I have no feedback to provide.
/assign @tyxia
/assign @yanavlasov
Commit Message: gcp_authn: simplify crypto utils
Additional Description:
Previously my understanding was that the gcp authn filter was going to have its own SDS config to specify a certificate for generating bound tokens. However, due to incompatibility with grpc, this design was scrapped in favor of just directly using the cluster's client certificate.
This makes the job of the crypto util simpler since it no longer needs to resolve SDS config or verify the resulting cert. Instead it trusts that the cluster is configured correctly (otherwise the connection will likely fail anyway, so the token won't matter), so all it needs to do is generate a fingerprint.
The SAN matching functionality has been removed. The SDS resolution functionality has also been removed. Now it just takes a PEM cert string and returns a fingerprint.
Finally, I put the whole util behind an interface so I can mock it in unit tests.
Risk Level: none (changing unused code)
Testing: unit tests updated
Docs Changes: none needed
Release Notes: none needed
I used generative AI to create this change.
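The shape described in the PR (a one-method fingerprinter interface, a real implementation that turns a PEM string into a base64 fingerprint, and a fake for unit tests), sketched here in Python as an added illustration; this is not Envoy's C++ code from the PR. The hash algorithm (SHA-256 over the DER bytes), standard base64 output, the class names and the sample PEM body are assumptions made for this example.

```python
import base64
import hashlib
import re
from abc import ABC, abstractmethod

# Assumed PEM framing; the fingerprinter only needs the DER bytes between the markers.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from a PEM string and return its DER bytes."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    if not der:
        raise ValueError("empty certificate body")
    return der


class CertFingerprinter(ABC):
    """Interface in the spirit of the PR: PEM string in, fingerprint string out."""

    @abstractmethod
    def fingerprint(self, pem: str) -> str: ...


class CertFingerprinterImpl(CertFingerprinter):
    def fingerprint(self, pem: str) -> str:
        # Fingerprint = SHA-256 over the DER encoding, standard base64 (assumed choices).
        return base64.b64encode(hashlib.sha256(pem_to_der(pem)).digest()).decode("ascii")


class FakeCertFingerprinter(CertFingerprinter):
    """Test double: returns a canned value and records calls, so callers can be unit-tested."""

    def __init__(self, canned: str = "FAKE-FINGERPRINT"):
        self.canned = canned
        self.calls: list[str] = []

    def fingerprint(self, pem: str) -> str:
        self.calls.append(pem)
        return self.canned


# Constructed sample (NOT a real certificate): the body is base64("abc"), which is enough to
# exercise the PEM handling and yield a deterministic fingerprint.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def demo() -> str:
    return CertFingerprinterImpl().fingerprint(SAMPLE_PEM)
```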