@bfivelson0101 bfivelson0101 commented Jan 16, 2026

This PR adds an option to inject custom gRPC transport credentials into the connection. The primary reason for this is to provide a way to trust certificates that were issued by a custom CA. The current implementation allowed for the SystemCertPool or insecureSkipVerify as the only transport options.

Definition of Ready

  • I am happy with the code
  • Short description of the feature/issue is added in the pr description
  • PR is linked to the corresponding user story
  • Acceptance criteria are met
  • All open todos and follow ups are defined in a new ticket and justified
  • Deviations from the acceptance criteria and design are agreed with the PO and documented.
  • No debug or dead code
  • My code has no repetitions
  • Critical parts are tested automatically
  • Where possible E2E tests are implemented
  • Documentation/examples are up-to-date
  • All non-functional requirements are met
  • Functionality of the acceptance criteria is checked manually on the dev system.

@hifabienne hifabienne added the os-contribution This is a contribution from our open-source community label Jan 16, 2026
@bfivelson0101 bfivelson0101 changed the title Custom transport WithTransportCredentials Jan 16, 2026
@bfivelson0101 bfivelson0101 marked this pull request as ready for review January 16, 2026 14:33
Copilot AI review requested due to automatic review settings January 16, 2026 14:33
Copilot AI left a comment

Pull request overview

This PR adds support for injecting custom gRPC transport credentials to enable connections with certificates issued by custom certificate authorities. Previously, only the system certificate pool or insecure skip verify were supported as transport options.

Changes:

  • Added WithTransportCredentials option to both pkg/client/zitadel and pkg/client packages
  • Modified transport option logic to prioritize custom credentials over default options
  • Added example implementations demonstrating custom CA usage with both admin and management APIs

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 7 comments.

File | Description
pkg/client/zitadel/client.go | Added transportCredentials field to Connection struct and WithTransportCredentials option function; modified transportOption to check for custom credentials first
pkg/client/client.go | Added transportCredentials field to clientOptions, WithTransportCredentials option function, and modified newConnection to accept and use custom credentials
example/customCA/middleware/tokenTools.go | Helper functions for creating JWT profile token sources with custom HTTP clients for CA trust
example/customCA/admin/admin.go | Example demonstrating admin API usage with custom CA certificate
example/customCA/Management/management.go | Example demonstrating management API usage with custom CA certificate

ctx := context.Background()

//build tls config with custom CA
var tlsConfig = &tls.Config{}
Copilot AI Jan 16, 2026

The tls.Config is initialized with default values, which may not enforce minimum TLS version requirements. For production use, consider explicitly setting MinVersion (e.g., tls.VersionTLS12 or tls.VersionTLS13) to ensure secure TLS connections. While this is example code, it sets a pattern that users might follow.

Suggested change
var tlsConfig = &tls.Config{}
var tlsConfig = &tls.Config{
MinVersion: tls.VersionTLS12,
}

bfivelson0101 and others added 6 commits January 16, 2026 07:40
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@mridang mridang self-assigned this Jan 19, 2026