From fcf91a5183c4d03087e16a143bf82bb08522c23e Mon Sep 17 00:00:00 2001
From: Zach Reyes <zasweq@google.com>
Date: Mon, 25 Nov 2024 19:10:45 -0800
Subject: [PATCH 1/3] Add xDS Credentials

---
 examples/features/csm_observability/client/main.go |  7 ++++++-
 examples/features/csm_observability/server/main.go | 12 +++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/examples/features/csm_observability/client/main.go b/examples/features/csm_observability/client/main.go
index 20b357c2faad..52e51b826830 100644
--- a/examples/features/csm_observability/client/main.go
+++ b/examples/features/csm_observability/client/main.go
@@ -29,6 +29,7 @@ import (
 
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
+	xdscreds "google.golang.org/grpc/credentials/xds"
 	"google.golang.org/grpc/examples/features/proto/echo"
 	"google.golang.org/grpc/stats/opentelemetry"
 	"google.golang.org/grpc/stats/opentelemetry/csm"
@@ -56,7 +57,11 @@ func main() {
 	cleanup := csm.EnableObservability(context.Background(), opentelemetry.Options{MetricsOptions: opentelemetry.MetricsOptions{MeterProvider: provider}})
 	defer cleanup()
 
-	cc, err := grpc.NewClient(*target, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	creds, err := xdscreds.NewClientCredentials(xdscreds.ClientOptions{FallbackCreds: insecure.NewCredentials()})
+	if err != nil {
+		log.Fatalf("Failed to create xDS credentials: %v", err)
+	}
+	cc, err := grpc.NewClient(*target, grpc.WithTransportCredentials(creds))
 	if err != nil {
 		log.Fatalf("Failed to start NewClient: %v", err)
 	}
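Review bot: The credentials built by `xdscreds.NewClientCredentials` fall back to `insecure.NewCredentials()`, so the channel runs in plaintext whenever `*target` does not use the `xds` scheme or the management server returns no security configuration, and nothing at runtime says that this can happen. I would log the configuration once next to the call, e.g. `log.Printf("xDS credentials enabled; falling back to plaintext when no xDS security config is received")`, so that someone reading the example's output knows the run may be unsecured. The same applies to `xdscreds.NewServerCredentials` in the server/main.go hunk of this patch. `main` starts and ends outside the hunk.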
diff --git a/examples/features/csm_observability/server/main.go b/examples/features/csm_observability/server/main.go
index b87f859aa1c0..4002a616fc84 100644
--- a/examples/features/csm_observability/server/main.go
+++ b/examples/features/csm_observability/server/main.go
@@ -28,9 +28,12 @@ import (
 	"net/http"
 
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	xdscreds "google.golang.org/grpc/credentials/xds"
 	pb "google.golang.org/grpc/examples/features/proto/echo"
 	"google.golang.org/grpc/stats/opentelemetry"
 	"google.golang.org/grpc/stats/opentelemetry/csm"
+	"google.golang.org/grpc/xds"
 
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"go.opentelemetry.io/otel/exporters/prometheus"
@@ -67,7 +70,14 @@ func main() {
 	if err != nil {
 		log.Fatalf("Failed to listen: %v", err)
 	}
-	s := grpc.NewServer()
+	creds, err := xdscreds.NewServerCredentials(xdscreds.ServerOptions{FallbackCreds: insecure.NewCredentials()})
+	if err != nil {
+		log.Fatalf("Failed to create xDS credentials: %v", err)
+	}
+	s, err := xds.NewGRPCServer(grpc.Creds(creds))
+	if err != nil {
+		log.Fatalf("Failed to start xDS Server: %v", err)
+	}
 	pb.RegisterEchoServer(s, &echoServer{addr: ":" + *port})
 
 	log.Printf("Serving on %s\n", *port)
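Review bot: `log.Fatalf("Failed to start xDS Server: %v", err)` reports a start failure, but `xds.NewGRPCServer` only constructs the server at this point; the message should read `log.Fatalf("Failed to create xDS server: %v", err)`. Replacing `grpc.NewServer()` also appears to make the example depend on an xDS bootstrap configuration being available at startup, which deserves a one-line comment above the call such as `// Requires an xDS bootstrap configuration (e.g. via GRPC_XDS_BOOTSTRAP).` `main` continues outside the hunk.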

From 27f1e9ef5d04611698ed8f08a45a6c7d79553d28 Mon Sep 17 00:00:00 2001
From: Zach Reyes <zasweq@google.com>
Date: Tue, 26 Nov 2024 15:09:13 -0800
Subject: [PATCH 2/3] Responded to Doug's comment

---
 examples/features/csm_observability/client/main.go | 3 +++
 examples/features/csm_observability/server/main.go | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/examples/features/csm_observability/client/main.go b/examples/features/csm_observability/client/main.go
index 52e51b826830..a5e7af8d7801 100644
--- a/examples/features/csm_observability/client/main.go
+++ b/examples/features/csm_observability/client/main.go
@@ -57,6 +57,9 @@ func main() {
 	cleanup := csm.EnableObservability(context.Background(), opentelemetry.Options{MetricsOptions: opentelemetry.MetricsOptions{MeterProvider: provider}})
 	defer cleanup()
 
+	// The fallback credentials are here solely for demonstration purposes.
+	// Fallback credentials should not be used this way in production as it is
+	// insecure.
 	creds, err := xdscreds.NewClientCredentials(xdscreds.ClientOptions{FallbackCreds: insecure.NewCredentials()})
 	if err != nil {
 		log.Fatalf("Failed to create xDS credentials: %v", err)
diff --git a/examples/features/csm_observability/server/main.go b/examples/features/csm_observability/server/main.go
index 4002a616fc84..b995ac032917 100644
--- a/examples/features/csm_observability/server/main.go
+++ b/examples/features/csm_observability/server/main.go
@@ -70,6 +70,9 @@ func main() {
 	if err != nil {
 		log.Fatalf("Failed to listen: %v", err)
 	}
+	// The fallback credentials are here solely for demonstration purposes.
+	// Fallback credentials should not be used this way in production as it is
+	// insecure.
 	creds, err := xdscreds.NewServerCredentials(xdscreds.ServerOptions{FallbackCreds: insecure.NewCredentials()})
 	if err != nil {
 		log.Fatalf("Failed to create xDS credentials: %v", err)

From adab125fa82a13450ceca4cc0fdbd290247ede80 Mon Sep 17 00:00:00 2001
From: Zach Reyes <zasweq@google.com>
Date: Tue, 26 Nov 2024 15:25:17 -0800
Subject: [PATCH 3/3] Responded to Doug's comment

---
 examples/features/csm_observability/client/main.go | 5 ++---
 examples/features/csm_observability/server/main.go | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/examples/features/csm_observability/client/main.go b/examples/features/csm_observability/client/main.go
index a5e7af8d7801..cf33e6cb641d 100644
--- a/examples/features/csm_observability/client/main.go
+++ b/examples/features/csm_observability/client/main.go
@@ -57,9 +57,8 @@ func main() {
 	cleanup := csm.EnableObservability(context.Background(), opentelemetry.Options{MetricsOptions: opentelemetry.MetricsOptions{MeterProvider: provider}})
 	defer cleanup()
 
-	// The fallback credentials are here solely for demonstration purposes.
-	// Fallback credentials should not be used this way in production as it is
-	// insecure.
+	// Set up xds credentials that fall back to insecure as described in:
+	// https://cloud.google.com/service-mesh/docs/service-routing/security-proxyless-setup#workloads_are_unable_to_communicate_in_the_security_setup.
 	creds, err := xdscreds.NewClientCredentials(xdscreds.ClientOptions{FallbackCreds: insecure.NewCredentials()})
 	if err != nil {
 		log.Fatalf("Failed to create xDS credentials: %v", err)
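Review bot: The replacement comment above `xdscreds.NewClientCredentials` drops the only statement that the insecure fallback is unsuitable for production, and the link's anchor points at what looks like a troubleshooting section, so a reader copying the example no longer sees that the fallback means an unencrypted, unauthenticated connection. I would keep the link and restore one line of caution, e.g. `// The insecure fallback is for demonstration only: without xDS security config the connection is plaintext.` The URL line also ends in a period that some tools will treat as part of the link, and `xds` should be spelled `xDS` as in the log messages. The identical comment in the server/main.go hunk of this patch needs the same change.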
diff --git a/examples/features/csm_observability/server/main.go b/examples/features/csm_observability/server/main.go
index b995ac032917..3cafe23316b3 100644
--- a/examples/features/csm_observability/server/main.go
+++ b/examples/features/csm_observability/server/main.go
@@ -70,9 +70,8 @@ func main() {
 	if err != nil {
 		log.Fatalf("Failed to listen: %v", err)
 	}
-	// The fallback credentials are here solely for demonstration purposes.
-	// Fallback credentials should not be used this way in production as it is
-	// insecure.
+	// Set up xds credentials that fall back to insecure as described in:
+	// https://cloud.google.com/service-mesh/docs/service-routing/security-proxyless-setup#workloads_are_unable_to_communicate_in_the_security_setup.
 	creds, err := xdscreds.NewServerCredentials(xdscreds.ServerOptions{FallbackCreds: insecure.NewCredentials()})
 	if err != nil {
 		log.Fatalf("Failed to create xDS credentials: %v", err)