[config] Move certificate provider registry into core config (#30890)

* [config] Move certificate provider registry into core config * Automated change: Fix sanity tests Co-authored-by: ctiller <ctiller@users.noreply.github.com>
2 years ago · 2b46cb40d3
parent 134401a4d6
commit 2b46cb40d3
16 changed files with 189 additions and 177 deletions
--- a/4
+++ b/4
@ -1251,6 +1251,7 @@ grpc_cc_library(
    ],
    visibility = ["@grpc:client_channel"],
    deps = [
+        "certificate_provider_registry",
        "channel_args_preconditioning",
        "channel_creds_registry",
        "channel_init",
@ -4433,8 +4434,9 @@ grpc_cc_library(
        "src/core/lib/security/certificate_provider/certificate_provider_factory.h",
    ],
    deps = [
+        "error",
        "gpr",
-        "grpc_base",
+        "grpc_public_hdrs",
        "json",
        "ref_counted",
        "ref_counted_ptr",
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -2866,6 +2866,7 @@ add_library(grpc_unsecure
  src/core/lib/security/authorization/authorization_policy_provider_vtable.cc
  src/core/lib/security/authorization/evaluate_args.cc
  src/core/lib/security/authorization/grpc_server_authz_filter.cc
+  src/core/lib/security/certificate_provider/certificate_provider_registry.cc
  src/core/lib/security/context/security_context.cc
  src/core/lib/security/credentials/call_creds_util.cc
  src/core/lib/security/credentials/composite/composite_credentials.cc
--- a/2
+++ b/2
@ -2019,6 +2019,7 @@ LIBGRPC_UNSECURE_SRC = \
    src/core/lib/security/authorization/authorization_policy_provider_vtable.cc \
    src/core/lib/security/authorization/evaluate_args.cc \
    src/core/lib/security/authorization/grpc_server_authz_filter.cc \
+    src/core/lib/security/certificate_provider/certificate_provider_registry.cc \
    src/core/lib/security/context/security_context.cc \
    src/core/lib/security/credentials/call_creds_util.cc \
    src/core/lib/security/credentials/composite/composite_credentials.cc \
@ -3166,7 +3167,6 @@ src/core/lib/matchers/matchers.cc: $(OPENSSL_DEP)
 src/core/lib/security/authorization/grpc_authorization_engine.cc: $(OPENSSL_DEP)
 src/core/lib/security/authorization/matchers.cc: $(OPENSSL_DEP)
 src/core/lib/security/authorization/rbac_policy.cc: $(OPENSSL_DEP)
-src/core/lib/security/certificate_provider/certificate_provider_registry.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/alts/alts_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/alts/check_gcp_environment.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/alts/check_gcp_environment_linux.cc: $(OPENSSL_DEP)
--- a/build_autogenerated.yaml
+++ b/build_autogenerated.yaml
@ -2147,6 +2147,8 @@ libs:
  - src/core/lib/security/authorization/authorization_policy_provider.h
  - src/core/lib/security/authorization/evaluate_args.h
  - src/core/lib/security/authorization/grpc_server_authz_filter.h
+  - src/core/lib/security/certificate_provider/certificate_provider_factory.h
+  - src/core/lib/security/certificate_provider/certificate_provider_registry.h
  - src/core/lib/security/context/security_context.h
  - src/core/lib/security/credentials/call_creds_util.h
  - src/core/lib/security/credentials/channel_creds_registry.h
@ -2465,6 +2467,7 @@ libs:
  - src/core/lib/security/authorization/authorization_policy_provider_vtable.cc
  - src/core/lib/security/authorization/evaluate_args.cc
  - src/core/lib/security/authorization/grpc_server_authz_filter.cc
+  - src/core/lib/security/certificate_provider/certificate_provider_registry.cc
  - src/core/lib/security/context/security_context.cc
  - src/core/lib/security/credentials/call_creds_util.cc
  - src/core/lib/security/credentials/composite/composite_credentials.cc
--- a/grpc.gyp
+++ b/grpc.gyp
@ -1370,6 +1370,7 @@
        'src/core/lib/security/authorization/authorization_policy_provider_vtable.cc',
        'src/core/lib/security/authorization/evaluate_args.cc',
        'src/core/lib/security/authorization/grpc_server_authz_filter.cc',
+        'src/core/lib/security/certificate_provider/certificate_provider_registry.cc',
        'src/core/lib/security/context/security_context.cc',
        'src/core/lib/security/credentials/call_creds_util.cc',
        'src/core/lib/security/credentials/composite/composite_credentials.cc',
--- a/src/core/ext/xds/certificate_provider_store.cc
+++ b/src/core/ext/xds/certificate_provider_store.cc
@ -24,6 +24,7 @@

 #include <grpc/support/log.h>

+#include "src/core/lib/config/core_configuration.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/security/certificate_provider/certificate_provider_registry.h"

@ -48,8 +49,9 @@ void CertificateProviderStore::PluginDefinition::JsonPostLoad(
  CertificateProviderFactory* factory = nullptr;
  if (!plugin_name.empty()) {
    ScopedField field(errors, ".plugin_name");
-    factory = CertificateProviderRegistry::LookupCertificateProviderFactory(
-        plugin_name);
+    factory = CoreConfiguration::Get()
+                  .certificate_provider_registry()
+                  .LookupCertificateProviderFactory(plugin_name);
    if (factory == nullptr) {
      errors->AddError(absl::StrCat("Unrecognized plugin name: ", plugin_name));
      return;  // No point checking config.
@ -126,8 +128,10 @@ CertificateProviderStore::CreateCertificateProviderLocked(
    return nullptr;
  }
  CertificateProviderFactory* factory =
-      CertificateProviderRegistry::LookupCertificateProviderFactory(
-          plugin_config_it->second.plugin_name);
+      CoreConfiguration::Get()
+          .certificate_provider_registry()
+          .LookupCertificateProviderFactory(
+              plugin_config_it->second.plugin_name);
  if (factory == nullptr) {
    // This should never happen since an entry is only inserted in the
    // plugin_config_map_ if the corresponding factory was found when parsing
--- a/src/core/ext/xds/file_watcher_certificate_provider_factory.cc
+++ b/src/core/ext/xds/file_watcher_certificate_provider_factory.cc
@ -31,6 +31,7 @@
 #include <grpc/support/log.h>
 #include <grpc/support/time.h>

+#include "src/core/lib/config/core_configuration.h"
 #include "src/core/lib/json/json_util.h"
 #include "src/core/lib/security/certificate_provider/certificate_provider_registry.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
@ -143,11 +144,10 @@ FileWatcherCertificateProviderFactory::CreateCertificateProvider(
      file_watcher_config->refresh_interval().millis() / GPR_MS_PER_SEC);
 }

-void FileWatcherCertificateProviderInit() {
-  CertificateProviderRegistry::RegisterCertificateProviderFactory(
+void RegisterFileWatcherCertificateProvider(
+    CoreConfiguration::Builder* builder) {
+  builder->certificate_provider_registry()->RegisterCertificateProviderFactory(
      absl::make_unique<FileWatcherCertificateProviderFactory>());
 }

-void FileWatcherCertificateProviderShutdown() {}
-
 }  // namespace grpc_core
--- a/src/core/lib/config/core_configuration.cc
+++ b/src/core/lib/config/core_configuration.cc
@ -44,7 +44,9 @@ CoreConfiguration::CoreConfiguration(Builder* builder)
      channel_creds_registry_(builder->channel_creds_registry_.Build()),
      service_config_parser_(builder->service_config_parser_.Build()),
      resolver_registry_(builder->resolver_registry_.Build()),
-      lb_policy_registry_(builder->lb_policy_registry_.Build()) {}
+      lb_policy_registry_(builder->lb_policy_registry_.Build()),
+      certificate_provider_registry_(
+          builder->certificate_provider_registry_.Build()) {}

 void CoreConfiguration::RegisterBuilder(std::function<void(Builder*)> builder) {
  GPR_ASSERT(config_.load(std::memory_order_relaxed) == nullptr &&
--- a/src/core/lib/config/core_configuration.h
+++ b/src/core/lib/config/core_configuration.h
@ -25,6 +25,7 @@
 #include "src/core/lib/channel/channel_args_preconditioning.h"
 #include "src/core/lib/load_balancing/lb_policy_registry.h"
 #include "src/core/lib/resolver/resolver_registry.h"
+#include "src/core/lib/security/certificate_provider/certificate_provider_registry.h"
 #include "src/core/lib/security/credentials/channel_creds_registry.h"
 #include "src/core/lib/service_config/service_config_parser.h"
 #include "src/core/lib/surface/channel_init.h"
@ -69,6 +70,10 @@ class CoreConfiguration {
      return &lb_policy_registry_;
    }

+    CertificateProviderRegistry::Builder* certificate_provider_registry() {
+      return &certificate_provider_registry_;
+    }
+
   private:
    friend class CoreConfiguration;

@ -79,6 +84,7 @@ class CoreConfiguration {
    ServiceConfigParser::Builder service_config_parser_;
    ResolverRegistry::Builder resolver_registry_;
    LoadBalancingPolicyRegistry::Builder lb_policy_registry_;
+    CertificateProviderRegistry::Builder certificate_provider_registry_;

    Builder();
    CoreConfiguration* Build();
@ -187,6 +193,10 @@ class CoreConfiguration {
    return lb_policy_registry_;
  }

+  const CertificateProviderRegistry& certificate_provider_registry() const {
+    return certificate_provider_registry_;
+  }
+
  static void SetDefaultBuilder(void (*builder)(CoreConfiguration::Builder*)) {
    default_builder_ = builder;
  }
@ -212,6 +222,7 @@ class CoreConfiguration {
  ServiceConfigParser service_config_parser_;
  ResolverRegistry resolver_registry_;
  LoadBalancingPolicyRegistry lb_policy_registry_;
+  CertificateProviderRegistry certificate_provider_registry_;
 };

 extern void BuildCoreConfiguration(CoreConfiguration::Builder* builder);
--- a/src/core/lib/security/certificate_provider/certificate_provider_registry.cc
+++ b/src/core/lib/security/certificate_provider/certificate_provider_registry.cc
@ -30,74 +30,31 @@

 namespace grpc_core {

-namespace {
-
-class RegistryState {
- public:
-  void RegisterCertificateProviderFactory(
-      std::unique_ptr<CertificateProviderFactory> factory) {
-    gpr_log(GPR_DEBUG, "registering certificate provider factory for \"%s\"",
-            factory->name());
-    for (size_t i = 0; i < factories_.size(); ++i) {
-      GPR_ASSERT(strcmp(factories_[i]->name(), factory->name()) != 0);
-    }
-    factories_.push_back(std::move(factory));
-  }
-
-  CertificateProviderFactory* LookupCertificateProviderFactory(
-      absl::string_view name) const {
-    for (size_t i = 0; i < factories_.size(); ++i) {
-      if (name == factories_[i]->name()) {
-        return factories_[i].get();
-      }
-    }
-    return nullptr;
+void CertificateProviderRegistry::Builder::RegisterCertificateProviderFactory(
+    std::unique_ptr<CertificateProviderFactory> factory) {
+  gpr_log(GPR_DEBUG, "registering certificate provider factory for \"%s\"",
+          factory->name());
+  for (size_t i = 0; i < factories_.size(); ++i) {
+    GPR_ASSERT(strcmp(factories_[i]->name(), factory->name()) != 0);
  }
-
- private:
-  std::vector<std::unique_ptr<CertificateProviderFactory>> factories_;
-};
-
-RegistryState* g_state = nullptr;
-
-}  // namespace
-
-//
-// CertificateProviderRegistry
-//
-
-CertificateProviderFactory*
-CertificateProviderRegistry::LookupCertificateProviderFactory(
-    absl::string_view name) {
-  GPR_ASSERT(g_state != nullptr);
-  return g_state->LookupCertificateProviderFactory(name);
+  factories_.push_back(std::move(factory));
 }

-void CertificateProviderRegistry::InitRegistry() {
-  if (g_state == nullptr) g_state = new RegistryState();
+CertificateProviderRegistry CertificateProviderRegistry::Builder::Build() {
+  CertificateProviderRegistry r;
+  r.factories_ = std::move(factories_);
+  return r;
 }

-void CertificateProviderRegistry::ShutdownRegistry() {
-  delete g_state;
-  g_state = nullptr;
-}
-
-void CertificateProviderRegistry::RegisterCertificateProviderFactory(
-    std::unique_ptr<CertificateProviderFactory> factory) {
-  InitRegistry();
-  g_state->RegisterCertificateProviderFactory(std::move(factory));
+CertificateProviderFactory*
+CertificateProviderRegistry::LookupCertificateProviderFactory(
+    absl::string_view name) const {
+  for (size_t i = 0; i < factories_.size(); ++i) {
+    if (name == factories_[i]->name()) {
+      return factories_[i].get();
+    }
+  }
+  return nullptr;
 }

 }  // namespace grpc_core
-
-//
-// Plugin registration
-//
-
-void grpc_certificate_provider_registry_init() {
-  grpc_core::CertificateProviderRegistry::InitRegistry();
-}
-
-void grpc_certificate_provider_registry_shutdown() {
-  grpc_core::CertificateProviderRegistry::ShutdownRegistry();
-}
--- a/src/core/lib/security/certificate_provider/certificate_provider_registry.h
+++ b/src/core/lib/security/certificate_provider/certificate_provider_registry.h
@ -22,6 +22,7 @@
 #include <grpc/support/port_platform.h>

 #include <memory>
+#include <vector>

 #include "absl/strings/string_view.h"

@ -32,26 +33,36 @@ namespace grpc_core {
 // Global registry for all the certificate provider plugins.
 class CertificateProviderRegistry {
 public:
-  // Returns the factory for the plugin keyed by name.
-  static CertificateProviderFactory* LookupCertificateProviderFactory(
-      absl::string_view name);
+  class Builder {
+   public:
+    // Register a provider with the registry. Can only be called after calling
+    // InitRegistry(). The key of the factory is extracted from factory
+    // parameter with method CertificateProviderFactory::name. If the same key
+    // is registered twice, an exception is raised.
+    void RegisterCertificateProviderFactory(
+        std::unique_ptr<CertificateProviderFactory> factory);
+
+    CertificateProviderRegistry Build();

-  // The following methods are used to create and populate the
-  // CertificateProviderRegistry. NOT THREAD SAFE -- to be used only during
-  // global gRPC initialization and shutdown.
+   private:
+    std::vector<std::unique_ptr<CertificateProviderFactory>> factories_;
+  };

-  // Global initialization of the registry.
-  static void InitRegistry();
+  CertificateProviderRegistry(const CertificateProviderRegistry&) = delete;
+  CertificateProviderRegistry& operator=(const CertificateProviderRegistry&) =
+      delete;
+  CertificateProviderRegistry(CertificateProviderRegistry&&) = default;
+  CertificateProviderRegistry& operator=(CertificateProviderRegistry&&) =
+      default;
+
+  // Returns the factory for the plugin keyed by name.
+  CertificateProviderFactory* LookupCertificateProviderFactory(
+      absl::string_view name) const;

-  // Global shutdown of the registry.
-  static void ShutdownRegistry();
+ private:
+  CertificateProviderRegistry() = default;

-  // Register a provider with the registry. Can only be called after calling
-  // InitRegistry(). The key of the factory is extracted from factory
-  // parameter with method CertificateProviderFactory::name. If the same key
-  // is registered twice, an exception is raised.
-  static void RegisterCertificateProviderFactory(
-      std::unique_ptr<CertificateProviderFactory> factory);
+  std::vector<std::unique_ptr<CertificateProviderFactory>> factories_;
 };

 }  // namespace grpc_core
--- a/src/core/plugin_registry/grpc_plugin_registry_extra.cc
+++ b/src/core/plugin_registry/grpc_plugin_registry_extra.cc
@ -26,22 +26,12 @@ namespace grpc_core {
 void XdsClientGlobalInit();
 void XdsClientGlobalShutdown();
 }  // namespace grpc_core
-void grpc_certificate_provider_registry_init(void);
-void grpc_certificate_provider_registry_shutdown(void);
-namespace grpc_core {
-void FileWatcherCertificateProviderInit();
-void FileWatcherCertificateProviderShutdown();
-}  // namespace grpc_core
 #endif

 void grpc_register_extra_plugins() {
 #ifndef GRPC_NO_XDS
  grpc_register_plugin(grpc_core::XdsClientGlobalInit,
                       grpc_core::XdsClientGlobalShutdown);
-  grpc_register_plugin(grpc_certificate_provider_registry_init,
-                       grpc_certificate_provider_registry_shutdown);
-  grpc_register_plugin(grpc_core::FileWatcherCertificateProviderInit,
-                       grpc_core::FileWatcherCertificateProviderShutdown);
 #endif
 }

@ -59,6 +49,8 @@ extern void RegisterXdsClusterImplLbPolicy(CoreConfiguration::Builder* builder);
 extern void RegisterCdsLbPolicy(CoreConfiguration::Builder* builder);
 extern void RegisterXdsClusterResolverLbPolicy(
    CoreConfiguration::Builder* builder);
+extern void RegisterFileWatcherCertificateProvider(
+    CoreConfiguration::Builder* builder);
 #endif
 void RegisterExtraFilters(CoreConfiguration::Builder* builder) {
  // Use builder to avoid unused-parameter warning.
@ -75,6 +67,7 @@ void RegisterExtraFilters(CoreConfiguration::Builder* builder) {
  RegisterXdsClusterImplLbPolicy(builder);
  RegisterCdsLbPolicy(builder);
  RegisterXdsClusterResolverLbPolicy(builder);
+  RegisterFileWatcherCertificateProvider(builder);
 #endif
 }
 }  // namespace grpc_core
--- a/test/core/security/certificate_provider_registry_test.cc
+++ b/test/core/security/certificate_provider_registry_test.cc
@ -60,23 +60,17 @@ class FakeCertificateProviderFactory2 : public CertificateProviderFactory {
 };

 TEST(CertificateProviderRegistryTest, Basic) {
-  CertificateProviderRegistry::InitRegistry();
+  CertificateProviderRegistry::Builder b;
  auto* fake_factory_1 = new FakeCertificateProviderFactory1;
  auto* fake_factory_2 = new FakeCertificateProviderFactory2;
-  CertificateProviderRegistry::RegisterCertificateProviderFactory(
+  b.RegisterCertificateProviderFactory(
      std::unique_ptr<CertificateProviderFactory>(fake_factory_1));
-  CertificateProviderRegistry::RegisterCertificateProviderFactory(
+  b.RegisterCertificateProviderFactory(
      std::unique_ptr<CertificateProviderFactory>(fake_factory_2));
-  EXPECT_EQ(
-      CertificateProviderRegistry::LookupCertificateProviderFactory("fake1"),
-      fake_factory_1);
-  EXPECT_EQ(
-      CertificateProviderRegistry::LookupCertificateProviderFactory("fake2"),
-      fake_factory_2);
-  EXPECT_EQ(
-      CertificateProviderRegistry::LookupCertificateProviderFactory("fake3"),
-      nullptr);
-  CertificateProviderRegistry::ShutdownRegistry();
+  auto r = b.Build();
+  EXPECT_EQ(r.LookupCertificateProviderFactory("fake1"), fake_factory_1);
+  EXPECT_EQ(r.LookupCertificateProviderFactory("fake2"), fake_factory_2);
+  EXPECT_EQ(r.LookupCertificateProviderFactory("fake3"), nullptr);
 }

 }  // namespace
--- a/test/core/xds/certificate_provider_store_test.cc
+++ b/test/core/xds/certificate_provider_store_test.cc
@ -22,6 +22,7 @@

 #include <gmock/gmock.h>

+#include "src/core/lib/config/core_configuration.h"
 #include "src/core/lib/gprpp/unique_type_name.h"
 #include "src/core/lib/security/certificate_provider/certificate_provider_registry.h"
 #include "test/core/util/test_config.h"
@ -107,66 +108,84 @@ class FakeCertificateProviderFactory2 : public CertificateProviderFactory {
 TEST_F(CertificateProviderStoreTest, Basic) {
  // Set up factories. (Register only one of the factories.)
  auto* fake_factory_1 = new FakeCertificateProviderFactory1;
-  CertificateProviderRegistry::RegisterCertificateProviderFactory(
-      std::unique_ptr<CertificateProviderFactory>(fake_factory_1));
-  auto fake_factory_2 = absl::make_unique<FakeCertificateProviderFactory2>();
-  // Set up store
-  CertificateProviderStore::PluginDefinitionMap map = {
-      {"fake_plugin_1",
-       {"fake1", fake_factory_1->CreateCertificateProviderConfig(Json::Object(),
-                                                                 nullptr)}},
-      {"fake_plugin_2",
-       {"fake2", fake_factory_2->CreateCertificateProviderConfig(Json::Object(),
-                                                                 nullptr)}},
-      {"fake_plugin_3",
-       {"fake1", fake_factory_1->CreateCertificateProviderConfig(Json::Object(),
-                                                                 nullptr)}},
-  };
-  auto store = MakeOrphanable<CertificateProviderStore>(std::move(map));
-  // Test for creating certificate providers with known plugin configuration.
-  auto cert_provider_1 = store->CreateOrGetCertificateProvider("fake_plugin_1");
-  ASSERT_NE(cert_provider_1, nullptr);
-  auto cert_provider_3 = store->CreateOrGetCertificateProvider("fake_plugin_3");
-  ASSERT_NE(cert_provider_3, nullptr);
-  // Test for creating certificate provider with known plugin configuration but
-  // unregistered factory.
-  ASSERT_EQ(store->CreateOrGetCertificateProvider("fake_plugin_2"), nullptr);
-  // Test for creating certificate provider with unknown plugin configuration.
-  ASSERT_EQ(store->CreateOrGetCertificateProvider("unknown"), nullptr);
-  // Test for getting previously created certificate providers.
-  ASSERT_EQ(store->CreateOrGetCertificateProvider("fake_plugin_1"),
-            cert_provider_1);
-  ASSERT_EQ(store->CreateOrGetCertificateProvider("fake_plugin_3"),
-            cert_provider_3);
-  // Release previously created certificate providers so that the store outlasts
-  // the certificate providers.
-  cert_provider_1.reset();
-  cert_provider_3.reset();
+  CoreConfiguration::RunWithSpecialConfiguration(
+      [=](CoreConfiguration::Builder* builder) {
+        builder->certificate_provider_registry()
+            ->RegisterCertificateProviderFactory(
+                std::unique_ptr<CertificateProviderFactory>(fake_factory_1));
+      },
+      [=] {
+        auto fake_factory_2 =
+            absl::make_unique<FakeCertificateProviderFactory2>();
+        // Set up store
+        CertificateProviderStore::PluginDefinitionMap map = {
+            {"fake_plugin_1",
+             {"fake1", fake_factory_1->CreateCertificateProviderConfig(
+                           Json::Object(), nullptr)}},
+            {"fake_plugin_2",
+             {"fake2", fake_factory_2->CreateCertificateProviderConfig(
+                           Json::Object(), nullptr)}},
+            {"fake_plugin_3",
+             {"fake1", fake_factory_1->CreateCertificateProviderConfig(
+                           Json::Object(), nullptr)}},
+        };
+        auto store = MakeOrphanable<CertificateProviderStore>(std::move(map));
+        // Test for creating certificate providers with known plugin
+        // configuration.
+        auto cert_provider_1 =
+            store->CreateOrGetCertificateProvider("fake_plugin_1");
+        ASSERT_NE(cert_provider_1, nullptr);
+        auto cert_provider_3 =
+            store->CreateOrGetCertificateProvider("fake_plugin_3");
+        ASSERT_NE(cert_provider_3, nullptr);
+        // Test for creating certificate provider with known plugin
+        // configuration but unregistered factory.
+        ASSERT_EQ(store->CreateOrGetCertificateProvider("fake_plugin_2"),
+                  nullptr);
+        // Test for creating certificate provider with unknown plugin
+        // configuration.
+        ASSERT_EQ(store->CreateOrGetCertificateProvider("unknown"), nullptr);
+        // Test for getting previously created certificate providers.
+        ASSERT_EQ(store->CreateOrGetCertificateProvider("fake_plugin_1"),
+                  cert_provider_1);
+        ASSERT_EQ(store->CreateOrGetCertificateProvider("fake_plugin_3"),
+                  cert_provider_3);
+        // Release previously created certificate providers so that the store
+        // outlasts the certificate providers.
+        cert_provider_1.reset();
+        cert_provider_3.reset();
+      });
 }

 TEST_F(CertificateProviderStoreTest, Multithreaded) {
  auto* fake_factory_1 = new FakeCertificateProviderFactory1;
-  CertificateProviderRegistry::RegisterCertificateProviderFactory(
-      std::unique_ptr<CertificateProviderFactory>(fake_factory_1));
-  CertificateProviderStore::PluginDefinitionMap map = {
-      {"fake_plugin_1",
-       {"fake1", fake_factory_1->CreateCertificateProviderConfig(Json::Object(),
-                                                                 nullptr)}}};
-  auto store = MakeOrphanable<CertificateProviderStore>(std::move(map));
-  // Test concurrent `CreateOrGetCertificateProvider()` with the same key.
-  std::vector<std::thread> threads;
-  threads.reserve(1000);
-  for (auto i = 0; i < 1000; i++) {
-    threads.emplace_back([&store]() {
-      for (auto i = 0; i < 10; ++i) {
-        ASSERT_NE(store->CreateOrGetCertificateProvider("fake_plugin_1"),
-                  nullptr);
-      }
-    });
-  }
-  for (auto& thread : threads) {
-    thread.join();
-  }
+  CoreConfiguration::RunWithSpecialConfiguration(
+      [=](CoreConfiguration::Builder* builder) {
+        builder->certificate_provider_registry()
+            ->RegisterCertificateProviderFactory(
+                std::unique_ptr<CertificateProviderFactory>(fake_factory_1));
+      },
+      [=] {
+        CertificateProviderStore::PluginDefinitionMap map = {
+            {"fake_plugin_1",
+             {"fake1", fake_factory_1->CreateCertificateProviderConfig(
+                           Json::Object(), nullptr)}}};
+        auto store = MakeOrphanable<CertificateProviderStore>(std::move(map));
+        // Test concurrent `CreateOrGetCertificateProvider()` with the same key.
+        std::vector<std::thread> threads;
+        threads.reserve(1000);
+        for (auto i = 0; i < 1000; i++) {
+          threads.emplace_back([&store]() {
+            for (auto i = 0; i < 10; ++i) {
+              ASSERT_NE(store->CreateOrGetCertificateProvider("fake_plugin_1"),
+                        nullptr);
+            }
+          });
+        }
+        for (auto& thread : threads) {
+          thread.join();
+        }
+      });
 }

 }  // namespace
--- a/test/core/xds/xds_bootstrap_test.cc
+++ b/test/core/xds/xds_bootstrap_test.cc
@ -22,6 +22,7 @@

 #include "src/core/ext/xds/xds_bootstrap_grpc.h"
 #include "src/core/ext/xds/xds_client_grpc.h"
+#include "src/core/lib/config/core_configuration.h"
 #include "src/core/lib/gpr/env.h"
 #include "src/core/lib/gpr/tmpfile.h"
 #include "src/core/lib/security/certificate_provider/certificate_provider_registry.h"
@ -711,9 +712,14 @@ TEST(XdsBootstrapTest, XdsServerToJsonAndParse) {
 int main(int argc, char** argv) {
  ::testing::InitGoogleTest(&argc, argv);
  grpc::testing::TestEnvironment env(&argc, argv);
+  grpc_core::CoreConfiguration::RegisterBuilder(
+      [](grpc_core::CoreConfiguration::Builder* builder) {
+        builder->certificate_provider_registry()
+            ->RegisterCertificateProviderFactory(
+                absl::make_unique<
+                    grpc_core::testing::FakeCertificateProviderFactory>());
+      });
  grpc_init();
-  grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory(
-      absl::make_unique<grpc_core::testing::FakeCertificateProviderFactory>());
  int ret = RUN_ALL_TESTS();
  grpc_shutdown();
  return ret;
--- a/test/cpp/end2end/xds/xds_end2end_test.cc
+++ b/test/cpp/end2end/xds/xds_end2end_test.cc
@ -68,6 +68,7 @@
 #include "src/core/lib/address_utils/parse_address.h"
 #include "src/core/lib/address_utils/sockaddr_utils.h"
 #include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/config/core_configuration.h"
 #include "src/core/lib/gpr/env.h"
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gpr/time_precise.h"
@ -4050,14 +4051,21 @@ int main(int argc, char** argv) {
 #endif
  grpc::testing::FakeCertificateProvider::CertDataMapWrapper cert_data_map_1;
  grpc::testing::g_fake1_cert_data_map = &cert_data_map_1;
-  grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory(
-      absl::make_unique<grpc::testing::FakeCertificateProviderFactory>(
-          "fake1", grpc::testing::g_fake1_cert_data_map));
  grpc::testing::FakeCertificateProvider::CertDataMapWrapper cert_data_map_2;
  grpc::testing::g_fake2_cert_data_map = &cert_data_map_2;
-  grpc_core::CertificateProviderRegistry::RegisterCertificateProviderFactory(
-      absl::make_unique<grpc::testing::FakeCertificateProviderFactory>(
-          "fake2", grpc::testing::g_fake2_cert_data_map));
+  grpc_core::CoreConfiguration::RegisterBuilder(
+      [](grpc_core::CoreConfiguration::Builder* builder) {
+        builder->certificate_provider_registry()
+            ->RegisterCertificateProviderFactory(
+                absl::make_unique<
+                    grpc::testing::FakeCertificateProviderFactory>(
+                    "fake1", grpc::testing::g_fake1_cert_data_map));
+        builder->certificate_provider_registry()
+            ->RegisterCertificateProviderFactory(
+                absl::make_unique<
+                    grpc::testing::FakeCertificateProviderFactory>(
+                    "fake2", grpc::testing::g_fake2_cert_data_map));
+      });
  grpc_init();
  grpc_core::XdsHttpFilterRegistry::RegisterFilter(
      absl::make_unique<grpc::testing::NoOpHttpFilter>(