Description
Problem Statement
The SPIRE Plugin SDK currently depends on google.golang.org/grpc v1.53.0 (March 2023), which causes ambiguous import errors when plugin developers try to use modern gRPC versions (v1.74+) in their plugins. This forces developers to use workarounds like replace directives in their go.mod files.
Root Cause
This issue stems from the Google genproto ecosystem migration that occurred in March 2024. The conflict arises because:
- SPIRE Plugin SDK v1.12.4 depends on google.golang.org/grpc v1.53.0
- Modern gRPC versions (v1.74+) use the new genproto submodule structure (google.golang.org/genproto/googleapis/rpc)
- Older gRPC versions reference the old genproto structure (google.golang.org/genproto)
- Go module resolution finds the same packages in multiple modules, causing ambiguous imports
Impact
- Plugin developers cannot use modern gRPC features without workarounds
- Requires manual replace directives in plugin go.mod files
- Blocks adoption of gRPC security and performance improvements
- Creates maintenance burden for plugin developers
Minimal Reproducible Example
Create a simple plugin that imports both SPIRE Plugin SDK and modern gRPC:
go.mod:

```
module genproto-conflict-example

go 1.21

require (
	github.com/spiffe/spire-plugin-sdk v1.12.4
	google.golang.org/grpc v1.74.2
)
```

main.go:

```go
package main

import (
	"context"
	"log"

	"github.com/spiffe/spire-plugin-sdk/pluginmain"
	nodeattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/nodeattestor/v1"
	configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

type Plugin struct {
	nodeattestorv1.UnimplementedNodeAttestorServer
	configv1.UnimplementedConfigServer
}

func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
	return status.Error(codes.Unimplemented, "example plugin")
}

func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (*configv1.ConfigureResponse, error) {
	return &configv1.ConfigureResponse{}, nil
}

func main() {
	log.Println("Starting example plugin")
	plugin := new(Plugin)
	pluginmain.Serve(
		nodeattestorv1.NodeAttestorPluginServer(plugin),
		configv1.ConfigServiceServer(plugin),
	)
}
```

Error when running go mod tidy:

```
go: genproto-conflict-example imports
	google.golang.org/grpc/status imports
	google.golang.org/genproto/googleapis/rpc/status: ambiguous import: found package google.golang.org/genproto/googleapis/rpc/status in multiple modules:
	google.golang.org/genproto v0.0.0-20230223222841-637eb2293923 (/home/user/go/pkg/mod/google.golang.org/genproto@v0.0.0-20230223222841-637eb2293923/googleapis/rpc/status)
	google.golang.org/genproto/googleapis/rpc v0.0.0-20250528174236-200df99c418a (/home/user/go/pkg/mod/google.golang.org/genproto/googleapis/rpc@v0.0.0-20250528174236-200df99c418a/status)
```
Current Workaround
Plugin developers must add this to their go.mod:
```
replace google.golang.org/genproto => google.golang.org/genproto v0.0.0-20250528174236-200df99c418a
```

Proposed Solution
Update SPIRE Plugin SDK dependencies to use gRPC v1.72+ which has resolved the genproto conflicts (grpc/grpc-go#8127).
N.B. The below is untested. I am not sufficiently familiar with spiffe internals, so I will leave the actual changes to you!
Possible changes to go.mod:
```
require (
	// ... other dependencies
	google.golang.org/grpc v1.72.0 // or latest stable
	google.golang.org/protobuf v1.35.0 // or latest compatible
)
```

Benefits of Upgrade
- Eliminates dependency conflicts for plugin developers
- Access to modern gRPC features:
  - Improved security (TLS 1.3 by default)
  - Better performance optimizations
  - Enhanced observability features
- Simplified plugin development - no more replace directives needed
- Future-proofs the SDK against similar ecosystem migrations
Backward Compatibility
gRPC maintains backward compatibility, so this update should not break existing plugins. However, thorough testing is recommended, particularly around:
- Existing plugin interfaces
- TLS/security configurations
- Performance characteristics
Related Issues
- grpc/grpc-go#8127 - gRPC v1.70 ambiguous import (fixed in v1.72+)
- googleapis/go-genproto#1015 - genproto migration guide
- googleapis/go-genproto#1203 - specific ambiguous import issue
Environment
- SPIRE Plugin SDK: v1.12.4
- Current gRPC version in SDK: v1.53.0
- Target gRPC version: v1.72.0+
- Go version: 1.21+
This issue affects all plugin developers who want to use modern gRPC features alongside the SPIRE Plugin SDK. Resolving this would significantly improve the developer experience and remove a major barrier to adopting the latest gRPC improvements.
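
A CI-style check for the condition shown in the error message above, as an added example (not code from the issue author or the SPIRE project): it reads module-list lines in the "path version [=> path version]" form that `go list -m all` prints and flags a monolithic genproto pinned older than the rpc submodule. The function names and the timestamp-comparison heuristic are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const monolith = "google.golang.org/genproto"               // pre-split module
const rpcSplit = "google.golang.org/genproto/googleapis/rpc" // split submodule

// pseudoTS captures the 14-digit UTC timestamp of a Go pseudo-version.
var pseudoTS = regexp.MustCompile(`-(\d{14})-[0-9a-f]{12}$`)

// effectiveVersions maps each module path to the version actually built.
func effectiveVersions(buildList string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(buildList, "\n") {
		f := strings.Fields(line)
		if len(f) == 5 && f[2] == "=>" {
			out[f[0]] = f[4] // a replace directive decides what is compiled
		} else if len(f) == 2 {
			out[f[0]] = f[1]
		}
	}
	return out
}

// genprotoConflict applies the heuristic (assumption): a monolithic genproto
// snapshot older than the rpc submodule still ships the duplicated packages.
func genprotoConflict(buildList string) (bool, string) {
	v := effectiveVersions(buildList)
	old := pseudoTS.FindStringSubmatch(v[monolith])
	split := pseudoTS.FindStringSubmatch(v[rpcSplit])
	if old == nil || split == nil {
		return false, "genproto and its rpc submodule are not both present as pseudo-versions"
	}
	if old[1] < split[1] { // fixed-width digits, so string order is time order
		return true, fmt.Sprintf("%s@%s predates %s@%s", monolith, v[monolith], rpcSplit, v[rpcSplit])
	}
	return false, "monolithic genproto is not older than the rpc submodule"
}

func main() {
	// Constructed build list using the two versions from the error output.
	sample := monolith + " v0.0.0-20230223222841-637eb2293923\n" +
		rpcSplit + " v0.0.0-20250528174236-200df99c418a\n"
	fmt.Println(genprotoConflict(sample))
}
```

A build list where the replace directive from the workaround is in effect is reported as clean, because the replacement version is the one compared.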