grpc / grpc-java / #20071
89%

DEFAULT BRANCH: master
Ran
Jobs 1
Files 624
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 88.574% (-0.03%) from 88.606%
#20071

push

github

web-flow 
xds: Support deprecated xDS TLS fields for Istio compat (#12435)

## Problem

When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC
fails with:

```
LDS response Listener validation error: 
tls_certificate_provider_instance is required in downstream-tls-context
```

**Root Cause:**

Istio sends deprecated certificate provider fields for backward
compatibility with older Envoy versions. Java gRPC currently only reads
the current fields, causing validation failures.

Specifically, Istio uses these deprecated fields:
1. **Field 11**: `tls_certificate_certificate_provider_instance`
(deprecated) instead of field 14 (`tls_certificate_provider_instance`)
2. **Field 4**: `validation_context_certificate_provider_instance` in
`CombinedValidationContext` (deprecated) instead of
`ca_certificate_provider_instance` in `default_validation_context`

## Fix

Istio is adding support for the new fields in
https://github.com/istio/istio/pull/58257. Add fallback logic to support
deprecated certificate provider fields before that is rolled out:

**For identity certificates:**
1. Try current field 14 (`tls_certificate_provider_instance`) first
2. Fall back to deprecated field 11
(`tls_certificate_certificate_provider_instance`)

**For validation context in CombinedValidationContext:**
1. Try `ca_certificate_provider_instance` in
`default_validation_context` first
2. Fall back to deprecated field 4
(`validation_context_certificate_provider_instance`)

This matches the behavior of
[grpc-cpp](https://github.com/grpc/grpc/blob/master/src/core/xds/grpc/xds_common_types_parser.cc#L435-L474)
and
[grpc-go](https://github.com/grpc/grpc-go/blob/master/internal/xds/xdsclient/xdsresource/unmarshal_cds.go#L310-L344)
implementations.

## Testing

* Added new tests for both deprecated field paths (field 11 and field 4)
* All existing tests pass
* Manual local testing with Istio in proxyless mode verified the
compatibility fix works

---------

Co-authored-by: Amp <amp@ampcode.com>

35124 of 39655 relevant lines covered (88.57%)

0.89 hits per line

Uncovered Existing Lines

Lines Coverage File
1
87.6
 -0.83% ../rls/src/main/java/io/grpc/rls/LinkedHashLruCache.java
1
74.23
 -1.03% ../servlet/src/main/java/io/grpc/servlet/AsyncServletOutputStreamWriter.java
3
93.22
 -1.69% ../core/src/main/java/io/grpc/internal/AbstractClientStream.java
3
86.83
 -1.23% ../core/src/main/java/io/grpc/internal/DelayedClientCall.java
3
69.83
 -2.59% ../servlet/src/main/java/io/grpc/servlet/ServletServerStream.java
4
91.9
 -1.9% ../xds/src/main/java/io/grpc/xds/client/ControlPlaneClient.java
6
79.03
 -4.84% ../servlet/src/main/java/io/grpc/servlet/ServletAdapter.java
7
91.25
 0.25% ../xds/src/main/java/io/grpc/xds/XdsClusterResource.java
Jobs
ID Job ID Ran Files Coverage
1 #20071.1 624
88.57
Source Files on build #20071