grpc / grpc-java / #20077
89%
master: 89%

LAST BUILD BRANCH: v1.79.x
DEFAULT BRANCH: master
Ran
Jobs 1
Files 621
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 88.515% (-0.02%) from 88.533%
#20077

push

github

ejona86 
xds: Support deprecated xDS TLS fields for Istio compat (#12435)

## Problem

When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC
fails with:

```
LDS response Listener validation error: 
tls_certificate_provider_instance is required in downstream-tls-context
```

**Root Cause:**

Istio sends deprecated certificate provider fields for backward
compatibility with older Envoy versions. Java gRPC currently only reads
the current fields, causing validation failures.

Specifically, Istio uses these deprecated fields:
1. **Field 11**: `tls_certificate_certificate_provider_instance`
(deprecated) instead of field 14 (`tls_certificate_provider_instance`)
2. **Field 4**: `validation_context_certificate_provider_instance` in
`CombinedValidationContext` (deprecated) instead of
`ca_certificate_provider_instance` in `default_validation_context`

## Fix

Istio is adding support for the new fields in
https://github.com/istio/istio/pull/58257. Add fallback logic to support
deprecated certificate provider fields before that is rolled out:

**For identity certificates:**
1. Try current field 14 (`tls_certificate_provider_instance`) first
2. Fall back to deprecated field 11
(`tls_certificate_certificate_provider_instance`)

**For validation context in CombinedValidationContext:**
1. Try `ca_certificate_provider_instance` in
`default_validation_context` first
2. Fall back to deprecated field 4
(`validation_context_certificate_provider_instance`)

This matches the behavior of
[grpc-cpp](https://github.com/grpc/grpc/blob/master/src/core/xds/grpc/xds_common_types_parser.cc#L435-L474)
and
[grpc-go](https://github.com/grpc/grpc-go/blob/master/internal/xds/xdsclient/xdsresource/unmarshal_cds.go#L310-L344)
implementations.

## Testing

* Added new tests for both deprecated field paths (field 11 and field 4)
* All existing tests pass
* Manual local testing with Istio in proxyless mode verified the
compatibility fix works

---------

Co-authored-by: Amp <amp@ampcode.com>

34983 of 39522 relevant lines covered (88.52%)

0.89 hits per line

Uncovered Existing Lines

Lines Coverage File
1
90.77
 -0.26% ../core/src/main/java/io/grpc/internal/ClientCallImpl.java
1
96.55
 -0.57% ../core/src/main/java/io/grpc/internal/DelayedClientTransport.java
1
74.23
 -1.03% ../servlet/src/main/java/io/grpc/servlet/AsyncServletOutputStreamWriter.java
2
92.89
 -0.28% ../okhttp/src/main/java/io/grpc/okhttp/OkHttpClientTransport.java
3
95.05
 -0.44% ../core/src/main/java/io/grpc/internal/RetriableStream.java
5
69.83
 -4.31% ../servlet/src/main/java/io/grpc/servlet/ServletServerStream.java
6
79.03
 -3.23% ../servlet/src/main/java/io/grpc/servlet/ServletAdapter.java
7
91.25
 0.25% ../xds/src/main/java/io/grpc/xds/XdsClusterResource.java
Jobs
ID Job ID Ran Files Coverage
1 #20077.1 621
88.52
Source Files on build #20077