xds: close SslContexrProviderSupplier when the CDS LoadBalancer is shut down to prevent leakage (#8240)

xds/src/main/java/io/grpc/xds/ClusterImplLoadBalancer.java

@@ -153,8 +153,11 @@ final class ClusterImplLoadBalancer extends LoadBalancer {
     }
     if (childLb != null) {
       childLb.shutdown();
+      if (childLbHelper != null) {
+        childLbHelper.updateSslContextProviderSupplier(null);
         childLbHelper = null;
       }
+    }
     if (xdsClient != null) {
       xdsClient = xdsClientPool.returnObject(xdsClient);
     }

xds/src/main/java/io/grpc/xds/internal/sds/SslContextProviderSupplier.java

@@ -19,6 +19,7 @@ package io.grpc.xds.internal.sds;
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.google.common.base.Preconditions.checkState;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
 import io.grpc.xds.EnvoyServerProtoData.BaseTlsContext;
 import io.grpc.xds.EnvoyServerProtoData.DownstreamTlsContext;
@@ -100,6 +101,10 @@ public final class SslContextProviderSupplier implements Closeable {
         : tlsContextManager.findOrCreateServerSslContextProvider((DownstreamTlsContext) tlsContext);
   }
 
+  @VisibleForTesting public boolean isShutdown() {
+    return shutdown;
+  }
+
   /** Called by consumer when tlsContext changes. */
   @Override
   public synchronized void close() {

xds/src/test/java/io/grpc/xds/ClusterImplLoadBalancerTest.java

@@ -138,7 +138,9 @@ public class ClusterImplLoadBalancerTest {
 
   @After
   public void tearDown() {
+    if (loadBalancer != null) {
       loadBalancer.shutdown();
+    }
     assertThat(xdsClientRefs).isEqualTo(0);
     assertThat(downstreamBalancers).isEmpty();
   }
@@ -553,11 +555,21 @@ public class ClusterImplLoadBalancerTest {
       SslContextProviderSupplier supplier =
           eag.getAttributes().get(InternalXdsAttributes.ATTR_SSL_CONTEXT_PROVIDER_SUPPLIER);
       if (enableSecurity) {
+        assertThat(supplier.isShutdown()).isFalse();
         assertThat(supplier.getTlsContext()).isEqualTo(upstreamTlsContext);
       } else {
         assertThat(supplier).isNull();
       }
     }
+    loadBalancer.shutdown();
+    for (EquivalentAddressGroup eag : subchannel.getAllAddresses()) {
+      SslContextProviderSupplier supplier =
+              eag.getAttributes().get(InternalXdsAttributes.ATTR_SSL_CONTEXT_PROVIDER_SUPPLIER);
+      if (enableSecurity) {
+        assertThat(supplier.isShutdown()).isTrue();
+      }
+    }
+    loadBalancer = null;
   }
 
   private void deliverAddressesAndConfig(List<EquivalentAddressGroup> addresses,