mirror of https://github.com/grpc/grpc-java.git
## Problem

When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC fails with:

```
LDS response Listener validation error: tls_certificate_provider_instance is required in downstream-tls-context
```

**Root Cause:** Istio sends deprecated certificate provider fields for backward compatibility with older Envoy versions. Java gRPC currently only reads the current fields, causing validation failures.

Specifically, Istio uses these deprecated fields:

1. **Field 11**: `tls_certificate_certificate_provider_instance` (deprecated) instead of field 14 (`tls_certificate_provider_instance`)
2. **Field 4**: `validation_context_certificate_provider_instance` in `CombinedValidationContext` (deprecated) instead of `ca_certificate_provider_instance` in `default_validation_context`

## Fix

Istio is adding support for the new fields in https://github.com/istio/istio/pull/58257. Add fallback logic to support deprecated certificate provider fields before that is rolled out:

**For identity certificates:**

1. Try current field 14 (`tls_certificate_provider_instance`) first
2. Fall back to deprecated field 11 (`tls_certificate_certificate_provider_instance`)

**For validation context in CombinedValidationContext:**

1. Try `ca_certificate_provider_instance` in `default_validation_context` first
2. Fall back to deprecated field 4 (`validation_context_certificate_provider_instance`)

This matches the behavior of [grpc-cpp](https://github.com/grpc/grpc/blob/master/src/core/xds/grpc/xds_common_types_parser.cc#L435-L474) and [grpc-go](https://github.com/grpc/grpc-go/blob/master/internal/xds/xdsclient/xdsresource/unmarshal_cds.go#L310-L344) implementations.

## Testing

* Added new tests for both deprecated field paths (field 11 and field 4)
* All existing tests pass
* Manual local testing with Istio in proxyless mode verified the compatibility fix works

---------

Co-authored-by: Amp <amp@ampcode.com>
||
|---|---|---|
| .. | ||
| src | ||
| third_party | ||
| BUILD.bazel | ||
| build.gradle | ||
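
The identity-certificate fallback order from the commit message above, shown at the protobuf wire level as an added example (not grpc-java code and not part of the commit). It assumes sub-fields 1 (`instance_name`) and 2 (`certificate_name`) inside both provider messages, which come from the Envoy proto definitions rather than this page; the sample bytes are constructed.

```python
# Added example: minimal protobuf wire reader that applies the commit's
# fallback order (field 14 first, then deprecated field 11) to a serialized
# CommonTlsContext. Useful for checking which field a control plane sends.
CURRENT, DEPRECATED = 14, 11  # field numbers quoted in the commit message

def read_varint(buf, pos):
    value = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if byte < 0x80:
            return value, pos
        shift += 7

def parse_fields(buf):
    """Return {field_number: payload} for length-delimited fields (last wins)."""
    out, pos = {}, 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 2:
            size, pos = read_varint(buf, pos)
            if pos + size > len(buf):
                raise ValueError("truncated field")
            out[number] = buf[pos:pos + size]
            pos += size
        elif wire_type == 0:
            _, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):
            pos += 8 if wire_type == 1 else 4
        else:
            raise ValueError("unsupported wire type")
    return out

def identity_provider(common_tls_context):
    """Return (source, instance_name, certificate_name), or None if neither is set."""
    top = parse_fields(common_tls_context)
    for number, source in ((CURRENT, "current"), (DEPRECATED, "deprecated")):
        if number in top:
            inner = parse_fields(top[number])  # assumed: 1=instance_name, 2=certificate_name
            return source, inner.get(1, b"").decode(), inner.get(2, b"").decode()
    return None  # the case that produces the validation error quoted above

def ld(number, payload):
    """Encode one short length-delimited field (for constructed samples only)."""
    return bytes([number << 3 | 2, len(payload)]) + payload

# Constructed samples: a context that sets only field 11, and one that sets both.
LEGACY = ld(DEPRECATED, ld(1, b"default") + ld(2, b"default"))
BOTH = LEGACY + ld(CURRENT, ld(1, b"new") + ld(2, b"id"))
```
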