xds: Support deprecated xDS TLS fields for Istio compat #12435
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… field Add backward compatibility for deprecated certificate provider field 11 (tls_certificate_certificate_provider_instance) by falling back to it when field 14 (tls_certificate_provider_instance) is not present. This matches the behavior of grpc-go and grpc-cpp, enabling compatibility with Istio which sends the deprecated field for backward compatibility with older Envoy versions. Amp-Thread-ID: https://ampcode.com/threads/T-a71beee4-6f09-48fb-a8f8-9f2e09c1623f Co-authored-by: Amp <amp@ampcode.com>
laz-canva
force-pushed
the
istio-tls-backwards-compat
branch
from
0aa24a0 to
f142fa1
Compare
...src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java
Outdated
Show resolved
Hide resolved
Add @SuppressWarnings("deprecation") to test helper that intentionally uses deprecated field to verify backward compatibility.
Add fallback to deprecated validation_context_certificate_provider_instance (field 4) in CombinedValidationContext for Istio compatibility.
laz-canva
changed the title
kannanjgithub
approved these changes
Oct 29, 2025
kannanjgithub
added
the
kokoro:run
grpc-kokoro
removed
the
kokoro:run
Why isn't the fix here "send both the old and new fields in Istio"? Just because older Envoys need it doesn't mean you can't include the newer field. I think these fields were removed in 65d0bb8 . Basically, these should never have been used in production in gRPC. The only reason to add them back is to give time for Istio to update their fields. Is that happening? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC fails with:
Root Cause:
Istio sends deprecated certificate provider fields for backward compatibility with older Envoy versions. Java gRPC currently only reads the current fields, causing validation failures.
Specifically, Istio uses these deprecated fields:
tls_certificate_certificate_provider_instance(deprecated) instead of field 14 (tls_certificate_provider_instance)validation_context_certificate_provider_instanceinCombinedValidationContext(deprecated) instead ofca_certificate_provider_instanceindefault_validation_contextFix
Add fallback logic to support deprecated certificate provider fields:
For identity certificates:
tls_certificate_provider_instance) firsttls_certificate_certificate_provider_instance)For validation context in CombinedValidationContext:
ca_certificate_provider_instanceindefault_validation_contextfirstvalidation_context_certificate_provider_instance)This matches the behavior of grpc-cpp and grpc-go implementations.
Testing