Conversation

@ejona86 ejona86 commented Nov 12, 2025

## Problem

When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC fails with:

```
LDS response Listener validation error:
tls_certificate_provider_instance is required in downstream-tls-context
```

**Root Cause:**

Istio sends deprecated certificate provider fields for backward compatibility with older Envoy versions. Java gRPC currently only reads the current fields, causing validation failures.

Specifically, Istio uses these deprecated fields:

  1. Field 11: tls_certificate_certificate_provider_instance (deprecated) instead of field 14 (tls_certificate_provider_instance)
  2. Field 4: validation_context_certificate_provider_instance in CombinedValidationContext (deprecated) instead of ca_certificate_provider_instance in default_validation_context

## Fix

Add fallback logic to support deprecated certificate provider fields:

**For identity certificates:**

  1. Try current field 14 (tls_certificate_provider_instance) first
  2. Fall back to deprecated field 11 (tls_certificate_certificate_provider_instance)

**For validation context in CombinedValidationContext:**

  1. Try ca_certificate_provider_instance in default_validation_context first
  2. Fall back to deprecated field 4 (validation_context_certificate_provider_instance)

This matches the behavior of grpc-cpp and grpc-go implementations.

## Testing

* Added new tests for both deprecated field paths (field 11 and field 4)
* All existing tests pass
* Manual local testing with Istio in proxyless mode verified the compatibility fix works

Backport of #12435

CC @laz-canva

## Problem

When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC
fails with:

```
LDS response Listener validation error: 
tls_certificate_provider_instance is required in downstream-tls-context
```

**Root Cause:**

Istio sends deprecated certificate provider fields for backward
compatibility with older Envoy versions. Java gRPC currently only reads
the current fields, causing validation failures.

Specifically, Istio uses these deprecated fields:
1. **Field 11**: `tls_certificate_certificate_provider_instance`
(deprecated) instead of field 14 (`tls_certificate_provider_instance`)
2. **Field 4**: `validation_context_certificate_provider_instance` in
`CombinedValidationContext` (deprecated) instead of
`ca_certificate_provider_instance` in `default_validation_context`

## Fix

Istio is adding support for the new fields in
istio/istio#58257. Add fallback logic to support
deprecated certificate provider fields before that is rolled out:

**For identity certificates:**
1. Try current field 14 (`tls_certificate_provider_instance`) first
2. Fall back to deprecated field 11
(`tls_certificate_certificate_provider_instance`)

**For validation context in CombinedValidationContext:**
1. Try `ca_certificate_provider_instance` in
`default_validation_context` first
2. Fall back to deprecated field 4
(`validation_context_certificate_provider_instance`)

This matches the behavior of
[grpc-cpp](https://github.com/grpc/grpc/blob/master/src/core/xds/grpc/xds_common_types_parser.cc#L435-L474)
and
[grpc-go](https://github.com/grpc/grpc-go/blob/master/internal/xds/xdsclient/xdsresource/unmarshal_cds.go#L310-L344)
implementations.

## Testing

* Added new tests for both deprecated field paths (field 11 and field 4)
* All existing tests pass
* Manual local testing with Istio in proxyless mode verified the
compatibility fix works

---------

Co-authored-by: Amp <amp@ampcode.com>
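The fallback order described above, written out as an added example; this is not grpc-java's own parser code, and it assumes only the Envoy protobuf classes that ship with grpc-xds (`io.envoyproxy.envoy.extensions.transport_sockets.tls.v3`). The `fromDeprecated` helper, the `ValidationException` class, the method names and the "default"/"ROOTCA" instance names in the sample are mine. The conversion step exists because the deprecated field 11 and field 4 carry the older `CommonTlsContext.CertificateProviderInstance` message, while the current fields carry `CertificateProviderPluginInstance`:

```java
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext;

/** Example (not grpc-java code): resolve provider instances with the deprecated-field fallbacks. */
public final class ProviderInstanceFallback {

  /** Raised when neither the current nor the deprecated field supplies a required provider instance. */
  public static final class ValidationException extends Exception {
    ValidationException(String msg) { super(msg); }
  }

  /** Map the older CertificateProviderInstance message (fields 11 and 4) onto the current plugin-instance type. */
  static CertificateProviderPluginInstance fromDeprecated(CertificateProviderInstance legacy) {
    return CertificateProviderPluginInstance.newBuilder()
        .setInstanceName(legacy.getInstanceName())
        .setCertificateName(legacy.getCertificateName())
        .build();
  }

  /** Identity certificate: current field 14 first, then deprecated field 11; null if neither is set. */
  static CertificateProviderPluginInstance identityProvider(CommonTlsContext ctx) {
    if (ctx.hasTlsCertificateProviderInstance()) {
      return ctx.getTlsCertificateProviderInstance();
    }
    if (ctx.hasTlsCertificateCertificateProviderInstance()) {
      return fromDeprecated(ctx.getTlsCertificateCertificateProviderInstance());
    }
    return null;
  }

  /** Root CA in a CombinedValidationContext: default_validation_context first, then deprecated field 4. */
  static CertificateProviderPluginInstance rootCaProvider(CommonTlsContext ctx) {
    if (!ctx.hasCombinedValidationContext()) {
      return null;
    }
    CombinedCertificateValidationContext combined = ctx.getCombinedValidationContext();
    if (combined.getDefaultValidationContext().hasCaCertificateProviderInstance()) {
      return combined.getDefaultValidationContext().getCaCertificateProviderInstance();
    }
    if (combined.hasValidationContextCertificateProviderInstance()) {
      return fromDeprecated(combined.getValidationContextCertificateProviderInstance());
    }
    return null;
  }

  /** Server-side rule behind the error message in the PR: a listener's TLS context must name an identity provider. */
  static CertificateProviderPluginInstance requireDownstreamIdentity(DownstreamTlsContext downstream)
      throws ValidationException {
    CertificateProviderPluginInstance id = identityProvider(downstream.getCommonTlsContext());
    if (id == null) {
      throw new ValidationException(
          "tls_certificate_provider_instance is required in downstream-tls-context");
    }
    return id;
  }

  public static void main(String[] args) throws ValidationException {
    // Constructed sample: the shape described in the PR, populating only deprecated fields 11 and 4.
    CommonTlsContext istioStyle = CommonTlsContext.newBuilder()
        .setTlsCertificateCertificateProviderInstance(
            CertificateProviderInstance.newBuilder()
                .setInstanceName("default").setCertificateName("default").build())
        .setCombinedValidationContext(
            CombinedCertificateValidationContext.newBuilder()
                .setDefaultValidationContext(CertificateValidationContext.getDefaultInstance())
                .setValidationContextCertificateProviderInstance(
                    CertificateProviderInstance.newBuilder()
                        .setInstanceName("default").setCertificateName("ROOTCA").build())
                .build())
        .build();
    DownstreamTlsContext listenerTls =
        DownstreamTlsContext.newBuilder().setCommonTlsContext(istioStyle).build();

    // Without the fallbacks both lookups would be empty and the listener would be rejected.
    System.out.println("identity provider: " + requireDownstreamIdentity(listenerTls).getInstanceName());
    System.out.println("root CA cert name: " + rootCaProvider(istioStyle).getCertificateName());
  }
}
```

The current field is always consulted first, so a control plane that already sends field 14 or `ca_certificate_provider_instance` is unaffected; only contexts that carry nothing but the deprecated fields change behaviour, from a rejected LDS response to a resolved provider instance.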
@ejona86 ejona86 merged commit 53cd1a2 into grpc:v1.77.x Nov 13, 2025
15 of 17 checks passed
@ejona86 ejona86 deleted the backport-istio-tls-backwards-compat-1.77 branch November 13, 2025 14:43