xds: Support deprecated xDS TLS fields for Istio compat #12435
… field Add backward compatibility for deprecated certificate provider field 11 (tls_certificate_certificate_provider_instance) by falling back to it when field 14 (tls_certificate_provider_instance) is not present. This matches the behavior of grpc-go and grpc-cpp, enabling compatibility with Istio which sends the deprecated field for backward compatibility with older Envoy versions. Amp-Thread-ID: https://ampcode.com/threads/T-a71beee4-6f09-48fb-a8f8-9f2e09c1623f Co-authored-by: Amp <[email protected]>
0aa24a0 to f142fa1
...src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java
Add @SuppressWarnings("deprecation") to test helper that intentionally uses deprecated field to verify backward compatibility.
Add fallback to deprecated validation_context_certificate_provider_instance (field 4) in CombinedValidationContext for Istio compatibility.
Why isn't the fix here "send both the old and new fields in Istio"? Just because older Envoys need it doesn't mean you can't include the newer field. I think these fields were removed in 65d0bb8. Basically, these should never have been used in production in gRPC. The only reason to add them back is to give time for Istio to update their fields. Is that happening?
@laz-canva, can you reach out on the Istio repo to send both the new and old fields?
Sure, I'll work on this on the Istio side of things.
On Thu, Nov 6, 2025, 19:26 Kannan J wrote:
> @laz-canva, can you reach out on the Istio repo to send both the new and old fields?
Istio PR to send both: istio/istio#58257
## Problem

When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC fails with:

```
LDS response Listener validation error: tls_certificate_provider_instance is required in downstream-tls-context
```

**Root Cause:** Istio sends deprecated certificate provider fields for backward compatibility with older Envoy versions. Java gRPC currently only reads the current fields, causing validation failures.

Specifically, Istio uses these deprecated fields:

1. **Field 11**: `tls_certificate_certificate_provider_instance` (deprecated) instead of field 14 (`tls_certificate_provider_instance`)
2. **Field 4**: `validation_context_certificate_provider_instance` in `CombinedValidationContext` (deprecated) instead of `ca_certificate_provider_instance` in `default_validation_context`

## Fix

Istio is adding support for the new fields in istio/istio#58257. Add fallback logic to support deprecated certificate provider fields before that is rolled out:

**For identity certificates:**

1. Try current field 14 (`tls_certificate_provider_instance`) first
2. Fall back to deprecated field 11 (`tls_certificate_certificate_provider_instance`)

**For validation context in CombinedValidationContext:**

1. Try `ca_certificate_provider_instance` in `default_validation_context` first
2. Fall back to deprecated field 4 (`validation_context_certificate_provider_instance`)

This matches the behavior of the [grpc-cpp](https://github.com/grpc/grpc/blob/master/src/core/xds/grpc/xds_common_types_parser.cc#L435-L474) and [grpc-go](https://github.com/grpc/grpc-go/blob/master/internal/xds/xdsclient/xdsresource/unmarshal_cds.go#L310-L344) implementations.

## Testing

* Added new tests for both deprecated field paths (field 11 and field 4)
* All existing tests pass
* Manual local testing with Istio in proxyless mode verified the compatibility fix works

---------

Co-authored-by: Amp <[email protected]>
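As an added example (not code from the PR or from grpc-java), the fallback order in the description applied to an Envoy `CommonTlsContext`, run against a constructed message that sets only the deprecated fields, as the description says Istio does. Class and accessor names assume the standard protobuf-java bindings of the Envoy v3 TLS protos used by grpc-java's xds module; the `"default"` instance and certificate names in the sample are constructed.

```java
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateProviderPluginInstance;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext.CombinedCertificateValidationContext;
public final class DeprecatedProviderFallback {
  /** Identity cert provider: field 14 first, then deprecated field 11; null if neither is set. */
  @SuppressWarnings("deprecation")
  static CertificateProviderPluginInstance identityProvider(CommonTlsContext ctx) {
    if (ctx.hasTlsCertificateProviderInstance()) {
      return ctx.getTlsCertificateProviderInstance();
    }
    if (ctx.hasTlsCertificateCertificateProviderInstance()) {
      return convert(ctx.getTlsCertificateCertificateProviderInstance());
    }
    return null;
  }
  /** Root cert provider: default_validation_context.ca_certificate_provider_instance first, then deprecated field 4. */
  @SuppressWarnings("deprecation")
  static CertificateProviderPluginInstance rootProvider(CommonTlsContext ctx) {
    if (!ctx.hasCombinedValidationContext()) {
      return null;  // other validation-context variants are out of scope for this example
    }
    CombinedCertificateValidationContext combined = ctx.getCombinedValidationContext();
    if (combined.getDefaultValidationContext().hasCaCertificateProviderInstance()) {
      return combined.getDefaultValidationContext().getCaCertificateProviderInstance();
    }
    if (combined.hasValidationContextCertificateProviderInstance()) {
      return convert(combined.getValidationContextCertificateProviderInstance());
    }
    return null;
  }
  // The deprecated nested type carries the same two strings as the current top-level type.
  private static CertificateProviderPluginInstance convert(CertificateProviderInstance old) {
    return CertificateProviderPluginInstance.newBuilder()
        .setInstanceName(old.getInstanceName()).setCertificateName(old.getCertificateName()).build();
  }
  @SuppressWarnings("deprecation")
  public static void main(String[] args) {
    // Constructed input in the shape the PR attributes to Istio: only the deprecated fields are set.
    CertificateProviderInstance old = CertificateProviderInstance.newBuilder()
        .setInstanceName("default").setCertificateName("default").build();
    CommonTlsContext istioStyle = CommonTlsContext.newBuilder()
        .setTlsCertificateCertificateProviderInstance(old)
        .setCombinedValidationContext(CombinedCertificateValidationContext.newBuilder()
            .setValidationContextCertificateProviderInstance(old))
        .build();
    System.out.println(identityProvider(istioStyle).getInstanceName()
        + " " + rootProvider(istioStyle).getInstanceName());
  }
}
```

Without the two fallback branches both helpers return null for this input, which is the condition behind the "tls_certificate_provider_instance is required" validation error quoted above.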