istiod: Send both current and deprecated xDS TLS certificate provider fields#58257
Merged
istio-testing merged 4 commits intoistio:masterfrom Nov 12, 2025
Merged
Conversation
Collaborator
|
Hi @laz-canva. Thanks for your PR. I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Fixes istiod's gRPC generator to send both current and deprecated xDS TLS certificate provider fields for backward compatibility with all gRPC client versions. When serving proxyless gRPC clients (GENERATOR=grpc), istiod now sends: Identity certificates: - Field 14: tls_certificate_provider_instance (current) - Field 11: tls_certificate_certificate_provider_instance (deprecated) CA certificates: - Field 13: ca_certificate_provider_instance (current) - Field 4: validation_context_certificate_provider_instance (deprecated) This fixes validation failures in modern gRPC clients (grpc-go >= 1.66, grpc-cpp >= 1.66, grpc-java recent versions) that only recognize current fields, while maintaining compatibility with older clients that only recognize deprecated fields. Signed-off-by: adam lazur <laz@canva.com>
a5c1695 to
8154210
Compare
ramaraochavali
approved these changes
Nov 11, 2025
Stevenjin8
reviewed
Nov 11, 2025
Stevenjin8
reviewed
Nov 11, 2025
Stevenjin8
reviewed
Nov 11, 2025
| TlsCertificateProviderInstance: currentCertProviderInstance, | ||
|
|
||
| // DEPRECATED field (field 11) - kept for backward compatibility with older gRPC clients | ||
| // TODO: Remove this field after 2 releases (when all users have upgraded gRPC clients) |
Contributor
There was a problem hiding this comment.
I generally agree with this. I know for proxy versions, we allow the proxy to be one version behind the control plane. I wonder what our support posture is for proxyless grpc given that 1.66 is definity out of support
Contributor
Author
There was a problem hiding this comment.
My plan was simply to mimic that model, but gRPC releases and Istio releases are independent so it's maybe less clear cut?
As it is it'll be:
- both compatible (this PR)
- warning that next release will drop backwards compat (warning in release notes only?)
- drop backwards compat + upgrade note
I could argue for dropping step 2 as it's not adding a ton of value in this case, and the number of people affected (proxyless gRPC + Istio users) seems to be pretty small?
I'm happy to do whatever Istio devs prefer.
Contributor
|
/ok-to-test |
28d82c8 to
6f53274
Compare
The tls_test.go file intentionally tests deprecated xDS fields for backward compatibility verification. Add nolint:staticcheck directives to suppress SA1019 warnings about accessing these deprecated fields. Signed-off-by: adam lazur <laz@canva.com>
e8ab2f3 to
1261975
Compare
The tls_test.go file intentionally tests deprecated xDS fields for backward compatibility verification. Add nolint:staticcheck directives to suppress SA1019 warnings about accessing these deprecated fields. Signed-off-by: adam lazur <laz@canva.com>
1261975 to
fa1a769
Compare
ejona86
pushed a commit
to grpc/grpc-java
that referenced
this pull request
Nov 12, 2025
## Problem When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC fails with: ``` LDS response Listener validation error: tls_certificate_provider_instance is required in downstream-tls-context ``` **Root Cause:** Istio sends deprecated certificate provider fields for backward compatibility with older Envoy versions. Java gRPC currently only reads the current fields, causing validation failures. Specifically, Istio uses these deprecated fields: 1. **Field 11**: `tls_certificate_certificate_provider_instance` (deprecated) instead of field 14 (`tls_certificate_provider_instance`) 2. **Field 4**: `validation_context_certificate_provider_instance` in `CombinedValidationContext` (deprecated) instead of `ca_certificate_provider_instance` in `default_validation_context` ## Fix Istio is adding support for the new fields in istio/istio#58257. Add fallback logic to support deprecated certificate provider fields before that is rolled out: **For identity certificates:** 1. Try current field 14 (`tls_certificate_provider_instance`) first 2. Fall back to deprecated field 11 (`tls_certificate_certificate_provider_instance`) **For validation context in CombinedValidationContext:** 1. Try `ca_certificate_provider_instance` in `default_validation_context` first 2. Fall back to deprecated field 4 (`validation_context_certificate_provider_instance`) This matches the behavior of [grpc-cpp](https://github.com/grpc/grpc/blob/master/src/core/xds/grpc/xds_common_types_parser.cc#L435-L474) and [grpc-go](https://github.com/grpc/grpc-go/blob/master/internal/xds/xdsclient/xdsresource/unmarshal_cds.go#L310-L344) implementations. ## Testing * Added new tests for both deprecated field paths (field 11 and field 4) * All existing tests pass * Manual local testing with Istio in proxyless mode verified the compatibility fix works --------- Co-authored-by: Amp <amp@ampcode.com>
ejona86
pushed a commit
to ejona86/grpc-java
that referenced
this pull request
Nov 12, 2025
## Problem When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC fails with: ``` LDS response Listener validation error: tls_certificate_provider_instance is required in downstream-tls-context ``` **Root Cause:** Istio sends deprecated certificate provider fields for backward compatibility with older Envoy versions. Java gRPC currently only reads the current fields, causing validation failures. Specifically, Istio uses these deprecated fields: 1. **Field 11**: `tls_certificate_certificate_provider_instance` (deprecated) instead of field 14 (`tls_certificate_provider_instance`) 2. **Field 4**: `validation_context_certificate_provider_instance` in `CombinedValidationContext` (deprecated) instead of `ca_certificate_provider_instance` in `default_validation_context` ## Fix Istio is adding support for the new fields in istio/istio#58257. Add fallback logic to support deprecated certificate provider fields before that is rolled out: **For identity certificates:** 1. Try current field 14 (`tls_certificate_provider_instance`) first 2. Fall back to deprecated field 11 (`tls_certificate_certificate_provider_instance`) **For validation context in CombinedValidationContext:** 1. Try `ca_certificate_provider_instance` in `default_validation_context` first 2. Fall back to deprecated field 4 (`validation_context_certificate_provider_instance`) This matches the behavior of [grpc-cpp](https://github.com/grpc/grpc/blob/master/src/core/xds/grpc/xds_common_types_parser.cc#L435-L474) and [grpc-go](https://github.com/grpc/grpc-go/blob/master/internal/xds/xdsclient/xdsresource/unmarshal_cds.go#L310-L344) implementations. ## Testing * Added new tests for both deprecated field paths (field 11 and field 4) * All existing tests pass * Manual local testing with Istio in proxyless mode verified the compatibility fix works --------- Co-authored-by: Amp <amp@ampcode.com>
ejona86
pushed a commit
to grpc/grpc-java
that referenced
this pull request
Nov 13, 2025
## Problem When using xDS with Istio's grpc-agent in proxyless mode, Java gRPC fails with: ``` LDS response Listener validation error: tls_certificate_provider_instance is required in downstream-tls-context ``` **Root Cause:** Istio sends deprecated certificate provider fields for backward compatibility with older Envoy versions. Java gRPC currently only reads the current fields, causing validation failures. Specifically, Istio uses these deprecated fields: 1. **Field 11**: `tls_certificate_certificate_provider_instance` (deprecated) instead of field 14 (`tls_certificate_provider_instance`) 2. **Field 4**: `validation_context_certificate_provider_instance` in `CombinedValidationContext` (deprecated) instead of `ca_certificate_provider_instance` in `default_validation_context` ## Fix Istio is adding support for the new fields in istio/istio#58257. Add fallback logic to support deprecated certificate provider fields before that is rolled out: **For identity certificates:** 1. Try current field 14 (`tls_certificate_provider_instance`) first 2. Fall back to deprecated field 11 (`tls_certificate_certificate_provider_instance`) **For validation context in CombinedValidationContext:** 1. Try `ca_certificate_provider_instance` in `default_validation_context` first 2. Fall back to deprecated field 4 (`validation_context_certificate_provider_instance`) This matches the behavior of [grpc-cpp](https://github.com/grpc/grpc/blob/master/src/core/xds/grpc/xds_common_types_parser.cc#L435-L474) and [grpc-go](https://github.com/grpc/grpc-go/blob/master/internal/xds/xdsclient/xdsresource/unmarshal_cds.go#L310-L344) implementations. ## Testing * Added new tests for both deprecated field paths (field 11 and field 4) * All existing tests pass * Manual local testing with Istio in proxyless mode verified the compatibility fix works --------- Co-authored-by: Amp <amp@ampcode.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes istiod's gRPC generator to send both current and deprecated xDS TLS certificate
provider fields for backward compatibility with all gRPC client versions.
Problem:
tls_certificate_provider_instance is required in downstream-tls-context(see this pr discussion)Fix:
Send both field versions during the transition.
For identity certificates:
tls_certificate_provider_instance)tls_certificate_certificate_provider_instance)For CA certificates:
ca_certificate_provider_instanceindefault_validation_contextvalidation_context_certificate_provider_instance)Result: Compatibility with old and new gRPC clients
Testing: Unit tests in new file
pilot/pkg/networking/grpcgen/tls_test.goMigration Plan:
This is Phase 1 of a 3-phase migration following Istio's deprecation policy
(minimum 2 releases before removal). Deprecated fields will be removed in Phase 3.
To help us figure out who should review this PR, please put an X in all the areas that this PR affects.
Does this PR introduce a user-facing change?