xds: Support deprecated tls_certificate_certificate_provider_instance field

Add backward compatibility for deprecated certificate provider field 11
(tls_certificate_certificate_provider_instance) by falling back to it
when field 14 (tls_certificate_provider_instance) is not present.

This matches the behavior of grpc-go and grpc-cpp, enabling
compatibility with Istio which sends the deprecated field for backward
compatibility with older Envoy versions.

Amp-Thread-ID: https://ampcode.com/threads/T-a71beee4-6f09-48fb-a8f8-9f2e09c1623f
Co-authored-by: Amp <amp@ampcode.com>

Author: laz-canva

xds/src/main/java/io/grpc/xds/XdsClusterResource.java

@@ -541,7 +541,12 @@ private static String getIdentityCertInstanceName(CommonTlsContext commonTlsCont
     if (commonTlsContext.hasTlsCertificateProviderInstance()) {
       return commonTlsContext.getTlsCertificateProviderInstance().getInstanceName();
     }
-    return null;
+    // Fall back to deprecated field (field 11) for backward compatibility with Istio
+    @SuppressWarnings("deprecation")
+    String instanceName = commonTlsContext.hasTlsCertificateCertificateProviderInstance()
+        ? commonTlsContext.getTlsCertificateCertificateProviderInstance().getInstanceName()
+        : null;
+    return instanceName;
   }
 
   private static String getRootCertInstanceName(CommonTlsContext commonTlsContext) {

xds/src/main/java/io/grpc/xds/internal/security/CommonTlsContextUtil.java

@@ -28,7 +28,10 @@ public static boolean hasCertProviderInstance(CommonTlsContext commonTlsContext)
     if (commonTlsContext == null) {
       return false;
     }
+    @SuppressWarnings("deprecation")
+    boolean hasDeprecatedField = commonTlsContext.hasTlsCertificateCertificateProviderInstance();
     return commonTlsContext.hasTlsCertificateProviderInstance()
+        || hasDeprecatedField
         || hasValidationProviderInstance(commonTlsContext);
   }
 
@@ -53,6 +56,18 @@ public static CommonTlsContext.CertificateProviderInstance convert(
         .setCertificateName(pluginInstance.getCertificateName()).build();
   }
 
+  /**
+   * Converts deprecated {@link CommonTlsContext.CertificateProviderInstance} (field 11) to
+   * internal {@link CommonTlsContext.CertificateProviderInstance}.
+   * This supports a deprecated field for backward compatibility (primarily for Istio)
+   */
+  public static CommonTlsContext.CertificateProviderInstance convertDeprecated(
+      CommonTlsContext.CertificateProviderInstance deprecatedInstance) {
+    return CommonTlsContext.CertificateProviderInstance.newBuilder()
+        .setInstanceName(deprecatedInstance.getInstanceName())
+        .setCertificateName(deprecatedInstance.getCertificateName()).build();
+  }
+
   public static boolean isUsingSystemRootCerts(CommonTlsContext commonTlsContext) {
     if (commonTlsContext.hasCombinedValidationContext()) {
       return commonTlsContext.getCombinedValidationContext().getDefaultValidationContext()

xds/src/main/java/io/grpc/xds/internal/security/certprovider/CertProviderSslContextProvider.java

@@ -113,7 +113,14 @@ protected static CertificateProviderInstance getCertProviderInstance(
     if (commonTlsContext.hasTlsCertificateProviderInstance()) {
       return CommonTlsContextUtil.convert(commonTlsContext.getTlsCertificateProviderInstance());
     }
-    return null;
+    // Fall back to deprecated field for backward compatibility with Istio
+    @SuppressWarnings("deprecation")
+    CertificateProviderInstance deprecatedInstance =
+        commonTlsContext.hasTlsCertificateCertificateProviderInstance()
+            ? CommonTlsContextUtil.convertDeprecated(
+                commonTlsContext.getTlsCertificateCertificateProviderInstance())
+            : null;
+    return deprecatedInstance;
   }
 
   @Nullable

xds/src/test/java/io/grpc/xds/internal/security/CommonTlsContextTestsUtil.java

@@ -232,6 +232,32 @@ private static CommonTlsContext buildCommonTlsContextForCertProviderInstance(
     return builder.build();
   }
 
+  /** Helper method to build CommonTlsContext using deprecated certificate provider field. */
+  public static CommonTlsContext buildCommonTlsContextWithDeprecatedCertProviderInstance(
+      String certInstanceName,
+      String certName,
+      String rootInstanceName,
+      String rootCertName,
+      Iterable<String> alpnProtocols,
+      CertificateValidationContext staticCertValidationContext) {
+    CommonTlsContext.Builder builder = CommonTlsContext.newBuilder();
+    if (certInstanceName != null) {
+      // Use deprecated field (field 11) instead of current field (field 14)
+      builder =
+              builder.setTlsCertificateCertificateProviderInstance(
+                      CommonTlsContext.CertificateProviderInstance.newBuilder()
+                              .setInstanceName(certInstanceName)
+                              .setCertificateName(certName));
+    }
+    builder =
+        addCertificateValidationContext(
+            builder, rootInstanceName, rootCertName, staticCertValidationContext);
+    if (alpnProtocols != null) {
+      builder.addAllAlpnProtocols(alpnProtocols);
+    }
+    return builder.build();
+  }
+
   private static CommonTlsContext buildNewCommonTlsContextForCertProviderInstance(
           String certInstanceName,
           String certName,

xds/src/test/java/io/grpc/xds/internal/security/certprovider/CertProviderClientSslContextProviderTest.java

@@ -470,6 +470,58 @@ public void testProviderForClient_rootInstanceNull_but_isUsingSystemRootCerts_va
             .build(), false);
   }
 
+  @Test
+  public void testProviderForClient_deprecatedCertProviderField() throws Exception {
+    final CertificateProvider.DistributorWatcher[] watcherCaptor =
+        new CertificateProvider.DistributorWatcher[1];
+    TestCertificateProvider.createAndRegisterProviderProvider(
+        certificateProviderRegistry, watcherCaptor, "testca", 0);
+    
+    // Build UpstreamTlsContext using deprecated field
+    EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext =
+        new EnvoyServerProtoData.UpstreamTlsContext(
+            CommonTlsContextTestsUtil.buildCommonTlsContextWithDeprecatedCertProviderInstance(
+                "gcp_id",
+                "cert-default",
+                "gcp_id",
+                "root-default",
+                /* alpnProtocols= */ null,
+                /* staticCertValidationContext= */ null));
+    
+    Bootstrapper.BootstrapInfo bootstrapInfo = CommonBootstrapperTestUtils.getTestBootstrapInfo();
+    CertProviderClientSslContextProvider provider =
+        (CertProviderClientSslContextProvider)
+            certProviderClientSslContextProviderFactory.getProvider(
+                upstreamTlsContext,
+                bootstrapInfo.node().toEnvoyProtoNode(),
+                bootstrapInfo.certProviders());
+
+    assertThat(provider.savedKey).isNull();
+    assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.savedTrustedRoots).isNull();
+    assertThat(provider.getSslContextAndTrustManager()).isNull();
+
+    // Generate cert update
+    watcherCaptor[0].updateCertificate(
+        CommonCertProviderTestUtils.getPrivateKey(CLIENT_KEY_FILE),
+        ImmutableList.of(getCertFromResourceName(CLIENT_PEM_FILE)));
+    assertThat(provider.savedKey).isNotNull();
+    assertThat(provider.savedCertChain).isNotNull();
+    assertThat(provider.getSslContextAndTrustManager()).isNull();
+
+    // Generate root cert update
+    watcherCaptor[0].updateTrustedRoots(ImmutableList.of(getCertFromResourceName(CA_PEM_FILE)));
+    assertThat(provider.getSslContextAndTrustManager()).isNotNull();
+    assertThat(provider.savedKey).isNull();
+    assertThat(provider.savedCertChain).isNull();
+    assertThat(provider.savedTrustedRoots).isNull();
+
+    TestCallback testCallback =
+        CommonTlsContextTestsUtil.getValueThruCallback(provider);
+
+    doChecksOnSslContext(false, testCallback.updatedSslContext, /* expectedApnProtos= */ null);
+  }
+
   static class QueuedExecutor implements Executor {
     /** A list of Runnables to be run in order. */
     @VisibleForTesting final Queue<Runnable> runQueue = new ConcurrentLinkedQueue<>();