xds: Support deprecated field in CombinedValidationContext

Add fallback to deprecated validation_context_certificate_provider_instance
(field 4) in CombinedValidationContext for Istio compatibility.

Author: laz-canva

xds/src/main/java/io/grpc/xds/XdsClusterResource.java

@@ -564,6 +564,16 @@ private static String getRootCertInstanceName(CommonTlsContext commonTlsContext)
         return combinedCertificateValidationContext.getDefaultValidationContext()
             .getCaCertificateProviderInstance().getInstanceName();
       }
+      // Fall back to deprecated field (field 4) in CombinedValidationContext
+      @SuppressWarnings("deprecation")
+      String instanceName = combinedCertificateValidationContext
+          .hasValidationContextCertificateProviderInstance()
+          ? combinedCertificateValidationContext.getValidationContextCertificateProviderInstance()
+              .getInstanceName()
+          : null;
+      if (instanceName != null) {
+        return instanceName;
+      }
     }
     return null;
   }

xds/src/main/java/io/grpc/xds/internal/security/CommonTlsContextUtil.java

@@ -40,9 +40,19 @@ private static boolean hasValidationProviderInstance(CommonTlsContext commonTlsC
         .hasCaCertificateProviderInstance()) {
       return true;
     }
-    return commonTlsContext.hasCombinedValidationContext()
-        && commonTlsContext.getCombinedValidationContext().getDefaultValidationContext()
-          .hasCaCertificateProviderInstance();
+    if (commonTlsContext.hasCombinedValidationContext()) {
+      CommonTlsContext.CombinedCertificateValidationContext combined =
+          commonTlsContext.getCombinedValidationContext();
+      if (combined.hasDefaultValidationContext()
+          && combined.getDefaultValidationContext().hasCaCertificateProviderInstance()) {
+        return true;
+      }
+      // Check deprecated field (field 4) in CombinedValidationContext
+      @SuppressWarnings("deprecation")
+      boolean hasDeprecatedField = combined.hasValidationContextCertificateProviderInstance();
+      return hasDeprecatedField;
+    }
+    return false;
   }
 
   /**

xds/src/test/java/io/grpc/xds/GrpcXdsClientImplDataTest.java

@@ -3234,6 +3234,24 @@ public void validateCommonTlsContext_combinedValidationContextSystemRootCerts()
         .validateCommonTlsContext(commonTlsContext, ImmutableSet.of(), false);
   }
 
+  @Test
+  @SuppressWarnings("deprecation")
+  public void validateCommonTlsContext_combinedValidationContextDeprecatedCertProvider()
+      throws ResourceInvalidException {
+    CommonTlsContext commonTlsContext = CommonTlsContext.newBuilder()
+        .setTlsCertificateProviderInstance(
+            CertificateProviderPluginInstance.newBuilder().setInstanceName("cert1"))
+        .setCombinedValidationContext(
+            CommonTlsContext.CombinedCertificateValidationContext.newBuilder()
+                .setValidationContextCertificateProviderInstance(
+                    CommonTlsContext.CertificateProviderInstance.newBuilder()
+                        .setInstanceName("root1"))
+                .build())
+        .build();
+    XdsClusterResource
+        .validateCommonTlsContext(commonTlsContext, ImmutableSet.of("cert1", "root1"), true);
+  }
+
   @Test
   public void validateCommonTlsContext_validationContextSystemRootCerts_envVarNotSet_throws() {
     XdsClusterResource.enableSystemRootCerts = false;