fix(xds): Allow and normalize trailing dot (FQDN) in matchHostName (#12644)

## Summary

`matchHostName` in `RoutingUtils` and `XdsNameResolver` currently rejects hostnames and patterns with a trailing dot (`.`) via `checkArgument`. A trailing dot denotes a **Fully Qualified Domain Name (FQDN)** as defined in [RFC 1034 Section 3.1](https://www.rfc-editor.org/rfc/rfc1034#section-3.1), and is a valid, well-defined representation of an absolute domain name. Rejecting it is inconsistent with the RFC.

This change removes the trailing-dot rejection and adds normalization to strip the trailing dot before matching, making `example.com.` and `example.com` match equivalently.

## Background

Per [RFC 1034 Section 3.1](https://www.rfc-editor.org/rfc/rfc1034#section-3.1):

> "If the name ends with a dot, it is an absolute name ... For example, `poneria.ISI.EDU.`"

A trailing dot simply indicates that the name is rooted at the DNS root and is semantically equivalent to the same name without the trailing dot. Treating it as invalid prevents legitimate FQDNs from being used as hostnames or virtual host domain patterns in xDS routing configuration.

## Motivation

This was discovered when using gRPC Proxyless Service Mesh on a Kubernetes cluster with Istio. The issue surfaced after upgrading Istio from 1.26.8 to 1.28.3. The Istio change [istio/istio#56008](https://github.com/istio/istio/pull/56008) began sending FQDN-style domain names (with trailing dots) in xDS route configuration, which caused grpc-java to throw an `IllegalArgumentException` in `matchHostName`:

```text
java.lang.IllegalArgumentException: Invalid pattern/domain name
    at com.google.common.base.Preconditions.checkArgument(Preconditions.java:143)
```

The root cause is that grpc-java's `matchHostName` was not RFC-compliant in rejecting trailing dots — the Istio upgrade merely made it visible. The fix here is to bring grpc-java into compliance with RFC 1034, independent of any specific Istio version.

## Changes

- `xds/src/main/java/io/grpc/xds/RoutingUtils.java`: Removed trailing-dot rejection and added FQDN normalization in `matchHostName`.
- `xds/src/main/java/io/grpc/xds/XdsNameResolver.java`: Same as above.
- `xds/src/test/java/io/grpc/xds/XdsNameResolverTest.java`: Added `matchHostName_trailingDot` test covering exact match, prefix wildcard, and suffix wildcard with trailing dot combinations.

## References

- [RFC 1034 – Domain Names: Concepts and Facilities](https://www.rfc-editor.org/rfc/rfc1034)
- [RFC 1035 – Domain Names: Implementation and Specification](https://www.rfc-editor.org/rfc/rfc1035)
- [istio/istio#56008](https://github.com/istio/istio/pull/56008) – Istio change that began sending FQDN domain names in xDS configuration
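The trailing-dot normalization described in the commit message above, as an added example that is not the grpc-java code: both the host name and the pattern pass through the same normalization before exact or wildcard matching, so the dotted and undotted forms cannot be treated as different routing identities. The class and method names are hypothetical, and the wildcard rules and the choice to strip exactly one dot are assumptions.

```java
import java.util.Locale;
// Added illustration; HostMatchSketch and its methods are hypothetical names,
// not the grpc-java implementation.
public final class HostMatchSketch {
  // Lower-case the name and strip ONE trailing dot, so the FQDN form
  // "example.com." compares equal to "example.com" (RFC 1034 section 3.1).
  static String normalize(String name) {
    String n = name.toLowerCase(Locale.US);
    if (n.endsWith(".")) {
      n = n.substring(0, n.length() - 1);
    }
    // Still reject what is not a name after normalization: "", ".",
    // a leading dot, or a second trailing dot ("example.com..").
    if (n.isEmpty() || n.startsWith(".") || n.endsWith(".")) {
      throw new IllegalArgumentException("Invalid host name or pattern: " + name);
    }
    return n;
  }

  // Assumed wildcard rules: at most one '*', only as the first or last
  // character, and it must stand for at least one character.
  static boolean matches(String hostName, String pattern) {
    String host = normalize(hostName);
    String pat = normalize(pattern);
    int star = pat.indexOf('*');
    if (star == -1) {
      return host.equals(pat);
    }
    if (pat.length() == 1) {
      return true; // "*" matches any host
    }
    boolean misplaced = pat.indexOf('*', star + 1) != -1
        || (star != 0 && star != pat.length() - 1);
    if (misplaced || host.length() < pat.length()) {
      return false;
    }
    return star == 0
        ? host.endsWith(pat.substring(1))
        : host.startsWith(pat.substring(0, pat.length() - 1));
  }

  public static void main(String[] args) {
    String[][] cases = { // constructed {host, pattern} pairs
      {"example.com.", "example.com"}, {"foo.example.com", "*.example.com."},
      {"example.com.", "example.*"}, {"example.org.", "example.com."},
    };
    for (String[] c : cases) {
      System.out.println(c[0] + " vs " + c[1] + " -> " + matches(c[0], c[1]));
    }
  }
}
```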
gRPC-Java supports Java 8 and later. Android minSdkVersion 21 (Lollipop) and later are supported with Java 8 language desugaring.
TLS usage on Android typically requires Play Services Dynamic Security Provider. Please see the Security Readme.
Older Java versions are not directly supported, but a branch remains available for fixes and releases. See gRFC P5 JDK Version Support Policy.
| Java version | gRPC Branch |
|---|---|
| 7 | 1.41.x |
For a guided tour, take a look at the quick start guide or the more explanatory gRPC basics.
The examples and the Android example are standalone projects that showcase the usage of gRPC.
Download the JARs. Or for Maven with non-Android, add to your pom.xml:
```xml
<dependency>
  <groupId>io.grpc</groupId>
  <artifactId>grpc-netty-shaded</artifactId>
  <version>1.79.0</version>
  <scope>runtime</scope>
</dependency>
<dependency>
  <groupId>io.grpc</groupId>
  <artifactId>grpc-protobuf</artifactId>
  <version>1.79.0</version>
</dependency>
<dependency>
  <groupId>io.grpc</groupId>
  <artifactId>grpc-stub</artifactId>
  <version>1.79.0</version>
</dependency>
```
Or for Gradle with non-Android, add to your dependencies:
```gradle
runtimeOnly 'io.grpc:grpc-netty-shaded:1.79.0'
implementation 'io.grpc:grpc-protobuf:1.79.0'
implementation 'io.grpc:grpc-stub:1.79.0'
```
For Android client, use grpc-okhttp instead of grpc-netty-shaded and grpc-protobuf-lite instead of grpc-protobuf:
```gradle
implementation 'io.grpc:grpc-okhttp:1.79.0'
implementation 'io.grpc:grpc-protobuf-lite:1.79.0'
implementation 'io.grpc:grpc-stub:1.79.0'
```
For Bazel, you can either use Maven (with the GAVs from above), or use @io_grpc_grpc_java//api et al (see below).
Development snapshots are available in Sonatype's snapshot repository.
For protobuf-based codegen, you can put your proto files in the src/main/proto and src/test/proto directories along with an appropriate plugin.
For protobuf-based codegen integrated with the Maven build system, you can use protobuf-maven-plugin (Eclipse and NetBeans users should also look at os-maven-plugin's IDE documentation):
```xml
<build>
  <extensions>
    <extension>
      <groupId>kr.motd.maven</groupId>
      <artifactId>os-maven-plugin</artifactId>
      <version>1.7.1</version>
    </extension>
  </extensions>
  <plugins>
    <plugin>
      <groupId>org.xolstice.maven.plugins</groupId>
      <artifactId>protobuf-maven-plugin</artifactId>
      <version>0.6.1</version>
      <configuration>
        <protocArtifact>com.google.protobuf:protoc:3.25.8:exe:${os.detected.classifier}</protocArtifact>
        <pluginId>grpc-java</pluginId>
        <pluginArtifact>io.grpc:protoc-gen-grpc-java:1.79.0:exe:${os.detected.classifier}</pluginArtifact>
      </configuration>
      <executions>
        <execution>
          <goals>
            <goal>compile</goal>
            <goal>compile-custom</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```
For non-Android protobuf-based codegen integrated with the Gradle build system, you can use protobuf-gradle-plugin:
```gradle
plugins {
    id 'com.google.protobuf' version '0.9.5'
}

protobuf {
  protoc {
    artifact = "com.google.protobuf:protoc:3.25.8"
  }
  plugins {
    grpc {
      artifact = 'io.grpc:protoc-gen-grpc-java:1.79.0'
    }
  }
  generateProtoTasks {
    all()*.plugins {
      grpc {}
    }
  }
}
```
The prebuilt protoc-gen-grpc-java binary uses glibc on Linux. If you are compiling on Alpine Linux, you may want to use the Alpine grpc-java package which uses musl instead.
For Android protobuf-based codegen integrated with the Gradle build system, also use protobuf-gradle-plugin but specify the ‘lite’ options:
```gradle
plugins {
    id 'com.google.protobuf' version '0.9.5'
}

protobuf {
  protoc {
    artifact = "com.google.protobuf:protoc:3.25.8"
  }
  plugins {
    grpc {
      artifact = 'io.grpc:protoc-gen-grpc-java:1.79.0'
    }
  }
  generateProtoTasks {
    all().each { task ->
      task.builtins {
        java { option 'lite' }
      }
      task.plugins {
        grpc { option 'lite' }
      }
    }
  }
}
```
For Bazel, use the proto_library and the java_proto_library (no load() required) and load("@io_grpc_grpc_java//:java_grpc_library.bzl", "java_grpc_library") (from this project), as in this example BUILD.bazel.
APIs annotated with @Internal are for internal use by the gRPC library and should not be used by gRPC users. APIs annotated with @ExperimentalApi are subject to change in future releases, and library code that other projects may depend on should not use these APIs.
We recommend using the grpc-java-api-checker (an Error Prone plugin) to check for usages of @ExperimentalApi and @Internal in any library code that depends on gRPC. It may also be used to check for @Internal usage or unintended @ExperimentalApi consumption in non-library code.
If you are making changes to gRPC-Java, see the compiling instructions.
At a high level there are three distinct layers to the library: Stub, Channel, and Transport.
The Stub layer is what is exposed to most developers and provides type-safe bindings to whatever datamodel/IDL/interface you are adapting. gRPC comes with a plugin to the protocol-buffers compiler that generates Stub interfaces out of .proto files, but bindings to other datamodel/IDL are easy and encouraged.
The Channel layer is an abstraction over Transport handling that is suitable for interception/decoration and exposes more behavior to the application than the Stub layer. It is intended to be easy for application frameworks to use this layer to address cross-cutting concerns such as logging, monitoring, auth, etc.
The Transport layer does the heavy lifting of putting and taking bytes off the wire. The interfaces to it are abstract just enough to allow plugging in of different implementations. Note the transport layer API is considered internal to gRPC and has weaker API guarantees than the core API under package io.grpc.
gRPC comes with multiple Transport implementations: