chore: merge main into generate-libraries-main

Author: cloud-java-bot

gax-java/gax-grpc/src/main/java/com/google/api/gax/grpc/InstantiatingGrpcChannelProvider.java

@@ -1300,6 +1300,9 @@ public InstantiatingGrpcChannelProvider build() {
             LOG.log(
                 Level.WARNING,
                 "DefaultMtlsProviderFactory encountered unexpected IOException: " + e.getMessage());
+            LOG.log(
+                Level.WARNING,
+                "mTLS configuration was detected on the device, but mTLS failed to initialize. Falling back to non-mTLS channel.");
           }
         }
       }

gax-java/gax-httpjson/src/main/java/com/google/api/gax/httpjson/InstantiatingHttpJsonChannelProvider.java

@@ -356,6 +356,9 @@ public InstantiatingHttpJsonChannelProvider build() {
             LOG.log(
                 Level.WARNING,
                 "DefaultMtlsProviderFactory encountered unexpected IOException: " + e.getMessage());
+            LOG.log(
+                Level.WARNING,
+                "mTLS configuration was detected on the device, but mTLS failed to initialize. Falling back to non-mTLS channel.");
           }
         }
       }

gax-java/gax/src/main/java/com/google/api/gax/rpc/EndpointContext.java

@@ -292,17 +292,25 @@ private String determineEndpoint() throws IOException {
               ? CertificateBasedAccess.createWithSystemEnv()
               : certificateBasedAccess();
       MtlsProvider mtlsProvider = mtlsProvider();
-      if (mtlsProvider == null) {
-        try {
-          mtlsProvider = DefaultMtlsProviderFactory.create();
-        } catch (CertificateSourceUnavailableException e) {
-          // This is okay. Leave mtlsProvider as null;
-        } catch (IOException e) {
-          LOG.log(
-              Level.WARNING,
-              "DefaultMtlsProviderFactory encountered unexpected IOException: " + e.getMessage());
+
+      // Only attempt to create a default MtlsProvider if client certificate usage is enabled.
+      if (certificateBasedAccess.useMtlsClientCertificate()) {
+        if (mtlsProvider == null) {
+          try {
+            mtlsProvider = DefaultMtlsProviderFactory.create();
+          } catch (CertificateSourceUnavailableException e) {
+            // This is okay. Leave mtlsProvider as null;
+          } catch (IOException e) {
+            LOG.log(
+                Level.WARNING,
+                "DefaultMtlsProviderFactory encountered unexpected IOException: " + e.getMessage());
+            LOG.log(
+                Level.WARNING,
+                "mTLS configuration was detected on the device, but mTLS failed to initialize. Falling back to non-mTLS channel.");
+          }
         }
       }
+
       // TransportChannelProvider's endpoint will override the ClientSettings' endpoint
       String customEndpoint =
           transportChannelProviderEndpoint() == null