Remove feature guarding of the env vars for Cloud run CSM:

  GRPC_EXPERIMENTAL_XDS_SNI
  GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE
  GRPC_EXPERIMENTAL_XDS_SYSTEM_ROOT_CERTS
  GRPC_EXPERIMENTAL_XDS_GCP_AUTHENTICATION_FILTER

Author: kannanjgithub

xds/src/main/java/io/grpc/xds/FilterRegistry.java

@@ -17,7 +17,6 @@
 package io.grpc.xds;
 
 import com.google.common.annotations.VisibleForTesting;
-import io.grpc.internal.GrpcUtil;
 import java.util.HashMap;
 import java.util.Map;
 import javax.annotation.Nullable;
@@ -33,18 +32,13 @@ final class FilterRegistry {
 
   private FilterRegistry() {}
 
-  static boolean isEnabledGcpAuthnFilter =
-      GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_GCP_AUTHENTICATION_FILTER", false);
-
   static synchronized FilterRegistry getDefaultRegistry() {
     if (instance == null) {
       instance = newRegistry().register(
               new FaultFilter.Provider(),
               new RouterFilter.Provider(),
-              new RbacFilter.Provider());
-      if (isEnabledGcpAuthnFilter) {
-        instance.register(new GcpAuthenticationFilter.Provider());
-      }
+              new RbacFilter.Provider(),
+              new GcpAuthenticationFilter.Provider());
     }
     return instance;
   }

xds/src/main/java/io/grpc/xds/GcpAuthenticationFilter.java

@@ -17,7 +17,6 @@
 package io.grpc.xds;
 
 import static com.google.common.base.Preconditions.checkNotNull;
-import static io.grpc.xds.FilterRegistry.isEnabledGcpAuthnFilter;
 import static io.grpc.xds.XdsNameResolver.CLUSTER_SELECTION_KEY;
 import static io.grpc.xds.XdsNameResolver.XDS_CONFIG_CALL_OPTION_KEY;
 
@@ -313,10 +312,6 @@ public String getTypeUrl() {
     public AudienceWrapper parse(Any any) throws ResourceInvalidException {
       Audience audience;
       try {
-        if (!isEnabledGcpAuthnFilter) {
-          throw new InvalidProtocolBufferException("Environment variable for GCP Authentication "
-              + "Filter is Not Set");
-        }
         audience = any.unpack(Audience.class);
       } catch (InvalidProtocolBufferException ex) {
         throw new ResourceInvalidException("Invalid Resource in address proto", ex);

xds/src/main/java/io/grpc/xds/XdsClusterResource.java

@@ -64,9 +64,6 @@ class XdsClusterResource extends XdsResourceType<CdsUpdate> {
           ? Boolean.parseBoolean(System.getenv("GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST"))
           : Boolean.parseBoolean(
               System.getProperty("io.grpc.xds.experimentalEnableLeastRequest", "true"));
-  @VisibleForTesting
-  public static boolean enableSystemRootCerts =
-      GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_SYSTEM_ROOT_CERTS", false);
   static boolean isEnabledXdsHttpConnect =
       GrpcUtil.getFlag("GRPC_EXPERIMENTAL_XDS_HTTP_CONNECT", false);
 
@@ -486,8 +483,7 @@ static void validateCommonTlsContext(
     }
     String rootCaInstanceName = getRootCertInstanceName(commonTlsContext);
     if (rootCaInstanceName == null) {
-      if (!server && (!enableSystemRootCerts
-          || !CommonTlsContextUtil.isUsingSystemRootCerts(commonTlsContext))) {
+      if (!server && !CommonTlsContextUtil.isUsingSystemRootCerts(commonTlsContext)) {
         throw new ResourceInvalidException(
             "ca_certificate_provider_instance or system_root_certs is required in "
                 + "upstream-tls-context");

xds/src/main/java/io/grpc/xds/XdsRouteConfigureResource.java

@@ -475,8 +475,7 @@ static StructOrError<RouteAction> parseRouteAction(
       case CLUSTER:
         return StructOrError.fromStruct(RouteAction.forCluster(
             proto.getCluster(), hashPolicies, timeoutNano, retryPolicy,
-            GrpcUtil.getFlag(GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE, false)
-            && args.getServerInfo().isTrustedXdsServer() && proto.getAutoHostRewrite().getValue()));
+            args.getServerInfo().isTrustedXdsServer() && proto.getAutoHostRewrite().getValue()));
       case CLUSTER_HEADER:
         return null;
       case WEIGHTED_CLUSTERS:
@@ -510,8 +509,7 @@ static StructOrError<RouteAction> parseRouteAction(
         }
         return StructOrError.fromStruct(VirtualHost.Route.RouteAction.forWeightedClusters(
             weightedClusters, hashPolicies, timeoutNano, retryPolicy,
-            GrpcUtil.getFlag(GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE, false)
-            && args.getServerInfo().isTrustedXdsServer() && proto.getAutoHostRewrite().getValue()));
+            args.getServerInfo().isTrustedXdsServer() && proto.getAutoHostRewrite().getValue()));
       case CLUSTER_SPECIFIER_PLUGIN:
         if (enableRouteLookup) {
           String pluginName = proto.getClusterSpecifierPlugin();
@@ -527,8 +525,7 @@ static StructOrError<RouteAction> parseRouteAction(
           NamedPluginConfig namedPluginConfig = NamedPluginConfig.create(pluginName, pluginConfig);
           return StructOrError.fromStruct(VirtualHost.Route.RouteAction.forClusterSpecifierPlugin(
               namedPluginConfig, hashPolicies, timeoutNano, retryPolicy,
-              GrpcUtil.getFlag(GRPC_EXPERIMENTAL_XDS_AUTHORITY_REWRITE, false)
-              && args.getServerInfo().isTrustedXdsServer()
+              args.getServerInfo().isTrustedXdsServer()
                   && proto.getAutoHostRewrite().getValue()));
         } else {
           return null;

xds/src/main/java/io/grpc/xds/internal/security/SecurityProtocolNegotiators.java

@@ -215,21 +215,16 @@ public void handlerAdded(ChannelHandlerContext ctx) throws Exception {
       this.sslContextProviderSupplier = sslContextProviderSupplier;
       EnvoyServerProtoData.BaseTlsContext tlsContext = sslContextProviderSupplier.getTlsContext();
       UpstreamTlsContext upstreamTlsContext = ((UpstreamTlsContext) tlsContext);
-      if (CertificateUtils.isXdsSniEnabled) {
-        String sniToUse = upstreamTlsContext.getAutoHostSni()
-            && !Strings.isNullOrEmpty(endpointHostname)
-            ? endpointHostname : upstreamTlsContext.getSni();
-        if (sniToUse.isEmpty() && CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
-          sniToUse = grpcHandler.getAuthority();
-          autoSniSanValidationDoesNotApply = true;
-        } else {
-          autoSniSanValidationDoesNotApply = false;
-        }
-        sni = sniToUse;
+      String sniToUse = upstreamTlsContext.getAutoHostSni()
+          && !Strings.isNullOrEmpty(endpointHostname)
+          ? endpointHostname : upstreamTlsContext.getSni();
+      if (sniToUse.isEmpty() && CertificateUtils.useChannelAuthorityIfNoSniApplicable) {
+        sniToUse = grpcHandler.getAuthority();
+        autoSniSanValidationDoesNotApply = true;
       } else {
-        sni = grpcHandler.getAuthority();
         autoSniSanValidationDoesNotApply = false;
       }
+      sni = sniToUse;
     }
 
     @VisibleForTesting

xds/src/main/java/io/grpc/xds/internal/security/trust/XdsX509TrustManager.java

@@ -308,7 +308,7 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
 
   private List<StringMatcher> getAutoSniSanMatchers(SSLParameters sslParams) {
     List<StringMatcher> sniNamesToMatch = new ArrayList<>();
-    if (CertificateUtils.isXdsSniEnabled && autoSniSanValidation) {
+    if (autoSniSanValidation) {
       List<SNIServerName> serverNames = sslParams.getServerNames();
       if (serverNames != null) {
         for (SNIServerName serverName : serverNames) {

xds/src/test/java/io/grpc/xds/GcpAuthenticationFilterTest.java

@@ -88,11 +88,6 @@ public class GcpAuthenticationFilterTest {
   private static final RdsUpdate rdsUpdate = getRdsUpdate();
   private static final CdsUpdate cdsUpdate = getCdsUpdate();
 
-  @Before
-  public void setUp() {
-    System.setProperty("GRPC_EXPERIMENTAL_XDS_GCP_AUTHENTICATION_FILTER", "true");
-  }
-
   @Test
   public void testNewFilterInstancesPerFilterName() {
     assertThat(new GcpAuthenticationFilter("FILTER_INSTANCE_NAME1", 10))