feat(tonic-xds): gRFC A29 data-plane TLS connector wiring

[YutaoMa]

Motivation

Ref: #2444

Closes out gRFC A29 (xDS-Based TLS Security) in tonic-xds. The cert provider foundation merged in #2593 and #2616 left the connector integration deferred — its pre-req Endpoint::tls_config_with_verifier landed in #2612.

With that hook available, this PR wires up the per-cluster TLS connector.

Solution

Five commits, each independently reviewable:

• file_watcher background refresh.
• Eager cert parsing in cert provider, verifier access it per handshake.
• Atomically swap Connector on CDS update. Existing endpoint channels keep their connector; new connections pick up the latest. Invalid CDS updates are logged and the previous-good connector is kept.
• Data-plane TlsConnector — for clusters with Some(security), the connector holds the A29 verifier plus an optional identity provider (mTLS). connect() fetches identity per call, assembles a ClientTlsConfig, and builds the endpoint.
• Docs + dead_code cleanup

Tests

Sync refresh_once tests in file_watcher, synthetic-cert chain tests for SAN matching, build_connector dispatch tests, and a counter-based test asserting identity is fetched per connect(). Existing channel.rs integration tests exercise the cluster-aware discovery path end-to-end on the plaintext.

Interop validation

End-to-end mTLS against Istio (Kind + grpc-agent template + SPIFFE creds)
in YutaoMa/tonic-xds-istio-interop@tonic-pr-2640:

git clone https://github.com/YutaoMa/tonic-xds-istio-interop.git
cd tonic-xds-istio-interop && git checkout tonic-pr-2640
./setup.sh && ./run-test.sh

Confirmed successful run with logs request ok request_num=1 … N shown below. The harness uncovered the
two parser-interop bugs fixed in 66d77c5a.

yutma@yutma-mn3741 tonic-xds-istio-interop % ./run-test.sh
==> Applying tonic-xds-client deployment...
serviceaccount/tonic-xds-client unchanged
deployment.apps/tonic-xds-client unchanged
==> Restarting tonic-xds-client to pick up latest image...
deployment.apps/tonic-xds-client restarted
Waiting for deployment "tonic-xds-client" rollout to finish: 1 old replicas are pending termination...
Waiting for deployment "tonic-xds-client" rollout to finish: 1 old replicas are pending termination...
deployment "tonic-xds-client" successfully rolled out
==> Streaming tonic-xds-client logs (Ctrl-C to stop)...

Found 2 pods, using pod/tonic-xds-client-fc69984b-mjwlz
2026-05-12T23:32:39.301779Z  INFO tonic_xds_client: building xDS channel target=xds:///greeter.xds-test.svc.cluster.local:50051
2026-05-12T23:32:39.302790Z  INFO tonic_xds_client: channel built; sending requests every 5s
2026-05-12T23:32:39.302844Z  INFO tonic_xds_client: sending unary request request_num=1
2026-05-12T23:32:39.329498Z  INFO tonic_xds_client: request ok request_num=1 response=Hello request-1 from 0.0.0.0:50051
2026-05-12T23:32:44.331071Z  INFO tonic_xds_client: sending unary request request_num=2
2026-05-12T23:32:44.333457Z  INFO tonic_xds_client: request ok request_num=2 response=Hello request-2 from 0.0.0.0:50051
2026-05-12T23:32:49.336730Z  INFO tonic_xds_client: sending unary request request_num=3
2026-05-12T23:32:49.338296Z  INFO tonic_xds_client: request ok request_num=3 response=Hello request-3 from 0.0.0.0:50051
2026-05-12T23:32:54.340085Z  INFO tonic_xds_client: sending unary request request_num=4
2026-05-12T23:32:54.344715Z  INFO tonic_xds_client: request ok request_num=4 response=Hello request-4 from 0.0.0.0:50051
2026-05-12T23:32:59.346421Z  INFO tonic_xds_client: sending unary request request_num=5
2026-05-12T23:32:59.348229Z  INFO tonic_xds_client: request ok request_num=5 response=Hello request-5 from 0.0.0.0:50051
2026-05-12T23:33:04.350184Z  INFO tonic_xds_client: sending unary request request_num=6
2026-05-12T23:33:04.351546Z  INFO tonic_xds_client: request ok request_num=6 response=Hello request-6 from 0.0.0.0:50051
2026-05-12T23:33:09.353003Z  INFO tonic_xds_client: sending unary request request_num=7
2026-05-12T23:33:09.354252Z  INFO tonic_xds_client: request ok request_num=7 response=Hello request-7 from 0.0.0.0:50051
2026-05-12T23:33:14.356055Z  INFO tonic_xds_client: sending unary request request_num=8
2026-05-12T23:33:14.357055Z  INFO tonic_xds_client: request ok request_num=8 response=Hello request-8 from 0.0.0.0:50051
2026-05-12T23:33:19.359671Z  INFO tonic_xds_client: sending unary request request_num=9
2026-05-12T23:33:19.361201Z  INFO tonic_xds_client: request ok request_num=9 response=Hello request-9 from 0.0.0.0:50051
2026-05-12T23:33:24.364393Z  INFO tonic_xds_client: sending unary request request_num=10

[gu0keno0]

I'll continue to look at the other files.

[gu0keno0]

Is this still deadcode after the integration?

[gu0keno0]

Same question for this.

[gu0keno0]

what do they contain when both are emitted?

[gu0keno0]

Oh, does this mean istio just emit the same provider in the two different forms?

[gu0keno0]

Currently loadbalancer just take a Connector object, would it be possible to create a wrapper connector that provide atomic method to swap the inner one? Then we can reuse the same wrapper in LoadBalancer.

[gu0keno0]

Or the other way is like you commented there, make LoadBalancer call loadfull everytime, I just feel a wrapper might be simpler for callers. Yet it's up to you. If you want to do one way versus the other, maybe change it for LoadBalancer as well.