From 175f61f24114e0ae8c6008616f7f73cfb76f6276 Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core
Date: Thu, 8 Jun 2023 14:11:44 -0400
Subject: [PATCH] Backport of [API Gateway] Fix trust domain for external peered services in synthesis code into release/1.16.x (#17616)
* backport of commit 63e87434721824902d1bd8c7ef72456615020180
* backport of commit 896f11789b89062c745433a17dc37da5b56185fd
---------
Co-authored-by: Andrew Stucki
---
 .changelog/17609.txt | 4 ++++
 agent/proxycfg/snapshot.go | 15 ++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 .changelog/17609.txt
diff --git a/.changelog/17609.txt b/.changelog/17609.txt
new file mode 100644
index 000000000..cbace1f8c
--- /dev/null
+++ b/.changelog/17609.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results
+in the programmed gateway having no routes.
+```
diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go
index 5e92013b2..1880dcd66 100644
--- a/agent/proxycfg/snapshot.go
+++ b/agent/proxycfg/snapshot.go
@@ -741,14 +741,23 @@ type configSnapshotAPIGateway struct {
 func (c *configSnapshotAPIGateway) synthesizeChains(datacenter string, listener structs.APIGatewayListener, boundListener structs.BoundAPIGatewayListener) ([]structs.IngressService, structs.Upstreams, []*structs.CompiledDiscoveryChain, error) {
 chains := []*structs.CompiledDiscoveryChain{}
- trustDomain := ""
+
+ // We leverage the test trust domain knowing
+ // that the domain will get overridden if
+ // there is a target to something other than an
+ // external/peered service. If the below
+ // code doesn't get a trust domain due to all the
+ // targets being external, the chain will
+ // have the domain munged anyway during synthesis.
+ trustDomain := connect.TestTrustDomain
 DOMAIN_LOOP:
 for _, chain := range c.DiscoveryChain {
 for _, target := range chain.Targets {
 if !target.External {
- trustDomain = connect.TrustDomainForTarget(*target)
- if trustDomain != "" {
+ domain := connect.TrustDomainForTarget(*target)
+ if domain != "" {
+ trustDomain = domain
 break DOMAIN_LOOP
 }
 }
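Review bot: The new default `trustDomain := connect.TestTrustDomain` puts what its name marks as a test fixture into the production synthesis path, and only the prose comment above it promises that the value never survives into a programmed gateway. The step that is said to overwrite it lies outside this hunk (synthesizeChains continues past the last line shown), so the guarantee cannot be checked here. Since the trust domain is part of the identity that mTLS peers are verified against, a later refactor that drops the overwrite for an all-peered route would presumably leave the gateway with a domain that is not the cluster's, and nothing would flag it. I would replace the borrowed test constant with a dedicated, clearly named placeholder, for example a new `placeholderTrustDomain`, with the comment `// placeholder only: must be replaced during synthesis and must never appear in emitted chains`. I would also add a regression test for a route whose targets are all external, asserting that the placeholder appears in none of the returned chains or upstreams.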