From 47a7e52098e5d46ac41f1dc47b71af1c5b3c6e17 Mon Sep 17 00:00:00 2001
From: Eric Haberkorn
Date: Fri, 28 Apr 2023 16:27:57 -0400
Subject: [PATCH] fix panic in `injectSANMatcher` when `tlsContext` is `nil` (#17185)
---
 .changelog/17185.txt | 3 +++
 agent/xds/clusters.go | 4 ++++
 2 files changed, 7 insertions(+)
 create mode 100644 .changelog/17185.txt
diff --git a/.changelog/17185.txt b/.changelog/17185.txt
new file mode 100644
index 000000000..cde123e2d
--- /dev/null
+++ b/.changelog/17185.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fix possible panic that can when generating clusters before the root certificates have been fetched.
+```
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go
index d29d00a25..35d31af9c 100644
--- a/agent/xds/clusters.go
+++ b/agent/xds/clusters.go
@@ -1427,6 +1427,10 @@ func (s *ResourceGenerator) makeExportedUpstreamClustersForMeshGateway(cfgSnap *
 // injectSANMatcher updates a TLS context so that it verifies the upstream SAN.
 func injectSANMatcher(tlsContext *envoy_tls_v3.CommonTlsContext, matchStrings ...string) error {
+ if tlsContext == nil {
+ return fmt.Errorf("invalid type: expected CommonTlsContext_ValidationContext not to be nil")
+ }
+
 validationCtx, ok := tlsContext.ValidationContextType.(*envoy_tls_v3.CommonTlsContext_ValidationContext)
 if !ok {
 return fmt.Errorf("invalid type: expected CommonTlsContext_ValidationContext, got %T",
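Review bot: The new nil guard in `injectSANMatcher` names the wrong object in its error: the check is on `tlsContext` (a `*CommonTlsContext`), yet the message says `CommonTlsContext_ValidationContext` is nil, which is also nearly identical to the type-assertion error a few lines below and will be hard to tell apart in logs. I would word it after what was actually checked, for example `return fmt.Errorf("cannot inject SAN matcher: CommonTlsContext is nil")`. Returning an error is the right fail-closed choice for upstream SAN verification, but the callers are outside this hunk, so it is worth confirming each one propagates the error rather than emitting the cluster without a SAN matcher. The diffstat lists only the changelog and `clusters.go`, so a unit test calling `injectSANMatcher(nil, ...)` would help pin the regression. The function body continues past the end of the hunk.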