Update prepared query cluster SAN validation

Previously SAN validation for prepared queries was broken because we validated against the name, namespace, and datacenter for prepared queries. However, prepared queries can target: - Services with a name that isn't their own - Services in multiple datacenters This means that the SpiffeID to validate needs to be based on the prepared query endpoints, and not the prepared query's upstream definition. This commit updates prepared query clusters to account for that.
2021-08-18 18:06:41 -06:00 · 2021-08-18 18:06:41 -06:00 · b1050e4229
parent 1f192eb7d9
commit b1050e4229
85 changed files with 326 additions and 109 deletions
--- a/agent/proxycfg/testing.go
+++ b/agent/proxycfg/testing.go
@ -144,6 +144,46 @@ func TestUpstreamNodes(t testing.T, service string) structs.CheckServiceNodes {
 	}
 }

+func TestPreparedQueryNodes(t testing.T, service string) structs.CheckServiceNodes {
+
+	// The service instances targeted by the prepared query are given the slightly different name
+	// "geo-cache-target" to ensure we don't use the prepared query's name for SAN validation.
+	// The name of prepared queries won't always match the name of the service they target.
+	nodes := structs.CheckServiceNodes{
+		structs.CheckServiceNode{
+			Node: &structs.Node{
+				ID:         "test1",
+				Node:       "test1",
+				Address:    "10.10.1.1",
+				Datacenter: "dc1",
+			},
+			Service: &structs.NodeService{
+				Kind:    structs.ServiceKindConnectProxy,
+				Service: service + "-sidecar-proxy",
+				Port:    8080,
+				Proxy: structs.ConnectProxyConfig{
+					DestinationServiceName: service + "-target",
+				},
+			},
+		},
+		structs.CheckServiceNode{
+			Node: &structs.Node{
+				ID:         "test2",
+				Node:       "test2",
+				Address:    "10.20.1.2",
+				Datacenter: "dc2",
+			},
+			Service: &structs.NodeService{
+				Kind:    structs.ServiceKindTypical,
+				Service: service + "-target",
+				Port:    8080,
+				Connect: structs.ServiceConnect{Native: true},
+			},
+		},
+	}
+	return nodes
+}
+
 func TestUpstreamNodesInStatus(t testing.T, status string) structs.CheckServiceNodes {
 	return structs.CheckServiceNodes{
 		structs.CheckServiceNode{
@ -666,7 +706,7 @@ func TestConfigSnapshot(t testing.T) *ConfigSnapshot {
 				},
 			},
 			PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{
-				"prepared_query:geo-cache": TestUpstreamNodes(t, "geo-cache"),
+				"prepared_query:geo-cache": TestPreparedQueryNodes(t, "geo-cache"),
 			},
 			Intentions:    nil, // no intentions defined
 			IntentionsSet: true,
@ -781,11 +821,7 @@ func testConfigSnapshotDiscoveryChain(t testing.T, variation string, additionalE
 				t, variation, leaf, additionalEntries...,
 			),
 			PreparedQueryEndpoints: map[string]structs.CheckServiceNodes{
-
-				// The service instances targeted by the prepared query are given the slightly different name
-				// "geo-cache-target" to ensure we don't use the prepared query's name for SAN validation.
-				// The name of prepared queries won't always match the name of the service they target.
-				"prepared_query:geo-cache": TestUpstreamNodes(t, "geo-cache-target"),
+				"prepared_query:geo-cache": TestPreparedQueryNodes(t, "geo-cache"),
 			},
 			Intentions:    nil, // no intentions defined
 			IntentionsSet: true,
--- a/agent/xds/clusters.go
+++ b/agent/xds/clusters.go
@ -535,17 +535,34 @@ func (s *ResourceGenerator) makeUpstreamClusterForPreparedQuery(upstream structs
 		}
 	}

-	spiffeID := connect.SpiffeIDService{
-		Host:       cfgSnap.Roots.TrustDomain,
-		Partition:  upstream.DestinationPartition,
-		Namespace:  upstream.DestinationNamespace,
-		Datacenter: dc,
-		Service:    upstream.DestinationName,
+	endpoints := cfgSnap.ConnectProxy.PreparedQueryEndpoints[upstream.Identifier()]
+	var (
+		spiffeIDs = make([]connect.SpiffeIDService, 0)
+		seen      = make(map[string]struct{})
+	)
+	for _, e := range endpoints {
+		id := fmt.Sprintf("%s/%s", e.Node.Datacenter, e.Service.CompoundServiceName())
+		if _, ok := seen[id]; ok {
+			continue
+		}
+		seen[id] = struct{}{}
+
+		name := e.Service.Proxy.DestinationServiceName
+		if e.Service.Connect.Native {
+			name = e.Service.Service
+		}
+		spiffeIDs = append(spiffeIDs, connect.SpiffeIDService{
+			Host:       cfgSnap.Roots.TrustDomain,
+			Namespace:  e.Service.NamespaceOrDefault(),
+			Partition:  e.Service.PartitionOrDefault(),
+			Datacenter: e.Node.Datacenter,
+			Service:    name,
+		})
 	}

 	// Enable TLS upstream with the configured client certificate.
 	commonTLSContext := makeCommonTLSContextFromLeaf(cfgSnap, cfgSnap.Leaf())
-	err = injectSANMatcher(commonTLSContext, spiffeID)
+	err = injectSANMatcher(commonTLSContext, spiffeIDs...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to inject SAN matcher rules for cluster %q: %v", sni, err)
 	}
--- a/agent/xds/testdata/clusters/connect-proxy-lb-in-resolver.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-lb-in-resolver.envoy-1-18-x.golden
@ -107,7 +107,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-lb-in-resolver.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-lb-in-resolver.v2compat.envoy-1-16-x.golden
@ -107,7 +107,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-chain-and-failover.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-chain-and-failover.envoy-1-18-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-chain-and-failover.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-chain-and-failover.v2compat.envoy-1-16-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-chain-and-overrides.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-chain-and-overrides.envoy-1-18-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-chain-and-overrides.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-chain-and-overrides.v2compat.envoy-1-16-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-chain-external-sni.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-chain-external-sni.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-chain-external-sni.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-chain-external-sni.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-chain.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-chain.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-chain.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-chain.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.envoy-1-18-x.golden
@ -108,7 +108,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.v2compat.envoy-1-16-x.golden
@ -108,7 +108,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-local-gateway.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-local-gateway.envoy-1-18-x.golden
@ -108,7 +108,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-local-gateway.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-local-gateway.v2compat.envoy-1-16-x.golden
@ -108,7 +108,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.envoy-1-18-x.golden
@ -108,7 +108,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.v2compat.envoy-1-16-x.golden
@ -108,7 +108,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.envoy-1-18-x.golden
@ -108,7 +108,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.v2compat.envoy-1-16-x.golden
@ -108,7 +108,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.envoy-1-18-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.v2compat.envoy-1-16-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-18-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-local-gateway.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-local-gateway.v2compat.envoy-1-16-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.envoy-1-18-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.v2compat.envoy-1-16-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-18-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-remote-gateway.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/connect-proxy-with-tcp-chain-failover-through-remote-gateway.v2compat.envoy-1-16-x.golden
@ -105,7 +105,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-limits-max-connections-only.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/custom-limits-max-connections-only.envoy-1-18-x.golden
@ -110,7 +110,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-limits-max-connections-only.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/custom-limits-max-connections-only.v2compat.envoy-1-16-x.golden
@ -110,7 +110,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-limits-set-to-zero.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/custom-limits-set-to-zero.envoy-1-18-x.golden
@ -114,7 +114,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-limits-set-to-zero.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/custom-limits-set-to-zero.v2compat.envoy-1-16-x.golden
@ -114,7 +114,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-limits.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/custom-limits.envoy-1-18-x.golden
@ -114,7 +114,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-limits.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/custom-limits.v2compat.envoy-1-16-x.golden
@ -114,7 +114,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-local-app.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/custom-local-app.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-local-app.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/custom-local-app.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-timeouts.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/custom-timeouts.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-timeouts.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/custom-timeouts.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-upstream-default-chain.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/custom-upstream-default-chain.envoy-1-18-x.golden
@ -44,7 +44,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-upstream-default-chain.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/custom-upstream-default-chain.v2compat.envoy-1-16-x.golden
@ -44,7 +44,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-upstream.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/custom-upstream.envoy-1-18-x.golden
@ -44,7 +44,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/custom-upstream.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/custom-upstream.v2compat.envoy-1-16-x.golden
@ -44,7 +44,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/defaults.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/defaults.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/defaults.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/defaults.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/downstream-service-with-unix-sockets.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/downstream-service-with-unix-sockets.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/downstream-service-with-unix-sockets.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/downstream-service-with-unix-sockets.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/splitter-with-resolver-redirect.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/splitter-with-resolver-redirect.envoy-1-18-x.golden
@ -44,7 +44,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/splitter-with-resolver-redirect.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/splitter-with-resolver-redirect.v2compat.envoy-1-16-x.golden
@ -44,7 +44,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/transparent-proxy-catalog-destinations-only.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/transparent-proxy-dial-instances-directly.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/transparent-proxy.envoy-1-18-x.golden
+++ b/agent/xds/testdata/clusters/transparent-proxy.envoy-1-18-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/clusters/transparent-proxy.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/clusters/transparent-proxy.v2compat.envoy-1-16-x.golden
@ -102,7 +102,10 @@
              },
              "matchSubjectAltNames": [
                {
-                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache"
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/geo-cache-target"
+                },
+                {
+                  "exact": "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc2/svc/geo-cache-target"
                }
              ]
            }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-failover.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-failover.envoy-1-18-x.golden
@ -89,7 +89,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-failover.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-failover.v2compat.envoy-1-16-x.golden
@ -89,7 +89,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-overrides.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-overrides.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-overrides.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain-and-overrides.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain-external-sni.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain-external-sni.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain-external-sni.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain-external-sni.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-chain.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-chain.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-default-chain-and-custom-cluster.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-default-chain-and-custom-cluster.envoy-1-18-x.golden
@ -23,7 +23,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-default-chain-and-custom-cluster.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-default-chain-and-custom-cluster.v2compat.envoy-1-16-x.golden
@ -23,7 +23,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-local-gateway-triggered.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-local-gateway.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-local-gateway.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-local-gateway.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-local-gateway.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway-triggered.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-double-failover-through-remote-gateway.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-local-gateway-triggered.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-local-gateway.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-local-gateway.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-local-gateway.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-remote-gateway-triggered.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-remote-gateway.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-remote-gateway.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/connect-proxy-with-tcp-chain-failover-through-remote-gateway.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/defaults.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/defaults.envoy-1-18-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/defaults.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/defaults.v2compat.envoy-1-16-x.golden
@ -57,7 +57,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/splitter-with-resolver-redirect.envoy-1-18-x.golden
+++ b/agent/xds/testdata/endpoints/splitter-with-resolver-redirect.envoy-1-18-x.golden
@ -23,7 +23,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/testdata/endpoints/splitter-with-resolver-redirect.v2compat.envoy-1-16-x.golden
+++ b/agent/xds/testdata/endpoints/splitter-with-resolver-redirect.v2compat.envoy-1-16-x.golden
@ -23,7 +23,7 @@
              "endpoint": {
                "address": {
                  "socketAddress": {
-                    "address": "10.10.1.2",
+                    "address": "10.20.1.2",
                    "portValue": 8080
                  }
                }
--- a/agent/xds/xds_protocol_helpers_test.go
+++ b/agent/xds/xds_protocol_helpers_test.go
@ -43,7 +43,7 @@ func newTestSnapshot(
 ) *proxycfg.ConfigSnapshot {
 	snap := proxycfg.TestConfigSnapshotDiscoveryChainDefaultWithEntries(t, additionalEntries...)
 	snap.ConnectProxy.PreparedQueryEndpoints = map[string]structs.CheckServiceNodes{
-		"prepared_query:geo-cache": proxycfg.TestUpstreamNodes(t, "geo-cache"),
+		"prepared_query:geo-cache": proxycfg.TestPreparedQueryNodes(t, "geo-cache"),
 	}
 	if prevSnap != nil {
 		snap.Roots = prevSnap.Roots
@ -250,9 +250,9 @@ func xdsNewUpstreamTransportSocket(
 	t *testing.T,
 	snap *proxycfg.ConfigSnapshot,
 	sni string,
-	uri connect.SpiffeIDService,
+	uri ...connect.SpiffeIDService,
 ) *envoy_core_v3.TransportSocket {
-	return xdsNewTransportSocket(t, snap, false, false, sni, uri)
+	return xdsNewTransportSocket(t, snap, false, false, sni, uri...)
 }

 func xdsNewTransportSocket(
@ -261,7 +261,7 @@ func xdsNewTransportSocket(
 	downstream bool,
 	requireClientCert bool,
 	sni string,
-	uri connect.SpiffeIDService,
+	uri ...connect.SpiffeIDService,
 ) *envoy_core_v3.TransportSocket {
 	// Assume just one root for now, can get fancier later if needed.
 	caPEM := snap.Roots.Roots[0].RootCert
@ -278,8 +278,8 @@ func xdsNewTransportSocket(
 			},
 		},
 	}
-	if uri.Service != "" {
-		require.NoError(t, injectSANMatcher(commonTLSContext, uri))
+	if uri[0].Service != "" {
+		require.NoError(t, injectSANMatcher(commonTLSContext, uri...))
 	}

 	var tlsContext proto.Message
@ -371,12 +371,20 @@ func makeTestCluster(t *testing.T, snap *proxycfg.ConfigSnapshot, fixtureName st
 			Service:    "db",
 		}

-		geocacheSNI = "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
-		geocacheURI = connect.SpiffeIDService{
-			Host:       "11111111-2222-3333-4444-555555555555.consul",
-			Namespace:  "default",
-			Datacenter: "dc1",
-			Service:    "geo-cache",
+		geocacheSNI  = "geo-cache.default.dc1.query.11111111-2222-3333-4444-555555555555.consul"
+		geocacheURIs = []connect.SpiffeIDService{
+			{
+				Host:       "11111111-2222-3333-4444-555555555555.consul",
+				Namespace:  "default",
+				Datacenter: "dc1",
+				Service:    "geo-cache-target",
+			},
+			{
+				Host:       "11111111-2222-3333-4444-555555555555.consul",
+				Namespace:  "default",
+				Datacenter: "dc2",
+				Service:    "geo-cache-target",
+			},
 		}
 	)

@ -483,7 +491,7 @@ func makeTestCluster(t *testing.T, snap *proxycfg.ConfigSnapshot, fixtureName st
 			CircuitBreakers:  &envoy_cluster_v3.CircuitBreakers{},
 			OutlierDetection: &envoy_cluster_v3.OutlierDetection{},
 			ConnectTimeout:   ptypes.DurationProto(5 * time.Second),
-			TransportSocket:  xdsNewUpstreamTransportSocket(t, snap, geocacheSNI, geocacheURI),
+			TransportSocket:  xdsNewUpstreamTransportSocket(t, snap, geocacheSNI, geocacheURIs...),
 		}
 	default:
 		t.Fatalf("unexpected fixture name: %s", fixtureName)
@ -535,7 +543,7 @@ func makeTestEndpoints(t *testing.T, _ *proxycfg.ConfigSnapshot, fixtureName str
 				{
 					LbEndpoints: []*envoy_endpoint_v3.LbEndpoint{
 						xdsNewEndpointWithHealth("10.10.1.1", 8080, envoy_core_v3.HealthStatus_HEALTHY, 1),
-						xdsNewEndpointWithHealth("10.10.1.2", 8080, envoy_core_v3.HealthStatus_HEALTHY, 1),
+						xdsNewEndpointWithHealth("10.20.1.2", 8080, envoy_core_v3.HealthStatus_HEALTHY, 1),
 					},
 				},
 			},