diff --git a/.changelog/17185.txt b/.changelog/17185.txt
new file mode 100644
index 0000000000..cde123e2de
--- /dev/null
+++ b/.changelog/17185.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fix possible panic that can when generating clusters before the root certificates have been fetched.
+```
diff --git a/agent/xds/clusters.go b/agent/xds/clusters.go
index d29d00a256..35d31af9cc 100644
--- a/agent/xds/clusters.go
+++ b/agent/xds/clusters.go
@@ -1427,6 +1427,10 @@ func (s *ResourceGenerator) makeExportedUpstreamClustersForMeshGateway(cfgSnap *
 
 // injectSANMatcher updates a TLS context so that it verifies the upstream SAN.
 func injectSANMatcher(tlsContext *envoy_tls_v3.CommonTlsContext, matchStrings ...string) error {
+ if tlsContext == nil {
+ return fmt.Errorf("invalid type: expected CommonTlsContext_ValidationContext not to be nil")
+ }
+
 validationCtx, ok := tlsContext.ValidationContextType.(*envoy_tls_v3.CommonTlsContext_ValidationContext)
 if !ok {
 return fmt.Errorf("invalid type: expected CommonTlsContext_ValidationContext, got %T",
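Review bot: The error text in the new nil guard of injectSANMatcher names the wrong object: the value tested is `tlsContext` (a `*envoy_tls_v3.CommonTlsContext`), yet the message says `CommonTlsContext_ValidationContext` and reuses the `invalid type:` prefix of the type-assertion error just below, so a log reader cannot tell a missing TLS context from a wrong validation-context type. Something like `return fmt.Errorf("cannot inject SAN matcher: CommonTlsContext is nil")` would keep the two cases distinct. Since this function is what attaches upstream SAN verification, the callers (outside this hunk) are worth checking to confirm they fail or drop the cluster on this error rather than log it and emit a cluster without the matcher; going by the changelog entry, the nil case presumably arises before the root certificates have been fetched. The function body continues past the end of the hunk.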