Finish resolving upstream defaults in proxycfg

agent/proxycfg/state.go

@@ -333,6 +333,11 @@ func (s *state) initWatchesConnectProxy(snap *ConfigSnapshot) error {
 	for i := range s.proxyCfg.Upstreams {
 		u := s.proxyCfg.Upstreams[i]
 
+		// Store defaults keyed under wildcard so they can be applied to centrally configured upstreams
+		if u.DestinationName == structs.WildcardSpecifier {
+			snap.ConnectProxy.UpstreamConfig[u.DestinationID().String()] = &u
+		}
+
 		// This can be true if the upstream is a synthetic entry populated from centralized upstream config.
 		// Watches should not be created for them.
 		if u.CentrallyConfigured {
@@ -795,6 +800,16 @@ func (s *state) handleUpdateConnectProxy(u cache.UpdateEvent, snap *ConfigSnapsh
 			u, ok := snap.ConnectProxy.UpstreamConfig[svc.String()]
 			if ok {
 				cfgMap = u.Config
+			} else {
+				// Use the centralized upstream defaults if they exist and there isn't specific configuration for this upstream
+				// This is only relevant to upstreams from intentions because for explicit upstreams the defaulting is handled
+				// by the ResolveServiceConfig endpoint.
+				wildcardSID := structs.NewServiceID(structs.WildcardSpecifier, structs.WildcardEnterpriseMeta())
+				defaults, ok := snap.ConnectProxy.UpstreamConfig[wildcardSID.String()]
+				if ok {
+					cfgMap = defaults.Config
+					snap.ConnectProxy.UpstreamConfig[svc.String()] = defaults
+				}
 			}
 
 			cfg, err := parseReducedUpstreamConfig(cfgMap)

agent/proxycfg/state_test.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"sync"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/require"
 
@@ -1606,6 +1607,16 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 				Proxy: structs.ConnectProxyConfig{
 					DestinationServiceName: "api",
 					TransparentProxy:       true,
+					Upstreams: structs.Upstreams{
+						{
+							CentrallyConfigured:  true,
+							DestinationName:      structs.WildcardSpecifier,
+							DestinationNamespace: structs.WildcardSpecifier,
+							Config: map[string]interface{}{
+								"connect_timeout_ms": 6000,
+							},
+						},
+					},
 				},
 			},
 			sourceDC: "dc1",
@@ -1622,10 +1633,13 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 					},
 					verifySnapshot: func(t testing.TB, snap *ConfigSnapshot) {
 						require.False(t, snap.Valid(), "proxy without roots/leaf/intentions is not valid")
-						require.True(t, snap.ConnectProxy.IsEmpty())
 						require.True(t, snap.MeshGateway.IsEmpty())
 						require.True(t, snap.IngressGateway.IsEmpty())
 						require.True(t, snap.TerminatingGateway.IsEmpty())
+
+						// Centrally configured upstream defaults should be stored so that upstreams from intentions can inherit them
+						require.Len(t, snap.ConnectProxy.UpstreamConfig, 1)
+						require.Contains(t, snap.ConnectProxy.UpstreamConfig, "*")
 					},
 				},
 				// Valid snapshot after roots, leaf, and intentions
@@ -1694,16 +1708,24 @@ func TestState_WatchesAndUpdates(t *testing.T) {
 
 						// Should not have results yet
 						require.Empty(t, snap.ConnectProxy.DiscoveryChain)
+
+						require.Len(t, snap.ConnectProxy.UpstreamConfig, 2)
+						cfg, ok := snap.ConnectProxy.UpstreamConfig[db.String()]
+						require.True(t, ok)
+
+						// Upstream config should have been inherited from defaults under wildcard key
+						require.Equal(t, cfg.Config["connect_timeout_ms"], 6000)
 					},
 				},
 				// Discovery chain updates should be stored
 				{
 					requiredWatches: map[string]verifyWatchRequest{
 						"discovery-chain:" + dbStr: genVerifyDiscoveryChainWatch(&structs.DiscoveryChainRequest{
-							Name:                 "db",
+							Name:                   "db",
-							EvaluateInDatacenter: "dc1",
+							EvaluateInDatacenter:   "dc1",
-							EvaluateInNamespace:  "default",
+							EvaluateInNamespace:    "default",
-							Datacenter:           "dc1",
+							Datacenter:             "dc1",
+							OverrideConnectTimeout: 6 * time.Second,
 						}),
 					},
 					events: []cache.UpdateEvent{