diff --git a/.changelog/17609.txt b/.changelog/17609.txt new file mode 100644 index 0000000000..cbace1f8c7 --- /dev/null +++ b/.changelog/17609.txt @@ -0,0 +1,4 @@ +```release-note:bug +gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results +in the programmed gateway having no routes. +``` diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go index 5e92013b27..1880dcd669 100644 --- a/agent/proxycfg/snapshot.go +++ b/agent/proxycfg/snapshot.go @@ -741,14 +741,23 @@ type configSnapshotAPIGateway struct { func (c *configSnapshotAPIGateway) synthesizeChains(datacenter string, listener structs.APIGatewayListener, boundListener structs.BoundAPIGatewayListener) ([]structs.IngressService, structs.Upstreams, []*structs.CompiledDiscoveryChain, error) { chains := []*structs.CompiledDiscoveryChain{} - trustDomain := "" + + // We leverage the test trust domain knowing + // that the domain will get overridden if + // there is a target to something other than an + // external/peered service. If the below + // code doesn't get a trust domain due to all the + // targets being external, the chain will + // have the domain munged anyway during synthesis. + trustDomain := connect.TestTrustDomain DOMAIN_LOOP: for _, chain := range c.DiscoveryChain { for _, target := range chain.Targets { if !target.External { - trustDomain = connect.TrustDomainForTarget(*target) - if trustDomain != "" { + domain := connect.TrustDomainForTarget(*target) + if domain != "" { + trustDomain = domain break DOMAIN_LOOP } }