From c5c216008d87c02d0dfa96aeb8f3f4ba74cd26c3 Mon Sep 17 00:00:00 2001
From: "R.B. Boyer" <4903+rboyer@users.noreply.github.com>
Date: Tue, 12 Jul 2022 11:38:13 -0500
Subject: [PATCH] peering: always send the mesh gateway SpiffeID even for tcp services (#13728)

If someone were to switch a peer-exported service from L4 to L7 there would be a brief SAN validation hiccup as traffic shifted to the mesh gateway for termination. This PR sends the mesh gateway SpiffeID down all the time so the clients always expect a switch.
---
 .../public/services/peerstream/stream_test.go | 1 +
 .../peerstream/subscription_manager.go | 19 ++++++++++---------
 .../peerstream/subscription_manager_test.go | 2 ++
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/agent/grpc/public/services/peerstream/stream_test.go b/agent/grpc/public/services/peerstream/stream_test.go
index 7366f42134..8bf644c5bd 100644
--- a/agent/grpc/public/services/peerstream/stream_test.go
+++ b/agent/grpc/public/services/peerstream/stream_test.go
@@ -720,6 +720,7 @@ func TestStreamResources_Server_ServiceUpdates(t *testing.T) {
 require.Equal(t, "tcp", pm.Protocol)
 spiffeIDs := []string{
 "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+ "spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 }
 require.Equal(t, spiffeIDs, pm.SpiffeID)
 },
diff --git a/agent/grpc/public/services/peerstream/subscription_manager.go b/agent/grpc/public/services/peerstream/subscription_manager.go
index 70813e845a..65fd914e34 100644
--- a/agent/grpc/public/services/peerstream/subscription_manager.go
+++ b/agent/grpc/public/services/peerstream/subscription_manager.go
@@ -558,6 +558,12 @@ func createDiscoChainHealth(
 trustDomain,
 )

+ gwSpiffeID := connect.SpiffeIDMeshGateway{
+ Host: trustDomain,
+ Partition: sn.PartitionOrDefault(),
+ Datacenter: datacenter,
+ }
+
 // Create common peer meta.
 //
 // TODO(peering): should this be replicated by service and not by instance?
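Review bot: The new expectation in this stream_test.go hunk, like the two hunks of subscription_manager_test.go at 275 and 335, only pins the `"tcp"` case; nothing in the patch asserts the HTTP-like case, where the gateway ID was previously appended by the now-removed branch and must now appear exactly once from the literal in createDiscoChainHealth. An assertion on an http-protocol exported service's `pm.SpiffeID` (expected: the service ID followed by the gateway ID, and no TCP target IDs) would catch an accidental duplicate or dropped entry if that branch changes again. Other cases in these test files may already cover it, but none are visible in the hunks. The enclosing test functions start outside the hunks.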
@@ -565,19 +571,14 @@ func createDiscoChainHealth(
 SNI: []string{sni},
 SpiffeID: []string{
 mainSpiffeIDString,
+ // Always include the gateway id here to facilitate error-free
+ // L4/L7 upgrade/downgrade scenarios.
+ gwSpiffeID.URI().String(),
 },
 Protocol: info.Protocol,
 }

- if structs.IsProtocolHTTPLike(info.Protocol) {
- gwSpiffeID := connect.SpiffeIDMeshGateway{
- Host: trustDomain,
- Partition: sn.PartitionOrDefault(),
- Datacenter: datacenter,
- }
-
- peerMeta.SpiffeID = append(peerMeta.SpiffeID, gwSpiffeID.URI().String())
- } else {
+ if !structs.IsProtocolHTTPLike(info.Protocol) {
 for _, target := range info.TCPTargets {
 targetSpiffeID := connect.SpiffeIDService{
 Host: trustDomain,
diff --git a/agent/grpc/public/services/peerstream/subscription_manager_test.go b/agent/grpc/public/services/peerstream/subscription_manager_test.go
index 82b1a7e5f1..cd12b2c221 100644
--- a/agent/grpc/public/services/peerstream/subscription_manager_test.go
+++ b/agent/grpc/public/services/peerstream/subscription_manager_test.go
@@ -275,6 +275,7 @@ func TestSubscriptionManager_RegisterDeregister(t *testing.T) {
 },
 SpiffeID: []string{
 "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+ "spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/failover",
 },
 Protocol: "tcp",
@@ -335,6 +336,7 @@ func TestSubscriptionManager_RegisterDeregister(t *testing.T) {
 },
 SpiffeID: []string{
 "spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+ "spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 },
 Protocol: "tcp",
 },
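Review bot: The comment added above `gwSpiffeID.URI().String()` gives the L4/L7 migration motivation but not the trust consequence, which is the part a future maintainer needs: per the commit description this list is what the importing side validates SANs against, so the mesh gateway identity for this partition and datacenter is now an accepted server identity for every exported service, including tcp services whose traffic is not terminated at the gateway and whose per-target IDs are still appended in the `!IsProtocolHTTPLike` branch. That is the trade-off the commit chooses, but a reader of this function alone cannot see that the gateway's credential now covers more services than before. Suggest extending the comment to `// Always include the gateway id here to facilitate error-free L4/L7 upgrade/downgrade scenarios.` followed by `// Note: this makes the mesh gateway identity an accepted SAN for tcp services too, not only for ones the gateway terminates.` The `gwSpiffeID` value is built in the preceding hunk, and createDiscoChainHealth starts and ends outside this hunk.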