peering: always send the mesh gateway SpiffeID even for tcp services (#13728)

If someone were to switch a peer-exported service from L4 to L7 there would be a brief SAN validation hiccup as traffic shifted to the mesh gateway for termination. This PR sends the mesh gateway SpiffeID down all the time so the clients always expect a switch.
2025-01-22 11:40:06 +00:00 · 2022-07-12 11:38:13 -05:00 · 2022-07-12 11:38:13 -05:00 · c5c216008d
commit c5c216008d
parent f0e6e4e697
3 changed files with 13 additions and 9 deletions
--- a/agent/grpc/public/services/peerstream/stream_test.go
+++ b/agent/grpc/public/services/peerstream/stream_test.go
@ -720,6 +720,7 @@ func TestStreamResources_Server_ServiceUpdates(t *testing.T) {
 				require.Equal(t, "tcp", pm.Protocol)
 				spiffeIDs := []string{
 					"spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+					"spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 				}
 				require.Equal(t, spiffeIDs, pm.SpiffeID)
 			},
--- a/agent/grpc/public/services/peerstream/subscription_manager.go
+++ b/agent/grpc/public/services/peerstream/subscription_manager.go
@ -558,6 +558,12 @@ func createDiscoChainHealth(
 			trustDomain,
 		)

+		gwSpiffeID := connect.SpiffeIDMeshGateway{
+			Host:       trustDomain,
+			Partition:  sn.PartitionOrDefault(),
+			Datacenter: datacenter,
+		}
+
 		// Create common peer meta.
 		//
 		// TODO(peering): should this be replicated by service and not by instance?
@ -565,19 +571,14 @@ func createDiscoChainHealth(
 			SNI: []string{sni},
 			SpiffeID: []string{
 				mainSpiffeIDString,
+				// Always include the gateway id here to facilitate error-free
+				// L4/L7 upgrade/downgrade scenarios.
+				gwSpiffeID.URI().String(),
 			},
 			Protocol: info.Protocol,
 		}

-		if structs.IsProtocolHTTPLike(info.Protocol) {
-			gwSpiffeID := connect.SpiffeIDMeshGateway{
-				Host:       trustDomain,
-				Partition:  sn.PartitionOrDefault(),
-				Datacenter: datacenter,
-			}
-
-			peerMeta.SpiffeID = append(peerMeta.SpiffeID, gwSpiffeID.URI().String())
-		} else {
+		if !structs.IsProtocolHTTPLike(info.Protocol) {
 			for _, target := range info.TCPTargets {
 				targetSpiffeID := connect.SpiffeIDService{
 					Host:       trustDomain,
--- a/agent/grpc/public/services/peerstream/subscription_manager_test.go
+++ b/agent/grpc/public/services/peerstream/subscription_manager_test.go
@ -275,6 +275,7 @@ func TestSubscriptionManager_RegisterDeregister(t *testing.T) {
 								},
 								SpiffeID: []string{
 									"spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+									"spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 									"spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/failover",
 								},
 								Protocol: "tcp",
@ -335,6 +336,7 @@ func TestSubscriptionManager_RegisterDeregister(t *testing.T) {
 								},
 								SpiffeID: []string{
 									"spiffe://11111111-2222-3333-4444-555555555555.consul/ns/default/dc/dc1/svc/mysql",
+									"spiffe://11111111-2222-3333-4444-555555555555.consul/gateway/mesh/dc/dc1",
 								},
 								Protocol: "tcp",
 							},