Fix: nil secret in resourceversiontable (#2982)

* fix nil secret in resourceversiontable Signed-off-by: huabing zhao <[email protected]> * check secrets in the xds result Signed-off-by: huabing zhao <[email protected]> --------- Signed-off-by: huabing zhao <[email protected]>
envoyproxy · Mar 25, 2024 · e880439 · e880439
1 parent e58bb22
commit e880439
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 6 deletions.
diff --git a/...nal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.secrets.yaml b/...nal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.secrets.yaml
@@ -0,0 +1 @@
+[]
diff --git a/internal/xds/translator/translator.go b/internal/xds/translator/translator.go
@@ -521,12 +521,14 @@ func processTLSSocket(tlsConfig *ir.TLSUpstreamConfig, tCtx *types.ResourceVersi
 	if tlsConfig == nil {
 		return nil, nil
 	}
-	CaSecret := buildXdsUpstreamTLSCASecret(tlsConfig)
-	if CaSecret != nil {
+	// Create a secret for the CA certificate only if it's not using the system trust store
+	if !tlsConfig.UseSystemTrustStore {
+		CaSecret := buildXdsUpstreamTLSCASecret(tlsConfig)
 		if err := tCtx.AddXdsResource(resourcev3.SecretType, CaSecret); err != nil {
 			return nil, err
 		}
 	}
+
 	// for upstreamTLS , a fixed sni can be used. use auto_sni otherwise
 	// https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni#faq-how-to-setup-sni:~:text=For%20clusters%2C%20a,for%20trust%20anchor.
 	tlsSocket, err := buildXdsUpstreamTLSSocketWthCert(tlsConfig)
@@ -574,9 +576,12 @@ func addXdsCluster(tCtx *types.ResourceVersionTable, args *xdsClusterArgs) error
 	xdsEndpoints := buildXdsClusterLoadAssignment(args.name, args.settings)
 	for _, ds := range args.settings {
 		if ds.TLS != nil {
-			secret := buildXdsUpstreamTLSCASecret(ds.TLS)
-			if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil {
-				return err
+			// Create a secret for the CA certificate only if it's not using the system trust store
+			if !ds.TLS.UseSystemTrustStore {
+				secret := buildXdsUpstreamTLSCASecret(ds.TLS)
+				if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil {
+					return err
+				}
 			}
 		}
 	}
@@ -602,6 +607,7 @@ const (
 
 func buildXdsUpstreamTLSCASecret(tlsConfig *ir.TLSUpstreamConfig) *tlsv3.Secret {
 	// Build the tls secret
+	// It's just a sanity check, we shouldn't call this function if the system trust store is used
 	if tlsConfig.UseSystemTrustStore {
 		return nil
 	}

diff --git a/internal/xds/translator/translator_test.go b/internal/xds/translator/translator_test.go
@@ -92,7 +92,8 @@ func TestTranslateXds(t *testing.T) {
 			name: "http-route-dns-cluster",
 		},
 		{
-			name: "http-route-with-tls-system-truststore",
+			name:           "http-route-with-tls-system-truststore",
+			requireSecrets: true,
 		},
 		{
 			name:           "http-route-with-tlsbundle",

diff --git a/internal/xds/types/resourceversiontable.go b/internal/xds/types/resourceversiontable.go
@@ -76,6 +76,11 @@ func (t *ResourceVersionTable) GetXdsResources() XdsResources {
 }
 
 func (t *ResourceVersionTable) AddXdsResource(rType resourcev3.Type, xdsResource types.Resource) error {
+	// It's a sanity check to make sure the xdsResource is not nil
+	if xdsResource == nil {
+		return fmt.Errorf("xds resource is nil")
+	}
+
 	// Perform type switch to handle different types of xdsResource
 	switch rType {
 	case resourcev3.ListenerType: