Fix: nil secret in resourceversiontable

internal/xds/translator/testdata/out/xds-ir/http-route-with-tls-system-truststore.secrets.yaml

@@ -0,0 +1 @@
+[]

internal/xds/translator/translator.go

@@ -521,12 +521,14 @@
 	if tlsConfig == nil {
 		return nil, nil
 	}
-	CaSecret := buildXdsUpstreamTLSCASecret(tlsConfig)
-	if CaSecret != nil {
+	// Create a secret for the CA certificate only if it's not using the system trust store
+	if !tlsConfig.UseSystemTrustStore {
+		CaSecret := buildXdsUpstreamTLSCASecret(tlsConfig)
 		if err := tCtx.AddXdsResource(resourcev3.SecretType, CaSecret); err != nil {
 			return nil, err
 		}
 	}
+
 	// for upstreamTLS , a fixed sni can be used. use auto_sni otherwise
 	// https://www.envoyproxy.io/docs/envoy/latest/faq/configuration/sni#faq-how-to-setup-sni:~:text=For%20clusters%2C%20a,for%20trust%20anchor.
 	tlsSocket, err := buildXdsUpstreamTLSSocketWthCert(tlsConfig)
@@ -574,9 +576,12 @@
 	xdsEndpoints := buildXdsClusterLoadAssignment(args.name, args.settings)
 	for _, ds := range args.settings {
 		if ds.TLS != nil {
-			secret := buildXdsUpstreamTLSCASecret(ds.TLS)
-			if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil {
-				return err
+			// Create a secret for the CA certificate only if it's not using the system trust store
+			if !ds.TLS.UseSystemTrustStore {
+				secret := buildXdsUpstreamTLSCASecret(ds.TLS)
+				if err := tCtx.AddXdsResource(resourcev3.SecretType, secret); err != nil {
+					return err
+				}
 			}
 		}
 	}
@@ -602,6 +607,7 @@
 
 func buildXdsUpstreamTLSCASecret(tlsConfig *ir.TLSUpstreamConfig) *tlsv3.Secret {
 	// Build the tls secret
+	// It's just a sanity check, we shouldn't call this function if the system trust store is used
 	if tlsConfig.UseSystemTrustStore {
 		return nil
 	}

internal/xds/translator/translator_test.go

@@ -92,7 +92,8 @@ func TestTranslateXds(t *testing.T) {
 			name: "http-route-dns-cluster",
 		},
 		{
-			name: "http-route-with-tls-system-truststore",
+			name:           "http-route-with-tls-system-truststore",
+			requireSecrets: true,
 		},
 		{
 			name:           "http-route-with-tlsbundle",

internal/xds/types/resourceversiontable.go

@@ -76,6 +76,11 @@
 }
 
 func (t *ResourceVersionTable) AddXdsResource(rType resourcev3.Type, xdsResource types.Resource) error {
+	// It's a sanity check to make sure the xdsResource is not nil
+	if xdsResource == nil {
+		return fmt.Errorf("xds resource is nil")
+	}
+
 	// Perform type switch to handle different types of xdsResource
 	switch rType {
 	case resourcev3.ListenerType: