Propagate trust domain to e/w gateway (#58428)

keithmattix · web-flow · commit 7e3a76e8051f · 2025-11-27T08:20:10.000-08:00
* Propagate trust domain to e/w gateway

Signed-off-by: Keith Mattix II &lt;keithmattix@microsoft.com&gt;

* Add release note

Signed-off-by: Keith Mattix II &lt;keithmattix@microsoft.com&gt;

* Remove extra space

Signed-off-by: Keith Mattix II &lt;keithmattix@microsoft.com&gt;

---------

Signed-off-by: Keith Mattix II &lt;keithmattix@microsoft.com&gt;
diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex_multicluster_test.go b/pilot/pkg/serviceregistry/kube/controller/ambient/ambientindex_multicluster_test.go
@@ -551,6 +551,8 @@ func TestMulticlusterAmbientIndex_TestServiceMerging(t *testing.T) {
 func TestMulticlusterAmbientIndex_SplitHorizon(t *testing.T) {
 	test.SetForTest(t, &features.EnableAmbientMultiNetwork, true)
 	s := newAmbientTestServer(t, testC, testNW, "")
+	// Test that we're propagating the trust domain correctly
+	s.meshConfig.Mesh().TrustDomain = s.DomainSuffix
 	s.AddSecret("s1", "remote-cluster") // overlapping ips
 	remoteClients := krt.NewCollection(s.remoteClusters, func(_ krt.HandlerContext, c *multicluster.Cluster) **remoteAmbientClients {
 		cl := c.Client
@@ -635,6 +637,12 @@ func TestMulticlusterAmbientIndex_SplitHorizon(t *testing.T) {
 		if len(gwwl.Workload.Addresses) != 1 {
 			return fmt.Errorf("expected network gateway workload to have addresses, got %v", gwwl.Workload.Addresses)
 		}
+		if gwwl.Workload.TrustDomain != s.DomainSuffix {
+			return fmt.Errorf("expected network gateway workload to have trust domain %s, got %s",
+				s.DomainSuffix,
+				gwwl.Workload.TrustDomain,
+			)
+		}
 		expectedAddress := []uint8{172, 0, 1, 2}
 		if !reflect.DeepEqual(gwwl.Workload.Addresses[0], expectedAddress) {
 			return fmt.Errorf("expected network gateway workload to have address %s, got %s",
diff --git a/pilot/pkg/serviceregistry/kube/controller/ambient/workloads.go b/pilot/pkg/serviceregistry/kube/controller/ambient/workloads.go
@@ -115,7 +115,8 @@ func (a *index) WorkloadsCollection(
 		opts.WithName("EndpointSliceWorkloads")...)
 
 	NetworkGatewayWorkloads := krt.NewManyFromNothing[model.WorkloadInfo](func(ctx krt.HandlerContext) []model.WorkloadInfo {
-		return slices.Map(a.LookupAllNetworkGateway(ctx), convertGateway)
+		meshCfg := krt.FetchOne(ctx, meshConfig.AsCollection())
+		return slices.Map(a.LookupAllNetworkGateway(ctx), convertGateway(meshCfg))
 	}, opts.WithName("NetworkGatewayWorkloads")...)
 
 	Workloads := krt.JoinCollection(
@@ -263,10 +264,11 @@ func MergedGlobalWorkloadsCollection(
 	)
 
 	GlobalNetworkGatewayWorkloads := krt.NewManyFromNothing[model.WorkloadInfo](func(ctx krt.HandlerContext) []model.WorkloadInfo {
+		meshCfg := krt.FetchOne(ctx, meshConfig.AsCollection())
 		return slices.Map(LookupAllNetworkGateway(
 			ctx,
 			globalNetworks.NetworkGateways,
-		), convertGateway)
+		), convertGateway(meshCfg))
 	}, opts.WithName("LocalNetworkGatewayWorkloads")...)
 	LocalNetworkGatewayWorkloadsWithCluster := krt.MapCollection(
 		GlobalNetworkGatewayWorkloads,
@@ -1544,22 +1546,25 @@ func gatewayUID(gw model.NetworkGateway) string {
 // convertGateway always converts a NetworkGateway into a Workload.
 // Workloads have a NetworkGateway field, which is effectively a pointer to another object (Service or Workload); in order
 // to facilitate this we need to translate our Gateway model down into a WorkloadInfo ztunnel can understand.
-func convertGateway(gw NetworkGateway) model.WorkloadInfo {
-	wl := &workloadapi.Workload{
-		Uid:            gatewayUID(gw.NetworkGateway),
-		Name:           gatewayUID(gw.NetworkGateway),
-		ServiceAccount: gw.ServiceAccount.Name,
-		Namespace:      gw.ServiceAccount.Namespace,
-		Network:        gw.Network.String(),
-	}
+func convertGateway(mesh *MeshConfig) func(gw NetworkGateway) model.WorkloadInfo {
+	return func(gw NetworkGateway) model.WorkloadInfo {
+		wl := &workloadapi.Workload{
+			Uid:            gatewayUID(gw.NetworkGateway),
+			Name:           gatewayUID(gw.NetworkGateway),
+			ServiceAccount: gw.ServiceAccount.Name,
+			Namespace:      gw.ServiceAccount.Namespace,
+			Network:        gw.Network.String(),
+			TrustDomain:    pickTrustDomain(mesh),
+		}
 
-	if ip, err := netip.ParseAddr(gw.Addr); err == nil {
-		wl.Addresses = append(wl.Addresses, ip.AsSlice())
-	} else {
-		wl.Hostname = gw.Addr
-	}
+		if ip, err := netip.ParseAddr(gw.Addr); err == nil {
+			wl.Addresses = append(wl.Addresses, ip.AsSlice())
+		} else {
+			wl.Hostname = gw.Addr
+		}
 
-	return precomputeWorkload(model.WorkloadInfo{Workload: wl})
+		return precomputeWorkload(model.WorkloadInfo{Workload: wl})
+	}
 }
 
 func getNetworkGatewayAddress(
diff --git a/releasenotes/notes/58427.yaml b/releasenotes/notes/58427.yaml
@@ -0,0 +1,7 @@
+apiVersion: release-notes/v2
+kind: bug-fix
+area: traffic-management
+issue: [58427]
+releaseNotes:
+  - |
+    **Fixed** an issue causing ambient multi-network connections to fail when using a custom trust domain.
