Merge 16d59ad into backport/nd/net-10435-cluster-validation/overly-wa…

…rm-thrush
hashicorp · Aug 20, 2024 · 9a3658b · 9a3658b
2 parents 2b183ec + 16d59ad
commit 9a3658b
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 10 deletions.
diff --git a/agent/structs/config_entry_mesh.go b/agent/structs/config_entry_mesh.go
@@ -20,9 +20,12 @@ type MeshConfigEntry struct {
 	// MutualTLSMode=permissive in either service-defaults or proxy-defaults.
 	AllowEnablingPermissiveMutualTLS bool `json:",omitempty" alias:"allow_enabling_permissive_mutual_tls"`
 
-	// ValidateClusters is false by default and configures whether Envoy proxies will validate clusters in a route. If
-	// set to true and any clusters in the route do not exist, the route table will not load. If set to false, the route
-	// table will load and routing to a non-existent cluster will result in a 404.
+	// ValidateClusters controls whether the clusters the route table refers to are validated. The default value is
+	// false. When set to false and a route refers to a cluster that does not exist, the route table loads and routing
+	// to a non-existent cluster results in a 404. When set to true and the route is set to a cluster that do not exist,
+	// the route table will not load. For more information, refer to
+	// [HTTP route configuration in the Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-field-config-route-v3-routeconfiguration-validate-clusters)
+	// for more details.
 	ValidateClusters bool `json:",omitempty" alias:"validate_clusters"`
 
 	TLS *MeshTLSConfig `json:",omitempty"`

diff --git a/agent/xds/routes.go b/agent/xds/routes.go
@@ -286,10 +286,8 @@ func (s *ResourceGenerator) routesForMeshGateway(cfgSnap *proxycfg.ConfigSnapsho
 			Name:         uid.EnvoyID(),
 			VirtualHosts: []*envoy_route_v3.VirtualHost{virtualHost},
 		}
-		if mesh := cfgSnap.MeshConfig(); mesh != nil {
-			if mesh.ValidateClusters {
-				route.ValidateClusters = response.MakeBoolValue(true)
-			}
+		if meshValidateClusters(cfgSnap) {
+			route.ValidateClusters = response.MakeBoolValue(true)
 		}
 		resources = append(resources, route)
 	}

diff --git a/api/config_entry_mesh.go b/api/config_entry_mesh.go
@@ -26,9 +26,12 @@ type MeshConfigEntry struct {
 	// MutualTLSMode=permissive in either service-defaults or proxy-defaults.
 	AllowEnablingPermissiveMutualTLS bool `json:",omitempty" alias:"allow_enabling_permissive_mutual_tls"`
 
-	// ValidateClusters is false by default and configures whether Envoy proxies will validate clusters in a route. If
-	// set to true and any clusters in the route do not exist, the route table will not load. If set to false, the route
-	// table will load and routing to a non-existent cluster will result in a 404.
+	// ValidateClusters controls whether the clusters the route table refers to are validated. The default value is
+	// false. When set to false and a route refers to a cluster that does not exist, the route table loads and routing
+	// to a non-existent cluster results in a 404. When set to true and the route is set to a cluster that do not exist,
+	// the route table will not load. For more information, refer to
+	// [HTTP route configuration in the Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-field-config-route-v3-routeconfiguration-validate-clusters)
+	// for more details.
 	ValidateClusters bool `json:",omitempty" alias:"validate_clusters"`
 
 	TLS *MeshTLSConfig `json:",omitempty"`

diff --git a/website/content/docs/connect/config-entries/mesh.mdx b/website/content/docs/connect/config-entries/mesh.mdx
@@ -342,6 +342,17 @@ Note that the Kubernetes example does not include a `partition` field. Configura
       description:
         'Controls whether `MutualTLSMode=permissive` can be set in the `proxy-defaults` and `service-defaults` configuration entries. '
     },
+    {
+      name: 'ValidateClusters',
+      type: 'bool: false',
+      description:
+        `Controls whether the clusters the route table refers to are validated. The default value is false. When set to
+         false and a route refers to a cluster that does not exist, the route table loads and routing to a non-existent
+         cluster results in a 404. When set to true and the route is set to a cluster that do not exist, the route table
+         will not load.  For more information, refer to
+         [HTTP route configuration in the Envoy docs](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route.proto#envoy-v3-api-field-config-route-v3-routeconfiguration-validate-clusters)
+         for more details. `,
+    },
     {
       name: 'TLS',
       type: 'TLSConfig: <optional>',