fix: don't request client cert SDS when only CAFile is set#23679

Open
mrgupta7 wants to merge 4 commits into
mainfrom
mridul/tgw-sds-bug

Conversation

@mrgupta7 mrgupta7 commented Jun 19, 2026

Contributor

Description

When a Terminating Gateway service is configured with only CAFile (one-way TLS), makeUpstreamTLSContext was unconditionally emitting a TlsCertificateSdsSecretConfigs entry for svc-cert. Since no client cert is configured, the SDS server never pushes that secret, leaving Envoy's upstream cluster stuck in a permanent warming state and dropping all traffic to that service.

Updated the existing tests to handle such scenarios.

Testing & Reproduction steps

Tested with the setup - 200 OK response.

curl -v http://127.0.0.1:5000

*   Trying 127.0.0.1:5000...
* Connected to 127.0.0.1 (127.0.0.1) port 5000
> GET / HTTP/1.1
> Host: 127.0.0.1:5000
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
...

Links

Test Results

Envoy dynamic_active_cluster before fix

"common_tls_context": {
  "tls_certificate_sds_secret_configs": [
    {
      "name": "external-dns-service-cert",
      "sds_config": {
        "ads": {},
        "resource_api_version": "V3"
      }
    }
  ],
  "validation_context_sds_secret_config": {
    "name": "external-dns-service-ca",
    "sds_config": {
      "ads": {},
      "resource_api_version": "V3"
    }
  }
}

Envoy dynamic_active_cluster after fix

"common_tls_context": {
  "validation_context_sds_secret_config": {
    "name": "external-dns-service-ca",
    "sds_config": {
      "ads": {},
      "resource_api_version": "V3"
    }
  }
}

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.

  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.

  • If applicable, I've documented the impact of any changes to security controls.

    Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.
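To show the failure mode the description reports, here is an added illustration in Go (not code from the Consul repository): a buggy and a fixed builder for the upstream CommonTlsContext side by side, plus a small model of Envoy's warming rule. The envoy_tls_v3 types are replaced by minimal stand-in structs, and TGWService, buggyUpstreamTLSContext, fixedUpstreamTLSContext and clusterWarmed are names assumed for this example.

```go
package main

// Minimal stand-ins for the envoy_tls_v3 proto types (assumption: only the
// fields relevant to this bug are modelled, not the go-control-plane types).
type SdsSecretConfig struct{ Name string }

type CommonTlsContext struct {
	TlsCertificateSdsSecretConfigs   []*SdsSecretConfig
	ValidationContextSdsSecretConfig *SdsSecretConfig
}

// TGWService mirrors the terminating-gateway fields the description refers to:
// CAFile alone is one-way TLS; CertFile+KeyFile add a client certificate.
type TGWService struct{ Name, CAFile, CertFile, KeyFile string }

// buggyUpstreamTLSContext reproduces the reported behaviour: the svc-cert SDS
// reference is emitted even when no client certificate is configured.
func buggyUpstreamTLSContext(svc TGWService) *CommonTlsContext {
	return &CommonTlsContext{
		TlsCertificateSdsSecretConfigs:   []*SdsSecretConfig{{Name: svc.Name + "-cert"}},
		ValidationContextSdsSecretConfig: &SdsSecretConfig{Name: svc.Name + "-ca"},
	}
}

// fixedUpstreamTLSContext references the client-cert secret only when a cert
// and key are both set, so SDS can satisfy every reference the cluster makes.
func fixedUpstreamTLSContext(svc TGWService) *CommonTlsContext {
	ctx := &CommonTlsContext{}
	if svc.CAFile != "" {
		ctx.ValidationContextSdsSecretConfig = &SdsSecretConfig{Name: svc.Name + "-ca"}
	}
	if svc.CertFile != "" && svc.KeyFile != "" {
		ctx.TlsCertificateSdsSecretConfigs = []*SdsSecretConfig{{Name: svc.Name + "-cert"}}
	}
	return ctx
}

// clusterWarmed models Envoy's warming rule: a cluster stays in warming until
// every SDS secret it references has been delivered by the SDS server.
func clusterWarmed(ctx *CommonTlsContext, delivered map[string]bool) bool {
	for _, c := range ctx.TlsCertificateSdsSecretConfigs {
		if !delivered[c.Name] {
			return false
		}
	}
	if v := ctx.ValidationContextSdsSecretConfig; v != nil && !delivered[v.Name] {
		return false
	}
	return true
}
```

With a CAFile-only service the SDS server only ever pushes the "-ca" secret, so the buggy context never warms while the fixed one does.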

@mrgupta7 mrgupta7 requested review from a team as code owners June 19, 2026 12:48
@github-actions github-actions Bot added the theme/envoy/xds Related to Envoy support label Jun 19, 2026
@mrgupta7 mrgupta7 self-assigned this Jun 19, 2026
@mrgupta7 mrgupta7 added labels Jun 19, 2026: backport/ent/1.21 (changes are backported to 1.21 ent), backport/1.22 (changes are backported to 1.22), backport/ent/1.22 (changes are backported to 1.22 ent), backport/2.0 (changes are backported to 2.0), backport/ent/2.0 (changes are backported to 2.0 ent)
github-actions Bot commented Jun 19, 2026


Go Test Coverage: 61.7%

See the workflow run for the full per-package breakdown and downloadable HTML report.

codecov-commenter commented Jun 19, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.36%. Comparing base (313b0ed) to head (012656e).

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #23679      +/-   ##
==========================================
- Coverage   59.67%   59.36%   -0.32%     
==========================================
  Files         945      752     -193     
  Lines      114721    91520   -23201     
==========================================
- Hits        68465    54332   -14133     
+ Misses      39902    31867    -8035     
+ Partials     6354     5321    -1033     


Comment thread agent/xds/listeners.go
TlsCertificateSdsSecretConfigs: []*envoy_tls_v3.SdsSecretConfig{
{
Name: mapping.Service.Name + "-cert",
ctx := &envoy_tls_v3.CommonTlsContext{
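Review bot: the lines shown build TlsCertificateSdsSecretConfigs with the mapping.Service.Name + "-cert" entry as part of the CommonTlsContext literal, with no visible condition on whether the service actually has a client certificate configured; wherever the guard now lives, make the condition explicit (certificate and key both present, not merely "CAFile is set") and pair it with a test for the CAFile-only case that asserts TlsCertificateSdsSecretConfigs is empty while ValidationContextSdsSecretConfig is still populated, since that is the combination the description says leaves the cluster stuck warming.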

Contributor

What is the difference in behaviour because of the code changes now?

https://github.com/hashicorp/consul-enterprise/blob/main/agent/xds/secrets.go#L71
Already we have published secrets via SDS.
Here the reference is only provided as a name.

@mrgupta7 mrgupta7 Jun 24, 2026

Contributor Author


Updated the Envoy config changes before and after the fix in the description.

3 participants