From 647f6505699080fdc305e3034a01d0411fcafb79 Mon Sep 17 00:00:00 2001
From: Dhia Ayachi <dhia.ayachi@gmail.com>
Date: Tue, 22 Oct 2024 14:39:20 -0400
Subject: [PATCH] fix to not cancel Trust Bundle watch when another upstream is
 available on the same peer.

---
 agent/proxycfg/connect_proxy.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/agent/proxycfg/connect_proxy.go b/agent/proxycfg/connect_proxy.go
index 0a8c1737923e..4c0c4d558673 100644
--- a/agent/proxycfg/connect_proxy.go
+++ b/agent/proxycfg/connect_proxy.go
@@ -430,10 +430,12 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
 		}
 
 		seenUpstreams := make(map[UpstreamID]struct{})
+		seenPeers := make(map[string]struct{})
 		for _, svc := range resp.Services {
 			uid := NewUpstreamIDFromServiceName(svc)
 
 			seenUpstreams[uid] = struct{}{}
+			seenPeers[uid.Peer] = struct{}{}
 
 			cfgMap := make(map[string]interface{})
 			u, ok := snap.ConnectProxy.UpstreamConfig[uid]
@@ -496,7 +498,11 @@ func (s *handlerConnectProxy) handleUpdate(ctx context.Context, u UpdateEvent, s
 					targetUID := NewUpstreamIDFromTargetID(targetID)
 					if targetUID.Peer != "" {
 						snap.ConnectProxy.PeerUpstreamEndpoints.CancelWatch(targetUID)
-						snap.ConnectProxy.UpstreamPeerTrustBundles.CancelWatch(targetUID.Peer)
+						// Only cancel watch if the peer is not seen,
+						// otherwise keep it as it's used by another service on the same peer
+						if _, ok := seenPeers[targetUID.Peer]; !ok {
+							snap.ConnectProxy.UpstreamPeerTrustBundles.CancelWatch(targetUID.Peer)
+						}
 					}
 				}
 				delete(snap.ConnectProxy.WatchedUpstreams, uid)