pilot: fix to ensure we only use mesh config after it is initialized (i…

…stio#52820) * pilot: fix to ensure we only use mesh config after it is initialized Fixes istio#52803 * add comment
dhawton · Aug 27, 2024 · 5d9f6d0 · 5d9f6d0
1 parent 9d826e8
commit 5d9f6d0
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/pilot/pkg/bootstrap/server.go b/pilot/pkg/bootstrap/server.go
@@ -242,14 +242,12 @@ func NewServer(args *PilotArgs, initFuncs ...func(*Server)) (*Server, error) {
 		istiodCertBundleWatcher: keycertbundle.NewWatcher(),
 		webhookInfo:             &webhookInfo{},
 	}
-	s.workloadTrustBundle = tb.NewTrustBundle(nil, e.Watcher)
 
 	// Apply custom initialization functions.
 	for _, fn := range initFuncs {
 		fn(s)
 	}
 	// Initialize workload Trust Bundle before XDS Server
-	e.TrustBundle = s.workloadTrustBundle
 	s.XDSServer = xds.NewDiscoveryServer(e, args.RegistryOptions.KubeOptions.ClusterAliases)
 	configGen := core.NewConfigGenerator(s.XDSServer.Cache)
 
@@ -288,6 +286,10 @@ func NewServer(args *PilotArgs, initFuncs ...func(*Server)) (*Server, error) {
 		return nil, err
 	}
 
+	// Initialize trust bundle after mesh config which it depends on
+	s.workloadTrustBundle = tb.NewTrustBundle(nil, e.Watcher)
+	e.TrustBundle = s.workloadTrustBundle
+
 	// Options based on the current 'defaults' in istio.
 	caOpts := &caOptions{
 		TrustDomain:      s.environment.Mesh().TrustDomain,