From 63e87434721824902d1bd8c7ef72456615020180 Mon Sep 17 00:00:00 2001
From: Andrew Stucki <andrew.stucki@hashicorp.com>
Date: Wed, 7 Jun 2023 18:37:30 -0400
Subject: [PATCH 1/2] [API Gateway] Fix trust domain for external peered
 services in synthesis code

---
 agent/proxycfg/snapshot.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/agent/proxycfg/snapshot.go b/agent/proxycfg/snapshot.go
index 5e92013b272f..1880dcd669f6 100644
--- a/agent/proxycfg/snapshot.go
+++ b/agent/proxycfg/snapshot.go
@@ -741,14 +741,23 @@ type configSnapshotAPIGateway struct {
 
 func (c *configSnapshotAPIGateway) synthesizeChains(datacenter string, listener structs.APIGatewayListener, boundListener structs.BoundAPIGatewayListener) ([]structs.IngressService, structs.Upstreams, []*structs.CompiledDiscoveryChain, error) {
 	chains := []*structs.CompiledDiscoveryChain{}
-	trustDomain := ""
+
+	// We leverage the test trust domain knowing
+	// that the domain will get overridden if
+	// there is a target to something other than an
+	// external/peered service. If the below
+	// code doesn't get a trust domain due to all the
+	// targets being external, the chain will
+	// have the domain munged anyway during synthesis.
+	trustDomain := connect.TestTrustDomain
 
 DOMAIN_LOOP:
 	for _, chain := range c.DiscoveryChain {
 		for _, target := range chain.Targets {
 			if !target.External {
-				trustDomain = connect.TrustDomainForTarget(*target)
-				if trustDomain != "" {
+				domain := connect.TrustDomainForTarget(*target)
+				if domain != "" {
+					trustDomain = domain
 					break DOMAIN_LOOP
 				}
 			}

From 896f11789b89062c745433a17dc37da5b56185fd Mon Sep 17 00:00:00 2001
From: Andrew Stucki <andrew.stucki@hashicorp.com>
Date: Wed, 7 Jun 2023 18:48:59 -0400
Subject: [PATCH 2/2] Add changelog

---
 .changelog/17609.txt | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .changelog/17609.txt

diff --git a/.changelog/17609.txt b/.changelog/17609.txt
new file mode 100644
index 000000000000..cbace1f8c7d2
--- /dev/null
+++ b/.changelog/17609.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+gateways: Fixed a bug in API gateways where binding a route that only targets a service imported from a peer results
+in the programmed gateway having no routes.
+```