From a33b224a55fb570f4775bb8944eb0e39a4b680c7 Mon Sep 17 00:00:00 2001
From: Derek Menteer <105233703+hashi-derek@users.noreply.github.com>
Date: Mon, 24 Apr 2023 12:03:26 -0500
Subject: [PATCH] Fix virtual services being included in intention topology as downstreams. (#17099)
---
 agent/consul/state/intention.go | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/agent/consul/state/intention.go b/agent/consul/state/intention.go
index 3212b20389..3b03b91007 100644
--- a/agent/consul/state/intention.go
+++ b/agent/consul/state/intention.go
@@ -1079,16 +1079,21 @@ func (s *Store) intentionTopologyTxn(
 }
 addSvcs(tempServices)
- // Query the virtual ip table as well to include virtual services that don't have a registered instance yet.
- vipIndex, vipServices, err := servicesVirtualIPsTxn(tx)
- if err != nil {
- return index, nil, fmt.Errorf("failed to list service virtual IPs: %v", err)
- }
- for _, svc := range vipServices {
- services[svc.Service.ServiceName] = struct{}{}
- }
- if vipIndex > index {
- index = vipIndex
+ if !downstreams {
+ // Query the virtual ip table as well to include virtual services that don't have a registered instance yet.
+ // We only need to do this for upstreams currently, so that tproxy can find which discovery chains should be
+ // contacted for failover scenarios. Virtual services technically don't need to be considered as downstreams,
+ // because they will take on the identity of the calling service, rather than the chain itself.
+ vipIndex, vipServices, err := servicesVirtualIPsTxn(tx)
+ if err != nil {
+ return index, nil, fmt.Errorf("failed to list service virtual IPs: %v", err)
+ }
+ for _, svc := range vipServices {
+ services[svc.Service.ServiceName] = struct{}{}
+ }
+ if vipIndex > index {
+ index = vipIndex
+ }
 }
 } else {
 // destinations can only ever be upstream, since they are only allowed as intention destination.
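Review bot: The new `if !downstreams` guard in intentionTopologyTxn ships without a regression test (the diffstat lists only intention.go), so nothing pins that a virtual service with no registered instance is excluded from the downstream result while still being returned as an upstream. Because the added comment says tproxy relies on the upstream result to find discovery chains, and the downstream result presumably informs which callers are shown as able to reach a service, a table-driven case covering both values of `downstreams` would guard against this branch being inverted or removed later. Separately, the moved error return still formats the cause with `%v`; `fmt.Errorf("failed to list service virtual IPs: %w", err)` would keep it inspectable with errors.Is/As. The function body starts and ends outside the hunk, so whether other callers depend on the old downstream contents cannot be confirmed from here.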