spiffe: fix a data race in writing trust domain.

pkg/spiffe/spiffe.go

@@ -17,6 +17,7 @@ package spiffe
 import (
 	"fmt"
 	"strings"
+	"sync"
 
 	"istio.io/istio/pkg/log"
 )
@@ -31,15 +32,21 @@ const (
 )
 
 var (
-	trustDomain = defaultTrustDomain
+	trustDomain      = defaultTrustDomain
+	trustDomainMutex sync.RWMutex
 )
 
 func SetTrustDomain(value string) {
 	// Replace special characters in spiffe
-	trustDomain = strings.Replace(value, "@", ".", -1)
+	v := strings.Replace(value, "@", ".", -1)
+	trustDomainMutex.Lock()
+	trustDomain = v
+	trustDomainMutex.Unlock()
 }
 
 func GetTrustDomain() string {
+	trustDomainMutex.RLock()
+	defer trustDomainMutex.RUnlock()
 	return trustDomain
 }
 
@@ -60,7 +67,7 @@ func GenSpiffeURI(ns, serviceAccount string) (string, error) {
 		err = fmt.Errorf(
 			"namespace or service account empty for SPIFFEE uri ns=%v serviceAccount=%v", ns, serviceAccount)
 	}
-	return URIPrefix + trustDomain + "/ns/" + ns + "/sa/" + serviceAccount, err
+	return URIPrefix + GetTrustDomain() + "/ns/" + ns + "/sa/" + serviceAccount, err
 }
 
 // MustGenSpiffeURI returns the formatted uri(SPIFFEE format for now) for the certificate and logs if there was an error.
@@ -79,7 +86,5 @@ func GenCustomSpiffe(identity string) string {
 		return ""
 	}
 
-	// replace special character in spiffe
-	trustDomain = strings.Replace(trustDomain, "@", ".", -1)
-	return URIPrefix + trustDomain + "/" + identity
+	return URIPrefix + GetTrustDomain() + "/" + identity
 }