From e7010256fe706e638a862b3fa18214078637dff7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=9F=A9=E8=B4=A4=E6=B6=9B?= <601803023@qq.com> Date: Wed, 14 Jan 2026 09:30:51 +0800 Subject: [PATCH] feat: add authentication wrapper for debug endpoints (#3318) --- istio/istio | 2 +- pkg/bootstrap/server.go | 14 +++++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/istio/istio b/istio/istio index 3d7792ae2..c4703274c 160000 --- a/istio/istio +++ b/istio/istio @@ -1 +1 @@ -Subproject commit 3d7792ae287f1600a430c5f11f3de2c168a59a86 +Subproject commit c4703274cacd3e2e61269ebef21a78780708d29f diff --git a/pkg/bootstrap/server.go b/pkg/bootstrap/server.go index 0e1db80b6..e787d7add 100644 --- a/pkg/bootstrap/server.go +++ b/pkg/bootstrap/server.go @@ -16,12 +16,13 @@ package bootstrap import ( "fmt" - "istio.io/istio/pkg/config/mesh/meshwatcher" - "istio.io/istio/pkg/kube/krt" "net" "net/http" "time" + "istio.io/istio/pkg/config/mesh/meshwatcher" + "istio.io/istio/pkg/kube/krt" + prometheus "github.com/grpc-ecosystem/go-grpc-prometheus" "google.golang.org/grpc" "google.golang.org/grpc/reflection" @@ -436,10 +437,17 @@ func (s *Server) initHttpServer() error { } s.xdsServer.AddDebugHandlers(s.httpMux, nil, true, nil) s.httpMux.HandleFunc("/ready", s.readyHandler) - s.httpMux.HandleFunc("/registry/watcherStatus", s.registryWatcherStatusHandler) + s.httpMux.HandleFunc("/registry/watcherStatus", s.withConditionalAuth(s.registryWatcherStatusHandler)) return nil } +func (s *Server) withConditionalAuth(handler http.HandlerFunc) http.HandlerFunc { + if features.DebugAuth { + return s.xdsServer.AllowAuthenticatedOrLocalhost(handler) + } + return handler +} + // readyHandler checks whether the http server is ready func (s *Server) readyHandler(w http.ResponseWriter, _ *http.Request) { for name, fn := range s.readinessProbes {
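Review bot: `withConditionalAuth` carries no comment, so at the `/registry/watcherStatus` registration a reader cannot tell that the handler is served with no authentication at all unless `features.DebugAuth` is set; I would add `// withConditionalAuth wraps handler in the localhost-or-authenticated check used by the xDS debug endpoints when features.DebugAuth is enabled; with the flag off the handler is served unauthenticated. The flag is read once at registration, not per request.` The second sentence of that comment is worth stating because the `if` sits outside the returned handler, so flipping the flag at runtime changes nothing for an already-registered route. If `AllowAuthenticatedOrLocalhost` mirrors upstream Istio's helper, it admits any identity the xDS authenticators recognise and skips the check entirely for loopback peers, so this is authentication rather than authorization — worth a sentence in the same comment if that matches the fork. `initHttpServer` begins before this hunk.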