diff --git a/.changelog/17566.txt b/.changelog/17566.txt new file mode 100644 index 0000000000..f15718bd76 --- /dev/null +++ b/.changelog/17566.txt @@ -0,0 +1,3 @@ +```release-note:bug +xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail. +``` diff --git a/agent/proxycfg-glue/glue.go b/agent/proxycfg-glue/glue.go index 03afd5c155..320d2fc258 100644 --- a/agent/proxycfg-glue/glue.go +++ b/agent/proxycfg-glue/glue.go @@ -5,6 +5,7 @@ package proxycfgglue import ( "context" + "errors" "github.com/hashicorp/go-hclog" "github.com/hashicorp/go-memdb" @@ -141,6 +142,12 @@ func newUpdateEvent(correlationID string, result any, err error) proxycfg.Update if acl.IsErrNotFound(err) { err = proxycfg.TerminalError(err) } + // these are also errors where we should mark them + // as terminal for the sake of proxycfg, since they require + // a resubscribe. + if errors.Is(err, stream.ErrSubForceClosed) || errors.Is(err, stream.ErrShuttingDown) { + err = proxycfg.TerminalError(err) + } return proxycfg.UpdateEvent{ CorrelationID: correlationID, Result: result,