consul/agent/proxycfg
R.B. Boyer 9a485cdb49
proxycfg: ensure that an irrecoverable error in proxycfg closes the xds session and triggers a replacement proxycfg watcher (#16497)
Receiving an "acl not found" error from an RPC in the agent cache and the
streaming/event components will cause any request loops to cease under the
assumption that they will never work again if the token was destroyed. This
prevents log spam (#14144, #9738).

Unfortunately due to things like:

- authz requests going to stale servers that may not have witnessed the token
  creation yet

- authz requests in a secondary datacenter happening before the tokens get
  replicated to that datacenter

- authz requests from a primary TO a secondary datacenter happening before the
  tokens get replicated to that datacenter

The caller will get an "acl not found" *before* the token exists, rather than
just after. The machinery added above in the linked PRs will kick in and
prevent the request loop from looping around again once the tokens actually
exist.

For `consul-dataplane` usages, where xDS is served by the Consul servers
rather than the clients ultimately this is not a problem because in that
scenario the `agent/proxycfg` machinery is on-demand and launched by a new xDS
stream needing data for a specific service in the catalog. If the watching
goroutines are terminated it ripples down and terminates the xDS stream, which
CDP will eventually re-establish and restart everything.

For Consul client usages, the `agent/proxycfg` machinery is ahead-of-time
launched at service registration time (called "local" in some of the proxycfg
machinery) so when the xDS stream comes in the data is already ready to go. If
the watching goroutines terminate it should terminate the xDS stream, but
there's no mechanism to re-spawn the watching goroutines. If the xDS stream
reconnects it will see no `ConfigSnapshot` and will not get one again until
the client agent is restarted, or the service is re-registered with something
changed in it.

This PR fixes a few things in the machinery:

- there was an inadvertent deadlock in fetching snapshot from the proxycfg
  machinery by xDS, such that when the watching goroutine terminated the
  snapshots would never be fetched. This caused some of the xDS machinery to
  get indefinitely paused and not finish the teardown properly.

- Every 30s we now attempt to re-insert all locally registered services into
  the proxycfg machinery.

- When services are re-inserted into the proxycfg machinery we special case
  "dead" ones such that we unilaterally replace them rather that doing that
  conditionally.
2023-03-03 14:27:53 -06:00
..
internal/watch perf: remove expensive reflection from xDS hot path (#14934) 2022-10-14 10:26:42 +01:00
api_gateway.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
connect_proxy.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
data_sources.go feat: xDS updates for peerings control plane through mesh gw 2022-10-07 08:46:42 -06:00
data_sources_oss.go proxycfg: replace direct agent cache usage with interfaces (#13320) 2022-06-01 16:18:06 +01:00
deep-copy.sh Implement APIGateway proxycfg snapshot (#16194) 2023-02-08 15:52:12 -06:00
ingress_gateway.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
manager.go proxycfg: ensure that an irrecoverable error in proxycfg closes the xds session and triggers a replacement proxycfg watcher (#16497) 2023-03-03 14:27:53 -06:00
manager_test.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
mesh_gateway.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
mesh_gateway_oss.go proxycfg: remove dependency on `cache.UpdateEvent` (#13144) 2022-05-20 15:47:40 +01:00
naming.go Fix configuration merging for implicit tproxy upstreams. (#16000) 2023-01-18 13:43:53 -06:00
naming_oss.go peering: Make Upstream peer-aware (#12900) 2022-04-29 18:12:51 -04:00
naming_test.go Cluster peering failover disco chain changes (#14296) 2022-08-23 09:13:43 -04:00
proxycfg.deepcopy.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
proxycfg.go Regenerate files according to 1.19.2 formatter 2022-10-24 16:12:08 -04:00
snapshot.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
snapshot_test.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
state.go proxycfg: ensure that an irrecoverable error in proxycfg closes the xds session and triggers a replacement proxycfg watcher (#16497) 2023-03-03 14:27:53 -06:00
state_oss_test.go proxycfg: replace direct agent cache usage with interfaces (#13320) 2022-06-01 16:18:06 +01:00
state_test.go Fix issue where terminating gateway service resolvers weren't properly cleaned up (#16498) 2023-03-03 09:56:57 -05:00
terminating_gateway.go Fix issue where terminating gateway service resolvers weren't properly cleaned up (#16498) 2023-03-03 09:56:57 -05:00
testing.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
testing_api_gateway.go Inline API Gateway TLS cert code (#16295) 2023-02-17 12:46:03 -05:00
testing_connect_proxy.go proxycfg: server-local intentions data source 2022-07-04 10:48:36 +01:00
testing_ingress_gateway.go Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495) 2023-03-03 09:37:12 -05:00
testing_mesh_gateway.go Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495) 2023-03-03 09:37:12 -05:00
testing_oss.go proxycfg: replace direct agent cache usage with interfaces (#13320) 2022-06-01 16:18:06 +01:00
testing_peering.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00
testing_terminating_gateway.go Add extension validation on config save and refactor extensions. (#16110) 2023-01-30 15:35:26 -06:00
testing_tproxy.go troubleshoot: service to service validation (#16096) 2023-01-27 11:43:16 -08:00
testing_upstreams.go Add ServiceResolver RequestTimeout for route timeouts to make TerminatingGateway upstream timeouts configurable (#16495) 2023-03-03 09:37:12 -05:00
upstreams.go Protobuf Refactoring for Multi-Module Cleanliness (#16302) 2023-02-17 16:14:46 -05:00