Backport of [OSS] Fix initial_fetch_timeout to wait for all xDS resources into release/1.14.x (#18066)

* fix(connect): set initial_fetch_time to wait indefinitely * changelog --------- Co-authored-by: DanStough <dan.stough@hashicorp.com>
1 year ago · 148a79fe93
38 changed files with 94 additions and 3 deletions
--- a/.changelog/18024.txt
+++ b/.changelog/18024.txt
@ -0,0 +1,3 @@
+```release-note:bug
+connect: fix a bug with Envoy potentially starting with incomplete configuration by not waiting enough for initial xDS configuration.
+```
--- a/agent/proxycfg/ingress_gateway.go
+++ b/agent/proxycfg/ingress_gateway.go
@ -92,12 +92,19 @@ func (s *handlerIngressGateway) handleUpdate(ctx context.Context, u UpdateEvent,
 		if !ok {
 			return fmt.Errorf("invalid type for response: %T", u.Result)
 		}
+
+		// We set this even if the response is empty so that we know the watch is set,
+		// but we don't block if the ingress config entry is unset for this gateway
+		snap.IngressGateway.GatewayConfigLoaded = true
+
+		if resp.Entry == nil {
+			return nil
+		}
 		gatewayConf, ok := resp.Entry.(*structs.IngressGatewayConfigEntry)
 		if !ok {
 			return fmt.Errorf("invalid type for config entry: %T", resp.Entry)
 		}

-		snap.IngressGateway.GatewayConfigLoaded = true
 		snap.IngressGateway.TLSConfig = gatewayConf.TLS
 		if gatewayConf.Defaults != nil {
 			snap.IngressGateway.Defaults = *gatewayConf.Defaults
--- a/agent/proxycfg/snapshot.go
+++ b/agent/proxycfg/snapshot.go
@ -687,6 +687,18 @@ func (c *configSnapshotIngressGateway) isEmpty() bool {
 		!c.MeshConfigSet
 }

+// valid tests for two valid ingress snapshot states:
+//  1. waiting: the watch on ingress config entries is set, but none were received
+//  2. loaded: both the ingress config entry AND the leaf cert are set
+func (c *configSnapshotIngressGateway) valid() bool {
+	waiting := c.GatewayConfigLoaded && len(c.Upstreams) == 0 && c.Leaf == nil
+
+	// If we have a leaf, it implies we successfully watched parent resources
+	loaded := c.GatewayConfigLoaded && c.Leaf != nil
+
+	return waiting || loaded
+}
+
 type IngressListenerKey struct {
 	Protocol string
 	Port     int
@ -769,8 +781,7 @@ func (s *ConfigSnapshot) Valid() bool {

 	case structs.ServiceKindIngressGateway:
 		return s.Roots != nil &&
-			s.IngressGateway.Leaf != nil &&
-			s.IngressGateway.GatewayConfigLoaded &&
+			s.IngressGateway.valid() &&
 			s.IngressGateway.HostsSet &&
 			s.IngressGateway.MeshConfigSet
 	default:
--- a/command/connect/envoy/bootstrap_tpl.go
+++ b/command/connect/envoy/bootstrap_tpl.go
@ -261,10 +261,12 @@ const bootstrapTemplate = `{
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/CONSUL_GRPC_ADDR-with-https-scheme-enables-tls.golden
+++ b/command/connect/envoy/testdata/CONSUL_GRPC_ADDR-with-https-scheme-enables-tls.golden
@ -197,10 +197,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-does-not-affect-grpc-tls.golden
+++ b/command/connect/envoy/testdata/CONSUL_HTTP_ADDR-with-https-scheme-does-not-affect-grpc-tls.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/access-log-path.golden
+++ b/command/connect/envoy/testdata/access-log-path.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/both-CONSUL_HTTP_ADDR-PLAIN-and-CONSUL_GRPC_ADDR-TLS-is-tls.golden
+++ b/command/connect/envoy/testdata/both-CONSUL_HTTP_ADDR-PLAIN-and-CONSUL_GRPC_ADDR-TLS-is-tls.golden
@ -197,10 +197,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/both-CONSUL_HTTP_ADDR-TLS-and-CONSUL_GRPC_ADDR-PLAIN-is-plain.golden
+++ b/command/connect/envoy/testdata/both-CONSUL_HTTP_ADDR-TLS-and-CONSUL_GRPC_ADDR-PLAIN-is-plain.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/defaults-nodemeta.golden
+++ b/command/connect/envoy/testdata/defaults-nodemeta.golden
@ -185,10 +185,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/defaults.golden
+++ b/command/connect/envoy/testdata/defaults.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden
+++ b/command/connect/envoy/testdata/deprecated-grpc-addr-config.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/envoy-readiness-probe.golden
+++ b/command/connect/envoy/testdata/envoy-readiness-probe.golden
@ -273,10 +273,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/existing-ca-file.golden
+++ b/command/connect/envoy/testdata/existing-ca-file.golden
@ -197,10 +197,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/existing-ca-path.golden
+++ b/command/connect/envoy/testdata/existing-ca-path.golden
@ -197,10 +197,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/extra_-multiple.golden
+++ b/command/connect/envoy/testdata/extra_-multiple.golden
@ -206,10 +206,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/extra_-single.golden
+++ b/command/connect/envoy/testdata/extra_-single.golden
@ -197,10 +197,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/grpc-addr-env.golden
+++ b/command/connect/envoy/testdata/grpc-addr-env.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/grpc-addr-flag.golden
+++ b/command/connect/envoy/testdata/grpc-addr-flag.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/grpc-addr-unix-with-tls.golden
+++ b/command/connect/envoy/testdata/grpc-addr-unix-with-tls.golden
@ -196,10 +196,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/grpc-addr-unix.golden
+++ b/command/connect/envoy/testdata/grpc-addr-unix.golden
@ -183,10 +183,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/grpc-tls-addr-config.golden
+++ b/command/connect/envoy/testdata/grpc-tls-addr-config.golden
@ -197,10 +197,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/ingress-gateway-address-specified.golden
+++ b/command/connect/envoy/testdata/ingress-gateway-address-specified.golden
@ -273,10 +273,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden
+++ b/command/connect/envoy/testdata/ingress-gateway-no-auto-register.golden
@ -273,10 +273,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/ingress-gateway-nodemeta.golden
+++ b/command/connect/envoy/testdata/ingress-gateway-nodemeta.golden
@ -274,10 +274,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden
+++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-and-proxy-id.golden
@ -273,10 +273,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden
+++ b/command/connect/envoy/testdata/ingress-gateway-register-with-service-without-proxy-id.golden
@ -273,10 +273,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/ingress-gateway.golden
+++ b/command/connect/envoy/testdata/ingress-gateway.golden
@ -273,10 +273,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/prometheus-metrics-tls-ca-file.golden
+++ b/command/connect/envoy/testdata/prometheus-metrics-tls-ca-file.golden
@ -310,10 +310,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/prometheus-metrics-tls-ca-path.golden
+++ b/command/connect/envoy/testdata/prometheus-metrics-tls-ca-path.golden
@ -310,10 +310,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/prometheus-metrics.golden
+++ b/command/connect/envoy/testdata/prometheus-metrics.golden
@ -273,10 +273,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/stats-config-override.golden
+++ b/command/connect/envoy/testdata/stats-config-override.golden
@ -62,10 +62,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/token-arg.golden
+++ b/command/connect/envoy/testdata/token-arg.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/token-env.golden
+++ b/command/connect/envoy/testdata/token-env.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/token-file-arg.golden
+++ b/command/connect/envoy/testdata/token-file-arg.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/token-file-env.golden
+++ b/command/connect/envoy/testdata/token-file-env.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/xds-addr-config.golden
+++ b/command/connect/envoy/testdata/xds-addr-config.golden
@ -184,10 +184,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {
--- a/command/connect/envoy/testdata/zipkin-tracing-config.golden
+++ b/command/connect/envoy/testdata/zipkin-tracing-config.golden
@ -217,10 +217,12 @@
  "dynamic_resources": {
    "lds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "cds_config": {
      "ads": {},
+      "initial_fetch_timeout": "0s",
      "resource_api_version": "V3"
    },
    "ads_config": {