Backport of Fix up case where subscription is terminated due to ACLs changing or a snapshot restore occurring into release/1.15.x (#17567)

* backport of commit 82e7d4fe18 * backport of commit 45008e27c3 * backport of commit bdee9e3b98 --------- Co-authored-by: Andrew Stucki <andrew.stucki@hashicorp.com>
2023-06-05 13:32:17 -04:00 · 2023-06-05 13:32:17 -04:00 · db584696fd
parent d2a1795176
commit db584696fd
2 changed files with 10 additions and 0 deletions
--- a/.changelog/17566.txt
+++ b/.changelog/17566.txt
@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail.
+```
--- a/agent/proxycfg-glue/glue.go
+++ b/agent/proxycfg-glue/glue.go
@ -2,6 +2,7 @@ package proxycfgglue

 import (
 	"context"
+	"errors"

 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-memdb"
@ -137,6 +138,12 @@ func newUpdateEvent(correlationID string, result any, err error) proxycfg.Update
 	if acl.IsErrNotFound(err) {
 		err = proxycfg.TerminalError(err)
 	}
+	// these are also errors where we should mark them
+	// as terminal for the sake of proxycfg, since they require
+	// a resubscribe.
+	if errors.Is(err, stream.ErrSubForceClosed) || errors.Is(err, stream.ErrShuttingDown) {
+		err = proxycfg.TerminalError(err)
+	}
 	return proxycfg.UpdateEvent{
 		CorrelationID: correlationID,
 		Result:        result,