Make proxy only listen after initial certs are fetched

agent/agent.go

@@ -2168,7 +2168,7 @@ func (a *Agent) applyProxyDefaults(proxy *structs.ConnectManagedProxy) error {
 	// If there is no globally configured default we need to get the
 	// default command so we can do "consul connect proxy"
 	if len(proxy.Command) == 0 {
-		command, err := defaultProxyCommand()
+		command, err := defaultProxyCommand(a.config)
 		if err != nil {
 			return err
 		}
@@ -2970,7 +2970,7 @@ func (a *Agent) registerCache() {
 }
 
 // defaultProxyCommand returns the default Connect managed proxy command.
-func defaultProxyCommand() ([]string, error) {
+func defaultProxyCommand(agentCfg *config.RuntimeConfig) ([]string, error) {
 	// Get the path to the current exectuable. This is cached once by the
 	// library so this is effectively just a variable read.
 	execPath, err := os.Executable()
@@ -2979,5 +2979,10 @@ func defaultProxyCommand() ([]string, error) {
 	}
 
 	// "consul connect proxy" default value for managed daemon proxy
-	return []string{execPath, "connect", "proxy"}, nil
+	cmd := []string{execPath, "connect", "proxy"}
+
+	if agentCfg != nil && agentCfg.LogLevel != "INFO" {
+		cmd = append(cmd, "-log-level", agentCfg.LogLevel)
+	}
+	return cmd, nil
 }

agent/agent_endpoint_test.go

@@ -3260,7 +3260,7 @@ func TestAgentConnectProxyConfig_ConfigHandling(t *testing.T) {
 	t.Parallel()
 
 	// Get the default command to compare below
-	defaultCommand, err := defaultProxyCommand()
+	defaultCommand, err := defaultProxyCommand(nil)
 	require.NoError(t, err)
 
 	// Define a local service with a managed proxy. It's registered in the test

connect/proxy/proxy.go

@@ -36,9 +36,18 @@ func New(client *api.Client, cw ConfigWatcher, logger *log.Logger) (*Proxy, erro
 func (p *Proxy) Serve() error {
 	var cfg *Config
 
+	// failCh is used to stop Serve and return an error from another goroutine we
+	// spawn.
+	failCh := make(chan error, 1)
+
 	// Watch for config changes (initial setup happens on first "change")
 	for {
 		select {
+		case err := <-failCh:
+			// don't log here, we can log with better context at the point where we
+			// write the err to the chan
+			return err
+
 		case newCfg := <-p.cfgWatcher.Watch():
 			p.logger.Printf("[DEBUG] got new config")
 
@@ -64,20 +73,27 @@ func (p *Proxy) Serve() error {
 					tcfg := service.ServerTLSConfig()
 					cert, _ := tcfg.GetCertificate(nil)
 					leaf, _ := x509.ParseCertificate(cert.Certificate[0])
+<<<<<<< HEAD
 					p.logger.Printf("[DEBUG] leaf: %s roots: %s", leaf.URIs[0],
 						bytes.Join(tcfg.RootCAs.Subjects(), []byte(",")))
 				}()
+=======
+					p.logger.Printf("[DEBUG] leaf: %s roots: %s", leaf.URIs[0], bytes.Join(tcfg.RootCAs.Subjects(), []byte(",")))
+>>>>>>> Make proxy only listen after initial certs are fetched
 
-				// Only start a listener if we have a port set. This allows
+					// Only start a listener if we have a port set. This allows
-				// the configuration to disable our public listener.
+					// the configuration to disable our public listener.
-				if newCfg.PublicListener.BindPort != 0 {
+					if newCfg.PublicListener.BindPort != 0 {
-					newCfg.PublicListener.applyDefaults()
+						newCfg.PublicListener.applyDefaults()
-					l := NewPublicListener(p.service, newCfg.PublicListener, p.logger)
+						l := NewPublicListener(p.service, newCfg.PublicListener, p.logger)
-					err = p.startListener("public listener", l)
+						err = p.startListener("public listener", l)
-					if err != nil {
+						if err != nil {
-						return err
+							// This should probably be fatal.
+							p.logger.Printf("[ERR] failed to start public listener: %s", err)
+							failCh <- err
+						}
 					}
-				}
+				}()
 			}
 
 			// TODO(banks) update/remove upstreams properly based on a diff with current. Can