d5a2eb677f
Transparent proxies can set up filter chains that allow direct connections to upstream service instances. Services that can be dialed directly are stored in the PassthroughUpstreams map of the proxycfg snapshot. Previously these addresses were not being cleaned up based on new service health data. The list of addresses associated with an upstream service would only ever grow. As services scale up and down, eventually they will have instances assigned to an IP that was previously assigned to a different service. When IP addresses are duplicated across filter chain match rules the listener config will be rejected by Envoy. This commit updates the proxycfg snapshot management so that passthrough addresses can get cleaned up when no longer associated with a given upstream. There is still the possibility of a race condition here where due to timing an address is shared between multiple passthrough upstreams. That concern is mitigated by #12195, but will be further addressed in a follow-up. |
||
|---|---|---|
| .. | ||
| clusters | ||
| endpoints | ||
| listeners | ||
| rbac | ||
| routes | ||
| alt-test-leaf-cert.golden | ||
| alt-test-leaf-key.golden | ||
| alt-test-root-cert.golden | ||
| cache-test-leaf-cert.golden | ||
| cache-test-leaf-key.golden | ||
| db-test-leaf-cert.golden | ||
| db-test-leaf-key.golden | ||
| test-leaf-cert.golden | ||
| test-leaf-key.golden | ||
| test-root-cert.golden | ||