3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-06 04:42:56 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/authorize
History
Caleb Doxsey 7a6d7c5a3c
config: use stable route ids for authorize matching and order xds responses (#5618) 
## Summary
Update the `RouteID` to use the `policy.ID` if it is set. This makes it
so that updated routes use a stable identifier between updates so if the
envoy control plane is updated before the authorize service's internal
definitions (or vice-versa) the authorize service will still be able to
match the route.

The current behavior results in a 404 if envoy passes the old route id.
The new behavior will result in inconsistency, but it should be quickly
remedied. To help with debugging 4 new fields were added to the
authorize check log. The `route-id` and `route-checksum` as the
authorize sees it and the `envoy-route-id` and `envoy-route-checksum` as
envoy sees it.

I also updated the way we send updates to envoy to try and model their
recommended approach:

> In general, to avoid traffic drop, sequencing of updates should follow
a make before break model, wherein:
> 
> - CDS updates (if any) must always be pushed first.
> - EDS updates (if any) must arrive after CDS updates for the
respective clusters.
> - LDS updates must arrive after corresponding CDS/EDS updates.
> - RDS updates related to the newly added listeners must arrive after
CDS/EDS/LDS updates.
> - VHDS updates (if any) related to the newly added RouteConfigurations
must arrive after RDS updates.
> - Stale CDS clusters and related EDS endpoints (ones no longer being
referenced) can then be removed.

This should help avoid 404s when configuration is being updated.

## Related issues
-
[ENG-2386](https://linear.app/pomerium/issue/ENG-2386/large-number-of-routes-leads-to-404s-and-slowness)

## Checklist
- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review
2025-05-19 10:52:15 -06:00
..
checkrequest authorize: refactor logAuthorizeCheck() (#5576) 2025-04-23 09:21:52 -07:00
evaluator config: use stable route ids for authorize matching and order xds responses (#5618) 2025-05-19 10:52:15 -06:00
internal/store mcp: handle and pass upstream oauth2 tokens (#5595) 2025-05-01 12:42:31 -04:00
access_tracker.go core/go: use hashicorp/go-set (#5278) 2024-10-03 12:59:11 -06:00
access_tracker_test.go core/lint: upgrade golangci-lint, replace interface{} with any (#5099) 2024-05-02 14:33:52 -06:00
authorize.go mcp: pass access token to the upstream (#5593) 2025-04-29 12:13:18 -04:00
authorize_int_test.go authorize: move IdP token session creator initialization (#5616)d 2025-05-14 13:54:39 -07:00
authorize_test.go upgrade to go v1.24 (#5562) 2025-04-02 15:53:09 -06:00
check_response.go mcp: add global runtime flag (#5604) 2025-05-02 16:33:42 -04:00
check_response_grpc.go authorize: handle gRPC requests (#5400) 2024-12-19 08:46:53 -07:00
check_response_test.go mcp: add global runtime flag (#5604) 2025-05-02 16:33:42 -04:00
databroker.go proxy: use querier cache for user info (#5532) 2025-03-20 09:50:22 -06:00
databroker_test.go proxy: use querier cache for user info (#5532) 2025-03-20 09:50:22 -06:00
grpc.go config: use stable route ids for authorize matching and order xds responses (#5618) 2025-05-19 10:52:15 -06:00
grpc_test.go config: use stable route ids for authorize matching and order xds responses (#5618) 2025-05-19 10:52:15 -06:00
log.go config: use stable route ids for authorize matching and order xds responses (#5618) 2025-05-19 10:52:15 -06:00
log_test.go config: use stable route ids for authorize matching and order xds responses (#5618) 2025-05-19 10:52:15 -06:00
state.go authorize: move IdP token session creator initialization (#5616)d 2025-05-14 13:54:39 -07:00