Caleb Doxsey 7a6d7c5a3c config: use stable route ids for authorize matching and order xds responses (#5618) ... ## Summary Update the `RouteID` to use the `policy.ID` if it is set. This makes it so that updated routes use a stable identifier between updates so if the envoy control plane is updated before the authorize service's internal definitions (or vice-versa) the authorize service will still be able to match the route. The current behavior results in a 404 if envoy passes the old route id. The new behavior will result in inconsistency, but it should be quickly remedied. To help with debugging 4 new fields were added to the authorize check log. The `route-id` and `route-checksum` as the authorize sees it and the `envoy-route-id` and `envoy-route-checksum` as envoy sees it. I also updated the way we send updates to envoy to try and model their recommended approach: > In general, to avoid traffic drop, sequencing of updates should follow a make before break model, wherein: > > - CDS updates (if any) must always be pushed first. > - EDS updates (if any) must arrive after CDS updates for the respective clusters. > - LDS updates must arrive after corresponding CDS/EDS updates. > - RDS updates related to the newly added listeners must arrive after CDS/EDS/LDS updates. > - VHDS updates (if any) related to the newly added RouteConfigurations must arrive after RDS updates. > - Stale CDS clusters and related EDS endpoints (ones no longer being referenced) can then be removed. This should help avoid 404s when configuration is being updated. ## Related issues - [ENG-2386](https://linear.app/pomerium/issue/ENG-2386/large-number-of-routes-leads-to-404s-and-slowness) ## Checklist - [x] reference any related issues - [x] updated unit tests - [x] add appropriate label (`enhancement`, `bug`, `breaking`, `dependencies`, `ci`) - [x] ready for review		2025-05-19 10:52:15 -06:00
..
reproxy	config: use stable route ids for authorize matching and order xds responses (#5618)	2025-05-19 10:52:15 -06:00
test_data	telemetry: add tracing	2019-07-24 09:20:16 -07:00
branding.go	config: add branding settings (#3558)	2022-08-16 14:51:47 -06:00
canonical.go	proxy: add support for logging http request headers (#4388)	2023-07-25 09:46:42 -06:00
client.go	logging: remove ctx from global log methods (#5337)	2024-10-23 14:18:52 -06:00
client_test.go	core/telemetry: move requestid to pkg directory (#4911)	2024-01-19 13:18:16 -07:00
cookie.go	httputil: add cookie chunker (#3775)	2022-12-02 09:41:09 -07:00
cookie_test.go	core/lint: upgrade golangci-lint, replace interface{} with any (#5099)	2024-05-02 14:33:52 -06:00
docs.go	*: remove import path comments (#545)	2020-03-16 10:13:47 -07:00
errors.go	core/logging: change log.Error function (#5251)	2024-09-05 15:42:46 -06:00
errors_test.go	httputil: ignore errors < 400 (#3781)	2022-12-05 09:00:25 -07:00
handlers.go	core/lint: upgrade golangci-lint, replace interface{} with any (#5099)	2024-05-02 14:33:52 -06:00
handlers_test.go	core/lint: upgrade golangci-lint, replace interface{} with any (#5099)	2024-05-02 14:33:52 -06:00
headers.go	only support loading idp tokens via bearer tokens (#5545)	2025-03-26 09:47:40 -06:00
httputil.go	device enrollment: fix ip address (#3430)	2022-06-16 11:30:38 -06:00
httputil_test.go	config: remove source, remove deadcode, fix linting issues (#4118)	2023-04-21 17:25:11 -06:00
ip.go	authenticate: add events (#4051)	2023-05-01 15:11:30 -04:00
options.go	Merge remote-tracking branch 'origin/master' into feature/envoy	2020-05-18 17:10:10 -04:00
router.go	upgrade to go v1.24 (#5562)	2025-04-02 15:53:09 -06:00
server.go	logging: remove ctx from global log methods (#5337)	2024-10-23 14:18:52 -06:00
server_test.go	core/lint: upgrade golangci-lint, replace interface{} with any (#5099)	2024-05-02 14:33:52 -06:00
signedout.go	core/authenticate: refactor identity authenticators to initiate redirect (#4858)	2023-12-19 12:04:23 -07:00
transport.go	config: use insecure skip verify if derived certificates are not used (#3861)	2023-01-11 13:50:51 -07:00