From 7ef43ac0dc2625f50a8949161884d1d0b20006ef Mon Sep 17 00:00:00 2001
From: jm96441n
Date: Tue, 19 Mar 2024 18:57:59 +0000
Subject: [PATCH 1/4] backport of commit debd682a8e9f692f9ae80b1071ef553eeba04ebd

---
 control-plane/api-gateway/cache/consul.go | 90 ++++++++++++++++++-----
 1 file changed, 71 insertions(+), 19 deletions(-)

diff --git a/control-plane/api-gateway/cache/consul.go b/control-plane/api-gateway/cache/consul.go
index f2d6ec9bf9..dbc052d0bf 100644
--- a/control-plane/api-gateway/cache/consul.go
+++ b/control-plane/api-gateway/cache/consul.go
@@ -83,6 +83,12 @@ type Cache struct {
 	subscribers map[string][]*Subscription
 	subscriberMutex *sync.Mutex
 
+	gatewayNameToPolicy map[string]*api.ACLPolicy
+	policyMutex *sync.Mutex
+
+	gatewayNameToRole map[string]*api.ACLRole
+	aclRoleMutex *sync.Mutex
+
 	namespacesEnabled bool
 	crossNamespaceACLPolicy string
 
@@ -109,6 +115,10 @@ func New(config Config) *Cache {
 		cacheMutex: &sync.Mutex{},
 		subscribers: make(map[string][]*Subscription),
 		subscriberMutex: &sync.Mutex{},
+		gatewayNameToPolicy: make(map[string]*api.ACLPolicy),
+		policyMutex: &sync.Mutex{},
+		gatewayNameToRole: make(map[string]*api.ACLRole),
+		aclRoleMutex: &sync.Mutex{},
 		kinds: Kinds,
 		synced: make(chan struct{}, len(Kinds)),
 		logger: config.Logger,
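Review bot: The four new fields added to `Cache` carry no comment saying what the maps hold or which mutex guards them, even though the rest of this series pairs each map with its own lock. I would add `// gatewayNameToPolicy caches the ACL policy created for each gateway name; guarded by policyMutex.` above the first map and `// gatewayNameToRole caches the ACL role created for each gateway name; guarded by aclRoleMutex.` above the second, so a reader of `ensurePolicy`/`ensureRole` knows which lock to take before touching them. Both the `Cache` struct and `New` start outside this hunk.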
@@ -339,21 +349,46 @@ func (c *Cache) Write(ctx context.Context, entry api.ConfigEntry) error {
 }
 
 func (c *Cache) ensurePolicy(client *api.Client, gatewayName string) (string, error) {
-	policy := c.gatewayPolicy(gatewayName)
+	c.policyMutex.Lock()
+	defer c.policyMutex.Unlock()
+
+	createPolicy := func() (string, error) {
+		policy := c.gatewayPolicy(gatewayName)
 
-	created, _, err := client.ACL().PolicyCreate(&policy, &api.WriteOptions{})
+		created, _, err := client.ACL().PolicyCreate(&policy, &api.WriteOptions{})
+
+		if isPolicyExistsErr(err, policy.Name) {
+			existing, _, err := client.ACL().PolicyReadByName(policy.Name, &api.QueryOptions{})
+			if err != nil {
+				return "", err
+			}
+			return existing.ID, nil
+		}
 
-	if isPolicyExistsErr(err, policy.Name) {
-		existing, _, err := client.ACL().PolicyReadByName(policy.Name, &api.QueryOptions{})
 		if err != nil {
 			return "", err
 		}
-		return existing.ID, nil
+
+		c.gatewayNameToPolicy[gatewayName] = created
+		return created.ID, nil
 	}
-	if err != nil {
-		return "", err
+
+	cachedPolicy, found := c.gatewayNameToPolicy[gatewayName]
+	if found {
+		existing, _, err := client.ACL().PolicyReadByName(cachedPolicy.Name, &api.QueryOptions{})
+
+		if existing == nil {
+			return createPolicy()
+		}
+
+		if err != nil {
+			return "", err
+		}
+
+		return existing.ID, nil
 	}
-	return created.ID, nil
+
+	return createPolicy()
 }
 
 func (c *Cache) ensureRole(client *api.Client, gatewayName string) (string, error) {
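Review bot: In `createPolicy`, the `isPolicyExistsErr` branch reads the policy back by name but never stores it in `c.gatewayNameToPolicy`, so the next `ensurePolicy` call for that gateway misses the cache, calls `PolicyCreate` again and trips the same already-exists error this series is trying to stop logging. That branch also dereferences `existing.ID` with no nil check; if `PolicyReadByName` reports not-found as a nil policy, which the `existing == nil` test in the cached branch suggests, a policy deleted between the failed create and the read would panic here. I would guard the nil case and cache the read-back policy before returning. Neither path compares `existing.Rules` with what `c.gatewayPolicy` would generate, so a pre-existing policy of the same name is attached as-is; whether that matters depends on who can write policies under that name, which this hunk does not show. `gatewayPolicy` and `isPolicyExistsErr` are defined outside the hunk.
```go
		if isPolicyExistsErr(err, policy.Name) {
			existing, _, err := client.ACL().PolicyReadByName(policy.Name, &api.QueryOptions{})
			if err != nil {
				return "", err
			}
			// Not-found here means the policy vanished between the failed create and this read.
			if existing == nil {
				return "", fmt.Errorf("policy %q reported as existing but could not be read", policy.Name)
			}
			// Cache the read-back policy so later calls do not retry PolicyCreate.
			c.gatewayNameToPolicy[gatewayName] = existing
			return existing.ID, nil
		}
		// … unchanged: error check, cache insert and return of the created policy …
```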
@@ -362,24 +397,41 @@ func (c *Cache) ensureRole(client *api.Client, gatewayName string) (string, erro
 		return "", err
 	}
 
-	aclRoleName := fmt.Sprint("managed-gateway-acl-role-", gatewayName)
+	c.aclRoleMutex.Lock()
+	defer c.aclRoleMutex.Unlock()
+
+	createRole := func() (string, error) {
+		aclRoleName := fmt.Sprint("managed-gateway-acl-role-", gatewayName)
+		role := &api.ACLRole{
+			Name: aclRoleName,
+			Description: "ACL Role for Managed API Gateways",
+			Policies: []*api.ACLLink{{ID: policyID}},
+		}
+
+		_, _, err = client.ACL().RoleCreate(role, &api.WriteOptions{})
+		if err != nil {
+			return "", err
+		}
+		c.gatewayNameToRole[gatewayName] = role
+		return aclRoleName, err
+	}
+
+	cachedRole, found := c.gatewayNameToRole[gatewayName]
+
+	if !found {
+		return createRole()
+	}
 
-	aclRole, _, err := client.ACL().RoleReadByName(aclRoleName, &api.QueryOptions{})
+	aclRole, _, err := client.ACL().RoleReadByName(cachedRole.Name, &api.QueryOptions{})
 	if err != nil {
 		return "", err
 	}
-	if aclRole != nil {
-		return aclRoleName, nil
-	}
 
-	role := &api.ACLRole{
-		Name: aclRoleName,
-		Description: "ACL Role for Managed API Gateways",
-		Policies: []*api.ACLLink{{ID: policyID}},
+	if aclRole != nil {
+		return cachedRole.Name, nil
 	}
 
-	_, _, err = client.ACL().RoleCreate(role, &api.WriteOptions{})
-	return aclRoleName, err
+	return createRole()
 }
 
 func (c *Cache) gatewayPolicy(gatewayName string) api.ACLPolicy {

From ef176cb4513931b26e7f0b3bd6f980899139431e Mon Sep 17 00:00:00 2001
From: jm96441n
Date: Wed, 20 Mar 2024 00:28:12 +0000
Subject: [PATCH 2/4] backport of commit b97f65886a04029d90190e4f3061376346c8749f

---
 control-plane/api-gateway/cache/consul.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/control-plane/api-gateway/cache/consul.go b/control-plane/api-gateway/cache/consul.go
index dbc052d0bf..c1b9e840e2 100644
--- a/control-plane/api-gateway/cache/consul.go
+++ b/control-plane/api-gateway/cache/consul.go
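Review bot: On a cache miss `createRole` goes straight to `RoleCreate`, with no `RoleReadByName` first and, unlike `createPolicy`, no already-exists fallback; `gatewayNameToRole` is an in-memory map, so after a controller restart every gateway whose role already exists in Consul takes this path and returns whatever error Consul gives for a duplicate role name, whereas the removed code read by name before creating. I would read by name inside `createRole` and only create when nothing comes back, caching either result. Separately, when the cached role is found the hunk returns its name without checking that `aclRole.Policies` still links `policyID`; if the policy is ever recreated under a new ID the role keeps pointing at the old one, and a role with a dangling policy link grants nothing, so that deserves a follow-up. `ensureRole` begins before this hunk, where `policyID` is obtained.
```go
	createRole := func() (string, error) {
		aclRoleName := fmt.Sprint("managed-gateway-acl-role-", gatewayName)
		// A cache miss does not mean the role is absent (e.g. after a restart), so look before creating.
		existing, _, err := client.ACL().RoleReadByName(aclRoleName, &api.QueryOptions{})
		if err != nil {
			return "", err
		}
		if existing != nil {
			c.gatewayNameToRole[gatewayName] = existing
			return aclRoleName, nil
		}
		// … unchanged: build role, RoleCreate, cache insert and return …
	}
```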
@@ -374,21 +374,21 @@ func (c *Cache) ensurePolicy(client *api.Client, gatewayName string) (string, er
 	}
 
 	cachedPolicy, found := c.gatewayNameToPolicy[gatewayName]
-	if found {
-		existing, _, err := client.ACL().PolicyReadByName(cachedPolicy.Name, &api.QueryOptions{})
+	if !found {
+		return createPolicy()
+	}
 
-		if existing == nil {
-			return createPolicy()
-		}
+	existing, _, err := client.ACL().PolicyReadByName(cachedPolicy.Name, &api.QueryOptions{})
 
-		if err != nil {
-			return "", err
-		}
+	if existing == nil {
+		return createPolicy()
+	}
 
-		return existing.ID, nil
+	if err != nil {
+		return "", err
 	}
 
-	return createPolicy()
+	return existing.ID, nil
 }
 
 func (c *Cache) ensureRole(client *api.Client, gatewayName string) (string, error) {

From 7a6c03b3fd8c5a7803ca8e49b942aa7df3d149a0 Mon Sep 17 00:00:00 2001
From: jm96441n
Date: Wed, 20 Mar 2024 00:29:10 +0000
Subject: [PATCH 3/4] backport of commit 451a9405acdf95494353e1b2fe88aca0d77f4cb9

---
 control-plane/api-gateway/cache/consul.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/control-plane/api-gateway/cache/consul.go b/control-plane/api-gateway/cache/consul.go
index c1b9e840e2..0b0d067df7 100644
--- a/control-plane/api-gateway/cache/consul.go
+++ b/control-plane/api-gateway/cache/consul.go
@@ -374,6 +374,7 @@ func (c *Cache) ensurePolicy(client *api.Client, gatewayName string) (string, er
 	}
 
 	cachedPolicy, found := c.gatewayNameToPolicy[gatewayName]
+
 	if !found {
 		return createPolicy()
 	}

From 3e4dae1d5c475d26c9fb21a9515c306f83cadddd Mon Sep 17 00:00:00 2001
From: jm96441n
Date: Thu, 21 Mar 2024 15:52:16 +0000
Subject: [PATCH 4/4] backport of commit e06c2ce63ebc1bbf1809bea17862e20b03d1bcf2

---
 .changelog/3779.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/3779.txt

diff --git a/.changelog/3779.txt b/.changelog/3779.txt
new file mode 100644
index 0000000000..946fcca208
--- /dev/null
+++ b/.changelog/3779.txt
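Review bot: The read error is still checked after the nil test: `existing, _, err := client.ACL().PolicyReadByName(cachedPolicy.Name, &api.QueryOptions{})` is followed by `if existing == nil { return createPolicy() }` before `if err != nil`, so a failed read (timeout, ACL denied, Consul unavailable), which presumably leaves `existing` nil, is treated as "policy gone" and turns into a `PolicyCreate` against the same struggling server while the original error is dropped. Move the `if err != nil { return "", err }` block above the `if existing == nil` check so only a successful not-found result triggers recreation. `ensurePolicy` starts before this hunk.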
@@ -0,0 +1,3 @@
+```release-note:bug
+api-gateway: Fix order of initialization for creating ACL role/policy to avoid error logs in consul.
+```