From cd2189a4018e534a11db8e8d61912f1c89254bf0 Mon Sep 17 00:00:00 2001
From: Andrew Stucki <andrew.stucki@hashicorp.com>
Date: Mon, 5 Jun 2023 15:49:30 +0000
Subject: [PATCH 1/3] backport of commit
 82e7d4fe18d450b2d43d476b704dc3ef1d155184

---
 agent/proxycfg-glue/glue.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/agent/proxycfg-glue/glue.go b/agent/proxycfg-glue/glue.go
index a188a0a852b..c0ea0c1a9e2 100644
--- a/agent/proxycfg-glue/glue.go
+++ b/agent/proxycfg-glue/glue.go
@@ -137,6 +137,12 @@ func newUpdateEvent(correlationID string, result any, err error) proxycfg.Update
 	if acl.IsErrNotFound(err) {
 		err = proxycfg.TerminalError(err)
 	}
+	// these are also errors where we should mark them
+	// as terminal for the sake of proxycfg, since they require
+	// a resubscribe.
+	if err == stream.ErrSubForceClosed || err == stream.ErrShuttingDown {
+		err = proxycfg.TerminalError(err)
+	}
 	return proxycfg.UpdateEvent{
 		CorrelationID: correlationID,
 		Result:        result,

From ddbd534aa14d2836008e5790c15c0a2460887076 Mon Sep 17 00:00:00 2001
From: Andrew Stucki <andrew.stucki@hashicorp.com>
Date: Mon, 5 Jun 2023 15:56:47 +0000
Subject: [PATCH 2/3] backport of commit
 45008e27c356321d7c94b23b165cce1b04a5dfb3

---
 .changelog/17566.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .changelog/17566.txt

diff --git a/.changelog/17566.txt b/.changelog/17566.txt
new file mode 100644
index 00000000000..f15718bd760
--- /dev/null
+++ b/.changelog/17566.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+xds: Fixed a bug where modifying ACLs on a token being actively used for an xDS connection caused all xDS updates to fail.
+```

From adad503da5488de5b5fbc36180509d30fbd6af68 Mon Sep 17 00:00:00 2001
From: Andrew Stucki <andrew.stucki@hashicorp.com>
Date: Mon, 5 Jun 2023 16:09:32 +0000
Subject: [PATCH 3/3] backport of commit
 bdee9e3b9858ca9b654de853bcb4c77d8f14843e

---
 agent/proxycfg-glue/glue.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/agent/proxycfg-glue/glue.go b/agent/proxycfg-glue/glue.go
index c0ea0c1a9e2..9730a417f83 100644
--- a/agent/proxycfg-glue/glue.go
+++ b/agent/proxycfg-glue/glue.go
@@ -2,6 +2,7 @@ package proxycfgglue
 
 import (
 	"context"
+	"errors"
 
 	"github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-memdb"
@@ -140,7 +141,7 @@ func newUpdateEvent(correlationID string, result any, err error) proxycfg.Update
 	// these are also errors where we should mark them
 	// as terminal for the sake of proxycfg, since they require
 	// a resubscribe.
-	if err == stream.ErrSubForceClosed || err == stream.ErrShuttingDown {
+	if errors.Is(err, stream.ErrSubForceClosed) || errors.Is(err, stream.ErrShuttingDown) {
 		err = proxycfg.TerminalError(err)
 	}
 	return proxycfg.UpdateEvent{