hashicorp · boxofrad · Nov 9, 2021 · Nov 5, 2021 · Nov 8, 2021 · Nov 8, 2021
diff --git a/.changelog/11522.txt b/.changelog/11522.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+xds: fixes a bug where replacing a mesh gateway node used for WAN federation (with another that has a different IP) could leave gateways in the other DC unable to re-establish the connection
+```
diff --git a/agent/proxycfg/testing.go b/agent/proxycfg/testing.go
@@ -1506,6 +1506,47 @@ func TestConfigSnapshotMeshGatewayUsingFederationStates(t testing.T) *ConfigSnap
 	return testConfigSnapshotMeshGateway(t, true, true)
 }
 
+func TestConfigSnapshotMeshGatewayNewerInformationInFederationStates(t testing.T) *ConfigSnapshot {
+	snap := TestConfigSnapshotMeshGateway(t)
+
+	csn1 := snap.MeshGateway.GatewayGroups["dc2"][0]
+	csn2 := snap.MeshGateway.GatewayGroups["dc2"][1]
+
+	// Create a duplicate entry in FedStateGateways, with a higher ModifyIndex, to
+	// verify that its IP is chosen over the one in GatewayGroups (198.18.1.1).
+	svc1 := structs.TestNodeServiceMeshGatewayWithAddrs(t,
+		"10.0.1.3", 8443,
+		structs.ServiceAddress{Address: "10.0.1.3", Port: 8443},
+		structs.ServiceAddress{Address: "198.18.1.3", Port: 443},
+	)
+	svc1.RaftIndex.ModifyIndex = csn1.Service.ModifyIndex + 1
+
+	// Create another duplicate entry, this time without increasing its ModifyIndex,
+	// to verify that the IP in GatewayGroups (198.18.1.2) is chosen.
+	svc2 := structs.TestNodeServiceMeshGatewayWithAddrs(t,
+		"10.0.1.4", 8443,
+		structs.ServiceAddress{Address: "10.0.1.4", Port: 8443},
+		structs.ServiceAddress{Address: "198.18.1.4", Port: 443},
+	)
+
+	snap.MeshGateway.FedStateGateways = map[string]structs.CheckServiceNodes{
+		"dc2": {
+			{
+				Node:    csn1.Node,
+				Service: svc1,
+				Checks:  csn1.Checks,
+			},
+			{
+				Node:    csn2.Node,
+				Service: svc2,
+				Checks:  csn2.Checks,
+			},
+		},
+	}
+
+	return snap
+}
+
 func TestConfigSnapshotMeshGatewayNoServices(t testing.T) *ConfigSnapshot {
 	return testConfigSnapshotMeshGateway(t, false, false)
 }

diff --git a/agent/xds/endpoints.go b/agent/xds/endpoints.go
@@ -123,15 +123,64 @@ func (s *ResourceGenerator) endpointsFromSnapshotMeshGateway(cfgSnap *proxycfg.C
 			continue
 		}
 
-		endpoints, ok := cfgSnap.MeshGateway.GatewayGroups[key.String()]
-		if !ok {
-			endpoints, ok = cfgSnap.MeshGateway.FedStateGateways[key.String()]
-			if !ok { // not possible
-				s.Logger.Error("skipping mesh gateway endpoints because no definition found", "datacenter", key)
-				continue
+		endpoints := cfgSnap.MeshGateway.GatewayGroups[key.String()].ShallowClone()
+
+		// Merge in gateways from the federation state, handling duplicates by picking
+		// the one with the greatest ModifyIndex.
+		//
+		// Mesh gateways in remote DCs are discovered in two ways:
+		//
+		//	1. Via an Internal.ServiceDump RPC in the remote DC (GatewayGroups).
+		//	2. In the federation state that is replicated from the primary DC (FedStateGateways).
+		//
+		// Previously, GatewayGroups was always given presedence over FedStateGateways
+		// but this is problematic when using mesh gateways for WAN federation.
+		//
+		// Consider the following example:
+		//
+		//	- Primary and Secondary DCs are WAN Federated via local mesh gateways.
+		//
+		//	- Secondary DC's mesh gateway is running on an ephemeral compute instance
+		//	  and is abruptly terminated and rescheduled with a *new IP address*.
+		//
+		//	- Primary DC's mesh gateway is no longer able to connect to the Secondary
+		//	  DC as its proxy is configured with the old IP address. Therefore any RPC
+		//	  from the Primary to the Secondary DC will fail (including the one to
+		//	  discover the gateway's new IP address).
+		//
+		//	- Secondary DC performs its regular anti-entropy of federation state data
+		//	  to the Primary DC (this succeeds as there is still connectivity in this
+		//	  direction).
+		//
+		//	- At this point the Primary DC's mesh gateway should observe the new IP
+		//	  address and reconfigure its proxy, however as we always prioritised
+		//	  GatewayGroups this didn't happen and the connection remained severed.
+		fedStateEndpoints := cfgSnap.MeshGateway.FedStateGateways[key.String()]
+		for _, fse := range fedStateEndpoints {
+			idx := -1
+
+			for i, e := range endpoints {
+				if e.Service.Service == fse.Service.Service && e.Node.ID == fse.Node.ID {
+					idx = i
+					break
+				}
+			}
+
+			switch {
+			case idx == -1:
+				// Definition is only present in the federation state, add it wholesale.
+				endpoints = append(endpoints, fse)
+			case endpoints[idx].Service.RaftIndex.ModifyIndex < fse.Service.RaftIndex.ModifyIndex:
+				// Definition in the federation state is fresher, prefer it over the other.
+				endpoints[idx] = fse
 			}
 		}
 
+		if len(endpoints) == 0 {
+			s.Logger.Error("skipping mesh gateway endpoints because no definition found", "datacenter", key)
+			continue
+		}
+
 		{ // standard connect
 			clusterName := connect.GatewaySNI(key.Datacenter, key.Partition, cfgSnap.Roots.TrustDomain)
 

diff --git a/agent/xds/endpoints_test.go b/agent/xds/endpoints_test.go
@@ -245,6 +245,10 @@ func TestEndpointsFromSnapshot(t *testing.T) {
 			create: proxycfg.TestConfigSnapshotMeshGatewayUsingFederationStates,
 			setup:  nil,
 		},
+		{
+			name:   "mesh-gateway-newer-information-in-federation-states",
+			create: proxycfg.TestConfigSnapshotMeshGatewayNewerInformationInFederationStates,
+		},
 		{
 			name:   "mesh-gateway-no-services",
 			create: proxycfg.TestConfigSnapshotMeshGatewayNoServices,

diff --git a/...estdata/endpoints/mesh-gateway-newer-information-in-federation-states.envoy-1-20-x.golden b/...estdata/endpoints/mesh-gateway-newer-information-in-federation-states.envoy-1-20-x.golden
@@ -0,0 +1,145 @@
+{
+  "versionInfo": "00000001",
+  "resources": [
+    {
+      "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
+      "clusterName": "bar.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+      "endpoints": [
+        {
+          "lbEndpoints": [
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "172.16.1.6",
+                    "portValue": 2222
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            },
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "172.16.1.7",
+                    "portValue": 2222
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            },
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "172.16.1.8",
+                    "portValue": 2222
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
+      "clusterName": "dc2.internal.11111111-2222-3333-4444-555555555555.consul",
+      "endpoints": [
+        {
+          "lbEndpoints": [
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "198.18.1.3",
+                    "portValue": 443
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            },
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "198.18.1.2",
+                    "portValue": 443
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "@type": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
+      "clusterName": "foo.default.dc1.internal.11111111-2222-3333-4444-555555555555.consul",
+      "endpoints": [
+        {
+          "lbEndpoints": [
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "172.16.1.3",
+                    "portValue": 2222
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            },
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "172.16.1.4",
+                    "portValue": 2222
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            },
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "172.16.1.5",
+                    "portValue": 2222
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            },
+            {
+              "endpoint": {
+                "address": {
+                  "socketAddress": {
+                    "address": "172.16.1.9",
+                    "portValue": 2222
+                  }
+                }
+              },
+              "healthStatus": "HEALTHY",
+              "loadBalancingWeight": 1
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "typeUrl": "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment",
+  "nonce": "00000001"
+}