Skip to content

policy: fix autogroup:self propagation and optimize cache invalidation #2807

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kradalby merged 4 commits into from
Oct 23, 2025
Merged

policy: fix autogroup:self propagation and optimize cache invalidation #2807

kradalby merged 4 commits into from
Oct 23, 2025

Conversation

@kradalby
Copy link
Collaborator

@kradalby kradalby commented Oct 19, 2025
edited
Loading

autogroup:self uses per-node filters, causing stale peer maps when nodes
change (global filter hash unchanged). Fix by detecting autogroup:self
in SetNodes() and forcing peer map rebuild.

Replace blanket cache clearing with granular invalidation of affected
nodes only. Move ReduceFilterRules to policyutil package and add
NodeView.HasNetworkChanges() for network change detection.

Fixes #2802

Claude was used in this PR.

@kradalby kradalby force-pushed the kradalby/2802-acl-self-propagate branch 4 times, most recently from 12dc8b5 to f834379 Compare October 22, 2025 09:41
@kradalby kradalby changed the title integration: add acl test to validate propagation policy: fix autogroup:self propagation and optimize cache invalidation Oct 22, 2025
@kradalby kradalby force-pushed the kradalby/2802-acl-self-propagate branch from f834379 to 76d119c Compare October 22, 2025 09:47
@kradalby kradalby added this to the v0.27.0 milestone Oct 22, 2025
@kradalby kradalby force-pushed the kradalby/2802-acl-self-propagate branch from 76d119c to 3e605ee Compare October 22, 2025 13:53
kradalby added a commit to kradalby/headscale that referenced this pull request Oct 23, 2025
@kradalby
integration: fix test flakiness with EventuallyWithT patterns
54b5d39 
Implements two patterns to handle eventual consistency in integration tests:

1. Built-in backoff retry for simple accessors (FQDN, IPv4, IPs)
   - Functions return (value, error) with internal 10s exponential backoff
   - Added MustFQDN(), MustIPv4(), MustIPs() panic variants

2. EventuallyWithT wrapping for complex validation
   - Status(): 11 calls (peer visibility, expiration, tags)
   - ListNodes(): 6 calls (registration, routes)
   - Curl(): 11 calls (HTTP connectivity)
   - Netmap(): 1 call (network map validation)

All 336 external state calls now have proper retry logic.

Fixes juanfont#2807
@kradalby kradalby force-pushed the kradalby/2802-acl-self-propagate branch from 57f9b64 to 35e27e3 Compare October 23, 2025 10:07
@kradalby
integration: add test to validate acl propagation
f96a374 
Add a ACL test that updates and validates node connectivity
over time as nodes and policy changes.

Updates juanfont#2802

Signed-off-by: Kristoffer Dalby <[email protected]>
kradalby added a commit to kradalby/headscale that referenced this pull request Oct 23, 2025
@kradalby
integration: fix test flakiness with EventuallyWithT patterns
82b2677 
Implements two patterns to handle eventual consistency in integration tests:

1. Built-in backoff retry for simple accessors (FQDN, IPv4, IPs)
   - Functions return (value, error) with internal 10s exponential backoff
   - Added MustFQDN(), MustIPv4(), MustIPs() panic variants

2. EventuallyWithT wrapping for complex validation
   - Status(): 11 calls (peer visibility, expiration, tags)
   - ListNodes(): 6 calls (registration, routes)
   - Curl(): 11 calls (HTTP connectivity)
   - Netmap(): 1 call (network map validation)

All 336 external state calls now have proper retry logic.

Fixes juanfont#2807
@kradalby kradalby force-pushed the kradalby/2802-acl-self-propagate branch 2 times, most recently from a26837d to d763dad Compare October 23, 2025 13:51
@kradalby
policy: fix autogroup:self propagation and optimize cache invalidation
7a8d888 
autogroup:self uses per-node filters, causing stale peer maps when nodes
change (global filter hash unchanged). Fix by detecting autogroup:self
in SetNodes() and forcing peer map rebuild.

Replace blanket cache clearing with granular invalidation of affected
nodes only. Move ReduceFilterRules to policyutil package and add
NodeView.HasNetworkChanges() for network change detection.
@kradalby
integration: more eventually and timing handling
aba890f
@kradalby
chore: fix formatting and linting issues
f0281a1 
- Remove trailing whitespace and extra blank lines
- Fix comment spacing
- Normalize indentation (spaces to tabs)
- Use octal prefix for file permissions
@kradalby kradalby force-pushed the kradalby/2802-acl-self-propagate branch from d763dad to f0281a1 Compare October 23, 2025 14:56
@kradalby kradalby marked this pull request as ready for review October 23, 2025 14:59
@kradalby kradalby merged commit 2bf1200 into juanfont:main Oct 23, 2025
170 of 176 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@juanfont juanfont juanfont approved these changes

@ohdearaugustin ohdearaugustin Awaiting requested review from ohdearaugustin ohdearaugustin is a code owner

@nblock nblock Awaiting requested review from nblock nblock is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v0.27.0

Development

Successfully merging this pull request may close these issues.

[Bug] ACL with autogroup:self is only pushed after restart

2 participants

@kradalby @juanfont