coder
diff --git a/‎codersdk/workspacesdk/connector.go
Lines changed: 0 additions & 14 deletions b/‎codersdk/workspacesdk/connector.go
Lines changed: 0 additions & 14 deletions
diff --git a/‎codersdk/workspacesdk/connector_internal_test.go
Lines changed: 0 additions & 53 deletions b/‎codersdk/workspacesdk/connector_internal_test.go
Lines changed: 0 additions & 53 deletions
diff --git a/‎codersdk/workspacesdk/workspacesdk.go
Lines changed: 2 additions & 13 deletions b/‎codersdk/workspacesdk/workspacesdk.go
Lines changed: 2 additions & 13 deletions
diff --git a/‎enterprise/coderd/workspaceproxy.go
Lines changed: 1 addition & 1 deletion b/‎enterprise/coderd/workspaceproxy.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎tailnet/configmaps.go
Lines changed: 71 additions & 27 deletions b/‎tailnet/configmaps.go
Lines changed: 71 additions & 27 deletions
diff --git a/‎tailnet/configmaps_internal_test.go
Lines changed: 69 additions & 0 deletions b/‎tailnet/configmaps_internal_test.go
Lines changed: 69 additions & 0 deletions
diff --git a/‎tailnet/conn.go
Lines changed: 3 additions & 2 deletions b/‎tailnet/conn.go
Lines changed: 3 additions & 2 deletions
@@ -53,8 +53,6 @@ type tailnetAPIConnector struct {
 	coordinateURL string
 	dialOptions   *websocket.DialOptions
 	conn          tailnetConn
-	agentAckOnce  sync.Once
-	agentAck      chan struct{}
 
 	connected chan error
 	isFirst   bool
@@ -76,7 +74,6 @@ func runTailnetAPIConnector(
 		conn:          conn,
 		connected:     make(chan error, 1),
 		closed:        make(chan struct{}),
-		agentAck:      make(chan struct{}),
 	}
 	tac.gracefulCtx, tac.cancelGracefulCtx = context.WithCancel(context.Background())
 	go tac.manageGracefulTimeout()
@@ -193,17 +190,6 @@ func (tac *tailnetAPIConnector) coordinate(client proto.DRPCTailnetClient) {
 	}()
 	coordination := tailnet.NewRemoteCoordination(tac.logger, coord, tac.conn, tac.agentID)
 	tac.logger.Debug(tac.ctx, "serving coordinator")
-	go func() {
-		select {
-		case <-tac.ctx.Done():
-			tac.logger.Debug(tac.ctx, "ctx timeout before agent ack")
-		case <-coordination.AwaitAck():
-			tac.logger.Debug(tac.ctx, "got agent ack")
-			tac.agentAckOnce.Do(func() {
-				close(tac.agentAck)
-			})
-		}
-	}()
 	select {
 	case <-tac.ctx.Done():
 		tac.logger.Debug(tac.ctx, "main context canceled; do graceful disconnect")
 
@@ -89,59 +89,6 @@ func TestTailnetAPIConnector_Disconnects(t *testing.T) {
 	require.NotNil(t, reqDisc.Disconnect)
 }
 
-func TestTailnetAPIConnector_Ack(t *testing.T) {
-	t.Parallel()
-	testCtx := testutil.Context(t, testutil.WaitShort)
-	ctx, cancel := context.WithCancel(testCtx)
-	defer cancel()
-	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
-	agentID := uuid.UUID{0x55}
-	clientID := uuid.UUID{0x66}
-	fCoord := tailnettest.NewFakeCoordinator()
-	var coord tailnet.Coordinator = fCoord
-	coordPtr := atomic.Pointer[tailnet.Coordinator]{}
-	coordPtr.Store(&coord)
-	derpMapCh := make(chan *tailcfg.DERPMap)
-	defer close(derpMapCh)
-	svc, err := tailnet.NewClientService(
-		logger, &coordPtr,
-		time.Millisecond, func() *tailcfg.DERPMap { return <-derpMapCh },
-	)
-	require.NoError(t, err)
-
-	svr := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		sws, err := websocket.Accept(w, r, nil)
-		if !assert.NoError(t, err) {
-			return
-		}
-		ctx, nc := codersdk.WebsocketNetConn(r.Context(), sws, websocket.MessageBinary)
-		err = svc.ServeConnV2(ctx, nc, tailnet.StreamID{
-			Name: "client",
-			ID:   clientID,
-			Auth: tailnet.ClientCoordinateeAuth{AgentID: agentID},
-		})
-		assert.NoError(t, err)
-	}))
-
-	fConn := newFakeTailnetConn()
-
-	uut := runTailnetAPIConnector(ctx, logger, agentID, svr.URL, &websocket.DialOptions{}, fConn)
-
-	call := testutil.RequireRecvCtx(ctx, t, fCoord.CoordinateCalls)
-	reqTun := testutil.RequireRecvCtx(ctx, t, call.Reqs)
-	require.NotNil(t, reqTun.AddTunnel)
-
-	_ = testutil.RequireRecvCtx(ctx, t, uut.connected)
-
-	// send an ack to the client
-	testutil.RequireSendCtx(ctx, t, call.Resps, &proto.CoordinateResponse{
-		TunnelAck: &proto.CoordinateResponse_Ack{Id: agentID[:]},
-	})
-
-	// the agentAck channel should be successfully closed
-	_ = testutil.RequireRecvCtx(ctx, t, uut.agentAck)
-}
-
 type fakeTailnetConn struct{}
 
 func (*fakeTailnetConn) UpdatePeers([]*proto.CoordinateResponse_PeerUpdate) error {
 
@@ -203,6 +203,8 @@ func (c *Client) DialAgent(dialCtx context.Context, agentID uuid.UUID, options *
 		DERPForceWebSockets: connInfo.DERPForceWebSockets,
 		Logger:              options.Logger,
 		BlockEndpoints:      c.client.DisableDirectConnections || options.BlockEndpoints,
+		// TODO: enable in upstack PR
+		// ShouldWaitForHandshake: true,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet: %w", err)
@@ -260,19 +262,6 @@ func (c *Client) DialAgent(dialCtx context.Context, agentID uuid.UUID, options *
 		options.Logger.Debug(ctx, "connected to tailnet v2+ API")
 	}
 
-	// TODO: uncomment after pgcoord ack's are implemented (upstack pr)
-	// options.Logger.Debug(ctx, "waiting for agent ack")
-	// // 5 seconds is chosen because this is the timeout for failed Wireguard
-	// // handshakes. In the worst case, we wait the same amount of time as a
-	// // failed handshake.
-	// timer := time.NewTimer(5 * time.Second)
-	// select {
-	// case <-connector.agentAck:
-	// case <-timer.C:
-	// 	options.Logger.Debug(ctx, "timed out waiting for agent ack")
-	// }
-	// timer.Stop()
-
 	agentConn = NewAgentConn(conn, AgentConnOptions{
 		AgentID: agentID,
 		CloseFunc: func() error {
 
@@ -658,7 +658,7 @@ func (api *API) workspaceProxyRegister(rw http.ResponseWriter, r *http.Request)
 			if err != nil {
 				return xerrors.Errorf("insert replica: %w", err)
 			}
-		} else if err != nil {
+		} else {
 			return xerrors.Errorf("get replica: %w", err)
 		}
 
 
@@ -56,10 +56,11 @@ type phased struct {
 
 type configMaps struct {
 	phased
-	netmapDirty  bool
-	derpMapDirty bool
-	filterDirty  bool
-	closing      bool
+	netmapDirty      bool
+	derpMapDirty     bool
+	filterDirty      bool
+	closing          bool
+	waitForHandshake bool
 
 	engine         engineConfigurable
 	static         netmap.NetworkMap
@@ -216,6 +217,9 @@ func (c *configMaps) netMapLocked() *netmap.NetworkMap {
 func (c *configMaps) peerConfigLocked() []*tailcfg.Node {
 	out := make([]*tailcfg.Node, 0, len(c.peers))
 	for _, p := range c.peers {
+		if !p.readyForHandshake {
+			continue
+		}
 		n := p.node.Clone()
 		if c.blockEndpoints {
 			n.Endpoints = nil
@@ -225,6 +229,12 @@ func (c *configMaps) peerConfigLocked() []*tailcfg.Node {
 	return out
 }
 
+func (c *configMaps) setWaitForHandshake(wait bool) {
+	c.L.Lock()
+	defer c.L.Unlock()
+	c.waitForHandshake = wait
+}
+
 // setAddresses sets the addresses belonging to this node to the given slice. It
 // triggers configuration of the engine if the addresses have changed.
 // c.L MUST NOT be held.
@@ -377,17 +387,9 @@ func (c *configMaps) updatePeerLocked(update *proto.CoordinateResponse_PeerUpdat
 			return false
 		}
 		logger = logger.With(slog.F("key_id", node.Key.ShortString()), slog.F("node", node))
-		peerStatus, ok := status.Peer[node.Key]
-		// Starting KeepAlive messages at the initialization of a connection
-		// causes a race condition. If we send the handshake before the peer has
-		// our node, we'll have to wait for 5 seconds before trying again.
-		// Ideally, the first handshake starts when the user first initiates a
-		// connection to the peer. After a successful connection we enable
-		// keep alives to persist the connection and keep it from becoming idle.
-		// SSH connections don't send packets while idle, so we use keep alives
-		// to avoid random hangs while we set up the connection again after
-		// inactivity.
-		node.KeepAlive = ok && peerStatus.Active
+		// Since we don't send nodes into Tailscale unless we're sure that the
+		// peer is ready for handshakes, we always enable keepalives.
+		node.KeepAlive = true
 	}
 	switch {
 	case !ok && update.Kind == proto.CoordinateResponse_PeerUpdate_NODE:
@@ -396,23 +398,46 @@ func (c *configMaps) updatePeerLocked(update *proto.CoordinateResponse_PeerUpdat
 		if ps, ok := status.Peer[node.Key]; ok {
 			lastHandshake = ps.LastHandshake
 		}
-		c.peers[id] = &peerLifecycle{
-			peerID:        id,
-			node:          node,
-			lastHandshake: lastHandshake,
-			lost:          false,
+		lc = &peerLifecycle{
+			peerID:            id,
+			node:              node,
+			lastHandshake:     lastHandshake,
+			lost:              false,
+			readyForHandshake: !c.waitForHandshake,
 		}
+		if c.waitForHandshake {
+			lc.readyForHandshakeTimer = c.clock.AfterFunc(5*time.Second, func() {
+				logger.Debug(context.Background(), "ready for handshake timeout")
+				c.peerReadyForHandshakeTimeout(id)
+			})
+		}
+		c.peers[id] = lc
 		logger.Debug(context.Background(), "adding new peer")
-		return true
+		// since we just got this node, we don't know if it's ready for
+		// handshakes yet.
+		return lc.readyForHandshake
 	case ok && update.Kind == proto.CoordinateResponse_PeerUpdate_NODE:
 		// update
 		node.Created = lc.node.Created
-		dirty = !lc.node.Equal(node)
+		dirty = !lc.node.Equal(node) && lc.readyForHandshake
 		lc.node = node
 		lc.lost = false
 		lc.resetTimer()
 		logger.Debug(context.Background(), "node update to existing peer", slog.F("dirty", dirty))
 		return dirty
+	case ok && update.Kind == proto.CoordinateResponse_PeerUpdate_READY_FOR_HANDSHAKE:
+		wasReady := lc.readyForHandshake
+		lc.readyForHandshake = true
+		if lc.readyForHandshakeTimer != nil {
+			lc.readyForHandshakeTimer.Stop()
+		}
+		logger.Debug(context.Background(), "peer ready for handshake")
+		return !wasReady
+	case !ok && update.Kind == proto.CoordinateResponse_PeerUpdate_READY_FOR_HANDSHAKE:
+		// TODO: should we keep track of ready for handshake messages we get
+		// from unknown nodes?
+		logger.Debug(context.Background(), "got peer ready for handshake for unknown peer")
+		return false
 	case !ok:
 		// disconnected or lost, but we don't have the node. No op
 		logger.Debug(context.Background(), "skipping update for peer we don't recognize")
@@ -550,12 +575,31 @@ func (c *configMaps) fillPeerDiagnostics(d *PeerDiagnostics, peerID uuid.UUID) {
 	d.LastWireguardHandshake = ps.LastHandshake
 }
 
+func (c *configMaps) peerReadyForHandshakeTimeout(peerID uuid.UUID) {
+	c.L.Lock()
+	defer c.L.Unlock()
+	lc, ok := c.peers[peerID]
+	if !ok {
+		return
+	}
+	if lc.readyForHandshakeTimer != nil {
+		wasReady := lc.readyForHandshake
+		lc.readyForHandshakeTimer = nil
+		lc.readyForHandshake = true
+		if !wasReady {
+			c.Broadcast()
+		}
+	}
+}
+
 type peerLifecycle struct {
-	peerID        uuid.UUID
-	node          *tailcfg.Node
-	lost          bool
-	lastHandshake time.Time
-	timer         *clock.Timer
+	peerID                 uuid.UUID
+	node                   *tailcfg.Node
+	lost                   bool
+	lastHandshake          time.Time
+	timer                  *clock.Timer
+	readyForHandshake      bool
+	readyForHandshakeTimer *clock.Timer
 }
 
 func (l *peerLifecycle) resetTimer() {
 
@@ -185,6 +185,75 @@ func TestConfigMaps_updatePeers_new(t *testing.T) {
 	_ = testutil.RequireRecvCtx(ctx, t, done)
 }
 
+func TestConfigMaps_updatePeers_new_waitForHandshake(t *testing.T) {
+	t.Parallel()
+	ctx := testutil.Context(t, testutil.WaitShort)
+	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
+	fEng := newFakeEngineConfigurable()
+	nodePrivateKey := key.NewNode()
+	nodeID := tailcfg.NodeID(5)
+	discoKey := key.NewDisco()
+	uut := newConfigMaps(logger, fEng, nodeID, nodePrivateKey, discoKey.Public())
+	defer uut.close()
+	uut.setWaitForHandshake(true)
+
+	p1ID := uuid.UUID{1}
+	p1Node := newTestNode(1)
+	p1n, err := NodeToProto(p1Node)
+	require.NoError(t, err)
+
+	go func() {
+		<-fEng.status
+		fEng.statusDone <- struct{}{}
+	}()
+
+	u1 := []*proto.CoordinateResponse_PeerUpdate{
+		{
+			Id:   p1ID[:],
+			Kind: proto.CoordinateResponse_PeerUpdate_NODE,
+			Node: p1n,
+		},
+	}
+	uut.updatePeers(u1)
+
+	// it should not send the peer to the netmap yet
+
+	go func() {
+		<-fEng.status
+		fEng.statusDone <- struct{}{}
+	}()
+
+	u2 := []*proto.CoordinateResponse_PeerUpdate{
+		{
+			Id:   p1ID[:],
+			Kind: proto.CoordinateResponse_PeerUpdate_READY_FOR_HANDSHAKE,
+		},
+	}
+	uut.updatePeers(u2)
+
+	// it should now send the peer to the netmap
+
+	nm := testutil.RequireRecvCtx(ctx, t, fEng.setNetworkMap)
+	r := testutil.RequireRecvCtx(ctx, t, fEng.reconfig)
+
+	require.Len(t, nm.Peers, 1)
+	n1 := getNodeWithID(t, nm.Peers, 1)
+	require.Equal(t, "127.3.3.40:1", n1.DERP)
+	require.Equal(t, p1Node.Endpoints, n1.Endpoints)
+	require.True(t, n1.KeepAlive)
+
+	// we rely on nmcfg.WGCfg() to convert the netmap to wireguard config, so just
+	// require the right number of peers.
+	require.Len(t, r.wg.Peers, 1)
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		uut.close()
+	}()
+	_ = testutil.RequireRecvCtx(ctx, t, done)
+}
+
 func TestConfigMaps_updatePeers_same(t *testing.T) {
 	t.Parallel()
 	ctx := testutil.Context(t, testutil.WaitShort)
 
@@ -87,8 +87,8 @@ type Options struct {
 	// connections, rather than trying `Upgrade: derp` first and potentially
 	// falling back. This is useful for misbehaving proxies that prevent
 	// fallback due to odd behavior, like Azure App Proxy.
-	DERPForceWebSockets bool
-
+	DERPForceWebSockets    bool
+	ShouldWaitForHandshake bool
 	// BlockEndpoints specifies whether P2P endpoints are blocked.
 	// If so, only DERPs can establish connections.
 	BlockEndpoints bool
@@ -216,6 +216,7 @@ func NewConn(options *Options) (conn *Conn, err error) {
 		nodePrivateKey,
 		magicConn.DiscoPublicKey(),
 	)
+	cfgMaps.setWaitForHandshake(options.ShouldWaitForHandshake)
 	cfgMaps.setAddresses(options.Addresses)
 	if options.DERPMap != nil {
 		cfgMaps.setDERPMap(options.DERPMap)
Original file line number	Diff line number	Diff line change
`@@ -658,7 +658,7 @@ func (api API) workspaceProxyRegister(rw http.ResponseWriter, r http.Request)`
`658`	`658`	`if err != nil {`
`659`	`659`	`return xerrors.Errorf("insert replica: %w", err)`
`660`	`660`	`}`
`661`		`- } else if err != nil {`
	`661`	`+ } else {`
`662`	`662`	`return xerrors.Errorf("get replica: %w", err)`
`663`	`663`	`}`
`664`	`664`