coder
diff --git a/‎coderd/database/db.go
+1-1 b/‎coderd/database/db.go
+1-1
diff --git a/‎coderd/database/dbauthz/dbauthz.go
+7 b/‎coderd/database/dbauthz/dbauthz.go
+7
diff --git a/‎coderd/database/dbauthz/dbauthz_test.go
+5 b/‎coderd/database/dbauthz/dbauthz_test.go
+5
diff --git a/‎coderd/database/dbmem/dbmem.go
+4 b/‎coderd/database/dbmem/dbmem.go
+4
diff --git a/‎coderd/database/dbmetrics/dbmetrics.go
+7 b/‎coderd/database/dbmetrics/dbmetrics.go
+7
diff --git a/‎coderd/database/dbmock/dbmock.go
+14 b/‎coderd/database/dbmock/dbmock.go
+14
diff --git a/‎coderd/database/querier.go
+1 b/‎coderd/database/querier.go
+1
diff --git a/‎coderd/database/queries.sql.go
+17 b/‎coderd/database/queries.sql.go
+17
diff --git a/‎coderd/database/queries/tailnet.sql
+6 b/‎coderd/database/queries/tailnet.sql
+6
diff --git a/‎enterprise/tailnet/connio.go
+23 b/‎enterprise/tailnet/connio.go
+23
diff --git a/‎enterprise/tailnet/handshaker.go
+133 b/‎enterprise/tailnet/handshaker.go
+133
diff --git a/‎enterprise/tailnet/handshaker_internal_test.go
+45 b/‎enterprise/tailnet/handshaker_internal_test.go
+45
@@ -103,7 +103,7 @@ func (q *sqlQuerier) InTx(function func(Store) error, txOpts *sql.TxOptions) err
 				// Transaction succeeded.
 				return nil
 			}
-			if err != nil && !IsSerializedError(err) {
+			if !IsSerializedError(err) {
 				// We should only retry if the error is a serialization error.
 				return err
 			}
 
@@ -2645,6 +2645,13 @@ func (q *querier) ListWorkspaceAgentPortShares(ctx context.Context, workspaceID
 	return q.db.ListWorkspaceAgentPortShares(ctx, workspaceID)
 }
 
+func (q *querier) PublishReadyForHandshake(ctx context.Context, arg database.PublishReadyForHandshakeParams) error {
+	if err := q.authorizeContext(ctx, rbac.ActionRead, rbac.ResourceTailnetCoordinator); err != nil {
+		return err
+	}
+	return q.db.PublishReadyForHandshake(ctx, arg)
+}
+
 func (q *querier) ReduceWorkspaceAgentShareLevelToAuthenticatedByTemplate(ctx context.Context, templateID uuid.UUID) error {
 	template, err := q.db.GetTemplateByID(ctx, templateID)
 	if err != nil {
 
@@ -1829,6 +1829,11 @@ func (s *MethodTestSuite) TestTailnetFunctions() {
 			Asserts(rbac.ResourceTailnetCoordinator, rbac.ActionCreate).
 			Errors(dbmem.ErrUnimplemented)
 	}))
+	s.Run("PublishReadyForHandshake", s.Subtest(func(db database.Store, check *expects) {
+		check.Args(database.PublishReadyForHandshakeParams{}).
+			Asserts(rbac.ResourceTailnetCoordinator, rbac.ActionUpdate).
+			Errors(dbmem.ErrUnimplemented)
+	}))
 }
 
 func (s *MethodTestSuite) TestDBCrypt() {
 
@@ -6742,6 +6742,10 @@ func (q *FakeQuerier) ListWorkspaceAgentPortShares(_ context.Context, workspaceI
 	return shares, nil
 }
 
+func (*FakeQuerier) PublishReadyForHandshake(context.Context, database.PublishReadyForHandshakeParams) error {
+	return ErrUnimplemented
+}
+
 func (q *FakeQuerier) ReduceWorkspaceAgentShareLevelToAuthenticatedByTemplate(_ context.Context, templateID uuid.UUID) error {
 	err := validateDatabaseType(templateID)
 	if err != nil {
 
@@ -207,6 +207,12 @@ FROM tailnet_tunnels
 INNER JOIN tailnet_peers ON tailnet_tunnels.src_id = tailnet_peers.id
 WHERE tailnet_tunnels.dst_id = $1;
 
+-- name: PublishReadyForHandshake :exec
+SELECT pg_notify(
+	'tailnet_ready_for_handshake',
+	format('%s,%s', sqlc.arg('to')::text, sqlc.arg('from')::text)
+);
+
 -- For PG Coordinator HTMLDebug
 
 -- name: GetAllTailnetCoordinators :many
 
@@ -30,6 +30,7 @@ type connIO struct {
 	responses    chan<- *proto.CoordinateResponse
 	bindings     chan<- binding
 	tunnels      chan<- tunnel
+	rfhs         chan<- readyForHandshake
 	auth         agpl.CoordinateeAuth
 	mu           sync.Mutex
 	closed       bool
@@ -46,6 +47,7 @@ func newConnIO(coordContext context.Context,
 	logger slog.Logger,
 	bindings chan<- binding,
 	tunnels chan<- tunnel,
+	rfhs chan<- readyForHandshake,
 	requests <-chan *proto.CoordinateRequest,
 	responses chan<- *proto.CoordinateResponse,
 	id uuid.UUID,
@@ -64,6 +66,7 @@ func newConnIO(coordContext context.Context,
 		responses: responses,
 		bindings:  bindings,
 		tunnels:   tunnels,
+		rfhs:      rfhs,
 		auth:      auth,
 		name:      name,
 		start:     now,
@@ -190,6 +193,26 @@ func (c *connIO) handleRequest(req *proto.CoordinateRequest) error {
 		c.disconnected = true
 		return errDisconnect
 	}
+	if req.ReadyForHandshake != nil {
+		c.logger.Debug(c.peerCtx, "got ready for handshake ", slog.F("rfh", req.ReadyForHandshake))
+		for _, rfh := range req.ReadyForHandshake {
+			dst, err := uuid.FromBytes(rfh.Id)
+			if err != nil {
+				c.logger.Error(c.peerCtx, "unable to convert bytes to UUID", slog.Error(err))
+				// this shouldn't happen unless there is a client error.  Close the connection so the client
+				// doesn't just happily continue thinking everything is fine.
+				return err
+			}
+
+			if err := agpl.SendCtx(c.coordCtx, c.rfhs, readyForHandshake{hKey: hKey{
+				src: c.id,
+				dst: dst,
+			}}); err != nil {
+				c.logger.Debug(c.peerCtx, "failed to send ready for handshake", slog.Error(err))
+				return err
+			}
+		}
+	}
 	return nil
 }
 
 
@@ -0,0 +1,133 @@
+package tailnet
+
+import (
+	"context"
+	"slices"
+	"sync"
+
+	"github.com/cenkalti/backoff/v4"
+	"github.com/google/uuid"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/v2/coderd/database"
+)
+
+type readyForHandshake struct {
+	hKey
+}
+
+type hKey struct {
+	src uuid.UUID
+	dst uuid.UUID
+}
+
+type handshaker struct {
+	ctx           context.Context
+	logger        slog.Logger
+	coordinatorID uuid.UUID
+	store         database.Store
+	updates       <-chan readyForHandshake
+
+	workQ *workQ[hKey]
+
+	workerWG sync.WaitGroup
+}
+
+func newHandshaker(ctx context.Context,
+	logger slog.Logger,
+	id uuid.UUID,
+	store database.Store,
+	updates <-chan readyForHandshake,
+	startWorkers <-chan struct{},
+) *handshaker {
+	s := &handshaker{
+		ctx:           ctx,
+		logger:        logger,
+		coordinatorID: id,
+		store:         store,
+		updates:       updates,
+		workQ:         newWorkQ[hKey](ctx),
+	}
+	go s.handle()
+	// add to the waitgroup immediately to avoid any races waiting for it before
+	// the workers start.
+	s.workerWG.Add(numHandshakerWorkers)
+	go func() {
+		<-startWorkers
+		for i := 0; i < numHandshakerWorkers; i++ {
+			go s.worker()
+		}
+	}()
+	return s
+}
+
+func (t *handshaker) handle() {
+	for {
+		select {
+		case <-t.ctx.Done():
+			t.logger.Debug(t.ctx, "handshaker exiting", slog.Error(t.ctx.Err()))
+			return
+		case rfh := <-t.updates:
+			t.workQ.enqueue(rfh.hKey)
+		}
+	}
+}
+
+func (t *handshaker) worker() {
+	defer t.workerWG.Done()
+	eb := backoff.NewExponentialBackOff()
+	eb.MaxElapsedTime = 0 // retry indefinitely
+	eb.MaxInterval = dbMaxBackoff
+	bkoff := backoff.WithContext(eb, t.ctx)
+	for {
+		hk, err := t.workQ.acquire()
+		if err != nil {
+			// context expired
+			return
+		}
+		err = backoff.Retry(func() error {
+			return t.writeOne(hk)
+		}, bkoff)
+		if err != nil {
+			bkoff.Reset()
+		}
+		t.workQ.done(hk)
+	}
+}
+
+func (t *handshaker) writeOne(hk hKey) error {
+	logger := t.logger.With(
+		slog.F("src_id", hk.src),
+		slog.F("dst_id", hk.dst),
+	)
+
+	peers, err := t.store.GetTailnetTunnelPeerIDs(t.ctx, hk.src)
+	if err != nil {
+		if !database.IsQueryCanceledError(err) {
+			logger.Error(t.ctx, "get tunnel peers ids", slog.Error(err))
+		}
+		return err
+	}
+
+	if !slices.ContainsFunc(peers, func(peer database.GetTailnetTunnelPeerIDsRow) bool {
+		return peer.PeerID == hk.dst
+	}) {
+		// In the in-memory coordinator we return an error to the client, but
+		// this isn't really possible here.
+		logger.Warn(t.ctx, "cannot process ready for handshake, src isn't peered with dst")
+		return nil
+	}
+
+	err = t.store.PublishReadyForHandshake(t.ctx, database.PublishReadyForHandshakeParams{
+		To:   hk.dst.String(),
+		From: hk.src.String(),
+	})
+	if err != nil {
+		if !database.IsQueryCanceledError(err) {
+			logger.Error(t.ctx, "publish ready for handshake", slog.Error(err))
+		}
+		return err
+	}
+
+	return nil
+}
@@ -0,0 +1,45 @@
+package tailnet
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/uuid"
+	"go.uber.org/mock/gomock"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbmock"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func Test_handshaker_NoPermission(t *testing.T) {
+	t.Parallel()
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+	mDB := dbmock.NewMockStore(ctrl)
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitSuperLong)
+	defer cancel()
+	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
+
+	rfhCh := make(chan readyForHandshake)
+	ready := make(chan struct{})
+	close(ready)
+
+	srcID, dstID := uuid.New(), uuid.New()
+
+	newHandshaker(ctx, logger, uuid.New(), mDB, rfhCh, ready)
+
+	called := make(chan struct{})
+	mDB.EXPECT().GetTailnetTunnelPeerIDs(gomock.Any(), srcID).
+		DoAndReturn(func(context.Context, uuid.UUID) ([]database.GetTailnetTunnelPeerIDsRow, error) {
+			close(called)
+			return []database.GetTailnetTunnelPeerIDsRow{}, nil
+		})
+	rfhCh <- readyForHandshake{hKey{src: srcID, dst: dstID}}
+	<-called
+	// the handshaker should not attempt to broadcast the rfh. if it does, the
+	// mock will catch an unmocked call.
+}
Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ func (q sqlQuerier) InTx(function func(Store) error, txOpts sql.TxOptions) err`
`103`	`103`	`// Transaction succeeded.`
`104`	`104`	`return nil`
`105`	`105`	`}`
`106`		`- if err != nil && !IsSerializedError(err) {`
	`106`	`+ if !IsSerializedError(err) {`
`107`	`107`	`// We should only retry if the error is a serialization error.`
`108`	`108`	`return err`
`109`	`109`	`}`