[tunnel] fix race between agent registration and endpoint address allocation

dilyevsky · claude · dilyevsky · commit 849f4005a52a · 2026-03-06T22:01:58.000-08:00
The connect handler was calling onConnect (which allocates the infra
Endpoint) before adding the agent to TunnelNode.Status.Agents. This
caused the InfraEndpointReconciler to miss the agent when writing the
overlay address, leaving the connection permanently stuck with no
address.

Fixes:
- Reorder connect handler to register agent before endpoint allocation
- Fix upsertAgentStatus range loop copy bug (modified copy, not slice)
- Requeue ReconcileWithClient when agent address is pending

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/pkg/tunnel/server.go b/pkg/tunnel/server.go
@@ -374,9 +374,9 @@ func (t *TunnelServer) Start(ctx context.Context) error {
 }
 
 func upsertAgentStatus(s *corev1alpha.TunnelNodeStatus, agent *corev1alpha.AgentStatus) {
-	for _, a := range s.Agents {
-		if a.Name == agent.Name {
-			a = *agent
+	for i := range s.Agents {
+		if s.Agents[i].Name == agent.Name {
+			s.Agents[i] = *agent
 			return
 		}
 	}
@@ -530,11 +530,9 @@ func (t *TunnelServer) makeSingleConnectHandler(ctx context.Context, qConn quic.
 
 		t.conns.Set(connID, conn)
 
-		// Invoke onConnect callback if configured.
-		if t.options.onConnect != nil {
-			t.options.onConnect(ctx, connID, tn)
-		}
-
+		// Register the agent in TunnelNode status before allocating the
+		// endpoint so the InfraEndpointReconciler can find the agent when
+		// it writes the overlay address.
 		logger.Info("Updating agent status")
 
 		agent := &corev1alpha.AgentStatus{
@@ -562,6 +560,13 @@ func (t *TunnelServer) makeSingleConnectHandler(ctx context.Context, qConn quic.
 			logger.Error("Failed to update agent status", slog.Any("error", err))
 		}
 
+		// Invoke onConnect callback if configured.
+		// This triggers endpoint allocation; agent must be in TunnelNode
+		// status first so the address reconciler can find it.
+		if t.options.onConnect != nil {
+			t.options.onConnect(ctx, connID, tn)
+		}
+
 		// Blocking wait for the lifetime of the tunnel connection.
 		select {
 		case <-r.Context().Done():
@@ -763,6 +768,7 @@ func (t *TunnelServer) ReconcileWithClient(ctx context.Context, c client.Client,
 	}
 
 	// Configure agent addresses from TunnelNode status.
+	var pendingAddress bool
 	for _, agent := range node.Status.Agents {
 		log := log.WithValues("agent", agent.Name)
 
@@ -774,7 +780,8 @@ func (t *TunnelServer) ReconcileWithClient(ctx context.Context, c client.Client,
 
 		// Parse IPv6 address from agent status.
 		if agent.AgentAddress == "" {
-			log.Info("Agent address is empty")
+			log.Info("Agent address is empty, will requeue")
+			pendingAddress = true
 			continue
 		}
 		addrv6, err := netip.ParseAddr(agent.AgentAddress)
@@ -799,5 +806,9 @@ func (t *TunnelServer) ReconcileWithClient(ctx context.Context, c client.Client,
 		}
 	}
 
+	if pendingAddress {
+		return ctrl.Result{RequeueAfter: 1 * time.Second}, nil
+	}
+
 	return ctrl.Result{}, nil
 }
