VAULT-28192 fix Agent and Proxy consuming large amounts of CPU for auto-auth self-healing (#27518)

* VAULT-28192 fix Agent and Proxy consuming large amounts of CPU for auto-auth self-healing * Changelog * Update changelog * drain incoming if we get invalid token --------- Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
2025-10-29 01:32:33 +00:00 · 2024-06-19 10:23:51 -04:00
parent e7f2107b52
commit 3959722892
3 changed files with 25 additions and 31 deletions
--- a/changelog/27518.txt
+++ b/changelog/27518.txt
@@ -0,0 +1,7 @@
+```release-note:bug
+agent: Fixed an issue causing excessive CPU usage during normal operation
+```
+
+```release-note:bug
+proxy: Fixed an issue causing excessive CPU usage during normal operation
+```
--- a/command/agent/template/template.go
+++ b/command/agent/template/template.go
@@ -246,31 +246,24 @@ func (ts *Server) Run(ctx context.Context, incoming chan string, templates []*ct
 				ts.runner.Stop()
 				return nil
 			}
-		default:
-			// We are using default instead of a new case block to prioritize the case where <-incoming has a new value over
-			// receiving an error message from the consul-template server
-			select {
-			case err := <-ts.runner.ServerErrCh:
-				var responseError *api.ResponseError
-				ok := errors.As(err, &responseError)
-				if !ok {
-					ts.logger.Error("template server: could not extract error response")
-					continue
-				}
-				if responseError.StatusCode == 403 && strings.Contains(responseError.Error(), logical.ErrInvalidToken.Error()) && !tokenRenewalInProgress.Load() {
-					ts.logger.Info("template server: received invalid token error")
-
-					// Drain the error channel before sending a new error
-					select {
-					case <-invalidTokenCh:
-					default:
-					}
-					invalidTokenCh <- err
-				}
-			default:
+		case err := <-ts.runner.ServerErrCh:
+			var responseError *api.ResponseError
+			ok := errors.As(err, &responseError)
+			if !ok {
+				ts.logger.Error("template server: could not extract error response")
 				continue
 			}
+			if responseError.StatusCode == 403 && strings.Contains(responseError.Error(), logical.ErrInvalidToken.Error()) && !tokenRenewalInProgress.Load() {
+				ts.logger.Info("template server: received invalid token error")

+				// Drain the error channel and incoming channel before sending a new error
+				select {
+				case <-invalidTokenCh:
+				case <-incoming:
+				default:
+				}
+				invalidTokenCh <- err
+			}
 		}
 	}
 }
--- a/command/agentproxyshared/auth/auth.go
+++ b/command/agentproxyshared/auth/auth.go
@@ -563,18 +563,12 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				// Set authenticated when authentication succeeds
 				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 1)
 				ah.logger.Info("renewed auth token")
-
 			case <-credCh:
 				ah.logger.Info("auth method found new credentials, re-authenticating")
 				break LifetimeWatcherLoop
-			default:
-				select {
-				case <-ah.InvalidToken:
-					ah.logger.Info("invalid token found, re-authenticating")
-					break LifetimeWatcherLoop
-				default:
-					continue
-				}
+			case <-ah.InvalidToken:
+				ah.logger.Info("invalid token found, re-authenticating")
+				break LifetimeWatcherLoop
 			}
 		}
 	}