craigbox
commented
3 weeks ago I've replicated the problem and it smells like something to do with how Envoy is buffering connections to the tcp-echo sample.
The test starts the tcp-echo server (source), waits for the deployment, and pipes text into netcat, expecting to get it back immediately. ("connection rejected" output is based on whether or not the response had 'hello' in it, which all responses should.)
for i inseq 1 100; do echo $i | nc localhost 9002; done on the tcp-echo container returns 100 hellos as you would expect.
$ for i inseq 1 100; do echo $i | nc 10.244.2.15 9002; done from the sleep container returns nothing.
When I use netcat manually, I can regularly cause it to not respond to the first line of text I send in. When you send a second line, you then get responses for both come through.
https://github.com/user-attachments/assets/f4fcfbf5-5926-48e3-946d-db6b6168969c
This was not-fixed by https://github.com/istio/istio.io/pull/15474#issuecomment-2258801446
(but the fact that we had a commented "make sure we nuke the env because preceeding tests aren't cleaning up" is suspicious)
The flake is random and is probably not due to
authz-tcptests themselves but to some preceding tests not properly cleaning up.