Understand Traffic Director client status

When you use Traffic Director to handle your application networking, consider the following two primary components:

The infrastructure layer. The infrastructure layer, such as Envoy sidecar proxies or proxyless gRPC libraries, is configured to handle networking on behalf of your applications.
The control plane, Traffic Director. The control plane generates configuration for, and distributes configuration to, the infrastructure layer.

When an Envoy proxy or the gRPC library is initialized, it uses xDS APIs to connect to Traffic Director. The proxy or the library acts as a client to Traffic Director. After a connection is established between the client and Traffic Director, Traffic Director sends configuration information back to the client and updates the configuration as needed.

It is sometimes helpful to understand which clients are connected to Traffic Director or to inspect the configuration that Traffic Director generates for its clients. For example, you might want to debug an issue, or you might want to understand how the actions that you took when configuring Traffic Director affect the configuration that your clients see.

Traffic Director supports the Client Status Discovery Service (CSDS) API. You use a CSDS client to query this API. This enables you to see which clients are connected to Traffic Director and to inspect the configuration that Traffic Director generates for its clients.

The CSDS client is an open source tool that you can obtain from the Envoy repository. The following diagram illustrates how the CSDS client queries Traffic Director for information about Traffic Director's CSDS API.

Using the CSDS API to obtain configuration information about Traffic Director clients. — Using the CSDS API to obtain configuration information about Traffic Director clients (click to enlarge)

The CSDS client connects to Traffic Director and presents a project number and network name, along with a set of credentials. Traffic Director can then respond with information about the various Traffic Director clients to which it is connected.

For more information about the CSDS client, see the README file.

Prerequisites

To connect to the CSDS API, you need a CSDS client. You can obtain the client in one of two ways:

You can build the client by using Cloud Shell.
You can build the client on a local development machine.

Build the CSDS client by using Cloud Shell

To use Cloud Shell to build the CSDS client, do the following:

Reset Cloud Shell by using the instructions in Disabling or resetting Cloud Shell. This ensures that existing configurations do not interfere with your build.
In the Google Cloud console, open a new Cloud Shell session.
Run the following command to obtain the source code that you use to build the CSDS client:
```
git clone https://github.com/envoyproxy/envoy-tools.git
```
Navigate to the CSDS client directory and run the following commands:
```
cd envoy-tools/csds-client/
make init
make build
```
After the build is complete, test it with the following command:
```
csds-client -help
```

If the build is successful, you see the help text for the client.

Build the CSDS client on a local development machine

You can download and build a CSDS client on a local machine by following the instructions in the README file in the open source repository. To do this, you must also have Go and the make tool set up in your environment. If you prefer not to do this, use the preceding instructions for Cloud Shell, in which Go and the make tool are provided for you.

Additional prerequisites

Make sure that the node ID of each client is unique within the service mesh. If multiple clients share the same node ID, only one configuration is returned—the configuration for the client that most recently connected to Traffic Director.

If you use Google's reference packages, you do not need to manually set the node ID in your bootstrap files; a node ID is generated for you. If you do not use the reference packages, you must manually set the node ID in each of your bootstrap files.
Ensure that you have access to a user account that has the Identity and Access Management (IAM) permissions required to configure Traffic Director. The following instructions use the Google Cloud CLI to generate and automatically supply the credentials needed by the CSDS client. Alternatively, you can use the CSDS client and supply the credentials directly.

Determine which clients are currently connected to Traffic Director

You can use the CSDS client to determine which clients are connected to your Traffic Director configuration.

To get this information, you need the following details:

The ID of the project from which the credentials were generated.
If you're using the service routing APIs, one of the following, depending on which resource the xDS client fetches:
- The name of the Mesh resource
- The scope parameter on the Gateway resource
If you're using the older APIs, the name of the VPC network that you specified when you configured Traffic Director. This network is the one specified by the forwarding rule of the routing rule map.

Service routing APIs

From an account that has the correct permissions, run the following command:

gcloud auth application-default login \
 --billing-project=BILLING_PROJECT_ID

Create a new file in the YAML format with the following content.
```
node_matchers:
  - node_metadatas:
      - path:
          - key: TRAFFICDIRECTOR_GCP_PROJECT_NUMBER
        value:
          string_match:
            exact: "PROJECT_NUMBER"
      - path:
          - key: TRAFFICDIRECTOR_MESH_SCOPE_NAME
        value:
          string_match:
            exact: "MESH_OR_SCOPE"
```
Replace the following values:
- PROJECT_NUMBER: the ID of the project
- MESH_OR_SCOPE: if the xDS client fetches a Mesh resource, use a prefix of mesh: followed by the actual mesh name; if the xDS client fetches a Gateway resource, use a prefix of scope: followed by the name of the scope parameter

Run the CSDS client, which uses the credentials generated by the gcloud CLI. Replace PATH_TO_CSDS_REQUEST_YAML_FILE with the path to the YAML file that you created in the previous step.

csds-client \
  -service_uri trafficdirector.googleapis.com:443 \
  -platform gcp \
  -authn_mode auto \
  -api_version v2 \
  -request_file PATH_TO_CSDS_REQUEST_YAML_FILE

You should see output similar to the following:

Client ID                                          xDS stream type    Config status
603e3524-d1d6-4a9e-9b26-39bcd633a7cb~10.128.0.5    ADS                N/A
603e3524-d1d6-4a9e-9b26-39bcd633a7cb~10.128.0.5    LRS                N/A
8576d4bf-8f10-40b2-920b-bb6a7cf9f34a~10.168.0.3    ADS                N/A
8576d4bf-8f10-40b2-920b-bb6a7cf9f34a~10.168.0.3    LRS                N/A
d9577b61-fa3a-41d6-90bd-11c4fdd2f8c0~10.128.0.4    ADS                N/A
d9577b61-fa3a-41d6-90bd-11c4fdd2f8c0~10.128.0.4    LRS                N/A
f38a59c1-4428-42f1-be81-e02eb994f9dd~10.128.0.6    ADS                N/A
f38a59c1-4428-42f1-be81-e02eb994f9dd~10.128.0.6    LRS                N/A

The Client ID column displays the client IDs of the clients that are connected to Traffic Director. These client IDs are provided by using the node_id field in the bootstrap file used by Envoy or proxyless gRPC when they connect to Traffic Director.

Older APIs

From an account that has the correct permissions, run the following command:

gcloud auth application-default login \
 --billing-project=BILLING_PROJECT_ID

Create a new file in the YAML format with the following content.

node_matchers:
  - node_metadatas:
      - path:
          - key: TRAFFICDIRECTOR_GCP_PROJECT_NUMBER
        value:
          string_match:
            exact: "PROJECT_NUMBER"
      - path:
          - key: TRAFFICDIRECTOR_NETWORK_NAME
        value:
          string_match:
            exact: "NETWORK_NAME"

Replace the following values:

PROJECT_NUMBER: the unique ID of the Google Cloud project
NETWORK_NAME: the VPC network specified by the forwarding rule of the routing rule map

Run the CSDS client, which uses the credentials generated by the gcloud CLI. Replace PATH_TO_CSDS_REQUEST_YAML_FILE with the path to the YAML file that you created in the previous step.

csds-client \
  -service_uri trafficdirector.googleapis.com:443 \
  -platform gcp \
  -authn_mode auto \
  -api_version v2 \
  -request_file PATH_TO_CSDS_REQUEST_YAML_FILE

You should see output similar to the following:

Client ID                                          xDS stream type    Config status
603e3524-d1d6-4a9e-9b26-39bcd633a7cb~10.128.0.5    ADS                N/A
603e3524-d1d6-4a9e-9b26-39bcd633a7cb~10.128.0.5    LRS                N/A
8576d4bf-8f10-40b2-920b-bb6a7cf9f34a~10.168.0.3    ADS                N/A
8576d4bf-8f10-40b2-920b-bb6a7cf9f34a~10.168.0.3    LRS                N/A
d9577b61-fa3a-41d6-90bd-11c4fdd2f8c0~10.128.0.4    ADS                N/A
d9577b61-fa3a-41d6-90bd-11c4fdd2f8c0~10.128.0.4    LRS                N/A
f38a59c1-4428-42f1-be81-e02eb994f9dd~10.128.0.6    ADS                N/A
f38a59c1-4428-42f1-be81-e02eb994f9dd~10.128.0.6    LRS                N/A

Inspect the configuration for a specific Traffic Director client

You can inspect the configuration that Traffic Director sends to a particular client by using the client ID, which you obtained in the previous section.

You can examine the detailed configuration of the resource proto to determine which xDS API version that specific client is using. For example, if you see envoy.api.v2.Cluster in the config, it means the client is using the v2 API. If you see envoy.api.v3.Cluster in the configuration, it means the client is using the v3 API.

Service routing APIs

Update the YAML file that you created in Determine which clients are currently connected to Traffic Director. Add a node-id field that uses the client ID as its value.
```
node_matchers:
  - node_id:
      exact: "CLIENT_ID"
    node_metadatas:
      - path:
          - key: TRAFFICDIRECTOR_GCP_PROJECT_NUMBER
        value:
          string_match:
            exact: "PROJECT_NUMBER"
      - path:
          - key: TRAFFICDIRECTOR_MESH_SCOPE_NAME
        value:
          string_match:
            exact: "MESH_OR_SCOPE_NAME"
```
Replace the following values:
- CLIENT_ID: the ID of the client whose configuration you're inspecting—for example, projects/000000/networks/mesh:mesh1/nodes/00000000-0000-0000-0000-00000000~127.0.0.1
- PROJECT_NUMBER: the unique ID of the Google Cloud project
- MESH_OR_SCOPE: if the xDS client fetches a Mesh resource, use a prefix of mesh: followed by the actual mesh name; if the xDS client fetches a Gateway resource, use a prefix of scope: followed by the name of the scope parameter
Run the CSDS client. Running the client generates a JSON file. This file contains the configuration that is sent to the Traffic Director client.
```
csds-client \
 -service_uri trafficdirector.googleapis.com:443 \
 -platform gcp \
 -authn_mode auto \
 -api_version v2 \
 -request_file PATH_TO_CSDS_REQUEST_YAML_FILE \
 -output_file FILENAME.JSON
```
Replace the following values:
- PATH_TO_CSDS_REQUEST_YAML_FILE: the path to your YAML file
- FILENAME.JSON: a name for the file that holds the output of the CSDS client
You should see output similar to the following:
```
Client ID                                          xDS stream type    Config status
8576d4bf-8f10-40b2-920b-bb6a7cf9f34a~10.168.0.3    ADS                LDS  SYNCED
                                                                      RDS  SYNCED
                                                                      CDS  STALE
Config has been saved to FILENAME.JSON
```
You can inspect a detailed xDS configuration by looking at the JSON file. This output contains the status of individual xDS configurations sent by Traffic Director to the client by using an aggregated gRPC stream (ADS).

Older APIs

Update the YAML file that you created in Determine which clients are currently connected to Traffic Director. Add a node-id field that uses the client ID as its value.
```
node_matchers:
  - node_id:
      exact: "CLIENT_ID"
    node_metadatas:
      - path:
          - key: TRAFFICDIRECTOR_GCP_PROJECT_NUMBER
        value:
          string_match:
            exact: "PROJECT_NUMBER"
      - path:
          - key: TRAFFICDIRECTOR_NETWORK_NAME
        value:
          string_match:
            exact: "NETWORK_NAME"
```
Replace the following values:
- CLIENT_ID: the ID of the client whose configuration you're inspecting—for example, f38a59c1-4428-42f1-be81-e02eb994f9dd~10.128.0.6
- PROJECT_NUMBER: the unique ID of the Google Cloud project
- NETWORK_NAME: The VPC network specified by the forwarding rule of the routing rule map
Run the CSDS client. Running the client generates a JSON file. This file contains the configuration that is sent to the Traffic Director client.
```
csds-client \
 -service_uri trafficdirector.googleapis.com:443 \
 -platform gcp \
 -authn_mode auto \
 -api_version v2 \
 -request_file PATH_TO_CSDS_REQUEST_YAML_FILE \
 -output_file FILENAME.JSON
```
Replace the following values:
- PATH_TO_CSDS_REQUEST_YAML_FILE: the path to your YAML file
- FILENAME.JSON: a name for the file that holds the output of the CSDS client
You should see output similar to the following:
```
Client ID                                          xDS stream type    Config status
8576d4bf-8f10-40b2-920b-bb6a7cf9f34a~10.168.0.3    ADS                LDS  SYNCED
                                                                      RDS  SYNCED
                                                                      CDS  STALE
Config has been saved to FILENAME.JSON
```
You can inspect a detailed xDS configuration by looking at the JSON file. This output contains the status of individual xDS configurations sent by Traffic Director to the client by using an aggregated gRPC stream (ADS).

Status values

The following table lists the xDS configuration status values that you might see.

Value	Description
`UNKNOWN`	(Default) ⁣Status information is not available or is unknown.
`SYNCED`	Traffic Director sent the configuration to the client and received an `ACK` from the client.
`ERROR`	⁣Traffic Director sent the configuration to the client and received a `NACK` from the client.
`STALE`	Traffic Director sent the configuration to the client but did not receive an `ACK` or a `NACK` from the client.
`NOT_SENT`	The configuration was not sent.
`N/A`	The CSDS client did not include the node ID. All of the connected streams are returned, but the configuration status is not available.

Visualization and monitoring

The CSDS client open source tool has additional features that you might want to use, such as visualization and continued monitoring. For more information about these features, see the README file in the open source repository.

Error message

You might see the following error message from the CSDS client when you enable the Traffic Director API in only your project:

rpc error: code = NotFound desc = Requested entity was not found.

This is expected behavior. Traffic Director configuration is scoped per network. If you haven't created a network yet and you run the CSDS client, you see this error message.

Limitations

Traffic Director only supports the CSDS v2 API.
Endpoint information is not included in the CSDS response because this information is not available in the CSDS v2 API.
The node ID of each client must be unique within the service mesh. If multiple clients share the same node ID, only one configuration is returned—the configuration for the client that most recently connected to Traffic Director.
You might sometimes see a backslash (\) in the node ID field in the YAML file. If this happens, escape the backslash by using an additional backslash when you query the CSDS API for configuration information. This is a known issue.

What's next

To find general Traffic Director troubleshooting information, see Troubleshooting deployments that use Envoy.
To resolve configuration issues when you deploy proxyless gRPC services, see Troubleshooting deployments that use proxyless gRPC.