Fix data race in host infrastructure proxy context map

This commit fixes a data race in the host infrastructure where
proxyContextMap was being accessed concurrently without synchronization.

The race occurred between:
- runEnvoy() writing to the map (line 92)
- Close() reading from the map (line 37)
- stopEnvoy() reading and deleting from the map (lines 125, 129)

Added a sync.RWMutex to protect all accesses to proxyContextMap:
- Use RLock for reads in Close() and CreateOrUpdateProxyInfra()
- Use Lock for writes in runEnvoy() and stopEnvoy()
- Extract map keys before iteration in Close() to avoid holding
  the lock while calling stopEnvoy()

This ensures thread-safe access to the proxy context map during
concurrent infrastructure operations.

Signed-off-by: Adrian Cole <[email protected]>

Author: codefromthecrypt

internal/infrastructure/host/infra.go

@@ -11,6 +11,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"sync"
 
 	egv1a1 "github.com/envoyproxy/gateway/api/v1alpha1"
 	"github.com/envoyproxy/gateway/internal/envoygateway/config"
@@ -46,6 +47,8 @@ type Infra struct {
 
 	// proxyContextMap store the context of each running proxy by its name for lifecycle management.
 	proxyContextMap map[string]*proxyContext
+	// mu protects proxyContextMap from concurrent access.
+	mu sync.RWMutex
 
 	// TODO: remove this field once it supports the configurable homeDir
 	sdsConfigPath string

internal/infrastructure/host/proxy_infra.go

@@ -34,7 +34,14 @@ type proxyContext struct {
 
 // Close implements the Manager interface.
 func (i *Infra) Close() error {
+	i.mu.RLock()
+	names := make([]string, 0, len(i.proxyContextMap))
 	for name := range i.proxyContextMap {
+		names = append(names, name)
+	}
+	i.mu.RUnlock()
+
+	for _, name := range names {
 		i.stopEnvoy(name)
 	}
 	return nil
@@ -53,7 +60,10 @@ func (i *Infra) CreateOrUpdateProxyInfra(ctx context.Context, infra *ir.Infra) e
 	proxyInfra := infra.GetProxyInfra()
 	proxyName := utils.GetHashedName(proxyInfra.Name, 64)
 	// Return directly if the proxy is running.
-	if _, ok := i.proxyContextMap[proxyName]; ok {
+	i.mu.RLock()
+	_, running := i.proxyContextMap[proxyName]
+	i.mu.RUnlock()
+	if running {
 		return nil
 	}
 
@@ -89,7 +99,9 @@ func (i *Infra) CreateOrUpdateProxyInfra(ctx context.Context, infra *ir.Infra) e
 func (i *Infra) runEnvoy(ctx context.Context, envoyVersion, name string, args []string) {
 	pCtx, cancel := context.WithCancel(ctx)
 	exit := make(chan struct{}, 1)
+	i.mu.Lock()
 	i.proxyContextMap[name] = &proxyContext{cancel: cancel, exit: exit}
+	i.mu.Unlock()
 	go func() {
 		// Run blocks until pCtx is done or the process exits where the latter doesn't happen when
 		// Envoy successfully starts up. So, this will not return until pCtx is done in practice.
@@ -122,11 +134,18 @@ func (i *Infra) DeleteProxyInfra(_ context.Context, infra *ir.Infra) error {
 
 // stopEnvoy stops the Envoy process by its name. It will block until the process completely stopped.
 func (i *Infra) stopEnvoy(proxyName string) {
-	if pCtx, ok := i.proxyContextMap[proxyName]; ok {
+	i.mu.Lock()
+	pCtx, ok := i.proxyContextMap[proxyName]
+	i.mu.Unlock()
+
+	if ok {
 		pCtx.cancel()    // Cancel causes the Envoy process to exit.
 		<-pCtx.exit      // Wait for the Envoy process to completely exit.
 		close(pCtx.exit) // Close the channel to avoid leaking.
+
+		i.mu.Lock()
 		delete(i.proxyContextMap, proxyName)
+		i.mu.Unlock()
 	}
 }