feat(agent): optimise getting health checks from consul server by shashankNandigama · Pull Request #354 · hashicorp/consul-esm

shashankNandigama · 2026-03-04T12:44:57Z

Issue

Delay in fetching new service healthChecks registered in new namespaces

Root cause

In ESM getHealthChecks() method, it fetches the list of namespaces and then loops over all namespaces to fetch the health checks present in those namespaces. It makes a blocking query to the API /v1/health/state/any. By default consul server has a waitTime of 5 minutes for blocking queries.

When there are for example 100 namespaces with some services in them and there are no new service registrations or de-registrations, or state changes in these namespaces the query to fetch healthChecks gets blocked for 5 mins for each namespace.Now if a new service is registered in a new namespace, this new namespace is recognised by esm only after it finishes iterating over 100 namespaces leading to a long delay.

Change

Consul server supports sending health checks in all namespaces in a single API call, updated esm to use this instead of sequentially fetching all health checks in all namespaces.

Validation
Tested the delay in esm fetching new services registered by registering upto ~50k services and it is taking <20 seconds for esm to add new services to its monitoring list.

PCI review checklist

I have documented a clear reason for, and description of, the change I am making.
If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
If applicable, I've documented the impact of any changes to security controls.

Examples of changes to security controls include using new access control methods, adding or removing logging pipelines, etc.

agent.go

agent_test.go

santoshpulluri · 2026-03-05T07:26:29Z

agent.go

-			a.logger.Warn("Error querying for health check info", "error", err)
-			continue
+			a.namespaceWildcard = ""
+			a.logger.Warn("Failed to detect Consul edition after retries, defaulting to CE behavior", "error", err)


Change the log level to error

santoshpulluri · 2026-03-05T07:26:47Z

agent.go

+			if err == nil {
+				break
+			}
+			a.logger.Warn("Error fetching agent info for enterprise detection, will retry",


Change the log level to error

santoshpulluri · 2026-03-05T07:29:20Z

agent.go

+// Enterprise builds include "+ent" in the version (e.g. "1.18.0+ent").
+func (a *Agent) getNamespaceWildcard() string {
+	a.namespaceWildcardOnce.Do(func() {
+		maxRetries := 3


i believe these constants should be declared at common place with proper details in the comment.

santoshpulluri · 2026-03-05T07:31:20Z

agent.go

+// Returns "*" for Enterprise Consul (wildcard across all namespaces) or "" for OSS/CE.
+// Detection is done by checking the Consul version string from /v1/agent/self —
+// Enterprise builds include "+ent" in the version (e.g. "1.18.0+ent").
+func (a *Agent) getNamespaceWildcard() string {


We should cache the previous value and run this only when it is nil.
Basically execute it once when successfully detects CE/ENT.

shashankNandigama added 3 commits March 4, 2026 13:00

use single api to get healthChecks in all namepsaces

6119019

update unitTests

15c8bfa

check for enterprise consul and update tests

46165d8

shashankNandigama requested a review from a team as a code owner March 4, 2026 12:44

shashankNandigama mentioned this pull request Mar 4, 2026

fix: delay in fetching new services in new namespaces #351

Closed

3 tasks