this commit removes the `linkerd-http-executor` crate, and replaces all
usage of its `TracingExecutor` type with the `TokioExecutor` type
provided by `hyper-util`.
this work is based upon hyperium/hyper-util#166. that change, included
in the 0.1.11 release, altered the `TokioExecutor` type so that it
propagates tracing context when the `tracing` feature is enabled.
with that change made, our `TracingExecutor` type is now redundant.
* https://github.com/hyperium/hyper-util/pull/166
* https://github.com/hyperium/hyper-util/blob/master/CHANGELOG.md#0111-2025-03-31
Signed-off-by: katelyn martin <kate@buoyant.io>
this commit introduces a new metric family tracking the rate and outcome
of dns lookups made by the linkerd2 proxy. this metric family has three
labels, counting the number of DNS resolutions for each distinct
control plane client, by record type (A/AAAA or SRV), and by outcome
(success or failure).
this metric is named `control_dns_resolutions_total`.
this commit generally does this via the addition of some new interfaces
to `linkerd-dns`'s `Resolver` structure. the `resolve_addrs()` method is
extended to increment particular counters if they have been installed.
the `linkerd-app` crate's `Dns` type now encapsulates its resolver, and
callers acquire a new resolver by providing a client name to its
`resolver()` method. this uses the client name to construct label sets
and create the corresponding time series for each client.
once proxies with this patch are running, and the viz extension has been
installed, one can query this metric like so:
**nb:** this screenshot shows an early prototype; this metric has since
been renamed.

this promQL query...
```
sum(rate(control_dns_resolutions_total[1m])) by (app,client,result) > 0
```
...will show the per-minute rate of dns lookups/failures across each
application workload, for each control-plane client, for each possible
outcome.
Signed-off-by: katelyn martin <kate@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
In linkerd/linkerd2-proxy#3547, we removed unsafe authority labels. This was a
breaking change, since the behavior was considered unsafe.
To support a graceful migration, this change adds an environment configuration,
`LINKERD2_PROXY_INBOUND_AUTHORITY_LABELS=unsafe`, that reverts to the prior
behavior.
It may be configured in linkerd2 via the proxy.additionalEnv helm value.
The latest edge doesn't properly install gateway API crds. This changes our
justfile to install the resources from the upstream release instead of the
Linkerd CLI.
this commit changes a message for a debug-level tracing event.
this block builds a trace collector. we can call it that, instead of the
more generic term "client". there are many clients being built here,
including identity, policy, and destination controller clients.
Signed-off-by: katelyn martin <kate@buoyant.io>
this commit fixes some broken links now that we have updated to the
latest 1.0 version of `http-body`.
this should address some warnings that can be seen in pull requests'
"files" tab in github. see, for example:
`https://github.com/linkerd/linkerd2-proxy/pull/3818/files`.
Signed-off-by: katelyn martin <kate@buoyant.io>
`LINKERD2_PROXY_RESOLV_CONF` is an environment variable that ostensibly
is used to set the path of the resolver configuration file.
this connects to a `resolv_conf_path` field in the application's dns
`Config` structure, but that field is never used.
because it is marked as public, this isn't caught by the compiler's dead
code analysis.
see `resolv.conf(5)` for more information.
Signed-off-by: katelyn martin <kate@buoyant.io>
* chore(deps): dependabot group for unicode components
this commit introduces a new dependabot group.
this will update all of the crates maintained by the icu4x organization
in lockstep. we depend upon these transitively to handle urls.
```
; cargo tree | rg icu_ | rg 'icu_\w*' --only-matching | sort | uniq
icu_collections
icu_locid
icu_locid_transform
icu_locid_transform_data
icu_normalizer
icu_normalizer_data
icu_properties
icu_properties_data
icu_provider
icu_provider_macros
```
see:
- https://docs.rs/icu/latest/icu/
- https://icu.unicode.org/
- https://github.com/orgs/unicode-org/repositories?type=all
- https://crates.io/crates/idna
- #3811
- #3812
- #3813
Signed-off-by: katelyn martin <kate@buoyant.io>
* nit: alphabetize
Signed-off-by: katelyn martin <kate@buoyant.io>
* review: use a glob
Co-authored-by: Oliver Gould <ver@buoyant.io>
---------
Signed-off-by: katelyn martin <kate@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>
this commit addresses a todo comment in the `linkerd-proxy-resolve`
crate. this comment mentioned that a `match` block was originally an `if
let` block. a clippy lint is locally ignored as well, regarding `match`
statements with a single pattern.
contrary to the comment, `if let` *does* work with pin projection, as of
today.
Signed-off-by: katelyn martin <kate@buoyant.io>
this commit adds a group to the dependabot configuration.
this will mean that dependabot updates `tonic` and `tonic-build` in
lockstep.
Signed-off-by: katelyn martin <kate@buoyant.io>
DNS servers may return extremely low TTLs in some cases. When we're polling DNS to power a load balancer, we need to enforce a minimum duration to prevent tight-looping DNS queries.
This change adds a 5s minimum time between DNS lookups when resolving control plane components.
fixes linkerd/linkerd2#13508
* build(deps): bump deranged from 0.4.0 to 0.4.1
Bumps [deranged](https://github.com/jhpratt/deranged) from 0.4.0 to 0.4.1.
- [Commits](https://github.com/jhpratt/deranged/commits)
---
updated-dependencies:
- dependency-name: deranged
dependency-type: indirect
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
* fix(proxy/tap): fix inference error
https://github.com/jhpratt/deranged/issues/19
`deranged` added some additional interfaces in 0.4.1 that seem to affect
this `Into<T>` invocation. use `From::from` instead, so we can
explicitly indicate that we wish to convert this into an integer for
comparison.
Signed-off-by: katelyn martin <kate@buoyant.io>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: katelyn martin <kate@buoyant.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: katelyn martin <kate@buoyant.io>
We can run our testing k3d cluster with minimal components enabled. This will
speed up the cluster creation and deletion process (i.e. especially in CI).
* chore(deps)!: upgrade to tower 0.5
this commit updates our tower dependency from 0.4 to 0.5.
note that this commit does not affect the `tower-service` and
`tower-layer` crates, reëxported by `tower` itself. the `Service<T>`
trait and the closely related `Layer<S>` trait have not been changed.
the `tower` crate's utilities have changed in various ways, some of
particular note for the linkerd2 proxy. see these items, excerpted from
the tower changelog:
- **retry**: **Breaking Change** `retry::Policy::retry` now accepts `&mut Req` and `&mut Res` instead of the previous mutable versions. This
increases the flexibility of the retry policy. To update, update your method signature to include `mut` for both parameters. ([tower-rs/tower#584])
- **retry**: **Breaking Change** Change Policy to accept &mut self ([tower-rs/tower#681])
- **retry**: **Breaking Change** `Budget` is now a trait. This allows end-users to implement their own budget and bucket implementations. ([tower-rs/tower#703])
- **util**: **Breaking Change** `Either::A` and `Either::B` have been renamed `Either::Left` and `Either::Right`, respectively. ([tower-rs/tower#637])
- **util**: **Breaking Change** `Either` now requires its two services to have the same error type. ([tower-rs/tower#637])
- **util**: **Breaking Change** `Either` no longer implements `Future`. ([tower-rs/tower#637])
- **buffer**: **Breaking Change** `Buffer<S, Request>` is now generic over `Buffer<Request, S::Future>`. ([tower-rs/tower#654])
see:
* <https://github.com/tower-rs/tower/pull/584>
* <https://github.com/tower-rs/tower/pull/681>
* <https://github.com/tower-rs/tower/pull/703>
* <https://github.com/tower-rs/tower/pull/637>
* <https://github.com/tower-rs/tower/pull/654>
the `Either` trait bounds are particularly impactful for us. because
this runs counter to how we treat errors (skewing towards boxed errors,
in general), we temporarily vendor a version of `Either` from the 0.4
release, whose variants have been renamed to match the 0.5 interface.
updating to box the inner `A` and `B` services' errors, so we satiate
the new `A::Error = B::Error` bounds, can be addressed as a follow-on.
that's intentionally left as a separate change, due to the net size of
our patchset between this branch and #3504.
* <https://github.com/tower-rs/tower/compare/v0.4.x...master>
* <https://github.com/tower-rs/tower/blob/master/tower/CHANGELOG.md>
this work is based upon #3504. for more information, see:
* https://github.com/linkerd/linkerd2/issues/8733
* https://github.com/linkerd/linkerd2-proxy/pull/3504
Signed-off-by: katelyn martin <kate@buoyant.io>
X-Ref: https://github.com/tower-rs/tower/pull/815
X-Ref: https://github.com/tower-rs/tower/pull/817
X-Ref: https://github.com/tower-rs/tower/pull/818
X-Ref: https://github.com/tower-rs/tower/pull/819
* fix(stack/loadshed): update test affected by tower-rs/tower#635
this commit updates a test that was affected by breaking changes in
tower's `Buffer` middleware. see this excerpt from the description of
that change:
> I had to change some of the integration tests slightly as part of this
> change. This is because the buffer implementation using semaphore
> permits is _very subtly_ different from one using a bounded channel. In
> the `Semaphore`-based implementation, a semaphore permit is stored in
> the `Message` struct sent over the channel. This is so that the capacity
> is used as long as the message is in flight. However, when the worker
> task is processing a message that's been received from the channel,
> the permit is still not dropped. Essentially, the one message actively
> held by the worker task _also_ occupies one "slot" of capacity, so the
> actual channel capacity is one less than the value passed to the
> constructor, _once the first request has been sent to the worker_. The
> bounded MPSC changed this behavior so that capacity is only occupied
> while a request is actually in the channel, which broke some tests
> that relied on the old (and technically wrong) behavior.
bear particular attention to this:
> The bounded MPSC changed this behavior so that capacity is only
> occupied while a request is actually in the channel, which broke some
> tests that relied on the old (and technically wrong) behavior.
that pr adds an additional message to the channel in tests exercising
the load-shedding behavior, on account of the previous (incorrect)
behavior.
https://github.com/tower-rs/tower/pull/635/files#r797108274
this commit performs the same change for our corresponding test, adding
an additional `ready()` call before we hit the buffer's limit.
Signed-off-by: katelyn martin <kate@buoyant.io>
* review: use vendored `Either` for consistency
https://github.com/linkerd/linkerd2-proxy/pull/3744#discussion_r1999878537
Signed-off-by: katelyn martin <kate@buoyant.io>
---------
Signed-off-by: katelyn martin <kate@buoyant.io>
In #3626, we refactored the origin_dst determination logic to utilize
socket2 calls. However, this change inadvertently disrupted IPv6 and
dual-stack support, causing the server to fail to start when deployed on
such network configurations:
```
WARN ThreadId(01) inbound: linkerd_app_core::serve: Server failed to accept connection error=No such file or directory (os error 2)
```
This change reintroduces detection of the current network family,
calling socket2's `original_dst()` or `original_dst_ipv6()` depending on
the case.
Tested fine in both IPv6 and dual-stack Kind clusters.
this golfs down the return expression in
`NameRef::try_from_ascii_str()`.
rather than binding our `s` to a temporary variable, in order to return
a `Self(s)` result, we can take the same result and use `Result::map` to
convert a `Result<&'a str, InvalidName>` to a
`Result<NameRef<'a>, InvalidName>`.
Signed-off-by: katelyn martin <kate@buoyant.io>
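As an added example (not code from linkerd2-proxy), a stand-in `NameRef<'a>` whose `try_from_ascii_str()` returns `validate(s).map(Self)` rather than binding `s` to a temporary first; the `validate` rules and the `InvalidName` type are assumptions made for this example, not the crate's actual rules.

```rust
use std::fmt;

/// Stand-in for the crate's `InvalidName` error (constructed for this example).
#[derive(Debug, PartialEq, Eq)]
pub struct InvalidName;

impl fmt::Display for InvalidName {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("invalid DNS name")
    }
}
impl std::error::Error for InvalidName {}

/// A borrowed, validated DNS name (constructed newtype).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct NameRef<'a>(&'a str);

impl<'a> NameRef<'a> {
    /// Validate `s` and wrap it. `Result::map(Self)` turns the
    /// `Result<&'a str, InvalidName>` from `validate` directly into a
    /// `Result<NameRef<'a>, InvalidName>`, with no temporary binding.
    pub fn try_from_ascii_str(s: &'a str) -> Result<Self, InvalidName> {
        validate(s).map(Self)
    }

    pub fn as_str(&self) -> &'a str {
        self.0
    }
}

/// Assumed hostname rules (not the crate's): ASCII only, at most 253 bytes
/// ignoring one trailing dot, and every label 1..=63 alphanumeric/hyphen
/// bytes that neither starts nor ends with a hyphen.
fn validate(s: &str) -> Result<&str, InvalidName> {
    let body = s.strip_suffix('.').unwrap_or(s);
    if body.is_empty() || body.len() > 253 || !body.is_ascii() {
        return Err(InvalidName);
    }
    for label in body.split('.') {
        let ok = !label.is_empty()
            && label.len() <= 63
            && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
            && !label.starts_with('-')
            && !label.ends_with('-');
        if !ok {
            return Err(InvalidName);
        }
    }
    Ok(s)
}
```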
* build(deps): bump the hickory group with 2 updates
Bumps the hickory group with 2 updates: [hickory-resolver](https://github.com/hickory-dns/hickory-dns) and [hickory-proto](https://github.com/hickory-dns/hickory-dns).
Updates `hickory-resolver` from 0.24.4 to 0.25.1
- [Release notes](https://github.com/hickory-dns/hickory-dns/releases)
- [Changelog](https://github.com/hickory-dns/hickory-dns/blob/main/OLD-CHANGELOG.md)
- [Commits](https://github.com/hickory-dns/hickory-dns/compare/v0.24.4...v0.25.1)
Updates `hickory-proto` from 0.24.4 to 0.25.1
- [Release notes](https://github.com/hickory-dns/hickory-dns/releases)
- [Changelog](https://github.com/hickory-dns/hickory-dns/blob/main/OLD-CHANGELOG.md)
- [Commits](https://github.com/hickory-dns/hickory-dns/compare/v0.24.4...v0.25.1)
---
updated-dependencies:
- dependency-name: hickory-resolver
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: hickory
- dependency-name: hickory-proto
dependency-type: indirect
update-type: version-update:semver-minor
dependency-group: hickory
...
Signed-off-by: dependabot[bot] <support@github.com>
* chore(dns): address breaking changes in `hickory-resolver`
see also #3782.
this commit addresses breaking changes in the v0.25.0 release of
`hickory-resolver`, used by our `linkerd-dns` crate to handle DNS
resolution.
see the release notes, here:
<https://github.com/hickory-dns/hickory-dns/releases/tag/v0.25.0>
> 0.25.0 represents a large release for the Hickory DNS project. Over 14
> months since 0.24.0, we've [..] addressed a number of findings from our
> first security audit.
changes that are relevant to us include:
> * Support for TLS using native-tls or OpenSSL has been removed. We now
> only provide first-party support for rustls (0.23, for DNS over TLS,
> HTTP/2, QUIC and HTTP/3). We support ring or aws-lc-rs for
> cryptographic operations both for DNSSEC and TLS. The
> dns-over-rustls, dns-over-native-tls, dns-over-openssl,
> dns-over-https-rustls, dns-over-https, dns-over-quic and dns-over-h3
> features have been removed in favor of a set of
> {tls,https,quic,h3}-{aws-lc-rs,ring} features across our library
> crates.
>
> * The synchronous API in the resolver and client crates, which
> previously provided a thin partial wrapper over the asynchronous
> API, has been removed. Downstream users will have to migrate to the
> asynchronous API.
>
> * Error types are now exposed directly in the crate roots.
this commit updates references to the
`hickory_resolver::error::ResolveError` error with
`hickory_resolver::ResolveError` now that the errors submodule is
private. (hickory-dns/hickory-dns#2530)
this commit replaces references to
`hickory_resolver::TokioAsyncResolver` with its new name,
`hickory_resolver::TokioResolver`. (hickory-dns/hickory-dns#2521)
this commit inspects "no records found" errors according to the new api.
this particular change isn't especially documented, explicitly, but
occurred in hickory-dns/hickory-dns#2094. see in particular, in that
respect, corresponding changes in the upstream repo's own code. for
example: https://github.com/hickory-dns/hickory-dns/pull/2094/files#diff-330847b46040a30d449f85e8a804bea085f0974d3cba80d79d83acc56f33542dL176-R178
```diff
- match error.kind() {
- ResolveErrorKind::NoRecordsFound { query, soa, .. } => {
+ match error.proto().map(ProtoError::kind) {
+ Some(ProtoErrorKind::NoRecordsFound { query, soa, .. }) => {
```
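Review bot: the scrutinee in the `+` lines is now an `Option` (`error.proto().map(ProtoError::kind)`), so the rewritten `match` needs a `None` arm for a `ResolveError` that carries no underlying proto error, alongside the `Some(ProtoErrorKind::NoRecordsFound { .. })` arm shown; both `None` and any other `Some(_)` should fall through to the generic-failure path so that a non-proto error is not misclassified as an empty result. Since these four lines are an excerpt of the upstream change, the proxy's own port of this logic is where that fallback arm should be confirmed.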
there is a small pull request being proposed upstream to introduce a
`Builder::with_options()` method, which would make our construction of a
dns resolver marginally more idiomatic. this however, is not a blocker,
by any means.
X-Ref: hickory-dns/hickory-dns#2521
X-Ref: hickory-dns/hickory-dns#2830
X-Ref: hickory-dns/hickory-dns#2094
X-Ref: hickory-dns/hickory-dns#2877
Signed-off-by: katelyn martin <kate@buoyant.io>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: katelyn martin <kate@buoyant.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR adds os param to our package job in the release workflow.
This allows us to build and release Windows artifacts.
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>