nit(app): remove frivolous code (#4094)

this commit removes a piece of code that has been commented out.

it additionally removes a variable binding that is not needed. `dst` is
not moved, so we do not need to bind the address of the destination
service to a variable, nor do we need to clone it.

Signed-off-by: katelyn martin <kate@buoyant.io>

.checksec/amd64-gnu.json

@@ -0,0 +1,8 @@
+{
+  "canary": "no",
+  "nx": "yes",
+  "pie": "yes",
+  "relro": "full",
+  "rpath": "no",
+  "runpath": "no"
+}

.checksec/amd64-musl.json

@@ -0,0 +1,8 @@
+{
+  "canary": "no",
+  "nx": "yes",
+  "pie": "yes",
+  "relro": "full",
+  "rpath": "no",
+  "runpath": "no"
+}

.checksec/arm-gnu.json

@@ -0,0 +1,8 @@
+{
+  "canary": "no",
+  "nx": "yes",
+  "pie": "yes",
+  "relro": "full",
+  "rpath": "no",
+  "runpath": "no"
+}

.checksec/arm-musl.json

@@ -0,0 +1,8 @@
+{
+  "canary": "no",
+  "nx": "yes",
+  "pie": "no",
+  "relro": "partial",
+  "rpath": "no",
+  "runpath": "no"
+}

.checksec/arm64-gnu.json

@@ -0,0 +1,8 @@
+{
+  "canary": "no",
+  "nx": "yes",
+  "pie": "yes",
+  "relro": "full",
+  "rpath": "no",
+  "runpath": "no"
+}

.checksec/arm64-musl.json

@@ -0,0 +1,8 @@
+{
+  "canary": "no",
+  "nx": "yes",
+  "pie": "no",
+  "relro": "partial",
+  "rpath": "no",
+  "runpath": "no"
+}

.clippy.toml

@@ -1 +1,22 @@
 type-complexity-threshold = 500
+disallowed-methods = [
+    # Mutating environment variables in a multi-threaded context can
+    # cause data races.
+    # see https://github.com/rust-lang/rust/issues/90308 for details.
+    "std::env::set_var",
+    "std::env::remove_var",
+
+    # Avoid instances of https://github.com/rust-lang/rust/issues/86470 until tokio/tokio#4461 is
+    # available.
+    "tokio::time::Instant::duration_since",
+    "tokio::time::Instant::elapsed",
+    # Clippy doesn't let us ban tokio::time::Instant::sub, but it knows what it did.
+]
+disallowed-types = [
+    # Use parking_lot instead.
+    "std::sync::Mutex",
+    "std::sync::RwLock",
+
+    # Use tokio::time::Instant instead.
+    "std::time::Instant",
+]

.codecov.yml

@@ -0,0 +1,33 @@
+coverage:
+  ignore:
+    - "linkerd/app/integration/src/**"
+    - "**/src/gen/**"
+    - "tools/**"
+
+  precision: 2
+  round: down
+  range: "70...100"
+
+  status:
+    project:
+      default:
+        target: auto
+        threshold: 2%
+        if_not_found: success
+        if_ci_failed: error
+        paths:
+          - "!linkerd/app/integration/src/**"
+          - "!**/src/gen/**"
+          - "!tools/**"
+
+    patch:
+      default:
+        target: auto
+        threshold: 1%
+        if_not_found: success
+        if_ci_failed: error
+
+comment:
+  layout: "header, diff, files, footer"
+  behavior: default
+  require_changes: false

.devcontainer/Dockerfile

@@ -0,0 +1,12 @@
+ARG DEV_VERSION
+
+FROM ghcr.io/linkerd/dev:${DEV_VERSION}
+RUN scurl https://run.linkerd.io/install-edge | sh && \
+    mkdir -p "$HOME/bin" && ln -s "$HOME/.linkerd2/bin/linkerd" "$HOME/bin/linkerd"
+
+ENV RUSTFLAGS="--cfg tokio_unstable"
+
+# XXX(ver) This doesn't currently work, because it puts
+# /usr/local/cargo/registry into a weird state with regard to permissions.
+#RUN rustup toolchain install --profile=minimal nightly
+#RUN cargo +nightly install cargo-fuzz

.devcontainer/devcontainer.json

@@ -0,0 +1,63 @@
+{
+	"name": "linkerd2-proxy",
+	"build": {
+		"dockerfile": "Dockerfile",
+		"args": {
+			"DEV_VERSION": "v47",
+			"http_proxy": "${localEnv:http_proxy}",
+			"https_proxy": "${localEnv:https_proxy}"
+		}
+	},
+	"features": {
+		"ghcr.io/devcontainers/features/github-cli:1": {}
+	},
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"DavidAnson.vscode-markdownlint",
+				"kokakiwi.vscode-just",
+				"NathanRidley.autotrim",
+				"rust-lang.rust-analyzer",
+				"samverschueren.final-newline",
+				"tamasfe.even-better-toml",
+				"zxh404.vscode-proto3"
+			],
+			"settings": {
+				"files.insertFinalNewline": true,
+				"[git-commit]": {
+					"editor.rulers": [
+						72,
+						80
+					],
+					"editor.wordWrap": "wordWrapColumn",
+					"editor.wordWrapColumn": 80
+				}
+			}
+		}
+	},
+	// Support docker + debugger
+	"runArgs": [
+		"--init",
+		// Limit container memory usage.
+		"--memory=24g",
+		"--memory-swap=24g",
+		// Use the host network so we can access k3d, etc.
+		"--net=host",
+		// For lldb
+		"--cap-add=SYS_PTRACE",
+		"--security-opt=seccomp=unconfined"
+	],
+	"overrideCommand": false,
+	"remoteUser": "code",
+	"containerEnv": {
+		"CXX": "clang++-19",
+		"RUSTFLAGS": "--cfg tokio_unstable"
+	},
+	"mounts": [
+		{
+			"source": "/var/run/docker.sock",
+			"target": "/var/run/docker-host.sock",
+			"type": "bind"
+		}
+	]
+}

.gitattributes

@@ -1 +1,3 @@
 Cargo.lock linguist-generated=false
+linkerd/transport-header/src/gen/* linguist-generated=true
+opencensus-proto/src/gen/* linguist-generated=true

.github/CODEOWNERS

@@ -1 +1 @@
-* @linkerd/proxy-maintainers
+* @linkerd/maintainers

.github/actions/package/Dockerfile

@@ -1,16 +0,0 @@
-ARG BASE_IMAGE=rust:1.55.0-buster
-FROM $BASE_IMAGE
-WORKDIR /linkerd
-RUN apt-get update && \
-    apt-get install -y jq && \
-    apt-get install -y --no-install-recommends g++-aarch64-linux-gnu libc6-dev-arm64-cross && \
-    rustup target add aarch64-unknown-linux-gnu && \
-    apt-get install -y --no-install-recommends g++-arm-linux-gnueabihf libc6-dev-armhf-cross && \
-    rustup target add armv7-unknown-linux-gnueabihf && \
-    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/
-ENV CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc
-ENV CARGO_TARGET_ARMV7_UNKNOWN_LINUX_GNUEABIHF_LINKER=arm-linux-gnueabihf-gcc
-# v2.1.0
-ARG CHECKSEC_SHA=04582bad41589ad479ca8b1f0170ed317475b5a5
-RUN cd /usr/local/bin && curl -vsLO "https://raw.githubusercontent.com/slimm609/checksec.sh/$CHECKSEC_SHA/checksec" && chmod 755 checksec
-COPY expected-checksec.json validate-checksec.sh /linkerd/

.github/actions/package/expected-checksec.json

@@ -1,10 +0,0 @@
-{
-  "canary": "yes",
-  "fortify_source": "yes",
-  "nx": "yes",
-  "pie": "yes",
-  "relro": "full",
-  "rpath": "no",
-  "runpath": "no",
-  "symbols": "no"
-}

.github/actions/package/validate-checksec.sh

@@ -1,25 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-if [ $# -ne 2 ]; then
-    (
-        echo "usage: $0 EXPECTED RECEIVED"
-        echo
-        echo "Found $# args"
-    ) >&2
-    exit 64
-fi
-
-expected_file="$1"
-received_file="$2"
-if [ ! -f "$expected_file" ]; then
-    echo "JSON output not found: $expected_file" >&2
-    exit 1
-fi
-if [ ! -f "$received_file" ]; then
-    echo "JSON output not found: $received_file" >&2
-    exit 1
-fi
-
-jq -S '.' "$received_file" | diff -u "$expected_file" - >&2

.github/actions/release-tag-meta/Dockerfile

@@ -1,3 +0,0 @@
-FROM busybox:1.31
-COPY entrypoint.sh /
-ENTRYPOINT ["/entrypoint.sh"]

.github/actions/release-tag-meta/action.yml

@@ -1,16 +0,0 @@
-name: release-tag-meta
-description: Extract release metadata from the tag
-inputs:
-  git-ref:
-    required: true
-    description: "The git ref (i.e. starting with refs/tags)"
-outputs:
-  tag:
-    description: "The git tag (without the refs prefix)"
-  name:
-    description: "The release name"
-runs:
-  using: docker
-  image: Dockerfile
-  args:
-    - ${{ inputs.git-ref }}

.github/actions/release-tag-meta/entrypoint.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-set -eu
-
-ref="$1"
-tag=$(echo "$ref" | sed s,^refs/tags/,,)
-name=$(echo "$tag" | sed s,^release/,,)
-
-echo ::set-output "name=tag::$tag"
-echo ::set-output "name=name::$name"

.github/copilot-instructions.md

@@ -0,0 +1,156 @@
+# Linkerd2 Proxy Copilot Instructions
+
+## Code Generation
+
+- Code MUST pass `cargo fmt`.
+- Code MUST pass `cargo clippy --all-targets --all-features -- -D warnings`.
+- Markdown MUST pass `markdownlint-cli2`.
+- Prefer `?` for error propagation.
+- Avoid `unwrap()` and `expect()` outside tests.
+- Use `tracing` crate macros (`tracing::info!`, etc.) for structured logging.
+
+### Comments
+
+Comments should explain **why**, not **what**. Focus on high-level rationale and
+design intent at the function or block level, rather than line-by-line
+descriptions.
+
+- Use comments to capture:
+  - System-facing or interface-level concerns
+  - Key invariants, preconditions, and postconditions
+  - Design decisions and trade-offs
+  - Cross-references to architecture or design documentation
+- Avoid:
+  - Line-by-line commentary explaining obvious code
+  - Restating what the code already clearly expresses
+- For public APIs:
+  - Use `///` doc comments to describe the contract, behavior, parameters, and
+    usage examples
+- For internal rationale:
+  - Use `//` comments sparingly to note non-obvious reasoning or edge-case
+    handling
+- Be neutral and factual.
+
+### Rust File Organization
+
+For Rust source files, enforce this layout:
+
+1. **Non‑public imports**  
+   - Declare all `use` statements for private/internal crates first.  
+   - Group imports to avoid duplicates and do **not** add blank lines between
+     `use` statements.
+
+2. **Module declarations**  
+   - List all `mod` declarations.
+
+3. **Re‑exports**  
+   - Follow with `pub use` statements.
+
+4. **Type definitions**  
+   - Define `struct`, `enum`, `type`, and `trait` declarations.  
+   - Sort by visibility: `pub` first, then `pub(crate)`, then private.
+   - Public types should be documented with `///` comments.
+
+5. **Impl blocks**  
+   - Implement methods in the same order as types above.  
+   - Precede each type’s `impl` block with a header comment: `// === <TypeName> ===`
+
+6. **Tests**  
+   - End with a `tests` module guarded by `#[cfg(test)]`.
+   - If the in‑file test module exceeds 100 lines, move it to
+     `tests/<filename>.rs` as a child integration‑test module.
+
+## Test Generation
+
+- Async tests MUST use `tokio::test`.
+- Synchronous tests use `#[test]`.
+- Include at least one failing‑edge‑case test per public function.
+- Use `tracing::info!` for logging in tests, usually in place of comments.
+
+## Code Review
+
+### Rust
+
+- Point out any `unsafe` blocks and justify their safety.
+- Flag functions >50 LOC for refactor suggestions.
+- Highlight missing docs on public items.
+
+### Markdown
+
+- Use `markdownlint-cli2` to check for linting errors.
+- Lines SHOULD be wrapped at 80 characters.
+- Fenced code blocks MUST include a language identifier.
+
+### Copilot Instructions
+
+- Start each instruction with an imperative, present‑tense verb.
+- Keep each instruction under 120 characters.
+- Provide one directive per instruction; avoid combining multiple ideas.
+- Use "MUST" and "SHOULD" sparingly to emphasize critical rules.
+- Avoid semicolons and complex punctuation within bullets.
+- Do not reference external links, documents, or specific coding standards.
+
+## Commit Messages
+
+Commits follow the Conventional Commits specification:
+
+### Subject
+
+Subjects are in the form: `<type>[optional scope]: <description>`
+
+- **Type**: feat, fix, docs, refactor, test, chore, ci, build, perf, revert
+  (others by agreement)
+- **Scope**: optional, lowercase; may include `/` to denote sub‑modules (e.g.
+  `http/detect`)
+- **Description**: imperative mood, present tense, no trailing period
+- MUST be less than 72 characters
+- Omit needless words!
+
+### Body
+
+Non-trivial commits SHOULD include a body summarizing the change.
+
+- Explain *why* the change was needed.  
+- Describe *what* was done at a high level.
+- Use present-tense narration.
+- Use complete sentences, paragraphs, and punctuation.
+- Preceded by a blank line.
+- Wrapped at 80 characters.
+- Omit needless words!
+
+### Breaking changes
+
+If the change introduces a backwards-incompatible change, it MUST be marked as
+such.
+
+- Indicated by `!` after the type/scope (e.g. `feat(inbound)!: …`)  
+- Optionally including a `BREAKING CHANGE:` section in the footer explaining the
+  change in behavior.
+
+### Examples
+
+```text
+feat(auth): add JWT refresh endpoint
+
+There is currently no way to refresh a JWT token.
+
+This exposes a new `/refresh` route that returns a refreshed token.
+```
+
+```text
+feat(api)!: remove deprecated v1 routes
+
+The `/v1/*` endpoints have been deprecated for a long time and are no
+longer called by clients.
+
+This change removes the `/v1/*` endpoints and all associated code,
+including integration tests and documentation.
+
+BREAKING CHANGE: The previously-deprecated `/v1/*` endpoints were removed.
+```
+
+## Pull Requests
+
+- The subject line MUST be in the conventional commit format.
+- Auto‑generate a PR body summarizing the problem, solution, and verification steps.
+- List breaking changes under a separate **Breaking Changes** heading.

.github/dependabot.yml

@@ -1,41 +1,115 @@
+# Dependabot are scheduled to avoid contention with normal workday CI usage. We
+# start running updates at 10AM UTC (2AM PST).
 version: 2
 updates:
   - package-ecosystem: cargo
     directory: /
     schedule:
       interval: daily
+      time: "10:00"
+      timezone: "UTC"
+    allow:
+      - dependency-type: "all"
+    ignore:
+      # These dependencies are for platforms that we don't support:
+      - dependency-name: "hermit-abi"
+      - dependency-name: "redox_*"
+      - dependency-name: "js-sys"
+      - dependency-name: "wasm-bindgen"
+      - dependency-name: "web-sys"
+      - dependency-name: "windows*"
+    groups:
+      boring:
+        patterns:
+          - "tokio-boring"
+          - "boring*"
+      futures:
+        patterns:
+          - "futures*"
+      grpc:
+        patterns:
+          - "prost*"
+          - "tonic*"
+      hickory:
+        patterns:
+          - "hickory*"
+      icu4x:
+        patterns:
+          - "icu_*"
+      opentelemetry:
+        patterns:
+          - "opentelemetry*"
+      rustls:
+        patterns:
+          - "tokio-rustls"
+          - "rustls*"
+          - "ring"
+      symbolic:
+        patterns:
+          - "symbolic-*"
+      tracing:
+        patterns:
+          - "tracing*"
 
   - package-ecosystem: cargo
     directory: /linkerd/addr/fuzz
     schedule:
       interval: daily
+      time: "10:00"
+      timezone: "UTC"
 
   - package-ecosystem: cargo
     directory: /linkerd/app/inbound/fuzz
     schedule:
       interval: daily
+      time: "10:00"
+      timezone: "UTC"
 
   - package-ecosystem: cargo
     directory: /linkerd/dns/fuzz
     schedule:
       interval: daily
+      time: "10:00"
+      timezone: "UTC"
 
   - package-ecosystem: cargo
     directory: /linkerd/proxy/http/fuzz
     schedule:
       interval: daily
+      time: "10:00"
+      timezone: "UTC"
 
   - package-ecosystem: cargo
     directory: /linkerd/tls/fuzz
     schedule:
       interval: daily
+      time: "10:00"
+      timezone: "UTC"
 
   - package-ecosystem: cargo
     directory: /linkerd/transport-header/fuzz
     schedule:
       interval: daily
+      time: "10:00"
+      timezone: "UTC"
 
   - package-ecosystem: github-actions
     directory: "/"
     schedule:
       interval: daily
+      time: "10:00"
+      timezone: "UTC"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: daily
+      time: "09:00"
+      timezone: "UTC"
+
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer"
+    schedule:
+      interval: daily
+      time: "09:00"
+      timezone: "UTC"

.github/fuzzers-list.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+## Lists the fuzzers that should be run given a set of changed files.
+
+# Find the nearest fuzzer crate, or nothing.
+find_fuzz_dir() {
+    d=${1%/*}
+    if ! [[ "$d" =~ / ]]; then
+        return
+    elif [ -d "$d" ] && [[ "$d" = */fuzz ]]; then
+        echo "$d"
+    elif [ -f "$d/fuzz/Cargo.toml" ]; then
+        echo "$d/fuzz"
+    else
+        find_fuzz_dir "$d"
+    fi
+}
+
+for file in "$@" ; do
+    if [ "$file" = .github/workflows/fuzzers.yml ] || [ "$file" = .github/fuzzers-list.sh ]; then
+        find linkerd -type d -name fuzz
+        break
+    fi
+    find_fuzz_dir "$file"
+done | sort -u

.github/list-crates.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+set -eu
+
+if [ $# -eq 0 ]; then
+    echo '[]'
+    exit 0
+fi
+
+# Find the nearest Cargo.toml (except the root).
+find_manifest() {
+    p=${1%/*}
+    if [ -f "$p/Cargo.toml" ]; then
+        realpath "$p/Cargo.toml"
+    else
+        find_manifest "$p"
+    fi
+}
+
+# Build an expression to match all changed manifests.
+manifest_expr() {
+    printf '%s' 'false'
+    for file in "$@" ; do
+        m=$(find_manifest "$file")
+        if [ "$m" != "Cargo.toml" ]; then
+            printf ' or (. == "%s")' "$m"
+        fi
+    done
+    printf '\n'
+}
+
+expr=$(manifest_expr "$@")
+
+# Get the crate names for all changed manifest directories.
+crates=$(cargo metadata --locked --format-version=1 \
+    | jq -cr "[.packages[] | select(.manifest_path | $expr) | .name]")
+
+echo "crates=$crates" >> "$GITHUB_OUTPUT"
+echo "$crates" | jq .

.github/workflows/advisory.yml

@@ -1,58 +0,0 @@
-# Optional build
-name: Advisory
-
-on:
-  pull_request: {}
-
-jobs:
-  # Prevent sudden announcement of a new advisory from failing Ci.
-  advisories:
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-    - uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d
-      with:
-        command: check advisories
-
-  # Ensure that all of the fuzzers continue to build.
-  #
-  # This is optional because it depends on the nightly toolchain.
-  fuzzers:
-    timeout-minutes: 40
-    runs-on: ubuntu-latest
-    container:
-      image: docker://rust:1.55.0-buster
-    permissions:
-      contents: read
-    strategy:
-      matrix:
-        dir:
-          - addr
-          - app/inbound
-          - dns
-          - proxy/http
-          - tls
-          - transport-header
-    steps:
-      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - run: rustup toolchain add nightly
-      - run: cargo install cargo-fuzz
-      # Iterate through all fuzz crates to ensure each compiles independently.
-      - run: cd linkerd/${{matrix.dir}}/fuzz && cargo +nightly fuzz build
-
-  # It's easy to make changes that are innocuous in dev builds that end up ballooning resources
-  # needed for release builds. This job builds the proxy in release-mode to ensure the build isn't
-  # OOM-killed.
-  release-binary:
-    timeout-minutes: 20
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - run: make build
-        env:
-          CARGO_RELEASE: true

.github/workflows/beta.yml

@@ -0,0 +1,34 @@
+# Builds the proxy on the beta toolchain to help catch Rust regressions before they hit stable.
+name: rust-beta
+
+on:
+  workflow_dispatch: {}
+  pull_request:
+    paths:
+      - justfile
+      - .github/workflows/beta.yml
+  schedule:
+    # Run weekly on wednesday @ midnightish Pacific-time.
+    - cron: "30 7 * * 3"
+
+env:
+  CARGO_INCREMENTAL: 0
+  CARGO_NET_RETRY: 10
+  RUSTUP_MAX_RETRIES: 10
+  RUSTFLAGS: "-D warnings --cfg tokio_unstable"
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
+    timeout-minutes: 20
+    continue-on-error: true
+    steps:
+      - run: rustup toolchain install --profile=minimal beta
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
+      - run: just toolchain=beta fetch
+      - run: just toolchain=beta build

.github/workflows/coverage.yml

@@ -1,20 +1,58 @@
 name: Coverage
 
-# Run weekly on Sunday at midnight (UTC).
 on:
-  schedule:
-    - cron: '0 0 * * 0'
+  push:
+    branches: [main]
+  pull_request: {}
+
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
+
+env:
+  CARGO_INCREMENTAL: 0
+  CARGO_NET_RETRY: 10
+  RUSTFLAGS: "-D warnings -A deprecated --cfg tokio_unstable -C debuginfo=2"
+  RUSTUP_MAX_RETRIES: 10
 
 jobs:
-  test:
-    name: codecov
-    runs-on: ubuntu-latest
+  meta:
+    timeout-minutes: 5
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - id: changed
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            .codecov.yml
+            .github/workflows/coverage.yml
+            **/*.rs
+          files_ignore: |
+            *-proto/**
+            linkerd/transport-header/**
+    outputs:
+      any_changed: ${{ steps.changed.outputs.any_changed }}
+
+  codecov:
+    needs: meta
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.meta.outputs.any_changed == 'true'
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
-      image: docker://rust:1.55.0-buster
-      options: --security-opt seccomp=unconfined
+      image: docker://ghcr.io/linkerd/dev:v47-rust
+      options: --security-opt seccomp=unconfined # 🤷
+    env:
+      CXX: "/usr/bin/clang++-19"
     steps:
-      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - run: cargo install cargo-tarpaulin
-      - run: cargo tarpaulin --verbose --workspace --out Xml
-      - uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
+      - run: cargo tarpaulin --locked --workspace --exclude=linkerd2-proxy --exclude=linkerd-transport-header --exclude=opencensus-proto --exclude=spire-proto --no-run
+      - run: cargo tarpaulin --locked --workspace --exclude=linkerd2-proxy --exclude=linkerd-transport-header --exclude=opencensus-proto --exclude=spire-proto --skip-clean --ignore-tests --no-fail-fast --out=Xml
+        # Some tests are especially flakey in coverage tests. That's fine. We
+        # only really care to measure how much of our codebase is covered.
+        continue-on-error: true
+      - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24

.github/workflows/fuzzers.yml

@@ -0,0 +1,63 @@
+name: fuzzers
+
+on:
+  # Only run on PRs that touch fuzzed crates
+  pull_request:
+    paths:
+      - 'linkerd/addr/**'
+      - 'linkerd/app/inbound/**'
+      - 'linkerd/dns/**'
+      - 'linkerd/proxy/http/**'
+      - 'linkerd/tls/**'
+      - 'linkerd/transport-header/**'
+      - .github/workflows/fuzzers.yml
+      - .github/fuzzers-list.sh
+
+env:
+  CARGO_INCREMENTAL: 0
+  CARGO_NET_RETRY: 10
+  RUST_BACKTRACE: short
+  RUSTFLAGS: "-D warnings -A deprecated --cfg tokio_unstable -C debuginfo=0"
+  RUSTUP_MAX_RETRIES: 10
+
+permissions:
+  contents: read
+
+jobs:
+  list-changed:
+    timeout-minutes: 3
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: docker://rust:1.88.0
+    steps:
+      - run: apt update && apt install -y jo
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
+      - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        id: changed-files
+      - name: list changed crates
+        id: list-changed
+        shell: bash
+        run: |
+          dirs=$(.github/fuzzers-list.sh ${{ steps.changed-files.outputs.all_changed_files }} | jo -a)
+          echo "dirs=$dirs" >> "$GITHUB_OUTPUT"
+    outputs:
+      dirs: ${{ steps.list-changed.outputs.dirs }}
+
+  # Build fuzzers for any changed crates.
+  build:
+    needs: [list-changed]
+    timeout-minutes: 40
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: docker://rust:1.88.0
+    strategy:
+      matrix:
+        dir: ${{ fromJson(needs.list-changed.outputs.dirs) }}
+    steps:
+      - run: rustup toolchain add nightly
+      - run: cargo install cargo-fuzz
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
+      - working-directory: ${{matrix.dir}}
+        run: cargo +nightly fetch
+      - working-directory: ${{matrix.dir}}
+        run: cargo +nightly fuzz build

.github/workflows/markdown.yml

@@ -0,0 +1,20 @@
+name: markdown
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    paths:
+      - '**/*.md'
+      - .github/workflows/markdown.yml
+
+jobs:
+  markdownlint:
+    timeout-minutes: 5
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e
+        with:
+            globs: "**/*.md"

.github/workflows/nightly.yml

@@ -0,0 +1,34 @@
+# Builds the proxy on the nightly toolchain to help catch Rust regressions before they hit beta.
+name: rust-nightly
+
+on:
+  workflow_dispatch: {}
+  pull_request:
+    paths:
+      - justfile
+      - .github/workflows/nightly.yml
+  schedule:
+    # Run daily @ midnightish Pacific-time.
+    - cron: "0 8 * * *"
+
+env:
+  CARGO_INCREMENTAL: 0
+  CARGO_NET_RETRY: 10
+  RUSTFLAGS: "-D warnings -A opaque_hidden_inferred_bound --cfg tokio_unstable -C debuginfo=0"
+  RUSTUP_MAX_RETRIES: 10
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
+    timeout-minutes: 20
+    continue-on-error: true
+    steps:
+      - run: rustup toolchain install --profile=minimal nightly
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
+      - run: just toolchain=nightly fetch
+      - run: just toolchain=nightly profile=release build

.github/workflows/pr.yml

@@ -0,0 +1,177 @@
+name: Pull Request
+on: pull_request
+
+env:
+  CARGO_INCREMENTAL: 0
+  CARGO_NET_RETRY: 10
+  RUSTUP_MAX_RETRIES: 10
+  RUSTFLAGS: "-D warnings -D deprecated --cfg tokio_unstable -C debuginfo=0"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
+
+jobs:
+  meta:
+    timeout-minutes: 5
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - id: build
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            .github/workflows/pr.yml
+            justfile
+            Dockerfile
+      - id: actions
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            .github/workflows/**
+            .devcontainer/*
+      - id: cargo
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files_ignore: "Cargo.toml"
+          files: |
+            **/Cargo.toml
+      - id: cargo-crates
+        if: steps.cargo.outputs.any_changed == 'true'
+        run: ./.github/list-crates.sh ${{ steps.cargo.outputs.all_changed_files }}
+      - id: rust
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            **/*.rs
+            Cargo.lock
+    outputs:
+      is_dependabot: ${{ github.actor == 'dependabot[bot]' }}
+      any_changed: ${{ steps.build.outputs.any_changed == 'true' || steps.actions.outputs.any_changed == 'true' || steps.cargo.outputs.any_change == 'true' || steps.rust.outputs.any_changed == 'true' }}
+      build_changed: ${{ steps.build.outputs.any_changed }}
+      actions_changed: ${{ steps.build.outputs.any_changed == 'true' || steps.actions.outputs.any_changed == 'true' }}
+      cargo_changed: ${{ steps.cargo.outputs.any_changed == 'true' }}
+      cargo_crates: ${{ steps.cargo-crates.outputs.crates }}
+      rust_changed: ${{ steps.build.outputs.any_changed == 'true' ||  steps.rust.outputs.any_changed == 'true' }}
+
+  info:
+    timeout-minutes: 3
+    needs: meta
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - name: Info
+        run: |
+          echo 'github.actor: ${{ github.actor }}'
+          echo 'github.event_name: ${{ github.event_name }}'
+          echo 'github.event.pull_request.number: ${{ github.event.pull_request.number }}'
+          echo 'needs.meta.outputs.is_dependabot: ${{ needs.meta.outputs.is_dependabot }}'
+          echo 'needs.meta.outputs.any_changed: ${{ needs.meta.outputs.any_changed }}'
+          echo 'needs.meta.outputs.actions_changed: ${{ needs.meta.outputs.actions_changed }}'
+          echo 'needs.meta.outputs.cargo_changed: ${{ needs.meta.outputs.cargo_changed }}'
+          echo 'needs.meta.outputs.cargo_crates: ${{ needs.meta.outputs.cargo_crates }}'
+          echo 'needs.meta.outputs.rust_changed: ${{ needs.meta.outputs.rust_changed }}'
+
+  actions:
+    needs: meta
+    if: needs.meta.outputs.actions_changed == 'true'
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - run: just action-lint
+      - run: just action-dev-check
+
+  rust:
+    needs: meta
+    if: needs.meta.outputs.cargo_changed == 'true' || needs.meta.outputs.rust_changed == 'true'
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
+    permissions:
+      contents: read
+    timeout-minutes: 20
+    steps:
+      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
+      - run: just fetch
+      - run: cargo deny --all-features check bans licenses sources
+      - run: just check-fmt
+      - run: just clippy
+      - run: just doc
+      - run: just test --exclude=linkerd2-proxy --no-run
+      - run: just test --exclude=linkerd2-proxy
+        env:
+          NEXTEST_RETRIES: 3
+
+  rust-crates:
+    needs: meta
+    if: needs.meta.outputs.cargo_changed == 'true'
+    timeout-minutes: 20
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
+    strategy:
+      matrix:
+        crate: ${{ fromJson(needs.meta.outputs.cargo_crates) }}
+    steps:
+      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
+      - run: just fetch
+      - run: just check-crate ${{ matrix.crate }}
+
+  linkerd-install:
+    needs: meta
+    if: needs.meta.outputs.cargo_changed == 'true' || needs.meta.outputs.rust_changed == 'true'
+    timeout-minutes: 20
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    env:
+      WAIT_TIMEOUT: 2m
+    steps:
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - name: scurl https://run.linkerd.io/install-edge | sh
+        run: |
+          scurl https://run.linkerd.io/install-edge | sh
+          echo "PATH=$PATH:$HOME/.linkerd2/bin" >> "$GITHUB_ENV"
+          export PATH="$PATH:$HOME/.linkerd2/bin"
+          tag=$(linkerd version --client --short)
+          echo "linkerd $tag"
+          echo "LINKERD_TAG=$tag" >> "$GITHUB_ENV"
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - run: just docker
+      - run: just k3d-create
+      - run: just k3d-load-linkerd
+      - run: just linkerd-install
+      - run: just linkerd-check-control-plane-proxy
+        env:
+          TMPDIR: ${{ runner.temp }}
+
+  ship-it:
+    timeout-minutes: 3
+    needs: [meta, actions, rust, rust-crates, linkerd-install]
+    if: always()
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Results
+        run: |
+          echo 'needs.actions.result: ${{ needs.actions.result }}'
+          echo 'needs.rust.result: ${{ needs.rust.result }}'
+          echo 'needs.rust-crates.result: ${{ needs.rust-crates.result }}'
+          echo 'needs.linkerd-install.result: ${{ needs.linkerd-install.result }}'
+
+      - name: Verify jobs
+        # All jobs must succeed or be skipped.
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+        run: exit 1
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        if: needs.meta.outputs.is_dependabot == 'true' && needs.meta.outputs.any_changed == 'true'
+      - name: "Merge dependabot changes"
+        if: needs.meta.outputs.is_dependabot == 'true' && needs.meta.outputs.any_changed == 'true'
+        run: gh pr merge '${{ github.event.pull_request.number }}' --auto --squash
+        env:
+          GH_TOKEN: ${{ github.token }}

.github/workflows/release-weekly.yml

@@ -0,0 +1,78 @@
+name: Weekly proxy release
+
+on:
+  schedule:
+    # Wednesday at ~8:40PM Pacific
+    - cron: "40 3 * * 3"
+  workflow_dispatch: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
+
+jobs:
+  last-release:
+    if: github.repository == 'linkerd/linkerd2-proxy' # Don't run this in forks.
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    timeout-minutes: 5
+    env:
+      GH_REPO: ${{ github.repository }}
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - name: Latest release
+        id: latest
+        run: gh release view --json name,publishedAt | jq -r 'to_entries[] | (.key + "=" + .value)' >> "$GITHUB_OUTPUT"
+      - name: Check if release was in last 72 hours
+        id: recency
+        env:
+          PUBLISHED_AT: ${{ steps.latest.outputs.publishedAt }}
+        run: |
+          if [ "$(date -d "$PUBLISHED_AT" +%s)" -gt "$(date -d '72 hours ago' +%s)" ]; then
+            echo "Last release $PUBLISHED_AT is recent" >&2
+            echo "recent=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "Last release $PUBLISHED_AT is not recent" >&2
+            echo "recent=false" >> "$GITHUB_OUTPUT"
+          fi
+    outputs:
+      version: ${{ steps.latest.outputs.name }}
+      published-at: ${{ steps.latest.outputs.publishedAt }}
+      recent: ${{ steps.recency.outputs.recent == 'true' }}
+
+  last-commit:
+    needs: last-release
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - name: Check if the most recent commit is after the last release
+        id: recency
+        env:
+          PUBLISHED_AT: ${{ needs.last-release.outputs.published-at }}
+        run: |
+          if [ "$(git log -1 --format=%ct)" -gt "$(date -d "$PUBLISHED_AT" +%s)" ]; then
+            echo "HEAD after last release $PUBLISHED_AT" >&2
+            echo "after-release=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "after-release=false" >> "$GITHUB_OUTPUT"
+          fi
+    outputs:
+      after-release: ${{ steps.recency.outputs.after-release == 'true' }}
+
+  trigger-release:
+    needs: [last-release, last-commit]
+    if: needs.last-release.outputs.recent == 'false' && needs.last-commit.outputs.after-release == 'true'
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    timeout-minutes: 5
+    permissions:
+      actions: write
+    env:
+      GH_REPO: ${{ github.repository }}
+      GH_TOKEN: ${{ github.token }}
+      LAST_VERSION: ${{ needs.last-release.outputs.version }}
+    steps:
+      - name: Get the latest minor version
+        run: |
+          m="$(echo "$LAST_VERSION" | cut -d. -f2)"
+          echo MINOR_VERSION="$((m+1))" >> "$GITHUB_ENV"
+      - run: gh workflow run release.yml -f publish=true -f version=v2."$MINOR_VERSION".0

.github/workflows/release.yml

@@ -1,94 +1,254 @@
 name: Release
 
 on:
-  push:
-    tags:
-      - "release/*"
+  pull_request: {}
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version in the form v1.2.3-prerelease+buildinfo"
+        required: true
+        type: string
+      tag-prefix:
+        description: "Tag prefix"
+        required: false
+        type: string
+        default: "release/"
+      profile:
+        description: "Build profile"
+        required: false
+        type: choice
+        options: ["debug", "release"]
+        default: "release"
+      publish:
+        description: "Publish the release?"
+        required: false
+        type: boolean
+        default: false
+      ref:
+        description: "Reference of the commit to release (default: github.ref)"
+        required: false
+        type: string
+        default: ""
+      prerelease:
+        description: "Is this a prerelease?"
+        required: false
+        type: boolean
+        default: false
+      draft:
+        description: "Is this a draft?"
+        required: false
+        type: boolean
+        default: false
+      latest:
+        description: "Make this the latest release?"
+        required: false
+        type: boolean
+        default: true
+
+env:
+  CARGO: "cargo auditable"
+  CARGO_INCREMENTAL: 0
+  CARGO_NET_RETRY: 10
+  RUSTFLAGS: "-D warnings -A deprecated --cfg tokio_unstable"
+  RUSTUP_MAX_RETRIES: 10
+
+concurrency:
+  group: ${{ github.workflow }}-${{ inputs.ref || github.head_ref }}
+  cancel-in-progress: true
 
 jobs:
+  meta:
+    timeout-minutes: 5
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        if: github.event_name == 'pull_request'
+      - id: workflow
+        if: github.event_name == 'pull_request'
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            .github/workflows/release.yml
+      - id: build
+        if: github.event_name == 'pull_request'
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            justfile
+            Cargo.toml
+
+      - id: version
+        env:
+          VERSION: ${{ inputs.version }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          shopt -s extglob
+          if [[ "$GITHUB_EVENT_NAME" == pull_request ]]; then
+            echo version="0.0.0-test.${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z-]+)?(\+[0-9A-Za-z-]+)?$ ]]; then
+            echo "Invalid version: $VERSION" >&2
+            exit 1
+          fi
+          echo version="${VERSION#v}" >> "$GITHUB_OUTPUT"
+
+      - id: platform
+        shell: bash
+        env:
+          WORKFLOW_CHANGED: ${{ steps.workflow.outputs.any_changed }}
+        run: |
+          if [[ "$GITHUB_EVENT_NAME" == pull_request && "$WORKFLOW_CHANGED" != 'true' ]]; then
+            ( echo archs='["amd64"]'
+              echo oses='["linux"]' ) >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          ( echo archs='["amd64", "arm64"]'
+            echo oses='["linux", "windows"]'
+          ) >> "$GITHUB_OUTPUT"
+
+    outputs:
+      archs: ${{ steps.platform.outputs.archs }}
+      oses: ${{ steps.platform.outputs.oses }}
+      version: ${{ steps.version.outputs.version }}
+      package: ${{ github.event_name == 'workflow_dispatch' || steps.build.outputs.any_changed == 'true' || steps.workflow.outputs.any_changed == 'true' }}
+      profile: ${{ inputs.profile || 'release' }}
+      publish: ${{ inputs.publish }}
+      ref: ${{ inputs.ref || github.sha }}
+      tag: "${{ inputs.tag-prefix || 'release/' }}v${{ steps.version.outputs.version }}"
+      prerelease: ${{ inputs.prerelease }}
+      draft: ${{ inputs.draft }}
+      latest: ${{ inputs.latest }}
+
+  info:
+    needs: meta
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    timeout-minutes: 3
+    steps:
+      - name: Inputs
+        run: |
+          jq . <<EOF
+          ${{ toJson(inputs) }}
+          EOF
+      - name: Meta
+        run: |
+          jq . <<EOF
+          ${{ toJson(needs.meta.outputs) }}
+          EOF
+
   package:
-    permissions:
-      contents: write
+    needs: meta
+    if: needs.meta.outputs.package == 'true'
+
     strategy:
       matrix:
-        architecture: [amd64, arm64, arm]
-        include:
-          - architecture: amd64
-            target: x86_64-unknown-linux-gnu
-            strip: strip
-          - architecture: arm64
-            target: aarch64-unknown-linux-gnu
-            strip: aarch64-linux-gnu-strip
-          - architecture: arm
-            target: armv7-unknown-linux-gnueabihf
-            strip: arm-linux-gnueabihf-strip
-    name: Package (${{ matrix.architecture }})
-    runs-on: ubuntu-latest
+        arch: ${{ fromJson(needs.meta.outputs.archs) }}
+        os: ${{ fromJson(needs.meta.outputs.oses) }}
+        libc: [gnu] # musl
+        exclude:
+          - os: windows
+            arch: arm64
+
+    # If we're not actually building on a release tag, don't short-circuit on
+    # errors. This helps us know whether a failure is platform-specific.
+    continue-on-error: ${{ needs.meta.outputs.publish != 'true' }}
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 40
+    container: docker://ghcr.io/linkerd/dev:v47-rust-musl
+    env:
+      LINKERD2_PROXY_VENDOR: ${{ github.repository_owner }}
+      LINKERD2_PROXY_VERSION: ${{ needs.meta.outputs.version }}
     steps:
-      - name: git co
-        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
+      # TODO: add to dev image
+      - name: Install MiniGW
+        if: matrix.os == 'windows'
+        run: apt-get update && apt-get install -y mingw-w64
+      - name: Install cross compilation toolchain
+        if: matrix.arch == 'arm64'
+        run: apt-get update && apt-get install -y binutils-aarch64-linux-gnu
 
-      - name: meta
-        id: release-tag-meta
-        uses: ./.github/actions/release-tag-meta
+      - name: Configure git
+        run: git config --global --add safe.directory "$PWD" # actions/runner#2033
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
-          git-ref: ${{ github.ref }}
-      #- run: echo "${{ toJSON(steps.release-tag-meta) }}"
-
-      - name: package
-        env:
-          CARGO_RELEASE: "1"
-          PACKAGE_VERSION: ${{ steps.release-tag-meta.outputs.name }}
-          CARGO_TARGET: ${{ matrix.target }}
-          STRIP: ${{ matrix.strip }}
-          ARCH: ${{ matrix.architecture }}
-        uses: ./.github/actions/package
+          ref: ${{ needs.meta.outputs.ref }}
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
         with:
-          entrypoint: make
-          args: package
-
-      - name: checksec
-        uses: ./.github/actions/package
+          key: ${{ matrix.os }}-${{ matrix.arch }}
+      - run: just fetch
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} rustup
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} profile=${{ needs.meta.outputs.profile }} build
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} profile=${{ needs.meta.outputs.profile }} package
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
-          entrypoint: /linkerd/validate-checksec.sh
-          args: /linkerd/expected-checksec.json "target/${{ matrix.target }}/release/package/linkerd2-proxy-${{ steps.release-tag-meta.outputs.name }}-${{ matrix.architecture }}-checksec.json"
+          name: ${{ matrix.arch }}-${{ matrix.os }}-artifacts
+          path: target/package/*
 
-      - name: upload artifacts
-        uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
-        with:
-          name: ${{ matrix.architecture }}-artifacts
-          path: target/${{ matrix.target }}/release/package/*
-
-  release:
-    needs: [package]
-    name: GitHub Release
-    runs-on: ubuntu-latest
+  publish:
+    needs: [meta, package]
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 5
     permissions:
+      actions: write
       contents: write
+    env:
+      VERSION: v${{ needs.meta.outputs.version }}
+      TAG: ${{ needs.meta.outputs.tag }}
     steps:
-      - name: git co
-        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-
-      - name: meta
-        id: release-tag-meta
-        uses: ./.github/actions/release-tag-meta
+      - name: Configure git
+        env:
+          GITHUB_USERNAME: ${{ vars.LINKERD2_PROXY_GITHUB_USERNAME || 'github-actions[bot]' }}
+        run: |
+          git config --global --add safe.directory "$PWD" # actions/runner#2033
+          git config --global user.name "$GITHUB_USERNAME"
+          git config --global user.email "$GITHUB_USERNAME"@users.noreply.github.com
+      # Tag the release.
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
-          git-ref: ${{ github.ref }}
-
-      - name: download artifacts
-        uses: actions/download-artifact@3be87be14a055c47b01d3bd88f8fe02320a9bb60
+          token: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}
+          ref: ${{ needs.meta.outputs.ref }}
+      - run: git tag -a -m "$VERSION" "$TAG"
+      # Fetch the artifacts.
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           path: artifacts
-
-      - name: display structure of downloaded files
-        run: ls -R artifacts
-
-      - name: release
-        uses: softprops/action-gh-release@6034af24fba4e5a8e975aaa6056554efe4c794d0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - run: du -h artifacts/**/*
+      # Publish the release.
+      - if: needs.meta.outputs.publish == 'true'
+        run: git push origin "$TAG"
+      - if: needs.meta.outputs.publish == 'true'
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8
         with:
-          name: ${{ steps.release-tag-meta.outputs.name }}
+          name: ${{ env.VERSION }}
+          tag_name: ${{ env.TAG }}
           files: artifacts/**/*
+          generate_release_notes: true
+          prerelease: ${{ needs.meta.outputs.prerelease }}
+          draft: ${{ needs.meta.outputs.draft }}
+          make_latest: ${{ needs.meta.outputs.latest }}
+      - if: >-
+          needs.meta.outputs.publish == 'true' &&
+          needs.meta.outputs.prerelease == 'false' &&
+          needs.meta.outputs.draft == 'false' &&
+          needs.meta.outputs.latest == 'true'
+        name: Trigger sync-proxy in linkerd2
+        run: gh workflow run sync-proxy.yml -f version="$TAG"
+        env:
+          GH_REPO: ${{ vars.LINKERD2_REPO || 'linkerd/linkerd2' }}
+          GH_TOKEN: ${{ secrets.LINKERD2_GITHUB_TOKEN }}
+
+  release-ok:
+    needs: publish
+    if: always()
+    timeout-minutes: 3
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - name: Results
+        run: |
+          echo 'needs.publish.result: ${{ needs.publish.result }}'
+
+      - name: Verify jobs
+        # All jobs must succeed or be skipped.
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+        run: exit 1

.github/workflows/rust.yml

@@ -1,78 +0,0 @@
-name: Rust PR
-
-on:
-  pull_request: {}
-
-jobs:
-
-  ## Required builds
-
-  # Ensures we don't take unintended dependencies.
-  audit:
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-    - uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d
-      with:
-        command: check bans licenses sources
-
-  # Linting
-  clippy:
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    container:
-      image: docker://rust:1.55.0-buster
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - run: rustup component add clippy
-      - run: make lint
-
-  # Iterate through all (non-fuzzer) sub-crates to ensure each compiles independently.
-  check:
-    timeout-minutes: 20
-    runs-on: ubuntu-latest
-    container:
-      image: docker://rust:1.55.0-buster
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - run: for d in $(for toml in $(find . -mindepth 2 -name Cargo.toml -not -path '*/fuzz/*') ; do echo ${toml%/*} ; done | sort -r ) ; do echo "# $d" ; (cd $d ; cargo check --all-targets) ; done
-
-  # Enforce automated formatting.
-  fmt:
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    container:
-      image: docker://rust:1.55.0-buster
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - run: rustup component add rustfmt
-      - run: make check-fmt
-
-  # Run all tests.
-  test:
-    timeout-minutes: 15
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - run: make test
-
-  # Generate docs
-  docs:
-    timeout-minutes: 15
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
-      - run: cargo doc

.github/workflows/shellcheck.yml

@@ -0,0 +1,20 @@
+name: markdown
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/shellcheck.yml
+      - '**/*.sh'
+      - justfile
+
+jobs:
+  sh-lint:
+    timeout-minutes: 5
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - run: just sh-lint

.github/workflows/toolchain.yml

@@ -0,0 +1,66 @@
+name: rust-toolchain
+
+on:
+  pull_request:
+    paths:
+      - rust-toolchain
+      - "**Dockerfile"
+      - ".github/workflows/*"
+      - ".github/**/Dockerfile"
+
+permissions:
+  contents: read
+
+jobs:
+  devcontainer:
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
+      - run: |
+          VERSION_REGEX='channel = "([0-9]+\.[0-9]+\.[0-9]+)"'
+          TOOLCHAIN=$(cat rust-toolchain.toml)
+          if [[ $TOOLCHAIN =~ $VERSION_REGEX ]]; then
+            VERSION=${BASH_REMATCH[1]}
+            if [ "$(cargo --version | cut -d' ' -f2)" != "$VERSION" ]; then
+              echo "::error file=rust-toolchain.toml::rust-toolchain channel '$VERSION' does not match devcontainer '$(cargo --version)'"
+              exit 1
+            fi
+          else
+            echo "::error file=rust-toolchain.toml::failed to parse rust-toolchain.toml"
+            exit 1
+          fi
+        shell: bash
+
+
+  workflows:
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    steps:
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - shell: bash
+        run: |
+          VERSION_REGEX='channel = "([0-9]+\.[0-9]+\.[0-9]+)"'
+          TOOLCHAIN=$(cat rust-toolchain.toml)
+          if [[ $TOOLCHAIN =~ $VERSION_REGEX ]]; then
+            VERSION=${BASH_REMATCH[1]}
+          else
+            echo "::error file=rust-toolchain.toml::failed to parse rust-toolchain.toml"
+            exit 1
+          fi
+
+          ex=0
+          while IFS= read -r file ; do
+            while IFS= read -r image ; do
+              if [[ "$image" =~ ^docker://(docker.io/library/)?rust: ]]; then
+                tag="${image##*rust:}"
+                v="${tag%%-*}"
+                if [[ "$v" != "$VERSION" ]]; then
+                  echo "::warning file=$file::$file uses incorrect rust version: '$v' (rust-toolchain.toml contains '$VERSION')"
+                  ex=$((ex + 1))
+                fi
+              fi
+            done < <(yq '.jobs[] | select(.container) | .container.image // .container' "$file")
+          done < <(find .github/workflows -name '*.yml')
+          exit $ex

.gitignore

@@ -1,5 +1,8 @@
+.cargo
+**/.cargo
 target
 **/target
 **/corpus
 **/artifacts
 **/fuzz/Cargo.lock
+.vscode/settings.json

CONTRIBUTING.md

@@ -1,14 +1,14 @@
-# Contributing to linkerd2-proxy #
+# Contributing
 
 :balloon: Thanks for your help improving the project!
 
-## Getting Help ##
+## Getting Help
 
 If you have a question about Linkerd2 or have encountered problems using it,
-start by [asking a question in the forums][discourse] or join us in the
+start by [asking a question in the forums][discussions] or join us in the
 [#linkerd2 Slack channel][slack].
 
-## Certificate of Origin ##
+## Certificate of Origin
 
 By contributing to this project you agree to the Developer Certificate of
 Origin (DCO). This document was created by the Linux Kernel community and is a
@@ -17,7 +17,7 @@ contribution. See the [DCO](DCO) file for details.
 
 In practice, just add a line to every git commit message:
 
-```
+```text
 Signed-off-by: Jane Smith <jane.smith@example.com>
 ```
 
@@ -26,30 +26,32 @@ Use your real name (sorry, no pseudonyms or anonymous contributions).
 If you set your `user.name` and `user.email` git configs, you can sign your
 commit automatically with `git commit -s`.
 
-## Submitting a Pull Request ##
+## Submitting a Pull Request
 
 Do you have an improvement?
 
 1. Submit an [issue][issue] describing your proposed change.
 2. We will try to respond to your issue promptly.
-3. Fork this repo, develop and test your code changes. See the project's [README](README.md) for further information about working in this repository.
+3. Fork this repo, develop and test your code changes. See the project's
+   [README](README.md) for further information about working in this repository.
 4. Submit a pull request against this repo's `main` branch.
 5. Your branch may be merged once all configured checks pass, including:
     - The branch has passed tests in CI.
-    - A review from appropriate maintainers (see [MAINTAINERS.md](MAINTAINERS.md) and [GOVERNANCE.md](GOVERNANCE.md))
+    - A review from appropriate maintainers (see
+      [MAINTAINERS.md](MAINTAINERS.md) and [GOVERNANCE.md](GOVERNANCE.md))
 
-## Committing ##
+## Committing
 
 We prefer squash or rebase commits so that all changes from a branch are
 committed to `main` as a single commit. All pull requests are squashed when
 merged, but rebasing prior to merge gives you better control over the commit
 message.
 
-### Commit messages ###
+### Commit messages
 
 Finalized commit messages should be in the following format:
 
-```
+```text
 Subject
 
 Problem
@@ -61,7 +63,7 @@ Validation
 Fixes #[GitHub issue ID]
 ```
 
-#### Subject ####
+#### Subject
 
 - one line, <= 50 characters
 - describe what is done; not the result
@@ -70,36 +72,33 @@ Fixes #[GitHub issue ID]
 - do not end in a period — this is a title/subject
 - reference the GitHub issue by number
 
-##### Examples #####
+##### Examples
 
-```
+```text
 bad: server disconnects should cause dst client disconnects.
 good: Propagate disconnects from source to destination
 ```
 
-```
+```text
 bad: support tls servers
 good: Introduce support for server-side TLS (#347)
 ```
 
-#### Problem ####
+#### Problem
 
 Explain the context and why you're making that change.  What is the problem
 you're trying to solve? In some cases there is not a problem and this can be
 thought of as being the motivation for your change.
 
-#### Solution ####
+#### Solution
 
 Describe the modifications you've made.
 
-#### Validation ####
+#### Validation
 
 Describe the testing you've done to validate your change.  Performance-related
 changes should include before- and after- benchmark results.
 
-[discourse]: https://discourse.linkerd.io/c/conduit
-[governance]: GOVERNANCE.md
+[discussions]: https://github.com/linkerd/linkerd2/discussions/new
 [issue]: https://github.com/linkerd/linkerd2/issues/new
-[maintainers]: MAINTAINERS.md
-[members]: https://github.com/orgs/linkerd/people
 [slack]: http://slack.linkerd.io/

Cargo.toml

@@ -14,9 +14,8 @@ members = [
     "linkerd/app/outbound",
     "linkerd/app/test",
     "linkerd/app",
-    "linkerd/cache",
     "linkerd/conditional",
-    "linkerd/detect",
+    "linkerd/distribute",
     "linkerd/dns/name",
     "linkerd/dns",
     "linkerd/duplex",
@@ -24,52 +23,115 @@ members = [
     "linkerd/errno",
     "linkerd/error-respond",
     "linkerd/exp-backoff",
-    "linkerd/http-box",
-    "linkerd/http-classify",
-    "linkerd/http-metrics",
-    "linkerd/http-retry",
+    "linkerd/http/access-log",
+    "linkerd/http/box",
+    "linkerd/http/classify",
+    "linkerd/http/detect",
+    "linkerd/http/h2",
+    "linkerd/http/insert",
+    "linkerd/http/metrics",
+    "linkerd/http/override-authority",
+    "linkerd/http/prom",
+    "linkerd/http/retain",
+    "linkerd/http/retry",
+    "linkerd/http/route",
+    "linkerd/http/stream-timeouts",
+    "linkerd/http/upgrade",
+    "linkerd/http/variant",
     "linkerd/identity",
+    "linkerd/idle-cache",
     "linkerd/io",
+    "linkerd/meshtls",
+    "linkerd/meshtls/verifier",
     "linkerd/metrics",
+    "linkerd/mock/http-body",
+    "linkerd/opaq-route",
     "linkerd/opencensus",
+    "linkerd/opentelemetry",
+    "linkerd/pool",
+    "linkerd/pool/mock",
+    "linkerd/pool/p2c",
     "linkerd/proxy/api-resolve",
-    "linkerd/proxy/dns-resolve",
+    "linkerd/proxy/balance",
+    "linkerd/proxy/balance/gauge-endpoints",
+    "linkerd/proxy/balance/queue",
+    "linkerd/proxy/client-policy",
     "linkerd/proxy/core",
-    "linkerd/proxy/discover",
+    "linkerd/proxy/dns-resolve",
     "linkerd/proxy/http",
-    "linkerd/proxy/identity",
+    "linkerd/proxy/identity-client",
+    "linkerd/proxy/spire-client",
     "linkerd/proxy/resolve",
+    "linkerd/proxy/server-policy",
     "linkerd/proxy/tap",
     "linkerd/proxy/tcp",
     "linkerd/proxy/transport",
     "linkerd/reconnect",
     "linkerd/retry",
-    "linkerd/server-policy",
+    "linkerd/router",
+    "linkerd/rustls",
     "linkerd/service-profiles",
     "linkerd/signal",
     "linkerd/stack",
     "linkerd/stack/metrics",
     "linkerd/stack/tracing",
-    "linkerd/system",
+    "linkerd/tonic-stream",
     "linkerd/tonic-watch",
     "linkerd/tls",
+    "linkerd/tls/route",
+    "linkerd/tls/test-util",
     "linkerd/tracing",
     "linkerd/transport-header",
     "linkerd/transport-metrics",
+    "linkerd/workers",
     "linkerd2-proxy",
     "opencensus-proto",
+    "opentelemetry-proto",
+    "spiffe-proto",
+    "tools",
 ]
 
-# Debug symbols end up chewing up several GB of disk space, so better to just
-# disable them.
-[profile.dev]
-debug = false
-
-[profile.test]
-debug = false
-
 [profile.release]
+debug = 1
 lto = true
 
-[patch.crates-io]
-webpki = { git = "https://github.com/linkerd/webpki", branch = "cert-dns-names-0.21" }
+[workspace.package]
+version = "0.1.0"
+authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
+license = "Apache-2.0"
+edition = "2021"
+publish = false
+
+[workspace.dependencies]
+bytes = { version = "1" }
+drain = { version = "0.2", default-features = false }
+h2 = { version = "0.4" }
+http = { version = "1" }
+http-body = { version = "1" }
+hyper = { version = "1", default-features = false }
+prometheus-client = { version = "0.23" }
+prost = { version = "0.13" }
+prost-build = { version = "0.13", default-features = false }
+prost-types = { version = "0.13" }
+tokio-rustls = { version = "0.26", default-features = false, features = [
+    "logging",
+] }
+tonic = { version = "0.13", default-features = false }
+tonic-build = { version = "0.13", default-features = false }
+tower = { version = "0.5", default-features = false }
+tower-service = { version = "0.3" }
+tower-test = { version = "0.4" }
+tracing = { version = "0.1" }
+
+[workspace.dependencies.http-body-util]
+version = "0.1.3"
+default-features = false
+features = ["channel"]
+
+[workspace.dependencies.hyper-util]
+version = "0.1"
+default-features = false
+features = ["tokio", "tracing"]
+
+[workspace.dependencies.linkerd2-proxy-api]
+version = "0.17.0"

Dockerfile

@@ -1,68 +1,58 @@
-# syntax=docker/dockerfile:experimental
+# syntax=docker/dockerfile:1.4
 
-# Proxy build and runtime
-#
 # This is intended **DEVELOPMENT ONLY**, i.e. so that proxy developers can
 # easily test the proxy in the context of the larger `linkerd2` project.
-#
-# This Dockerfile requires expirmental features to be enabled in both the
-# Docker client and daemon. You MUST use buildkit to build this image. The
-# simplest way to do this is to set the `DOCKER_BUILDKIT` environment variable:
-#
-#     :; DOCKER_BUILDKIT=1 docker build .
-#
-# Alternatively, you can use `buildx`, which supports more complicated build
-# configurations:
-#
-#     :; docker buildx build . --load
 
-# Please make changes via update-rust-version.sh
-ARG RUST_IMAGE=rust:1.55.0-buster
+ARG RUST_IMAGE=ghcr.io/linkerd/dev:v47-rust
 
 # Use an arbitrary ~recent edge release image to get the proxy
 # identity-initializing and linkerd-await wrappers.
-ARG RUNTIME_IMAGE=ghcr.io/linkerd/proxy:edge-21.4.5
+ARG LINKERD2_IMAGE=ghcr.io/linkerd/proxy:edge-23.11.2
 
-# Build the proxy, leveraging (new, experimental) cache mounting.
-#
-# See: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md#run---mounttypecache
-FROM $RUST_IMAGE as build
+FROM $LINKERD2_IMAGE as linkerd2
 
-# When set, causes the proxy to be compiled in development mode.
-ARG PROXY_UNOPTIMIZED
+FROM --platform=$BUILDPLATFORM $RUST_IMAGE as fetch
 
-# Controls what features are enabled in the proxy.
-ARG PROXY_FEATURES
+ARG PROXY_FEATURES=""
+ARG TARGETARCH="amd64"
+RUN apt-get update && \
+    apt-get install -y time && \
+    if [[ "$PROXY_FEATURES" =~ .*meshtls-boring.* ]] ; then \
+      apt-get install -y golang ; \
+    fi && \
+    case "$TARGETARCH" in \
+        amd64) true ;; \
+        arm64) apt-get install --no-install-recommends -y binutils-aarch64-linux-gnu ;; \
+    esac && \
+    rm -rf /var/lib/apt/lists/*
 
-RUN --mount=type=cache,target=/var/lib/apt/lists \
-  --mount=type=cache,target=/var/tmp \
-  apt update && apt install -y time cmake
+ENV CARGO_NET_RETRY=10
+ENV RUSTUP_MAX_RETRIES=10
 
-WORKDIR /usr/src/linkerd2-proxy
+WORKDIR /src
 COPY . .
-RUN --mount=type=cache,target=target \
-  --mount=type=cache,from=rust:1.55.0-buster,source=/usr/local/cargo,target=/usr/local/cargo \
-  mkdir -p /out && \
-  if [ -n "$PROXY_UNOPTIMIZED" ]; then \
-  (cd linkerd2-proxy && /usr/bin/time -v cargo build --locked --features="$PROXY_FEATURES") && \
-  mv target/debug/linkerd2-proxy /out/linkerd2-proxy ; \
-  else \
-  (cd linkerd2-proxy && /usr/bin/time -v cargo build --locked --release --features="$PROXY_FEATURES") && \
-  mv target/release/linkerd2-proxy /out/linkerd2-proxy ; \
-  fi
+RUN --mount=type=cache,id=cargo,target=/usr/local/cargo/registry \
+    just fetch
 
-## Install the proxy binary into the base runtime image.
-FROM $RUNTIME_IMAGE as runtime
-
-# When set, causes the proxy to remove the identity wrapper responsible for
-# CSR and key generation.
-ARG SKIP_IDENTITY_WRAPPER
+# Build the proxy.
+FROM fetch as build
+ENV CARGO_INCREMENTAL=0
+ENV RUSTFLAGS="-D warnings -A deprecated --cfg tokio_unstable"
+ARG PROFILE="release"
+ARG LINKERD2_PROXY_VERSION=""
+ARG LINKERD2_PROXY_VENDOR=""
+SHELL ["/bin/bash", "-c"]
+RUN --mount=type=cache,id=cargo,target=/usr/local/cargo/registry \
+    if [[ "$PROXY_FEATURES" =~ .*pprof.* ]] ; then cmd=build-debug ; else cmd=build ; fi ; \
+    /usr/bin/time -v just arch="$TARGETARCH" features="$PROXY_FEATURES" profile="$PROFILE" "$cmd" && \
+    ( mkdir -p /out ; \
+        mv $(just --evaluate profile="$PROFILE" _target_bin) /out/ ; \
+        du -sh /out/* )
 
+# Install the proxy binary into a base image that we can at least get a shell
+# for debugging.
+FROM docker.io/library/debian:bookworm-slim as runtime
 WORKDIR /linkerd
-COPY --from=build /out/linkerd2-proxy /usr/lib/linkerd/linkerd2-proxy
-ENV LINKERD2_PROXY_LOG=warn,linkerd=info
-RUN if [ -n "$SKIP_IDENTITY_WRAPPER" ] ; then \
-  rm -f /usr/bin/linkerd2-proxy-run && \
-  ln /usr/lib/linkerd/linkerd2-proxy /usr/bin/linkerd2-proxy-run ; \
-  fi
-# Inherits the ENTRYPOINT from the runtime image.
+COPY --from=linkerd2 /usr/lib/linkerd/* /usr/lib/linkerd/
+COPY --from=build /out/* /usr/lib/linkerd/
+ENTRYPOINT ["/usr/lib/linkerd/linkerd2-proxy-identity"]

GOVERNANCE.md

@@ -1 +1,3 @@
-See https://github.com/linkerd/linkerd2/blob/main/GOVERNANCE.md
+# Governance
+
+See <https://github.com/linkerd/linkerd2/blob/main/GOVERNANCE.md>.

MAINTAINERS.md

@@ -1 +1,3 @@
-See https://github.com/linkerd/linkerd2/blob/main/MAINTAINERS.md
+# Maintainers
+
+See <https://github.com/linkerd/linkerd2/blob/main/MAINTAINERS.md>.

Makefile

@@ -1,128 +0,0 @@
-CARGO_TARGET ?= $(shell rustup show |sed -n 's/^Default host: \(.*\)/\1/p')
-TARGET = target/$(CARGO_TARGET)/debug
-ifdef CARGO_RELEASE
-	RELEASE = --release
-	TARGET = target/$(CARGO_TARGET)/release
-endif
-
-ifndef PACKAGE_VERSION
-	PACKAGE_VERSION = $(shell git rev-parse --short HEAD)
-endif
-
-ARCH ?= amd64
-STRIP ?= strip
-PROFILING = profiling
-TARGET_BIN = $(TARGET)/linkerd2-proxy
-PKG_ROOT = $(TARGET)/package
-PKG_NAME = linkerd2-proxy-$(PACKAGE_VERSION)-$(ARCH)
-PKG_BASE = $(PKG_ROOT)/$(PKG_NAME)
-PKG_CHECKSEC = $(PKG_BASE)-checksec.json
-PKG = $(PKG_NAME).tar.gz
-
-SHASUM = shasum -a 256
-
-CARGO ?= cargo
-CARGO_BUILD = $(CARGO) build --frozen $(RELEASE) --target $(CARGO_TARGET)
-CARGO_TEST = $(CARGO) test --frozen $(RELEASE) --target $(CARGO_TARGET)
-CARGO_FMT = $(CARGO) fmt --all
-CARGO_CLIPPY = $(CARGO) clippy
-
-DOCKER = docker
-DOCKER_BUILD = docker build
-ifdef DOCKER_TAG
-	DOCKER_BUILD = docker build -t $(DOCKER_TAG)
-endif
-ifdef DOCKER_UNOPTIMIZED
-	DOCKER_BUILD += --build-arg="PROXY_UNOPTIMIZED=$(DOCKER_UNOPTIMIZED)"
-endif
-
-RUSTCFLAGS ?=
-ifdef CARGO_DEBUG
-	RUSTCFLAGS += -C debuginfo=2
-endif
-
-SHELLCHECK ?= shellcheck
-SHELLCHECK_CMD = $(SHELLCHECK) -x -P "$(CURDIR)/profiling"
-
-$(TARGET_BIN): fetch
-	$(CARGO_BUILD) -p linkerd2-proxy
-
-$(PKG_ROOT)/$(PKG) $(PKG_CHECKSEC): $(TARGET_BIN)
-	mkdir -p $(PKG_BASE)/bin
-	cp LICENSE $(PKG_BASE)
-	cp $(TARGET_BIN) $(PKG_BASE)/bin/linkerd2-proxy
-	$(STRIP) $(PKG_BASE)/bin/linkerd2-proxy
-ifdef CARGO_DEBUG
-	if which objcopy >/dev/null ; then \
-		objcopy $(TARGET_BIN) $(PKG_BASE)/linkerd2-proxy.obj ; \
-		chmod 644 $(PKG_BASE)/linkerd2-proxy.obj ; \
-	fi
-endif
-	./checksec.sh $(PKG_BASE)/bin/linkerd2-proxy >$(PKG_CHECKSEC) || true
-	cd $(PKG_ROOT) && \
-		tar -czvf $(PKG) $(PKG_NAME) && \
-		($(SHASUM) $(PKG) >$(PKG_NAME).txt)
-	rm -rf $(PKG_BASE)
-
-
-.PHONY: fetch
-fetch: Cargo.lock
-	$(CARGO) fetch --locked
-
-.PHONY: check
-check: fetch
-	$(CARGO) check
-
-.PHONY: build
-build: $(TARGET_BIN)
-
-.PHONY: clean
-clean:
-	$(CARGO) clean --target-dir $(TARGET)
-
-.PHONY: check-fmt
-check-fmt:
-	$(CARGO_FMT) -- --check
-
-.PHONY: fmt
-fmt:
-	$(CARGO_FMT)
-
-.PHONY: lint
-lint:
-	$(CARGO_CLIPPY) --all-targets
-
-
-.PHONY: shellcheck
-shellcheck:
-	$(SHELLCHECK_CMD) $$(find "$(CURDIR)" -type f \
-		! -path "$(CURDIR)"/.git/hooks/\*.sample \
-		| while read -r f; do [ "$$(file -b --mime-type "$$f")" = 'text/x-shellscript' ] && printf '%s\0' "$$f"; done | xargs -0)
-
-.PHONY: test
-test: fetch
-	$(CARGO_TEST)
-
-.PHONY: test-flakey
-test-flakey: fetch
-	$(CARGO_TEST) --features linkerd-app-integration/flaky_tests
-
-.PHONY: package
-package: $(PKG_ROOT)/$(PKG)
-
-.PHONY: clean-package
-clean-package:
-	rm -rf $(PKG_ROOT)
-
-.PHONY: clean-profile
-clean-profile:
-	rm -rf target/release/profile*
-	rm -rf target/profile/*
-
-.PHONY: docker
-docker: Dockerfile Cargo.lock
-	DOCKER_BUILDKIT=1 $(DOCKER_BUILD) .
-
-.PHONY: all
-all: build test
-

README.md

@@ -1,7 +1,8 @@
+# The Linkerd Proxy
+
 ![linkerd2][logo]
 
-<!-- TODO [![Build Status][ci-badge]][ci] -->
-[![GitHub license][license-badge]](LICENSE)
+[![GitHub license](https://img.shields.io/github/license/linkerd/linkerd2-proxy.svg)](LICENSE)
 [![Slack Status][slack-badge]][slack]
 
 This repo contains the transparent proxy component of [Linkerd2][linkerd2].
@@ -16,7 +17,7 @@ This proxy's features include:
 * Transparent, zero-config WebSocket proxying;
 * Automatic, latency-aware, layer-7 [load balancing][loadbalancing];
 * Automatic layer-4 load balancing for non-HTTP traffic;
-* Automatic TLS (experimental);
+* Automatic Mutual TLS;
 * An on-demand diagnostic `tap` API.
 
 This proxy is primarily intended to run on Linux in containerized
@@ -29,28 +30,33 @@ The proxy supports service discovery via DNS and the [linkerd2
 The Linkerd project is hosted by the Cloud Native Computing Foundation
 ([CNCF][cncf]).
 
-
 ## Building the project
 
-A `Makefile` is provided to automate most build tasks. It provides the
-following targets:
+We use [`just-cargo`][just-cargo] which provide a thin wrapper around `just` and
+`cargo`.
 
-* `make build` -- Compiles the proxy on your local system using `cargo`
-* `make clean` -- Cleans the build target on the local system using `cargo clean`
-* `make test` -- Runs unit and integration tests on your local system using `cargo`
-* `make test-flakey` -- Runs _all_ tests, including those that may fail spuriously
-* `make package` -- Builds a tarball at
-  `target/release/linkerd2-proxy-${PACKAGE_VERSION}.tar.gz`. If
-  `PACKAGE_VERSION` is not set in the environment, the local git SHA is used.
-* `make docker` -- Builds a Docker container image that can be used for testing.
-   If the `DOCKER_TAG` environment variable is set, the image is given this
-   name. Otherwise, the image is not named.
+We recommend that you use the included [`Dev Container`][devc] to avoid setting
+up the complex development environment by hand.
+
+### Just
+
+A [`justfile`](./justfile) is provided to automate most build tasks. It provides
+the following recipes:
+
+* `just build` -- Compiles the proxy on your local system using `cargo`
+* `just test` -- Runs unit and integration tests on your local system using `cargo`
+* `just docker` -- Builds a Docker container image that can be used for testing.
 
 ### Cargo
 
 Usually, [Cargo][cargo], Rust's package manager, is used to build and test this
 project. If you don't have Cargo installed, we suggest getting it via
-https://rustup.rs/.
+<https://rustup.rs/>.
+
+### Devcontainer
+
+A Devcontainer is provided for use with Visual Studio Code. It includes all of
+the tooling needed to build and test the proxy.
 
 ### Repository Structure
 
@@ -60,7 +66,9 @@ targets are especially important:
 
 * [`linkerd2-proxy`] contains the proxy executable;
 * [`linkerd2-app-integration`] contains the proxy's integration tests;
-* [`linkerd2-app`] bundles the [`linkerd2-app-inbound`] and [`linkerd2-app-outbound`] crates so that they may be run by the executable or integration tests.
+* [`linkerd2-app`] bundles the [`linkerd2-app-inbound`] and
+  [`linkerd2-app-outbound`] crates so that they may be run by the executable or
+  integration tests.
 
 [`linkerd2-proxy`]: linkerd2-proxy
 [`linkerd2-app`]: linkerd/app
@@ -73,13 +81,14 @@ targets are especially important:
 This project is for everyone. We ask that our users and contributors take a few
 minutes to review our [code of conduct][coc].
 
-
 ## Security
 
 We test our code by way of fuzzing and this is described in [FUZZING.md](/docs/FUZZING.md).
 
-A third party security audit focused on fuzzing Linkerd2-proxy was performed by Ada Logics in 2021. The full report is available [here](docs/linkerd2-proxy-fuzzing-report.pdf).
-
+A third party security audit focused on fuzzing Linkerd2-proxy was performed by
+Ada Logics in 2021. The
+[full report](/docs/reports/linkerd2-proxy-fuzzing-report.pdf) can be found in
+the `docs/reports/` directory.
 
 ## License
 
@@ -96,22 +105,19 @@ under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
 CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 
-
 <!-- refs -->
 [cargo]: https://github.com/rust-lang/cargo/
-[ci]: https://travis-ci.org/linkerd/linkerd2-proxy
-<!-- TODO [ci-badge]: https://travis-ci.org/linkerd/linkerd2-proxy.svg?branch=master -->
 [cncf]: https://cncf.io/
 [coc]: https://github.com/linkerd/linkerd/wiki/Linkerd-code-of-conduct
+[devc]: https://containers.dev/
+[just-cargo]: https://github.com/linkerd/dev/tree/main/bin/just-cargo
 [k8s]: https://kubernetes.io/
-[license-badge]: https://img.shields.io/github/license/linkerd/linkerd2.svg
-[linkerd1]: https://github.com/linkerd/linkerd
-[linkerd2]: https://github.com/linkerd/linkerd2
-[linkerd2-proxy-api]: https://github.com/linkerd/linkerd2-proxy-api
-[loadbalancing]: https://linkerd.io/features/load-balancing/
-[logo]: https://user-images.githubusercontent.com/9226/33582867-3e646e02-d90c-11e7-85a2-2e238737e859.png
-[prom]: https://prometheus.io/
-[rust]: https://www.rust-lang.org/
-[slack-badge]: https://slack.linkerd.io/badge.svg
-[slack]: https://slack.linkerd.io
-[twitter]: https://twitter.com/linkerd/
+[linkerd1]: <https://github.com/linkerd/linkerd>
+[linkerd2]: <https://github.com/linkerd/linkerd2>
+[linkerd2-proxy-api]: <https://github.com/linkerd/linkerd2-proxy-api>
+[loadbalancing]: <https://linkerd.io/2.11/features/load-balancing/>
+[logo]: <https://user-images.githubusercontent.com/9226/33582867-3e646e02-d90c-11e7-85a2-2e238737e859.png>
+[prom]: <https://prometheus.io/>
+[rust]: <https://www.rust-lang.org/>
+[slack-badge]: <https://slack.linkerd.io/badge.svg>
+[slack]: <https://slack.linkerd.io>

checksec.sh

@@ -1,28 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-require_from() {
-    if ! command -v "$1" >/dev/null 2>/dev/null ; then
-        echo "Please acquire $1 from $2" >&2
-        exit 1
-    fi
-}
-
-require_from readelf     binutils
-require_from checksec    https://github.com/slimm609/checksec.sh
-require_from jq          https://stedolan.github.io/jq/
-
-if [ $# -ne 1 ]; then
-    echo "usage: $0 EXECUTABLE" >&2
-    exit 64
-fi
-
-path="$1"
-if [ ! -x "$path" ]; then
-    echo "Executable not found: $path" >&2
-    exit 1
-fi
-
-out=$(checksec --output=json --file="$path")
-echo "$out" | jq ".[\"$path\"] | del(.\"fortify-able\") | del(.fortified)" 

deny.toml

@@ -1,42 +1,36 @@
+[graph]
 targets = [
     { triple = "x86_64-unknown-linux-gnu" },
     { triple = "aarch64-unknown-linux-gnu" },
-    { triple = "armv7-unknown-linux-gnu" },
 ]
 
 [advisories]
 db-path = "~/.cargo/advisory-db"
 db-urls = ["https://github.com/rustsec/advisory-db"]
-vulnerability = "deny"
-unmaintained = "warn"
-yanked = "deny"
-notice = "warn"
 ignore = []
 
 [licenses]
-unlicensed = "deny"
 allow = [
     "Apache-2.0",
+    "BSD-2-Clause",
     "BSD-3-Clause",
     "ISC",
     "MIT",
+    "Unicode-3.0",
+    "Zlib",
 ]
-deny = []
-copyleft = "deny"
-allow-osi-fsf-free = "neither"
-default = "deny"
+# Ignore local workspace license values for unpublished crates.
+private = { ignore = true }
 confidence-threshold = 0.8
 exceptions = [
-    { allow = ["Zlib"], name = "adler32", version = "*" },
-    { allow = ["ISC", "MIT", "OpenSSL"], name = "ring", version = "*" },
-]
-
-[[licenses.clarify]]
-name = "ring"
-version = "*"
-expression = "MIT AND ISC AND OpenSSL"
-license-files = [
-    { path = "LICENSE", hash = 0xbd0eed23 }
+    { allow = [
+        "ISC",
+        "OpenSSL",
+    ], name = "aws-lc-sys", version = "*" },
+    { allow = [
+        "ISC",
+        "OpenSSL",
+    ], name = "aws-lc-fips-sys", version = "*" },
 ]
 
 [bans]
@@ -45,17 +39,38 @@ multiple-versions = "deny"
 wildcards = "allow"
 highlight = "all"
 deny = [
-    { name = "rustls", wrappers = ["tokio-rustls"] }
+    { name = "rustls", wrappers = ["tokio-rustls"] },
+    # rustls-webpki should be used instead.
+    { name = "webpki" },
+    # aws-lc-rs should be used instead.
+    { name = "ring" }
+]
+skip = [
+    # `linkerd-trace-context`, `rustls-pemfile` and `tonic` depend on `base64`
+    # v0.13.1 while `rcgen` depends on v0.21.5
+    { name = "base64" },
+    # tonic/axum depend on a newer `tower`, which we are still catching up to.
+    # see #3744.
+    { name = "tower", version = "0.5" },
+]
+skip-tree = [
+    # thiserror v2 is still propagating through the ecosystem
+    { name = "thiserror", version = "1" },
+    # rand v0.9 is still propagating through the ecosystem
+    { name = "rand", version = "0.8" },
+    # rust v1.0 is still propagating through the ecosystem
+    { name = "rustix", version = "0.38" },
+    # `pprof` uses a number of old dependencies. for now, we skip its subtree.
+    { name = "pprof" },
+    # aws-lc-rs uses a slightly outdated version of bindgen
+    { name = "bindgen", version = "0.69.5" },
+    # socket v0.6 is still propagating through the ecosystem
+    { name = "socket2", version = "0.5" },
 ]
-skip = []
-skip-tree = []
 
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
-allow-registry = ["https://github.com/rust-lang/crates.io-index"]
-
-[sources.allow-org]
-github = [
-    "linkerd",
+allow-registry = [
+    "https://github.com/rust-lang/crates.io-index",
 ]

docs/FUZZING.md

@@ -1,21 +1,35 @@
-# Linkerd2-proxy fuzz testing
+# Linkerd Proxy Fuzz Testing
 
-The proxy is tested via fuzzing by way of [OSS-Fuzz](https://github.com/google/oss-fuzz) and we rely on [cargo-fuzz](https://github.com/rust-fuzz/cargo-fuzz) as our underlying fuzzing engine. 
+The proxy is tested via fuzzing by way of
+[OSS-Fuzz](https://github.com/google/oss-fuzz) and we rely on
+[cargo-fuzz](https://github.com/rust-fuzz/cargo-fuzz) as our underlying fuzzing
+engine.
 
 ## Fuzz tests
 
 ### Folder structure
 
-We place the fuzz tests into folders within the individual crates that the fuzz tests target. For example, we have a fuzz test that that target the crate `/linkerd/addr` and the code in `/linkerd/addr/src` and thus the fuzz test that targets this crate is put in `/linkerd/addr/fuzz`. The folder set up we use for each of the fuzz tests is automatically generated by `cargo fuzz init` (described [here](https://github.com/rust-fuzz/cargo-fuzz#cargo-fuzz-init)).
+We place the fuzz tests into folders within the individual crates that the fuzz
+tests target. For example, we have a fuzz test that that target the crate
+`/linkerd/addr` and the code in `/linkerd/addr/src` and thus the fuzz test that
+targets this crate is put in `/linkerd/addr/fuzz`.
 
+The folder structure for each of the fuzz tests is automatically generated by
+`cargo fuzz init`. See cargo fuzz's
+[`README.md`](https://github.com/rust-fuzz/cargo-fuzz#cargo-fuzz-init) for more
+information.
 
 ### Fuzz targets
 
-The general idea behind the fuzz tests is to follow the testing set up of the rest of the proxy. As such, we both have fuzz tests that resemble small unit-test-like code pieces, as well as fuzz tests that resemble larger integration-test-like code pieces. 
+The general idea behind the fuzz tests is to follow the testing set up of the
+rest of the proxy. As such, we both have fuzz tests that resemble small
+unit-test-like code pieces, as well as fuzz tests that resemble larger
+integration-test-like code pieces.
 
 #### Unit-test-like fuzzers
 
-The code in `/linkerd/addr/fuzz/fuzz_targets/fuzz_target_1.rs` is an example of a unit-test-like fuzzer:
+The code in `/linkerd/addr/fuzz/fuzz_targets/fuzz_target_1.rs` is an example of
+a unit-test-like fuzzer:
 
 ```rust
 #![no_main]
@@ -32,7 +46,11 @@ fuzz_target!(|data: &[u8]| {
     }
 });
 ```
-`fuzz_target` is the entrypoint of the fuzzer and is what the underlying fuzzing engine cargo-fuzz will call with pseudo-random data in the `data` argument. The fuzzer further calls into code in the `linkerd2_addr` module, which is defined as follows:
+
+`fuzz_target` is the entrypoint of the fuzzer and is what the underlying fuzzing
+engine cargo-fuzz will call with pseudo-random data in the `data` argument. The
+fuzzer further calls into code in the `linkerd2_addr` module, which is defined
+as follows:
 
 ```rust
 #[cfg(fuzzing)]
@@ -55,13 +73,15 @@ pub mod fuzz_logic {
 }
 ```
 
-We use this indirection of having fuzzing-related code in the modules themselves to align with the scoping of the proxy code. 
+We use this indirection of having fuzzing-related code in the modules themselves
+to align with the scoping of the proxy code.
 
-We wrap our fuzzing code in `[#cfg(fuzzing)]` to avoid shipping the fuzzing code when build the release binaries.
+We wrap our fuzzing code in `[#cfg(fuzzing)]` to avoid shipping the fuzzing code
+when build the release binaries.
 
 We compile and run the above fuzzer with the following commands:
 
-```
+```shell
 # Build the fuzzer
 cd linkerd/addr
 cargo +nightly fuzz build
@@ -74,6 +94,10 @@ This is also the sequence of commands to use for running the fuzzers locally.
 
 #### Integration-test-like fuzzers
 
-The larger fuzzers we keep follow a similar structural set up as to the unit-test-like fuzzers, but are essentially just more substantial in nature. The idea behind these fuzzers is to test end-to-end concepts more so than individual components of the proxy. 
+The larger fuzzers we keep follow a similar structural set up as to the
+unit-test-like fuzzers, but are essentially just more substantial in nature. The
+idea behind these fuzzers is to test end-to-end concepts more so than individual
+components of the proxy.
 
-The inbound fuzzer [here](/linkerd/app/inbound/fuzz/fuzz_targets/fuzz_target_1.rs) is an example of this.
+The [inbound fuzzer](/linkerd/app/inbound/fuzz/fuzz_targets/fuzz_target_1.rs)
+is an example of this.

hyper-balance/Cargo.toml

@@ -1,17 +1,18 @@
 [package]
 name = "hyper-balance"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2018"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
-http = "0.2"
-hyper = "0.14"
+http = { workspace = true }
+http-body = { workspace = true }
+hyper = { workspace = true }
 pin-project = "1"
-tower = { version = "0.4.8", default-features = false, features = ["load"] }
+tower = { workspace = true, default-features = false, features = ["load"] }
 tokio = { version = "1", features = ["macros"] }
 
 [dev-dependencies]

hyper-balance/src/lib.rs

@@ -1,7 +1,7 @@
-#![deny(warnings, rust_2018_idioms)]
+#![deny(rust_2018_idioms, clippy::disallowed_methods, clippy::disallowed_types)]
 #![forbid(unsafe_code)]
 
-use hyper::body::HttpBody;
+use http_body::Body;
 use pin_project::pin_project;
 use std::pin::Pin;
 use std::task::{Context, Poll};
@@ -34,11 +34,11 @@ pub struct PendingUntilEosBody<T, B> {
     body: B,
 }
 
-// ==== PendingUntilFirstData ====
+// === PendingUntilFirstData ===
 
 impl<T, B> TrackCompletion<T, http::Response<B>> for PendingUntilFirstData
 where
-    B: HttpBody,
+    B: Body,
 {
     type Output = http::Response<PendingUntilFirstDataBody<T, B>>;
 
@@ -55,11 +55,11 @@ where
     }
 }
 
-// ==== PendingUntilEos ====
+// === PendingUntilEos ===
 
 impl<T, B> TrackCompletion<T, http::Response<B>> for PendingUntilEos
 where
-    B: HttpBody,
+    B: Body,
 {
     type Output = http::Response<PendingUntilEosBody<T, B>>;
 
@@ -76,11 +76,11 @@ where
     }
 }
 
-// ==== PendingUntilFirstDataBody ====
+// === PendingUntilFirstDataBody ===
 
 impl<T, B> Default for PendingUntilFirstDataBody<T, B>
 where
-    B: HttpBody + Default,
+    B: Body + Default,
 {
     fn default() -> Self {
         Self {
@@ -90,9 +90,9 @@ where
     }
 }
 
-impl<T, B> HttpBody for PendingUntilFirstDataBody<T, B>
+impl<T, B> Body for PendingUntilFirstDataBody<T, B>
 where
-    B: HttpBody,
+    B: Body,
     T: Send + 'static,
 {
     type Data = B::Data;
@@ -102,38 +102,31 @@ where
         self.body.is_end_stream()
     }
 
-    fn poll_data(
+    fn poll_frame(
         self: Pin<&mut Self>,
         cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
+    ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
         let this = self.project();
-        let ret = futures::ready!(this.body.poll_data(cx));
+        let ret = futures::ready!(this.body.poll_frame(cx));
 
-        // Once a data frame is received, the handle is dropped. On subsequent calls, this
+        // Once a frame is received, the handle is dropped. On subsequent calls, this
         // is a noop.
         drop(this.handle.take());
 
         Poll::Ready(ret)
     }
 
-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        let this = self.project();
-        // If this is being called, the handle definitely should have been dropped
-        // already.
-        drop(this.handle.take());
-
-        this.body.poll_trailers(cx)
+    #[inline]
+    fn size_hint(&self) -> hyper::body::SizeHint {
+        self.body.size_hint()
     }
 }
 
-// ==== PendingUntilEosBody ====
+// === PendingUntilEosBody ===
 
 impl<T, B> Default for PendingUntilEosBody<T, B>
 where
-    B: HttpBody + Default,
+    B: Body + Default,
 {
     fn default() -> Self {
         Self {
@@ -143,43 +136,35 @@ where
     }
 }
 
-impl<T: Send + 'static, B: HttpBody> HttpBody for PendingUntilEosBody<T, B> {
+impl<T: Send + 'static, B: Body> Body for PendingUntilEosBody<T, B> {
     type Data = B::Data;
     type Error = B::Error;
 
+    #[inline]
     fn is_end_stream(&self) -> bool {
         self.body.is_end_stream()
     }
 
-    fn poll_data(
+    fn poll_frame(
         self: Pin<&mut Self>,
         cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
+    ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
         let mut this = self.project();
         let body = &mut this.body;
         tokio::pin!(body);
-        let ret = futures::ready!(body.poll_data(cx));
+        let frame = futures::ready!(body.poll_frame(cx));
 
         // If this was the last frame, then drop the handle immediately.
         if this.body.is_end_stream() {
             drop(this.handle.take());
         }
 
-        Poll::Ready(ret)
+        Poll::Ready(frame)
     }
 
-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        let this = self.project();
-        let ret = futures::ready!(this.body.poll_trailers(cx));
-
-        // Once trailers are received, the handle is dropped immediately (in case the body
-        // is retained longer for some reason).
-        drop(this.handle.take());
-
-        Poll::Ready(ret)
+    #[inline]
+    fn size_hint(&self) -> hyper::body::SizeHint {
+        self.body.size_hint()
     }
 }
 
@@ -187,7 +172,7 @@ impl<T: Send + 'static, B: HttpBody> HttpBody for PendingUntilEosBody<T, B> {
 mod tests {
     use super::{PendingUntilEos, PendingUntilFirstData};
     use futures::future::poll_fn;
-    use hyper::body::HttpBody;
+    use http_body::{Body, Frame};
     use std::collections::VecDeque;
     use std::io::Cursor;
     use std::pin::Pin;
@@ -214,11 +199,13 @@ mod tests {
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok")
+        .into_data()
+        .expect("frame is data");
         assert!(wk.upgrade().is_none());
     }
 
@@ -271,10 +258,10 @@ mod tests {
         let res = assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll());
-        assert!(res.expect("data is some").is_err());
+        assert!(res.expect("frame is some").is_err());
         assert!(wk.upgrade().is_none());
     }
 
@@ -297,21 +284,21 @@ mod tests {
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
         assert!(wk.upgrade().is_some());
 
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
         assert!(wk.upgrade().is_none());
     }
 
@@ -344,40 +331,42 @@ mod tests {
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
         assert!(wk.upgrade().is_some());
 
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
         assert!(wk.upgrade().is_some());
 
+        assert_ready!(task::spawn(poll_fn(|cx| {
+            let body = &mut body;
+            tokio::pin!(body);
+            body.poll_frame(cx)
+        }))
+        .poll())
+        .expect("frame is some")
+        .expect("frame is ok")
+        .into_trailers()
+        .expect("is trailers");
+        assert!(wk.upgrade().is_none());
+
         let poll = assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll());
         assert!(poll.is_none());
-        assert!(wk.upgrade().is_some());
-
-        assert_ready!(task::spawn(poll_fn(|cx| {
-            let body = &mut body;
-            tokio::pin!(body);
-            body.poll_trailers(cx)
-        }))
-        .poll())
-        .expect("trailers ok")
-        .expect("trailers");
         assert!(wk.upgrade().is_none());
     }
 
@@ -400,14 +389,14 @@ mod tests {
         let poll = assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll());
         assert!(poll.expect("some").is_err());
         assert!(wk.upgrade().is_none());
     }
 
-    struct Handle(Arc<()>);
+    struct Handle(#[allow(dead_code)] Arc<()>);
     impl Handle {
         fn new() -> (Self, Weak<()>) {
             let strong = Arc::new(());
@@ -418,7 +407,7 @@ mod tests {
 
     #[derive(Default)]
     struct TestBody(VecDeque<&'static str>, Option<http::HeaderMap>);
-    impl HttpBody for TestBody {
+    impl Body for TestBody {
         type Data = Cursor<&'static str>;
         type Error = &'static str;
 
@@ -426,26 +415,27 @@ mod tests {
             self.0.is_empty() & self.1.is_none()
         }
 
-        fn poll_data(
+        fn poll_frame(
             mut self: Pin<&mut Self>,
             _: &mut Context<'_>,
-        ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
-            Poll::Ready(self.as_mut().0.pop_front().map(Cursor::new).map(Ok))
-        }
-
-        fn poll_trailers(
-            mut self: Pin<&mut Self>,
-            _: &mut Context<'_>,
-        ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
+        ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
             let mut this = self.as_mut();
-            assert!(this.0.is_empty());
-            Poll::Ready(Ok(this.1.take()))
+
+            // Return the next data frame from the sequence of chunks.
+            if let Some(chunk) = this.0.pop_front() {
+                let frame = Some(Ok(Frame::data(Cursor::new(chunk))));
+                return Poll::Ready(frame);
+            }
+
+            // Yield the trailers once all data frames have been yielded.
+            let trailers = this.1.take().map(Frame::<Self::Data>::trailers).map(Ok);
+            Poll::Ready(trailers)
         }
     }
 
     #[derive(Default)]
     struct ErrBody(Option<&'static str>);
-    impl HttpBody for ErrBody {
+    impl Body for ErrBody {
         type Data = Cursor<&'static str>;
         type Error = &'static str;
 
@@ -453,18 +443,13 @@ mod tests {
             self.0.is_none()
         }
 
-        fn poll_data(
+        fn poll_frame(
             mut self: Pin<&mut Self>,
             _: &mut Context<'_>,
-        ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
-            Poll::Ready(Some(Err(self.as_mut().0.take().expect("err"))))
-        }
+        ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
+            let err = self.as_mut().0.take().expect("err");
 
-        fn poll_trailers(
-            mut self: Pin<&mut Self>,
-            _: &mut Context<'_>,
-        ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-            Poll::Ready(Err(self.as_mut().0.take().expect("err")))
+            Poll::Ready(Some(Err(err)))
         }
     }
 }

justfile

@@ -0,0 +1,341 @@
+# See https://just.systems/man/en
+
+#
+# Configuration
+#
+
+export RUST_BACKTRACE := env_var_or_default("RUST_BACKTRACE", "short")
+
+# Use the dev environment's version of protoc.
+export PROTOC_NO_VENDOR := "1"
+
+# By default we compile in development mode mode because it's faster.
+profile := if env_var_or_default("RELEASE", "") == "" { "debug" } else { "release" }
+toolchain := ""
+
+features := ""
+
+export LINKERD2_PROXY_VERSION := env_var_or_default("LINKERD2_PROXY_VERSION", "0.0.0-dev" + `git rev-parse --short HEAD`)
+export LINKERD2_PROXY_VENDOR := env_var_or_default("LINKERD2_PROXY_VENDOR", `whoami` + "@" + `hostname`)
+
+# TODO: these variables will be included in dev v48
+export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu := env_var_or_default("AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu", "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld")
+export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl := env_var_or_default("AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl", "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld")
+
+# The version name to use for packages.
+package_version := "v" + LINKERD2_PROXY_VERSION
+
+# Docker image name & tag.
+docker-repo := "localhost/linkerd/proxy"
+docker-tag := `git rev-parse --abbrev-ref HEAD | sed 's|/|.|g'` + "." + `git rev-parse --short HEAD`
+docker-image := docker-repo + ":" + docker-tag
+
+# The architecture name to use for packages. Either 'amd64' or 'arm64'.
+arch := "amd64"
+# The OS name to use for packages. Either 'linux' or 'windows'.
+os := "linux"
+
+libc := 'gnu'
+
+# If a `arch` is specified, then we change the default cargo `--target`
+# to support cross-compilation. Otherwise, we use `rustup` to find the default.
+_target := if os + '-' + arch == "linux-amd64" {
+        "x86_64-unknown-linux-" + libc
+    } else if os + '-' + arch == "linux-arm64" {
+        "aarch64-unknown-linux-" + libc
+    } else if os + '-' + arch == "windows-amd64" {
+        "x86_64-pc-windows-" + libc
+    } else {
+        error("unsupported: os=" + os + " arch=" + arch + " libc=" + libc)
+    }
+
+_cargo := 'just-cargo profile=' + profile + ' target=' + _target + ' toolchain=' + toolchain
+
+_target_dir := "target" / _target / profile
+_target_bin := _target_dir / "linkerd2-proxy" + if os == 'windows' { '.exe' } else { '' }
+_package_name := "linkerd2-proxy-" + package_version + "-" + os + "-" + arch + if libc == 'musl' { '-static' } else { '' }
+_package_dir := "target/package" / _package_name
+shasum := "shasum -a 256"
+
+_features := if features == "all" {
+        "--all-features"
+    } else if features != "" {
+        "--no-default-features --features=" + features
+    } else { "" }
+
+wait-timeout := env_var_or_default("WAIT_TIMEOUT", "1m")
+
+export CXX := 'clang++-19'
+
+#
+# Recipes
+#
+
+rustup:
+    @{{ _cargo }} _target-installed
+
+# Run all lints
+lint: sh-lint md-lint clippy doc action-lint action-dev-check
+
+# Fetch dependencies
+fetch:
+    @{{ _cargo }} fetch --locked
+
+fmt:
+    @{{ _cargo }} fmt
+
+# Fails if the code does not match the expected format (via rustfmt).
+check-fmt:
+    @{{ _cargo }} fmt -- --check
+
+check *flags:
+    @{{ _cargo }} check --workspace --all-targets --frozen {{ flags }}
+
+check-crate crate *flags:
+    @{{ _cargo }} check --package={{ crate }} --all-targets --frozen {{ _features }} {{ flags }}
+
+clippy *flags:
+    @{{ _cargo }} clippy --workspace --all-targets --frozen {{ _features }} {{ flags }}
+
+clippy-crate crate *flags:
+    @{{ _cargo }} clippy --package={{ crate }} --all-targets --frozen {{ _features }} {{ flags }}
+
+clippy-dir dir *flags:
+    cd {{ dir }} && {{ _cargo }} clippy --all-targets --frozen {{ _features }} {{ flags }}
+
+doc *flags:
+    @{{ _cargo }} doc --no-deps --workspace --frozen {{ _features }} {{ flags }}
+
+doc-crate crate *flags:
+    @{{ _cargo }} doc --package={{ crate }} --all-targets --frozen {{ _features }} {{ flags }}
+
+# Build all tests
+test-build *flags:
+    @{{ _cargo }} test-build --workspace --frozen {{ _features }} {{ flags }}
+
+# Run all tests
+test *flags:
+    @{{ _cargo }} test --workspace --frozen {{ _features }} {{ flags }}
+
+test-crate crate *flags:
+    @{{ _cargo }} test --package={{ crate }} --frozen {{ _features }} {{ flags }}
+
+test-dir dir *flags:
+    cd {{ dir }} && {{ _cargo }} test --frozen {{ _features }} {{ flags }}
+
+# Build the proxy
+# XXX(ver) checksec doesn't work when profile=debug, so skip it.
+build: _build _strip
+
+# Build the proxy without stripping debug symbols
+build-debug: _build
+
+_build:
+    @rm -f {{ _target_bin }} {{ _target_bin }}.dbg
+    @{{ _cargo }} build --frozen --package=linkerd2-proxy {{ _features }}
+
+_strip:
+    {{ _objcopy }} --only-keep-debug {{ _target_bin }} {{ _target_bin }}.dbg
+    {{ _objcopy }} --strip-unneeded {{ _target_bin }}
+    {{ _objcopy }} --add-gnu-debuglink={{ _target_bin }}.dbg {{ _target_bin }}
+
+_package_bin := _package_dir / "bin" / "linkerd2-proxy"
+
+# XXX aarch64-musl builds do not enable PIE, so we use target-specific
+# files to document those differences.
+_expected_checksec := '.checksec' / arch + '-' + libc + '.json'
+
+# Check the security properties of the proxy binary.
+checksec:
+    checksec --output=json --file='{{ _target_bin }}' \
+        | jq '.' | tee /dev/stderr \
+        | jq -S '.[] | del(."fortify_source") | del(."fortify-able") | del(.fortified) | del(.symbols)' \
+        | diff -u {{ _expected_checksec }} - >&2
+
+_objcopy := 'llvm-objcopy-' + `just-cargo --evaluate _llvm-version`
+
+# Build a package (i.e. for a release)
+package: build
+    @mkdir -p {{ _package_dir }}/bin
+    cp LICENSE {{ _package_dir }}/
+    cp {{ _target_bin }} {{ _target_bin }}.dbg {{ _package_dir }}/
+    tar -czvf target/package/{{ _package_name }}.tar.gz  -C target/package {{ _package_name }} >/dev/null
+    cd target/package && ({{ shasum }} {{ _package_name }}.tar.gz | tee {{ _package_name }}.txt)
+    @rm -rf {{ _package_dir }}
+    @du -h target/package/{{ _package_name }}.tar.gz
+    @tar tzvf target/package/{{ _package_name }}.tar.gz
+
+# Build all of the fuzzers (SLOW).
+fuzzers:
+    #!/usr/bin/env bash
+    set -euo pipefail
+    if [ "{{ toolchain }}" != "nightly" ]; then
+        echo "fuzzers must be run with nightly" >&2
+        exit 1
+    fi
+    for dir in $(find ./linkerd -type d -name fuzz); do
+        echo "cd $dir && cargo +nightly fuzz build"
+        ( cd $dir ; cargo +nightly fuzz build \
+                {{ if profile == "release" { "--release" } else { "" } }} )
+    done
+
+export DOCKER_BUILDX_CACHE_DIR := env_var_or_default('DOCKER_BUILDX_CACHE_DIR', '')
+
+# Build a docker image (FOR TESTING ONLY)
+docker *args='--output=type=docker': && _clean-cache
+    docker buildx build . \
+        --pull \
+        --tag={{ docker-image }} \
+        --build-arg PROFILE='{{ profile }}' \
+        --build-arg LINKERD2_PROXY_VENDOR='{{ LINKERD2_PROXY_VENDOR }}' \
+        --build-arg LINKERD2_PROXY_VERSION='{{ LINKERD2_PROXY_VERSION }}' \
+        --no-cache-filter=runtime \
+        {{ if linkerd-tag == '' { '' } else { '--build-arg=RUNTIME_IMAGE=ghcr.io/linkerd/proxy:' + linkerd-tag } }} \
+        {{ if features != "" { "--build-arg PROXY_FEATURES=" + features } else { "" } }} \
+        {{ if DOCKER_BUILDX_CACHE_DIR == '' { '' } else { '--cache-from=type=local,src=' + DOCKER_BUILDX_CACHE_DIR + ' --cache-to=type=local,dest=' + DOCKER_BUILDX_CACHE_DIR } }} \
+        {{ args }}
+
+_clean-cache:
+    @{{ if DOCKER_BUILDX_CACHE_DIR == '' { 'true' } else { 'just-dev prune-action-cache ' + DOCKER_BUILDX_CACHE_DIR } }}
+
+# Lints all shell scripts in the repo.
+sh-lint:
+    @just-sh
+
+md-lint:
+    @just-md
+
+# Lints all GitHub Actions workflows
+action-lint:
+    @just-dev lint-actions
+
+action-dev-check:
+    #!/usr/bin/env bash
+    # TODO(ver) consolidate this again with just-dev
+    #@just-dev check-action-images
+    set -euo pipefail
+    VERSION=$(j5j .devcontainer/devcontainer.json |jq -r '.build.args["DEV_VERSION"]')
+    EX=0
+    while IFS= read filelineimg ; do
+        # Parse lines in the form `file:line img:tag`
+        fileline="${filelineimg%% *}"
+        file="${fileline%%:*}"
+        line="${fileline##*:}"
+        img="${filelineimg##* }"
+        name="${img%%:*}"
+        # Tag may be in the form of `version[-variant]`
+        tag="${img##*:}"
+        version="${tag%%-*}"
+        if [ "$name" = 'ghcr.io/linkerd/dev' ] && [ "$version" != "$VERSION" ]; then
+            if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
+                echo "::error file=${file},line=${line}::Expected image 'ghcr.io/linkerd/dev:$VERSION'; found '${img}'" >&2
+            else
+                echo "${file}:${line}: Expected image 'ghcr.io/linkerd/dev:$VERSION'; found '${img}'" >&2
+            fi
+            EX=$(( EX+1 ))
+        fi
+    done < <( /usr/local/bin/action-images )
+    exit $EX
+
+##
+## Linkerd
+##
+
+linkerd-tag := env_var_or_default('LINKERD_TAG', '')
+_controller-image := 'ghcr.io/linkerd/controller'
+_policy-image := 'ghcr.io/linkerd/policy-controller'
+_init-image := 'ghcr.io/linkerd/proxy-init'
+_init-tag := 'v2.4.0'
+
+_kubectl := 'just-k3d kubectl'
+_linkerd := 'linkerd --context=k3d-$(just-k3d --evaluate K3D_CLUSTER_NAME)'
+
+_tag-set:
+    #!/usr/bin/env bash
+    if [ -z '{{ linkerd-tag }}' ]; then
+        echo "linkerd-tag must be set" >&2
+        exit 1
+    fi
+
+_k3d-ready:
+    @just-k3d ready
+
+export K3D_CLUSTER_NAME := "l5d-proxy"
+export K3D_CREATE_FLAGS := "--no-lb"
+export K3S_DISABLE := "local-storage,traefik,servicelb,metrics-server@server:*"
+k3d-create: && _k3d-ready
+    @just-k3d create
+
+k3d-load-linkerd: _tag-set _k3d-ready
+    for i in \
+        '{{ _controller-image }}:{{ linkerd-tag }}' \
+        '{{ _policy-image }}:{{ linkerd-tag }}' \
+        '{{ _init-image }}:{{ _init-tag }}' \
+    ; do \
+        docker pull -q "$i" ; \
+    done
+    @just-k3d import \
+        '{{ docker-image }}' \
+        '{{ _controller-image }}:{{ linkerd-tag }}' \
+        '{{ _policy-image }}:{{ linkerd-tag }}' \
+        '{{ _init-image }}:{{ _init-tag }}'
+
+# Install crds on the test cluster.
+_linkerd-crds-install: _k3d-ready
+    {{ _kubectl }} apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
+    {{ _linkerd }} install --crds \
+        | {{ _kubectl }} apply -f -
+    {{ _kubectl }} wait crd --for condition=established \
+        --selector='linkerd.io/control-plane-ns' \
+        --timeout={{ wait-timeout }}
+
+# Install linkerd on the test cluster using test images.
+linkerd-install *args='': _tag-set k3d-load-linkerd _linkerd-crds-install && _linkerd-ready
+    {{ _linkerd }} install \
+            --set='imagePullPolicy=Never' \
+            --set='controllerImage={{ _controller-image }}' \
+            --set='linkerdVersion={{ linkerd-tag }}' \
+            --set='policyController.image.name={{ _policy-image }}' \
+            --set='policyController.image.version={{ linkerd-tag }}' \
+            --set='proxy.image.name={{ docker-repo }}' \
+            --set='proxy.image.version={{ docker-tag }}' \
+            --set='proxy.logLevel=linkerd=debug\,info' \
+            --set='proxyInit.image.name={{ _init-image }}' \
+            --set='proxyInit.image.version={{ _init-tag }}' \
+            {{ args }} \
+        | {{ _kubectl }} apply -f -
+
+linkerd-uninstall:
+    {{ _linkerd }} uninstall \
+        | {{ _kubectl }} delete -f -
+
+linkerd-check-control-plane-proxy:
+    #!/usr/bin/env bash
+    set -euo pipefail
+    check=$(mktemp --tmpdir check-XXXX.json)
+    {{ _linkerd }} check -o json > "$check"
+    result=$(jq -r \
+        '.categories[] | select(.categoryName == "linkerd-control-plane-proxy") | .checks[] | select(.description == "control plane proxies are healthy") | .result' \
+        "$check")
+    if [ "$result" != "success" ]; then
+        jq '.categories[] | .checks[] | select(.result != "success") | select(.hint | contains("-version") | not)' \
+            "$check" >&2
+        {{ _kubectl }} describe po -n linkerd >&2
+        exit 1
+    fi
+    rm "$check"
+
+_linkerd-ready:
+    {{ _kubectl }} wait pod --for=condition=ready \
+        --namespace=linkerd --selector='linkerd.io/control-plane-component' \
+        --timeout={{ wait-timeout }}
+
+#
+# Dev Container
+#
+
+devcontainer-up:
+    devcontainer.js up --workspace-folder=.
+
+devcontainer-exec container-id *args:
+    devcontainer.js exec --container-id={{ container-id }} {{ args }}

linkerd/addr/Cargo.toml

@@ -1,12 +1,16 @@
 [package]
 name = "linkerd-addr"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2018"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [dependencies]
-http = "0.2"
+http = { workspace = true }
+ipnet = "2.11"
 linkerd-dns-name = { path = "../dns/name" }
-thiserror = "1.0"
+thiserror = "2"
+
+[lints.rust]
+unexpected_cfgs = { level = "warn", check-cfg = ['cfg(fuzzing)'] }

linkerd/addr/fuzz/Cargo.toml

@@ -1,9 +1,10 @@
 [package]
 name = "linkerd-addr-fuzz"
-version = "0.0.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-publish = false
-edition = "2018"
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [package.metadata]
 cargo-fuzz = true
@@ -12,7 +13,7 @@ cargo-fuzz = true
 libfuzzer-sys = "0.4"
 linkerd-addr = { path = ".." }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
-tracing = "0.1.26"
+tracing = { workspace = true }
 
 # Prevent this from interfering with workspaces
 [workspace]

linkerd/addr/src/addr_match.rs

@@ -1,7 +1,7 @@
+use crate::Addr;
 use ipnet::IpNet;
-use linkerd_addr::Addr;
-use linkerd_dns::{Name, Suffix};
-use std::{fmt, iter::FromIterator, net::IpAddr, sync::Arc};
+use linkerd_dns_name::{Name, Suffix};
+use std::{fmt, net::IpAddr, sync::Arc};
 
 #[derive(Clone, Debug, Default)]
 pub struct AddrMatch {

linkerd/addr/src/lib.rs

@@ -1,13 +1,17 @@
-#![deny(warnings, rust_2018_idioms)]
+#![deny(rust_2018_idioms, clippy::disallowed_methods, clippy::disallowed_types)]
 #![forbid(unsafe_code)]
 use linkerd_dns_name::Name;
 use std::{
     fmt,
     net::{IpAddr, SocketAddr},
     str::FromStr,
+    sync::Arc,
 };
 use thiserror::Error;
 
+mod addr_match;
+pub use self::addr_match::{AddrMatch, IpMatch, NameMatch};
+
 #[derive(Clone, Debug, Eq, Hash, PartialEq)]
 pub enum Addr {
     Name(NameAddr),
@@ -16,7 +20,7 @@ pub enum Addr {
 
 #[derive(Clone, Debug, Eq, Hash, PartialEq)]
 pub struct NameAddr {
-    name: Name,
+    name: Arc<Name>,
     port: u16,
 }
 
@@ -96,15 +100,11 @@ impl Addr {
                     // them ourselves.
                     format!("[{}]", a.ip())
                 };
-                http::uri::Authority::from_str(&ip).unwrap_or_else(|err| {
-                    panic!("SocketAddr ({}) must be valid authority: {}", a, err)
-                })
-            }
-            Addr::Socket(a) => {
-                http::uri::Authority::from_str(&a.to_string()).unwrap_or_else(|err| {
-                    panic!("SocketAddr ({}) must be valid authority: {}", a, err)
-                })
+                http::uri::Authority::from_str(&ip)
+                    .unwrap_or_else(|err| panic!("SocketAddr ({a}) must be valid authority: {err}"))
             }
+            Addr::Socket(a) => http::uri::Authority::from_str(&a.to_string())
+                .unwrap_or_else(|err| panic!("SocketAddr ({a}) must be valid authority: {err}")),
         }
     }
 
@@ -167,7 +167,10 @@ impl AsRef<Self> for Addr {
 
 impl From<(Name, u16)> for NameAddr {
     fn from((name, port): (Name, u16)) -> Self {
-        NameAddr { name, port }
+        NameAddr {
+            name: name.into(),
+            port,
+        }
     }
 }
 
@@ -191,9 +194,8 @@ impl NameAddr {
             return Err(Error::InvalidHost);
         }
 
-        Name::from_str(host)
-            .map(|name| NameAddr { name, port })
-            .map_err(|_| Error::InvalidHost)
+        let name = Name::from_str(host).map_err(|_| Error::InvalidHost)?;
+        Ok((name, port).into())
     }
 
     pub fn from_authority_with_default_port(
@@ -259,14 +261,14 @@ mod tests {
         ];
         for (host, expected_result) in cases {
             let a = Addr::from_str(host).unwrap();
-            assert_eq!(a.is_loopback(), *expected_result, "{:?}", host)
+            assert_eq!(a.is_loopback(), *expected_result, "{host:?}")
         }
     }
 
     fn test_to_http_authority(cases: &[&str]) {
         let width = cases.iter().map(|s| s.len()).max().unwrap_or(0);
         for host in cases {
-            print!("trying {:1$} ... ", host, width);
+            print!("trying {host:width$} ... ");
             Addr::from_str(host).unwrap().to_http_authority();
             println!("ok");
         }

linkerd/app/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2018"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Configures and executes the proxy
 
@@ -13,9 +13,12 @@ This is used by tests and the executable.
 
 [features]
 allow-loopback = ["linkerd-app-outbound/allow-loopback"]
+log-streaming = ["linkerd-app-admin/log-streaming"]
+pprof = ["linkerd-app-admin/pprof"]
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
+hyper-util = { workspace = true }
 linkerd-app-admin = { path = "./admin" }
 linkerd-app-core = { path = "./core" }
 linkerd-app-gateway = { path = "./gateway" }
@@ -23,10 +26,14 @@ linkerd-app-inbound = { path = "./inbound" }
 linkerd-app-outbound = { path = "./outbound" }
 linkerd-error = { path = "../error" }
 linkerd-opencensus = { path = "../opencensus" }
-regex = "1.5.4"
-thiserror = "1.0"
+linkerd-opentelemetry = { path = "../opentelemetry" }
+linkerd-tonic-stream = { path = "../tonic-stream" }
+linkerd-workers = { path = "../workers" }
+rangemap = "1"
+regex = "1"
+thiserror = "2"
 tokio = { version = "1", features = ["rt"] }
-tokio-stream = { version = "0.1.7", features = ["time", "sync"] }
-tonic = { version = "0.5", default-features = false, features = ["prost"] }
-tower = "0.4.8"
-tracing = "0.1.28"
+tokio-stream = { version = "0.1", features = ["time", "sync"] }
+tonic = { workspace = true, default-features = false, features = ["prost"] }
+tower = { workspace = true }
+tracing = { workspace = true }

linkerd/app/admin/Cargo.toml

@@ -1,27 +1,40 @@
 [package]
 name = "linkerd-app-admin"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2018"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 The linkerd proxy's admin server.
 """
 
+[features]
+default = []
+pprof = ["deflate", "dep:pprof"]
+log-streaming = ["linkerd-tracing/stream"]
+
 [dependencies]
-html-escape = "0.2"
-http = "0.2"
-hyper = { version = "0.14", features = ["http1", "http2"] }
+bytes = { workspace = true }
+deflate = { version = "1", optional = true, features = ["gzip"] }
+http = { workspace = true }
+http-body = { workspace = true }
+http-body-util = { workspace = true }
+hyper = { workspace = true, features = ["http1", "http2"] }
 futures = { version = "0.3", default-features = false }
+pprof = { version = "0.15", optional = true, features = ["prost-codec"] }
+serde = "1"
+serde_json = "1"
+thiserror = "2"
+tokio = { version = "1", features = ["macros", "sync", "parking_lot"] }
+tracing = { workspace = true }
+
 linkerd-app-core = { path = "../core" }
 linkerd-app-inbound = { path = "../inbound" }
-thiserror = "1"
-tokio = { version = "1", features = ["macros", "sync", "parking_lot"]}
-tracing = "0.1"
+linkerd-tracing = { path = "../../tracing" }
 
 [dependencies.tower]
-version = "0.4"
+workspace = true
 default-features = false
 features = [
     "buffer",
@@ -30,4 +43,3 @@ features = [
     "timeout",
     "util",
 ]
-

linkerd/app/admin/src/lib.rs

@@ -1,6 +1,8 @@
-#![deny(warnings, rust_2018_idioms)]
+#![deny(rust_2018_idioms, clippy::disallowed_methods, clippy::disallowed_types)]
 #![forbid(unsafe_code)]
 
+#[cfg(feature = "pprof")]
+mod pprof;
 mod server;
 mod stack;
 

linkerd/app/admin/src/pprof.rs

@@ -0,0 +1,62 @@
+use linkerd_app_core::Result;
+
+#[derive(Copy, Clone, Debug)]
+pub(crate) struct Pprof;
+
+impl Pprof {
+    pub async fn profile<B>(self, req: http::Request<B>) -> Result<http::Response<hyper::Body>> {
+        use pprof::protos::Message;
+
+        fn query_param<'r, B>(req: &'r http::Request<B>, name: &'static str) -> Option<&'r str> {
+            let params = req.uri().path_and_query()?.query()?.split('&');
+            params
+                .filter_map(|p| p.strip_prefix(name)?.strip_prefix('='))
+                .next()
+        }
+
+        // TODO(ver) Pretty-up error handling if we ever expose this outside of
+        // development.
+        let duration = std::time::Duration::from_secs_f64(
+            query_param(&req, "seconds")
+                .map(|s| s.parse::<f64>())
+                .transpose()?
+                .unwrap_or(30.0),
+        );
+        let frequency = query_param(&req, "frequency")
+            .map(|s| s.parse::<i32>())
+            .transpose()?
+            // Go's default.
+            .unwrap_or(100);
+        tracing::info!(?duration, frequency, "Collecting");
+
+        let report = {
+            let guard = pprof::ProfilerGuard::new(frequency)?;
+            tokio::time::sleep(duration).await;
+            guard.report().build()?
+        };
+        tracing::info!(
+            ?duration,
+            frequency,
+            frames = report.data.len(),
+            "Collected"
+        );
+
+        let pb_gz = {
+            let mut gz = deflate::write::GzEncoder::new(
+                Vec::<u8>::new(),
+                deflate::CompressionOptions::fast(),
+            );
+            std::io::Write::write_all(&mut gz, &{
+                let mut buf = Vec::new();
+                report.pprof()?.encode(&mut buf)?;
+                buf
+            })?;
+            gz.finish()?
+        };
+
+        Ok(http::Response::builder()
+            .header(http::header::CONTENT_TYPE, "application/octet-stream")
+            .body(hyper::Body::from(pb_gz))
+            .expect("response must be valid"))
+    }
+}

linkerd/app/admin/src/server.rs

@@ -0,0 +1,347 @@
+//! Serves an HTTP admin server.
+//!
+//! * `GET /metrics` -- reports prometheus-formatted metrics.
+//! * `GET /ready` -- returns 200 when the proxy is ready to participate in meshed
+//!   traffic.
+//! * `GET /live` -- returns 200 when the proxy is live.
+//! * `GET /proxy-log-level` -- returns the current proxy tracing filter.
+//! * `PUT /proxy-log-level` -- sets a new tracing filter.
+//! * `GET /tasks` -- returns a dump of spawned Tokio tasks (when enabled by the
+//!   tracing configuration).
+//! * `POST /shutdown` -- shuts down the proxy.
+
+use futures::future::{self, TryFutureExt};
+use http::StatusCode;
+use linkerd_app_core::{
+    metrics::{self as metrics, legacy::FmtMetrics},
+    proxy::http::{Body, BoxBody, ClientHandle, Request, Response},
+    trace, Error, Result,
+};
+use std::{
+    future::Future,
+    pin::Pin,
+    task::{Context, Poll},
+};
+use tokio::sync::mpsc;
+
+mod json;
+mod log;
+mod readiness;
+
+pub use self::readiness::{Latch, Readiness};
+
+#[derive(Clone)]
+pub struct Admin<M> {
+    metrics: metrics::legacy::Serve<M>,
+    tracing: trace::Handle,
+    ready: Readiness,
+    shutdown_tx: mpsc::UnboundedSender<()>,
+    enable_shutdown: bool,
+    #[cfg(feature = "pprof")]
+    pprof: Option<crate::pprof::Pprof>,
+}
+
+pub type ResponseFuture = Pin<Box<dyn Future<Output = Result<Response<BoxBody>>> + Send + 'static>>;
+
+impl<M> Admin<M> {
+    pub fn new(
+        metrics: M,
+        ready: Readiness,
+        shutdown_tx: mpsc::UnboundedSender<()>,
+        enable_shutdown: bool,
+        tracing: trace::Handle,
+    ) -> Self {
+        Self {
+            metrics: metrics::legacy::Serve::new(metrics),
+            ready,
+            shutdown_tx,
+            enable_shutdown,
+            tracing,
+
+            #[cfg(feature = "pprof")]
+            pprof: None,
+        }
+    }
+
+    #[cfg(feature = "pprof")]
+    pub fn with_profiling(mut self, enabled: bool) -> Self {
+        self.pprof = enabled.then_some(crate::pprof::Pprof);
+        self
+    }
+
+    fn ready_rsp(&self) -> Response<BoxBody> {
+        if self.ready.is_ready() {
+            Response::builder()
+                .status(StatusCode::OK)
+                .header(http::header::CONTENT_TYPE, "text/plain")
+                .body(BoxBody::from_static("ready\n"))
+                .expect("builder with known status code must not fail")
+        } else {
+            Response::builder()
+                .status(StatusCode::SERVICE_UNAVAILABLE)
+                .body(BoxBody::from_static("not ready\n"))
+                .expect("builder with known status code must not fail")
+        }
+    }
+
+    fn live_rsp() -> Response<BoxBody> {
+        Response::builder()
+            .status(StatusCode::OK)
+            .header(http::header::CONTENT_TYPE, "text/plain")
+            .body(BoxBody::from_static("live\n"))
+            .expect("builder with known status code must not fail")
+    }
+
+    fn env_rsp<B>(req: Request<B>) -> Response<BoxBody> {
+        use std::{collections::HashMap, env, ffi::OsString};
+
+        if req.method() != http::Method::GET {
+            return Self::method_not_allowed();
+        }
+
+        if let Err(not_acceptable) = json::accepts_json(&req) {
+            return not_acceptable;
+        }
+
+        fn unicode(s: OsString) -> String {
+            s.to_string_lossy().into_owned()
+        }
+
+        let query = req
+            .uri()
+            .path_and_query()
+            .and_then(http::uri::PathAndQuery::query);
+        let env = if let Some(query) = query {
+            if query.contains('=') {
+                return json::json_error_rsp(
+                    "env.json query parameters may not contain key-value pairs",
+                    StatusCode::BAD_REQUEST,
+                );
+            }
+            query
+                .split('&')
+                .map(|qparam| {
+                    let var = match std::env::var(qparam) {
+                        Err(env::VarError::NotPresent) => None,
+                        Err(env::VarError::NotUnicode(bad)) => Some(unicode(bad)),
+                        Ok(var) => Some(var),
+                    };
+                    (qparam.to_string(), var)
+                })
+                .collect::<HashMap<String, Option<String>>>()
+        } else {
+            std::env::vars_os()
+                .map(|(key, var)| (unicode(key), Some(unicode(var))))
+                .collect::<HashMap<String, Option<String>>>()
+        };
+
+        json::json_rsp(&env)
+    }
+
+    fn shutdown(&self) -> Response<BoxBody> {
+        if !self.enable_shutdown {
+            return Response::builder()
+                .status(StatusCode::NOT_FOUND)
+                .header(http::header::CONTENT_TYPE, "text/plain")
+                .body(BoxBody::from_static("shutdown endpoint is not enabled\n"))
+                .expect("builder with known status code must not fail");
+        }
+        if self.shutdown_tx.send(()).is_ok() {
+            Response::builder()
+                .status(StatusCode::OK)
+                .header(http::header::CONTENT_TYPE, "text/plain")
+                .body(BoxBody::from_static("shutdown\n"))
+                .expect("builder with known status code must not fail")
+        } else {
+            Response::builder()
+                .status(StatusCode::INTERNAL_SERVER_ERROR)
+                .header(http::header::CONTENT_TYPE, "text/plain")
+                .body(BoxBody::from_static("shutdown listener dropped\n"))
+                .expect("builder with known status code must not fail")
+        }
+    }
+
+    fn internal_error_rsp(error: impl ToString) -> http::Response<BoxBody> {
+        http::Response::builder()
+            .status(http::StatusCode::INTERNAL_SERVER_ERROR)
+            .header(http::header::CONTENT_TYPE, "text/plain")
+            .body(BoxBody::new(error.to_string()))
+            .expect("builder with known status code should not fail")
+    }
+
+    fn not_found() -> Response<BoxBody> {
+        Response::builder()
+            .status(http::StatusCode::NOT_FOUND)
+            .body(BoxBody::empty())
+            .expect("builder with known status code must not fail")
+    }
+
+    fn method_not_allowed() -> Response<BoxBody> {
+        Response::builder()
+            .status(http::StatusCode::METHOD_NOT_ALLOWED)
+            .body(BoxBody::empty())
+            .expect("builder with known status code must not fail")
+    }
+
+    fn forbidden_not_localhost() -> Response<BoxBody> {
+        Response::builder()
+            .status(http::StatusCode::FORBIDDEN)
+            .header(http::header::CONTENT_TYPE, "text/plain")
+            .body(BoxBody::new::<String>(
+                "Requests are only permitted from localhost.".into(),
+            ))
+            .expect("builder with known status code must not fail")
+    }
+
+    fn client_is_localhost<B>(req: &Request<B>) -> bool {
+        req.extensions()
+            .get::<ClientHandle>()
+            .map(|a| match a.addr.ip() {
+                std::net::IpAddr::V4(v4) => v4.is_loopback(),
+                std::net::IpAddr::V6(v6) => {
+                    if let Some(v4) = v6.to_ipv4_mapped() {
+                        v4.is_loopback()
+                    } else {
+                        v6.is_loopback()
+                    }
+                }
+            })
+            .unwrap_or(false)
+    }
+}
+
+impl<M, B> tower::Service<http::Request<B>> for Admin<M>
+where
+    M: FmtMetrics,
+    B: Body + Send + 'static,
+    B::Error: Into<Error>,
+    B::Data: Send,
+{
+    type Response = http::Response<BoxBody>;
+    type Error = Error;
+    type Future = ResponseFuture;
+
+    fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        Poll::Ready(Ok(()))
+    }
+
+    fn call(&mut self, req: Request<B>) -> Self::Future {
+        match req.uri().path() {
+            "/live" => Box::pin(future::ok(Self::live_rsp())),
+            "/ready" => Box::pin(future::ok(self.ready_rsp())),
+            "/metrics" => {
+                let rsp = self.metrics.serve(req).unwrap_or_else(|error| {
+                    ::tracing::error!(%error, "Failed to format metrics");
+                    Self::internal_error_rsp(error)
+                });
+                Box::pin(future::ok(rsp))
+            }
+
+            "/proxy-log-level" => {
+                if !Self::client_is_localhost(&req) {
+                    return Box::pin(future::ok(Self::forbidden_not_localhost()));
+                }
+
+                let level = match self.tracing.level() {
+                    Some(level) => level.clone(),
+                    None => return Box::pin(future::ok(Self::not_found())),
+                };
+
+                Box::pin(log::level::serve(level, req).or_else(|error| {
+                    tracing::error!(error, "Failed to get/set tracing level");
+                    future::ok(Self::internal_error_rsp(error))
+                }))
+            }
+
+            #[cfg(feature = "log-streaming")]
+            "/logs.json" => {
+                if !Self::client_is_localhost(&req) {
+                    return Box::pin(future::ok(Self::forbidden_not_localhost()));
+                }
+
+                Box::pin(
+                    log::stream::serve(self.tracing.clone(), req).or_else(|error| {
+                        tracing::error!(error, "Failed to stream logs");
+                        future::ok(Self::internal_error_rsp(error))
+                    }),
+                )
+            }
+
+            "/env.json" => Box::pin(future::ok(Self::env_rsp(req))),
+
+            "/shutdown" => {
+                if req.method() == http::Method::POST {
+                    if Self::client_is_localhost(&req) {
+                        Box::pin(future::ok(self.shutdown()))
+                    } else {
+                        Box::pin(future::ok(Self::forbidden_not_localhost()))
+                    }
+                } else {
+                    Box::pin(future::ok(Self::method_not_allowed()))
+                }
+            }
+
+            #[cfg(feature = "pprof")]
+            "/debug/pprof/profile.pb.gz" if self.pprof.is_some() => {
+                let pprof = self.pprof.expect("unreachable");
+
+                if !Self::client_is_localhost(&req) {
+                    return Box::pin(future::ok(Self::forbidden_not_localhost()));
+                }
+
+                if req.method() != http::Method::GET {
+                    return Box::pin(future::ok(Self::method_not_allowed()));
+                }
+
+                Box::pin(async move {
+                    Ok(pprof
+                        .profile(req)
+                        .await
+                        .unwrap_or_else(Self::internal_error_rsp))
+                })
+            }
+
+            _ => Box::pin(future::ok(Self::not_found())),
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use http::method::Method;
+    use std::time::Duration;
+    use tokio::time::timeout;
+    use tower::util::ServiceExt;
+
+    const TIMEOUT: Duration = Duration::from_secs(1);
+
+    #[tokio::test]
+    async fn ready_when_latches_dropped() {
+        let (r, l0) = Readiness::new();
+        let l1 = l0.clone();
+
+        let (_, t) = trace::Settings::default().build();
+        let (s, _) = mpsc::unbounded_channel();
+        let admin = Admin::new((), r, s, true, t);
+        macro_rules! call {
+            () => {{
+                let r = Request::builder()
+                    .method(Method::GET)
+                    .uri("http://0.0.0.0/ready")
+                    .body(BoxBody::empty())
+                    .unwrap();
+                let f = admin.clone().oneshot(r);
+                timeout(TIMEOUT, f).await.expect("timeout").expect("call")
+            }};
+        }
+
+        assert_eq!(call!().status(), StatusCode::SERVICE_UNAVAILABLE);
+
+        drop(l0);
+        assert_eq!(call!().status(), StatusCode::SERVICE_UNAVAILABLE);
+
+        drop(l1);
+        assert_eq!(call!().status(), StatusCode::OK);
+    }
+}

linkerd/app/admin/src/server/json.rs

@@ -0,0 +1,79 @@
+static JSON_MIME: &str = "application/json";
+pub(in crate::server) static JSON_HEADER_VAL: HeaderValue = HeaderValue::from_static(JSON_MIME);
+
+use bytes::Bytes;
+use hyper::{
+    header::{self, HeaderValue},
+    StatusCode,
+};
+use linkerd_app_core::proxy::http::BoxBody;
+
+pub(crate) fn json_error_rsp(
+    error: impl ToString,
+    status: http::StatusCode,
+) -> http::Response<BoxBody> {
+    mk_rsp(
+        status,
+        &serde_json::json!({
+            "error": error.to_string(),
+            "status": status.as_u16(),
+        }),
+    )
+}
+
+pub(crate) fn json_rsp(val: &impl serde::Serialize) -> http::Response<BoxBody> {
+    mk_rsp(StatusCode::OK, val)
+}
+
+#[allow(clippy::result_large_err)]
+pub(crate) fn accepts_json<B>(req: &http::Request<B>) -> Result<(), http::Response<BoxBody>> {
+    if let Some(accept) = req.headers().get(header::ACCEPT) {
+        let accept = match std::str::from_utf8(accept.as_bytes()) {
+            Ok(accept) => accept,
+            Err(_) => {
+                tracing::warn!("Accept header is not valid UTF-8");
+                return Err(json_error_rsp(
+                    "Accept header must be UTF-8",
+                    StatusCode::BAD_REQUEST,
+                ));
+            }
+        };
+        let will_accept_json = accept.contains(JSON_MIME)
+            || accept.contains("application/*")
+            || accept.contains("*/*");
+        if !will_accept_json {
+            tracing::warn!(?accept, "Accept header will not accept 'application/json'");
+            return Err(http::Response::builder()
+                .status(StatusCode::NOT_ACCEPTABLE)
+                .body(BoxBody::from_static(JSON_MIME))
+                .expect("builder with known status code must not fail"));
+        }
+    }
+
+    Ok(())
+}
+
+fn mk_rsp(status: StatusCode, val: &impl serde::Serialize) -> http::Response<BoxBody> {
+    // Serialize the value into JSON, and then place the bytes in a boxed response body.
+    let json = serde_json::to_vec(val)
+        .map(Bytes::from)
+        .map(http_body_util::Full::new)
+        .map(BoxBody::new);
+
+    match json {
+        Ok(body) => http::Response::builder()
+            .status(status)
+            .header(header::CONTENT_TYPE, JSON_HEADER_VAL.clone())
+            .body(body)
+            .expect("builder with known status code must not fail"),
+        Err(error) => {
+            tracing::warn!(?error, "failed to serialize JSON value");
+            http::Response::builder()
+                .status(StatusCode::INTERNAL_SERVER_ERROR)
+                .body(BoxBody::new(format!(
+                    "failed to serialize JSON value: {error}"
+                )))
+                .expect("builder with known status code must not fail")
+        }
+    }
+}

linkerd/app/admin/src/server/level.rs

@@ -1,51 +0,0 @@
-use hyper::{
-    body::{Buf, HttpBody},
-    Body,
-};
-use linkerd_app_core::{trace::level::Handle, Error};
-use std::io;
-
-pub(super) async fn serve<B>(
-    level: &Handle,
-    req: http::Request<B>,
-) -> Result<http::Response<Body>, Error>
-where
-    B: HttpBody,
-    B::Error: Into<Error>,
-{
-    let mk_rsp = |status: http::StatusCode, body: Body| -> http::Response<Body> {
-        http::Response::builder()
-            .status(status)
-            .body(body)
-            .expect("builder with known status code must not fail")
-    };
-
-    let rsp = match *req.method() {
-        http::Method::GET => {
-            let level = level.current()?;
-            mk_rsp(http::StatusCode::OK, level.into())
-        }
-
-        http::Method::PUT => {
-            let body = hyper::body::aggregate(req.into_body())
-                .await
-                .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?;
-            match level.set_from(body.chunk()) {
-                Ok(()) => mk_rsp(http::StatusCode::NO_CONTENT, Body::empty()),
-                Err(error) => {
-                    tracing::warn!(%error, "Setting log level failed");
-                    mk_rsp(http::StatusCode::BAD_REQUEST, error.into())
-                }
-            }
-        }
-
-        _ => http::Response::builder()
-            .status(http::StatusCode::METHOD_NOT_ALLOWED)
-            .header("allow", "GET")
-            .header("allow", "PUT")
-            .body(Body::empty())
-            .expect("builder with known status code must not fail"),
-    };
-
-    Ok(rsp)
-}

linkerd/app/admin/src/server/log.rs

@@ -0,0 +1,3 @@
+pub(super) mod level;
+#[cfg(feature = "log-streaming")]
+pub(super) mod stream;

linkerd/app/admin/src/server/log/level.rs

@@ -0,0 +1,60 @@
+use bytes::Buf;
+use http::{header, StatusCode};
+use linkerd_app_core::{
+    proxy::http::{Body, BoxBody},
+    trace::level,
+    Error,
+};
+use std::io;
+
+pub async fn serve<B>(
+    level: level::Handle,
+    req: http::Request<B>,
+) -> Result<http::Response<BoxBody>, Error>
+where
+    B: Body,
+    B::Error: Into<Error>,
+{
+    Ok(match *req.method() {
+        http::Method::GET => {
+            let level = level.current()?;
+            mk_rsp(StatusCode::OK, level)
+        }
+
+        http::Method::PUT => {
+            use http_body_util::BodyExt;
+            let body = req
+                .into_body()
+                .collect()
+                .await
+                .map_err(io::Error::other)?
+                .aggregate();
+            match level.set_from(body.chunk()) {
+                Ok(_) => mk_rsp(StatusCode::NO_CONTENT, BoxBody::empty()),
+                Err(error) => {
+                    tracing::warn!(%error, "Setting log level failed");
+                    mk_rsp(StatusCode::BAD_REQUEST, error)
+                }
+            }
+        }
+
+        _ => http::Response::builder()
+            .status(StatusCode::METHOD_NOT_ALLOWED)
+            .header(header::ALLOW, "GET")
+            .header(header::ALLOW, "PUT")
+            .body(BoxBody::empty())
+            .expect("builder with known status code must not fail"),
+    })
+}
+
+fn mk_rsp<B>(status: StatusCode, body: B) -> http::Response<BoxBody>
+where
+    B: Body + Send + 'static,
+    B::Data: Send + 'static,
+    B::Error: Into<Error>,
+{
+    http::Response::builder()
+        .status(status)
+        .body(BoxBody::new(body))
+        .expect("builder with known status code must not fail")
+}

linkerd/app/admin/src/server/log/stream.rs

@@ -0,0 +1,144 @@
+use crate::server::json;
+use bytes::{Buf, Bytes};
+use futures::FutureExt;
+use hyper::{header, StatusCode};
+use linkerd_app_core::{
+    proxy::http::{Body, BoxBody},
+    trace::{self},
+    Error,
+};
+use trace::EnvFilter;
+use tracing::instrument::WithSubscriber;
+
+macro_rules! recover {
+    ($thing:expr, $msg:literal, $status:expr $(,)?) => {
+        match $thing {
+            Ok(val) => val,
+            Err(error) => {
+                tracing::warn!(%error, status = %$status, message = %$msg);
+                return Ok(json::json_error_rsp(error, $status));
+            }
+        }
+    }
+}
+
+// If log streaming support is enabled, start a new log stream
+pub async fn serve<B>(
+    handle: trace::Handle,
+    req: http::Request<B>,
+) -> Result<http::Response<BoxBody>, Error>
+where
+    B: Body,
+    B::Error: Into<Error>,
+{
+    let handle = handle.into_stream();
+
+    if let Err(not_acceptable) = json::accepts_json(&req) {
+        return Ok(not_acceptable);
+    }
+
+    let try_filter = match req.method() {
+        // If the request is a GET, use the query string as the requested log filter.
+        &http::Method::GET => {
+            let query = req
+                .uri()
+                .query()
+                .ok_or("Missing query string for log-streaming filter");
+            tracing::trace!(req.query = ?query);
+            let query = recover!(query, "Missing query string", StatusCode::BAD_REQUEST);
+            parse_filter(query)
+        }
+        // If the request is a QUERY, use the request body
+        method if method.as_str() == "QUERY" => {
+            // TODO(eliza): validate that the request has a content-length...
+            use http_body_util::BodyExt;
+            let body = recover!(
+                req.into_body()
+                    .collect()
+                    .await
+                    .map_err(Into::into)
+                    .map(http_body_util::Collected::aggregate),
+                "Reading log stream request body",
+                StatusCode::BAD_REQUEST
+            );
+
+            let body_str = recover!(
+                std::str::from_utf8(body.chunk()),
+                "Parsing log stream filter",
+                StatusCode::BAD_REQUEST,
+            );
+
+            parse_filter(body_str)
+        }
+        method => {
+            tracing::warn!(?method, "Unsupported method");
+            return Ok(http::Response::builder()
+                .status(StatusCode::METHOD_NOT_ALLOWED)
+                .header(header::ALLOW, "GET")
+                .header(header::ALLOW, "QUERY")
+                .body(BoxBody::empty())
+                .expect("builder with known status code must not fail"));
+        }
+    };
+
+    let filter = recover!(
+        try_filter,
+        "Parsing log stream filter",
+        StatusCode::BAD_REQUEST,
+    );
+
+    let rx = recover!(
+        handle.add_stream(filter),
+        "Starting log stream",
+        StatusCode::INTERNAL_SERVER_ERROR
+    );
+
+    // TODO(eliza): it's currently a bit sad that we have to use `Body::channel`
+    // and spawn a worker task to poll from the log stream and write to the
+    // request body using `Bytes::copy_from_slice` --- this allocates and
+    // `memcpy`s the buffer, which is unfortunate.
+    //
+    // https://github.com/hawkw/thingbuf/issues/62 would allow us to avoid the
+    // copy by passing the channel's pooled buffer directly to hyper, and
+    // returning it to the channel to be reused when hyper is done with it.
+    let (mut tx, body) = http_body_util::channel::Channel::<Bytes, Error>::new(1024);
+    tokio::spawn(
+        async move {
+            // TODO(eliza): we could definitely implement some batching here.
+            while let Some(line) = rx.next_line().await {
+                tx.send_data(Bytes::copy_from_slice(line.as_ref())).await?;
+
+                // if any log events were dropped, report that to the client
+                let dropped = rx.take_dropped_count();
+                if dropped > 0 {
+                    let json =
+                        serde_json::to_vec(&serde_json::json!({ "dropped_events": dropped }))?;
+                    tx.send_data(Bytes::from(json)).await?;
+                }
+            }
+
+            Ok(())
+        }
+        // send any logs generated by the log streaming task to /dev/null
+        .with_subscriber(tracing::subscriber::NoSubscriber::default())
+        .map(|res: Result<(), Error>| {
+            tracing::debug!(?res, "Log stream completed");
+        }),
+    );
+
+    Ok(mk_rsp(StatusCode::OK, BoxBody::new(body)))
+}
+
+fn parse_filter(filter_str: &str) -> Result<EnvFilter, impl std::error::Error> {
+    let filter = EnvFilter::builder().with_regex(false).parse(filter_str);
+    tracing::trace!(?filter, ?filter_str);
+    filter
+}
+
+fn mk_rsp<B>(status: StatusCode, body: B) -> http::Response<B> {
+    http::Response::builder()
+        .status(status)
+        .header(header::CONTENT_TYPE, json::JSON_HEADER_VAL.clone())
+        .body(body)
+        .expect("builder with known status code must not fail")
+}

linkerd/app/admin/src/server/mod.rs

@@ -1,251 +0,0 @@
-//! Serves an HTTP admin server.
-//!
-//! * `GET /metrics` -- reports prometheus-formatted metrics.
-//! * `GET /ready` -- returns 200 when the proxy is ready to participate in meshed
-//!   traffic.
-//! * `GET /live` -- returns 200 when the proxy is live.
-//! * `GET /proxy-log-level` -- returns the current proxy tracing filter.
-//! * `PUT /proxy-log-level` -- sets a new tracing filter.
-//! * `GET /tasks` -- returns a dump of spawned Tokio tasks (when enabled by the
-//!   tracing configuration).
-//! * `POST /shutdown` -- shuts down the proxy.
-
-use futures::future;
-use http::StatusCode;
-use hyper::{
-    body::{Body, HttpBody},
-    Request, Response,
-};
-use linkerd_app_core::{
-    metrics::{self as metrics, FmtMetrics},
-    proxy::http::ClientHandle,
-    trace, Error,
-};
-use std::{
-    future::Future,
-    net::SocketAddr,
-    pin::Pin,
-    task::{Context, Poll},
-};
-use tokio::sync::mpsc;
-
-mod level;
-mod readiness;
-
-pub use self::readiness::{Latch, Readiness};
-
-#[derive(Clone)]
-pub struct Admin<M> {
-    metrics: metrics::Serve<M>,
-    tracing: trace::Handle,
-    ready: Readiness,
-    shutdown_tx: mpsc::UnboundedSender<()>,
-}
-
-#[derive(Clone)]
-pub struct Accept<S> {
-    service: S,
-    server: hyper::server::conn::Http,
-}
-
-#[derive(Clone)]
-pub struct Serve<S> {
-    client_addr: SocketAddr,
-    inner: S,
-}
-
-pub type ResponseFuture =
-    Pin<Box<dyn Future<Output = Result<Response<Body>, Error>> + Send + 'static>>;
-
-impl<M> Admin<M> {
-    pub fn new(
-        metrics: M,
-        ready: Readiness,
-        shutdown_tx: mpsc::UnboundedSender<()>,
-        tracing: trace::Handle,
-    ) -> Self {
-        Self {
-            metrics: metrics::Serve::new(metrics),
-            ready,
-            shutdown_tx,
-            tracing,
-        }
-    }
-
-    fn ready_rsp(&self) -> Response<Body> {
-        if self.ready.is_ready() {
-            Response::builder()
-                .status(StatusCode::OK)
-                .header(http::header::CONTENT_TYPE, "text/plain")
-                .body("ready\n".into())
-                .expect("builder with known status code must not fail")
-        } else {
-            Response::builder()
-                .status(StatusCode::SERVICE_UNAVAILABLE)
-                .body("not ready\n".into())
-                .expect("builder with known status code must not fail")
-        }
-    }
-
-    fn live_rsp() -> Response<Body> {
-        Response::builder()
-            .status(StatusCode::OK)
-            .header(http::header::CONTENT_TYPE, "text/plain")
-            .body("live\n".into())
-            .expect("builder with known status code must not fail")
-    }
-
-    fn shutdown(&self) -> Response<Body> {
-        if self.shutdown_tx.send(()).is_ok() {
-            Response::builder()
-                .status(StatusCode::OK)
-                .header(http::header::CONTENT_TYPE, "text/plain")
-                .body("shutdown\n".into())
-                .expect("builder with known status code must not fail")
-        } else {
-            Response::builder()
-                .status(StatusCode::INTERNAL_SERVER_ERROR)
-                .header(http::header::CONTENT_TYPE, "text/plain")
-                .body("shutdown listener dropped\n".into())
-                .expect("builder with known status code must not fail")
-        }
-    }
-
-    fn internal_error_rsp(error: impl ToString) -> http::Response<Body> {
-        http::Response::builder()
-            .status(http::StatusCode::INTERNAL_SERVER_ERROR)
-            .header(http::header::CONTENT_TYPE, "text/plain")
-            .body(error.to_string().into())
-            .expect("builder with known status code should not fail")
-    }
-
-    fn not_found() -> Response<Body> {
-        Response::builder()
-            .status(http::StatusCode::NOT_FOUND)
-            .body(Body::empty())
-            .expect("builder with known status code must not fail")
-    }
-
-    fn method_not_allowed() -> Response<Body> {
-        Response::builder()
-            .status(http::StatusCode::METHOD_NOT_ALLOWED)
-            .body(Body::empty())
-            .expect("builder with known status code must not fail")
-    }
-
-    fn forbidden_not_localhost() -> Response<Body> {
-        Response::builder()
-            .status(http::StatusCode::FORBIDDEN)
-            .header(http::header::CONTENT_TYPE, "text/plain")
-            .body("Requests are only permitted from localhost.".into())
-            .expect("builder with known status code must not fail")
-    }
-
-    fn client_is_localhost<B>(req: &Request<B>) -> bool {
-        req.extensions()
-            .get::<ClientHandle>()
-            .map(|a| a.addr.ip().is_loopback())
-            .unwrap_or(false)
-    }
-}
-
-impl<M, B> tower::Service<http::Request<B>> for Admin<M>
-where
-    M: FmtMetrics,
-    B: HttpBody + Send + Sync + 'static,
-    B::Error: Into<Error>,
-    B::Data: Send,
-{
-    type Response = http::Response<Body>;
-    type Error = Error;
-    type Future = ResponseFuture;
-
-    fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
-        Poll::Ready(Ok(()))
-    }
-
-    fn call(&mut self, req: Request<B>) -> Self::Future {
-        match req.uri().path() {
-            "/live" => Box::pin(future::ok(Self::live_rsp())),
-            "/ready" => Box::pin(future::ok(self.ready_rsp())),
-            "/metrics" => {
-                let rsp = self.metrics.serve(req).unwrap_or_else(|error| {
-                    ::tracing::error!(%error, "Failed to format metrics");
-                    Self::internal_error_rsp(error)
-                });
-                Box::pin(future::ok(rsp))
-            }
-            "/proxy-log-level" => {
-                if Self::client_is_localhost(&req) {
-                    let level = self.tracing.level().cloned();
-                    Box::pin(async move {
-                        let rsp = match level {
-                            Some(level) => {
-                                level::serve(&level, req).await.unwrap_or_else(|error| {
-                                    tracing::error!(%error, "Failed to get/set tracing level");
-                                    Self::internal_error_rsp(error)
-                                })
-                            }
-                            None => Self::not_found(),
-                        };
-                        Ok(rsp)
-                    })
-                } else {
-                    Box::pin(future::ok(Self::forbidden_not_localhost()))
-                }
-            }
-            "/shutdown" => {
-                if req.method() == http::Method::POST {
-                    if Self::client_is_localhost(&req) {
-                        Box::pin(future::ok(self.shutdown()))
-                    } else {
-                        Box::pin(future::ok(Self::forbidden_not_localhost()))
-                    }
-                } else {
-                    Box::pin(future::ok(Self::method_not_allowed()))
-                }
-            }
-            _ => Box::pin(future::ok(Self::not_found())),
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use http::method::Method;
-    use std::time::Duration;
-    use tokio::{sync::mpsc, time::timeout};
-    use tower::util::ServiceExt;
-
-    const TIMEOUT: Duration = Duration::from_secs(1);
-
-    #[tokio::test]
-    async fn ready_when_latches_dropped() {
-        let (r, l0) = Readiness::new();
-        let l1 = l0.clone();
-
-        let (_, t) = trace::Settings::default().build();
-        let (s, _) = mpsc::unbounded_channel();
-        let admin = Admin::new((), r, s, t);
-        macro_rules! call {
-            () => {{
-                let r = Request::builder()
-                    .method(Method::GET)
-                    .uri("http://0.0.0.0/ready")
-                    .body(Body::empty())
-                    .unwrap();
-                let f = admin.clone().oneshot(r);
-                timeout(TIMEOUT, f).await.expect("timeout").expect("call")
-            };};
-        }
-
-        assert_eq!(call!().status(), StatusCode::SERVICE_UNAVAILABLE);
-
-        drop(l0);
-        assert_eq!(call!().status(), StatusCode::SERVICE_UNAVAILABLE);
-
-        drop(l1);
-        assert_eq!(call!().status(), StatusCode::OK);
-    }
-}

linkerd/app/admin/src/server/readiness.rs

@@ -8,7 +8,7 @@ pub struct Readiness(Weak<()>);
 
 /// When all latches are dropped, the process is considered ready.
 #[derive(Clone, Debug)]
-pub struct Latch(Arc<()>);
+pub struct Latch(#[allow(dead_code)] Arc<()>);
 
 impl Readiness {
     pub fn new() -> (Readiness, Latch) {

linkerd/app/admin/src/stack.rs

@@ -1,13 +1,15 @@
 use linkerd_app_core::{
     classify,
     config::ServerConfig,
-    detect, drain, errors,
-    metrics::{self, FmtMetrics},
-    proxy::{http, identity::LocalCrtKey},
+    drain, errors, identity,
+    metrics::{self, legacy::FmtMetrics},
+    proxy::http,
     serve,
     svc::{self, ExtractParam, InsertParam, Param},
     tls, trace,
-    transport::{self, listen::Bind, ClientAddr, Local, OrigDstAddr, Remote, ServerAddr},
+    transport::{
+        self, addrs::AddrPair, listen::Bind, ClientAddr, Local, OrigDstAddr, Remote, ServerAddr,
+    },
     Error, Result,
 };
 use linkerd_app_inbound as inbound;
@@ -20,6 +22,9 @@ use tracing::debug;
 pub struct Config {
     pub server: ServerConfig,
     pub metrics_retain_idle: Duration,
+    #[cfg(feature = "pprof")]
+    pub enable_profiling: bool,
+    pub enable_shutdown: bool,
 }
 
 pub struct Task {
@@ -34,7 +39,7 @@ struct NonHttpClient(Remote<ClientAddr>);
 
 #[derive(Debug, Error)]
 #[error("Unexpected TLS connection to {} from {}", self.0, self.1)]
-struct UnexpectedSni(tls::ServerId, Remote<ClientAddr>);
+struct UnexpectedSni(tls::ServerName, Remote<ClientAddr>);
 
 #[derive(Clone, Debug)]
 struct Tcp {
@@ -47,18 +52,18 @@ struct Tcp {
 #[derive(Clone, Debug)]
 struct Http {
     tcp: Tcp,
-    version: http::Version,
+    version: http::Variant,
 }
 
 #[derive(Clone, Debug)]
 struct Permitted {
-    permit: inbound::policy::Permit,
+    permit: inbound::policy::HttpRoutePermit,
     http: Http,
 }
 
 #[derive(Clone)]
 struct TlsParams {
-    identity: Option<LocalCrtKey>,
+    identity: identity::Server,
 }
 
 const DETECT_TIMEOUT: Duration = Duration::from_secs(1);
@@ -73,40 +78,70 @@ impl Config {
     pub fn build<B, R>(
         self,
         bind: B,
-        policy: impl inbound::policy::CheckPolicy,
-        identity: Option<LocalCrtKey>,
+        policy: impl inbound::policy::GetPolicy,
+        identity: identity::Server,
         report: R,
-        metrics: inbound::Metrics,
+        metrics: inbound::InboundMetrics,
         trace: trace::Handle,
         drain: drain::Watch,
         shutdown: mpsc::UnboundedSender<()>,
     ) -> Result<Task>
     where
         R: FmtMetrics + Clone + Send + Sync + Unpin + 'static,
-        B: Bind<ServerConfig>,
-        B::Addrs: svc::Param<Remote<ClientAddr>> + svc::Param<Local<ServerAddr>>,
+        B: Bind<ServerConfig, BoundAddrs = Local<ServerAddr>>,
+        B::Addrs: svc::Param<Remote<ClientAddr>>,
+        B::Addrs: svc::Param<Local<ServerAddr>>,
+        B::Addrs: svc::Param<AddrPair>,
     {
         let (listen_addr, listen) = bind.bind(&self.server)?;
 
         // Get the policy for the admin server.
-        let policy = policy.check_policy(OrigDstAddr(listen_addr.into()))?;
+        let policy = policy.get_policy(OrigDstAddr(listen_addr.into()));
 
         let (ready, latch) = crate::server::Readiness::new();
-        let admin = crate::server::Admin::new(report, ready, shutdown, trace);
-        let admin = svc::stack(move |_| admin.clone())
-            .push(metrics.proxy.http_endpoint.to_layer::<classify::Response, _, Permitted>())
+
+        #[cfg_attr(not(feature = "pprof"), allow(unused_mut))]
+        let admin = crate::server::Admin::new(report, ready, shutdown, self.enable_shutdown, trace);
+
+        #[cfg(feature = "pprof")]
+        let admin = admin.with_profiling(self.enable_profiling);
+
+        let http = svc::stack(move |_| admin.clone())
+            .push(
+                metrics
+                    .proxy
+                    .http_endpoint
+                    .to_layer::<classify::Response, _, Permitted>(),
+            )
+            .push(classify::NewClassify::layer_default())
             .push_map_target(|(permit, http)| Permitted { permit, http })
-            .push(inbound::policy::NewAuthorizeHttp::layer(metrics.http_authz.clone()))
+            .push(inbound::policy::NewHttpPolicy::layer(
+                metrics.http_authz.clone(),
+            ))
             .push(Rescue::layer())
             .push_on_service(http::BoxResponse::layer())
-            .push(http::NewServeHttp::layer(Default::default(), drain.clone()))
-            .push_request_filter(
+            .arc_new_clone_http();
+
+        let inbound::DetectMetrics(detect_metrics) = metrics.detect.clone();
+        let tcp = http
+            .unlift_new()
+            .push(http::NewServeHttp::layer({
+                let drain = drain.clone();
+                move |t: &Http| {
+                    http::ServerParams {
+                        version: t.version,
+                        http2: Default::default(),
+                        drain: drain.clone(),
+                    }
+                }
+            }))
+            .push_filter(
                 |(http, tcp): (
-                    Result<Option<http::Version>, detect::DetectTimeoutError<_>>,
+                    http::Detection,
                     Tcp,
                 )| {
                     match http {
-                        Ok(Some(version)) => Ok(Http { version, tcp }),
+                        http::Detection::Http(version) => Ok(Http { version, tcp }),
                         // If detection timed out, we can make an educated guess at the proper
                         // behavior:
                         // - If the connection was meshed, it was most likely transported over
@@ -114,12 +149,12 @@ impl Config {
                         // - If the connection was unmeshed, it was mostly likely HTTP/1.
                         // - If we received some unexpected SNI, the client is mostly likely
                         //   confused/stale.
-                        Err(_timeout) => {
-                            let version = match tcp.tls.clone() {
-                                tls::ConditionalServerTls::None(_) => http::Version::Http1,
+                        http::Detection::ReadTimeout(_timeout) => {
+                            let version = match tcp.tls {
+                                tls::ConditionalServerTls::None(_) => http::Variant::Http1,
                                 tls::ConditionalServerTls::Some(tls::ServerTls::Established {
                                     ..
-                                }) => http::Version::H2,
+                                }) => http::Variant::H2,
                                 tls::ConditionalServerTls::Some(tls::ServerTls::Passthru {
                                     sni,
                                 }) => {
@@ -127,12 +162,12 @@ impl Config {
                                     return Err(Error::from(UnexpectedSni(sni, tcp.client)));
                                 }
                             };
-                            debug!(%version, "HTTP detection timed out; assuming HTTP");
+                            debug!(?version, "HTTP detection timed out; assuming HTTP");
                             Ok(Http { version, tcp })
                         }
                         // If the connection failed HTTP detection, check if we detected TLS for
                         // another target. This might indicate that the client is confused/stale.
-                        Ok(None) => match tcp.tls {
+                        http::Detection::NotHttp => match tcp.tls {
                             tls::ConditionalServerTls::Some(tls::ServerTls::Passthru { sni }) => {
                                 Err(UnexpectedSni(sni, tcp.client).into())
                             }
@@ -141,8 +176,14 @@ impl Config {
                     }
                 },
             )
-            .push(svc::ArcNewService::layer())
-            .push(detect::NewDetectService::layer(svc::stack::CloneParam::from(detect::Config::<http::DetectHttp>::from_timeout(DETECT_TIMEOUT))))
+            .arc_new_tcp()
+            .lift_new_with_target()
+            .push(http::NewDetect::layer(move |tcp: &Tcp| {
+                http::DetectParams {
+                    read_timeout: DETECT_TIMEOUT,
+                    metrics: detect_metrics.metrics(tcp.policy.server_label())
+                }
+            }))
             .push(transport::metrics::NewServer::layer(metrics.proxy.transport))
             .push_map_target(move |(tls, addrs): (tls::ConditionalServerTls, B::Addrs)| {
                 Tcp {
@@ -152,13 +193,14 @@ impl Config {
                     policy: policy.clone(),
                 }
             })
-            .push(svc::ArcNewService::layer())
-            .push(tls::NewDetectTls::layer(TlsParams {
+            .arc_new_tcp()
+            .push(tls::NewDetectTls::<identity::Server, _, _>::layer(TlsParams {
                 identity,
             }))
+            .arc_new_tcp()
             .into_inner();
 
-        let serve = Box::pin(serve::serve(listen, admin, drain.signaled()));
+        let serve = Box::pin(serve::serve(listen, tcp, drain.signaled()));
         Ok(Task {
             listen_addr,
             latch,
@@ -172,7 +214,7 @@ impl Config {
 impl Param<transport::labels::Key> for Tcp {
     fn param(&self) -> transport::labels::Key {
         transport::labels::Key::inbound_server(
-            self.tls.clone(),
+            self.tls.as_ref().map(|t| t.labels()),
             self.addr.into(),
             self.policy.server_label(),
         )
@@ -181,8 +223,8 @@ impl Param<transport::labels::Key> for Tcp {
 
 // === impl Http ===
 
-impl Param<http::Version> for Http {
-    fn param(&self) -> http::Version {
+impl Param<http::Variant> for Http {
+    fn param(&self) -> http::Variant {
         self.version
     }
 }
@@ -199,6 +241,14 @@ impl Param<Remote<ClientAddr>> for Http {
     }
 }
 
+impl Param<AddrPair> for Http {
+    fn param(&self) -> AddrPair {
+        let Remote(client) = self.tcp.client;
+        let Local(server) = self.tcp.addr;
+        AddrPair(client, server)
+    }
+}
+
 impl Param<tls::ConditionalServerTls> for Http {
     fn param(&self) -> tls::ConditionalServerTls {
         self.tcp.tls.clone()
@@ -222,7 +272,7 @@ impl Param<metrics::ServerLabel> for Http {
 impl Param<metrics::EndpointLabels> for Permitted {
     fn param(&self) -> metrics::EndpointLabels {
         metrics::InboundEndpointLabels {
-            tls: self.http.tcp.tls.clone(),
+            tls: self.http.tcp.tls.as_ref().map(|t| t.labels()),
             authority: None,
             target_addr: self.http.tcp.addr.into(),
             policy: self.permit.labels.clone(),
@@ -240,9 +290,9 @@ impl<T> ExtractParam<tls::server::Timeout, T> for TlsParams {
     }
 }
 
-impl<T> ExtractParam<Option<LocalCrtKey>, T> for TlsParams {
+impl<T> ExtractParam<identity::Server, T> for TlsParams {
     #[inline]
-    fn extract_param(&self, _: &T) -> Option<LocalCrtKey> {
+    fn extract_param(&self, _: &T) -> identity::Server {
         self.identity.clone()
     }
 }
@@ -291,12 +341,15 @@ impl<T: Param<tls::ConditionalServerTls>> ExtractParam<errors::respond::EmitHead
 
 impl errors::HttpRescue<Error> for Rescue {
     fn rescue(&self, error: Error) -> Result<errors::SyntheticHttpResponse> {
-        let cause = errors::root_cause(&*error);
-        if cause.is::<inbound::policy::DeniedUnauthorized>() {
-            return Ok(errors::SyntheticHttpResponse::permission_denied(error));
+        if let Some(cause) = errors::cause_ref::<inbound::policy::HttpRouteNotFound>(&*error) {
+            return Ok(errors::SyntheticHttpResponse::not_found(cause));
         }
 
-        tracing::warn!(%error, "Unexpected error");
+        if let Some(cause) = errors::cause_ref::<inbound::policy::HttpRouteUnauthorized>(&*error) {
+            return Ok(errors::SyntheticHttpResponse::permission_denied(cause));
+        }
+
+        tracing::warn!(error, "Unexpected error");
         Ok(errors::SyntheticHttpResponse::unexpected_error())
     }
 }

linkerd/app/core/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-core"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2018"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Core infrastructure for the proxy application
 
@@ -13,43 +13,50 @@ independently of the inbound and outbound proxy logic.
 """
 
 [dependencies]
-bytes = "1"
-drain = { version = "0.1.0", features = ["retain"] }
-http = "0.2"
-http-body = "0.4"
-hyper = { version = "0.14.13", features = ["http1", "http2"] }
+drain = { workspace = true, features = ["retain"] }
+http = { workspace = true }
+http-body = { workspace = true }
+hyper = { workspace = true, features = ["http1", "http2"] }
 futures = { version = "0.3", default-features = false }
-ipnet = "2.3"
+ipnet = "2.11"
+prometheus-client = { workspace = true }
+thiserror = "2"
+tokio = { version = "1", features = ["macros", "sync", "parking_lot"] }
+tokio-stream = { version = "0.1", features = ["time"] }
+tonic = { workspace = true, default-features = false, features = ["prost"] }
+tracing = { workspace = true }
+pin-project = "1"
+
 linkerd-addr = { path = "../../addr" }
-linkerd-cache = { path = "../../cache" }
 linkerd-conditional = { path = "../../conditional" }
 linkerd-dns = { path = "../../dns" }
-linkerd-detect = { path = "../../detect" }
-linkerd-duplex = { path = "../../duplex" }
-linkerd-errno = { path = "../../errno" }
 linkerd-error = { path = "../../error" }
 linkerd-error-respond = { path = "../../error-respond" }
 linkerd-exp-backoff = { path = "../../exp-backoff" }
-linkerd-http-classify = { path = "../../http-classify" }
-linkerd-http-metrics = { path = "../../http-metrics" }
-linkerd-http-retry = { path = "../../http-retry" }
+linkerd-http-metrics = { path = "../../http/metrics" }
 linkerd-identity = { path = "../../identity" }
+linkerd-idle-cache = { path = "../../idle-cache" }
 linkerd-io = { path = "../../io" }
-linkerd-metrics = { path = "../../metrics", features = ["linkerd-stack"] }
+linkerd-meshtls = { path = "../../meshtls", default-features = false }
+linkerd-metrics = { path = "../../metrics", features = ["process", "stack"] }
 linkerd-opencensus = { path = "../../opencensus" }
-linkerd-proxy-core = { path = "../../proxy/core" }
+linkerd-opentelemetry = { path = "../../opentelemetry" }
 linkerd-proxy-api-resolve = { path = "../../proxy/api-resolve" }
-linkerd-proxy-discover = { path = "../../proxy/discover" }
-linkerd-proxy-identity = { path = "../../proxy/identity" }
-linkerd-proxy-http = { path = "../../proxy/http" }
-linkerd-proxy-resolve = { path = "../../proxy/resolve" }
+linkerd-proxy-balance = { path = "../../proxy/balance" }
+linkerd-proxy-core = { path = "../../proxy/core" }
+linkerd-proxy-client-policy = { path = "../../proxy/client-policy" }
 linkerd-proxy-dns-resolve = { path = "../../proxy/dns-resolve" }
+linkerd-proxy-http = { path = "../../proxy/http" }
+linkerd-proxy-identity-client = { path = "../../proxy/identity-client" }
+linkerd-proxy-spire-client = { path = "../../proxy/spire-client" }
+linkerd-proxy-resolve = { path = "../../proxy/resolve" }
+linkerd-proxy-server-policy = { path = "../../proxy/server-policy" }
 linkerd-proxy-tap = { path = "../../proxy/tap" }
 linkerd-proxy-tcp = { path = "../../proxy/tcp" }
 linkerd-proxy-transport = { path = "../../proxy/transport" }
 linkerd-reconnect = { path = "../../reconnect" }
-linkerd-retry = { path = "../../retry" }
-linkerd-server-policy = { path = "../../server-policy" }
+linkerd-router = { path = "../../router" }
+linkerd-rustls = { path = "../../rustls" }
 linkerd-service-profiles = { path = "../../service-profiles" }
 linkerd-stack = { path = "../../stack" }
 linkerd-stack-metrics = { path = "../../stack/metrics" }
@@ -59,30 +66,16 @@ linkerd-transport-header = { path = "../../transport-header" }
 linkerd-transport-metrics = { path = "../../transport-metrics" }
 linkerd-tls = { path = "../../tls" }
 linkerd-trace-context = { path = "../../trace-context" }
-regex = "1.5.4"
-serde_json = "1"
-thiserror = "1.0"
-tokio = { version = "1", features = ["macros", "sync", "parking_lot"]}
-tokio-stream = { version = "0.1.7", features = ["time"] }
-tonic = { version = "0.5", default-features = false, features = ["prost"] }
-tracing = "0.1.28"
-parking_lot = "0.11"
-pin-project = "1"
 
 [dependencies.tower]
-version = "0.4.8"
+workspace = true
 default-features = false
-features = [
-    "buffer",
-    "make",
-    "spawn-ready",
-    "timeout",
-    "util",
-    "limit",
-]
+features = ["make", "spawn-ready", "timeout", "util", "limit"]
 
-[target.'cfg(target_os = "linux")'.dependencies]
-linkerd-system = { path = "../../system" }
+[build-dependencies]
+semver = "1"
 
 [dev-dependencies]
-quickcheck = { version = "1", default-features = false }
+bytes = { workspace = true }
+http-body-util = { workspace = true }
+linkerd-mock-http-body = { path = "../../mock/http-body" }

linkerd/app/core/build.rs

@@ -1,32 +1,48 @@
 use std::process::Command;
-use std::string::String;
 
 fn set_env(name: &str, cmd: &mut Command) {
     let value = match cmd.output() {
         Ok(output) => String::from_utf8(output.stdout).unwrap(),
         Err(err) => {
-            println!("cargo:warning={}", err);
+            println!("cargo:warning={err}");
             "".to_string()
         }
     };
-    println!("cargo:rustc-env={}={}", name, value);
+    println!("cargo:rustc-env={name}={value}");
+}
+
+fn version() -> String {
+    if let Ok(v) = std::env::var("LINKERD2_PROXY_VERSION") {
+        if !v.is_empty() {
+            if let Err(err) = semver::Version::parse(&v) {
+                panic!("LINKERD2_PROXY_VERSION must be semver: version='{v}' error='{err}'");
+            }
+            return v;
+        }
+    }
+
+    "0.0.0-dev".to_string()
+}
+
+fn vendor() -> String {
+    std::env::var("LINKERD2_PROXY_VENDOR").unwrap_or_default()
 }
 
 fn main() {
-    set_env(
-        "GIT_BRANCH",
-        Command::new("git").args(&["rev-parse", "--abbrev-ref", "HEAD"]),
-    );
     set_env(
         "GIT_SHA",
-        Command::new("git").args(&["rev-parse", "--short", "HEAD"]),
+        Command::new("git").args(["rev-parse", "--short", "HEAD"]),
     );
-    set_env(
-        "GIT_VERSION",
-        Command::new("git").args(&["describe", "--always", "HEAD"]),
-    );
-    set_env("RUST_VERSION", Command::new("rustc").arg("--version"));
 
-    let profile = std::env::var("PROFILE").unwrap();
-    println!("cargo:rustc-env=PROFILE={}", profile);
+    // Capture the ISO 8601 formatted UTC time.
+    set_env(
+        "LINKERD2_PROXY_BUILD_DATE",
+        Command::new("date").args(["-u", "+%Y-%m-%dT%H:%M:%SZ"]),
+    );
+
+    println!("cargo:rustc-env=LINKERD2_PROXY_VERSION={}", version());
+    println!("cargo:rustc-env=LINKERD2_PROXY_VENDOR={}", vendor());
+
+    let profile = std::env::var("PROFILE").expect("PROFILE must be set");
+    println!("cargo:rustc-env=PROFILE={profile}");
 }

linkerd/app/core/src/build_info.rs

@@ -0,0 +1,28 @@
+use linkerd_metrics::prom::{self, encoding::EncodeLabelSet};
+
+pub const BUILD_INFO: BuildInfo = BuildInfo {
+    date: env!("LINKERD2_PROXY_BUILD_DATE"),
+    git_sha: env!("GIT_SHA"),
+    profile: env!("PROFILE"),
+    vendor: env!("LINKERD2_PROXY_VENDOR"),
+    version: env!("LINKERD2_PROXY_VERSION"),
+};
+
+#[derive(Copy, Clone, Debug, Default, Hash, PartialEq, Eq, EncodeLabelSet)]
+pub struct BuildInfo {
+    pub date: &'static str,
+    pub git_sha: &'static str,
+    pub profile: &'static str,
+    pub vendor: &'static str,
+    pub version: &'static str,
+}
+
+impl BuildInfo {
+    pub fn metric(&self) -> prom::Family<BuildInfo, prom::ConstGauge> {
+        let fam = prom::Family::<Self, prom::ConstGauge>::new_with_constructor(|| {
+            prom::ConstGauge::new(1)
+        });
+        let _ = fam.get_or_create(self);
+        fam
+    }
+}

linkerd/app/core/src/classify.rs

@@ -1,67 +1,63 @@
 use crate::profiles;
 use linkerd_error::Error;
-use linkerd_http_classify as classify;
-pub use linkerd_http_classify::{CanClassify, NewClassify};
-use linkerd_proxy_http::{HasH2Reason, ResponseTimeoutError};
+use linkerd_proxy_client_policy as client_policy;
+use linkerd_proxy_http::{classify, HasH2Reason, ResponseTimeoutError};
 use std::borrow::Cow;
 use tonic as grpc;
 use tracing::trace;
 
-#[derive(Clone, Debug)]
+pub type NewClassify<N, X = ()> = classify::NewInsertClassifyResponse<Request, X, N>;
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub enum Request {
     Default,
     Profile(profiles::http::ResponseClasses),
+    ClientPolicy(ClientPolicy),
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub enum Response {
-    Default,
-    Grpc,
+    Http(client_policy::http::StatusRanges),
+    Grpc(client_policy::grpc::Codes),
     Profile(profiles::http::ResponseClasses),
 }
 
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub enum ClientPolicy {
+    Grpc(client_policy::grpc::Codes),
+    Http(client_policy::http::StatusRanges),
+}
+
 #[derive(Clone, Debug)]
 pub enum Eos {
-    Default(http::StatusCode),
-    Grpc(GrpcEos),
-    Profile(Class),
-    Error(&'static str),
+    Class(Class),
+    GrpcOpen(client_policy::grpc::Codes),
+    ProfileUnmatched(Class),
 }
 
-#[derive(Clone, Debug)]
-pub enum GrpcEos {
-    NoBody(Class),
-    Open,
-}
+pub type Result<T> = std::result::Result<T, T>;
 
 #[derive(Clone, Debug, Hash, PartialEq, Eq)]
 pub enum Class {
-    Default(SuccessOrFailure),
-    Grpc(SuccessOrFailure, u32),
-    Stream(SuccessOrFailure, Cow<'static, str>),
-}
-
-#[derive(Clone, Debug, Hash, PartialEq, Eq)]
-pub enum SuccessOrFailure {
-    Success,
-    Failure,
+    Http(Result<http::StatusCode>),
+    Grpc(Result<grpc::Code>),
+    Error(Cow<'static, str>),
 }
 
 // === impl Request ===
 
 impl From<profiles::http::ResponseClasses> for Request {
     fn from(classes: profiles::http::ResponseClasses) -> Self {
-        if classes.is_empty() {
-            Request::Default
-        } else {
-            Request::Profile(classes)
+        if !classes.is_empty() {
+            return Self::Profile(classes);
         }
+        Self::Default
     }
 }
 
 impl Default for Request {
     fn default() -> Self {
-        Request::Default
+        Self::Default
     }
 }
 
@@ -72,20 +68,21 @@ impl classify::Classify for Request {
 
     fn classify<B>(&self, req: &http::Request<B>) -> Self::ClassifyResponse {
         match self {
-            Request::Profile(classes) => Response::Profile(classes.clone()),
-            Request::Default => {
-                let is_grpc = req
-                    .headers()
-                    .get(http::header::CONTENT_TYPE)
-                    .and_then(|v| v.to_str().ok())
-                    .map(|ct| ct.starts_with("application/grpc+"))
-                    .unwrap_or(false);
+            Self::Profile(classes) => Response::Profile(classes.clone()),
 
-                if is_grpc {
-                    Response::Grpc
-                } else {
-                    Response::Default
+            Self::ClientPolicy(ClientPolicy::Http(policy)) => {
+                if is_grpc(req.headers()) {
+                    return Response::Grpc(Default::default());
                 }
+                Response::Http(policy.clone())
+            }
+            Self::ClientPolicy(ClientPolicy::Grpc(policy)) => Response::Grpc(policy.clone()),
+
+            Self::Default => {
+                if is_grpc(req.headers()) {
+                    return Response::Grpc(Default::default());
+                }
+                Response::default()
             }
         }
     }
@@ -95,9 +92,7 @@ impl classify::Classify for Request {
 
 impl Default for Response {
     fn default() -> Self {
-        // By default, simply perform HTTP classification. This only applies
-        // when no `insert` layer is present.
-        Response::Default
+        Self::Http(client_policy::http::StatusRanges::default())
     }
 }
 
@@ -108,12 +103,12 @@ impl Response {
     ) -> Option<Class> {
         for class in classes {
             if class.is_match(rsp) {
-                let result = if class.is_failure() {
-                    SuccessOrFailure::Failure
+                let res = if class.is_failure() {
+                    Err(rsp.status())
                 } else {
-                    SuccessOrFailure::Success
+                    Ok(rsp.status())
                 };
-                return Some(Class::Default(result));
+                return Some(Class::Http(res));
             }
         }
 
@@ -126,19 +121,36 @@ impl classify::ClassifyResponse for Response {
     type ClassifyEos = Eos;
 
     fn start<B>(self, rsp: &http::Response<B>) -> Eos {
+        let status = rsp.status();
         match self {
-            Response::Default => grpc_class(rsp.headers())
-                .map(|c| Eos::Grpc(GrpcEos::NoBody(c)))
-                .unwrap_or_else(|| Eos::Default(rsp.status())),
-            Response::Grpc => grpc_class(rsp.headers())
-                .map(|c| Eos::Grpc(GrpcEos::NoBody(c)))
-                .unwrap_or(Eos::Grpc(GrpcEos::Open)),
-            Response::Profile(ref classes) => Self::match_class(rsp, classes.as_ref())
-                .map(Eos::Profile)
+            Self::Http(statuses) => Eos::Class(Class::Http(if statuses.contains(status) {
+                Err(status)
+            } else {
+                Ok(status)
+            })),
+
+            Self::Grpc(codes) => grpc_code(rsp.headers())
+                .map(|c| Eos::Class(Class::Grpc(if codes.contains(c) { Err(c) } else { Ok(c) })))
+                .unwrap_or(Eos::GrpcOpen(codes)),
+
+            Self::Profile(ref classes) => Self::match_class(rsp, classes.as_ref())
+                .map(Eos::Class)
                 .unwrap_or_else(|| {
-                    grpc_class(rsp.headers())
-                        .map(|c| Eos::Grpc(GrpcEos::NoBody(c)))
-                        .unwrap_or_else(|| Eos::Default(rsp.status()))
+                    if let Some(code) = grpc_code(rsp.headers()) {
+                        let codes = client_policy::grpc::Codes::default();
+                        return Eos::Class(Class::Grpc(if codes.contains(code) {
+                            Err(code)
+                        } else {
+                            Ok(code)
+                        }));
+                    }
+
+                    let http = Class::Http(if status.is_server_error() {
+                        Err(status)
+                    } else {
+                        Ok(status)
+                    });
+                    Eos::ProfileUnmatched(http)
                 }),
         }
     }
@@ -149,8 +161,7 @@ impl classify::ClassifyResponse for Response {
         } else {
             h2_error(err).into()
         };
-
-        Class::Stream(SuccessOrFailure::Failure, msg)
+        Class::Error(msg)
     }
 }
 
@@ -159,82 +170,94 @@ impl classify::ClassifyResponse for Response {
 impl classify::ClassifyEos for Eos {
     type Class = Class;
 
-    fn eos(self, trailers: Option<&http::HeaderMap>) -> Self::Class {
+    fn eos(self, trailers: Option<&http::HeaderMap>) -> Class {
         match self {
-            Eos::Default(status) if status.is_server_error() => {
-                Class::Default(SuccessOrFailure::Failure)
+            Self::Class(class) => class,
+            Self::GrpcOpen(codes) => {
+                let code = match trailers.and_then(grpc_code) {
+                    None => return Class::Grpc(Ok(grpc::Code::Unknown)),
+                    Some(code) => code,
+                };
+                if codes.contains(code) {
+                    return Class::Grpc(Err(code));
+                }
+                Class::Grpc(Ok(code))
+            }
+            Self::ProfileUnmatched(http_class) => {
+                if let Some(code) = trailers.and_then(grpc_code) {
+                    let codes = client_policy::grpc::Codes::default();
+                    return Class::Grpc(if codes.contains(code) {
+                        Err(code)
+                    } else {
+                        Ok(code)
+                    });
+                }
+                http_class
             }
-            Eos::Default(_) => trailers
-                .and_then(grpc_class)
-                .unwrap_or(Class::Default(SuccessOrFailure::Success)),
-            Eos::Grpc(GrpcEos::NoBody(class)) => class,
-            Eos::Grpc(GrpcEos::Open) => trailers
-                .and_then(grpc_class)
-                .unwrap_or(Class::Grpc(SuccessOrFailure::Success, 0)),
-            Eos::Profile(class) => class,
-            Eos::Error(msg) => Class::Stream(SuccessOrFailure::Failure, msg.into()),
         }
     }
 
-    fn error(self, err: &Error) -> Self::Class {
-        Class::Stream(SuccessOrFailure::Failure, h2_error(err).into())
+    fn error(self, err: &Error) -> Class {
+        Class::Error(h2_error(err).into())
     }
 }
 
-fn grpc_class(headers: &http::HeaderMap) -> Option<Class> {
-    headers
-        .get("grpc-status")
+fn grpc_code(hdrs: &http::HeaderMap) -> Option<grpc::Code> {
+    hdrs.get("grpc-status")
         .and_then(|v| v.to_str().ok())
-        .and_then(|s| s.parse::<u32>().ok())
-        .map(|grpc_status| {
-            let ok = match grpc::Code::from_i32(grpc_status as i32) {
-                grpc::Code::Unknown
-                | grpc::Code::DeadlineExceeded
-                | grpc::Code::Internal
-                | grpc::Code::Unavailable
-                | grpc::Code::PermissionDenied
-                | grpc::Code::DataLoss => SuccessOrFailure::Failure,
-                _ => SuccessOrFailure::Success,
-            };
-            Class::Grpc(ok, grpc_status)
-        })
+        .and_then(|s| s.parse::<u16>().ok())
+        .map(|code| grpc::Code::from_i32(code as i32))
 }
 
 fn h2_error(err: &Error) -> String {
     if let Some(reason) = err.h2_reason() {
         // This should output the error code in the same format as the spec,
         // for example: PROTOCOL_ERROR
-        format!("h2({:?})", reason)
+        format!("h2({reason:?})")
     } else {
         trace!("classifying found non-h2 error: {:?}", err);
         String::from("unclassified")
     }
 }
 
+fn is_grpc(hdrs: &http::HeaderMap) -> bool {
+    hdrs.get(http::header::CONTENT_TYPE)
+        .and_then(|v| v.to_str().ok())
+        .map(|ct| ct.starts_with("application/grpc"))
+        .unwrap_or(false)
+}
+
 // === impl Class ===
 
 impl Class {
-    pub(super) fn is_failure(&self) -> bool {
+    #[inline]
+    pub fn is_success(&self) -> bool {
+        !self.is_failure()
+    }
+
+    #[inline]
+    pub fn is_failure(&self) -> bool {
         matches!(
             self,
-            Class::Default(SuccessOrFailure::Failure)
-                | Class::Grpc(SuccessOrFailure::Failure, _)
-                | Class::Stream(SuccessOrFailure::Failure, _)
+            Class::Http(Err(_)) | Class::Grpc(Err(_)) | Class::Error(_),
         )
     }
 }
 
 #[cfg(test)]
 mod tests {
-    use super::{Class, SuccessOrFailure};
-    use http::{HeaderMap, Response, StatusCode};
-    use linkerd_http_classify::{ClassifyEos, ClassifyResponse};
+    use super::Class;
+    use http::{HeaderMap, Request, Response, StatusCode};
+    use linkerd_proxy_http::{
+        classify::{ClassifyEos, ClassifyResponse},
+        Classify,
+    };
 
     #[test]
     fn http_response_status_ok() {
         let rsp = Response::builder().status(StatusCode::OK).body(()).unwrap();
-        let class = super::Response::Default.start(&rsp).eos(None);
-        assert_eq!(class, Class::Default(SuccessOrFailure::Success));
+        let class = super::Response::default().start(&rsp).eos(None);
+        assert_eq!(class, Class::Http(Ok(http::StatusCode::OK)));
     }
 
     #[test]
@@ -243,8 +266,8 @@ mod tests {
             .status(StatusCode::BAD_REQUEST)
             .body(())
             .unwrap();
-        let class = super::Response::Default.start(&rsp).eos(None);
-        assert_eq!(class, Class::Default(SuccessOrFailure::Success));
+        let class = super::Response::default().start(&rsp).eos(None);
+        assert_eq!(class, Class::Http(Ok(StatusCode::BAD_REQUEST)));
     }
 
     #[test]
@@ -253,8 +276,8 @@ mod tests {
             .status(StatusCode::INTERNAL_SERVER_ERROR)
             .body(())
             .unwrap();
-        let class = super::Response::Default.start(&rsp).eos(None);
-        assert_eq!(class, Class::Default(SuccessOrFailure::Failure));
+        let class = super::Response::default().start(&rsp).eos(None);
+        assert_eq!(class, Class::Http(Err(StatusCode::INTERNAL_SERVER_ERROR)));
     }
 
     #[test]
@@ -264,8 +287,10 @@ mod tests {
             .status(StatusCode::OK)
             .body(())
             .unwrap();
-        let class = super::Response::Grpc.start(&rsp).eos(None);
-        assert_eq!(class, Class::Grpc(SuccessOrFailure::Success, 0));
+        let class = super::Response::Grpc(Default::default())
+            .start(&rsp)
+            .eos(None);
+        assert_eq!(class, Class::Grpc(Ok(tonic::Code::Ok)));
     }
 
     #[test]
@@ -275,8 +300,10 @@ mod tests {
             .status(StatusCode::OK)
             .body(())
             .unwrap();
-        let class = super::Response::Grpc.start(&rsp).eos(None);
-        assert_eq!(class, Class::Grpc(SuccessOrFailure::Failure, 2));
+        let class = super::Response::Grpc(Default::default())
+            .start(&rsp)
+            .eos(None);
+        assert_eq!(class, Class::Grpc(Err(tonic::Code::Unknown)));
     }
 
     #[test]
@@ -285,8 +312,10 @@ mod tests {
         let mut trailers = HeaderMap::new();
         trailers.insert("grpc-status", 0.into());
 
-        let class = super::Response::Grpc.start(&rsp).eos(Some(&trailers));
-        assert_eq!(class, Class::Grpc(SuccessOrFailure::Success, 0));
+        let class = super::Response::Grpc(Default::default())
+            .start(&rsp)
+            .eos(Some(&trailers));
+        assert_eq!(class, Class::Grpc(Ok(tonic::Code::Ok)));
     }
 
     #[test]
@@ -295,16 +324,20 @@ mod tests {
         let mut trailers = HeaderMap::new();
         trailers.insert("grpc-status", 4.into());
 
-        let class = super::Response::Grpc.start(&rsp).eos(Some(&trailers));
-        assert_eq!(class, Class::Grpc(SuccessOrFailure::Failure, 4));
+        let class = super::Response::Grpc(Default::default())
+            .start(&rsp)
+            .eos(Some(&trailers));
+        assert_eq!(class, Class::Grpc(Err(tonic::Code::DeadlineExceeded)));
     }
 
     #[test]
     fn grpc_response_trailer_missing() {
         let rsp = Response::builder().status(StatusCode::OK).body(()).unwrap();
         let trailers = HeaderMap::new();
-        let class = super::Response::Grpc.start(&rsp).eos(Some(&trailers));
-        assert_eq!(class, Class::Grpc(SuccessOrFailure::Success, 0));
+        let class = super::Response::Grpc(Default::default())
+            .start(&rsp)
+            .eos(Some(&trailers));
+        assert_eq!(class, Class::Grpc(Ok(tonic::Code::Unknown)));
     }
 
     #[test]
@@ -316,6 +349,40 @@ mod tests {
         let class = super::Response::Profile(Default::default())
             .start(&rsp)
             .eos(Some(&trailers));
-        assert_eq!(class, Class::Grpc(SuccessOrFailure::Failure, 4));
+        assert_eq!(class, Class::Grpc(Err(tonic::Code::DeadlineExceeded)));
+    }
+
+    #[test]
+    fn grpc_over_http_trailer_ok() {
+        let req = Request::builder()
+            .header(http::header::CONTENT_TYPE, "application/grpc+proto")
+            .body(())
+            .unwrap();
+        let rsp = Response::builder().status(StatusCode::OK).body(()).unwrap();
+        let mut trailers = HeaderMap::new();
+        trailers.insert("grpc-status", 0.into());
+        let class = super::Request::ClientPolicy(super::ClientPolicy::Http(Default::default()))
+            .classify(&req)
+            .start(&rsp)
+            .eos(Some(&trailers));
+
+        assert_eq!(class, Class::Grpc(Ok(tonic::Code::Ok)));
+    }
+
+    #[test]
+    fn grpc_over_http_trailer_error() {
+        let req = Request::builder()
+            .header(http::header::CONTENT_TYPE, "application/grpc+proto")
+            .body(())
+            .unwrap();
+        let rsp = Response::builder().status(StatusCode::OK).body(()).unwrap();
+        let mut trailers = HeaderMap::new();
+        trailers.insert("grpc-status", 4.into());
+        let class = super::Request::ClientPolicy(super::ClientPolicy::Http(Default::default()))
+            .classify(&req)
+            .start(&rsp)
+            .eos(Some(&trailers));
+
+        assert_eq!(class, Class::Grpc(Err(tonic::Code::DeadlineExceeded)));
     }
 }

linkerd/app/core/src/config.rs

@@ -1,16 +1,17 @@
 pub use crate::exp_backoff::ExponentialBackoff;
 use crate::{
-    proxy::http::{self, h1, h2},
-    svc::{stack::CloneParam, Param},
-    transport::{Keepalive, ListenAddr},
+    proxy::http::{h1, h2},
+    svc::{queue, ExtractParam, Param},
+    transport::{DualListenAddr, Keepalive, ListenAddr, UserTimeout},
 };
 use std::time::Duration;
 
 #[derive(Clone, Debug)]
 pub struct ServerConfig {
-    pub addr: ListenAddr,
+    pub addr: DualListenAddr,
     pub keepalive: Keepalive,
-    pub h2_settings: h2::Settings,
+    pub user_timeout: UserTimeout,
+    pub http2: h2::ServerParams,
 }
 
 #[derive(Clone, Debug)]
@@ -18,34 +19,57 @@ pub struct ConnectConfig {
     pub backoff: ExponentialBackoff,
     pub timeout: Duration,
     pub keepalive: Keepalive,
-    pub h1_settings: h1::PoolSettings,
-    pub h2_settings: h2::Settings,
+    pub user_timeout: UserTimeout,
+    pub http1: h1::PoolSettings,
+    pub http2: h2::ClientParams,
 }
 
 #[derive(Clone, Debug)]
 pub struct ProxyConfig {
     pub server: ServerConfig,
     pub connect: ConnectConfig,
-    pub buffer_capacity: usize,
-    pub cache_max_idle_age: Duration,
-    pub dispatch_timeout: Duration,
     pub max_in_flight_requests: usize,
     pub detect_protocol_timeout: Duration,
 }
 
-// === impl ProxyConfig ===
+#[derive(Debug, Copy, Clone, PartialEq, Eq, Hash)]
+pub struct QueueConfig {
+    /// The number of requests (or connections, depending on the context) that
+    /// may be buffered
+    pub capacity: usize,
 
-impl ProxyConfig {
-    pub fn detect_http(&self) -> CloneParam<linkerd_detect::Config<http::DetectHttp>> {
-        linkerd_detect::Config::from_timeout(self.detect_protocol_timeout).into()
+    /// The maximum amount of time a request may be buffered before failfast
+    /// errors are emitted.
+    pub failfast_timeout: Duration,
+}
+
+// === impl QueueConfig ===
+
+impl<T> ExtractParam<queue::Capacity, T> for QueueConfig {
+    #[inline]
+    fn extract_param(&self, _: &T) -> queue::Capacity {
+        queue::Capacity(self.capacity)
+    }
+}
+
+impl<T> ExtractParam<queue::Timeout, T> for QueueConfig {
+    #[inline]
+    fn extract_param(&self, _: &T) -> queue::Timeout {
+        queue::Timeout(self.failfast_timeout)
     }
 }
 
 // === impl ServerConfig ===
 
+impl Param<DualListenAddr> for ServerConfig {
+    fn param(&self) -> DualListenAddr {
+        self.addr
+    }
+}
+
 impl Param<ListenAddr> for ServerConfig {
     fn param(&self) -> ListenAddr {
-        self.addr
+        ListenAddr(self.addr.0)
     }
 }
 
@@ -54,3 +78,9 @@ impl Param<Keepalive> for ServerConfig {
         self.keepalive
     }
 }
+
+impl Param<UserTimeout> for ServerConfig {
+    fn param(&self) -> UserTimeout {
+        self.user_timeout
+    }
+}

linkerd/app/core/src/control.rs

@@ -1,18 +1,19 @@
 use crate::{
-    classify, config, control, dns, metrics, proxy::http, svc, tls, transport::ConnectTcp, Addr,
+    classify, config, dns, identity, metrics, proxy::http, svc, tls, transport::ConnectTcp, Addr,
     Error,
 };
 use futures::future::Either;
+use linkerd_metrics::prom;
 use std::fmt;
 use tokio::time;
 use tokio_stream::{wrappers::IntervalStream, StreamExt};
-use tracing::warn;
+use tracing::{info_span, warn};
 
 #[derive(Clone, Debug)]
 pub struct Config {
     pub addr: ControlAddr,
     pub connect: config::ConnectConfig,
-    pub buffer_capacity: usize,
+    pub buffer: config::QueueConfig,
 }
 
 #[derive(Clone, Debug)]
@@ -21,57 +22,99 @@ pub struct ControlAddr {
     pub identity: tls::ConditionalClientTls,
 }
 
+#[derive(Debug, thiserror::Error)]
+#[error("controller {addr}: {source}")]
+pub struct ControlError {
+    addr: Addr,
+    #[source]
+    source: Error,
+}
+
+#[derive(Debug, thiserror::Error)]
+#[error("endpoint {addr}: {source}")]
+struct EndpointError {
+    addr: std::net::SocketAddr,
+    #[source]
+    source: Error,
+}
+
 impl svc::Param<Addr> for ControlAddr {
     fn param(&self) -> Addr {
         self.addr.clone()
     }
 }
 
+impl svc::Param<svc::queue::Capacity> for ControlAddr {
+    fn param(&self) -> svc::queue::Capacity {
+        svc::queue::Capacity(1_000)
+    }
+}
+
+impl svc::Param<svc::queue::Timeout> for ControlAddr {
+    fn param(&self) -> svc::queue::Timeout {
+        const FAILFAST: time::Duration = time::Duration::from_secs(30);
+        svc::queue::Timeout(FAILFAST)
+    }
+}
+
+impl svc::Param<http::balance::EwmaConfig> for ControlAddr {
+    fn param(&self) -> http::balance::EwmaConfig {
+        EWMA_CONFIG
+    }
+}
+
 impl fmt::Display for ControlAddr {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         fmt::Display::fmt(&self.addr, f)
     }
 }
 
-type BalanceBody =
-    http::balance::PendingUntilFirstDataBody<tower::load::peak_ewma::Handle, hyper::Body>;
+pub type RspBody = linkerd_http_metrics::requests::ResponseBody<
+    http::balance::Body<hyper::body::Incoming>,
+    classify::Eos,
+>;
 
-pub type RspBody = linkerd_http_metrics::requests::ResponseBody<BalanceBody, classify::Eos>;
+#[derive(Clone, Debug, Default)]
+pub struct Metrics {
+    balance: balance::Metrics,
+}
+
+const EWMA_CONFIG: http::balance::EwmaConfig = http::balance::EwmaConfig {
+    default_rtt: time::Duration::from_millis(30),
+    decay: time::Duration::from_secs(10),
+};
+
+impl Metrics {
+    pub fn register(registry: &mut prom::Registry) -> Self {
+        Metrics {
+            balance: balance::Metrics::register(registry.sub_registry_with_prefix("balancer")),
+        }
+    }
+}
 
 impl Config {
-    pub fn build<L>(
+    pub fn build(
         self,
         dns: dns::Resolver,
-        metrics: metrics::ControlHttp,
-        identity: Option<L>,
+        legacy_metrics: metrics::ControlHttp,
+        metrics: Metrics,
+        identity: identity::NewClient,
     ) -> svc::ArcNewService<
         (),
-        impl svc::Service<
-                http::Request<tonic::body::BoxBody>,
-                Response = http::Response<RspBody>,
-                Error = Error,
-                Future = impl Send,
-            > + Clone,
-    >
-    where
-        L: Clone + svc::Param<tls::client::Config> + Send + Sync + 'static,
-    {
+        svc::BoxCloneSyncService<http::Request<tonic::body::Body>, http::Response<RspBody>>,
+    > {
         let addr = self.addr;
+        tracing::trace!(%addr, "Building");
 
         // When a DNS resolution fails, log the error and use the TTL, if there
         // is one, to drive re-resolution attempts.
         let resolve_backoff = {
             let backoff = self.connect.backoff;
             move |error: Error| {
-                warn!(%error, "Failed to resolve control-plane component");
-                if let Some(e) = error.downcast_ref::<dns::ResolveError>() {
-                    if let dns::ResolveErrorKind::NoRecordsFound {
-                        negative_ttl: Some(ttl_secs),
-                        ..
-                    } = e.kind()
-                    {
-                        let ttl = time::Duration::from_secs(*ttl_secs as u64);
-                        return Ok(Either::Left(
+                warn!(error, "Failed to resolve control-plane component");
+                if let Some(e) = crate::errors::cause_ref::<dns::ResolveError>(&*error) {
+                    if let Some(ttl) = e.negative_ttl() {
+                        return Ok::<_, Error>(Either::Left(
                             IntervalStream::new(time::interval(ttl)).map(|_| ()),
                         ));
                     }
@@ -83,37 +126,68 @@ impl Config {
             }
         };
 
-        svc::stack(ConnectTcp::new(self.connect.keepalive))
-            .push(tls::Client::layer(identity))
-            .push_connect_timeout(self.connect.timeout)
-            .push(self::client::layer())
-            .push_on_service(svc::MapErr::layer(Into::into))
-            .into_new_service()
-            // Ensure that connection is driven independently of the load balancer; but don't drive
-            // reconnection independently of the balancer. This ensures that new connections are
-            // only initiated when the balancer tries to move pending endpoints to ready (i.e. after
-            // checking for discovery updates); but we don't want to continually reconnect without
-            // checking for discovery updates.
+        let client = svc::stack(ConnectTcp::new(
+            self.connect.keepalive,
+            self.connect.user_timeout,
+        ))
+        .push(tls::Client::layer(identity))
+        .push_connect_timeout(self.connect.timeout) // Client<NewClient, ConnectTcp>
+        .push_map_target(|(_version, target)| target)
+        .push(self::client::layer::<_, _>(self.connect.http2))
+        .push_on_service(svc::MapErr::layer_boxed())
+        .into_new_service();
+
+        let endpoint = client
+            // Ensure that connection is driven independently of the load
+            // balancer; but don't drive reconnection independently of the
+            // balancer. This ensures that new connections are only initiated
+            // when the balancer tries to move pending endpoints to ready (i.e.
+            // after checking for discovery updates); but we don't want to
+            // continually reconnect without checking for discovery updates.
             .push_on_service(svc::layer::mk(svc::SpawnReady::new))
+            .push(svc::NewMapErr::layer_from_target::<EndpointError, _>())
             .push_new_reconnect(self.connect.backoff)
-            .instrument(|t: &self::client::Target| tracing::info_span!("endpoint", addr = %t.addr))
-            .push(self::resolve::layer(dns, resolve_backoff))
-            .push_on_service(self::control::balance::layer())
-            .into_new_service()
-            .push(metrics.to_layer::<classify::Response, _, _>())
+            .instrument(|t: &self::client::Target| info_span!("endpoint", addr = %t.addr));
+
+        let balance = endpoint
+            .lift_new()
+            .push(self::balance::layer(metrics.balance, dns, resolve_backoff))
+            .push(legacy_metrics.to_layer::<classify::Response, _, _>())
+            .push(classify::NewClassify::layer_default());
+
+        balance
             .push(self::add_origin::layer())
-            .push_on_service(svc::layers().push_spawn_buffer(self.buffer_capacity))
-            .instrument(|c: &ControlAddr| tracing::info_span!("controller", addr = %c.addr))
+            .push(svc::NewMapErr::layer_from_target::<ControlError, _>())
+            .instrument(|c: &ControlAddr| info_span!("controller", addr = %c.addr))
             .push_map_target(move |()| addr.clone())
+            .push_on_service(svc::BoxCloneSyncService::layer())
             .push(svc::ArcNewService::layer())
             .into_inner()
     }
 }
 
+impl From<(&ControlAddr, Error)> for ControlError {
+    fn from((controller, source): (&ControlAddr, Error)) -> Self {
+        Self {
+            addr: controller.addr.clone(),
+            source,
+        }
+    }
+}
+
+impl From<(&self::client::Target, Error)> for EndpointError {
+    fn from((target, source): (&self::client::Target, Error)) -> Self {
+        Self {
+            addr: target.addr,
+            source,
+        }
+    }
+}
+
 /// Sets the request's URI from `Config`.
 mod add_origin {
     use super::ControlAddr;
-    use linkerd_stack::{layer, NewService};
+    use crate::svc::{layer, NewService};
     use std::task::{Context, Poll};
 
     pub fn layer<M>() -> impl layer::Layer<M, Service = NewAddOrigin<M>> + Clone {
@@ -169,68 +243,88 @@ mod add_origin {
     }
 }
 
-mod resolve {
-    use super::client::Target;
+mod balance {
+    use super::{client::Target, ControlAddr};
     use crate::{
         dns,
-        proxy::{
-            discover,
-            dns_resolve::DnsResolve,
-            resolve::{map_endpoint, recover},
-        },
-        svc,
+        metrics::prom::encoding::EncodeLabelSet,
+        proxy::{dns_resolve::DnsResolve, http, resolve::recover},
+        svc, tls,
     };
-    use linkerd_error::Recover;
+    use linkerd_stack::ExtractParam;
     use std::net::SocketAddr;
 
-    pub fn layer<M, R>(
+    pub(super) type Metrics = http::balance::MetricFamilies<Labels>;
+
+    pub fn layer<B, R: Clone, N>(
+        metrics: Metrics,
         dns: dns::Resolver,
         recover: R,
-    ) -> impl svc::Layer<M, Service = Discover<M, R>>
-    where
-        R: Recover + Clone,
-        R::Backoff: Unpin,
-    {
-        svc::layer::mk(move |endpoint| {
-            discover::resolve(
-                endpoint,
-                map_endpoint::Resolve::new(
-                    IntoTarget(()),
-                    recover::Resolve::new(recover.clone(), DnsResolve::new(dns.clone())),
-                ),
+    ) -> impl svc::Layer<
+        N,
+        Service = http::NewBalance<B, Params, recover::Resolve<R, DnsResolve>, NewIntoTarget<N>>,
+    > {
+        let resolve = recover::Resolve::new(recover, DnsResolve::new(dns));
+        svc::layer::mk(move |inner| {
+            http::NewBalance::new(
+                NewIntoTarget { inner },
+                resolve.clone(),
+                Params(metrics.clone()),
             )
         })
     }
 
-    type Discover<M, R> = discover::MakeEndpoint<
-        discover::FromResolve<
-            map_endpoint::Resolve<IntoTarget, recover::Resolve<R, DnsResolve>>,
-            Target,
-        >,
-        M,
-    >;
+    #[derive(Clone, Debug)]
+    pub struct Params(http::balance::MetricFamilies<Labels>);
 
-    #[derive(Copy, Clone, Debug)]
-    pub struct IntoTarget(());
+    #[derive(Clone, Debug)]
+    pub struct NewIntoTarget<N> {
+        inner: N,
+    }
 
-    impl map_endpoint::MapEndpoint<super::ControlAddr, ()> for IntoTarget {
-        type Out = Target;
+    #[derive(Clone, Debug)]
+    pub struct IntoTarget<N> {
+        inner: N,
+        server_id: tls::ConditionalClientTls,
+    }
 
-        fn map_endpoint(&self, control: &super::ControlAddr, addr: SocketAddr, _: ()) -> Self::Out {
-            Target::new(addr, control.identity.clone())
+    #[derive(Clone, Debug, Hash, PartialEq, Eq, EncodeLabelSet)]
+    pub(super) struct Labels {
+        addr: String,
+    }
+
+    // === impl NewIntoTarget ===
+
+    impl<N: svc::NewService<ControlAddr>> svc::NewService<ControlAddr> for NewIntoTarget<N> {
+        type Service = IntoTarget<N::Service>;
+
+        fn new_service(&self, control: ControlAddr) -> Self::Service {
+            IntoTarget {
+                server_id: control.identity.clone(),
+                inner: self.inner.new_service(control),
+            }
         }
     }
-}
 
-mod balance {
-    use crate::proxy::http;
-    use std::time::Duration;
+    // === impl IntoTarget ===
 
-    const EWMA_DEFAULT_RTT: Duration = Duration::from_millis(30);
-    const EWMA_DECAY: Duration = Duration::from_secs(10);
+    impl<N: svc::NewService<Target>> svc::NewService<(SocketAddr, ())> for IntoTarget<N> {
+        type Service = N::Service;
 
-    pub fn layer<A, B>() -> http::balance::Layer<A, B> {
-        http::balance::layer(EWMA_DEFAULT_RTT, EWMA_DECAY)
+        fn new_service(&self, (addr, ()): (SocketAddr, ())) -> Self::Service {
+            self.inner
+                .new_service(Target::new(addr, self.server_id.clone()))
+        }
+    }
+
+    // === impl Metrics ===
+
+    impl ExtractParam<http::balance::Metrics, ControlAddr> for Params {
+        fn extract_param(&self, tgt: &ControlAddr) -> http::balance::Metrics {
+            self.0.metrics(&Labels {
+                addr: tgt.addr.to_string(),
+            })
+        }
     }
 }
 
@@ -241,11 +335,7 @@ mod client {
         svc, tls,
         transport::{Remote, ServerAddr},
     };
-    use linkerd_proxy_http::h2::Settings as H2Settings;
-    use std::{
-        net::SocketAddr,
-        task::{Context, Poll},
-    };
+    use std::net::SocketAddr;
 
     #[derive(Clone, Hash, Debug, Eq, PartialEq)]
     pub struct Target {
@@ -259,11 +349,6 @@ mod client {
         }
     }
 
-    #[derive(Debug)]
-    pub struct Client<C, B> {
-        inner: http::h2::Connect<C, B>,
-    }
-
     // === impl Target ===
 
     impl svc::Param<Remote<ServerAddr>> for Target {
@@ -286,47 +371,12 @@ mod client {
 
     // === impl Layer ===
 
-    pub fn layer<C, B>() -> impl svc::Layer<C, Service = Client<C, B>> + Copy
+    pub fn layer<C, B>(
+        h2: http::h2::ClientParams,
+    ) -> impl svc::Layer<C, Service = http::h2::Connect<C, B>> + Clone
     where
         http::h2::Connect<C, B>: tower::Service<Target>,
     {
-        svc::layer::mk(|mk_conn| {
-            let inner = http::h2::Connect::new(mk_conn, H2Settings::default());
-            Client { inner }
-        })
-    }
-
-    // === impl Client ===
-
-    impl<C, B> tower::Service<Target> for Client<C, B>
-    where
-        http::h2::Connect<C, B>: tower::Service<Target>,
-    {
-        type Response = <http::h2::Connect<C, B> as tower::Service<Target>>::Response;
-        type Error = <http::h2::Connect<C, B> as tower::Service<Target>>::Error;
-        type Future = <http::h2::Connect<C, B> as tower::Service<Target>>::Future;
-
-        #[inline]
-        fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
-            self.inner.poll_ready(cx)
-        }
-
-        #[inline]
-        fn call(&mut self, target: Target) -> Self::Future {
-            self.inner.call(target)
-        }
-    }
-
-    // A manual impl is needed since derive adds `B: Clone`, but that's just
-    // a PhantomData.
-    impl<C, B> Clone for Client<C, B>
-    where
-        http::h2::Connect<C, B>: Clone,
-    {
-        fn clone(&self) -> Self {
-            Client {
-                inner: self.inner.clone(),
-            }
-        }
+        svc::layer::mk(move |mk_conn| http::h2::Connect::new(mk_conn, h2.clone()))
     }
 }

linkerd/app/core/src/disco_cache.rs

@@ -0,0 +1,159 @@
+//! A specialized `NewIdleCache` to manage discovery stae, usually from a
+//! control plane client.
+
+use futures::TryFutureExt;
+use linkerd_error::Error;
+use linkerd_idle_cache::{Cached, NewIdleCached};
+use linkerd_stack::{
+    layer, queue, CloneParam, FutureService, MapErrBoxed, NewQueueWithoutTimeout, NewService,
+    Oneshot, Param, QueueWithoutTimeout, Service, ServiceExt, ThunkClone,
+};
+use std::{fmt, hash::Hash, task, time};
+
+/// A [`NewService`] that extracts a `K`-typed key from each target to build a
+/// [`Cached`]<[`DiscoverThunk`]>.
+#[derive(Clone)]
+pub struct NewCachedDiscover<K, D, N>
+where
+    K: Clone + fmt::Debug + Eq + Hash + Send + Sync + 'static,
+    D: Service<K, Error = Error> + Clone + Send + Sync + 'static,
+    D::Response: Clone + Send + Sync,
+    D::Future: Send + Unpin,
+{
+    // NewService<K, Service<(), D::Response>>
+    cache: NewIdleCached<K, NewQueueThunk<NewDiscoverThunk<D>>>,
+
+    // NewService<D::Response>
+    inner: N,
+}
+
+/// The future that drives discovery to build an new inner service wrapped
+/// in the [`Cached`] decorator from the discovery lookup, preventing the
+/// cache's idle timeout from starting until returned services are dropped.
+#[derive(Debug)]
+#[pin_project::pin_project]
+pub struct CachedDiscoverFuture<D: Service<()>, N> {
+    // NewService<D::Response>
+    inner: N,
+
+    // Holds a cache handle so that we can carry that forward with the returned
+    // service.
+    cached: Cached<D>,
+
+    // A future that obtains a `D::Response` and produces an `N::Service`.
+    #[pin]
+    future: Oneshot<Cached<D>, ()>,
+}
+
+/// A [`Service<()>`] that uses a `D`-typed discovery service to build a new
+/// inner service wrapped in the discovery service's cache handle.
+pub type CachedDiscover<D, N, S> = FutureService<CachedDiscoverFuture<QueueThunk<D>, N>, Cached<S>>;
+
+/// A [`Service<()>`] that discovers a `Rsp` and returns a clone of it for each
+/// call.
+pub type DiscoverThunk<Req, Rsp, S> = FutureService<
+    futures::future::MapOk<Oneshot<S, Req>, fn(Rsp) -> MapErrBoxed<ThunkClone<Rsp>>>,
+    MapErrBoxed<ThunkClone<Rsp>>,
+>;
+
+#[derive(Clone, Debug)]
+struct NewDiscoverThunk<D> {
+    discover: D,
+}
+
+// We do not enforce any timeouts on discovery. Nor are we concerned with load
+// shedding. `NewCachedDiscover` returns a `FutureService`, so the internal
+// queue's capacity can exert backpressure into `Service::poll_ready`. This is
+// a good thing. That service stack can determine its own load shedding and
+// failfast semantics independently. The queue capacity is purely to avoid
+// contention across clones.
+type NewQueueThunk<D> = NewQueueWithoutTimeout<CloneParam<queue::Capacity>, (), D>;
+type QueueThunk<D> = QueueWithoutTimeout<(), D>;
+const QUEUE_CAPACITY: queue::Capacity = queue::Capacity(10);
+
+// === impl NewCachedDiscover ===
+
+impl<K, D, N> NewCachedDiscover<K, D, N>
+where
+    K: Clone + fmt::Debug + Eq + Hash + Send + Sync + 'static,
+    D: Service<K, Error = Error> + Clone + Send + Sync + 'static,
+    D::Response: Clone + Send + Sync,
+    D::Future: Send + Unpin,
+{
+    pub fn new(inner: N, discover: D, timeout: time::Duration) -> Self {
+        let queue = NewQueueThunk::new(
+            NewDiscoverThunk { discover },
+            CloneParam::from(QUEUE_CAPACITY),
+        );
+        Self {
+            inner,
+            cache: NewIdleCached::new(queue, timeout),
+        }
+    }
+
+    pub fn layer(disco: D, idle: time::Duration) -> impl layer::Layer<N, Service = Self> + Clone {
+        layer::mk(move |inner| Self::new(inner, disco.clone(), idle))
+    }
+}
+
+impl<T, K, D, M, N> NewService<T> for NewCachedDiscover<K, D, M>
+where
+    T: Param<K> + Clone,
+    K: Clone + fmt::Debug + Eq + Hash + Send + Sync + 'static,
+    D: Service<K, Error = Error> + Clone + Send + Sync + 'static,
+    D::Response: Clone + Send + Sync + 'static,
+    D::Future: Send + Unpin,
+    M: NewService<T, Service = N> + Clone,
+    N: NewService<D::Response> + Clone + Send + 'static,
+{
+    type Service = CachedDiscover<D::Response, N, N::Service>;
+
+    fn new_service(&self, target: T) -> Self::Service {
+        let key = target.param();
+        let cached = self.cache.new_service(key);
+        let inner = self.inner.new_service(target);
+        let future = cached.clone().oneshot(());
+        FutureService::new(CachedDiscoverFuture {
+            future,
+            cached,
+            inner,
+        })
+    }
+}
+
+// === impl NewDiscoverThunk ===
+
+impl<T, D> NewService<T> for NewDiscoverThunk<D>
+where
+    D: Service<T, Error = Error> + Clone,
+    D::Response: Clone,
+    D::Future: Unpin,
+{
+    type Service = DiscoverThunk<T, D::Response, D>;
+
+    fn new_service(&self, target: T) -> Self::Service {
+        let disco = self.discover.clone().oneshot(target);
+        FutureService::new(disco.map_ok(|rsp| ThunkClone::new(rsp).into()))
+    }
+}
+
+// === impl DiscoverFUture ===
+
+impl<D, N> std::future::Future for CachedDiscoverFuture<D, N>
+where
+    D: Service<()>,
+    N: NewService<D::Response>,
+{
+    type Output = Result<Cached<N::Service>, D::Error>;
+
+    fn poll(
+        self: std::pin::Pin<&mut Self>,
+        cx: &mut task::Context<'_>,
+    ) -> task::Poll<Self::Output> {
+        let this = self.project();
+        let discovery = futures::ready!(this.future.poll(cx))?;
+        let inner = this.inner.new_service(discovery);
+        let cached = this.cached.clone_with(inner);
+        task::Poll::Ready(Ok(cached))
+    }
+}

linkerd/app/core/src/dns.rs

@@ -1,30 +1,55 @@
-pub use linkerd_dns::*;
-use std::path::PathBuf;
+use self::metrics::Labels;
+use linkerd_metrics::prom::{Counter, Family, Registry};
 use std::time::Duration;
 
+pub use linkerd_dns::*;
+
+mod metrics;
+
 #[derive(Clone, Debug)]
 pub struct Config {
     pub min_ttl: Option<Duration>,
     pub max_ttl: Option<Duration>,
-    pub resolv_conf_path: PathBuf,
 }
 
 pub struct Dns {
-    pub resolver: Resolver,
+    resolver: Resolver,
+    resolutions: Family<Labels, Counter>,
+}
+
+// === impl Dns ===
+
+impl Dns {
+    /// Returns a new [`Resolver`].
+    pub fn resolver(&self, client: &'static str) -> Resolver {
+        let metrics = self.metrics(client);
+
+        self.resolver.clone().with_metrics(metrics)
+    }
 }
 
 // === impl Config ===
 
 impl Config {
-    pub fn build(self) -> Dns {
+    pub fn build(self, registry: &mut Registry) -> Dns {
+        let resolutions = Family::default();
+        registry.register(
+            "resolutions",
+            "Counts the number of DNS records that have been resolved.",
+            resolutions.clone(),
+        );
+
         let resolver =
             Resolver::from_system_config_with(&self).expect("system DNS config must be valid");
-        Dns { resolver }
+        Dns {
+            resolver,
+            resolutions,
+        }
     }
 }
 
 impl ConfigureResolver for Config {
-    /// Modify a `trust-dns-resolver::config::ResolverOpts` to reflect
+    /// Modify a `hickory-resolver::config::ResolverOpts` to reflect
     /// the configured minimum and maximum DNS TTL values.
     fn configure_resolver(&self, opts: &mut ResolverOpts) {
         opts.positive_min_ttl = self.min_ttl;

linkerd/app/core/src/dns/metrics.rs

@@ -0,0 +1,115 @@
+use super::{Dns, Metrics};
+use linkerd_metrics::prom::encoding::{
+    EncodeLabel, EncodeLabelSet, EncodeLabelValue, LabelSetEncoder, LabelValueEncoder,
+};
+use std::fmt::{Display, Write};
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+pub(super) struct Labels {
+    client: &'static str,
+    record_type: RecordType,
+    result: Outcome,
+}
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+enum RecordType {
+    A,
+    Srv,
+}
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+enum Outcome {
+    Ok,
+    NotFound,
+}
+
+// === impl Dns ===
+
+impl Dns {
+    pub(super) fn metrics(&self, client: &'static str) -> Metrics {
+        let family = &self.resolutions;
+
+        let a_records_resolved = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::A,
+            result: Outcome::Ok,
+        }))
+        .clone();
+        let a_records_not_found = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::A,
+            result: Outcome::NotFound,
+        }))
+        .clone();
+        let srv_records_resolved = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::Srv,
+            result: Outcome::Ok,
+        }))
+        .clone();
+        let srv_records_not_found = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::Srv,
+            result: Outcome::NotFound,
+        }))
+        .clone();
+
+        Metrics {
+            a_records_resolved,
+            a_records_not_found,
+            srv_records_resolved,
+            srv_records_not_found,
+        }
+    }
+}
+// === impl Labels ===
+
+impl EncodeLabelSet for Labels {
+    fn encode(&self, mut encoder: LabelSetEncoder<'_>) -> Result<(), std::fmt::Error> {
+        let Self {
+            client,
+            record_type,
+            result,
+        } = self;
+
+        ("client", *client).encode(encoder.encode_label())?;
+        ("record_type", record_type).encode(encoder.encode_label())?;
+        ("result", result).encode(encoder.encode_label())?;
+
+        Ok(())
+    }
+}
+
+// === impl Outcome ===
+
+impl EncodeLabelValue for &Outcome {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), std::fmt::Error> {
+        encoder.write_str(self.to_string().as_str())
+    }
+}
+
+impl Display for Outcome {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(match self {
+            Self::Ok => "ok",
+            Self::NotFound => "not_found",
+        })
+    }
+}
+
+// === impl RecordType ===
+
+impl EncodeLabelValue for &RecordType {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), std::fmt::Error> {
+        encoder.write_str(self.to_string().as_str())
+    }
+}
+
+impl Display for RecordType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(match self {
+            Self::A => "A/AAAA",
+            Self::Srv => "SRV",
+        })
+    }
+}

linkerd/app/core/src/dst.rs

@@ -1,28 +0,0 @@
-use super::classify;
-use crate::profiles;
-use linkerd_http_classify::CanClassify;
-use linkerd_proxy_http as http;
-use linkerd_stack::Param;
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub struct Route {
-    pub addr: profiles::LogicalAddr,
-    pub route: profiles::http::Route,
-    pub direction: super::metrics::Direction,
-}
-
-// === impl Route ===
-
-impl CanClassify for Route {
-    type Classify = classify::Request;
-
-    fn classify(&self) -> classify::Request {
-        self.route.response_classes().clone().into()
-    }
-}
-
-impl Param<http::ResponseTimeout> for Route {
-    fn param(&self) -> http::ResponseTimeout {
-        http::ResponseTimeout(self.route.timeout())
-    }
-}

linkerd/app/core/src/errors.rs

@@ -0,0 +1,55 @@
+pub mod body;
+pub mod respond;
+
+pub use self::respond::{HttpRescue, NewRespond, NewRespondService, SyntheticHttpResponse};
+pub use linkerd_error::{cause_ref, is_caused_by};
+pub use linkerd_proxy_http::h2::H2Error;
+pub use linkerd_stack::{FailFastError, LoadShedError};
+pub use tonic::Code as Grpc;
+
+/// Header names and values related to error responses.
+pub mod header {
+    use http::header::{HeaderName, HeaderValue};
+    pub const L5D_PROXY_CONNECTION: HeaderName = HeaderName::from_static("l5d-proxy-connection");
+    pub const L5D_PROXY_ERROR: HeaderName = HeaderName::from_static("l5d-proxy-error");
+    pub(super) const GRPC_CONTENT_TYPE: HeaderValue = HeaderValue::from_static("application/grpc");
+    pub(super) const GRPC_MESSAGE: HeaderName = HeaderName::from_static("grpc-message");
+    pub(super) const GRPC_STATUS: HeaderName = HeaderName::from_static("grpc-status");
+}
+
+#[derive(Debug, thiserror::Error)]
+#[error("connect timed out after {0:?}")]
+pub struct ConnectTimeout(pub(crate) std::time::Duration);
+
+/// Returns `true` if `error` was caused by a gRPC error with the provided
+/// status code.
+#[inline]
+pub fn has_grpc_status(error: &crate::Error, code: tonic::Code) -> bool {
+    cause_ref::<tonic::Status>(error.as_ref())
+        .map(|s| s.code() == code)
+        .unwrap_or(false)
+}
+
+// Copied from tonic, where it's private.
+fn code_header(code: tonic::Code) -> http::HeaderValue {
+    use {http::HeaderValue, tonic::Code};
+    match code {
+        Code::Ok => HeaderValue::from_static("0"),
+        Code::Cancelled => HeaderValue::from_static("1"),
+        Code::Unknown => HeaderValue::from_static("2"),
+        Code::InvalidArgument => HeaderValue::from_static("3"),
+        Code::DeadlineExceeded => HeaderValue::from_static("4"),
+        Code::NotFound => HeaderValue::from_static("5"),
+        Code::AlreadyExists => HeaderValue::from_static("6"),
+        Code::PermissionDenied => HeaderValue::from_static("7"),
+        Code::ResourceExhausted => HeaderValue::from_static("8"),
+        Code::FailedPrecondition => HeaderValue::from_static("9"),
+        Code::Aborted => HeaderValue::from_static("10"),
+        Code::OutOfRange => HeaderValue::from_static("11"),
+        Code::Unimplemented => HeaderValue::from_static("12"),
+        Code::Internal => HeaderValue::from_static("13"),
+        Code::Unavailable => HeaderValue::from_static("14"),
+        Code::DataLoss => HeaderValue::from_static("15"),
+        Code::Unauthenticated => HeaderValue::from_static("16"),
+    }
+}

linkerd/app/core/src/errors/body.rs

@@ -0,0 +1,314 @@
+use super::{
+    header::{GRPC_MESSAGE, GRPC_STATUS},
+    respond::{HttpRescue, SyntheticHttpResponse},
+};
+use http::header::HeaderValue;
+use http_body::Frame;
+use linkerd_error::{Error, Result};
+use pin_project::pin_project;
+use std::{
+    pin::Pin,
+    task::{Context, Poll},
+};
+use tracing::{debug, warn};
+
+/// Returns a "gRPC rescue" body.
+///
+/// This returns a body that, should the inner `B`-typed body return an error when polling for
+/// DATA frames, will "rescue" the stream and return a TRAILERS frame that describes the error.
+#[pin_project(project = ResponseBodyProj)]
+pub struct ResponseBody<R, B>(#[pin] Inner<R, B>);
+
+#[pin_project(project = InnerProj)]
+enum Inner<R, B> {
+    /// An inert body that delegates directly down to the underlying body `B`.
+    Passthru(#[pin] B),
+    /// A body that will be rescued if it yields an error.
+    GrpcRescue {
+        #[pin]
+        inner: B,
+        /// An error response [strategy][HttpRescue].
+        rescue: R,
+        emit_headers: bool,
+    },
+    /// The underlying body `B` yielded an error and was "rescued".
+    Rescued,
+}
+
+// === impl ResponseBody ===
+
+impl<R, B> ResponseBody<R, B> {
+    /// Returns a body in "passthru" mode.
+    pub fn passthru(inner: B) -> Self {
+        Self(Inner::Passthru(inner))
+    }
+
+    /// Returns a "gRPC rescue" body.
+    pub fn grpc_rescue(inner: B, rescue: R, emit_headers: bool) -> Self {
+        Self(Inner::GrpcRescue {
+            inner,
+            rescue,
+            emit_headers,
+        })
+    }
+}
+
+impl<R, B: Default + linkerd_proxy_http::Body> Default for ResponseBody<R, B> {
+    fn default() -> Self {
+        Self(Inner::Passthru(B::default()))
+    }
+}
+
+impl<R, B> linkerd_proxy_http::Body for ResponseBody<R, B>
+where
+    B: linkerd_proxy_http::Body<Error = Error>,
+    R: HttpRescue<B::Error>,
+{
+    type Data = B::Data;
+    type Error = B::Error;
+
+    fn poll_frame(
+        mut self: Pin<&mut Self>,
+        cx: &mut Context<'_>,
+    ) -> Poll<Option<std::result::Result<http_body::Frame<Self::Data>, Self::Error>>> {
+        let ResponseBodyProj(inner) = self.as_mut().project();
+        match inner.project() {
+            InnerProj::Passthru(inner) => inner.poll_frame(cx),
+            InnerProj::GrpcRescue {
+                inner,
+                rescue,
+                emit_headers,
+            } => match inner.poll_frame(cx) {
+                Poll::Ready(Some(Err(error))) => {
+                    // The inner body has yielded an error, which we will try to rescue. If so,
+                    // yield synthetic trailers reporting the error.
+                    let trailers = Self::rescue(error, rescue, *emit_headers)?;
+                    self.set(Self(Inner::Rescued));
+                    Poll::Ready(Some(Ok(Frame::trailers(trailers))))
+                }
+                poll => poll,
+            },
+            InnerProj::Rescued => Poll::Ready(None),
+        }
+    }
+
+    #[inline]
+    fn is_end_stream(&self) -> bool {
+        let Self(inner) = self;
+        match inner {
+            Inner::Passthru(inner) => inner.is_end_stream(),
+            Inner::GrpcRescue { inner, .. } => inner.is_end_stream(),
+            Inner::Rescued => true,
+        }
+    }
+
+    #[inline]
+    fn size_hint(&self) -> http_body::SizeHint {
+        let Self(inner) = self;
+        match inner {
+            Inner::Passthru(inner) => inner.size_hint(),
+            Inner::GrpcRescue { inner, .. } => inner.size_hint(),
+            Inner::Rescued => http_body::SizeHint::with_exact(0),
+        }
+    }
+}
+
+impl<R, B> ResponseBody<R, B>
+where
+    B: http_body::Body,
+    R: HttpRescue<B::Error>,
+{
+    /// Maps an error yielded by the inner body to a collection of gRPC trailers.
+    ///
+    /// This function returns `Ok(trailers)` if the given [`HttpRescue<E>`] strategy could identify
+    /// a cause for an error yielded by the inner `B`-typed body.
+    fn rescue(
+        error: B::Error,
+        rescue: &R,
+        emit_headers: bool,
+    ) -> Result<http::HeaderMap, B::Error> {
+        let SyntheticHttpResponse {
+            grpc_status,
+            message,
+            ..
+        } = rescue.rescue(error)?;
+
+        debug!(grpc.status = ?grpc_status, "Synthesizing gRPC trailers");
+        let mut t = http::HeaderMap::new();
+        t.insert(GRPC_STATUS, super::code_header(grpc_status));
+        if emit_headers {
+            // A gRPC message trailer is only included if instructed to emit additional headers.
+            t.insert(
+                GRPC_MESSAGE,
+                HeaderValue::from_str(&message).unwrap_or_else(|error| {
+                    warn!(%error, "Failed to encode error header");
+                    HeaderValue::from_static("Unexpected error")
+                }),
+            );
+        }
+
+        Ok(t)
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::errors::header::{GRPC_MESSAGE, GRPC_STATUS};
+    use http::HeaderMap;
+    use linkerd_mock_http_body::MockBody;
+
+    struct MockRescue;
+    impl<E> HttpRescue<E> for MockRescue {
+        /// Attempts to synthesize a response from the given error.
+        fn rescue(&self, _: E) -> Result<SyntheticHttpResponse, E> {
+            let synthetic = SyntheticHttpResponse::internal_error("MockRescue::rescue");
+            Ok(synthetic)
+        }
+    }
+
+    #[tokio::test]
+    async fn rescue_body_recovers_from_error_without_grpc_message() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let trailers = {
+            let mut trls = HeaderMap::with_capacity(1);
+            let value = HeaderValue::from_static("caboose");
+            trls.insert("trailer", value);
+            trls
+        };
+        let rescue = {
+            let inner = MockBody::default()
+                .then_yield_data(Poll::Ready(Some(Ok("inter".into()))))
+                .then_yield_data(Poll::Ready(Some(Err("an error midstream".into()))))
+                .then_yield_data(Poll::Ready(Some(Ok("rupted".into()))))
+                .then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
+            let rescue = MockRescue;
+            let emit_headers = false;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, Some(trailers)) = body_to_string(rescue).await else {
+            panic!("trailers should exist");
+        };
+        assert_eq!(data, "inter");
+        assert_eq!(
+            trailers[GRPC_STATUS],
+            i32::from(tonic::Code::Internal).to_string()
+        );
+        assert_eq!(trailers.get(GRPC_MESSAGE), None);
+    }
+
+    #[tokio::test]
+    async fn rescue_body_recovers_from_error_emitting_message() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let trailers = {
+            let mut trls = HeaderMap::with_capacity(1);
+            let value = HeaderValue::from_static("caboose");
+            trls.insert("trailer", value);
+            trls
+        };
+        let rescue = {
+            let inner = MockBody::default()
+                .then_yield_data(Poll::Ready(Some(Ok("inter".into()))))
+                .then_yield_data(Poll::Ready(Some(Err("an error midstream".into()))))
+                .then_yield_data(Poll::Ready(Some(Ok("rupted".into()))))
+                .then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
+            let rescue = MockRescue;
+            let emit_headers = true;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, Some(trailers)) = body_to_string(rescue).await else {
+            panic!("trailers should exist");
+        };
+        assert_eq!(data, "inter");
+        assert_eq!(
+            trailers[GRPC_STATUS],
+            i32::from(tonic::Code::Internal).to_string()
+        );
+        assert_eq!(trailers[GRPC_MESSAGE], "MockRescue::rescue");
+    }
+
+    #[tokio::test]
+    async fn rescue_body_works_for_empty() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let rescue = {
+            let inner = MockBody::default();
+            let rescue = MockRescue;
+            let emit_headers = false;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, trailers) = body_to_string(rescue).await;
+        assert_eq!(data, "");
+        assert_eq!(trailers, None);
+    }
+
+    #[tokio::test]
+    async fn rescue_body_works_for_body_with_data() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let rescue = {
+            let inner = MockBody::default().then_yield_data(Poll::Ready(Some(Ok("unary".into()))));
+            let rescue = MockRescue;
+            let emit_headers = false;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, trailers) = body_to_string(rescue).await;
+        assert_eq!(data, "unary");
+        assert_eq!(trailers, None);
+    }
+
+    #[tokio::test]
+    async fn rescue_body_works_for_body_with_trailers() {
+        let (_guard, _handle) = linkerd_tracing::test::trace_init();
+        let trailers = {
+            let mut trls = HeaderMap::with_capacity(1);
+            let value = HeaderValue::from_static("caboose");
+            trls.insert("trailer", value);
+            trls
+        };
+        let rescue = {
+            let inner = MockBody::default().then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
+            let rescue = MockRescue;
+            let emit_headers = false;
+            ResponseBody::grpc_rescue(inner, rescue, emit_headers)
+        };
+        let (data, trailers) = body_to_string(rescue).await;
+        assert_eq!(data, "");
+        assert_eq!(trailers.expect("has trailers")["trailer"], "caboose");
+    }
+
+    async fn body_to_string<B>(mut body: B) -> (String, Option<HeaderMap>)
+    where
+        B: http_body::Body + Unpin,
+        B::Error: std::fmt::Debug,
+    {
+        use http_body_util::BodyExt;
+
+        let mut data = String::new();
+        let mut trailers = None;
+
+        // Continue reading frames from the body until it is finished.
+        while let Some(frame) = body
+            .frame()
+            .await
+            .transpose()
+            .expect("reading a frame succeeds")
+        {
+            match frame.into_data().map(|mut buf| {
+                use bytes::Buf;
+                let bytes = buf.copy_to_bytes(buf.remaining());
+                String::from_utf8(bytes.to_vec()).unwrap()
+            }) {
+                Ok(ref s) => data.push_str(s),
+                Err(frame) => {
+                    let trls = frame
+                        .into_trailers()
+                        .map_err(drop)
+                        .expect("test frame is either data or trailers");
+                    trailers = Some(trls);
+                }
+            }
+        }
+
+        tracing::info!(?data, ?trailers, "finished reading body");
+        (data, trailers)
+    }
+}

linkerd/app/core/src/errors/mod.rs

@@ -1,21 +0,0 @@
-pub mod respond;
-
-pub use self::respond::{HttpRescue, NewRespond, NewRespondService, SyntheticHttpResponse};
-pub use linkerd_proxy_http::h2::H2Error;
-pub use linkerd_stack::FailFastError;
-use thiserror::Error;
-pub use tonic::Code as Grpc;
-
-#[derive(Debug, Error)]
-#[error("connect timed out after {0:?}")]
-pub struct ConnectTimeout(pub(crate) std::time::Duration);
-
-/// Obtain the source error at the end of a chain of `Error`s.
-pub fn root_cause<'e>(
-    mut error: &'e (dyn std::error::Error + 'static),
-) -> &'e (dyn std::error::Error + 'static) {
-    while let Some(e) = error.source() {
-        error = e;
-    }
-    error
-}

linkerd/app/core/src/errors/respond.rs

@@ -1,20 +1,16 @@
+use super::{
+    body::ResponseBody,
+    header::{GRPC_CONTENT_TYPE, GRPC_MESSAGE, GRPC_STATUS, L5D_PROXY_CONNECTION, L5D_PROXY_ERROR},
+};
 use crate::svc;
-use http::header::HeaderValue;
+use http::header::{HeaderValue, LOCATION};
 use linkerd_error::{Error, Result};
 use linkerd_error_respond as respond;
-pub use linkerd_proxy_http::{ClientHandle, HasH2Reason};
+use linkerd_proxy_http::{orig_proto, ClientHandle};
 use linkerd_stack::ExtractParam;
-use pin_project::pin_project;
-use std::{
-    borrow::Cow,
-    pin::Pin,
-    task::{Context, Poll},
-};
+use std::borrow::Cow;
 use tracing::{debug, info_span, warn};
 
-pub const L5D_PROXY_CONNECTION: &str = "l5d-proxy-connection";
-pub const L5D_PROXY_ERROR: &str = "l5d-proxy-error";
-
 pub fn layer<R, P: Clone, N>(
     params: P,
 ) -> impl svc::layer::Layer<N, Service = NewRespondService<R, P, N>> + Clone {
@@ -33,9 +29,10 @@ pub trait HttpRescue<E> {
 #[derive(Clone, Debug)]
 pub struct SyntheticHttpResponse {
     pub grpc_status: tonic::Code,
-    pub http_status: http::StatusCode,
-    pub close_connection: bool,
+    http_status: http::StatusCode,
+    close_connection: bool,
     pub message: Cow<'static, str>,
+    location: Option<HeaderValue>,
 }
 
 #[derive(Copy, Clone, Debug)]
@@ -55,26 +52,11 @@ pub struct Respond<R> {
     rescue: R,
     version: http::Version,
     is_grpc: bool,
+    is_orig_proto_upgrade: bool,
     client: Option<ClientHandle>,
     emit_headers: bool,
 }
 
-#[pin_project(project = ResponseBodyProj)]
-pub enum ResponseBody<R, B> {
-    Passthru(#[pin] B),
-    GrpcRescue {
-        #[pin]
-        inner: B,
-        trailers: Option<http::HeaderMap>,
-        rescue: R,
-        emit_headers: bool,
-    },
-}
-
-const GRPC_CONTENT_TYPE: &str = "application/grpc";
-const GRPC_STATUS: &str = "grpc-status";
-const GRPC_MESSAGE: &str = "grpc-message";
-
 // === impl HttpRescue ===
 
 impl<E, F> HttpRescue<E> for F
@@ -90,11 +72,16 @@ where
 
 impl SyntheticHttpResponse {
     pub fn unexpected_error() -> Self {
+        Self::internal_error("unexpected error")
+    }
+
+    pub fn internal_error(msg: impl Into<Cow<'static, str>>) -> Self {
         Self {
             close_connection: true,
             http_status: http::StatusCode::INTERNAL_SERVER_ERROR,
             grpc_status: tonic::Code::Internal,
-            message: Cow::Borrowed("unexpected error"),
+            message: msg.into(),
+            location: None,
         }
     }
 
@@ -104,6 +91,7 @@ impl SyntheticHttpResponse {
             http_status: http::StatusCode::BAD_GATEWAY,
             grpc_status: tonic::Code::Unavailable,
             message: Cow::Owned(msg.to_string()),
+            location: None,
         }
     }
 
@@ -111,8 +99,29 @@ impl SyntheticHttpResponse {
         Self {
             close_connection: true,
             http_status: http::StatusCode::GATEWAY_TIMEOUT,
+            grpc_status: tonic::Code::DeadlineExceeded,
+            message: Cow::Owned(msg.to_string()),
+            location: None,
+        }
+    }
+
+    pub fn gateway_timeout_nonfatal(msg: impl ToString) -> Self {
+        Self {
+            close_connection: false,
+            http_status: http::StatusCode::GATEWAY_TIMEOUT,
+            grpc_status: tonic::Code::DeadlineExceeded,
+            message: Cow::Owned(msg.to_string()),
+            location: None,
+        }
+    }
+
+    pub fn unavailable(msg: impl ToString) -> Self {
+        Self {
+            close_connection: true,
+            http_status: http::StatusCode::SERVICE_UNAVAILABLE,
             grpc_status: tonic::Code::Unavailable,
             message: Cow::Owned(msg.to_string()),
+            location: None,
         }
     }
 
@@ -122,6 +131,7 @@ impl SyntheticHttpResponse {
             grpc_status: tonic::Code::Unauthenticated,
             close_connection: false,
             message: Cow::Owned(msg.to_string()),
+            location: None,
         }
     }
 
@@ -131,6 +141,17 @@ impl SyntheticHttpResponse {
             grpc_status: tonic::Code::PermissionDenied,
             close_connection: false,
             message: Cow::Owned(msg.to_string()),
+            location: None,
+        }
+    }
+
+    pub fn rate_limited(msg: impl ToString) -> Self {
+        Self {
+            http_status: http::StatusCode::TOO_MANY_REQUESTS,
+            grpc_status: tonic::Code::ResourceExhausted,
+            close_connection: false,
+            message: Cow::Owned(msg.to_string()),
+            location: None,
         }
     }
 
@@ -140,6 +161,7 @@ impl SyntheticHttpResponse {
             grpc_status: tonic::Code::Aborted,
             close_connection: true,
             message: Cow::Owned(msg.to_string()),
+            location: None,
         }
     }
 
@@ -149,6 +171,40 @@ impl SyntheticHttpResponse {
             grpc_status: tonic::Code::NotFound,
             close_connection: false,
             message: Cow::Owned(msg.to_string()),
+            location: None,
+        }
+    }
+
+    pub fn redirect(http_status: http::StatusCode, location: &http::Uri) -> Self {
+        Self {
+            http_status,
+            grpc_status: tonic::Code::NotFound,
+            close_connection: false,
+            message: Cow::Borrowed("redirected"),
+            location: Some(
+                HeaderValue::try_from(location.to_string())
+                    .expect("location must be a valid header value"),
+            ),
+        }
+    }
+
+    pub fn response(http_status: http::StatusCode, message: impl Into<Cow<'static, str>>) -> Self {
+        Self {
+            http_status,
+            location: None,
+            grpc_status: tonic::Code::FailedPrecondition,
+            close_connection: false,
+            message: message.into(),
+        }
+    }
+
+    pub fn grpc(grpc_status: tonic::Code, message: impl Into<Cow<'static, str>>) -> Self {
+        Self {
+            grpc_status,
+            http_status: http::StatusCode::OK,
+            location: None,
+            close_connection: false,
+            message: message.into(),
         }
     }
 
@@ -156,7 +212,7 @@ impl SyntheticHttpResponse {
     fn message(&self) -> HeaderValue {
         match self.message {
             Cow::Borrowed(msg) => HeaderValue::from_static(msg),
-            Cow::Owned(ref msg) => HeaderValue::from_str(&*msg).unwrap_or_else(|error| {
+            Cow::Owned(ref msg) => HeaderValue::from_str(msg).unwrap_or_else(|error| {
                 warn!(%error, "Failed to encode error header");
                 HeaderValue::from_static("unexpected error")
             }),
@@ -170,7 +226,7 @@ impl SyntheticHttpResponse {
             .version(http::Version::HTTP_2)
             .header(http::header::CONTENT_LENGTH, "0")
             .header(http::header::CONTENT_TYPE, GRPC_CONTENT_TYPE)
-            .header(GRPC_STATUS, code_header(self.grpc_status));
+            .header(GRPC_STATUS, super::code_header(self.grpc_status));
 
         if emit_headers {
             rsp = rsp
@@ -192,8 +248,14 @@ impl SyntheticHttpResponse {
         &self,
         version: http::Version,
         emit_headers: bool,
+        is_orig_proto_upgrade: bool,
     ) -> http::Response<B> {
-        debug!(status = %self.http_status, ?version, close = %self.close_connection, "Handling error on HTTP connection");
+        debug!(
+            status = %self.http_status,
+            ?version,
+            close = %self.close_connection,
+            "Handling error on HTTP connection"
+        );
         let mut rsp = http::Response::builder()
             .status(self.http_status)
             .version(version)
@@ -204,7 +266,7 @@ impl SyntheticHttpResponse {
         }
 
         if self.close_connection {
-            if version == http::Version::HTTP_11 {
+            if version == http::Version::HTTP_11 && !is_orig_proto_upgrade {
                 // Notify the (proxy or non-proxy) client that the connection will be closed.
                 rsp = rsp.header(http::header::CONNECTION, "close");
             }
@@ -217,6 +279,10 @@ impl SyntheticHttpResponse {
             }
         }
 
+        if let Some(loc) = &self.location {
+            rsp = rsp.header(LOCATION, loc);
+        }
+
         rsp.body(B::default())
             .expect("error response must be valid")
     }
@@ -259,23 +325,36 @@ where
                 let is_grpc = req
                     .headers()
                     .get(http::header::CONTENT_TYPE)
-                    .and_then(|v| v.to_str().ok().map(|s| s.starts_with(GRPC_CONTENT_TYPE)))
+                    .and_then(|v| {
+                        v.to_str().ok().map(|s| {
+                            s.starts_with(
+                                GRPC_CONTENT_TYPE
+                                    .to_str()
+                                    .expect("GRPC_CONTENT_TYPE only contains visible ASCII"),
+                            )
+                        })
+                    })
                     .unwrap_or(false);
                 Respond {
                     client,
                     rescue,
                     is_grpc,
+                    is_orig_proto_upgrade: false,
                     version: http::Version::HTTP_2,
                     emit_headers,
                 }
             }
-            version => Respond {
-                client,
-                rescue,
-                version,
-                is_grpc: false,
-                emit_headers,
-            },
+            version => {
+                let is_h2_upgrade = req.extensions().get::<orig_proto::WasUpgrade>().is_some();
+                Respond {
+                    client,
+                    rescue,
+                    version,
+                    is_grpc: false,
+                    is_orig_proto_upgrade: is_h2_upgrade,
+                    emit_headers,
+                }
+            }
         }
     }
 }
@@ -296,7 +375,7 @@ impl<R> Respond<R> {
 
 impl<B, R> respond::Respond<http::Response<B>, Error> for Respond<R>
 where
-    B: Default + hyper::body::HttpBody,
+    B: Default + linkerd_proxy_http::Body,
     R: HttpRescue<Error> + Clone,
 {
     type Response = http::Response<ResponseBody<R, B>>;
@@ -304,26 +383,26 @@ where
     fn respond(&self, res: Result<http::Response<B>>) -> Result<Self::Response> {
         let error = match res {
             Ok(rsp) => {
-                return Ok(rsp.map(|b| match self {
+                return Ok(rsp.map(|inner| match self {
                     Respond {
                         is_grpc: true,
                         rescue,
                         emit_headers,
                         ..
-                    } => ResponseBody::GrpcRescue {
-                        inner: b,
-                        trailers: None,
-                        rescue: rescue.clone(),
-                        emit_headers: *emit_headers,
-                    },
-                    _ => ResponseBody::Passthru(b),
+                    } => ResponseBody::grpc_rescue(inner, rescue.clone(), *emit_headers),
+                    _ => ResponseBody::passthru(inner),
                 }));
             }
             Err(error) => error,
         };
 
         let rsp = info_span!("rescue", client.addr = %self.client_addr()).in_scope(|| {
-            tracing::info!(%error, "Request failed");
+            if !self.is_grpc {
+                let version = self.version;
+                tracing::info!(error, "{version:?} request failed",);
+            } else {
+                tracing::info!(error, "gRPC request failed");
+            };
             self.rescue.rescue(error)
         })?;
 
@@ -338,133 +417,9 @@ where
         let rsp = if self.is_grpc {
             rsp.grpc_response(self.emit_headers)
         } else {
-            rsp.http_response(self.version, self.emit_headers)
+            rsp.http_response(self.version, self.emit_headers, self.is_orig_proto_upgrade)
         };
 
         Ok(rsp)
     }
 }
-
-// === impl ResponseBody ===
-
-impl<R, B: Default + hyper::body::HttpBody> Default for ResponseBody<R, B> {
-    fn default() -> Self {
-        ResponseBody::Passthru(B::default())
-    }
-}
-
-impl<R, B> hyper::body::HttpBody for ResponseBody<R, B>
-where
-    B: hyper::body::HttpBody<Error = Error>,
-    R: HttpRescue<B::Error>,
-{
-    type Data = B::Data;
-    type Error = B::Error;
-
-    fn poll_data(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
-        match self.project() {
-            ResponseBodyProj::Passthru(inner) => inner.poll_data(cx),
-            ResponseBodyProj::GrpcRescue {
-                inner,
-                trailers,
-                rescue,
-                emit_headers,
-            } => {
-                // should not be calling poll_data if we have set trailers derived from an error
-                assert!(trailers.is_none());
-                match inner.poll_data(cx) {
-                    Poll::Ready(Some(Err(error))) => {
-                        let SyntheticHttpResponse {
-                            grpc_status,
-                            message,
-                            ..
-                        } = rescue.rescue(error)?;
-                        let t = Self::grpc_trailers(grpc_status, &*message, *emit_headers);
-                        *trailers = Some(t);
-                        Poll::Ready(None)
-                    }
-                    data => data,
-                }
-            }
-        }
-    }
-
-    #[inline]
-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        match self.project() {
-            ResponseBodyProj::Passthru(inner) => inner.poll_trailers(cx),
-            ResponseBodyProj::GrpcRescue {
-                inner, trailers, ..
-            } => match trailers.take() {
-                Some(t) => Poll::Ready(Ok(Some(t))),
-                None => inner.poll_trailers(cx),
-            },
-        }
-    }
-
-    #[inline]
-    fn is_end_stream(&self) -> bool {
-        match self {
-            Self::Passthru(inner) => inner.is_end_stream(),
-            Self::GrpcRescue {
-                inner, trailers, ..
-            } => trailers.is_none() && inner.is_end_stream(),
-        }
-    }
-
-    #[inline]
-    fn size_hint(&self) -> http_body::SizeHint {
-        match self {
-            Self::Passthru(inner) => inner.size_hint(),
-            Self::GrpcRescue { inner, .. } => inner.size_hint(),
-        }
-    }
-}
-
-impl<R, B> ResponseBody<R, B> {
-    fn grpc_trailers(code: tonic::Code, message: &str, emit_headers: bool) -> http::HeaderMap {
-        debug!(grpc.status = ?code, "Synthesizing gRPC trailers");
-        let mut t = http::HeaderMap::new();
-        t.insert(GRPC_STATUS, code_header(code));
-        if emit_headers {
-            t.insert(
-                GRPC_MESSAGE,
-                HeaderValue::from_str(message).unwrap_or_else(|error| {
-                    warn!(%error, "Failed to encode error header");
-                    HeaderValue::from_static("Unexpected error")
-                }),
-            );
-        }
-        t
-    }
-}
-
-// Copied from tonic, where it's private.
-fn code_header(code: tonic::Code) -> HeaderValue {
-    use tonic::Code;
-    match code {
-        Code::Ok => HeaderValue::from_static("0"),
-        Code::Cancelled => HeaderValue::from_static("1"),
-        Code::Unknown => HeaderValue::from_static("2"),
-        Code::InvalidArgument => HeaderValue::from_static("3"),
-        Code::DeadlineExceeded => HeaderValue::from_static("4"),
-        Code::NotFound => HeaderValue::from_static("5"),
-        Code::AlreadyExists => HeaderValue::from_static("6"),
-        Code::PermissionDenied => HeaderValue::from_static("7"),
-        Code::ResourceExhausted => HeaderValue::from_static("8"),
-        Code::FailedPrecondition => HeaderValue::from_static("9"),
-        Code::Aborted => HeaderValue::from_static("10"),
-        Code::OutOfRange => HeaderValue::from_static("11"),
-        Code::Unimplemented => HeaderValue::from_static("12"),
-        Code::Internal => HeaderValue::from_static("13"),
-        Code::Unavailable => HeaderValue::from_static("14"),
-        Code::DataLoss => HeaderValue::from_static("15"),
-        Code::Unauthenticated => HeaderValue::from_static("16"),
-    }
-}

linkerd/app/core/src/http_tracing.rs

@@ -1,139 +1,76 @@
 use linkerd_error::Error;
-use linkerd_opencensus::proto::trace::v1 as oc;
 use linkerd_stack::layer;
-use linkerd_trace_context::{self as trace_context, TraceContext};
-use std::{collections::HashMap, sync::Arc};
-use thiserror::Error;
+use linkerd_trace_context::{
+    self as trace_context,
+    export::{ExportSpan, SpanKind, SpanLabels},
+    Span, TraceContext,
+};
+use std::{str::FromStr, sync::Arc};
 use tokio::sync::mpsc;
 
-pub type OpenCensusSink = Option<mpsc::Sender<oc::Span>>;
-pub type Labels = Arc<HashMap<String, String>>;
-
-/// SpanConverter converts trace_context::Span objects into OpenCensus agent
-/// protobuf span objects. SpanConverter receives trace_context::Span objects by
-/// implmenting the SpanSink trait. For each span that it receives, it converts
-/// it to an OpenCensus span and then sends it on the provided mpsc::Sender.
-#[derive(Clone)]
-pub struct SpanConverter {
-    kind: Kind,
-    sink: mpsc::Sender<oc::Span>,
-    labels: Labels,
+#[derive(Debug, Copy, Clone, Default)]
+pub enum CollectorProtocol {
+    #[default]
+    OpenCensus,
+    OpenTelemetry,
 }
 
-#[derive(Debug, Error)]
-#[error("ID '{:?} should have {} bytes, but it has {}", self.id, self.expected_size, self.actual_size)]
-pub struct IdLengthError {
-    id: Vec<u8>,
-    expected_size: usize,
-    actual_size: usize,
+impl FromStr for CollectorProtocol {
+    type Err = ();
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        if s.eq_ignore_ascii_case("opencensus") {
+            Ok(Self::OpenCensus)
+        } else if s.eq_ignore_ascii_case("opentelemetry") {
+            Ok(Self::OpenTelemetry)
+        } else {
+            Err(())
+        }
+    }
 }
 
+pub type SpanSink = mpsc::Sender<ExportSpan>;
+
 pub fn server<S>(
-    sink: OpenCensusSink,
-    labels: impl Into<Labels>,
+    sink: Option<SpanSink>,
+    labels: impl Into<SpanLabels>,
 ) -> impl layer::Layer<S, Service = TraceContext<Option<SpanConverter>, S>> + Clone {
-    SpanConverter::layer(Kind::Server, sink, labels)
+    TraceContext::layer(sink.map(move |sink| SpanConverter {
+        kind: SpanKind::Server,
+        sink,
+        labels: labels.into(),
+    }))
 }
 
 pub fn client<S>(
-    sink: OpenCensusSink,
-    labels: impl Into<Labels>,
+    sink: Option<SpanSink>,
+    labels: impl Into<SpanLabels>,
 ) -> impl layer::Layer<S, Service = TraceContext<Option<SpanConverter>, S>> + Clone {
-    SpanConverter::layer(Kind::Client, sink, labels)
+    TraceContext::layer(sink.map(move |sink| SpanConverter {
+        kind: SpanKind::Client,
+        sink,
+        labels: labels.into(),
+    }))
 }
 
-#[derive(Copy, Clone, Debug, PartialEq)]
-enum Kind {
-    Server = 1,
-    Client = 2,
-}
-
-impl SpanConverter {
-    fn layer<S>(
-        kind: Kind,
-        sink: OpenCensusSink,
-        labels: impl Into<Labels>,
-    ) -> impl layer::Layer<S, Service = TraceContext<Option<Self>, S>> + Clone {
-        TraceContext::layer(sink.map(move |sink| Self {
-            kind,
-            sink,
-            labels: labels.into(),
-        }))
-    }
-
-    fn mk_span(&self, mut span: trace_context::Span) -> Result<oc::Span, IdLengthError> {
-        let mut attributes = HashMap::<String, oc::AttributeValue>::new();
-        for (k, v) in self.labels.iter() {
-            attributes.insert(
-                k.clone(),
-                oc::AttributeValue {
-                    value: Some(oc::attribute_value::Value::StringValue(truncatable(
-                        v.clone(),
-                    ))),
-                },
-            );
-        }
-        for (k, v) in span.labels.drain() {
-            attributes.insert(
-                k.to_string(),
-                oc::AttributeValue {
-                    value: Some(oc::attribute_value::Value::StringValue(truncatable(v))),
-                },
-            );
-        }
-        Ok(oc::Span {
-            trace_id: into_bytes(span.trace_id, 16)?,
-            span_id: into_bytes(span.span_id, 8)?,
-            tracestate: None,
-            parent_span_id: into_bytes(span.parent_id, 8)?,
-            name: Some(truncatable(span.span_name)),
-            kind: self.kind as i32,
-            start_time: Some(span.start.into()),
-            end_time: Some(span.end.into()),
-            attributes: Some(oc::span::Attributes {
-                attribute_map: attributes,
-                dropped_attributes_count: 0,
-            }),
-            stack_trace: None,
-            time_events: None,
-            links: None,
-            status: None, // TODO: this is gRPC status; we must read response trailers to populate this
-            resource: None,
-            same_process_as_parent_span: Some(self.kind == Kind::Client),
-            child_span_count: None,
-        })
-    }
+#[derive(Clone)]
+pub struct SpanConverter {
+    kind: SpanKind,
+    sink: SpanSink,
+    labels: SpanLabels,
 }
 
 impl trace_context::SpanSink for SpanConverter {
-    #[inline]
     fn is_enabled(&self) -> bool {
         true
     }
 
-    fn try_send(&mut self, span: trace_context::Span) -> Result<(), Error> {
-        let span = self.mk_span(span)?;
-        self.sink.try_send(span).map_err(Into::into)
-    }
-}
-
-fn into_bytes(id: trace_context::Id, size: usize) -> Result<Vec<u8>, IdLengthError> {
-    let bytes: Vec<u8> = id.into();
-    if bytes.len() == size {
-        Ok(bytes)
-    } else {
-        let actual_size = bytes.len();
-        Err(IdLengthError {
-            id: bytes,
-            expected_size: size,
-            actual_size,
-        })
-    }
-}
-
-fn truncatable(value: String) -> oc::TruncatableString {
-    oc::TruncatableString {
-        value,
-        truncated_byte_count: 0,
+    fn try_send(&mut self, span: Span) -> Result<(), Error> {
+        self.sink.try_send(ExportSpan {
+            span,
+            kind: self.kind,
+            labels: Arc::clone(&self.labels),
+        })?;
+        Ok(())
     }
 }

linkerd/app/core/src/lib.rs

@@ -7,22 +7,40 @@
 //! - Tap
 //! - Metric labeling
 
-#![deny(warnings, rust_2018_idioms)]
+#![deny(rust_2018_idioms, clippy::disallowed_methods, clippy::disallowed_types)]
+#![allow(opaque_hidden_inferred_bound)]
 #![forbid(unsafe_code)]
 
+use thiserror::Error;
+
+mod build_info;
+pub mod classify;
+pub mod config;
+pub mod control;
+pub mod disco_cache;
+pub mod dns;
+pub mod errors;
+pub mod http_tracing;
+pub mod metrics;
+pub mod proxy;
+pub mod serve;
+pub mod svc;
+pub mod tls_info;
+pub mod transport;
+
+pub use self::build_info::{BuildInfo, BUILD_INFO};
 pub use drain;
 pub use ipnet::{IpNet, Ipv4Net, Ipv6Net};
-pub use linkerd_addr::{self as addr, Addr, NameAddr};
-pub use linkerd_cache as cache;
+pub use linkerd_addr::{self as addr, Addr, AddrMatch, IpMatch, NameAddr, NameMatch};
 pub use linkerd_conditional::Conditional;
-pub use linkerd_detect as detect;
 pub use linkerd_dns;
-pub use linkerd_error::{is_error, Error, Infallible, Recover, Result};
+pub use linkerd_error::{cause_ref, is_caused_by, Error, Infallible, Recover, Result};
 pub use linkerd_exp_backoff as exp_backoff;
 pub use linkerd_http_metrics as http_metrics;
-pub use linkerd_identity as identity;
+pub use linkerd_idle_cache as idle_cache;
 pub use linkerd_io as io;
 pub use linkerd_opencensus as opencensus;
+pub use linkerd_opentelemetry as opentelemetry;
 pub use linkerd_service_profiles as profiles;
 pub use linkerd_stack_metrics as stack_metrics;
 pub use linkerd_stack_tracing as stack_tracing;
@@ -30,25 +48,14 @@ pub use linkerd_tls as tls;
 pub use linkerd_tracing as trace;
 pub use linkerd_transport_header as transport_header;
 
-use thiserror::Error;
-
-mod addr_match;
-pub mod classify;
-pub mod config;
-pub mod control;
-pub mod dns;
-pub mod dst;
-pub mod errors;
-pub mod http_tracing;
-pub mod metrics;
-pub mod proxy;
-pub mod retry;
-pub mod serve;
-pub mod svc;
-pub mod telemetry;
-pub mod transport;
-
-pub use self::addr_match::{AddrMatch, IpMatch, NameMatch};
+pub mod identity {
+    pub use linkerd_identity::*;
+    pub use linkerd_meshtls::*;
+    pub mod client {
+        pub use linkerd_proxy_identity_client as linkerd;
+        pub use linkerd_proxy_spire_client as spire;
+    }
+}
 
 pub const CANONICAL_DST_HEADER: &str = "l5d-dst-canonical";
 
@@ -56,10 +63,10 @@ const DEFAULT_PORT: u16 = 80;
 
 #[derive(Clone, Debug)]
 pub struct ProxyRuntime {
-    pub identity: Option<proxy::identity::LocalCrtKey>,
+    pub identity: identity::creds::Receiver,
     pub metrics: metrics::Proxy,
     pub tap: proxy::tap::Registry,
-    pub span_sink: http_tracing::OpenCensusSink,
+    pub span_sink: Option<http_tracing::SpanSink>,
     pub drain: drain::Watch,
 }
 
@@ -71,9 +78,9 @@ pub fn http_request_authority_addr<B>(req: &http::Request<B>) -> Result<Addr, ad
 }
 
 pub fn http_request_host_addr<B>(req: &http::Request<B>) -> Result<Addr, addr::Error> {
-    use crate::proxy::http::h1;
+    use crate::proxy::http;
 
-    h1::authority_from_host(req)
+    http::authority_from_header(req, http::header::HOST)
         .ok_or(addr::Error::InvalidHost)
         .and_then(|a| Addr::from_authority_and_default_port(&a, DEFAULT_PORT))
 }

linkerd/app/core/src/metrics.rs

@@ -0,0 +1,538 @@
+//! This module provides most of the metrics infrastructure for both inbound &
+//! outbound proxies.
+//!
+//! This is less than ideal. Instead of having common metrics with differing
+//! labels for inbound & outbound, we should instead have distinct metrics for
+//! each case. And the metric registries should be instantiated in the
+//! inbound/outbound crates, etc.
+
+pub use crate::transport::labels::{TargetAddr, TlsAccept};
+use crate::{
+    classify::Class,
+    control, http_metrics, opencensus, opentelemetry, profiles, proxy, stack_metrics, svc, tls,
+    transport::{self, labels::TlsConnect},
+};
+use linkerd_addr::Addr;
+pub use linkerd_metrics::*;
+use linkerd_proxy_server_policy as policy;
+use prometheus_client::encoding::{EncodeLabelSet, EncodeLabelValue};
+use std::{
+    fmt::{self, Write},
+    net::SocketAddr,
+    sync::Arc,
+    time::Duration,
+};
+
+pub type ControlHttp = http_metrics::Requests<ControlLabels, Class>;
+
+pub type HttpEndpoint = http_metrics::Requests<EndpointLabels, Class>;
+
+pub type HttpProfileRoute = http_metrics::Requests<ProfileRouteLabels, Class>;
+
+pub type HttpProfileRouteRetry = http_metrics::Retries<ProfileRouteLabels>;
+
+pub type Stack = stack_metrics::Registry<StackLabels>;
+
+#[derive(Clone, Debug)]
+pub struct Metrics {
+    pub proxy: Proxy,
+    pub control: ControlHttp,
+    pub opencensus: opencensus::metrics::Registry,
+    pub opentelemetry: opentelemetry::metrics::Registry,
+}
+
+#[derive(Clone, Debug)]
+pub struct Proxy {
+    pub http_profile_route: HttpProfileRoute,
+    pub http_profile_route_actual: HttpProfileRoute,
+    pub http_profile_route_retry: HttpProfileRouteRetry,
+    pub http_endpoint: HttpEndpoint,
+    pub transport: transport::Metrics,
+    pub stack: Stack,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub struct ControlLabels {
+    addr: Addr,
+    server_id: tls::ConditionalClientTlsLabels,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub enum EndpointLabels {
+    Inbound(InboundEndpointLabels),
+    Outbound(OutboundEndpointLabels),
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub struct InboundEndpointLabels {
+    pub tls: tls::ConditionalServerTlsLabels,
+    pub authority: Option<http::uri::Authority>,
+    pub target_addr: SocketAddr,
+    pub policy: RouteAuthzLabels,
+}
+
+/// A label referencing an inbound `Server` (i.e. for policy).
+#[derive(Clone, Debug, Eq, PartialEq, Hash)]
+pub struct ServerLabel(pub Arc<policy::Meta>, pub u16);
+
+/// Labels referencing an inbound server and authorization.
+#[derive(Clone, Debug, Eq, PartialEq, Hash)]
+pub struct ServerAuthzLabels {
+    pub server: ServerLabel,
+    pub authz: Arc<policy::Meta>,
+}
+
+/// Labels referencing an inbound server and route.
+#[derive(Clone, Debug, Eq, PartialEq, Hash)]
+pub struct RouteLabels {
+    pub server: ServerLabel,
+    pub route: Arc<policy::Meta>,
+}
+
+/// Labels referencing an inbound server, route, and authorization.
+#[derive(Clone, Debug, Eq, PartialEq, Hash)]
+pub struct RouteAuthzLabels {
+    pub route: RouteLabels,
+    pub authz: Arc<policy::Meta>,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub struct OutboundEndpointLabels {
+    pub server_id: tls::ConditionalClientTlsLabels,
+    pub authority: Option<http::uri::Authority>,
+    pub labels: Option<String>,
+    pub zone_locality: OutboundZoneLocality,
+    pub target_addr: SocketAddr,
+}
+
+#[derive(Debug, Copy, Clone, Default, Hash, Eq, PartialEq, EncodeLabelValue)]
+pub enum OutboundZoneLocality {
+    #[default]
+    Unknown,
+    Local,
+    Remote,
+}
+
+impl OutboundZoneLocality {
+    pub fn new(metadata: &proxy::api_resolve::Metadata) -> Self {
+        if let Some(is_zone_local) = metadata.is_zone_local() {
+            if is_zone_local {
+                OutboundZoneLocality::Local
+            } else {
+                OutboundZoneLocality::Remote
+            }
+        } else {
+            OutboundZoneLocality::Unknown
+        }
+    }
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub struct StackLabels {
+    pub direction: Direction,
+    pub protocol: &'static str,
+    pub name: &'static str,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+pub struct ProfileRouteLabels {
+    direction: Direction,
+    addr: profiles::LogicalAddr,
+    labels: Option<String>,
+}
+
+#[derive(Copy, Clone, Debug, PartialEq, Eq, Hash)]
+pub enum Direction {
+    In,
+    Out,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+struct Authority<'a>(&'a http::uri::Authority);
+
+pub fn prefix_labels<'i, I>(prefix: &str, mut labels_iter: I) -> Option<String>
+where
+    I: Iterator<Item = (&'i String, &'i String)>,
+{
+    let (k0, v0) = labels_iter.next()?;
+    let mut out = format!("{prefix}_{k0}=\"{v0}\"");
+
+    for (k, v) in labels_iter {
+        write!(out, ",{prefix}_{k}=\"{v}\"").expect("label concat must succeed");
+    }
+    Some(out)
+}
+
+// === impl Metrics ===
+
+impl Metrics {
+    pub fn new(retain_idle: Duration) -> (Self, impl legacy::FmtMetrics + Clone + Send + 'static) {
+        let (control, control_report) = {
+            let m = http_metrics::Requests::<ControlLabels, Class>::default();
+            let r = m.clone().into_report(retain_idle).with_prefix("control");
+            (m, r)
+        };
+
+        let (http_endpoint, endpoint_report) = {
+            let m = http_metrics::Requests::<EndpointLabels, Class>::default();
+            let r = m.clone().into_report(retain_idle);
+            (m, r)
+        };
+
+        let (http_profile_route, profile_route_report) = {
+            let m = http_metrics::Requests::<ProfileRouteLabels, Class>::default();
+            let r = m.clone().into_report(retain_idle).with_prefix("route");
+            (m, r)
+        };
+
+        let (http_profile_route_retry, retry_report) = {
+            let m = http_metrics::Retries::<ProfileRouteLabels>::default();
+            let r = m.clone().into_report(retain_idle).with_prefix("route");
+            (m, r)
+        };
+
+        let (http_profile_route_actual, actual_report) = {
+            let m = http_metrics::Requests::<ProfileRouteLabels, Class>::default();
+            let r = m
+                .clone()
+                .into_report(retain_idle)
+                .with_prefix("route_actual");
+            (m, r.without_latencies())
+        };
+
+        let stack = stack_metrics::Registry::default();
+
+        let (transport, transport_report) = transport::Metrics::new(retain_idle);
+
+        let proxy = Proxy {
+            http_endpoint,
+            http_profile_route,
+            http_profile_route_retry,
+            http_profile_route_actual,
+            stack: stack.clone(),
+            transport,
+        };
+
+        let (opencensus, opencensus_report) = opencensus::metrics::new();
+        let (opentelemetry, opentelemetry_report) = opentelemetry::metrics::new();
+
+        let metrics = Metrics {
+            proxy,
+            control,
+            opencensus,
+            opentelemetry,
+        };
+
+        use legacy::FmtMetrics as _;
+        let report = endpoint_report
+            .and_report(profile_route_report)
+            .and_report(retry_report)
+            .and_report(actual_report)
+            .and_report(control_report)
+            .and_report(transport_report)
+            .and_report(opencensus_report)
+            .and_report(opentelemetry_report)
+            .and_report(stack);
+
+        (metrics, report)
+    }
+}
+
+// === impl CtlLabels ===
+
+impl svc::Param<ControlLabels> for control::ControlAddr {
+    fn param(&self) -> ControlLabels {
+        ControlLabels {
+            addr: self.addr.clone(),
+            server_id: self.identity.as_ref().map(tls::ClientTls::labels),
+        }
+    }
+}
+
+impl legacy::FmtLabels for ControlLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self { addr, server_id } = self;
+
+        write!(f, "addr=\"{addr}\",")?;
+        TlsConnect::from(server_id).fmt_labels(f)?;
+
+        Ok(())
+    }
+}
+
+// === impl ProfileRouteLabels ===
+
+impl ProfileRouteLabels {
+    pub fn inbound(addr: profiles::LogicalAddr, route: &profiles::http::Route) -> Self {
+        let labels = prefix_labels("rt", route.labels().iter());
+        Self {
+            addr,
+            labels,
+            direction: Direction::In,
+        }
+    }
+
+    pub fn outbound(addr: profiles::LogicalAddr, route: &profiles::http::Route) -> Self {
+        let labels = prefix_labels("rt", route.labels().iter());
+        Self {
+            addr,
+            labels,
+            direction: Direction::Out,
+        }
+    }
+}
+
+impl legacy::FmtLabels for ProfileRouteLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self {
+            direction,
+            addr,
+            labels,
+        } = self;
+
+        direction.fmt_labels(f)?;
+        write!(f, ",dst=\"{addr}\"")?;
+
+        if let Some(labels) = labels.as_ref() {
+            write!(f, ",{labels}")?;
+        }
+
+        Ok(())
+    }
+}
+
+// === impl EndpointLabels ===
+
+impl From<InboundEndpointLabels> for EndpointLabels {
+    fn from(i: InboundEndpointLabels) -> Self {
+        Self::Inbound(i)
+    }
+}
+
+impl From<OutboundEndpointLabels> for EndpointLabels {
+    fn from(i: OutboundEndpointLabels) -> Self {
+        Self::Outbound(i)
+    }
+}
+
+impl legacy::FmtLabels for EndpointLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Self::Inbound(i) => (Direction::In, i).fmt_labels(f),
+            Self::Outbound(o) => (Direction::Out, o).fmt_labels(f),
+        }
+    }
+}
+
+impl legacy::FmtLabels for InboundEndpointLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self {
+            tls,
+            authority,
+            target_addr,
+            policy,
+        } = self;
+
+        if let Some(a) = authority.as_ref() {
+            Authority(a).fmt_labels(f)?;
+            write!(f, ",")?;
+        }
+
+        ((TargetAddr(*target_addr), TlsAccept::from(tls)), policy).fmt_labels(f)?;
+
+        Ok(())
+    }
+}
+
+impl legacy::FmtLabels for ServerLabel {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self(meta, port) = self;
+        write!(
+            f,
+            "srv_group=\"{}\",srv_kind=\"{}\",srv_name=\"{}\",srv_port=\"{}\"",
+            meta.group(),
+            meta.kind(),
+            meta.name(),
+            port
+        )
+    }
+}
+
+impl EncodeLabelSet for ServerLabel {
+    fn encode(&self, mut enc: prometheus_client::encoding::LabelSetEncoder<'_>) -> fmt::Result {
+        prom::EncodeLabelSetMut::encode_label_set(self, &mut enc)
+    }
+}
+
+impl prom::EncodeLabelSetMut for ServerLabel {
+    fn encode_label_set(&self, enc: &mut prom::encoding::LabelSetEncoder<'_>) -> fmt::Result {
+        use prometheus_client::encoding::EncodeLabel;
+        ("srv_group", self.0.group()).encode(enc.encode_label())?;
+        ("srv_kind", self.0.kind()).encode(enc.encode_label())?;
+        ("srv_name", self.0.name()).encode(enc.encode_label())?;
+        ("srv_port", self.1).encode(enc.encode_label())?;
+        Ok(())
+    }
+}
+
+impl legacy::FmtLabels for ServerAuthzLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self { server, authz } = self;
+
+        server.fmt_labels(f)?;
+        write!(
+            f,
+            ",authz_group=\"{}\",authz_kind=\"{}\",authz_name=\"{}\"",
+            authz.group(),
+            authz.kind(),
+            authz.name()
+        )
+    }
+}
+
+impl legacy::FmtLabels for RouteLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self { server, route } = self;
+
+        server.fmt_labels(f)?;
+        write!(
+            f,
+            ",route_group=\"{}\",route_kind=\"{}\",route_name=\"{}\"",
+            route.group(),
+            route.kind(),
+            route.name(),
+        )
+    }
+}
+
+impl legacy::FmtLabels for RouteAuthzLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self { route, authz } = self;
+
+        route.fmt_labels(f)?;
+        write!(
+            f,
+            ",authz_group=\"{}\",authz_kind=\"{}\",authz_name=\"{}\"",
+            authz.group(),
+            authz.kind(),
+            authz.name(),
+        )
+    }
+}
+
+impl svc::Param<OutboundZoneLocality> for OutboundEndpointLabels {
+    fn param(&self) -> OutboundZoneLocality {
+        self.zone_locality
+    }
+}
+
+impl legacy::FmtLabels for OutboundEndpointLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self {
+            server_id,
+            authority,
+            labels,
+            // TODO(kate): this label is not currently emitted.
+            zone_locality: _,
+            target_addr,
+        } = self;
+
+        if let Some(a) = authority.as_ref() {
+            Authority(a).fmt_labels(f)?;
+            write!(f, ",")?;
+        }
+
+        let ta = TargetAddr(*target_addr);
+        let tls = TlsConnect::from(server_id);
+        (ta, tls).fmt_labels(f)?;
+
+        if let Some(labels) = labels.as_ref() {
+            write!(f, ",{labels}")?;
+        }
+
+        Ok(())
+    }
+}
+
+impl fmt::Display for Direction {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            Self::In => write!(f, "inbound"),
+            Self::Out => write!(f, "outbound"),
+        }
+    }
+}
+
+impl legacy::FmtLabels for Direction {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "direction=\"{self}\"")
+    }
+}
+
+impl legacy::FmtLabels for Authority<'_> {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self(authority) = self;
+        write!(f, "authority=\"{authority}\"")
+    }
+}
+
+impl legacy::FmtLabels for Class {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let class = |ok: bool| if ok { "success" } else { "failure" };
+
+        match self {
+            Class::Http(res) => write!(
+                f,
+                "classification=\"{}\",grpc_status=\"\",error=\"\"",
+                class(res.is_ok())
+            ),
+
+            Class::Grpc(res) => write!(
+                f,
+                "classification=\"{}\",grpc_status=\"{}\",error=\"\"",
+                class(res.is_ok()),
+                match res {
+                    Ok(code) | Err(code) => <i32>::from(*code),
+                }
+            ),
+
+            Class::Error(msg) => write!(
+                f,
+                "classification=\"failure\",grpc_status=\"\",error=\"{msg}\""
+            ),
+        }
+    }
+}
+
+// === impl StackLabels ===
+
+impl StackLabels {
+    pub fn inbound(protocol: &'static str, name: &'static str) -> Self {
+        Self {
+            name,
+            protocol,
+            direction: Direction::In,
+        }
+    }
+
+    pub fn outbound(protocol: &'static str, name: &'static str) -> Self {
+        Self {
+            name,
+            protocol,
+            direction: Direction::Out,
+        }
+    }
+}
+
+impl legacy::FmtLabels for StackLabels {
+    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self {
+            direction,
+            protocol,
+            name,
+        } = self;
+
+        direction.fmt_labels(f)?;
+        write!(f, ",protocol=\"{protocol}\",name=\"{name}\"")
+    }
+}

linkerd/app/core/src/metrics/mod.rs

@@ -1,391 +0,0 @@
-pub use crate::transport::labels::{TargetAddr, TlsAccept};
-use crate::{
-    classify::{Class, SuccessOrFailure},
-    control, dst, http_metrics, http_metrics as metrics, opencensus, profiles, stack_metrics,
-    svc::Param,
-    telemetry, tls,
-    transport::{self, labels::TlsConnect},
-};
-use linkerd_addr::Addr;
-pub use linkerd_metrics::*;
-use std::{
-    fmt::{self, Write},
-    net::SocketAddr,
-    sync::Arc,
-    time::{Duration, SystemTime},
-};
-
-pub type ControlHttp = http_metrics::Requests<ControlLabels, Class>;
-
-pub type HttpEndpoint = http_metrics::Requests<EndpointLabels, Class>;
-
-pub type HttpRoute = http_metrics::Requests<RouteLabels, Class>;
-
-pub type HttpRouteRetry = http_metrics::Retries<RouteLabels>;
-
-pub type Stack = stack_metrics::Registry<StackLabels>;
-
-#[derive(Clone, Debug)]
-pub struct Metrics {
-    pub proxy: Proxy,
-    pub control: ControlHttp,
-    pub opencensus: opencensus::metrics::Registry,
-}
-
-#[derive(Clone, Debug)]
-pub struct Proxy {
-    pub http_route: HttpRoute,
-    pub http_route_actual: HttpRoute,
-    pub http_route_retry: HttpRouteRetry,
-    pub http_endpoint: HttpEndpoint,
-    pub transport: transport::Metrics,
-    pub stack: Stack,
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub struct ControlLabels {
-    addr: Addr,
-    server_id: tls::ConditionalClientTls,
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub enum EndpointLabels {
-    Inbound(InboundEndpointLabels),
-    Outbound(OutboundEndpointLabels),
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub struct InboundEndpointLabels {
-    pub tls: tls::ConditionalServerTls,
-    pub authority: Option<http::uri::Authority>,
-    pub target_addr: SocketAddr,
-    pub policy: AuthzLabels,
-}
-
-/// A label referencing an inbound `Server` (i.e. for policy).
-#[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub struct ServerLabel(pub Arc<str>);
-
-/// Labels referencing an inbound `ServerAuthorization.
-#[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub struct AuthzLabels {
-    pub server: ServerLabel,
-    pub authz: Arc<str>,
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub struct OutboundEndpointLabels {
-    pub server_id: tls::ConditionalClientTls,
-    pub authority: Option<http::uri::Authority>,
-    pub labels: Option<String>,
-    pub target_addr: SocketAddr,
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub struct StackLabels {
-    pub direction: Direction,
-    pub protocol: &'static str,
-    pub name: &'static str,
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-pub struct RouteLabels {
-    direction: Direction,
-    addr: profiles::LogicalAddr,
-    labels: Option<String>,
-}
-
-#[derive(Copy, Clone, Debug, PartialEq, Eq, Hash)]
-pub enum Direction {
-    In,
-    Out,
-}
-
-#[derive(Clone, Debug, PartialEq, Eq, Hash)]
-struct Authority<'a>(&'a http::uri::Authority);
-
-pub fn prefix_labels<'i, I>(prefix: &str, mut labels_iter: I) -> Option<String>
-where
-    I: Iterator<Item = (&'i String, &'i String)>,
-{
-    let (k0, v0) = labels_iter.next()?;
-    let mut out = format!("{}_{}=\"{}\"", prefix, k0, v0);
-
-    for (k, v) in labels_iter {
-        write!(out, ",{}_{}=\"{}\"", prefix, k, v).expect("label concat must succeed");
-    }
-    Some(out)
-}
-
-// === impl Metrics ===
-
-impl Metrics {
-    pub fn new(retain_idle: Duration) -> (Self, impl FmtMetrics + Clone + Send + 'static) {
-        let process = telemetry::process::Report::new(SystemTime::now());
-
-        let build_info = telemetry::build_info::Report::new();
-
-        let (control, control_report) = {
-            let m = metrics::Requests::<ControlLabels, Class>::default();
-            let r = m.clone().into_report(retain_idle).with_prefix("control");
-            (m, r)
-        };
-
-        let (http_endpoint, endpoint_report) = {
-            let m = metrics::Requests::<EndpointLabels, Class>::default();
-            let r = m.clone().into_report(retain_idle);
-            (m, r)
-        };
-
-        let (http_route, route_report) = {
-            let m = metrics::Requests::<RouteLabels, Class>::default();
-            let r = m.clone().into_report(retain_idle).with_prefix("route");
-            (m, r)
-        };
-
-        let (http_route_retry, retry_report) = {
-            let m = metrics::Retries::<RouteLabels>::default();
-            let r = m.clone().into_report(retain_idle).with_prefix("route");
-            (m, r)
-        };
-
-        let (http_route_actual, actual_report) = {
-            let m = metrics::Requests::<RouteLabels, Class>::default();
-            let r = m
-                .clone()
-                .into_report(retain_idle)
-                .with_prefix("route_actual");
-            (m, r.without_latencies())
-        };
-
-        let stack = stack_metrics::Registry::default();
-
-        let (transport, transport_report) = transport::Metrics::new(retain_idle);
-
-        let proxy = Proxy {
-            http_endpoint,
-            http_route,
-            http_route_retry,
-            http_route_actual,
-            stack: stack.clone(),
-            transport,
-        };
-
-        let (opencensus, opencensus_report) = opencensus::metrics::new();
-
-        let metrics = Metrics {
-            proxy,
-            control,
-            opencensus,
-        };
-
-        let report = endpoint_report
-            .and_then(route_report)
-            .and_then(retry_report)
-            .and_then(actual_report)
-            .and_then(control_report)
-            .and_then(transport_report)
-            .and_then(opencensus_report)
-            .and_then(stack)
-            .and_then(process)
-            .and_then(build_info);
-
-        (metrics, report)
-    }
-}
-
-// === impl CtlLabels ===
-
-impl Param<ControlLabels> for control::ControlAddr {
-    fn param(&self) -> ControlLabels {
-        ControlLabels {
-            addr: self.addr.clone(),
-            server_id: self.identity.clone(),
-        }
-    }
-}
-
-impl FmtLabels for ControlLabels {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "addr=\"{}\",", self.addr)?;
-        TlsConnect::from(&self.server_id).fmt_labels(f)?;
-
-        Ok(())
-    }
-}
-
-// === impl RouteLabels ===
-
-impl Param<RouteLabels> for dst::Route {
-    fn param(&self) -> RouteLabels {
-        RouteLabels {
-            addr: self.addr.clone(),
-            direction: self.direction,
-            labels: prefix_labels("rt", self.route.labels().iter()),
-        }
-    }
-}
-
-impl FmtLabels for RouteLabels {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
-        write!(f, ",dst=\"{}\"", self.addr)?;
-
-        if let Some(labels) = self.labels.as_ref() {
-            write!(f, ",{}", labels)?;
-        }
-
-        Ok(())
-    }
-}
-
-// === impl EndpointLabels ===
-
-impl From<InboundEndpointLabels> for EndpointLabels {
-    fn from(i: InboundEndpointLabels) -> Self {
-        Self::Inbound(i)
-    }
-}
-
-impl From<OutboundEndpointLabels> for EndpointLabels {
-    fn from(i: OutboundEndpointLabels) -> Self {
-        Self::Outbound(i)
-    }
-}
-
-impl FmtLabels for EndpointLabels {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self {
-            Self::Inbound(i) => (Direction::In, i).fmt_labels(f),
-            Self::Outbound(o) => (Direction::Out, o).fmt_labels(f),
-        }
-    }
-}
-
-impl FmtLabels for InboundEndpointLabels {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        if let Some(a) = self.authority.as_ref() {
-            Authority(a).fmt_labels(f)?;
-            write!(f, ",")?;
-        }
-
-        (
-            (TargetAddr(self.target_addr), TlsAccept::from(&self.tls)),
-            &self.policy,
-        )
-            .fmt_labels(f)?;
-
-        Ok(())
-    }
-}
-
-impl fmt::Display for ServerLabel {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.0.fmt(f)
-    }
-}
-
-impl FmtLabels for ServerLabel {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "srv_name=\"{}\"", self.0)
-    }
-}
-
-impl FmtLabels for AuthzLabels {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.server.fmt_labels(f)?;
-        write!(f, ",saz_name=\"{}\"", self.authz)
-    }
-}
-
-impl FmtLabels for OutboundEndpointLabels {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        if let Some(a) = self.authority.as_ref() {
-            Authority(a).fmt_labels(f)?;
-            write!(f, ",")?;
-        }
-
-        let ta = TargetAddr(self.target_addr);
-        let tls = TlsConnect::from(&self.server_id);
-        (ta, tls).fmt_labels(f)?;
-
-        if let Some(labels) = self.labels.as_ref() {
-            write!(f, ",{}", labels)?;
-        }
-
-        Ok(())
-    }
-}
-
-impl fmt::Display for Direction {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self {
-            Self::In => write!(f, "inbound"),
-            Self::Out => write!(f, "outbound"),
-        }
-    }
-}
-
-impl FmtLabels for Direction {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "direction=\"{}\"", self)
-    }
-}
-
-impl<'a> FmtLabels for Authority<'a> {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "authority=\"{}\"", self.0)
-    }
-}
-
-impl FmtLabels for Class {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self {
-            Class::Default(result) => write!(f, "classification=\"{}\"", result),
-            Class::Grpc(result, status) => write!(
-                f,
-                "classification=\"{}\",grpc_status=\"{}\"",
-                result, status
-            ),
-            Class::Stream(result, status) => {
-                write!(f, "classification=\"{}\",error=\"{}\"", result, status)
-            }
-        }
-    }
-}
-
-impl fmt::Display for SuccessOrFailure {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self {
-            SuccessOrFailure::Success => write!(f, "success"),
-            SuccessOrFailure::Failure => write!(f, "failure"),
-        }
-    }
-}
-
-// === impl StackLabels ===
-
-impl StackLabels {
-    pub fn inbound(protocol: &'static str, name: &'static str) -> Self {
-        Self {
-            name,
-            protocol,
-            direction: Direction::In,
-        }
-    }
-
-    pub fn outbound(protocol: &'static str, name: &'static str) -> Self {
-        Self {
-            name,
-            protocol,
-            direction: Direction::Out,
-        }
-    }
-}
-
-impl FmtLabels for StackLabels {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
-        write!(f, ",protocol=\"{}\",name=\"{}\"", self.protocol, self.name)
-    }
-}

linkerd/app/core/src/proxy.rs

@@ -1,11 +1,10 @@
 //! Tools for building a transparent TCP/HTTP proxy.
 
 pub use linkerd_proxy_api_resolve as api_resolve;
+pub use linkerd_proxy_balance as balance;
 pub use linkerd_proxy_core as core;
-pub use linkerd_proxy_discover as discover;
 pub use linkerd_proxy_dns_resolve as dns_resolve;
 pub use linkerd_proxy_http as http;
-pub use linkerd_proxy_identity as identity;
 pub use linkerd_proxy_resolve as resolve;
 pub use linkerd_proxy_tap as tap;
 pub use linkerd_proxy_tcp as tcp;

linkerd/app/core/src/retry.rs

@@ -1,168 +0,0 @@
-use super::classify;
-use super::dst::Route;
-use super::http_metrics::retries::Handle;
-use super::metrics::HttpRouteRetry;
-use crate::profiles;
-use futures::future;
-use linkerd_error::Error;
-use linkerd_http_classify::{Classify, ClassifyEos, ClassifyResponse};
-use linkerd_http_retry::ReplayBody;
-use linkerd_proxy_http::ClientHandle;
-use linkerd_retry as retry;
-use linkerd_stack::{layer, Either, Param};
-use std::sync::Arc;
-
-pub fn layer<N>(
-    metrics: HttpRouteRetry,
-) -> impl layer::Layer<N, Service = retry::NewRetry<NewRetryPolicy, N>> + Clone {
-    retry::NewRetry::<_, N>::layer(NewRetryPolicy::new(metrics))
-}
-
-#[derive(Clone, Debug)]
-pub struct NewRetryPolicy {
-    metrics: HttpRouteRetry,
-}
-
-#[derive(Clone, Debug)]
-pub struct RetryPolicy {
-    metrics: Handle,
-    budget: Arc<retry::Budget>,
-    response_classes: profiles::http::ResponseClasses,
-}
-
-/// Allow buffering requests up to 64 kb
-const MAX_BUFFERED_BYTES: usize = 64 * 1024;
-
-// === impl NewRetryPolicy ===
-
-impl NewRetryPolicy {
-    pub fn new(metrics: HttpRouteRetry) -> Self {
-        Self { metrics }
-    }
-}
-
-impl retry::NewPolicy<Route> for NewRetryPolicy {
-    type Policy = RetryPolicy;
-
-    fn new_policy(&self, route: &Route) -> Option<Self::Policy> {
-        let retries = route.route.retries().cloned()?;
-
-        let metrics = self.metrics.get_handle(route.param());
-        Some(RetryPolicy {
-            metrics,
-            budget: retries.budget().clone(),
-            response_classes: route.route.response_classes().clone(),
-        })
-    }
-}
-
-// === impl Retry ===
-
-impl RetryPolicy {
-    fn can_retry<A: http_body::Body>(&self, req: &http::Request<A>) -> bool {
-        let content_length = |req: &http::Request<_>| {
-            req.headers()
-                .get(http::header::CONTENT_LENGTH)
-                .and_then(|value| value.to_str().ok()?.parse::<usize>().ok())
-        };
-
-        // Requests without bodies can always be retried, as we will not need to
-        // buffer the body. If the request *does* have a body, retry it if and
-        // only if the request contains a `content-length` header and the
-        // content length is >= 64 kb.
-        let has_body = !req.body().is_end_stream();
-        if has_body && content_length(req).unwrap_or(usize::MAX) > MAX_BUFFERED_BYTES {
-            tracing::trace!(
-                req.has_body = has_body,
-                req.content_length = ?content_length(req),
-                "not retryable",
-            );
-            return false;
-        }
-
-        tracing::trace!(
-            req.has_body = has_body,
-            req.content_length = ?content_length(req),
-            "retryable",
-        );
-        true
-    }
-}
-
-impl<A, B, E> retry::Policy<http::Request<A>, http::Response<B>, E> for RetryPolicy
-where
-    A: http_body::Body + Clone,
-{
-    type Future = future::Ready<Self>;
-
-    fn retry(
-        &self,
-        req: &http::Request<A>,
-        result: Result<&http::Response<B>, &E>,
-    ) -> Option<Self::Future> {
-        let retryable = match result {
-            Err(_) => false,
-            Ok(rsp) => classify::Request::from(self.response_classes.clone())
-                .classify(req)
-                .start(rsp)
-                .eos(None)
-                .is_failure(),
-        };
-
-        if !retryable {
-            self.budget.deposit();
-            return None;
-        }
-
-        let withdrew = self.budget.withdraw().is_ok();
-        self.metrics.incr_retryable(withdrew);
-        if !withdrew {
-            return None;
-        }
-
-        Some(future::ready(self.clone()))
-    }
-
-    fn clone_request(&self, req: &http::Request<A>) -> Option<http::Request<A>> {
-        let can_retry = self.can_retry(req);
-        debug_assert!(
-            can_retry,
-            "The retry policy attempted to clone an un-retryable request. This is unexpected."
-        );
-        if !can_retry {
-            return None;
-        }
-
-        let mut clone = http::Request::new(req.body().clone());
-        *clone.method_mut() = req.method().clone();
-        *clone.uri_mut() = req.uri().clone();
-        *clone.headers_mut() = req.headers().clone();
-        *clone.version_mut() = req.version();
-
-        // The HTTP server sets a ClientHandle with the client's address and a means to close the
-        // server-side connection.
-        if let Some(client_handle) = req.extensions().get::<ClientHandle>().cloned() {
-            clone.extensions_mut().insert(client_handle);
-        }
-
-        Some(clone)
-    }
-}
-
-impl<A, B, E> retry::PrepareRequest<http::Request<A>, http::Response<B>, E> for RetryPolicy
-where
-    A: http_body::Body + Unpin,
-    A::Error: Into<Error>,
-{
-    type RetryRequest = http::Request<ReplayBody<A>>;
-
-    fn prepare_request(
-        &self,
-        req: http::Request<A>,
-    ) -> Either<Self::RetryRequest, http::Request<A>> {
-        if self.can_retry(&req) {
-            return Either::A(req.map(|body| ReplayBody::new(body, MAX_BUFFERED_BYTES)));
-        }
-        Either::B(req)
-    }
-}

linkerd/app/core/src/serve.rs

@@ -1,10 +1,11 @@
 use crate::{
-    io,
+    io, is_caused_by,
     svc::{self, Param},
-    transport::{ClientAddr, Remote},
+    Result,
 };
 use futures::prelude::*;
 use linkerd_error::Error;
+use linkerd_proxy_transport::AddrPair;
 use tower::util::ServiceExt;
 use tracing::{debug, debug_span, info, instrument::Instrument, warn};
 
@@ -12,12 +13,12 @@ use tracing::{debug, debug_span, info, instrument::Instrument, warn};
 ///
 /// The task is driven until shutdown is signaled.
 pub async fn serve<M, S, I, A>(
-    listen: impl Stream<Item = std::io::Result<(A, I)>>,
+    listen: impl Stream<Item = Result<(A, I)>>,
     new_accept: M,
     shutdown: impl Future,
 ) where
     I: Send + 'static,
-    A: Param<Remote<ClientAddr>>,
+    A: Param<AddrPair>,
     M: svc::NewService<A, Service = S>,
     S: tower::Service<io::ScopedIo<I>, Response = ()> + Send + 'static,
     S::Error: Into<Error>,
@@ -33,13 +34,14 @@ pub async fn serve<M, S, I, A>(
                     let (addrs, io) = match conn {
                         Ok(conn) => conn,
                         Err(error) => {
-                            warn!(%error, "Server failed to accept connection");
+                            warn!(error, "Server failed to accept connection");
                             continue;
                         }
                     };
 
                     // The local addr should be instrumented from the listener's context.
-                    let span = debug_span!("accept", client.addr = %addrs.param()).entered();
+                    let AddrPair(client_addr, server_addr) = addrs.param();
+                    let span = debug_span!("accept", client.addr = %client_addr, server.addr = %server_addr).entered();
                     let accept = new_accept.new_service(addrs);
 
                     // Dispatch all of the work for a given connection onto a
@@ -54,10 +56,22 @@ pub async fn serve<M, S, I, A>(
                                         .await
                                     {
                                         Ok(()) => debug!("Connection closed"),
-                                        Err(reason) if is_io(&*reason) => {
-                                            debug!(%reason, "Connection closed")
+                                        Err(reason) if is_caused_by::<std::io::Error>(&*reason) => {
+                                            debug!(
+                                                reason,
+                                                client.addr = %client_addr,
+                                                server.addr = %server_addr,
+                                                "Connection closed"
+                                            );
+                                        }
+                                        Err(error) => {
+                                            info!(
+                                                error,
+                                                client.addr = %client_addr,
+                                                server.addr = %server_addr,
+                                                "Connection closed"
+                                            );
                                         }
-                                        Err(error) => info!(%error, "Connection closed"),
                                     }
                                     // Hold the service until the connection is complete. This
                                     // helps tie any inner cache lifetimes to the services they
@@ -65,7 +79,7 @@ pub async fn serve<M, S, I, A>(
                                     drop(accept);
                                 }
                                 Err(error) => {
-                                    warn!(%error, "Server failed to become ready");
+                                    warn!(error, client.addr = %client_addr, "Server failed to become ready");
                                 }
                             }
                         }
@@ -85,7 +99,3 @@ pub async fn serve<M, S, I, A>(
         _ = shutdown => {}
     }
 }
-
-fn is_io(e: &(dyn std::error::Error + 'static)) -> bool {
-    e.is::<io::Error>() || e.source().map(is_io).unwrap_or(false)
-}

linkerd/app/core/src/svc.rs

@@ -1,22 +1,15 @@
 // Possibly unused, but useful during development.
 
-pub use crate::proxy::http;
-use crate::{cache, Error};
+use crate::{disco_cache::NewCachedDiscover, Error};
 use linkerd_error::Recover;
 use linkerd_exp_backoff::{ExponentialBackoff, ExponentialBackoffStream};
-pub use linkerd_reconnect::NewReconnect;
-pub use linkerd_stack::{
-    self as stack, layer, ArcNewService, BoxService, BoxServiceLayer, Either, ExtractParam, Fail,
-    FailFast, Filter, InsertParam, MapErr, MapTargetLayer, NewRouter, NewService, Param, Predicate,
-    UnwrapOr,
-};
-pub use linkerd_stack_tracing::{NewInstrument, NewInstrumentLayer};
 use std::{
+    fmt,
+    hash::Hash,
     task::{Context, Poll},
     time::Duration,
 };
 use tower::{
-    buffer::{Buffer as TowerBuffer, BufferLayer},
     layer::util::{Identity, Stack as Pair},
     make::MakeService,
 };
@@ -25,20 +18,34 @@ pub use tower::{
     spawn_ready::SpawnReady, Service, ServiceExt,
 };
 
+pub use crate::proxy::http;
+pub use linkerd_idle_cache as idle_cache;
+pub use linkerd_reconnect::NewReconnect;
+pub use linkerd_router::{self as router, NewOneshotRoute};
+pub use linkerd_stack::{self as stack, *};
+pub use linkerd_stack_tracing::{GetSpan, NewInstrument, NewInstrumentLayer};
+
 #[derive(Copy, Clone, Debug)]
 pub struct AlwaysReconnect(ExponentialBackoff);
 
-pub type Buffer<Req, Rsp, E> = TowerBuffer<BoxService<Req, Rsp, E>, Req>;
-
 pub type BoxHttp<B = http::BoxBody> =
     BoxService<http::Request<B>, http::Response<http::BoxBody>, Error>;
 
 pub type ArcNewHttp<T, B = http::BoxBody> = ArcNewService<T, BoxHttp<B>>;
 
+pub type BoxCloneHttp<B = http::BoxBody> =
+    BoxCloneSyncService<http::Request<B>, http::Response<http::BoxBody>>;
+
+pub type ArcNewCloneHttp<T, B = http::BoxBody> = ArcNewService<T, BoxCloneHttp<B>>;
+
 pub type BoxTcp<I> = BoxService<I, (), Error>;
 
 pub type ArcNewTcp<T, I> = ArcNewService<T, BoxTcp<I>>;
 
+pub type BoxCloneTcp<I> = BoxCloneSyncService<I, ()>;
+
+pub type ArcNewCloneTcp<T, I> = ArcNewService<T, BoxCloneTcp<I>>;
+
 #[derive(Clone, Debug)]
 pub struct Layers<L>(L);
 
@@ -79,22 +86,32 @@ impl<L> Layers<L> {
         self.push(stack::MapTargetLayer::new(map_target))
     }
 
-    /// Buffers requests in an mpsc, spawning the inner service onto a dedicated task.
-    pub fn push_spawn_buffer<Req>(
-        self,
-        capacity: usize,
-    ) -> Layers<Pair<Pair<L, BoxServiceLayer<Req>>, BufferLayer<Req>>>
-    where
-        Req: Send + 'static,
-    {
-        self.push(BoxServiceLayer::new())
-            .push(BufferLayer::new(capacity))
-    }
-
     pub fn push_on_service<U>(self, layer: U) -> Layers<Pair<L, stack::OnServiceLayer<U>>> {
         self.push(stack::OnServiceLayer::new(layer))
     }
 
+    /// Wraps the inner `N` with `NewCloneService` so that the stack holds a
+    /// `NewService` that always returns a clone of `N` regardless of the target
+    /// value.
+    pub fn lift_new<N>(
+        self,
+    ) -> Layers<Pair<L, impl Layer<N, Service = NewCloneService<N>> + Clone>> {
+        self.push(layer::mk(NewCloneService::from))
+    }
+
+    // Wraps the inner `N`-typed [`NewService`] with a layer that applies the
+    // given target to all inner stacks to produce its service.
+    pub fn push_flatten_new<T, N>(
+        self,
+        target: T,
+    ) -> Layers<Pair<L, impl Layer<N, Service = N::Service> + Clone>>
+    where
+        T: Clone,
+        N: NewService<T>,
+    {
+        self.push(layer::mk(move |inner: N| inner.new_service(target.clone())))
+    }
+
     pub fn push_instrument<G: Clone>(self, get_span: G) -> Layers<Pair<L, NewInstrumentLayer<G>>> {
         self.push(NewInstrumentLayer::new(get_span))
     }
@@ -120,7 +137,7 @@ impl<S> Stack<S> {
         self.push(stack::MapTargetLayer::new(map_target))
     }
 
-    pub fn push_request_filter<F: Clone>(self, filter: F) -> Stack<stack::Filter<S, F>> {
+    pub fn push_filter<F: Clone>(self, filter: F) -> Stack<stack::Filter<S, F>> {
         self.push(stack::Filter::<S, F>::layer(filter))
     }
 
@@ -128,8 +145,8 @@ impl<S> Stack<S> {
     ///
     /// Each time the service is called, the `T`-typed request is cloned and
     /// issued into the inner service.
-    pub fn push_make_thunk(self) -> Stack<stack::MakeThunk<S>> {
-        self.push(layer::mk(stack::MakeThunk::new))
+    pub fn push_new_thunk(self) -> Stack<stack::NewThunk<S>> {
+        self.push(layer::mk(stack::NewThunk::new))
     }
 
     pub fn instrument<G: Clone>(self, get_span: G) -> Stack<NewInstrument<G, S>> {
@@ -152,28 +169,45 @@ impl<S> Stack<S> {
         self.push(NewReconnect::layer(AlwaysReconnect(backoff)))
     }
 
-    /// Buffer requests when when the next layer is out of capacity.
-    pub fn spawn_buffer<Req, Rsp>(
-        self,
-        capacity: usize,
-    ) -> Stack<Buffer<Req, S::Response, S::Error>>
-    where
-        Req: Send + 'static,
-        S: Service<Req> + Send + 'static,
-        S::Response: Send + 'static,
-        S::Error: Into<Error> + Send + Sync + 'static,
-        S::Future: Send,
-    {
-        self.push(BoxServiceLayer::new())
-            .push(BufferLayer::new(capacity))
-    }
-
     /// Assuming `S` implements `NewService` or `MakeService`, applies the given
     /// `L`-typed layer on each service produced by `S`.
     pub fn push_on_service<L: Clone>(self, layer: L) -> Stack<stack::OnService<L, S>> {
         self.push(stack::OnServiceLayer::new(layer))
     }
 
+    /// Lifts `S` into `NewService<_, Service = S>` so that the inner stack is
+    /// cloned for each target (ignoring its value).
+    pub fn lift_new(self) -> Stack<NewCloneService<S>> {
+        self.push(layer::mk(NewCloneService::from))
+    }
+
+    /// Lifts the inner stack via [`Self::lift_new`], but combines both target
+    /// types into a new `P`-typed value via `From`.
+    pub fn lift_new_with_target<P>(self) -> Stack<NewFromTargets<P, NewCloneService<S>>> {
+        // `lift_new` takes a NewService<P> and returns a NewService<T, Service =
+        // NewService<P>> -- turning it into a double-NewService that ignores
+        // the `T`-typed target.
+        //
+        // `NewFromTargets` wraps that and returns a NewService<T, Service =
+        // NewService<(U, T)> -- so that first target is cloned and
+        // combined with the second target via `P::from`.
+        //
+        // The result is that we expose NewService<T, Service = NewService<U>>
+        // over an inner NewService<P>.
+        self.lift_new().push(NewFromTargets::layer())
+    }
+
+    /// Converts an inner `NewService<T, Service = Svc>` into a `NewService<T,
+    /// Service = NewService<_, Service = Svc>>`, cloning `Svc` for each child
+    /// target (ignoring its value), in effect disarding the child `NewService`.
+    ///
+    /// The inverse of `lift_new`.
+    pub fn unlift_new<Svc>(
+        self,
+    ) -> Stack<OnService<impl Layer<Svc, Service = NewCloneService<Svc>> + Clone, S>> {
+        self.push_on_service(layer::mk(NewCloneService::from))
+    }
+
     /// Wraps the inner service with a response timeout such that timeout errors are surfaced as a
     /// `ConnectTimeout` error.
     ///
@@ -181,7 +215,7 @@ impl<S> Stack<S> {
     pub fn push_connect_timeout(
         self,
         timeout: Duration,
-    ) -> Stack<MapErr<stack::Timeout<S>, impl FnOnce(Error) -> Error + Clone>> {
+    ) -> Stack<MapErr<impl FnOnce(Error) -> Error + Clone, stack::Timeout<S>>> {
         self.push(stack::Timeout::layer(timeout))
             .push(MapErr::layer(move |err: Error| {
                 if err.is::<stack::TimeoutError>() {
@@ -202,13 +236,13 @@ impl<S> Stack<S> {
         self.push(http::insert::NewResponseInsert::layer())
     }
 
-    pub fn push_cache<T>(self, idle: Duration) -> Stack<cache::Cache<T, S>>
+    pub fn push_new_idle_cached<T>(self, idle: Duration) -> Stack<idle_cache::NewIdleCached<T, S>>
     where
         T: Clone + Eq + std::fmt::Debug + std::hash::Hash + Send + Sync + 'static,
         S: NewService<T> + 'static,
         S::Service: Send + Sync + 'static,
     {
-        self.push(cache::Cache::layer(idle))
+        self.push(idle_cache::NewIdleCached::layer(idle))
     }
 
     /// Push a service that either calls the inner service if it is ready, or
@@ -237,6 +271,86 @@ impl<S> Stack<S> {
         }))
     }
 
+    pub fn push_new_cached_discover<K, D>(
+        self,
+        discover: D,
+        idle: Duration,
+    ) -> Stack<NewCachedDiscover<K, D, S>>
+    where
+        K: Clone + fmt::Debug + Eq + Hash + Send + Sync + 'static,
+        D: Service<K, Error = Error> + Clone + Send + Sync + 'static,
+        D::Response: Clone + Send + Sync + 'static,
+        D::Future: Send + Unpin,
+    {
+        self.push(NewCachedDiscover::layer(discover, idle))
+    }
+
+    pub fn arc_new_http<T, B, Svc>(self) -> Stack<ArcNewHttp<T, B>>
+    where
+        T: 'static,
+        B: 'static,
+        S: NewService<T, Service = Svc> + Send + Sync + 'static,
+        Svc: Service<http::Request<B>, Response = http::Response<http::BoxBody>, Error = Error>,
+        Svc: Send + 'static,
+        Svc::Future: Send,
+    {
+        self.arc_new_box()
+    }
+
+    pub fn arc_new_clone_http<T, B, Svc>(self) -> Stack<ArcNewCloneHttp<T, B>>
+    where
+        T: 'static,
+        B: 'static,
+        S: NewService<T, Service = Svc> + Send + Sync + 'static,
+        Svc: Service<http::Request<B>, Response = http::Response<http::BoxBody>>,
+        Svc: Clone + Send + Sync + 'static,
+        Svc::Error: Into<Error>,
+        Svc::Future: Send,
+    {
+        self.push_on_service(BoxCloneHttp::layer())
+            .push(ArcNewService::layer())
+    }
+
+    pub fn arc_new_clone_tcp<T, I, Svc>(self) -> Stack<ArcNewCloneTcp<T, I>>
+    where
+        T: 'static,
+        I: 'static,
+        S: NewService<T, Service = Svc> + Send + Sync + 'static,
+        Svc: Service<I, Response = ()> + Clone + Send + Sync + 'static,
+        Svc::Error: Into<Error>,
+        Svc::Future: Send,
+    {
+        self.push_on_service(BoxCloneTcp::layer())
+            .push(ArcNewService::layer())
+    }
+
+    pub fn arc_new_tcp<T, I, Svc>(self) -> Stack<ArcNewTcp<T, I>>
+    where
+        T: 'static,
+        I: 'static,
+        S: NewService<T, Service = Svc> + Send + Sync + 'static,
+        Svc: Service<I, Response = (), Error = Error>,
+        Svc: Send + 'static,
+        Svc::Future: Send,
+    {
+        self.arc_new_box()
+    }
+
+    pub fn arc_new_box<T, Req, Svc>(
+        self,
+    ) -> Stack<ArcNewService<T, BoxService<Req, Svc::Response, Error>>>
+    where
+        T: 'static,
+        Req: 'static,
+        S: NewService<T, Service = Svc> + Send + Sync + 'static,
+        Svc: Service<Req, Error = Error>,
+        Svc: Send + 'static,
+        Svc::Future: Send,
+    {
+        self.push_on_service(BoxService::layer())
+            .push(ArcNewService::layer())
+    }
+
     /// Validates that this stack serves T-typed targets.
     pub fn check_new<T>(self) -> Self
     where
@@ -245,6 +359,23 @@ impl<S> Stack<S> {
         self
     }
 
+    pub fn check_new_new<T, U>(self) -> Self
+    where
+        S: NewService<T>,
+        S::Service: NewService<U>,
+    {
+        self
+    }
+
+    pub fn check_new_new_service<T, U, Req>(self) -> Self
+    where
+        S: NewService<T>,
+        S::Service: NewService<U>,
+        <S::Service as NewService<U>>::Service: Service<Req>,
+    {
+        self
+    }
+
     pub fn check_new_clone<T>(self) -> Self
     where
         S: NewService<T>,
@@ -262,6 +393,14 @@ impl<S> Stack<S> {
         self
     }
 
+    pub fn check_new_accept<T, I>(self) -> Self
+    where
+        S: NewService<T>,
+        S::Service: Service<I, Response = ()>,
+    {
+        self
+    }
+
     /// Validates that this stack serves T-typed targets.
     pub fn check_clone_new_service<T, Req>(self) -> Self
     where

linkerd/app/core/src/telemetry/build_info.rs

@@ -1,72 +0,0 @@
-use linkerd_metrics::{metrics, FmtLabels, FmtMetric, FmtMetrics, Gauge};
-use std::env;
-use std::fmt;
-use std::string::String;
-use std::sync::Arc;
-
-const GIT_BRANCH: &str = env!("GIT_BRANCH");
-const GIT_SHA: &str = env!("GIT_SHA");
-const GIT_VERSION: &str = env!("GIT_VERSION");
-const PROFILE: &str = env!("PROFILE");
-const RUST_VERSION: &str = env!("RUST_VERSION");
-
-metrics! {
-    proxy_build_info: Gauge {
-        "Proxy build info"
-    }
-}
-
-#[derive(Clone, Debug, Default)]
-pub struct Report {
-    name: String,
-    // `value` remains constant over the lifetime of the proxy so that
-    // build information in `labels` remains accurate
-    value: Arc<Gauge>,
-    labels: Arc<BuildInfoLabels>,
-}
-
-#[derive(Clone, Debug, Default)]
-struct BuildInfoLabels {
-    git_branch: String,
-    git_sha: String,
-    git_version: String,
-    profile: String,
-    rust_version: String,
-}
-
-impl Report {
-    pub fn new() -> Self {
-        let labels = Arc::new(BuildInfoLabels {
-            git_branch: GIT_BRANCH.to_string(),
-            git_sha: GIT_SHA.to_string(),
-            git_version: GIT_VERSION.to_string(),
-            profile: PROFILE.to_string(),
-            rust_version: RUST_VERSION.to_string(),
-        });
-        Self {
-            name: "proxy_build_info".to_string(),
-            value: Arc::new(1.into()),
-            labels,
-        }
-    }
-}
-
-impl FmtMetrics for Report {
-    fn fmt_metrics(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        proxy_build_info.fmt_help(f)?;
-        self.value
-            .fmt_metric_labeled(f, self.name.as_str(), self.labels.as_ref())?;
-        Ok(())
-    }
-}
-
-impl FmtLabels for BuildInfoLabels {
-    fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "git_branch=\"{}\"", self.git_branch)?;
-        write!(f, ",git_sha=\"{}\"", self.git_sha)?;
-        write!(f, ",git_version=\"{}\"", self.git_version)?;
-        write!(f, ",profile=\"{}\"", self.profile)?;
-        write!(f, ",rust_version=\"{}\"", self.rust_version)?;
-        Ok(())
-    }
-}

linkerd/app/core/src/telemetry/mod.rs

@@ -1,2 +0,0 @@
-pub mod build_info;
-pub mod process;

linkerd/app/core/src/telemetry/process.rs

@@ -1,153 +0,0 @@
-use linkerd_metrics::{metrics, FmtMetrics, Gauge};
-use std::fmt;
-use std::sync::Arc;
-use std::time::{SystemTime, UNIX_EPOCH};
-
-metrics! {
-    process_start_time_seconds: Gauge {
-        "Time that the process started (in seconds since the UNIX epoch)"
-    }
-}
-
-#[derive(Clone, Debug)]
-pub struct Report {
-    start_time: Arc<Gauge>,
-
-    #[cfg(target_os = "linux")]
-    system: linux::System,
-}
-
-impl Report {
-    pub fn new(start_time: SystemTime) -> Self {
-        let t0 = start_time
-            .duration_since(UNIX_EPOCH)
-            .expect("process start time")
-            .as_secs();
-
-        #[cfg(not(target_os = "linux"))]
-        tracing::info!("System-level metrics are only supported on Linux");
-        Self {
-            start_time: Arc::new(t0.into()),
-
-            #[cfg(target_os = "linux")]
-            system: linux::System::new(),
-        }
-    }
-}
-
-impl FmtMetrics for Report {
-    fn fmt_metrics(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        process_start_time_seconds.fmt_help(f)?;
-        process_start_time_seconds.fmt_metric(f, self.start_time.as_ref())?;
-
-        #[cfg(target_os = "linux")]
-        self.system.fmt_metrics(f)?;
-
-        Ok(())
-    }
-}
-
-#[cfg(target_os = "linux")]
-mod linux {
-    use linkerd_metrics::{metrics, Counter, FmtMetrics, Gauge, MillisAsSeconds};
-    use linkerd_system as sys;
-    use std::fmt;
-    use tracing::warn;
-
-    metrics! {
-        process_cpu_seconds_total: Counter<MillisAsSeconds> {
-            "Total user and system CPU time spent in seconds."
-        },
-        process_open_fds: Gauge { "Number of open file descriptors." },
-        process_max_fds: Gauge { "Maximum number of open file descriptors." },
-        process_virtual_memory_bytes: Gauge {
-            "Virtual memory size in bytes."
-        },
-        process_resident_memory_bytes: Gauge {
-            "Resident memory size in bytes."
-        }
-    }
-
-    #[derive(Clone, Debug, Default)]
-    pub(super) struct System {
-        page_size: Option<u64>,
-        ms_per_tick: Option<u64>,
-    }
-
-    impl System {
-        pub fn new() -> Self {
-            let page_size = match sys::page_size() {
-                Ok(ps) => Some(ps),
-                Err(err) => {
-                    warn!("Failed to load page size: {}", err);
-                    None
-                }
-            };
-            let ms_per_tick = match sys::ms_per_tick() {
-                Ok(mpt) => Some(mpt),
-                Err(err) => {
-                    warn!("Failed to load cpu clock speed: {}", err);
-                    None
-                }
-            };
-            Self {
-                page_size,
-                ms_per_tick,
-            }
-        }
-    }
-
-    impl FmtMetrics for System {
-        fn fmt_metrics(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-            let stat = match sys::blocking_stat() {
-                Ok(stat) => stat,
-                Err(err) => {
-                    warn!("failed to read process stats: {}", err);
-                    return Ok(());
-                }
-            };
-
-            if let Some(mpt) = self.ms_per_tick {
-                let clock_ticks = stat.utime as u64 + stat.stime as u64;
-                let cpu_ms = clock_ticks * mpt;
-                process_cpu_seconds_total.fmt_help(f)?;
-                process_cpu_seconds_total.fmt_metric(f, &Counter::from(cpu_ms))?;
-            } else {
-                warn!("Could not determine process_cpu_seconds_total");
-            }
-
-            process_virtual_memory_bytes.fmt_help(f)?;
-            process_virtual_memory_bytes.fmt_metric(f, &Gauge::from(stat.vsize as u64))?;
-
-            if let Some(ps) = self.page_size {
-                process_resident_memory_bytes.fmt_help(f)?;
-                process_resident_memory_bytes.fmt_metric(f, &Gauge::from(stat.rss as u64 * ps))?;
-            } else {
-                warn!("Could not determine process_resident_memory_bytes");
-            }
-
-            match sys::open_fds(stat.pid) {
-                Ok(open_fds) => {
-                    process_open_fds.fmt_help(f)?;
-                    process_open_fds.fmt_metric(f, &open_fds.into())?;
-                }
-                Err(err) => {
-                    warn!("Could not determine process_open_fds: {}", err);
-                }
-            }
-
-            match sys::max_fds() {
-                Ok(None) => {}
-                Ok(Some(max_fds)) => {
-                    process_max_fds.fmt_help(f)?;
-                    process_max_fds.fmt_metric(f, &max_fds.into())?;
-                }
-                Err(err) => {
-                    warn!("Could not determine process_max_fds: {}", err);
-                }
-            }
-
-            Ok(())
-        }
-    }
-}

linkerd/app/core/src/tls_info.rs

@@ -0,0 +1,70 @@
+use linkerd_metrics::prom;
+use prometheus_client::encoding::{EncodeLabelSet, EncodeLabelValue, LabelValueEncoder};
+use std::{
+    fmt::{Error, Write},
+    sync::{Arc, OnceLock},
+};
+
+static TLS_INFO: OnceLock<Arc<TlsInfo>> = OnceLock::new();
+
+#[derive(Clone, Debug, Default, Hash, PartialEq, Eq, EncodeLabelSet)]
+pub struct TlsInfo {
+    tls_suites: MetricValueList,
+    tls_kx_groups: MetricValueList,
+    tls_rand: String,
+    tls_key_provider: String,
+    tls_fips: bool,
+}
+
+#[derive(Clone, Debug, Default, Hash, PartialEq, Eq)]
+struct MetricValueList {
+    values: Vec<&'static str>,
+}
+
+impl FromIterator<&'static str> for MetricValueList {
+    fn from_iter<T: IntoIterator<Item = &'static str>>(iter: T) -> Self {
+        MetricValueList {
+            values: iter.into_iter().collect(),
+        }
+    }
+}
+
+impl EncodeLabelValue for MetricValueList {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), Error> {
+        for value in &self.values {
+            value.encode(encoder)?;
+            encoder.write_char(',')?;
+        }
+        Ok(())
+    }
+}
+
+pub fn metric() -> prom::Family<TlsInfo, prom::ConstGauge> {
+    let fam = prom::Family::<TlsInfo, prom::ConstGauge>::new_with_constructor(|| {
+        prom::ConstGauge::new(1)
+    });
+
+    let tls_info = TLS_INFO.get_or_init(|| {
+        let provider = linkerd_rustls::get_default_provider();
+
+        let tls_suites = provider
+            .cipher_suites
+            .iter()
+            .flat_map(|cipher_suite| cipher_suite.suite().as_str())
+            .collect::<MetricValueList>();
+        let tls_kx_groups = provider
+            .kx_groups
+            .iter()
+            .flat_map(|suite| suite.name().as_str())
+            .collect::<MetricValueList>();
+        Arc::new(TlsInfo {
+            tls_suites,
+            tls_kx_groups,
+            tls_rand: format!("{:?}", provider.secure_random),
+            tls_key_provider: format!("{:?}", provider.key_provider),
+            tls_fips: provider.fips(),
+        })
+    });
+    let _ = fam.get_or_create(tls_info);
+    fam
+}

linkerd/app/core/src/transport/labels.rs

@@ -1,6 +1,7 @@
-pub use crate::metrics::{Direction, OutboundEndpointLabels, ServerLabel as PolicyServerLabel};
+use crate::metrics::ServerLabel as PolicyServerLabel;
+pub use crate::metrics::{Direction, OutboundEndpointLabels};
 use linkerd_conditional::Conditional;
-use linkerd_metrics::FmtLabels;
+use linkerd_metrics::legacy::FmtLabels;
 use linkerd_tls as tls;
 use std::{fmt, net::SocketAddr};
 
@@ -19,16 +20,16 @@ pub enum Key {
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
 pub struct ServerLabels {
     direction: Direction,
-    tls: tls::ConditionalServerTls,
+    tls: tls::ConditionalServerTlsLabels,
     target_addr: SocketAddr,
     policy: Option<PolicyServerLabel>,
 }
 
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub struct TlsAccept<'t>(pub &'t tls::ConditionalServerTls);
+pub struct TlsAccept<'t>(pub &'t tls::ConditionalServerTlsLabels);
 
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub(crate) struct TlsConnect<'t>(&'t tls::ConditionalClientTls);
+pub(crate) struct TlsConnect<'t>(pub &'t tls::ConditionalClientTlsLabels);
 
 #[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
 pub struct TargetAddr(pub SocketAddr);
@@ -37,7 +38,7 @@ pub struct TargetAddr(pub SocketAddr);
 
 impl Key {
     pub fn inbound_server(
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
         target_addr: SocketAddr,
         server: PolicyServerLabel,
     ) -> Self {
@@ -61,7 +62,7 @@ impl FmtLabels for Key {
             }
 
             Self::InboundClient => {
-                const NO_TLS: tls::client::ConditionalClientTls =
+                const NO_TLS: tls::client::ConditionalClientTlsLabels =
                     Conditional::None(tls::NoClientTls::Loopback);
 
                 Direction::In.fmt_labels(f)?;
@@ -74,7 +75,7 @@ impl FmtLabels for Key {
 
 impl ServerLabels {
     fn inbound(
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
         target_addr: SocketAddr,
         policy: PolicyServerLabel,
     ) -> Self {
@@ -89,7 +90,7 @@ impl ServerLabels {
     fn outbound(target_addr: SocketAddr) -> Self {
         ServerLabels {
             direction: Direction::Out,
-            tls: tls::ConditionalServerTls::None(tls::NoServerTls::Loopback),
+            tls: tls::ConditionalServerTlsLabels::None(tls::NoServerTls::Loopback),
             target_addr,
             policy: None,
         }
@@ -98,13 +99,17 @@ impl ServerLabels {
 
 impl FmtLabels for ServerLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
+        let Self {
+            direction,
+            tls,
+            target_addr,
+            policy,
+        } = self;
+
+        direction.fmt_labels(f)?;
         f.write_str(",peer=\"src\",")?;
-        (
-            (TargetAddr(self.target_addr), TlsAccept(&self.tls)),
-            self.policy.as_ref(),
-        )
-            .fmt_labels(f)?;
+
+        ((TargetAddr(*target_addr), TlsAccept(tls)), policy.as_ref()).fmt_labels(f)?;
 
         Ok(())
     }
@@ -112,27 +117,28 @@ impl FmtLabels for ServerLabels {
 
 // === impl TlsAccept ===
 
-impl<'t> From<&'t tls::ConditionalServerTls> for TlsAccept<'t> {
-    fn from(c: &'t tls::ConditionalServerTls) -> Self {
+impl<'t> From<&'t tls::ConditionalServerTlsLabels> for TlsAccept<'t> {
+    fn from(c: &'t tls::ConditionalServerTlsLabels) -> Self {
         TlsAccept(c)
     }
 }
 
-impl<'t> FmtLabels for TlsAccept<'t> {
+impl FmtLabels for TlsAccept<'_> {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self.0 {
+        let Self(tls) = self;
+        match tls {
             Conditional::None(tls::NoServerTls::Disabled) => {
                 write!(f, "tls=\"disabled\"")
             }
             Conditional::None(why) => {
-                write!(f, "tls=\"no_identity\",no_tls_reason=\"{}\"", why)
+                write!(f, "tls=\"no_identity\",no_tls_reason=\"{why}\"")
             }
-            Conditional::Some(tls::ServerTls::Established { client_id, .. }) => match client_id {
-                Some(id) => write!(f, "tls=\"true\",client_id=\"{}\"", id),
+            Conditional::Some(tls::ServerTlsLabels::Established { client_id }) => match client_id {
+                Some(id) => write!(f, "tls=\"true\",client_id=\"{id}\""),
                 None => write!(f, "tls=\"true\",client_id=\"\""),
             },
-            Conditional::Some(tls::ServerTls::Passthru { sni }) => {
-                write!(f, "tls=\"opaque\",sni=\"{}\"", sni)
+            Conditional::Some(tls::ServerTlsLabels::Passthru { sni }) => {
+                write!(f, "tls=\"opaque\",sni=\"{sni}\"")
             }
         }
     }
@@ -140,23 +146,25 @@ impl<'t> FmtLabels for TlsAccept<'t> {
 
 // === impl TlsConnect ===
 
-impl<'t> From<&'t tls::ConditionalClientTls> for TlsConnect<'t> {
-    fn from(s: &'t tls::ConditionalClientTls) -> Self {
+impl<'t> From<&'t tls::ConditionalClientTlsLabels> for TlsConnect<'t> {
+    fn from(s: &'t tls::ConditionalClientTlsLabels) -> Self {
         TlsConnect(s)
     }
 }
 
-impl<'t> FmtLabels for TlsConnect<'t> {
+impl FmtLabels for TlsConnect<'_> {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self.0 {
+        let Self(tls) = self;
+
+        match tls {
             Conditional::None(tls::NoClientTls::Disabled) => {
                 write!(f, "tls=\"disabled\"")
             }
             Conditional::None(why) => {
-                write!(f, "tls=\"no_identity\",no_tls_reason=\"{}\"", why)
+                write!(f, "tls=\"no_identity\",no_tls_reason=\"{why}\"")
             }
-            Conditional::Some(tls::ClientTls { server_id, .. }) => {
-                write!(f, "tls=\"true\",server_id=\"{}\"", server_id)
+            Conditional::Some(tls::ClientTlsLabels { server_id }) => {
+                write!(f, "tls=\"true\",server_id=\"{server_id}\"")
             }
         }
     }
@@ -166,12 +174,13 @@ impl<'t> FmtLabels for TlsConnect<'t> {
 
 impl FmtLabels for TargetAddr {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self(target_addr) = self;
         write!(
             f,
             "target_addr=\"{}\",target_ip=\"{}\",target_port=\"{}\"",
-            self.0,
-            self.0.ip(),
-            self.0.port()
+            target_addr,
+            target_addr.ip(),
+            target_addr.port()
         )
     }
 }
@@ -188,20 +197,29 @@ mod tests {
 
     #[test]
     fn server_labels() {
+        use linkerd_proxy_server_policy::Meta;
+        use std::sync::Arc;
+
         let labels = ServerLabels::inbound(
-            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
+            tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
                 client_id: Some("foo.id.example.com".parse().unwrap()),
-                negotiated_protocol: None,
             }),
             ([192, 0, 2, 4], 40000).into(),
-            PolicyServerLabel("testserver".into()),
+            PolicyServerLabel(
+                Arc::new(Meta::Resource {
+                    group: "policy.linkerd.io".into(),
+                    kind: "server".into(),
+                    name: "testserver".into(),
+                }),
+                40000,
+            ),
         );
         assert_eq!(
             labels.to_string(),
             "direction=\"inbound\",peer=\"src\",\
             target_addr=\"192.0.2.4:40000\",target_ip=\"192.0.2.4\",target_port=\"40000\",\
             tls=\"true\",client_id=\"foo.id.example.com\",\
-            srv_name=\"testserver\""
+            srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testserver\",srv_port=\"40000\""
         );
     }
 }

linkerd/app/gateway/Cargo.toml

@@ -1,25 +1,31 @@
 [package]
 name = "linkerd-app-gateway"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2018"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [dependencies]
-http = "0.2"
+http = { workspace = true }
 futures = { version = "0.3", default-features = false }
 linkerd-app-core = { path = "../core" }
 linkerd-app-inbound = { path = "../inbound" }
 linkerd-app-outbound = { path = "../outbound" }
-thiserror = "1.0"
+linkerd-proxy-client-policy = { path = "../../proxy/client-policy" }
+once_cell = "1"
+thiserror = "2"
 tokio = { version = "1", features = ["sync"] }
-tower = { version = "0.4.8", default-features = false }
-tracing = "0.1.28"
+tonic = { workspace = true, default-features = false }
+tower = { workspace = true, default-features = false }
+tracing = { workspace = true }
 
 [dev-dependencies]
+linkerd-app-inbound = { path = "../inbound", features = ["test-util"] }
+linkerd-app-outbound = { path = "../outbound", features = ["test-util"] }
+linkerd-proxy-server-policy = { path = "../../proxy/server-policy" }
 tokio = { version = "1", features = ["rt", "macros"] }
 tokio-test = "0.4"
-tower = { version = "0.4.8", default-features = false, features = ["util"] }
-tower-test = "0.4"
+tower = { workspace = true, default-features = false, features = ["util"] }
+tower-test = { workspace = true }
 linkerd-app-test = { path = "../test" }

linkerd/app/gateway/src/discover.rs

@@ -0,0 +1,110 @@
+use crate::Gateway;
+use futures::FutureExt;
+use linkerd_app_core::{errors, profiles, svc, Error};
+use linkerd_app_inbound::{GatewayAddr, GatewayDomainInvalid};
+use linkerd_app_outbound::{self as outbound};
+use linkerd_proxy_client_policy::{self as policy, ClientPolicy};
+use once_cell::sync::Lazy;
+use std::sync::Arc;
+use tokio::sync::watch;
+use tracing::Instrument;
+
+impl Gateway {
+    pub(crate) fn resolver(
+        &self,
+        profiles: impl profiles::GetProfile<Error = Error>,
+        policies: impl outbound::policy::GetPolicy,
+    ) -> impl svc::Service<
+        GatewayAddr,
+        Response = (
+            Option<profiles::Receiver>,
+            watch::Receiver<outbound::policy::ClientPolicy>,
+        ),
+        Error = Error,
+        Future = impl Send + Unpin,
+    > + Clone {
+        use futures::future;
+
+        let allowlist = self.config.allow_discovery.clone();
+        let detect_timeout = self.outbound.config().proxy.detect_protocol_timeout;
+        let queue = {
+            let queue = self.outbound.config().tcp_connection_queue;
+            policy::Queue {
+                capacity: queue.capacity,
+                failfast_timeout: queue.failfast_timeout,
+            }
+        };
+        svc::mk(move |GatewayAddr(addr)| {
+            tracing::debug!(%addr, "Discover");
+
+            if !allowlist.matches(addr.name()) {
+                tracing::debug!(%addr, "Address not in gateway discovery allowlist");
+                return future::Either::Left(future::err(GatewayDomainInvalid.into()));
+            }
+
+            let profile = profiles
+                .clone()
+                .get_profile(profiles::LookupAddr(addr.clone().into()))
+                .instrument(tracing::debug_span!("profiles").or_current());
+
+            let policy = policies
+                .get_policy(addr.into())
+                .instrument(tracing::debug_span!("policy").or_current());
+
+            let discovery = future::join(profile, policy).map(move |(profile, policy)| {
+                tracing::debug!("Discovered");
+
+                let profile = profile?.ok_or(GatewayDomainInvalid)?;
+
+                // If there was a policy resolution, return it with the profile so
+                // the stack can determine how to switch on them.
+                match policy {
+                    Ok(policy) => return Ok((Some(profile), policy)),
+                    // The policy controller currently rejects discovery for DNS
+                    // names that are not Services, so we will get a `NotFound`
+                    // error if we looked up a pod DNS name. In this case, we
+                    // will synthesize a default policy.
+                    Err(error) if errors::has_grpc_status(&error, tonic::Code::NotFound) =>
+                        tracing::debug!("Policy not found"),
+                    // Earlier versions of the Linkerd control plane (e.g.
+                    // 2.12.x) will return `Unimplemented` for requests to the
+                    // OutboundPolicy API. Log a warning and synthesize a policy
+                    // for backwards compatibility.
+                    Err(error) if errors::has_grpc_status(&error, tonic::Code::Unimplemented) =>
+                        tracing::warn!("Policy controller returned `Unimplemented`, the control plane may be out of date."),
+                    Err(error) => return Err(error),
+                }
+
+                let policy = outbound::spawn_synthesized_profile_policy(
+                    profile.clone().into(),
+                    move |profile| {
+                        static META: Lazy<Arc<policy::Meta>> = Lazy::new(|| {
+                            Arc::new(policy::Meta::Default {
+                                name: "gateway".into(),
+                            })
+                        });
+
+                        match profile.endpoint.clone() {
+                            Some((addr, meta)) => outbound::synthesize_forward_policy(
+                                &META,
+                                detect_timeout,
+                                queue,
+                                addr,
+                                meta.into(),
+                            ),
+                            None => {
+                                tracing::debug!(
+                                    "Gateway ServiceProfile does not contain an endpoint"
+                                );
+                                ClientPolicy::invalid(detect_timeout)
+                            }
+                        }
+                    },
+                );
+                Ok((Some(profile), policy))
+            });
+
+            future::Either::Right(discovery)
+        })
+    }
+}

linkerd/app/gateway/src/gateway.rs

@@ -1,215 +0,0 @@
-use super::HttpTarget;
-use futures::{future, TryFutureExt};
-use linkerd_app_core::{
-    dns, profiles,
-    proxy::http,
-    svc::{self, layer},
-    tls, Error, NameAddr,
-};
-use linkerd_app_inbound::{GatewayDomainInvalid, GatewayIdentityRequired, GatewayLoop};
-use linkerd_app_outbound as outbound;
-use std::{
-    future::Future,
-    pin::Pin,
-    task::{Context, Poll},
-};
-use tracing::{debug, warn};
-
-#[derive(Clone, Debug)]
-pub(crate) struct NewGateway<O> {
-    outbound: O,
-    local_id: Option<tls::LocalId>,
-}
-
-#[derive(Clone, Debug)]
-pub(crate) enum Gateway<O> {
-    NoIdentity,
-    BadDomain(dns::Name),
-    Outbound {
-        outbound: O,
-        local_identity: tls::LocalId,
-        host: String,
-    },
-}
-
-pub(crate) type Target = (Option<profiles::Receiver>, HttpTarget);
-
-// === impl NewGateway ===
-
-impl<O> NewGateway<O> {
-    pub fn new(outbound: O, local_id: Option<tls::LocalId>) -> Self {
-        Self { outbound, local_id }
-    }
-
-    pub fn layer(local_id: Option<tls::LocalId>) -> impl layer::Layer<O, Service = Self> + Clone {
-        layer::mk(move |outbound| Self::new(outbound, local_id.clone()))
-    }
-}
-
-impl<O> svc::NewService<Target> for NewGateway<O>
-where
-    O: svc::NewService<svc::Either<outbound::http::Logical, outbound::http::Endpoint>>
-        + Send
-        + Clone
-        + 'static,
-{
-    type Service = Gateway<O::Service>;
-
-    fn new_service(&self, (profile, http): Target) -> Self::Service {
-        let local_id = match self.local_id.clone() {
-            Some(id) => id,
-            None => return Gateway::NoIdentity,
-        };
-        let profile = match profile {
-            Some(profile) => profile,
-            None => return Gateway::BadDomain(http.target.name().clone()),
-        };
-
-        // Create an outbound target using the endpoint from the profile.
-        if let Some((addr, metadata)) = profile.endpoint() {
-            debug!("Creating outbound endpoint");
-            // Create empty list of inbound ips, TLS shouldn't be skipped in
-            // this case.
-            let svc = self
-                .outbound
-                .new_service(svc::Either::B(outbound::http::Endpoint::from((
-                    http.version,
-                    outbound::tcp::Endpoint::from_metadata(
-                        addr,
-                        metadata,
-                        tls::NoClientTls::NotProvidedByServiceDiscovery,
-                        profile.is_opaque_protocol(),
-                        // Address would not be a local IP so always treat
-                        // target as remote in this case.
-                        &Default::default(),
-                    ),
-                ))));
-            return Gateway::new(svc, http.target, local_id);
-        }
-
-        let logical_addr = match profile.logical_addr() {
-            Some(addr) => addr,
-            None => return Gateway::BadDomain(http.target.name().clone()),
-        };
-
-        // Create an outbound target using the resolved name and an address
-        // including the original port. We don't know the IP of the target, so
-        // we use an unroutable one.
-        debug!("Creating outbound service");
-        let svc = self
-            .outbound
-            .new_service(svc::Either::A(outbound::http::Logical {
-                profile,
-                protocol: http.version,
-                logical_addr,
-            }));
-
-        Gateway::new(svc, http.target, local_id)
-    }
-}
-
-// === impl Gateway ===
-
-impl<O> Gateway<O> {
-    pub fn new(outbound: O, dst: NameAddr, local_identity: tls::LocalId) -> Self {
-        let host = dst.as_http_authority().to_string();
-        Gateway::Outbound {
-            outbound,
-            local_identity,
-            host,
-        }
-    }
-}
-
-type ResponseFuture<T> = Pin<Box<dyn Future<Output = Result<T, Error>> + Send + 'static>>;
-
-impl<B, O> tower::Service<http::Request<B>> for Gateway<O>
-where
-    B: http::HttpBody + 'static,
-    O: tower::Service<http::Request<B>, Response = http::Response<http::BoxBody>>,
-    O::Error: Into<Error> + 'static,
-    O::Future: Send + 'static,
-{
-    type Response = O::Response;
-    type Error = Error;
-    type Future = ResponseFuture<O::Response>;
-
-    #[inline]
-    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
-        match self {
-            Self::Outbound { outbound, .. } => outbound.poll_ready(cx).map_err(Into::into),
-            _ => Poll::Ready(Ok(())),
-        }
-    }
-
-    fn call(&mut self, mut request: http::Request<B>) -> Self::Future {
-        match self {
-            Self::Outbound {
-                ref mut outbound,
-                ref host,
-                local_identity: tls::LocalId(local_id),
-            } => {
-                // Check forwarded headers to see if this request has already
-                // transited through this gateway.
-                for forwarded in request
-                    .headers()
-                    .get_all(http::header::FORWARDED)
-                    .into_iter()
-                    .filter_map(|h| h.to_str().ok())
-                {
-                    if let Some(by) = fwd_by(forwarded) {
-                        tracing::info!(%forwarded);
-                        if by == local_id.as_ref() {
-                            return Box::pin(future::err(GatewayLoop.into()));
-                        }
-                    }
-                }
-
-                // Determine the value of the forwarded header using the Client
-                // ID from the requests's extensions.
-                let fwd = match request.extensions_mut().remove::<tls::ClientId>() {
-                    Some(client_id) => {
-                        let fwd = format!(
-                            "by={};for={};host={};proto=https",
-                            local_id, client_id, host
-                        );
-                        http::header::HeaderValue::from_str(&fwd)
-                            .expect("Forwarded header value must be valid")
-                    }
-                    None => {
-                        warn!("Request missing ClientId extension");
-                        return Box::pin(future::err(GatewayIdentityRequired.into()));
-                    }
-                };
-                request.headers_mut().append(http::header::FORWARDED, fwd);
-
-                // If we're forwarding HTTP/1 requests, the old `Host` header
-                // was stripped on the peer's outbound proxy. But the request
-                // should have an updated `Host` header now that it's being
-                // routed in the cluster.
-                if let ::http::Version::HTTP_11 | ::http::Version::HTTP_10 = request.version() {
-                    request.headers_mut().insert(
-                        http::header::HOST,
-                        http::header::HeaderValue::from_str(host)
-                            .expect("Host header value must be valid"),
-                    );
-                }
-
-                tracing::debug!("Passing request to outbound");
-                Box::pin(outbound.call(request).map_err(Into::into))
-            }
-            Self::NoIdentity => Box::pin(future::err(GatewayIdentityRequired.into())),
-            Self::BadDomain(..) => Box::pin(future::err(GatewayDomainInvalid.into())),
-        }
-    }
-}
-
-fn fwd_by(fwd: &str) -> Option<&str> {
-    for kv in fwd.split(';') {
-        let mut kv = kv.split('=');
-        if let Some("by") = kv.next() {
-            return kv.next();
-        }
-    }
-    None
-}

linkerd/app/gateway/src/http.rs

@@ -0,0 +1,230 @@
+use super::Gateway;
+use inbound::{GatewayAddr, GatewayDomainInvalid};
+use linkerd_app_core::{
+    metrics::ServerLabel,
+    profiles,
+    proxy::{
+        api_resolve::{ConcreteAddr, Metadata},
+        core::Resolve,
+        http,
+    },
+    svc, tls,
+    transport::addrs::*,
+    Error,
+};
+use linkerd_app_inbound as inbound;
+use linkerd_app_outbound as outbound;
+use std::fmt::Debug;
+use tokio::sync::watch;
+
+mod gateway;
+#[cfg(test)]
+mod tests;
+
+pub(crate) use self::gateway::NewHttpGateway;
+
+/// Target for outbound HTTP gateway stacks.
+#[derive(Clone, Debug)]
+pub struct Target<T = ()> {
+    addr: GatewayAddr,
+    routes: watch::Receiver<outbound::http::Routes>,
+    version: http::Variant,
+    parent: T,
+}
+
+/// Implements `svc::router::SelectRoute` for outbound HTTP requests. An
+/// `OutboundHttp` target is returned for each request using the request's HTTP
+/// version.
+///
+/// The request's HTTP version may not match the target's original HTTP version
+/// when proxies use HTTP/2 to transport HTTP/1 requests.
+#[derive(Clone, Debug)]
+struct ByRequestVersion<T>(Target<T>);
+
+impl Gateway {
+    /// Wrap the provided outbound HTTP client with the inbound HTTP server,
+    /// inbound authorization, tagged-transport gateway routing, and the
+    /// outbound router.
+    pub fn http<T, R>(
+        &self,
+        inner: svc::ArcNewHttp<
+            outbound::http::concrete::Endpoint<
+                outbound::http::logical::Concrete<outbound::http::Http<Target>>,
+            >,
+        >,
+        resolve: R,
+    ) -> svc::Stack<
+        svc::ArcNewService<
+            T,
+            impl svc::Service<
+                    http::Request<http::BoxBody>,
+                    Response = http::Response<http::BoxBody>,
+                    Error = Error,
+                    Future = impl Send,
+                > + Clone,
+        >,
+    >
+    where
+        // Target describing an inbound gateway connection.
+        T: svc::Param<GatewayAddr>,
+        T: svc::Param<OrigDstAddr>,
+        T: svc::Param<Remote<ClientAddr>>,
+        T: svc::Param<ServerLabel>,
+        T: svc::Param<tls::ConditionalServerTls>,
+        T: svc::Param<tls::ClientId>,
+        T: svc::Param<inbound::policy::AllowPolicy>,
+        T: svc::Param<Option<watch::Receiver<profiles::Profile>>>,
+        T: svc::Param<http::Variant>,
+        T: svc::Param<http::normalize_uri::DefaultAuthority>,
+        T: Clone + Send + Sync + Unpin + 'static,
+        // Endpoint resolution.
+        R: Resolve<ConcreteAddr, Endpoint = Metadata, Error = Error>,
+        R::Resolution: Unpin,
+    {
+        let http = self
+            .outbound
+            .clone()
+            .with_stack(inner)
+            .push_http_cached(resolve)
+            .into_stack()
+            // Discard `T` and its associated client-specific metadata.
+            .push_map_target(Target::discard_parent)
+            .push(svc::ArcNewService::layer())
+            // Add headers to prevent loops.
+            .push(NewHttpGateway::layer(
+                self.inbound.identity().local_id().clone(),
+            ))
+            .push_on_service(svc::LoadShed::layer())
+            .lift_new()
+            .push(svc::ArcNewService::layer())
+            // After protocol-downgrade, we need to build an inner stack for
+            // each request-level HTTP version.
+            .push(svc::NewOneshotRoute::layer_via(|t: &Target<T>| {
+                ByRequestVersion(t.clone())
+            }))
+            // Only permit gateway traffic to endpoints for which we have
+            // discovery information.
+            .push_filter(|(_, parent): (_, T)| -> Result<_, GatewayDomainInvalid> {
+                let routes = {
+                    let mut profile =
+                        svc::Param::<Option<watch::Receiver<profiles::Profile>>>::param(&parent)
+                            .ok_or(GatewayDomainInvalid)?;
+                    let init =
+                        mk_routes(&profile.borrow_and_update()).ok_or(GatewayDomainInvalid)?;
+                    outbound::http::spawn_routes(profile, init, mk_routes)
+                };
+
+                Ok(Target {
+                    routes,
+                    addr: parent.param(),
+                    version: parent.param(),
+                    parent,
+                })
+            })
+            .push(svc::ArcNewService::layer())
+            // Authorize requests to the gateway.
+            .push(self.inbound.authorize_http())
+            .arc_new_clone_http();
+
+        self.inbound
+            .clone()
+            .with_stack(http.into_inner())
+            // Teminates HTTP connections.
+            // XXX Sets an identity header -- this should probably not be done
+            // in the gateway, though the value will be stripped by meshed
+            // servers.
+            .push_http_server()
+            .into_stack()
+            .arc_new_clone_http()
+    }
+}
+
+fn mk_routes(profile: &profiles::Profile) -> Option<outbound::http::Routes> {
+    if let Some(addr) = profile.addr.clone() {
+        return Some(outbound::http::Routes::Profile(
+            outbound::http::profile::Routes {
+                addr,
+                routes: profile.http_routes.clone(),
+                targets: profile.targets.clone(),
+            },
+        ));
+    }
+
+    if let Some((addr, metadata)) = profile.endpoint.clone() {
+        return Some(outbound::http::Routes::Endpoint(
+            Remote(ServerAddr(addr)),
+            metadata.into(),
+        ));
+    }
+
+    None
+}
+
+// === impl ByRequestVersion ===
+
+impl<B, T: Clone> svc::router::SelectRoute<http::Request<B>> for ByRequestVersion<T> {
+    type Key = Target<T>;
+    type Error = http::UnsupportedVariant;
+
+    fn select(&self, req: &http::Request<B>) -> Result<Self::Key, Self::Error> {
+        let mut t = self.0.clone();
+        t.version = req.version().try_into()?;
+        Ok(t)
+    }
+}
+
+// === impl Target ===
+
+impl<T> Target<T> {
+    fn discard_parent(self) -> Target {
+        Target {
+            addr: self.addr,
+            routes: self.routes,
+            version: self.version,
+            parent: (),
+        }
+    }
+}
+
+impl<T> svc::Param<GatewayAddr> for Target<T> {
+    fn param(&self) -> GatewayAddr {
+        self.addr.clone()
+    }
+}
+
+impl<T> svc::Param<http::Variant> for Target<T> {
+    fn param(&self) -> http::Variant {
+        self.version
+    }
+}
+
+impl<T> svc::Param<tls::ClientId> for Target<T>
+where
+    T: svc::Param<tls::ClientId>,
+{
+    fn param(&self) -> tls::ClientId {
+        self.parent.param()
+    }
+}
+
+impl<T> svc::Param<watch::Receiver<outbound::http::Routes>> for Target<T> {
+    fn param(&self) -> watch::Receiver<outbound::http::Routes> {
+        self.routes.clone()
+    }
+}
+
+impl<T> PartialEq for Target<T> {
+    fn eq(&self, other: &Self) -> bool {
+        self.addr == other.addr && self.version == other.version
+    }
+}
+
+impl<T> Eq for Target<T> {}
+
+impl<T: std::hash::Hash> std::hash::Hash for Target<T> {
+    fn hash<H: std::hash::Hasher>(&self, state: &mut H) {
+        self.addr.hash(state);
+        self.version.hash(state);
+        self.parent.hash(state);
+    }
+}

linkerd/app/gateway/src/http/gateway.rs

@@ -0,0 +1,142 @@
+use futures::{future, TryFutureExt};
+use linkerd_app_core::{
+    identity as id,
+    proxy::http,
+    svc::{self, layer},
+    tls, Error,
+};
+use linkerd_app_inbound::{GatewayAddr, GatewayLoop};
+use std::{
+    future::Future,
+    pin::Pin,
+    task::{Context, Poll},
+};
+
+/// A `NewService` that wraps inner services with [`HttpGateway`].
+#[derive(Clone, Debug)]
+pub(crate) struct NewHttpGateway<N> {
+    inner: N,
+    local_id: id::Id,
+}
+
+/// A `Service` middleware that fails requests that would loop. It reads and
+/// updates the `forwarded` header to detect loops.
+#[derive(Clone, Debug)]
+pub(crate) struct HttpGateway<S> {
+    inner: S,
+    host: String,
+    client_id: tls::ClientId,
+    local_id: id::Id,
+}
+
+type ResponseFuture<T> = Pin<Box<dyn Future<Output = Result<T, Error>> + Send + 'static>>;
+
+// === impl NewHttpGateway ===
+
+impl<N> NewHttpGateway<N> {
+    pub fn new(inner: N, local_id: id::Id) -> Self {
+        Self { inner, local_id }
+    }
+
+    pub fn layer(local_id: id::Id) -> impl layer::Layer<N, Service = Self> + Clone {
+        layer::mk(move |inner| Self::new(inner, local_id.clone()))
+    }
+}
+
+impl<T, N> svc::NewService<T> for NewHttpGateway<N>
+where
+    T: svc::Param<GatewayAddr>,
+    T: svc::Param<tls::ClientId>,
+    N: svc::NewService<T> + Clone + Send + 'static,
+{
+    type Service = HttpGateway<N::Service>;
+
+    fn new_service(&self, target: T) -> Self::Service {
+        let GatewayAddr(addr) = target.param();
+        HttpGateway {
+            host: addr.as_http_authority().to_string(),
+            client_id: target.param(),
+            local_id: self.local_id.clone(),
+            inner: self.inner.new_service(target),
+        }
+    }
+}
+
+// === impl HttpGateway ===
+
+impl<B, S> tower::Service<http::Request<B>> for HttpGateway<S>
+where
+    B: http::Body + 'static,
+    S: tower::Service<http::Request<B>, Response = http::Response<http::BoxBody>>,
+    S::Error: Into<Error> + 'static,
+    S::Future: Send + 'static,
+{
+    type Response = S::Response;
+    type Error = Error;
+    type Future = ResponseFuture<S::Response>;
+
+    #[inline]
+    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        // If the client ID is the same as the gateway's, then we're in a loop.
+        if *self.client_id == self.local_id {
+            return Poll::Ready(Err(GatewayLoop.into()));
+        }
+
+        self.inner.poll_ready(cx).map_err(Into::into)
+    }
+
+    fn call(&mut self, mut request: http::Request<B>) -> Self::Future {
+        // Check forwarded headers to see if this request has already
+        // transited through this gateway.
+        for forwarded in request
+            .headers()
+            .get_all(http::header::FORWARDED)
+            .into_iter()
+            .filter_map(|h| h.to_str().ok())
+        {
+            if let Some(by) = fwd_by(forwarded) {
+                tracing::info!(%forwarded);
+                if by == self.local_id.to_str() {
+                    return Box::pin(future::err(GatewayLoop.into()));
+                }
+            }
+        }
+
+        // Determine the value of the forwarded header using the Client
+        // ID from the requests's extensions.
+        let fwd = format!(
+            "by={};for={};host={};proto=https",
+            self.local_id, self.client_id, self.host
+        );
+        request.headers_mut().append(
+            http::header::FORWARDED,
+            http::header::HeaderValue::from_str(&fwd)
+                .expect("Forwarded header value must be valid"),
+        );
+
+        // If we're forwarding HTTP/1 requests, the old `Host` header
+        // was stripped on the peer's outbound proxy. But the request
+        // should have an updated `Host` header now that it's being
+        // routed in the cluster.
+        if let ::http::Version::HTTP_11 | ::http::Version::HTTP_10 = request.version() {
+            request.headers_mut().insert(
+                http::header::HOST,
+                http::header::HeaderValue::from_str(&self.host)
+                    .expect("Host header value must be valid"),
+            );
+        }
+
+        tracing::trace!("Passing request to outbound");
+        Box::pin(self.inner.call(request).map_err(Into::into))
+    }
+}
+
+fn fwd_by(fwd: &str) -> Option<&str> {
+    for kv in fwd.split(';') {
+        let mut kv = kv.split('=');
+        if let Some("by") = kv.next() {
+            return kv.next();
+        }
+    }
+    None
+}

linkerd/app/gateway/src/http/tests.rs

@@ -0,0 +1,277 @@
+use super::*;
+use linkerd_app_core::{
+    svc::{NewService, ServiceExt},
+    trace::test::trace_init,
+    NameAddr,
+};
+use linkerd_app_inbound::GatewayLoop;
+use linkerd_proxy_server_policy as policy;
+use std::{str::FromStr, sync::Arc, time};
+use tower_test::mock;
+
+#[tokio::test]
+async fn gateway() {
+    assert_eq!(
+        Test::default().run().await.unwrap().status(),
+        http::StatusCode::NO_CONTENT
+    );
+}
+
+#[tokio::test]
+async fn forward_loop() {
+    let test = Test {
+        orig_fwd: Some(
+            "by=gateway.id.test;for=client.id.test;host=dst.test.example.com:4321;proto=https",
+        ),
+        ..Default::default()
+    };
+    let e = test.run().await.unwrap_err();
+    assert!(e.is::<GatewayLoop>());
+}
+
+/// If the HTTP stack is misconfigured--specifically if two server stacks are
+/// instrumented--it may incorrectly determine that an upgraded origin-form
+/// HTTP/1.1 request should be in absolute-form.
+///
+/// This test validates that origin-form requests are not marked as
+/// absolute-form.
+#[tokio::test(flavor = "current_thread")]
+async fn upgraded_request_remains_relative_form() {
+    let _trace = trace_init();
+
+    #[derive(Clone, Debug)]
+    struct Target;
+
+    impl svc::Param<GatewayAddr> for Target {
+        fn param(&self) -> GatewayAddr {
+            GatewayAddr("web.test.example.com:80".parse().unwrap())
+        }
+    }
+
+    impl svc::Param<OrigDstAddr> for Target {
+        fn param(&self) -> OrigDstAddr {
+            OrigDstAddr(([10, 10, 10, 10], 4143).into())
+        }
+    }
+
+    impl svc::Param<Remote<ClientAddr>> for Target {
+        fn param(&self) -> Remote<ClientAddr> {
+            Remote(ClientAddr(([10, 10, 10, 11], 41430).into()))
+        }
+    }
+
+    impl svc::Param<ServerLabel> for Target {
+        fn param(&self) -> ServerLabel {
+            ServerLabel(policy::Meta::new_default("test"), 4143)
+        }
+    }
+
+    impl svc::Param<tls::ClientId> for Target {
+        fn param(&self) -> tls::ClientId {
+            tls::ClientId::from_str("client.id.test").unwrap()
+        }
+    }
+
+    impl svc::Param<tls::ConditionalServerTls> for Target {
+        fn param(&self) -> tls::ConditionalServerTls {
+            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
+                client_id: Some(self.param()),
+                negotiated_protocol: None,
+            })
+        }
+    }
+
+    impl svc::Param<Option<profiles::Receiver>> for Target {
+        fn param(&self) -> Option<profiles::Receiver> {
+            Some(linkerd_app_test::profile::only(profiles::Profile {
+                addr: Some(profiles::LogicalAddr(
+                    "web.test.example.com:80".parse().unwrap(),
+                )),
+                ..profiles::Profile::default()
+            }))
+        }
+    }
+
+    impl svc::Param<Option<watch::Receiver<profiles::Profile>>> for Target {
+        fn param(&self) -> Option<watch::Receiver<profiles::Profile>> {
+            svc::Param::<Option<profiles::Receiver>>::param(self).map(Into::into)
+        }
+    }
+
+    impl svc::Param<http::Variant> for Target {
+        fn param(&self) -> http::Variant {
+            http::Variant::H2
+        }
+    }
+
+    impl svc::Param<http::normalize_uri::DefaultAuthority> for Target {
+        fn param(&self) -> http::normalize_uri::DefaultAuthority {
+            http::normalize_uri::DefaultAuthority(Some(
+                http::uri::Authority::from_str("web.test.example.com").unwrap(),
+            ))
+        }
+    }
+
+    impl svc::Param<inbound::policy::AllowPolicy> for Target {
+        fn param(&self) -> inbound::policy::AllowPolicy {
+            let policy = policy::ServerPolicy {
+                meta: inbound::policy::Meta::new_default("test"),
+                protocol: policy::Protocol::Detect {
+                    timeout: time::Duration::from_secs(10),
+                    tcp_authorizations: Arc::new([]),
+                    http: Arc::new([policy::http::default(Arc::new([policy::Authorization {
+                        authentication: policy::Authentication::TlsUnauthenticated,
+                        networks: vec![svc::Param::<Remote<ClientAddr>>::param(self).ip().into()],
+                        meta: Arc::new(policy::Meta::Resource {
+                            group: "policy.linkerd.io".into(),
+                            kind: "authorizationpolicy".into(),
+                            name: "testsaz".into(),
+                        }),
+                    }]))]),
+                },
+                local_rate_limit: Arc::new(Default::default()),
+            };
+            let (policy, tx) = inbound::policy::AllowPolicy::for_test(self.param(), policy);
+            tokio::spawn(async move {
+                tx.closed().await;
+            });
+            policy
+        }
+    }
+
+    let (inner, mut handle) =
+        mock::pair::<http::Request<http::BoxBody>, http::Response<http::BoxBody>>();
+    handle.allow(1);
+
+    let outer = {
+        let (outbound, _outbound_shutdown) = crate::Outbound::for_test();
+        let (inbound, _inbound_shutdown) = crate::Inbound::for_test();
+        let gateway = Gateway {
+            inbound,
+            outbound,
+            config: crate::Config {
+                allow_discovery: std::iter::once("example.com".parse().unwrap()).collect(),
+            },
+        };
+
+        let resolve = linkerd_app_test::resolver::Dst::default().endpoint_exists(
+            svc::Param::<GatewayAddr>::param(&Target).0,
+            svc::Param::<Remote<ClientAddr>>::param(&Target).into(),
+            Metadata::default(),
+        );
+        gateway
+            .http(
+                svc::ArcNewHttp::new(move |_: _| svc::BoxHttp::new(inner.clone())),
+                resolve,
+            )
+            .new_service(Target)
+    };
+
+    // Process a request in the background so we can handle it ourselves to see
+    // how the request was mutated
+    tokio::spawn(async move {
+        let (handle, _closed) =
+            http::ClientHandle::new(svc::Param::<Remote<ClientAddr>>::param(&Target).into());
+        let req = http::Request::builder()
+            .method(http::Method::GET)
+            .version(::http::Version::HTTP_2)
+            .uri("http://web-original.test.example.com/test.txt")
+            .header("l5d-orig-proto", "HTTP/1.1")
+            .extension(handle)
+            .body(http::BoxBody::default())
+            .unwrap();
+        let _rsp = outer.oneshot(req).await.unwrap();
+        drop(_closed);
+    });
+
+    let (request, _respond) = handle.next_request().await.unwrap();
+    assert!(request
+        .extensions()
+        .get::<http::h1::WasAbsoluteForm>()
+        .is_none());
+}
+
+struct Test {
+    target: NameAddr,
+    client_id: tls::ClientId,
+    orig_fwd: Option<&'static str>,
+}
+
+impl Default for Test {
+    fn default() -> Self {
+        Self {
+            target: NameAddr::from_str("dst.test.example.com:4321").unwrap(),
+            client_id: tls::ClientId::from_str("client.id.test").unwrap(),
+            orig_fwd: None,
+        }
+    }
+}
+
+impl Test {
+    async fn run(self) -> Result<http::Response<http::BoxBody>, Error> {
+        let Self {
+            target,
+            client_id,
+            orig_fwd,
+            ..
+        } = self;
+
+        let (outbound, mut handle) =
+            mock::pair::<http::Request<http::BoxBody>, http::Response<http::BoxBody>>();
+
+        let new = NewHttpGateway::new(
+            move |_: _| outbound.clone(),
+            "gateway.id.test".parse().unwrap(),
+        );
+
+        #[derive(Clone, Debug)]
+        struct Target {
+            addr: NameAddr,
+            client_id: tls::ClientId,
+        }
+
+        impl svc::Param<GatewayAddr> for Target {
+            fn param(&self) -> GatewayAddr {
+                GatewayAddr(self.addr.clone())
+            }
+        }
+
+        impl svc::Param<tls::ClientId> for Target {
+            fn param(&self) -> tls::ClientId {
+                self.client_id.clone()
+            }
+        }
+
+        let gateway = svc::stack(new)
+            .check_new_service::<Target, http::Request<http::BoxBody>>()
+            .new_service(Target {
+                addr: target.clone(),
+                client_id,
+            });
+
+        let bg = tokio::spawn(async move {
+            handle.allow(1);
+            let (req, rsp) = handle.next_request().await.unwrap();
+            assert_eq!(
+                req.headers().get(http::header::FORWARDED).unwrap(),
+                "by=gateway.id.test;for=client.id.test;host=dst.test.example.com:4321;proto=https"
+            );
+            rsp.send_response(
+                http::Response::builder()
+                    .status(http::StatusCode::NO_CONTENT)
+                    .body(Default::default())
+                    .unwrap(),
+            );
+        });
+
+        let req = http::Request::builder().uri(format!("http://{target}"));
+        let req = orig_fwd
+            .into_iter()
+            .fold(req, |req, fwd| req.header(http::header::FORWARDED, fwd))
+            .body(Default::default())
+            .unwrap();
+        let rsp = gateway.oneshot(req).await?;
+        bg.await?;
+        Ok(rsp)
+    }
+}