nit(app): remove frivolous code (#4094)

this commit removes a piece of code that has been commented out.

it additionally removes a variable binding that is not needed. `dst` is
not moved, so we do not need to bind the address of the destination
service to a variable, nor do we need to clone it.

Signed-off-by: katelyn martin <kate@buoyant.io>

.devcontainer/devcontainer.json

@@ -3,7 +3,7 @@
 	"build": {
 		"dockerfile": "Dockerfile",
 		"args": {
-			"DEV_VERSION": "v45",
+			"DEV_VERSION": "v47",
 			"http_proxy": "${localEnv:http_proxy}",
 			"https_proxy": "${localEnv:https_proxy}"
 		}
@@ -23,7 +23,15 @@
 				"zxh404.vscode-proto3"
 			],
 			"settings": {
-				"files.insertFinalNewline": true
+				"files.insertFinalNewline": true,
+				"[git-commit]": {
+					"editor.rulers": [
+						72,
+						80
+					],
+					"editor.wordWrap": "wordWrapColumn",
+					"editor.wordWrapColumn": 80
+				}
 			}
 		}
 	},

.github/copilot-instructions.md

@@ -0,0 +1,156 @@
+# Linkerd2 Proxy Copilot Instructions
+
+## Code Generation
+
+- Code MUST pass `cargo fmt`.
+- Code MUST pass `cargo clippy --all-targets --all-features -- -D warnings`.
+- Markdown MUST pass `markdownlint-cli2`.
+- Prefer `?` for error propagation.
+- Avoid `unwrap()` and `expect()` outside tests.
+- Use `tracing` crate macros (`tracing::info!`, etc.) for structured logging.
+
+### Comments
+
+Comments should explain **why**, not **what**. Focus on high-level rationale and
+design intent at the function or block level, rather than line-by-line
+descriptions.
+
+- Use comments to capture:
+  - System-facing or interface-level concerns
+  - Key invariants, preconditions, and postconditions
+  - Design decisions and trade-offs
+  - Cross-references to architecture or design documentation
+- Avoid:
+  - Line-by-line commentary explaining obvious code
+  - Restating what the code already clearly expresses
+- For public APIs:
+  - Use `///` doc comments to describe the contract, behavior, parameters, and
+    usage examples
+- For internal rationale:
+  - Use `//` comments sparingly to note non-obvious reasoning or edge-case
+    handling
+- Be neutral and factual.
+
+### Rust File Organization
+
+For Rust source files, enforce this layout:
+
+1. **Non‑public imports**  
+   - Declare all `use` statements for private/internal crates first.  
+   - Group imports to avoid duplicates and do **not** add blank lines between
+     `use` statements.
+
+2. **Module declarations**  
+   - List all `mod` declarations.
+
+3. **Re‑exports**  
+   - Follow with `pub use` statements.
+
+4. **Type definitions**  
+   - Define `struct`, `enum`, `type`, and `trait` declarations.  
+   - Sort by visibility: `pub` first, then `pub(crate)`, then private.
+   - Public types should be documented with `///` comments.
+
+5. **Impl blocks**  
+   - Implement methods in the same order as types above.  
+   - Precede each type’s `impl` block with a header comment: `// === <TypeName> ===`
+
+6. **Tests**  
+   - End with a `tests` module guarded by `#[cfg(test)]`.
+   - If the in‑file test module exceeds 100 lines, move it to
+     `tests/<filename>.rs` as a child integration‑test module.
+
+## Test Generation
+
+- Async tests MUST use `tokio::test`.
+- Synchronous tests use `#[test]`.
+- Include at least one failing‑edge‑case test per public function.
+- Use `tracing::info!` for logging in tests, usually in place of comments.
+
+## Code Review
+
+### Rust
+
+- Point out any `unsafe` blocks and justify their safety.
+- Flag functions >50 LOC for refactor suggestions.
+- Highlight missing docs on public items.
+
+### Markdown
+
+- Use `markdownlint-cli2` to check for linting errors.
+- Lines SHOULD be wrapped at 80 characters.
+- Fenced code blocks MUST include a language identifier.
+
+### Copilot Instructions
+
+- Start each instruction with an imperative, present‑tense verb.
+- Keep each instruction under 120 characters.
+- Provide one directive per instruction; avoid combining multiple ideas.
+- Use "MUST" and "SHOULD" sparingly to emphasize critical rules.
+- Avoid semicolons and complex punctuation within bullets.
+- Do not reference external links, documents, or specific coding standards.
+
+## Commit Messages
+
+Commits follow the Conventional Commits specification:
+
+### Subject
+
+Subjects are in the form: `<type>[optional scope]: <description>`
+
+- **Type**: feat, fix, docs, refactor, test, chore, ci, build, perf, revert
+  (others by agreement)
+- **Scope**: optional, lowercase; may include `/` to denote sub‑modules (e.g.
+  `http/detect`)
+- **Description**: imperative mood, present tense, no trailing period
+- MUST be less than 72 characters
+- Omit needless words!
+
+### Body
+
+Non-trivial commits SHOULD include a body summarizing the change.
+
+- Explain *why* the change was needed.  
+- Describe *what* was done at a high level.
+- Use present-tense narration.
+- Use complete sentences, paragraphs, and punctuation.
+- Preceded by a blank line.
+- Wrapped at 80 characters.
+- Omit needless words!
+
+### Breaking changes
+
+If the change introduces a backwards-incompatible change, it MUST be marked as
+such.
+
+- Indicated by `!` after the type/scope (e.g. `feat(inbound)!: …`)  
+- Optionally including a `BREAKING CHANGE:` section in the footer explaining the
+  change in behavior.
+
+### Examples
+
+```text
+feat(auth): add JWT refresh endpoint
+
+There is currently no way to refresh a JWT token.
+
+This exposes a new `/refresh` route that returns a refreshed token.
+```
+
+```text
+feat(api)!: remove deprecated v1 routes
+
+The `/v1/*` endpoints have been deprecated for a long time and are no
+longer called by clients.
+
+This change removes the `/v1/*` endpoints and all associated code,
+including integration tests and documentation.
+
+BREAKING CHANGE: The previously-deprecated `/v1/*` endpoints were removed.
+```
+
+## Pull Requests
+
+- The subject line MUST be in the conventional commit format.
+- Auto‑generate a PR body summarizing the problem, solution, and verification steps.
+- List breaking changes under a separate **Breaking Changes** heading.

.github/dependabot.yml

@@ -11,12 +11,6 @@ updates:
     allow:
       - dependency-type: "all"
     ignore:
-      # These dependencies will be updated via higher-level aggregator dependencies like `clap`,
-      # `futures`, `prost`, `tracing`, and `trust-dns-resolver`:
-      - dependency-name: "futures-*"
-      - dependency-name: "prost-derive"
-      - dependency-name: "tracing-*"
-      - dependency-name: "trust-dns-proto"
       # These dependencies are for platforms that we don't support:
       - dependency-name: "hermit-abi"
       - dependency-name: "redox_*"
@@ -25,9 +19,37 @@ updates:
       - dependency-name: "web-sys"
       - dependency-name: "windows*"
     groups:
+      boring:
+        patterns:
+          - "tokio-boring"
+          - "boring*"
+      futures:
+        patterns:
+          - "futures*"
+      grpc:
+        patterns:
+          - "prost*"
+          - "tonic*"
+      hickory:
+        patterns:
+          - "hickory*"
+      icu4x:
+        patterns:
+          - "icu_*"
       opentelemetry:
         patterns:
           - "opentelemetry*"
+      rustls:
+        patterns:
+          - "tokio-rustls"
+          - "rustls*"
+          - "ring"
+      symbolic:
+        patterns:
+          - "symbolic-*"
+      tracing:
+        patterns:
+          - "tracing*"
 
   - package-ecosystem: cargo
     directory: /linkerd/addr/fuzz

.github/workflows/beta.yml

@@ -22,13 +22,13 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-24.04
-    container: ghcr.io/linkerd/dev:v45-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
     timeout-minutes: 20
     continue-on-error: true
     steps:
       - run: rustup toolchain install --profile=minimal beta
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
       - run: just toolchain=beta fetch
       - run: just toolchain=beta build

.github/workflows/coverage.yml

@@ -21,11 +21,11 @@ env:
 jobs:
   meta:
     timeout-minutes: 5
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - id: changed
-        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
         with:
           files: |
             .codecov.yml
@@ -40,19 +40,19 @@ jobs:
   codecov:
     needs: meta
     if: (github.event_name == 'push' && github.ref == 'refs/heads/main') || needs.meta.outputs.any_changed == 'true'
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
-      image: docker://ghcr.io/linkerd/dev:v45-rust
+      image: docker://ghcr.io/linkerd/dev:v47-rust
       options: --security-opt seccomp=unconfined # 🤷
     env:
       CXX: "/usr/bin/clang++-19"
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
       - run: cargo tarpaulin --locked --workspace --exclude=linkerd2-proxy --exclude=linkerd-transport-header --exclude=opencensus-proto --exclude=spire-proto --no-run
       - run: cargo tarpaulin --locked --workspace --exclude=linkerd2-proxy --exclude=linkerd-transport-header --exclude=opencensus-proto --exclude=spire-proto --skip-clean --ignore-tests --no-fail-fast --out=Xml
         # Some tests are especially flakey in coverage tests. That's fine. We
         # only really care to measure how much of our codebase is covered.
         continue-on-error: true
-      - uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3
+      - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24

.github/workflows/fuzzers.yml

@@ -26,13 +26,13 @@ permissions:
 jobs:
   list-changed:
     timeout-minutes: 3
-    runs-on: ubuntu-24.04
-    container: docker://rust:1.83.0
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: docker://rust:1.88.0
     steps:
       - run: apt update && apt install -y jo
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8
+      - uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
         id: changed-files
       - name: list changed crates
         id: list-changed
@@ -47,15 +47,15 @@ jobs:
   build:
     needs: [list-changed]
     timeout-minutes: 40
-    runs-on: ubuntu-24.04
-    container: docker://rust:1.83.0
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: docker://rust:1.88.0
     strategy:
       matrix:
         dir: ${{ fromJson(needs.list-changed.outputs.dirs) }}
     steps:
       - run: rustup toolchain add nightly
       - run: cargo install cargo-fuzz
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
       - working-directory: ${{matrix.dir}}
         run: cargo +nightly fetch

.github/workflows/markdown.yml

@@ -12,9 +12,9 @@ on:
 jobs:
   markdownlint:
     timeout-minutes: 5
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: DavidAnson/markdownlint-cli2-action@05f32210e84442804257b2a6f20b273450ec8265
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e
         with:
             globs: "**/*.md"

.github/workflows/nightly.yml

@@ -22,13 +22,13 @@ permissions:
 
 jobs:
   build:
-    runs-on: ubuntu-24.04
-    container: ghcr.io/linkerd/dev:v45-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
     timeout-minutes: 20
     continue-on-error: true
     steps:
       - run: rustup toolchain install --profile=minimal nightly
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
       - run: just toolchain=nightly fetch
       - run: just toolchain=nightly profile=release build

.github/workflows/pr.yml

@@ -14,24 +14,24 @@ concurrency:
 jobs:
   meta:
     timeout-minutes: 5
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - id: build
-        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
         with:
           files: |
             .github/workflows/pr.yml
             justfile
             Dockerfile
       - id: actions
-        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
         with:
           files: |
             .github/workflows/**
             .devcontainer/*
       - id: cargo
-        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
         with:
           files_ignore: "Cargo.toml"
           files: |
@@ -40,7 +40,7 @@ jobs:
         if: steps.cargo.outputs.any_changed == 'true'
         run: ./.github/list-crates.sh ${{ steps.cargo.outputs.all_changed_files }}
       - id: rust
-        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
         with:
           files: |
             **/*.rs
@@ -57,7 +57,7 @@ jobs:
   info:
     timeout-minutes: 3
     needs: meta
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
       - name: Info
         run: |
@@ -74,30 +74,27 @@ jobs:
   actions:
     needs: meta
     if: needs.meta.outputs.actions_changed == 'true'
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
-      - uses: linkerd/dev/actions/setup-tools@v45
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - run: just action-lint
       - run: just action-dev-check
 
   rust:
     needs: meta
     if: needs.meta.outputs.cargo_changed == 'true' || needs.meta.outputs.rust_changed == 'true'
-    runs-on: ubuntu-24.04
-    container: ghcr.io/linkerd/dev:v45-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
     permissions:
       contents: read
     timeout-minutes: 20
     steps:
       - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
       - run: just fetch
-      - name: Run cargo deny check bans licenses sources
-        uses: EmbarkStudios/cargo-deny-action@e2f4ede4a4e60ea15ff31bc0647485d80c66cfba
-        with:
-          command: check bans licenses sources
+      - run: cargo deny --all-features check bans licenses sources
       - run: just check-fmt
       - run: just clippy
       - run: just doc
@@ -110,15 +107,15 @@ jobs:
     needs: meta
     if: needs.meta.outputs.cargo_changed == 'true'
     timeout-minutes: 20
-    runs-on: ubuntu-24.04
-    container: ghcr.io/linkerd/dev:v45-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
     strategy:
       matrix:
         crate: ${{ fromJson(needs.meta.outputs.cargo_crates) }}
     steps:
       - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
       - run: just fetch
       - run: just check-crate ${{ matrix.crate }}
 
@@ -126,11 +123,11 @@ jobs:
     needs: meta
     if: needs.meta.outputs.cargo_changed == 'true' || needs.meta.outputs.rust_changed == 'true'
     timeout-minutes: 20
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     env:
       WAIT_TIMEOUT: 2m
     steps:
-      - uses: linkerd/dev/actions/setup-tools@v45
+      - uses: linkerd/dev/actions/setup-tools@v47
       - name: scurl https://run.linkerd.io/install-edge | sh
         run: |
           scurl https://run.linkerd.io/install-edge | sh
@@ -139,9 +136,9 @@ jobs:
           tag=$(linkerd version --client --short)
           echo "linkerd $tag"
           echo "LINKERD_TAG=$tag" >> "$GITHUB_ENV"
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - run: just docker
-      - run: just-k3d create
+      - run: just k3d-create
       - run: just k3d-load-linkerd
       - run: just linkerd-install
       - run: just linkerd-check-control-plane-proxy
@@ -152,7 +149,7 @@ jobs:
     timeout-minutes: 3
     needs: [meta, actions, rust, rust-crates, linkerd-install]
     if: always()
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
 
     permissions:
       contents: write
@@ -171,7 +168,7 @@ jobs:
         if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
         run: exit 1
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         if: needs.meta.outputs.is_dependabot == 'true' && needs.meta.outputs.any_changed == 'true'
       - name: "Merge dependabot changes"
         if: needs.meta.outputs.is_dependabot == 'true' && needs.meta.outputs.any_changed == 'true'

.github/workflows/release-weekly.yml

@@ -13,7 +13,7 @@ concurrency:
 jobs:
   last-release:
     if: github.repository == 'linkerd/linkerd2-proxy' # Don't run this in forks.
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 5
     env:
       GH_REPO: ${{ github.repository }}
@@ -41,10 +41,10 @@ jobs:
 
   last-commit:
     needs: last-release
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 5
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - name: Check if the most recent commit is after the last release
         id: recency
         env:
@@ -62,7 +62,7 @@ jobs:
   trigger-release:
     needs: [last-release, last-commit]
     if: needs.last-release.outputs.recent == 'false' && needs.last-commit.outputs.after-release == 'true'
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 5
     permissions:
       actions: write

.github/workflows/release.yml

@@ -46,6 +46,7 @@ on:
         default: true
 
 env:
+  CARGO: "cargo auditable"
   CARGO_INCREMENTAL: 0
   CARGO_NET_RETRY: 10
   RUSTFLAGS: "-D warnings -A deprecated --cfg tokio_unstable"
@@ -58,9 +59,25 @@ concurrency:
 jobs:
   meta:
     timeout-minutes: 5
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
-      - id: meta
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+        if: github.event_name == 'pull_request'
+      - id: workflow
+        if: github.event_name == 'pull_request'
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            .github/workflows/release.yml
+      - id: build
+        if: github.event_name == 'pull_request'
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c
+        with:
+          files: |
+            justfile
+            Cargo.toml
+
+      - id: version
         env:
           VERSION: ${{ inputs.version }}
         shell: bash
@@ -68,44 +85,45 @@ jobs:
           set -euo pipefail
           shopt -s extglob
           if [[ "$GITHUB_EVENT_NAME" == pull_request ]]; then
-            echo version="0.0.0-test.${GITHUB_SHA:0:7}"
-            echo archs='["amd64"]'
+            echo version="0.0.0-test.${GITHUB_SHA:0:7}" >> "$GITHUB_OUTPUT"
             exit 0
-          fi >> "$GITHUB_OUTPUT"
+          fi
           if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z-]+)?(\+[0-9A-Za-z-]+)?$ ]]; then
             echo "Invalid version: $VERSION" >&2
             exit 1
           fi
-          ( echo version="${VERSION#v}"
-            echo archs='["amd64", "arm64", "arm"]'
+          echo version="${VERSION#v}" >> "$GITHUB_OUTPUT"
+
+      - id: platform
+        shell: bash
+        env:
+          WORKFLOW_CHANGED: ${{ steps.workflow.outputs.any_changed }}
+        run: |
+          if [[ "$GITHUB_EVENT_NAME" == pull_request && "$WORKFLOW_CHANGED" != 'true' ]]; then
+            ( echo archs='["amd64"]'
+              echo oses='["linux"]' ) >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          ( echo archs='["amd64", "arm64"]'
+            echo oses='["linux", "windows"]'
           ) >> "$GITHUB_OUTPUT"
 
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
-        if: github.event_name == 'pull_request'
-      - id: changed
-        if: github.event_name == 'pull_request'
-        uses: tj-actions/changed-files@dcc7a0cba800f454d79fff4b993e8c3555bcc0a8
-        with:
-          files: |
-            .github/workflows/release.yml
-            justfile
-            Cargo.toml
-
     outputs:
-      archs: ${{ steps.meta.outputs.archs }}
-      version: ${{ steps.meta.outputs.version }}
-      package: ${{ github.event_name == 'workflow_dispatch' || steps.changed.outputs.any_changed == 'true' }}
+      archs: ${{ steps.platform.outputs.archs }}
+      oses: ${{ steps.platform.outputs.oses }}
+      version: ${{ steps.version.outputs.version }}
+      package: ${{ github.event_name == 'workflow_dispatch' || steps.build.outputs.any_changed == 'true' || steps.workflow.outputs.any_changed == 'true' }}
       profile: ${{ inputs.profile || 'release' }}
       publish: ${{ inputs.publish }}
       ref: ${{ inputs.ref || github.sha }}
-      tag: "${{ inputs.tag-prefix || 'release/' }}v${{ steps.meta.outputs.version }}"
+      tag: "${{ inputs.tag-prefix || 'release/' }}v${{ steps.version.outputs.version }}"
       prerelease: ${{ inputs.prerelease }}
       draft: ${{ inputs.draft }}
       latest: ${{ inputs.latest }}
 
   info:
     needs: meta
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 3
     steps:
       - name: Inputs
@@ -126,38 +144,50 @@ jobs:
     strategy:
       matrix:
         arch: ${{ fromJson(needs.meta.outputs.archs) }}
+        os: ${{ fromJson(needs.meta.outputs.oses) }}
         libc: [gnu] # musl
+        exclude:
+          - os: windows
+            arch: arm64
 
     # If we're not actually building on a release tag, don't short-circuit on
     # errors. This helps us know whether a failure is platform-specific.
     continue-on-error: ${{ needs.meta.outputs.publish != 'true' }}
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 40
-    container: docker://ghcr.io/linkerd/dev:v45-rust-musl
+    container: docker://ghcr.io/linkerd/dev:v47-rust-musl
     env:
       LINKERD2_PROXY_VENDOR: ${{ github.repository_owner }}
       LINKERD2_PROXY_VERSION: ${{ needs.meta.outputs.version }}
     steps:
+      # TODO: add to dev image
+      - name: Install MiniGW
+        if: matrix.os == 'windows'
+        run: apt-get update && apt-get install -y mingw-w64
+      - name: Install cross compilation toolchain
+        if: matrix.arch == 'arm64'
+        run: apt-get update && apt-get install -y binutils-aarch64-linux-gnu
+
       - name: Configure git
         run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
           ref: ${{ needs.meta.outputs.ref }}
-      - uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
+      - uses: Swatinem/rust-cache@98c8021b550208e191a6a3145459bfc9fb29c4c0
         with:
-          key: ${{ matrix.arch }}
+          key: ${{ matrix.os }}-${{ matrix.arch }}
       - run: just fetch
-      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} rustup
-      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} profile=${{ needs.meta.outputs.profile }} build
-      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} profile=${{ needs.meta.outputs.profile }} package
-      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} rustup
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} profile=${{ needs.meta.outputs.profile }} build
+      - run: just arch=${{ matrix.arch }} libc=${{ matrix.libc }} os=${{ matrix.os }} profile=${{ needs.meta.outputs.profile }} package
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
-          name: ${{ matrix.arch }}-artifacts
+          name: ${{ matrix.arch }}-${{ matrix.os }}-artifacts
           path: target/package/*
 
   publish:
     needs: [meta, package]
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     timeout-minutes: 5
     permissions:
       actions: write
@@ -174,13 +204,13 @@ jobs:
           git config --global user.name "$GITHUB_USERNAME"
           git config --global user.email "$GITHUB_USERNAME"@users.noreply.github.com
       # Tag the release.
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
         with:
           token: ${{ secrets.LINKERD2_PROXY_GITHUB_TOKEN || github.token }}
           ref: ${{ needs.meta.outputs.ref }}
       - run: git tag -a -m "$VERSION" "$TAG"
       # Fetch the artifacts.
-      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
         with:
           path: artifacts
       - run: du -h artifacts/**/*
@@ -188,7 +218,7 @@ jobs:
       - if: needs.meta.outputs.publish == 'true'
         run: git push origin "$TAG"
       - if: needs.meta.outputs.publish == 'true'
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda
+        uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8
         with:
           name: ${{ env.VERSION }}
           tag_name: ${{ env.TAG }}
@@ -212,7 +242,7 @@ jobs:
     needs: publish
     if: always()
     timeout-minutes: 3
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
       - name: Results
         run: |

.github/workflows/shellcheck.yml

@@ -13,8 +13,8 @@ on:
 jobs:
   sh-lint:
     timeout-minutes: 5
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
-      - uses: linkerd/dev/actions/setup-tools@v45
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - run: just sh-lint

.github/workflows/toolchain.yml

@@ -13,10 +13,10 @@ permissions:
 
 jobs:
   devcontainer:
-    runs-on: ubuntu-24.04
-    container: ghcr.io/linkerd/dev:v45-rust
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
+    container: ghcr.io/linkerd/dev:v47-rust
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
       - run: |
           VERSION_REGEX='channel = "([0-9]+\.[0-9]+\.[0-9]+)"'
@@ -35,10 +35,10 @@ jobs:
 
 
   workflows:
-    runs-on: ubuntu-24.04
+    runs-on: ${{ vars.LINKERD2_PROXY_RUNNER || 'ubuntu-24.04' }}
     steps:
-      - uses: linkerd/dev/actions/setup-tools@v45
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - uses: linkerd/dev/actions/setup-tools@v47
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
       - shell: bash
         run: |
           VERSION_REGEX='channel = "([0-9]+\.[0-9]+\.[0-9]+)"'

Cargo.toml

@@ -16,7 +16,6 @@ members = [
     "linkerd/app",
     "linkerd/conditional",
     "linkerd/distribute",
-    "linkerd/detect",
     "linkerd/dns/name",
     "linkerd/dns",
     "linkerd/duplex",
@@ -25,10 +24,9 @@ members = [
     "linkerd/error-respond",
     "linkerd/exp-backoff",
     "linkerd/http/access-log",
-    "linkerd/http/body-compat",
     "linkerd/http/box",
     "linkerd/http/classify",
-    "linkerd/http/executor",
+    "linkerd/http/detect",
     "linkerd/http/h2",
     "linkerd/http/insert",
     "linkerd/http/metrics",
@@ -44,8 +42,6 @@ members = [
     "linkerd/idle-cache",
     "linkerd/io",
     "linkerd/meshtls",
-    "linkerd/meshtls/boring",
-    "linkerd/meshtls/rustls",
     "linkerd/meshtls/verifier",
     "linkerd/metrics",
     "linkerd/mock/http-body",
@@ -73,12 +69,12 @@ members = [
     "linkerd/reconnect",
     "linkerd/retry",
     "linkerd/router",
+    "linkerd/rustls",
     "linkerd/service-profiles",
     "linkerd/signal",
     "linkerd/stack",
     "linkerd/stack/metrics",
     "linkerd/stack/tracing",
-    "linkerd/system",
     "linkerd/tonic-stream",
     "linkerd/tonic-watch",
     "linkerd/tls",
@@ -87,6 +83,7 @@ members = [
     "linkerd/tracing",
     "linkerd/transport-header",
     "linkerd/transport-metrics",
+    "linkerd/workers",
     "linkerd2-proxy",
     "opencensus-proto",
     "opentelemetry-proto",
@@ -98,22 +95,43 @@ members = [
 debug = 1
 lto = true
 
+[workspace.package]
+version = "0.1.0"
+authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
+license = "Apache-2.0"
+edition = "2021"
+publish = false
+
 [workspace.dependencies]
 bytes = { version = "1" }
-h2 = { version = "0.3" }
-http = { version = "0.2" }
-http-body = { version = "0.4" }
-hyper = { version = "0.14.32", default-features = false }
-prost = { version = "0.12" }
-prost-types = { version = "0.12" }
+drain = { version = "0.2", default-features = false }
+h2 = { version = "0.4" }
+http = { version = "1" }
+http-body = { version = "1" }
+hyper = { version = "1", default-features = false }
+prometheus-client = { version = "0.23" }
+prost = { version = "0.13" }
+prost-build = { version = "0.13", default-features = false }
+prost-types = { version = "0.13" }
 tokio-rustls = { version = "0.26", default-features = false, features = [
-    "ring",
     "logging",
 ] }
-tonic = { version = "0.10", default-features = false }
-tonic-build = { version = "0.10", default-features = false }
+tonic = { version = "0.13", default-features = false }
+tonic-build = { version = "0.13", default-features = false }
+tower = { version = "0.5", default-features = false }
+tower-service = { version = "0.3" }
+tower-test = { version = "0.4" }
+tracing = { version = "0.1" }
+
+[workspace.dependencies.http-body-util]
+version = "0.1.3"
+default-features = false
+features = ["channel"]
+
+[workspace.dependencies.hyper-util]
+version = "0.1"
+default-features = false
+features = ["tokio", "tracing"]
 
 [workspace.dependencies.linkerd2-proxy-api]
-version = "0.15.0"
-# git = "https://github.com/linkerd/linkerd2-proxy-api.git"
-# branch = "main"
+version = "0.17.0"

Dockerfile

@@ -3,7 +3,7 @@
 # This is intended **DEVELOPMENT ONLY**, i.e. so that proxy developers can
 # easily test the proxy in the context of the larger `linkerd2` project.
 
-ARG RUST_IMAGE=ghcr.io/linkerd/dev:v45-rust
+ARG RUST_IMAGE=ghcr.io/linkerd/dev:v47-rust
 
 # Use an arbitrary ~recent edge release image to get the proxy
 # identity-initializing and linkerd-await wrappers.
@@ -14,11 +14,16 @@ FROM $LINKERD2_IMAGE as linkerd2
 FROM --platform=$BUILDPLATFORM $RUST_IMAGE as fetch
 
 ARG PROXY_FEATURES=""
+ARG TARGETARCH="amd64"
 RUN apt-get update && \
     apt-get install -y time && \
     if [[ "$PROXY_FEATURES" =~ .*meshtls-boring.* ]] ; then \
       apt-get install -y golang ; \
     fi && \
+    case "$TARGETARCH" in \
+        amd64) true ;; \
+        arm64) apt-get install --no-install-recommends -y binutils-aarch64-linux-gnu ;; \
+    esac && \
     rm -rf /var/lib/apt/lists/*
 
 ENV CARGO_NET_RETRY=10
@@ -33,7 +38,6 @@ RUN --mount=type=cache,id=cargo,target=/usr/local/cargo/registry \
 FROM fetch as build
 ENV CARGO_INCREMENTAL=0
 ENV RUSTFLAGS="-D warnings -A deprecated --cfg tokio_unstable"
-ARG TARGETARCH="amd64"
 ARG PROFILE="release"
 ARG LINKERD2_PROXY_VERSION=""
 ARG LINKERD2_PROXY_VENDOR=""

README.md

@@ -86,8 +86,9 @@ minutes to review our [code of conduct][coc].
 We test our code by way of fuzzing and this is described in [FUZZING.md](/docs/FUZZING.md).
 
 A third party security audit focused on fuzzing Linkerd2-proxy was performed by
-Ada Logics in 2021. The full report is available
-[here](/docs/reports/linkerd2-proxy-fuzzing-report.pdf).
+Ada Logics in 2021. The
+[full report](/docs/reports/linkerd2-proxy-fuzzing-report.pdf) can be found in
+the `docs/reports/` directory.
 
 ## License
 

deny.toml

@@ -2,7 +2,6 @@
 targets = [
     { triple = "x86_64-unknown-linux-gnu" },
     { triple = "aarch64-unknown-linux-gnu" },
-    { triple = "armv7-unknown-linux-gnu" },
 ]
 
 [advisories]
@@ -18,27 +17,20 @@ allow = [
     "ISC",
     "MIT",
     "Unicode-3.0",
+    "Zlib",
 ]
 # Ignore local workspace license values for unpublished crates.
 private = { ignore = true }
 confidence-threshold = 0.8
 exceptions = [
     { allow = [
-        "Zlib",
-    ], name = "adler32", version = "*" },
+        "ISC",
+        "OpenSSL",
+    ], name = "aws-lc-sys", version = "*" },
     { allow = [
         "ISC",
-        "MIT",
         "OpenSSL",
-    ], name = "ring", version = "*" },
-]
-
-[[licenses.clarify]]
-name = "ring"
-version = "*"
-expression = "MIT AND ISC AND OpenSSL"
-license-files = [
-    { path = "LICENSE", hash = 0xbd0eed23 },
+    ], name = "aws-lc-fips-sys", version = "*" },
 ]
 
 [bans]
@@ -50,28 +42,35 @@ deny = [
     { name = "rustls", wrappers = ["tokio-rustls"] },
     # rustls-webpki should be used instead.
     { name = "webpki" },
+    # aws-lc-rs should be used instead.
+    { name = "ring" }
 ]
 skip = [
     # `linkerd-trace-context`, `rustls-pemfile` and `tonic` depend on `base64`
     # v0.13.1 while `rcgen` depends on v0.21.5
     { name = "base64" },
-    { name = "bitflags", version = "1" },
-    # https://github.com/hawkw/matchers/pull/4
-    { name = "regex-automata", version = "0.1" },
-    { name = "regex-syntax", version = "0.6" },
-    # Some dependencies still use indexmap v1.
-    { name = "indexmap", version = "1" },
-    { name = "hashbrown", version = "0.12" },
-
+    # tonic/axum depend on a newer `tower`, which we are still catching up to.
+    # see #3744.
+    { name = "tower", version = "0.5" },
 ]
 skip-tree = [
     # thiserror v2 is still propagating through the ecosystem
     { name = "thiserror", version = "1" },
-    # rand 0.9 is still propagating through the ecosystem
+    # rand v0.9 is still propagating through the ecosystem
     { name = "rand", version = "0.8" },
+    # rust v1.0 is still propagating through the ecosystem
+    { name = "rustix", version = "0.38" },
+    # `pprof` uses a number of old dependencies. for now, we skip its subtree.
+    { name = "pprof" },
+    # aws-lc-rs uses a slightly outdated version of bindgen
+    { name = "bindgen", version = "0.69.5" },
+    # socket v0.6 is still propagating through the ecosystem
+    { name = "socket2", version = "0.5" },
 ]
 
 [sources]
 unknown-registry = "deny"
 unknown-git = "deny"
-allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-registry = [
+    "https://github.com/rust-lang/crates.io-index",
+]

docs/FUZZING.md

@@ -12,9 +12,12 @@ engine.
 We place the fuzz tests into folders within the individual crates that the fuzz
 tests target. For example, we have a fuzz test that that target the crate
 `/linkerd/addr` and the code in `/linkerd/addr/src` and thus the fuzz test that
-targets this crate is put in `/linkerd/addr/fuzz`. The folder set up we use for
-each of the fuzz tests is automatically generated by `cargo fuzz init`
-(described [here](https://github.com/rust-fuzz/cargo-fuzz#cargo-fuzz-init)).
+targets this crate is put in `/linkerd/addr/fuzz`.
+
+The folder structure for each of the fuzz tests is automatically generated by
+`cargo fuzz init`. See cargo fuzz's
+[`README.md`](https://github.com/rust-fuzz/cargo-fuzz#cargo-fuzz-init) for more
+information.
 
 ### Fuzz targets
 
@@ -96,6 +99,5 @@ unit-test-like fuzzers, but are essentially just more substantial in nature. The
 idea behind these fuzzers is to test end-to-end concepts more so than individual
 components of the proxy.
 
-The inbound fuzzer
-[here](/linkerd/app/inbound/fuzz/fuzz_targets/fuzz_target_1.rs) is an example of
-this.
+The [inbound fuzzer](/linkerd/app/inbound/fuzz/fuzz_targets/fuzz_target_1.rs)
+is an example of this.

hyper-balance/Cargo.toml

@@ -1,18 +1,18 @@
 [package]
 name = "hyper-balance"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
 http = { workspace = true }
 http-body = { workspace = true }
-hyper = { workspace = true, features = ["deprecated"] }
+hyper = { workspace = true }
 pin-project = "1"
-tower = { version = "0.4", default-features = false, features = ["load"] }
+tower = { workspace = true, default-features = false, features = ["load"] }
 tokio = { version = "1", features = ["macros"] }
 
 [dev-dependencies]

hyper-balance/src/lib.rs

@@ -102,32 +102,20 @@ where
         self.body.is_end_stream()
     }
 
-    fn poll_data(
+    fn poll_frame(
         self: Pin<&mut Self>,
         cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
+    ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
         let this = self.project();
-        let ret = futures::ready!(this.body.poll_data(cx));
+        let ret = futures::ready!(this.body.poll_frame(cx));
 
-        // Once a data frame is received, the handle is dropped. On subsequent calls, this
+        // Once a frame is received, the handle is dropped. On subsequent calls, this
         // is a noop.
         drop(this.handle.take());
 
         Poll::Ready(ret)
     }
 
-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        let this = self.project();
-        // If this is being called, the handle definitely should have been dropped
-        // already.
-        drop(this.handle.take());
-
-        this.body.poll_trailers(cx)
-    }
-
     #[inline]
     fn size_hint(&self) -> hyper::body::SizeHint {
         self.body.size_hint()
@@ -157,35 +145,21 @@ impl<T: Send + 'static, B: Body> Body for PendingUntilEosBody<T, B> {
         self.body.is_end_stream()
     }
 
-    fn poll_data(
+    fn poll_frame(
         self: Pin<&mut Self>,
         cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
+    ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
         let mut this = self.project();
         let body = &mut this.body;
         tokio::pin!(body);
-        let ret = futures::ready!(body.poll_data(cx));
+        let frame = futures::ready!(body.poll_frame(cx));
 
         // If this was the last frame, then drop the handle immediately.
         if this.body.is_end_stream() {
             drop(this.handle.take());
         }
 
-        Poll::Ready(ret)
-    }
-
-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        let this = self.project();
-        let ret = futures::ready!(this.body.poll_trailers(cx));
-
-        // Once trailers are received, the handle is dropped immediately (in case the body
-        // is retained longer for some reason).
-        drop(this.handle.take());
-
-        Poll::Ready(ret)
+        Poll::Ready(frame)
     }
 
     #[inline]
@@ -198,7 +172,7 @@ impl<T: Send + 'static, B: Body> Body for PendingUntilEosBody<T, B> {
 mod tests {
     use super::{PendingUntilEos, PendingUntilFirstData};
     use futures::future::poll_fn;
-    use http_body::Body;
+    use http_body::{Body, Frame};
     use std::collections::VecDeque;
     use std::io::Cursor;
     use std::pin::Pin;
@@ -225,11 +199,13 @@ mod tests {
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok")
+        .into_data()
+        .expect("frame is data");
         assert!(wk.upgrade().is_none());
     }
 
@@ -282,10 +258,10 @@ mod tests {
         let res = assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll());
-        assert!(res.expect("data is some").is_err());
+        assert!(res.expect("frame is some").is_err());
         assert!(wk.upgrade().is_none());
     }
 
@@ -308,21 +284,21 @@ mod tests {
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
         assert!(wk.upgrade().is_some());
 
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data some")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
         assert!(wk.upgrade().is_none());
     }
 
@@ -355,40 +331,42 @@ mod tests {
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
         assert!(wk.upgrade().is_some());
 
         assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll())
-        .expect("data")
-        .expect("data ok");
+        .expect("frame is some")
+        .expect("frame is ok");
         assert!(wk.upgrade().is_some());
 
+        assert_ready!(task::spawn(poll_fn(|cx| {
+            let body = &mut body;
+            tokio::pin!(body);
+            body.poll_frame(cx)
+        }))
+        .poll())
+        .expect("frame is some")
+        .expect("frame is ok")
+        .into_trailers()
+        .expect("is trailers");
+        assert!(wk.upgrade().is_none());
+
         let poll = assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll());
         assert!(poll.is_none());
-        assert!(wk.upgrade().is_some());
-
-        assert_ready!(task::spawn(poll_fn(|cx| {
-            let body = &mut body;
-            tokio::pin!(body);
-            body.poll_trailers(cx)
-        }))
-        .poll())
-        .expect("trailers ok")
-        .expect("trailers");
         assert!(wk.upgrade().is_none());
     }
 
@@ -411,7 +389,7 @@ mod tests {
         let poll = assert_ready!(task::spawn(poll_fn(|cx| {
             let body = &mut body;
             tokio::pin!(body);
-            body.poll_data(cx)
+            body.poll_frame(cx)
         }))
         .poll());
         assert!(poll.expect("some").is_err());
@@ -437,20 +415,21 @@ mod tests {
             self.0.is_empty() & self.1.is_none()
         }
 
-        fn poll_data(
+        fn poll_frame(
             mut self: Pin<&mut Self>,
             _: &mut Context<'_>,
-        ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
-            Poll::Ready(self.as_mut().0.pop_front().map(Cursor::new).map(Ok))
-        }
-
-        fn poll_trailers(
-            mut self: Pin<&mut Self>,
-            _: &mut Context<'_>,
-        ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
+        ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
             let mut this = self.as_mut();
-            assert!(this.0.is_empty());
-            Poll::Ready(Ok(this.1.take()))
+
+            // Return the next data frame from the sequence of chunks.
+            if let Some(chunk) = this.0.pop_front() {
+                let frame = Some(Ok(Frame::data(Cursor::new(chunk))));
+                return Poll::Ready(frame);
+            }
+
+            // Yield the trailers once all data frames have been yielded.
+            let trailers = this.1.take().map(Frame::<Self::Data>::trailers).map(Ok);
+            Poll::Ready(trailers)
         }
     }
 
@@ -464,18 +443,13 @@ mod tests {
             self.0.is_none()
         }
 
-        fn poll_data(
+        fn poll_frame(
             mut self: Pin<&mut Self>,
             _: &mut Context<'_>,
-        ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
-            Poll::Ready(Some(Err(self.as_mut().0.take().expect("err"))))
-        }
+        ) -> Poll<Option<Result<http_body::Frame<Self::Data>, Self::Error>>> {
+            let err = self.as_mut().0.take().expect("err");
 
-        fn poll_trailers(
-            mut self: Pin<&mut Self>,
-            _: &mut Context<'_>,
-        ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-            Poll::Ready(Err(self.as_mut().0.take().expect("err")))
+            Poll::Ready(Some(Err(err)))
         }
     }
 }

justfile

@@ -15,9 +15,13 @@ toolchain := ""
 
 features := ""
 
-export LINKERD2_PROXY_VERSION := env_var_or_default("LINKERD2_PROXY_VERSION", "0.0.0-dev." + `git rev-parse --short HEAD`)
+export LINKERD2_PROXY_VERSION := env_var_or_default("LINKERD2_PROXY_VERSION", "0.0.0-dev" + `git rev-parse --short HEAD`)
 export LINKERD2_PROXY_VENDOR := env_var_or_default("LINKERD2_PROXY_VENDOR", `whoami` + "@" + `hostname`)
 
+# TODO: these variables will be included in dev v48
+export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu := env_var_or_default("AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_gnu", "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld")
+export AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl := env_var_or_default("AWS_LC_SYS_CFLAGS_aarch64_unknown_linux_musl", "-fuse-ld=/usr/aarch64-linux-gnu/bin/ld")
+
 # The version name to use for packages.
 package_version := "v" + LINKERD2_PROXY_VERSION
 
@@ -26,28 +30,30 @@ docker-repo := "localhost/linkerd/proxy"
 docker-tag := `git rev-parse --abbrev-ref HEAD | sed 's|/|.|g'` + "." + `git rev-parse --short HEAD`
 docker-image := docker-repo + ":" + docker-tag
 
-# The architecture name to use for packages. Either 'amd64', 'arm64', or 'arm'.
+# The architecture name to use for packages. Either 'amd64' or 'arm64'.
 arch := "amd64"
+# The OS name to use for packages. Either 'linux' or 'windows'.
+os := "linux"
 
 libc := 'gnu'
 
 # If a `arch` is specified, then we change the default cargo `--target`
 # to support cross-compilation. Otherwise, we use `rustup` to find the default.
-_target := if arch == 'amd64' {
+_target := if os + '-' + arch == "linux-amd64" {
         "x86_64-unknown-linux-" + libc
-    } else if arch == "arm64" {
+    } else if os + '-' + arch == "linux-arm64" {
         "aarch64-unknown-linux-" + libc
-    } else if arch == "arm" {
-        "armv7-unknown-linux-" + libc + "eabihf"
+    } else if os + '-' + arch == "windows-amd64" {
+        "x86_64-pc-windows-" + libc
     } else {
-        error("unsupported arch=" + arch)
+        error("unsupported: os=" + os + " arch=" + arch + " libc=" + libc)
     }
 
 _cargo := 'just-cargo profile=' + profile + ' target=' + _target + ' toolchain=' + toolchain
 
 _target_dir := "target" / _target / profile
-_target_bin := _target_dir / "linkerd2-proxy"
-_package_name := "linkerd2-proxy-" + package_version + "-" + arch + if libc == 'musl' { '-static' } else { '' }
+_target_bin := _target_dir / "linkerd2-proxy" + if os == 'windows' { '.exe' } else { '' }
+_package_name := "linkerd2-proxy-" + package_version + "-" + os + "-" + arch + if libc == 'musl' { '-static' } else { '' }
 _package_dir := "target/package" / _package_name
 shasum := "shasum -a 256"
 
@@ -135,7 +141,7 @@ _strip:
 
 _package_bin := _package_dir / "bin" / "linkerd2-proxy"
 
-# XXX {aarch64,arm}-musl builds do not enable PIE, so we use target-specific
+# XXX aarch64-musl builds do not enable PIE, so we use target-specific
 # files to document those differences.
 _expected_checksec := '.checksec' / arch + '-' + libc + '.json'
 
@@ -254,6 +260,12 @@ _tag-set:
 _k3d-ready:
     @just-k3d ready
 
+export K3D_CLUSTER_NAME := "l5d-proxy"
+export K3D_CREATE_FLAGS := "--no-lb"
+export K3S_DISABLE := "local-storage,traefik,servicelb,metrics-server@server:*"
+k3d-create: && _k3d-ready
+    @just-k3d create
+
 k3d-load-linkerd: _tag-set _k3d-ready
     for i in \
         '{{ _controller-image }}:{{ linkerd-tag }}' \
@@ -270,6 +282,7 @@ k3d-load-linkerd: _tag-set _k3d-ready
 
 # Install crds on the test cluster.
 _linkerd-crds-install: _k3d-ready
+    {{ _kubectl }} apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
     {{ _linkerd }} install --crds \
         | {{ _kubectl }} apply -f -
     {{ _kubectl }} wait crd --for condition=established \

linkerd/addr/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-addr"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [dependencies]
 http = { workspace = true }

linkerd/addr/fuzz/Cargo.toml

@@ -1,9 +1,10 @@
 [package]
 name = "linkerd-addr-fuzz"
-version = "0.0.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-publish = false
-edition = "2021"
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [package.metadata]
 cargo-fuzz = true
@@ -12,7 +13,7 @@ cargo-fuzz = true
 libfuzzer-sys = "0.4"
 linkerd-addr = { path = ".." }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
-tracing = "0.1"
+tracing = { workspace = true }
 
 # Prevent this from interfering with workspaces
 [workspace]

linkerd/addr/src/lib.rs

@@ -100,15 +100,11 @@ impl Addr {
                     // them ourselves.
                     format!("[{}]", a.ip())
                 };
-                http::uri::Authority::from_str(&ip).unwrap_or_else(|err| {
-                    panic!("SocketAddr ({}) must be valid authority: {}", a, err)
-                })
-            }
-            Addr::Socket(a) => {
-                http::uri::Authority::from_str(&a.to_string()).unwrap_or_else(|err| {
-                    panic!("SocketAddr ({}) must be valid authority: {}", a, err)
-                })
+                http::uri::Authority::from_str(&ip)
+                    .unwrap_or_else(|err| panic!("SocketAddr ({a}) must be valid authority: {err}"))
             }
+            Addr::Socket(a) => http::uri::Authority::from_str(&a.to_string())
+                .unwrap_or_else(|err| panic!("SocketAddr ({a}) must be valid authority: {err}")),
         }
     }
 
@@ -265,14 +261,14 @@ mod tests {
         ];
         for (host, expected_result) in cases {
             let a = Addr::from_str(host).unwrap();
-            assert_eq!(a.is_loopback(), *expected_result, "{:?}", host)
+            assert_eq!(a.is_loopback(), *expected_result, "{host:?}")
         }
     }
 
     fn test_to_http_authority(cases: &[&str]) {
         let width = cases.iter().map(|s| s.len()).max().unwrap_or(0);
         for host in cases {
-            print!("trying {:1$} ... ", host, width);
+            print!("trying {host:width$} ... ");
             Addr::from_str(host).unwrap().to_http_authority();
             println!("ok");
         }

linkerd/app/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Configures and executes the proxy
 
@@ -18,6 +18,7 @@ pprof = ["linkerd-app-admin/pprof"]
 
 [dependencies]
 futures = { version = "0.3", default-features = false }
+hyper-util = { workspace = true }
 linkerd-app-admin = { path = "./admin" }
 linkerd-app-core = { path = "./core" }
 linkerd-app-gateway = { path = "./gateway" }
@@ -27,11 +28,12 @@ linkerd-error = { path = "../error" }
 linkerd-opencensus = { path = "../opencensus" }
 linkerd-opentelemetry = { path = "../opentelemetry" }
 linkerd-tonic-stream = { path = "../tonic-stream" }
+linkerd-workers = { path = "../workers" }
 rangemap = "1"
 regex = "1"
 thiserror = "2"
 tokio = { version = "1", features = ["rt"] }
 tokio-stream = { version = "0.1", features = ["time", "sync"] }
 tonic = { workspace = true, default-features = false, features = ["prost"] }
-tower = "0.4"
-tracing = "0.1"
+tower = { workspace = true }
+tracing = { workspace = true }

linkerd/app/admin/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-admin"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 The linkerd proxy's admin server.
 """
@@ -19,21 +19,22 @@ bytes = { workspace = true }
 deflate = { version = "1", optional = true, features = ["gzip"] }
 http = { workspace = true }
 http-body = { workspace = true }
-hyper = { workspace = true, features = ["deprecated", "http1", "http2"] }
+http-body-util = { workspace = true }
+hyper = { workspace = true, features = ["http1", "http2"] }
 futures = { version = "0.3", default-features = false }
-pprof = { version = "0.14", optional = true, features = ["prost-codec"] }
+pprof = { version = "0.15", optional = true, features = ["prost-codec"] }
 serde = "1"
 serde_json = "1"
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "sync", "parking_lot"] }
-tracing = "0.1"
+tracing = { workspace = true }
 
 linkerd-app-core = { path = "../core" }
 linkerd-app-inbound = { path = "../inbound" }
 linkerd-tracing = { path = "../../tracing" }
 
 [dependencies.tower]
-version = "0.4"
+workspace = true
 default-features = false
 features = [
     "buffer",

linkerd/app/admin/src/server.rs

@@ -13,7 +13,7 @@
 use futures::future::{self, TryFutureExt};
 use http::StatusCode;
 use linkerd_app_core::{
-    metrics::{self as metrics, FmtMetrics},
+    metrics::{self as metrics, legacy::FmtMetrics},
     proxy::http::{Body, BoxBody, ClientHandle, Request, Response},
     trace, Error, Result,
 };
@@ -32,7 +32,7 @@ pub use self::readiness::{Latch, Readiness};
 
 #[derive(Clone)]
 pub struct Admin<M> {
-    metrics: metrics::Serve<M>,
+    metrics: metrics::legacy::Serve<M>,
     tracing: trace::Handle,
     ready: Readiness,
     shutdown_tx: mpsc::UnboundedSender<()>,
@@ -52,7 +52,7 @@ impl<M> Admin<M> {
         tracing: trace::Handle,
     ) -> Self {
         Self {
-            metrics: metrics::Serve::new(metrics),
+            metrics: metrics::legacy::Serve::new(metrics),
             ready,
             shutdown_tx,
             enable_shutdown,
@@ -172,14 +172,14 @@ impl<M> Admin<M> {
     fn not_found() -> Response<BoxBody> {
         Response::builder()
             .status(http::StatusCode::NOT_FOUND)
-            .body(BoxBody::new(hyper::Body::empty()))
+            .body(BoxBody::empty())
             .expect("builder with known status code must not fail")
     }
 
     fn method_not_allowed() -> Response<BoxBody> {
         Response::builder()
             .status(http::StatusCode::METHOD_NOT_ALLOWED)
-            .body(BoxBody::new(hyper::Body::empty()))
+            .body(BoxBody::empty())
             .expect("builder with known status code must not fail")
     }
 
@@ -329,7 +329,7 @@ mod tests {
                 let r = Request::builder()
                     .method(Method::GET)
                     .uri("http://0.0.0.0/ready")
-                    .body(hyper::Body::empty())
+                    .body(BoxBody::empty())
                     .unwrap();
                 let f = admin.clone().oneshot(r);
                 timeout(TIMEOUT, f).await.expect("timeout").expect("call")

linkerd/app/admin/src/server/json.rs

@@ -57,7 +57,7 @@ fn mk_rsp(status: StatusCode, val: &impl serde::Serialize) -> http::Response<Box
     // Serialize the value into JSON, and then place the bytes in a boxed response body.
     let json = serde_json::to_vec(val)
         .map(Bytes::from)
-        .map(http_body::Full::new)
+        .map(http_body_util::Full::new)
         .map(BoxBody::new);
 
     match json {

linkerd/app/admin/src/server/log/level.rs

@@ -22,14 +22,15 @@ where
         }
 
         http::Method::PUT => {
+            use http_body_util::BodyExt;
             let body = req
                 .into_body()
                 .collect()
                 .await
-                .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?
+                .map_err(io::Error::other)?
                 .aggregate();
             match level.set_from(body.chunk()) {
-                Ok(_) => mk_rsp(StatusCode::NO_CONTENT, hyper::Body::empty()),
+                Ok(_) => mk_rsp(StatusCode::NO_CONTENT, BoxBody::empty()),
                 Err(error) => {
                     tracing::warn!(%error, "Setting log level failed");
                     mk_rsp(StatusCode::BAD_REQUEST, error)
@@ -41,7 +42,7 @@ where
             .status(StatusCode::METHOD_NOT_ALLOWED)
             .header(header::ALLOW, "GET")
             .header(header::ALLOW, "PUT")
-            .body(BoxBody::new(hyper::Body::empty()))
+            .body(BoxBody::empty())
             .expect("builder with known status code must not fail"),
     })
 }

linkerd/app/admin/src/server/log/stream.rs

@@ -51,11 +51,13 @@ where
         // If the request is a QUERY, use the request body
         method if method.as_str() == "QUERY" => {
             // TODO(eliza): validate that the request has a content-length...
+            use http_body_util::BodyExt;
             let body = recover!(
-                http_body::Body::collect(req.into_body())
+                req.into_body()
+                    .collect()
                     .await
                     .map_err(Into::into)
-                    .map(http_body::Collected::aggregate),
+                    .map(http_body_util::Collected::aggregate),
                 "Reading log stream request body",
                 StatusCode::BAD_REQUEST
             );
@@ -74,7 +76,7 @@ where
                 .status(StatusCode::METHOD_NOT_ALLOWED)
                 .header(header::ALLOW, "GET")
                 .header(header::ALLOW, "QUERY")
-                .body(BoxBody::new(hyper::Body::empty()))
+                .body(BoxBody::empty())
                 .expect("builder with known status code must not fail"));
         }
     };
@@ -99,7 +101,7 @@ where
     // https://github.com/hawkw/thingbuf/issues/62 would allow us to avoid the
     // copy by passing the channel's pooled buffer directly to hyper, and
     // returning it to the channel to be reused when hyper is done with it.
-    let (mut tx, body) = hyper::Body::channel();
+    let (mut tx, body) = http_body_util::channel::Channel::<Bytes, Error>::new(1024);
     tokio::spawn(
         async move {
             // TODO(eliza): we could definitely implement some batching here.

linkerd/app/admin/src/stack.rs

@@ -1,8 +1,8 @@
 use linkerd_app_core::{
     classify,
     config::ServerConfig,
-    detect, drain, errors, identity,
-    metrics::{self, FmtMetrics},
+    drain, errors, identity,
+    metrics::{self, legacy::FmtMetrics},
     proxy::http,
     serve,
     svc::{self, ExtractParam, InsertParam, Param},
@@ -122,6 +122,7 @@ impl Config {
             .push_on_service(http::BoxResponse::layer())
             .arc_new_clone_http();
 
+        let inbound::DetectMetrics(detect_metrics) = metrics.detect.clone();
         let tcp = http
             .unlift_new()
             .push(http::NewServeHttp::layer({
@@ -136,11 +137,11 @@ impl Config {
             }))
             .push_filter(
                 |(http, tcp): (
-                    Result<Option<http::Variant>, detect::DetectTimeoutError<_>>,
+                    http::Detection,
                     Tcp,
                 )| {
                     match http {
-                        Ok(Some(version)) => Ok(Http { version, tcp }),
+                        http::Detection::Http(version) => Ok(Http { version, tcp }),
                         // If detection timed out, we can make an educated guess at the proper
                         // behavior:
                         // - If the connection was meshed, it was most likely transported over
@@ -148,7 +149,7 @@ impl Config {
                         // - If the connection was unmeshed, it was mostly likely HTTP/1.
                         // - If we received some unexpected SNI, the client is mostly likely
                         //   confused/stale.
-                        Err(_timeout) => {
+                        http::Detection::ReadTimeout(_timeout) => {
                             let version = match tcp.tls {
                                 tls::ConditionalServerTls::None(_) => http::Variant::Http1,
                                 tls::ConditionalServerTls::Some(tls::ServerTls::Established {
@@ -166,7 +167,7 @@ impl Config {
                         }
                         // If the connection failed HTTP detection, check if we detected TLS for
                         // another target. This might indicate that the client is confused/stale.
-                        Ok(None) => match tcp.tls {
+                        http::Detection::NotHttp => match tcp.tls {
                             tls::ConditionalServerTls::Some(tls::ServerTls::Passthru { sni }) => {
                                 Err(UnexpectedSni(sni, tcp.client).into())
                             }
@@ -177,9 +178,12 @@ impl Config {
             )
             .arc_new_tcp()
             .lift_new_with_target()
-            .push(detect::NewDetectService::layer(svc::stack::CloneParam::from(
-                detect::Config::<http::DetectHttp>::from_timeout(DETECT_TIMEOUT),
-            )))
+            .push(http::NewDetect::layer(move |tcp: &Tcp| {
+                http::DetectParams {
+                    read_timeout: DETECT_TIMEOUT,
+                    metrics: detect_metrics.metrics(tcp.policy.server_label())
+                }
+            }))
             .push(transport::metrics::NewServer::layer(metrics.proxy.transport))
             .push_map_target(move |(tls, addrs): (tls::ConditionalServerTls, B::Addrs)| {
                 Tcp {
@@ -210,7 +214,7 @@ impl Config {
 impl Param<transport::labels::Key> for Tcp {
     fn param(&self) -> transport::labels::Key {
         transport::labels::Key::inbound_server(
-            self.tls.clone(),
+            self.tls.as_ref().map(|t| t.labels()),
             self.addr.into(),
             self.policy.server_label(),
         )
@@ -268,7 +272,8 @@ impl Param<metrics::ServerLabel> for Http {
 impl Param<metrics::EndpointLabels> for Permitted {
     fn param(&self) -> metrics::EndpointLabels {
         metrics::InboundEndpointLabels {
-            tls: self.http.tcp.tls.clone(),
+            tls: self.http.tcp.tls.as_ref().map(|t| t.labels()),
+            authority: None,
             target_addr: self.http.tcp.addr.into(),
             policy: self.permit.labels.clone(),
         }

linkerd/app/core/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-core"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Core infrastructure for the proxy application
 
@@ -13,30 +13,23 @@ independently of the inbound and outbound proxy logic.
 """
 
 [dependencies]
-bytes = { workspace = true }
-drain = { version = "0.1", features = ["retain"] }
+drain = { workspace = true, features = ["retain"] }
 http = { workspace = true }
 http-body = { workspace = true }
-hyper = { workspace = true, features = ["deprecated", "http1", "http2"] }
+hyper = { workspace = true, features = ["http1", "http2"] }
 futures = { version = "0.3", default-features = false }
 ipnet = "2.11"
-prometheus-client = "0.22"
-regex = "1"
-serde_json = "1"
+prometheus-client = { workspace = true }
 thiserror = "2"
 tokio = { version = "1", features = ["macros", "sync", "parking_lot"] }
 tokio-stream = { version = "0.1", features = ["time"] }
 tonic = { workspace = true, default-features = false, features = ["prost"] }
-tracing = "0.1"
-parking_lot = "0.12"
+tracing = { workspace = true }
 pin-project = "1"
 
 linkerd-addr = { path = "../../addr" }
 linkerd-conditional = { path = "../../conditional" }
 linkerd-dns = { path = "../../dns" }
-linkerd-detect = { path = "../../detect" }
-linkerd-duplex = { path = "../../duplex" }
-linkerd-errno = { path = "../../errno" }
 linkerd-error = { path = "../../error" }
 linkerd-error-respond = { path = "../../error-respond" }
 linkerd-exp-backoff = { path = "../../exp-backoff" }
@@ -63,6 +56,7 @@ linkerd-proxy-tcp = { path = "../../proxy/tcp" }
 linkerd-proxy-transport = { path = "../../proxy/transport" }
 linkerd-reconnect = { path = "../../reconnect" }
 linkerd-router = { path = "../../router" }
+linkerd-rustls = { path = "../../rustls" }
 linkerd-service-profiles = { path = "../../service-profiles" }
 linkerd-stack = { path = "../../stack" }
 linkerd-stack-metrics = { path = "../../stack/metrics" }
@@ -74,17 +68,14 @@ linkerd-tls = { path = "../../tls" }
 linkerd-trace-context = { path = "../../trace-context" }
 
 [dependencies.tower]
-version = "0.4"
+workspace = true
 default-features = false
 features = ["make", "spawn-ready", "timeout", "util", "limit"]
 
-[target.'cfg(target_os = "linux")'.dependencies]
-linkerd-system = { path = "../../system" }
-
 [build-dependencies]
 semver = "1"
 
 [dev-dependencies]
-linkerd-http-body-compat = { path = "../../http/body-compat" }
+bytes = { workspace = true }
+http-body-util = { workspace = true }
 linkerd-mock-http-body = { path = "../../mock/http-body" }
-quickcheck = { version = "1", default-features = false }

linkerd/app/core/build.rs

@@ -4,11 +4,11 @@ fn set_env(name: &str, cmd: &mut Command) {
     let value = match cmd.output() {
         Ok(output) => String::from_utf8(output.stdout).unwrap(),
         Err(err) => {
-            println!("cargo:warning={}", err);
+            println!("cargo:warning={err}");
             "".to_string()
         }
     };
-    println!("cargo:rustc-env={}={}", name, value);
+    println!("cargo:rustc-env={name}={value}");
 }
 
 fn version() -> String {

linkerd/app/core/src/classify.rs

@@ -1,5 +1,4 @@
 use crate::profiles;
-pub use classify::gate;
 use linkerd_error::Error;
 use linkerd_proxy_client_policy as client_policy;
 use linkerd_proxy_http::{classify, HasH2Reason, ResponseTimeoutError};
@@ -214,7 +213,7 @@ fn h2_error(err: &Error) -> String {
     if let Some(reason) = err.h2_reason() {
         // This should output the error code in the same format as the spec,
         // for example: PROTOCOL_ERROR
-        format!("h2({:?})", reason)
+        format!("h2({reason:?})")
     } else {
         trace!("classifying found non-h2 error: {:?}", err);
         String::from("unclassified")

linkerd/app/core/src/config.rs

@@ -1,7 +1,7 @@
 pub use crate::exp_backoff::ExponentialBackoff;
 use crate::{
-    proxy::http::{self, h1, h2},
-    svc::{queue, CloneParam, ExtractParam, Param},
+    proxy::http::{h1, h2},
+    svc::{queue, ExtractParam, Param},
     transport::{DualListenAddr, Keepalive, ListenAddr, UserTimeout},
 };
 use std::time::Duration;
@@ -59,14 +59,6 @@ impl<T> ExtractParam<queue::Timeout, T> for QueueConfig {
     }
 }
 
-// === impl ProxyConfig ===
-
-impl ProxyConfig {
-    pub fn detect_http(&self) -> CloneParam<linkerd_detect::Config<http::DetectHttp>> {
-        linkerd_detect::Config::from_timeout(self.detect_protocol_timeout).into()
-    }
-}
-
 // === impl ServerConfig ===
 
 impl Param<DualListenAddr> for ServerConfig {

linkerd/app/core/src/control.rs

@@ -69,8 +69,10 @@ impl fmt::Display for ControlAddr {
     }
 }
 
-pub type RspBody =
-    linkerd_http_metrics::requests::ResponseBody<http::balance::Body<hyper::Body>, classify::Eos>;
+pub type RspBody = linkerd_http_metrics::requests::ResponseBody<
+    http::balance::Body<hyper::body::Incoming>,
+    classify::Eos,
+>;
 
 #[derive(Clone, Debug, Default)]
 pub struct Metrics {
@@ -99,7 +101,7 @@ impl Config {
         identity: identity::NewClient,
     ) -> svc::ArcNewService<
         (),
-        svc::BoxCloneSyncService<http::Request<tonic::body::BoxBody>, http::Response<RspBody>>,
+        svc::BoxCloneSyncService<http::Request<tonic::body::Body>, http::Response<RspBody>>,
     > {
         let addr = self.addr;
         tracing::trace!(%addr, "Building");
@@ -112,7 +114,7 @@ impl Config {
                 warn!(error, "Failed to resolve control-plane component");
                 if let Some(e) = crate::errors::cause_ref::<dns::ResolveError>(&*error) {
                     if let Some(ttl) = e.negative_ttl() {
-                        return Ok(Either::Left(
+                        return Ok::<_, Error>(Either::Left(
                             IntervalStream::new(time::interval(ttl)).map(|_| ()),
                         ));
                     }
@@ -129,9 +131,9 @@ impl Config {
             self.connect.user_timeout,
         ))
         .push(tls::Client::layer(identity))
-        .push_connect_timeout(self.connect.timeout)
+        .push_connect_timeout(self.connect.timeout) // Client<NewClient, ConnectTcp>
         .push_map_target(|(_version, target)| target)
-        .push(self::client::layer(self.connect.http2))
+        .push(self::client::layer::<_, _>(self.connect.http2))
         .push_on_service(svc::MapErr::layer_boxed())
         .into_new_service();
 

linkerd/app/core/src/dns.rs

@@ -1,25 +1,50 @@
-pub use linkerd_dns::*;
-use std::path::PathBuf;
+use self::metrics::Labels;
+use linkerd_metrics::prom::{Counter, Family, Registry};
 use std::time::Duration;
 
+pub use linkerd_dns::*;
+
+mod metrics;
+
 #[derive(Clone, Debug)]
 pub struct Config {
     pub min_ttl: Option<Duration>,
     pub max_ttl: Option<Duration>,
-    pub resolv_conf_path: PathBuf,
 }
 
 pub struct Dns {
-    pub resolver: Resolver,
+    resolver: Resolver,
+    resolutions: Family<Labels, Counter>,
+}
+
+// === impl Dns ===
+
+impl Dns {
+    /// Returns a new [`Resolver`].
+    pub fn resolver(&self, client: &'static str) -> Resolver {
+        let metrics = self.metrics(client);
+
+        self.resolver.clone().with_metrics(metrics)
+    }
 }
 
 // === impl Config ===
 
 impl Config {
-    pub fn build(self) -> Dns {
+    pub fn build(self, registry: &mut Registry) -> Dns {
+        let resolutions = Family::default();
+        registry.register(
+            "resolutions",
+            "Counts the number of DNS records that have been resolved.",
+            resolutions.clone(),
+        );
+
         let resolver =
             Resolver::from_system_config_with(&self).expect("system DNS config must be valid");
-        Dns { resolver }
+        Dns {
+            resolver,
+            resolutions,
+        }
     }
 }
 

linkerd/app/core/src/dns/metrics.rs

@@ -0,0 +1,115 @@
+use super::{Dns, Metrics};
+use linkerd_metrics::prom::encoding::{
+    EncodeLabel, EncodeLabelSet, EncodeLabelValue, LabelSetEncoder, LabelValueEncoder,
+};
+use std::fmt::{Display, Write};
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+pub(super) struct Labels {
+    client: &'static str,
+    record_type: RecordType,
+    result: Outcome,
+}
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+enum RecordType {
+    A,
+    Srv,
+}
+
+#[derive(Clone, Debug, Eq, Hash, PartialEq)]
+enum Outcome {
+    Ok,
+    NotFound,
+}
+
+// === impl Dns ===
+
+impl Dns {
+    pub(super) fn metrics(&self, client: &'static str) -> Metrics {
+        let family = &self.resolutions;
+
+        let a_records_resolved = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::A,
+            result: Outcome::Ok,
+        }))
+        .clone();
+        let a_records_not_found = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::A,
+            result: Outcome::NotFound,
+        }))
+        .clone();
+        let srv_records_resolved = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::Srv,
+            result: Outcome::Ok,
+        }))
+        .clone();
+        let srv_records_not_found = (*family.get_or_create(&Labels {
+            client,
+            record_type: RecordType::Srv,
+            result: Outcome::NotFound,
+        }))
+        .clone();
+
+        Metrics {
+            a_records_resolved,
+            a_records_not_found,
+            srv_records_resolved,
+            srv_records_not_found,
+        }
+    }
+}
+// === impl Labels ===
+
+impl EncodeLabelSet for Labels {
+    fn encode(&self, mut encoder: LabelSetEncoder<'_>) -> Result<(), std::fmt::Error> {
+        let Self {
+            client,
+            record_type,
+            result,
+        } = self;
+
+        ("client", *client).encode(encoder.encode_label())?;
+        ("record_type", record_type).encode(encoder.encode_label())?;
+        ("result", result).encode(encoder.encode_label())?;
+
+        Ok(())
+    }
+}
+
+// === impl Outcome ===
+
+impl EncodeLabelValue for &Outcome {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), std::fmt::Error> {
+        encoder.write_str(self.to_string().as_str())
+    }
+}
+
+impl Display for Outcome {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(match self {
+            Self::Ok => "ok",
+            Self::NotFound => "not_found",
+        })
+    }
+}
+
+// === impl RecordType ===
+
+impl EncodeLabelValue for &RecordType {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), std::fmt::Error> {
+        encoder.write_str(self.to_string().as_str())
+    }
+}
+
+impl Display for RecordType {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.write_str(match self {
+            Self::A => "A/AAAA",
+            Self::Srv => "SRV",
+        })
+    }
+}

linkerd/app/core/src/errors/body.rs

@@ -2,7 +2,8 @@ use super::{
     header::{GRPC_MESSAGE, GRPC_STATUS},
     respond::{HttpRescue, SyntheticHttpResponse},
 };
-use http::{header::HeaderValue, HeaderMap};
+use http::header::HeaderValue;
+use http_body::Frame;
 use linkerd_error::{Error, Result};
 use pin_project::pin_project;
 use std::{
@@ -31,7 +32,7 @@ enum Inner<R, B> {
         emit_headers: bool,
     },
     /// The underlying body `B` yielded an error and was "rescued".
-    Rescued { trailers: Option<http::HeaderMap> },
+    Rescued,
 }
 
 // === impl ResponseBody ===
@@ -66,41 +67,28 @@ where
     type Data = B::Data;
     type Error = B::Error;
 
-    fn poll_data(
+    fn poll_frame(
         mut self: Pin<&mut Self>,
         cx: &mut Context<'_>,
-    ) -> Poll<Option<Result<Self::Data, Self::Error>>> {
+    ) -> Poll<Option<std::result::Result<http_body::Frame<Self::Data>, Self::Error>>> {
         let ResponseBodyProj(inner) = self.as_mut().project();
         match inner.project() {
-            InnerProj::Passthru(inner) => inner.poll_data(cx),
-            InnerProj::Rescued { trailers: _ } => Poll::Ready(None),
+            InnerProj::Passthru(inner) => inner.poll_frame(cx),
             InnerProj::GrpcRescue {
                 inner,
                 rescue,
                 emit_headers,
-            } => match inner.poll_data(cx) {
+            } => match inner.poll_frame(cx) {
                 Poll::Ready(Some(Err(error))) => {
                     // The inner body has yielded an error, which we will try to rescue. If so,
-                    // store our synthetic trailers reporting the error.
+                    // yield synthetic trailers reporting the error.
                     let trailers = Self::rescue(error, rescue, *emit_headers)?;
-                    self.set_rescued(trailers);
-                    Poll::Ready(None)
+                    self.set(Self(Inner::Rescued));
+                    Poll::Ready(Some(Ok(Frame::trailers(trailers))))
                 }
-                data => data,
+                poll => poll,
             },
-        }
-    }
-
-    #[inline]
-    fn poll_trailers(
-        self: Pin<&mut Self>,
-        cx: &mut Context<'_>,
-    ) -> Poll<Result<Option<http::HeaderMap>, Self::Error>> {
-        let ResponseBodyProj(inner) = self.project();
-        match inner.project() {
-            InnerProj::Passthru(inner) => inner.poll_trailers(cx),
-            InnerProj::GrpcRescue { inner, .. } => inner.poll_trailers(cx),
-            InnerProj::Rescued { trailers } => Poll::Ready(Ok(trailers.take())),
+            InnerProj::Rescued => Poll::Ready(None),
         }
     }
 
@@ -110,7 +98,7 @@ where
         match inner {
             Inner::Passthru(inner) => inner.is_end_stream(),
             Inner::GrpcRescue { inner, .. } => inner.is_end_stream(),
-            Inner::Rescued { trailers } => trailers.is_none(),
+            Inner::Rescued => true,
         }
     }
 
@@ -120,7 +108,7 @@ where
         match inner {
             Inner::Passthru(inner) => inner.size_hint(),
             Inner::GrpcRescue { inner, .. } => inner.size_hint(),
-            Inner::Rescued { .. } => http_body::SizeHint::with_exact(0),
+            Inner::Rescued => http_body::SizeHint::with_exact(0),
         }
     }
 }
@@ -163,18 +151,6 @@ where
     }
 }
 
-impl<R, B> ResponseBody<R, B> {
-    /// Marks this body as "rescued".
-    ///
-    /// No more data frames will be yielded, and the given trailers will be returned when this
-    /// body is polled.
-    fn set_rescued(mut self: Pin<&mut Self>, trailers: HeaderMap) {
-        let trailers = Some(trailers);
-        let new = Self(Inner::Rescued { trailers });
-        self.set(new);
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -205,7 +181,7 @@ mod tests {
                 .then_yield_data(Poll::Ready(Some(Ok("inter".into()))))
                 .then_yield_data(Poll::Ready(Some(Err("an error midstream".into()))))
                 .then_yield_data(Poll::Ready(Some(Ok("rupted".into()))))
-                .then_yield_trailer(Poll::Ready(Ok(Some(trailers))));
+                .then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
             let rescue = MockRescue;
             let emit_headers = false;
             ResponseBody::grpc_rescue(inner, rescue, emit_headers)
@@ -235,7 +211,7 @@ mod tests {
                 .then_yield_data(Poll::Ready(Some(Ok("inter".into()))))
                 .then_yield_data(Poll::Ready(Some(Err("an error midstream".into()))))
                 .then_yield_data(Poll::Ready(Some(Ok("rupted".into()))))
-                .then_yield_trailer(Poll::Ready(Ok(Some(trailers))));
+                .then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
             let rescue = MockRescue;
             let emit_headers = true;
             ResponseBody::grpc_rescue(inner, rescue, emit_headers)
@@ -289,7 +265,7 @@ mod tests {
             trls
         };
         let rescue = {
-            let inner = MockBody::default().then_yield_trailer(Poll::Ready(Ok(Some(trailers))));
+            let inner = MockBody::default().then_yield_trailer(Poll::Ready(Some(Ok(trailers))));
             let rescue = MockRescue;
             let emit_headers = false;
             ResponseBody::grpc_rescue(inner, rescue, emit_headers)
@@ -299,12 +275,13 @@ mod tests {
         assert_eq!(trailers.expect("has trailers")["trailer"], "caboose");
     }
 
-    async fn body_to_string<B>(body: B) -> (String, Option<HeaderMap>)
+    async fn body_to_string<B>(mut body: B) -> (String, Option<HeaderMap>)
     where
         B: http_body::Body + Unpin,
         B::Error: std::fmt::Debug,
     {
-        let mut body = linkerd_http_body_compat::ForwardCompatibleBody::new(body);
+        use http_body_util::BodyExt;
+
         let mut data = String::new();
         let mut trailers = None;
 

linkerd/app/core/src/lib.rs

@@ -25,6 +25,7 @@ pub mod metrics;
 pub mod proxy;
 pub mod serve;
 pub mod svc;
+pub mod tls_info;
 pub mod transport;
 
 pub use self::build_info::{BuildInfo, BUILD_INFO};
@@ -32,7 +33,6 @@ pub use drain;
 pub use ipnet::{IpNet, Ipv4Net, Ipv6Net};
 pub use linkerd_addr::{self as addr, Addr, AddrMatch, IpMatch, NameAddr, NameMatch};
 pub use linkerd_conditional::Conditional;
-pub use linkerd_detect as detect;
 pub use linkerd_dns;
 pub use linkerd_error::{cause_ref, is_caused_by, Error, Infallible, Recover, Result};
 pub use linkerd_exp_backoff as exp_backoff;

linkerd/app/core/src/metrics.rs

@@ -15,7 +15,7 @@ use crate::{
 use linkerd_addr::Addr;
 pub use linkerd_metrics::*;
 use linkerd_proxy_server_policy as policy;
-use prometheus_client::encoding::EncodeLabelValue;
+use prometheus_client::encoding::{EncodeLabelSet, EncodeLabelValue};
 use std::{
     fmt::{self, Write},
     net::SocketAddr,
@@ -54,7 +54,7 @@ pub struct Proxy {
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct ControlLabels {
     addr: Addr,
-    server_id: tls::ConditionalClientTls,
+    server_id: tls::ConditionalClientTlsLabels,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
@@ -65,14 +65,15 @@ pub enum EndpointLabels {
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct InboundEndpointLabels {
-    pub tls: tls::ConditionalServerTls,
+    pub tls: tls::ConditionalServerTlsLabels,
+    pub authority: Option<http::uri::Authority>,
     pub target_addr: SocketAddr,
     pub policy: RouteAuthzLabels,
 }
 
 /// A label referencing an inbound `Server` (i.e. for policy).
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub struct ServerLabel(pub Arc<policy::Meta>);
+pub struct ServerLabel(pub Arc<policy::Meta>, pub u16);
 
 /// Labels referencing an inbound server and authorization.
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
@@ -97,7 +98,7 @@ pub struct RouteAuthzLabels {
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct OutboundEndpointLabels {
-    pub server_id: tls::ConditionalClientTls,
+    pub server_id: tls::ConditionalClientTlsLabels,
     pub authority: Option<http::uri::Authority>,
     pub labels: Option<String>,
     pub zone_locality: OutboundZoneLocality,
@@ -154,10 +155,10 @@ where
     I: Iterator<Item = (&'i String, &'i String)>,
 {
     let (k0, v0) = labels_iter.next()?;
-    let mut out = format!("{}_{}=\"{}\"", prefix, k0, v0);
+    let mut out = format!("{prefix}_{k0}=\"{v0}\"");
 
     for (k, v) in labels_iter {
-        write!(out, ",{}_{}=\"{}\"", prefix, k, v).expect("label concat must succeed");
+        write!(out, ",{prefix}_{k}=\"{v}\"").expect("label concat must succeed");
     }
     Some(out)
 }
@@ -165,7 +166,7 @@ where
 // === impl Metrics ===
 
 impl Metrics {
-    pub fn new(retain_idle: Duration) -> (Self, impl FmtMetrics + Clone + Send + 'static) {
+    pub fn new(retain_idle: Duration) -> (Self, impl legacy::FmtMetrics + Clone + Send + 'static) {
         let (control, control_report) = {
             let m = http_metrics::Requests::<ControlLabels, Class>::default();
             let r = m.clone().into_report(retain_idle).with_prefix("control");
@@ -222,6 +223,7 @@ impl Metrics {
             opentelemetry,
         };
 
+        use legacy::FmtMetrics as _;
         let report = endpoint_report
             .and_report(profile_route_report)
             .and_report(retry_report)
@@ -242,15 +244,17 @@ impl svc::Param<ControlLabels> for control::ControlAddr {
     fn param(&self) -> ControlLabels {
         ControlLabels {
             addr: self.addr.clone(),
-            server_id: self.identity.clone(),
+            server_id: self.identity.as_ref().map(tls::ClientTls::labels),
         }
     }
 }
 
-impl FmtLabels for ControlLabels {
+impl legacy::FmtLabels for ControlLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "addr=\"{}\",", self.addr)?;
-        TlsConnect::from(&self.server_id).fmt_labels(f)?;
+        let Self { addr, server_id } = self;
+
+        write!(f, "addr=\"{addr}\",")?;
+        TlsConnect::from(server_id).fmt_labels(f)?;
 
         Ok(())
     }
@@ -278,13 +282,19 @@ impl ProfileRouteLabels {
     }
 }
 
-impl FmtLabels for ProfileRouteLabels {
+impl legacy::FmtLabels for ProfileRouteLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
-        write!(f, ",dst=\"{}\"", self.addr)?;
+        let Self {
+            direction,
+            addr,
+            labels,
+        } = self;
 
-        if let Some(labels) = self.labels.as_ref() {
-            write!(f, ",{}", labels)?;
+        direction.fmt_labels(f)?;
+        write!(f, ",dst=\"{addr}\"")?;
+
+        if let Some(labels) = labels.as_ref() {
+            write!(f, ",{labels}")?;
         }
 
         Ok(())
@@ -305,7 +315,7 @@ impl From<OutboundEndpointLabels> for EndpointLabels {
     }
 }
 
-impl FmtLabels for EndpointLabels {
+impl legacy::FmtLabels for EndpointLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match self {
             Self::Inbound(i) => (Direction::In, i).fmt_labels(f),
@@ -314,65 +324,98 @@ impl FmtLabels for EndpointLabels {
     }
 }
 
-impl FmtLabels for InboundEndpointLabels {
+impl legacy::FmtLabels for InboundEndpointLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        (
-            (TargetAddr(self.target_addr), TlsAccept::from(&self.tls)),
-            &self.policy,
-        )
-            .fmt_labels(f)?;
+        let Self {
+            tls,
+            authority,
+            target_addr,
+            policy,
+        } = self;
+
+        if let Some(a) = authority.as_ref() {
+            Authority(a).fmt_labels(f)?;
+            write!(f, ",")?;
+        }
+
+        ((TargetAddr(*target_addr), TlsAccept::from(tls)), policy).fmt_labels(f)?;
 
         Ok(())
     }
 }
 
-impl FmtLabels for ServerLabel {
+impl legacy::FmtLabels for ServerLabel {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self(meta, port) = self;
         write!(
             f,
-            "srv_group=\"{}\",srv_kind=\"{}\",srv_name=\"{}\"",
-            self.0.group(),
-            self.0.kind(),
-            self.0.name()
+            "srv_group=\"{}\",srv_kind=\"{}\",srv_name=\"{}\",srv_port=\"{}\"",
+            meta.group(),
+            meta.kind(),
+            meta.name(),
+            port
         )
     }
 }
 
-impl FmtLabels for ServerAuthzLabels {
+impl EncodeLabelSet for ServerLabel {
+    fn encode(&self, mut enc: prometheus_client::encoding::LabelSetEncoder<'_>) -> fmt::Result {
+        prom::EncodeLabelSetMut::encode_label_set(self, &mut enc)
+    }
+}
+
+impl prom::EncodeLabelSetMut for ServerLabel {
+    fn encode_label_set(&self, enc: &mut prom::encoding::LabelSetEncoder<'_>) -> fmt::Result {
+        use prometheus_client::encoding::EncodeLabel;
+        ("srv_group", self.0.group()).encode(enc.encode_label())?;
+        ("srv_kind", self.0.kind()).encode(enc.encode_label())?;
+        ("srv_name", self.0.name()).encode(enc.encode_label())?;
+        ("srv_port", self.1).encode(enc.encode_label())?;
+        Ok(())
+    }
+}
+
+impl legacy::FmtLabels for ServerAuthzLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.server.fmt_labels(f)?;
+        let Self { server, authz } = self;
+
+        server.fmt_labels(f)?;
         write!(
             f,
             ",authz_group=\"{}\",authz_kind=\"{}\",authz_name=\"{}\"",
-            self.authz.group(),
-            self.authz.kind(),
-            self.authz.name()
+            authz.group(),
+            authz.kind(),
+            authz.name()
         )
     }
 }
 
-impl FmtLabels for RouteLabels {
+impl legacy::FmtLabels for RouteLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.server.fmt_labels(f)?;
+        let Self { server, route } = self;
+
+        server.fmt_labels(f)?;
         write!(
             f,
             ",route_group=\"{}\",route_kind=\"{}\",route_name=\"{}\"",
-            self.route.group(),
-            self.route.kind(),
-            self.route.name(),
+            route.group(),
+            route.kind(),
+            route.name(),
         )
     }
 }
 
-impl FmtLabels for RouteAuthzLabels {
+impl legacy::FmtLabels for RouteAuthzLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.route.fmt_labels(f)?;
+        let Self { route, authz } = self;
+
+        route.fmt_labels(f)?;
         write!(
             f,
             ",authz_group=\"{}\",authz_kind=\"{}\",authz_name=\"{}\"",
-            self.authz.group(),
-            self.authz.kind(),
-            self.authz.name(),
+            authz.group(),
+            authz.kind(),
+            authz.name(),
         )
     }
 }
@@ -383,19 +426,28 @@ impl svc::Param<OutboundZoneLocality> for OutboundEndpointLabels {
     }
 }
 
-impl FmtLabels for OutboundEndpointLabels {
+impl legacy::FmtLabels for OutboundEndpointLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        if let Some(a) = self.authority.as_ref() {
+        let Self {
+            server_id,
+            authority,
+            labels,
+            // TODO(kate): this label is not currently emitted.
+            zone_locality: _,
+            target_addr,
+        } = self;
+
+        if let Some(a) = authority.as_ref() {
             Authority(a).fmt_labels(f)?;
             write!(f, ",")?;
         }
 
-        let ta = TargetAddr(self.target_addr);
-        let tls = TlsConnect::from(&self.server_id);
+        let ta = TargetAddr(*target_addr);
+        let tls = TlsConnect::from(server_id);
         (ta, tls).fmt_labels(f)?;
 
-        if let Some(labels) = self.labels.as_ref() {
-            write!(f, ",{}", labels)?;
+        if let Some(labels) = labels.as_ref() {
+            write!(f, ",{labels}")?;
         }
 
         Ok(())
@@ -411,19 +463,20 @@ impl fmt::Display for Direction {
     }
 }
 
-impl FmtLabels for Direction {
+impl legacy::FmtLabels for Direction {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "direction=\"{}\"", self)
+        write!(f, "direction=\"{self}\"")
     }
 }
 
-impl FmtLabels for Authority<'_> {
+impl legacy::FmtLabels for Authority<'_> {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "authority=\"{}\"", self.0)
+        let Self(authority) = self;
+        write!(f, "authority=\"{authority}\"")
     }
 }
 
-impl FmtLabels for Class {
+impl legacy::FmtLabels for Class {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         let class = |ok: bool| if ok { "success" } else { "failure" };
 
@@ -445,8 +498,7 @@ impl FmtLabels for Class {
 
             Class::Error(msg) => write!(
                 f,
-                "classification=\"failure\",grpc_status=\"\",error=\"{}\"",
-                msg
+                "classification=\"failure\",grpc_status=\"\",error=\"{msg}\""
             ),
         }
     }
@@ -472,9 +524,15 @@ impl StackLabels {
     }
 }
 
-impl FmtLabels for StackLabels {
+impl legacy::FmtLabels for StackLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
-        write!(f, ",protocol=\"{}\",name=\"{}\"", self.protocol, self.name)
+        let Self {
+            direction,
+            protocol,
+            name,
+        } = self;
+
+        direction.fmt_labels(f)?;
+        write!(f, ",protocol=\"{protocol}\",name=\"{name}\"")
     }
 }

linkerd/app/core/src/tls_info.rs

@@ -0,0 +1,70 @@
+use linkerd_metrics::prom;
+use prometheus_client::encoding::{EncodeLabelSet, EncodeLabelValue, LabelValueEncoder};
+use std::{
+    fmt::{Error, Write},
+    sync::{Arc, OnceLock},
+};
+
+static TLS_INFO: OnceLock<Arc<TlsInfo>> = OnceLock::new();
+
+#[derive(Clone, Debug, Default, Hash, PartialEq, Eq, EncodeLabelSet)]
+pub struct TlsInfo {
+    tls_suites: MetricValueList,
+    tls_kx_groups: MetricValueList,
+    tls_rand: String,
+    tls_key_provider: String,
+    tls_fips: bool,
+}
+
+#[derive(Clone, Debug, Default, Hash, PartialEq, Eq)]
+struct MetricValueList {
+    values: Vec<&'static str>,
+}
+
+impl FromIterator<&'static str> for MetricValueList {
+    fn from_iter<T: IntoIterator<Item = &'static str>>(iter: T) -> Self {
+        MetricValueList {
+            values: iter.into_iter().collect(),
+        }
+    }
+}
+
+impl EncodeLabelValue for MetricValueList {
+    fn encode(&self, encoder: &mut LabelValueEncoder<'_>) -> Result<(), Error> {
+        for value in &self.values {
+            value.encode(encoder)?;
+            encoder.write_char(',')?;
+        }
+        Ok(())
+    }
+}
+
+pub fn metric() -> prom::Family<TlsInfo, prom::ConstGauge> {
+    let fam = prom::Family::<TlsInfo, prom::ConstGauge>::new_with_constructor(|| {
+        prom::ConstGauge::new(1)
+    });
+
+    let tls_info = TLS_INFO.get_or_init(|| {
+        let provider = linkerd_rustls::get_default_provider();
+
+        let tls_suites = provider
+            .cipher_suites
+            .iter()
+            .flat_map(|cipher_suite| cipher_suite.suite().as_str())
+            .collect::<MetricValueList>();
+        let tls_kx_groups = provider
+            .kx_groups
+            .iter()
+            .flat_map(|suite| suite.name().as_str())
+            .collect::<MetricValueList>();
+        Arc::new(TlsInfo {
+            tls_suites,
+            tls_kx_groups,
+            tls_rand: format!("{:?}", provider.secure_random),
+            tls_key_provider: format!("{:?}", provider.key_provider),
+            tls_fips: provider.fips(),
+        })
+    });
+    let _ = fam.get_or_create(tls_info);
+    fam
+}

linkerd/app/core/src/transport/labels.rs

@@ -1,7 +1,7 @@
 use crate::metrics::ServerLabel as PolicyServerLabel;
 pub use crate::metrics::{Direction, OutboundEndpointLabels};
 use linkerd_conditional::Conditional;
-use linkerd_metrics::FmtLabels;
+use linkerd_metrics::legacy::FmtLabels;
 use linkerd_tls as tls;
 use std::{fmt, net::SocketAddr};
 
@@ -20,16 +20,16 @@ pub enum Key {
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
 pub struct ServerLabels {
     direction: Direction,
-    tls: tls::ConditionalServerTls,
+    tls: tls::ConditionalServerTlsLabels,
     target_addr: SocketAddr,
     policy: Option<PolicyServerLabel>,
 }
 
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub struct TlsAccept<'t>(pub &'t tls::ConditionalServerTls);
+pub struct TlsAccept<'t>(pub &'t tls::ConditionalServerTlsLabels);
 
 #[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub(crate) struct TlsConnect<'t>(&'t tls::ConditionalClientTls);
+pub(crate) struct TlsConnect<'t>(pub &'t tls::ConditionalClientTlsLabels);
 
 #[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
 pub struct TargetAddr(pub SocketAddr);
@@ -38,7 +38,7 @@ pub struct TargetAddr(pub SocketAddr);
 
 impl Key {
     pub fn inbound_server(
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
         target_addr: SocketAddr,
         server: PolicyServerLabel,
     ) -> Self {
@@ -62,7 +62,7 @@ impl FmtLabels for Key {
             }
 
             Self::InboundClient => {
-                const NO_TLS: tls::client::ConditionalClientTls =
+                const NO_TLS: tls::client::ConditionalClientTlsLabels =
                     Conditional::None(tls::NoClientTls::Loopback);
 
                 Direction::In.fmt_labels(f)?;
@@ -75,7 +75,7 @@ impl FmtLabels for Key {
 
 impl ServerLabels {
     fn inbound(
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
         target_addr: SocketAddr,
         policy: PolicyServerLabel,
     ) -> Self {
@@ -90,7 +90,7 @@ impl ServerLabels {
     fn outbound(target_addr: SocketAddr) -> Self {
         ServerLabels {
             direction: Direction::Out,
-            tls: tls::ConditionalServerTls::None(tls::NoServerTls::Loopback),
+            tls: tls::ConditionalServerTlsLabels::None(tls::NoServerTls::Loopback),
             target_addr,
             policy: None,
         }
@@ -99,14 +99,17 @@ impl ServerLabels {
 
 impl FmtLabels for ServerLabels {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        self.direction.fmt_labels(f)?;
+        let Self {
+            direction,
+            tls,
+            target_addr,
+            policy,
+        } = self;
+
+        direction.fmt_labels(f)?;
         f.write_str(",peer=\"src\",")?;
 
-        (
-            (TargetAddr(self.target_addr), TlsAccept(&self.tls)),
-            self.policy.as_ref(),
-        )
-            .fmt_labels(f)?;
+        ((TargetAddr(*target_addr), TlsAccept(tls)), policy.as_ref()).fmt_labels(f)?;
 
         Ok(())
     }
@@ -114,27 +117,28 @@ impl FmtLabels for ServerLabels {
 
 // === impl TlsAccept ===
 
-impl<'t> From<&'t tls::ConditionalServerTls> for TlsAccept<'t> {
-    fn from(c: &'t tls::ConditionalServerTls) -> Self {
+impl<'t> From<&'t tls::ConditionalServerTlsLabels> for TlsAccept<'t> {
+    fn from(c: &'t tls::ConditionalServerTlsLabels) -> Self {
         TlsAccept(c)
     }
 }
 
 impl FmtLabels for TlsAccept<'_> {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self.0 {
+        let Self(tls) = self;
+        match tls {
             Conditional::None(tls::NoServerTls::Disabled) => {
                 write!(f, "tls=\"disabled\"")
             }
             Conditional::None(why) => {
-                write!(f, "tls=\"no_identity\",no_tls_reason=\"{}\"", why)
+                write!(f, "tls=\"no_identity\",no_tls_reason=\"{why}\"")
             }
-            Conditional::Some(tls::ServerTls::Established { client_id, .. }) => match client_id {
-                Some(id) => write!(f, "tls=\"true\",client_id=\"{}\"", id),
+            Conditional::Some(tls::ServerTlsLabels::Established { client_id }) => match client_id {
+                Some(id) => write!(f, "tls=\"true\",client_id=\"{id}\""),
                 None => write!(f, "tls=\"true\",client_id=\"\""),
             },
-            Conditional::Some(tls::ServerTls::Passthru { sni }) => {
-                write!(f, "tls=\"opaque\",sni=\"{}\"", sni)
+            Conditional::Some(tls::ServerTlsLabels::Passthru { sni }) => {
+                write!(f, "tls=\"opaque\",sni=\"{sni}\"")
             }
         }
     }
@@ -142,23 +146,25 @@ impl FmtLabels for TlsAccept<'_> {
 
 // === impl TlsConnect ===
 
-impl<'t> From<&'t tls::ConditionalClientTls> for TlsConnect<'t> {
-    fn from(s: &'t tls::ConditionalClientTls) -> Self {
+impl<'t> From<&'t tls::ConditionalClientTlsLabels> for TlsConnect<'t> {
+    fn from(s: &'t tls::ConditionalClientTlsLabels) -> Self {
         TlsConnect(s)
     }
 }
 
 impl FmtLabels for TlsConnect<'_> {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self.0 {
+        let Self(tls) = self;
+
+        match tls {
             Conditional::None(tls::NoClientTls::Disabled) => {
                 write!(f, "tls=\"disabled\"")
             }
             Conditional::None(why) => {
-                write!(f, "tls=\"no_identity\",no_tls_reason=\"{}\"", why)
+                write!(f, "tls=\"no_identity\",no_tls_reason=\"{why}\"")
             }
-            Conditional::Some(tls::ClientTls { server_id, .. }) => {
-                write!(f, "tls=\"true\",server_id=\"{}\"", server_id)
+            Conditional::Some(tls::ClientTlsLabels { server_id }) => {
+                write!(f, "tls=\"true\",server_id=\"{server_id}\"")
             }
         }
     }
@@ -168,12 +174,13 @@ impl FmtLabels for TlsConnect<'_> {
 
 impl FmtLabels for TargetAddr {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let Self(target_addr) = self;
         write!(
             f,
             "target_addr=\"{}\",target_ip=\"{}\",target_port=\"{}\"",
-            self.0,
-            self.0.ip(),
-            self.0.port()
+            target_addr,
+            target_addr.ip(),
+            target_addr.port()
         )
     }
 }
@@ -194,23 +201,25 @@ mod tests {
         use std::sync::Arc;
 
         let labels = ServerLabels::inbound(
-            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
+            tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
                 client_id: Some("foo.id.example.com".parse().unwrap()),
-                negotiated_protocol: None,
             }),
             ([192, 0, 2, 4], 40000).into(),
-            PolicyServerLabel(Arc::new(Meta::Resource {
-                group: "policy.linkerd.io".into(),
-                kind: "server".into(),
-                name: "testserver".into(),
-            })),
+            PolicyServerLabel(
+                Arc::new(Meta::Resource {
+                    group: "policy.linkerd.io".into(),
+                    kind: "server".into(),
+                    name: "testserver".into(),
+                }),
+                40000,
+            ),
         );
         assert_eq!(
             labels.to_string(),
             "direction=\"inbound\",peer=\"src\",\
             target_addr=\"192.0.2.4:40000\",target_ip=\"192.0.2.4\",target_port=\"40000\",\
             tls=\"true\",client_id=\"foo.id.example.com\",\
-            srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testserver\""
+            srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testserver\",srv_port=\"40000\""
         );
     }
 }

linkerd/app/gateway/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-gateway"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [dependencies]
 http = { workspace = true }
@@ -17,8 +17,8 @@ once_cell = "1"
 thiserror = "2"
 tokio = { version = "1", features = ["sync"] }
 tonic = { workspace = true, default-features = false }
-tower = { version = "0.4", default-features = false }
-tracing = "0.1"
+tower = { workspace = true, default-features = false }
+tracing = { workspace = true }
 
 [dev-dependencies]
 linkerd-app-inbound = { path = "../inbound", features = ["test-util"] }
@@ -26,6 +26,6 @@ linkerd-app-outbound = { path = "../outbound", features = ["test-util"] }
 linkerd-proxy-server-policy = { path = "../../proxy/server-policy" }
 tokio = { version = "1", features = ["rt", "macros"] }
 tokio-test = "0.4"
-tower = { version = "0.4", default-features = false, features = ["util"] }
-tower-test = "0.4"
+tower = { workspace = true, default-features = false, features = ["util"] }
+tower-test = { workspace = true }
 linkerd-app-test = { path = "../test" }

linkerd/app/gateway/src/discover.rs

@@ -90,7 +90,7 @@ impl Gateway {
                                 detect_timeout,
                                 queue,
                                 addr,
-                                meta,
+                                meta.into(),
                             ),
                             None => {
                                 tracing::debug!(

linkerd/app/gateway/src/http.rs

@@ -153,7 +153,7 @@ fn mk_routes(profile: &profiles::Profile) -> Option<outbound::http::Routes> {
     if let Some((addr, metadata)) = profile.endpoint.clone() {
         return Some(outbound::http::Routes::Endpoint(
             Remote(ServerAddr(addr)),
-            metadata,
+            metadata.into(),
         ));
     }
 

linkerd/app/gateway/src/http/tests.rs

@@ -62,7 +62,7 @@ async fn upgraded_request_remains_relative_form() {
 
     impl svc::Param<ServerLabel> for Target {
         fn param(&self) -> ServerLabel {
-            ServerLabel(policy::Meta::new_default("test"))
+            ServerLabel(policy::Meta::new_default("test"), 4143)
         }
     }
 

linkerd/app/gateway/src/server.rs

@@ -64,10 +64,10 @@ impl Gateway {
                             SessionProtocol::Http1 => http::Variant::Http1,
                             SessionProtocol::Http2 => http::Variant::H2,
                         };
-                        return Ok(svc::Either::A(Http { parent, version }));
+                        return Ok(svc::Either::Left(Http { parent, version }));
                     }
 
-                    Ok(svc::Either::B(Opaq(parent)))
+                    Ok(svc::Either::Right(Opaq(parent)))
                 },
                 opaq,
             )

linkerd/app/inbound/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-inbound"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Configures and runs the inbound proxy
 """
@@ -13,8 +13,7 @@ Configures and runs the inbound proxy
 test-util = [
     "linkerd-app-test",
     "linkerd-idle-cache/test-util",
-    "linkerd-meshtls/rustls",
-    "linkerd-meshtls-rustls/test-util",
+    "linkerd-meshtls/test-util",
 ]
 
 [dependencies]
@@ -25,8 +24,7 @@ linkerd-app-core = { path = "../core" }
 linkerd-app-test = { path = "../test", optional = true }
 linkerd-http-access-log = { path = "../../http/access-log" }
 linkerd-idle-cache = { path = "../../idle-cache" }
-linkerd-meshtls = { path = "../../meshtls", optional = true }
-linkerd-meshtls-rustls = { path = "../../meshtls/rustls", optional = true }
+linkerd-meshtls = { path = "../../meshtls", optional = true, default-features = false }
 linkerd-proxy-client-policy = { path = "../../proxy/client-policy" }
 linkerd-tonic-stream = { path = "../../tonic-stream" }
 linkerd-tonic-watch = { path = "../../tonic-watch" }
@@ -37,30 +35,32 @@ rangemap = "1"
 thiserror = "2"
 tokio = { version = "1", features = ["sync"] }
 tonic = { workspace = true, default-features = false }
-tower = { version = "0.4", features = ["util"] }
-tracing = "0.1"
+tower = { workspace = true, features = ["util"] }
+tracing = { workspace = true }
 
 [dependencies.linkerd-proxy-server-policy]
 path = "../../proxy/server-policy"
 features = ["proto"]
 
 [target.'cfg(fuzzing)'.dependencies]
-hyper = { workspace = true, features = ["deprecated", "http1", "http2"] }
+hyper = { workspace = true, features = ["http1", "http2"] }
 linkerd-app-test = { path = "../test" }
 arbitrary = { version = "1", features = ["derive"] }
 libfuzzer-sys = { version = "0.4", features = ["arbitrary-derive"] }
-linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = [
+linkerd-meshtls = { path = "../../meshtls", features = [
     "test-util",
 ] }
 
 [dev-dependencies]
-hyper = { workspace = true, features = ["deprecated", "http1", "http2"] }
+http-body-util = { workspace = true }
+hyper = { workspace = true, features = ["http1", "http2"] }
+hyper-util = { workspace = true }
 linkerd-app-test = { path = "../test" }
 linkerd-http-metrics = { path = "../../http/metrics", features = ["test-util"] }
+linkerd-http-box = { path = "../../http/box" }
 linkerd-idle-cache = { path = "../../idle-cache", features = ["test-util"] }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-meshtls = { path = "../../meshtls", features = ["rustls"] }
-linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = [
+linkerd-meshtls = { path = "../../meshtls", features = [
     "test-util",
 ] }
 linkerd-proxy-server-policy = { path = "../../proxy/server-policy", features = [

linkerd/app/inbound/fuzz/Cargo.toml

@@ -1,9 +1,10 @@
 [package]
 name = "linkerd-app-inbound-fuzz"
-version = "0.0.0"
+version = { workspace = true }
 authors = ["Automatically generated"]
-publish = false
-edition = "2021"
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 
 [package.metadata]
 cargo-fuzz = true
@@ -17,13 +18,12 @@ linkerd-app-core = { path = "../../core" }
 linkerd-app-inbound = { path = ".." }
 linkerd-app-test = { path = "../../test" }
 linkerd-idle-cache = { path = "../../../idle-cache", features = ["test-util"] }
-linkerd-meshtls = { path = "../../../meshtls", features = ["rustls"] }
-linkerd-meshtls-rustls = { path = "../../../meshtls/rustls", features = [
+linkerd-meshtls = { path = "../../../meshtls", features = [
     "test-util",
 ] }
 linkerd-tracing = { path = "../../../tracing", features = ["ansi"] }
 tokio = { version = "1", features = ["full"] }
-tracing = "0.1"
+tracing = { workspace = true }
 
 # Prevent this from interfering with workspaces
 [workspace]

linkerd/app/inbound/src/accept.rs

@@ -53,12 +53,12 @@ impl<N> Inbound<N> {
                     move |t: T| -> Result<_, Error> {
                         let addr: OrigDstAddr = t.param();
                         if addr.port() == proxy_port {
-                            return Ok(svc::Either::B(t));
+                            return Ok(svc::Either::Right(t));
                         }
 
                         let policy = policies.get_policy(addr);
                         tracing::debug!(policy = ?&*policy.borrow(), "Accepted");
-                        Ok(svc::Either::A(Accept {
+                        Ok(svc::Either::Left(Accept {
                             client_addr: t.param(),
                             orig_dst_addr: addr,
                             policy,
@@ -182,7 +182,11 @@ mod tests {
     }
 
     fn inbound() -> Inbound<()> {
-        Inbound::new(test_util::default_config(), test_util::runtime().0)
+        Inbound::new(
+            test_util::default_config(),
+            test_util::runtime().0,
+            &mut Default::default(),
+        )
     }
 
     fn new_panic<T>(msg: &'static str) -> svc::ArcNewTcp<T, io::DuplexStream> {

linkerd/app/inbound/src/detect.rs

@@ -3,8 +3,8 @@ use crate::{
     Inbound,
 };
 use linkerd_app_core::{
-    detect, identity, io,
-    metrics::ServerLabel,
+    identity, io,
+    metrics::{prom, ServerLabel},
     proxy::http,
     svc, tls,
     transport::{
@@ -20,6 +20,10 @@ use tracing::info;
 #[cfg(test)]
 mod tests;
 
+#[derive(Clone, Debug)]
+pub struct MetricsFamilies(pub HttpDetectMetrics);
+pub type HttpDetectMetrics = http::DetectMetricsFamilies<ServerLabel>;
+
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub(crate) struct Forward {
     client_addr: Remote<ClientAddr>,
@@ -48,9 +52,6 @@ struct Detect {
     tls: Tls,
 }
 
-#[derive(Copy, Clone, Debug)]
-struct ConfigureHttpDetect;
-
 #[derive(Clone)]
 struct TlsParams {
     timeout: tls::server::Timeout,
@@ -64,7 +65,11 @@ type TlsIo<I> = tls::server::Io<identity::ServerIo<tls::server::DetectIo<I>>, I>
 impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
     /// Builds a stack that terminates mesh TLS and detects whether the traffic is HTTP (as hinted
     /// by policy).
-    pub(crate) fn push_detect<T, I, F, FSvc>(self, forward: F) -> Inbound<svc::ArcNewTcp<T, I>>
+    pub(crate) fn push_detect<T, I, F, FSvc>(
+        self,
+        MetricsFamilies(metrics): MetricsFamilies,
+        forward: F,
+    ) -> Inbound<svc::ArcNewTcp<T, I>>
     where
         T: svc::Param<OrigDstAddr> + svc::Param<Remote<ClientAddr>> + svc::Param<AllowPolicy>,
         T: Clone + Send + 'static,
@@ -75,14 +80,18 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
         FSvc::Error: Into<Error>,
         FSvc::Future: Send,
     {
-        self.push_detect_http(forward.clone())
+        self.push_detect_http(metrics, forward.clone())
             .push_detect_tls(forward)
     }
 
     /// Builds a stack that handles HTTP detection once TLS detection has been performed. If the
     /// connection is determined to be HTTP, the inner stack is used; otherwise the connection is
     /// passed to the provided 'forward' stack.
-    fn push_detect_http<I, F, FSvc>(self, forward: F) -> Inbound<svc::ArcNewTcp<Tls, I>>
+    fn push_detect_http<I, F, FSvc>(
+        self,
+        metrics: HttpDetectMetrics,
+        forward: F,
+    ) -> Inbound<svc::ArcNewTcp<Tls, I>>
     where
         I: io::AsyncRead + io::AsyncWrite + io::PeerAddr,
         I: Debug + Send + Sync + Unpin + 'static,
@@ -111,42 +120,59 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
                 .push_switch(
                     |(detected, Detect { tls, .. })| -> Result<_, Infallible> {
                         match detected {
-                            Ok(Some(http)) => Ok(svc::Either::A(Http { http, tls })),
-                            Ok(None) => Ok(svc::Either::B(tls)),
+                            http::Detection::Http(http) => {
+                                Ok(svc::Either::Left(Http { http, tls }))
+                            }
+                            http::Detection::NotHttp => Ok(svc::Either::Right(tls)),
                             // When HTTP detection fails, forward the connection to the application as
                             // an opaque TCP stream.
-                            Err(timeout) => match tls.policy.protocol() {
-                                Protocol::Http1 { .. } => {
-                                    // If the protocol was hinted to be HTTP/1.1 but detection
-                                    // failed, we'll usually be handling HTTP/1, but we may actually
-                                    // be handling HTTP/2 via protocol upgrade. Our options are:
-                                    // handle the connection as HTTP/1, assuming it will be rare for
-                                    // a proxy to initiate TLS, etc and not send the 16B of
-                                    // connection header; or we can handle it as opaque--but there's
-                                    // no chance the server will be able to handle the H2 protocol
-                                    // upgrade. So, it seems best to assume it's HTTP/1 and let the
-                                    // proxy handle the protocol error if we're in an edge case.
-                                    info!(%timeout, "Handling connection as HTTP/1 due to policy");
-                                    Ok(svc::Either::A(Http {
-                                        http: http::Variant::Http1,
-                                        tls,
-                                    }))
+                            http::Detection::ReadTimeout(timeout) => {
+                                match tls.policy.protocol() {
+                                    Protocol::Http1 { .. } => {
+                                        // If the protocol was hinted to be HTTP/1.1 but detection
+                                        // failed, we'll usually be handling HTTP/1, but we may actually
+                                        // be handling HTTP/2 via protocol upgrade. Our options are:
+                                        // handle the connection as HTTP/1, assuming it will be rare for
+                                        // a proxy to initiate TLS, etc and not send the 16B of
+                                        // connection header; or we can handle it as opaque--but there's
+                                        // no chance the server will be able to handle the H2 protocol
+                                        // upgrade. So, it seems best to assume it's HTTP/1 and let the
+                                        // proxy handle the protocol error if we're in an edge case.
+                                        info!(
+                                            ?timeout,
+                                            "Handling connection as HTTP/1 due to policy"
+                                        );
+                                        Ok(svc::Either::Left(Http {
+                                            http: http::Variant::Http1,
+                                            tls,
+                                        }))
+                                    }
+                                    // Otherwise, the protocol hint must have
+                                    // been `Detect` or the protocol was updated
+                                    // after detection was initiated, otherwise
+                                    // we would have avoided detection below.
+                                    // Continue handling the connection as if it
+                                    // were opaque.
+                                    _ => {
+                                        info!(
+                                            ?timeout,
+                                            "Handling connection as opaque due to policy"
+                                        );
+                                        Ok(svc::Either::Right(tls))
+                                    }
                                 }
-                                // Otherwise, the protocol hint must have been `Detect` or the
-                                // protocol was updated after detection was initiated, otherwise we
-                                // would have avoided detection below. Continue handling the
-                                // connection as if it were opaque.
-                                _ => {
-                                    info!(%timeout, "Handling connection as opaque");
-                                    Ok(svc::Either::B(tls))
-                                }
-                            },
+                            }
                         }
                     },
                     forward.into_inner(),
                 )
                 .lift_new_with_target()
-                .push(detect::NewDetectService::layer(ConfigureHttpDetect))
+                .push(http::NewDetect::layer(
+                    move |Detect { timeout, tls }: &Detect| http::DetectParams {
+                        read_timeout: *timeout,
+                        metrics: metrics.metrics(tls.policy.server_label()),
+                    },
+                ))
                 .arc_new_tcp();
 
             http.push_on_service(svc::MapTargetLayer::new(io::BoxedIo::new))
@@ -159,7 +185,7 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
                     move |tls: Tls| -> Result<_, Infallible> {
                         let http = match tls.policy.protocol() {
                             Protocol::Detect { timeout, .. } => {
-                                return Ok(svc::Either::B(Detect { timeout, tls }));
+                                return Ok(svc::Either::Right(Detect { timeout, tls }));
                             }
                             // Meshed HTTP/1 services may actually be transported over HTTP/2 connections
                             // between proxies, so we have to do detection.
@@ -167,7 +193,7 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
                             // TODO(ver) outbound clients should hint this with ALPN so we don't
                             // have to detect this situation.
                             Protocol::Http1 { .. } if tls.status.is_some() => {
-                                return Ok(svc::Either::B(Detect {
+                                return Ok(svc::Either::Right(Detect {
                                     timeout: detect_timeout,
                                     tls,
                                 }));
@@ -178,7 +204,7 @@ impl Inbound<svc::ArcNewTcp<Http, io::BoxedIo>> {
                             Protocol::Http2 { .. } | Protocol::Grpc { .. } => http::Variant::H2,
                             _ => unreachable!("opaque protocols must not hit the HTTP stack"),
                         };
-                        Ok(svc::Either::A(Http { http, tls }))
+                        Ok(svc::Either::Left(Http { http, tls }))
                     },
                     detect.into_inner(),
                 )
@@ -232,10 +258,10 @@ impl<I> Inbound<svc::ArcNewTcp<Tls, TlsIo<I>>> {
                         // whether app TLS was employed, but we use this as a signal that we should
                         // not perform additional protocol detection.
                         if matches!(protocol, Protocol::Tls { .. }) {
-                            return Ok(svc::Either::B(tls));
+                            return Ok(svc::Either::Right(tls));
                         }
 
-                        Ok(svc::Either::A(tls))
+                        Ok(svc::Either::Left(tls))
                     },
                     forward
                         .clone()
@@ -259,14 +285,14 @@ impl<I> Inbound<svc::ArcNewTcp<Tls, TlsIo<I>>> {
                         if matches!(policy.protocol(), Protocol::Opaque { .. }) {
                             const TLS_PORT_SKIPPED: tls::ConditionalServerTls =
                                 tls::ConditionalServerTls::None(tls::NoServerTls::PortSkipped);
-                            return Ok(svc::Either::B(Tls {
+                            return Ok(svc::Either::Right(Tls {
                                 client_addr: t.param(),
                                 orig_dst_addr: t.param(),
                                 status: TLS_PORT_SKIPPED,
                                 policy,
                             }));
                         }
-                        Ok(svc::Either::A(t))
+                        Ok(svc::Either::Left(t))
                     },
                     forward
                         .push_on_service(svc::MapTargetLayer::new(io::BoxedIo::new))
@@ -299,7 +325,7 @@ impl svc::Param<Remote<ServerAddr>> for Forward {
 impl svc::Param<transport::labels::Key> for Forward {
     fn param(&self) -> transport::labels::Key {
         transport::labels::Key::inbound_server(
-            self.tls.clone(),
+            self.tls.as_ref().map(|t| t.labels()),
             self.orig_dst_addr.into(),
             self.permit.labels.server.clone(),
         )
@@ -332,14 +358,6 @@ impl svc::Param<tls::ConditionalServerTls> for Tls {
     }
 }
 
-// === impl ConfigureHttpDetect ===
-
-impl svc::ExtractParam<detect::Config<http::DetectHttp>, Detect> for ConfigureHttpDetect {
-    fn extract_param(&self, detect: &Detect) -> detect::Config<http::DetectHttp> {
-        detect::Config::from_timeout(detect.timeout)
-    }
-}
-
 // === impl Http ===
 
 impl svc::Param<http::Variant> for Http {
@@ -411,7 +429,7 @@ impl svc::Param<ServerLabel> for Http {
 impl svc::Param<transport::labels::Key> for Http {
     fn param(&self) -> transport::labels::Key {
         transport::labels::Key::inbound_server(
-            self.tls.status.clone(),
+            self.tls.status.as_ref().map(|t| t.labels()),
             self.tls.orig_dst_addr.into(),
             self.tls.policy.server_label(),
         )
@@ -442,3 +460,13 @@ impl<T> svc::InsertParam<tls::ConditionalServerTls, T> for TlsParams {
         (tls, target)
     }
 }
+
+// === impl MetricsFamilies ===
+
+impl MetricsFamilies {
+    pub fn register(reg: &mut prom::Registry) -> Self {
+        Self(http::DetectMetricsFamilies::register(
+            reg.sub_registry_with_prefix("http"),
+        ))
+    }
+}

linkerd/app/inbound/src/detect/tests.rs

@@ -13,6 +13,12 @@ const HTTP1: &[u8] = b"GET / HTTP/1.1\r\nhost: example.com\r\n\r\n";
 const HTTP2: &[u8] = b"PRI * HTTP/2.0\r\n";
 const NOT_HTTP: &[u8] = b"foo\r\nbar\r\nblah\r\n";
 
+const RESULTS_NOT_HTTP: &str = "results_total{result=\"not_http\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+const RESULTS_HTTP1: &str = "results_total{result=\"http/1\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+const RESULTS_HTTP2: &str = "results_total{result=\"http/2\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+const RESULTS_READ_TIMEOUT: &str = "results_total{result=\"read_timeout\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+const RESULTS_ERROR: &str = "results_total{result=\"error\",srv_group=\"policy.linkerd.io\",srv_kind=\"server\",srv_name=\"testsrv\",srv_port=\"1000\"}";
+
 fn authzs() -> Arc<[Authorization]> {
     Arc::new([Authorization {
         authentication: Authentication::Unauthenticated,
@@ -41,6 +47,35 @@ fn allow(protocol: Protocol) -> AllowPolicy {
     allow
 }
 
+macro_rules! assert_contains_metric {
+    ($registry:expr, $metric:expr, $value:expr) => {{
+        let mut buf = String::new();
+        prom::encoding::text::encode_registry(&mut buf, $registry).expect("encode registry failed");
+        let lines = buf.split_terminator('\n').collect::<Vec<_>>();
+        assert_eq!(
+            lines.iter().find(|l| l.starts_with($metric)),
+            Some(&&*format!("{} {}", $metric, $value)),
+            "metric '{}' not found in:\n{:?}",
+            $metric,
+            buf
+        );
+    }};
+}
+
+macro_rules! assert_not_contains_metric {
+    ($registry:expr, $pattern:expr) => {{
+        let mut buf = String::new();
+        prom::encoding::text::encode_registry(&mut buf, $registry).expect("encode registry failed");
+        let lines = buf.split_terminator('\n').collect::<Vec<_>>();
+        assert!(
+            !lines.iter().any(|l| l.starts_with($pattern)),
+            "metric '{}' found in:\n{:?}",
+            $pattern,
+            buf
+        );
+    }};
+}
+
 #[tokio::test(flavor = "current_thread")]
 async fn detect_tls_opaque() {
     let _trace = trace::test::trace_init();
@@ -77,14 +112,21 @@ async fn detect_http_non_http() {
     let (ior, mut iow) = io::duplex(100);
     iow.write_all(NOT_HTTP).await.unwrap();
 
+    let mut registry = prom::Registry::default();
     inbound()
         .with_stack(new_panic("http stack must not be used"))
-        .push_detect_http(new_ok())
+        .push_detect_http(super::HttpDetectMetrics::register(&mut registry), new_ok())
         .into_inner()
         .new_service(target)
         .oneshot(ior)
         .await
         .expect("should succeed");
+
+    assert_contains_metric!(&registry, RESULTS_NOT_HTTP, 1);
+    assert_contains_metric!(&registry, RESULTS_HTTP1, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP2, 0);
+    assert_contains_metric!(&registry, RESULTS_READ_TIMEOUT, 0);
+    assert_contains_metric!(&registry, RESULTS_ERROR, 0);
 }
 
 #[tokio::test(flavor = "current_thread")]
@@ -108,14 +150,24 @@ async fn detect_http() {
     let (ior, mut iow) = io::duplex(100);
     iow.write_all(HTTP1).await.unwrap();
 
+    let mut registry = prom::Registry::default();
     inbound()
         .with_stack(new_ok())
-        .push_detect_http(new_panic("tcp stack must not be used"))
+        .push_detect_http(
+            super::HttpDetectMetrics::register(&mut registry),
+            new_panic("tcp stack must not be used"),
+        )
         .into_inner()
         .new_service(target)
         .oneshot(ior)
         .await
         .expect("should succeed");
+
+    assert_contains_metric!(&registry, RESULTS_NOT_HTTP, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP1, 1);
+    assert_contains_metric!(&registry, RESULTS_HTTP2, 0);
+    assert_contains_metric!(&registry, RESULTS_READ_TIMEOUT, 0);
+    assert_contains_metric!(&registry, RESULTS_ERROR, 0);
 }
 
 #[tokio::test(flavor = "current_thread")]
@@ -134,14 +186,24 @@ async fn hinted_http1() {
     let (ior, mut iow) = io::duplex(100);
     iow.write_all(HTTP1).await.unwrap();
 
+    let mut registry = prom::Registry::default();
     inbound()
         .with_stack(new_ok())
-        .push_detect_http(new_panic("tcp stack must not be used"))
+        .push_detect_http(
+            super::HttpDetectMetrics::register(&mut registry),
+            new_panic("tcp stack must not be used"),
+        )
         .into_inner()
         .new_service(target)
         .oneshot(ior)
         .await
         .expect("should succeed");
+
+    assert_contains_metric!(&registry, RESULTS_NOT_HTTP, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP1, 1);
+    assert_contains_metric!(&registry, RESULTS_HTTP2, 0);
+    assert_contains_metric!(&registry, RESULTS_READ_TIMEOUT, 0);
+    assert_contains_metric!(&registry, RESULTS_ERROR, 0);
 }
 
 #[tokio::test(flavor = "current_thread")]
@@ -160,14 +222,24 @@ async fn hinted_http1_supports_http2() {
     let (ior, mut iow) = io::duplex(100);
     iow.write_all(HTTP2).await.unwrap();
 
+    let mut registry = prom::Registry::default();
     inbound()
         .with_stack(new_ok())
-        .push_detect_http(new_panic("tcp stack must not be used"))
+        .push_detect_http(
+            super::HttpDetectMetrics::register(&mut registry),
+            new_panic("tcp stack must not be used"),
+        )
         .into_inner()
         .new_service(target)
         .oneshot(ior)
         .await
         .expect("should succeed");
+
+    assert_contains_metric!(&registry, RESULTS_NOT_HTTP, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP1, 0);
+    assert_contains_metric!(&registry, RESULTS_HTTP2, 1);
+    assert_contains_metric!(&registry, RESULTS_READ_TIMEOUT, 0);
+    assert_contains_metric!(&registry, RESULTS_ERROR, 0);
 }
 
 #[tokio::test(flavor = "current_thread")]
@@ -185,14 +257,25 @@ async fn hinted_http2() {
 
     let (ior, _) = io::duplex(100);
 
+    let mut registry = prom::Registry::default();
     inbound()
         .with_stack(new_ok())
-        .push_detect_http(new_panic("tcp stack must not be used"))
+        .push_detect_http(
+            super::HttpDetectMetrics::register(&mut registry),
+            new_panic("tcp stack must not be used"),
+        )
         .into_inner()
         .new_service(target)
         .oneshot(ior)
         .await
         .expect("should succeed");
+
+    // No detection is performed when HTTP/2 is hinted, so no metrics are recorded.
+    assert_not_contains_metric!(&registry, RESULTS_NOT_HTTP);
+    assert_not_contains_metric!(&registry, RESULTS_HTTP1);
+    assert_not_contains_metric!(&registry, RESULTS_HTTP2);
+    assert_not_contains_metric!(&registry, RESULTS_READ_TIMEOUT);
+    assert_not_contains_metric!(&registry, RESULTS_ERROR);
 }
 
 fn client_id() -> tls::ClientId {
@@ -210,7 +293,11 @@ fn orig_dst_addr() -> OrigDstAddr {
 }
 
 fn inbound() -> Inbound<()> {
-    Inbound::new(test_util::default_config(), test_util::runtime().0)
+    Inbound::new(
+        test_util::default_config(),
+        test_util::runtime().0,
+        &mut Default::default(),
+    )
 }
 
 fn new_panic<T, I: 'static>(msg: &'static str) -> svc::ArcNewTcp<T, I> {

linkerd/app/inbound/src/direct.rs

@@ -15,6 +15,10 @@ use std::fmt::Debug;
 use thiserror::Error;
 use tracing::{debug_span, info_span};
 
+mod metrics;
+
+pub use self::metrics::MetricsFamilies;
+
 /// Creates I/O errors when a connection cannot be forwarded because no transport
 /// header was present.
 #[derive(Debug, Default)]
@@ -25,8 +29,8 @@ struct RefusedNoHeader;
 pub struct RefusedNoIdentity(());
 
 #[derive(Debug, Error)]
-#[error("a named target must be provided on gateway connections")]
-struct RefusedNoTarget;
+#[error("direct connections require transport header negotiation")]
+struct TransportHeaderRequired(());
 
 #[derive(Debug, Clone)]
 pub(crate) struct LocalTcp {
@@ -93,7 +97,7 @@ impl<N> Inbound<N> {
         self,
         policies: impl policy::GetPolicy + Clone + Send + Sync + 'static,
         gateway: svc::ArcNewTcp<GatewayTransportHeader, GatewayIo<I>>,
-        http: svc::ArcNewTcp<LocalHttp, io::PrefixedIo<TlsIo<I>>>,
+        http: svc::ArcNewTcp<LocalHttp, SensorIo<io::PrefixedIo<TlsIo<I>>>>,
     ) -> Inbound<svc::ArcNewTcp<T, I>>
     where
         T: Param<Remote<ClientAddr>> + Param<OrigDstAddr>,
@@ -108,11 +112,12 @@ impl<N> Inbound<N> {
     {
         self.map_stack(|config, rt, inner| {
             let detect_timeout = config.proxy.detect_protocol_timeout;
+            let metrics = rt.metrics.direct.clone();
 
             let identity = rt
                 .identity
                 .server()
-                .with_alpn(vec![transport_header::PROTOCOL.into()])
+                .spawn_with_alpn(vec![transport_header::PROTOCOL.into()])
                 .expect("TLS credential store must be held");
 
             inner
@@ -135,7 +140,14 @@ impl<N> Inbound<N> {
                 // forwarding, or we may be processing an HTTP gateway connection. HTTP gateway
                 // connections that have a transport header must provide a target name as a part of
                 // the header.
-                .push_switch(Ok::<Local, Infallible>, http)
+                .push_switch(
+                    Ok::<Local, Infallible>,
+                    svc::stack(http)
+                        .push(transport::metrics::NewServer::layer(
+                            rt.metrics.proxy.transport.clone(),
+                        ))
+                        .into_inner(),
+                )
                 .push_switch(
                     {
                         let policies = policies.clone();
@@ -145,14 +157,14 @@ impl<N> Inbound<N> {
                                     port,
                                     name: None,
                                     protocol,
-                                } => Ok(svc::Either::A({
+                                } => Ok(svc::Either::Left({
                                     // When the transport header targets an alternate port (but does
                                     // not identify an alternate target name), we check the new
                                     // target's policy (rather than the inbound proxy's address).
                                     let addr = (client.local_addr.ip(), port).into();
                                     let policy = policies.get_policy(OrigDstAddr(addr));
                                     match protocol {
-                                        None => svc::Either::A(LocalTcp {
+                                        None => svc::Either::Left(LocalTcp {
                                             server_addr: Remote(ServerAddr(addr)),
                                             client_addr: client.client_addr,
                                             client_id: client.client_id,
@@ -162,7 +174,7 @@ impl<N> Inbound<N> {
                                             // When TransportHeader includes the protocol, but does not
                                             // include an alternate name we go through the Inbound HTTP
                                             // stack.
-                                            svc::Either::B(LocalHttp {
+                                            svc::Either::Right(LocalHttp {
                                                 addr: Remote(ServerAddr(addr)),
                                                 policy,
                                                 protocol,
@@ -176,7 +188,7 @@ impl<N> Inbound<N> {
                                     port,
                                     name: Some(name),
                                     protocol,
-                                } => Ok(svc::Either::B({
+                                } => Ok(svc::Either::Right({
                                     // When the transport header provides an alternate target, the
                                     // connection is a gateway connection. We check the _gateway
                                     // address's_ policy (rather than the target address).
@@ -204,6 +216,7 @@ impl<N> Inbound<N> {
                 )
                 .check_new_service::<(TransportHeader, ClientInfo), _>()
                 // Use ALPN to determine whether a transport header should be read.
+                .push(metrics::NewRecord::layer(metrics))
                 .push(svc::ArcNewService::layer())
                 .push(NewTransportHeaderServer::layer(detect_timeout))
                 .check_new_service::<ClientInfo, _>()
@@ -215,7 +228,7 @@ impl<N> Inbound<N> {
                     if client.header_negotiated() {
                         Ok(client)
                     } else {
-                        Err(RefusedNoTarget.into())
+                        Err(TransportHeaderRequired(()).into())
                     }
                 })
                 .push(svc::ArcNewService::layer())
@@ -298,9 +311,8 @@ impl Param<Remote<ServerAddr>> for AuthorizedLocalTcp {
 impl Param<transport::labels::Key> for AuthorizedLocalTcp {
     fn param(&self) -> transport::labels::Key {
         transport::labels::Key::inbound_server(
-            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
+            tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
                 client_id: Some(self.client_id.clone()),
-                negotiated_protocol: None,
             }),
             self.addr.into(),
             self.permit.labels.server.clone(),
@@ -331,9 +343,8 @@ impl Param<Remote<ClientAddr>> for LocalHttp {
 impl Param<transport::labels::Key> for LocalHttp {
     fn param(&self) -> transport::labels::Key {
         transport::labels::Key::inbound_server(
-            tls::ConditionalServerTls::Some(tls::ServerTls::Established {
+            tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
                 client_id: Some(self.client.client_id.clone()),
-                negotiated_protocol: None,
             }),
             self.addr.into(),
             self.policy.server_label(),
@@ -422,6 +433,14 @@ impl Param<tls::ConditionalServerTls> for GatewayTransportHeader {
     }
 }
 
+impl Param<tls::ConditionalServerTlsLabels> for GatewayTransportHeader {
+    fn param(&self) -> tls::ConditionalServerTlsLabels {
+        tls::ConditionalServerTlsLabels::Some(tls::ServerTlsLabels::Established {
+            client_id: Some(self.client.client_id.clone()),
+        })
+    }
+}
+
 impl Param<tls::ClientId> for GatewayTransportHeader {
     fn param(&self) -> tls::ClientId {
         self.client.client_id.clone()

linkerd/app/inbound/src/direct/metrics.rs

@@ -0,0 +1,91 @@
+use super::ClientInfo;
+use linkerd_app_core::{
+    metrics::prom::{self, EncodeLabelSetMut},
+    svc, tls,
+    transport_header::{SessionProtocol, TransportHeader},
+};
+
+#[cfg(test)]
+mod tests;
+
+#[derive(Clone, Debug)]
+pub struct NewRecord<N> {
+    inner: N,
+    metrics: MetricsFamilies,
+}
+
+#[derive(Clone, Debug, Default)]
+pub struct MetricsFamilies {
+    connections: prom::Family<Labels, prom::Counter>,
+}
+
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
+struct Labels {
+    header: TransportHeader,
+    client_id: tls::ClientId,
+}
+
+impl MetricsFamilies {
+    pub fn register(reg: &mut prom::Registry) -> Self {
+        let connections = prom::Family::default();
+        reg.register(
+            "connections",
+            "TCP connections with transport headers",
+            connections.clone(),
+        );
+
+        Self { connections }
+    }
+}
+
+impl<N> NewRecord<N> {
+    pub fn layer(metrics: MetricsFamilies) -> impl svc::layer::Layer<N, Service = Self> + Clone {
+        svc::layer::mk(move |inner| Self {
+            inner,
+            metrics: metrics.clone(),
+        })
+    }
+}
+
+impl<N> svc::NewService<(TransportHeader, ClientInfo)> for NewRecord<N>
+where
+    N: svc::NewService<(TransportHeader, ClientInfo)>,
+{
+    type Service = N::Service;
+
+    fn new_service(&self, (header, client): (TransportHeader, ClientInfo)) -> Self::Service {
+        self.metrics
+            .connections
+            .get_or_create(&Labels {
+                header: header.clone(),
+                client_id: client.client_id.clone(),
+            })
+            .inc();
+
+        self.inner.new_service((header, client))
+    }
+}
+
+impl prom::EncodeLabelSetMut for Labels {
+    fn encode_label_set(&self, enc: &mut prom::encoding::LabelSetEncoder<'_>) -> std::fmt::Result {
+        use prom::encoding::EncodeLabel;
+        (
+            "session_protocol",
+            self.header.protocol.as_ref().map(|p| match p {
+                SessionProtocol::Http1 => "http/1",
+                SessionProtocol::Http2 => "http/2",
+            }),
+        )
+            .encode(enc.encode_label())?;
+        ("target_port", self.header.port).encode(enc.encode_label())?;
+        ("target_name", self.header.name.as_deref()).encode(enc.encode_label())?;
+        ("client_id", self.client_id.to_str()).encode(enc.encode_label())?;
+        Ok(())
+    }
+}
+
+impl prom::encoding::EncodeLabelSet for Labels {
+    fn encode(&self, mut enc: prom::encoding::LabelSetEncoder<'_>) -> Result<(), std::fmt::Error> {
+        self.encode_label_set(&mut enc)
+    }
+}

linkerd/app/inbound/src/direct/metrics/tests.rs

@@ -0,0 +1,115 @@
+use super::*;
+use crate::direct::ClientInfo;
+use futures::future;
+use linkerd_app_core::{
+    io,
+    metrics::prom,
+    svc, tls,
+    transport::addrs::{ClientAddr, OrigDstAddr, Remote},
+    transport_header::{SessionProtocol, TransportHeader},
+    Error,
+};
+use std::str::FromStr;
+
+fn new_ok<T>() -> svc::ArcNewTcp<T, io::BoxedIo> {
+    svc::ArcNewService::new(|_| svc::BoxService::new(svc::mk(|_| future::ok::<(), Error>(()))))
+}
+
+macro_rules! assert_counted {
+    ($registry:expr, $proto:expr, $port:expr, $name:expr, $value:expr) => {{
+        let mut buf = String::new();
+        prom::encoding::text::encode_registry(&mut buf, $registry).expect("encode registry failed");
+        let metric = format!("connections_total{{session_protocol=\"{}\",target_port=\"{}\",target_name=\"{}\",client_id=\"test.client\"}}", $proto, $port, $name);
+        assert_eq!(
+            buf.split_terminator('\n')
+                .find(|l| l.starts_with(&*metric)),
+            Some(&*format!("{metric} {}", $value)),
+            "metric '{metric}' not found in:\n{buf}"
+        );
+    }};
+}
+
+// Added helper to setup and run the test
+fn run_metric_test(header: TransportHeader) -> prom::Registry {
+    let mut registry = prom::Registry::default();
+    let families = MetricsFamilies::register(&mut registry);
+    let new_record = svc::layer::Layer::layer(&NewRecord::layer(families.clone()), new_ok());
+    // common client info
+    let client_id = tls::ClientId::from_str("test.client").unwrap();
+    let client_addr = Remote(ClientAddr(([127, 0, 0, 1], 40000).into()));
+    let local_addr = OrigDstAddr(([127, 0, 0, 1], 4143).into());
+    let client_info = ClientInfo {
+        client_id: client_id.clone(),
+        alpn: Some(tls::NegotiatedProtocol("transport.l5d.io/v1".into())),
+        client_addr,
+        local_addr,
+    };
+    let _svc = svc::NewService::new_service(&new_record, (header.clone(), client_info.clone()));
+    registry
+}
+
+#[test]
+fn records_metrics_http1_local() {
+    let header = TransportHeader {
+        port: 8080,
+        name: None,
+        protocol: Some(SessionProtocol::Http1),
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "http/1", 8080, "", 1);
+}
+
+#[test]
+fn records_metrics_http2_local() {
+    let header = TransportHeader {
+        port: 8081,
+        name: None,
+        protocol: Some(SessionProtocol::Http2),
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "http/2", 8081, "", 1);
+}
+
+#[test]
+fn records_metrics_opaq_local() {
+    let header = TransportHeader {
+        port: 8082,
+        name: None,
+        protocol: None,
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "", 8082, "", 1);
+}
+
+#[test]
+fn records_metrics_http1_gateway() {
+    let header = TransportHeader {
+        port: 8080,
+        name: Some("mysvc.myns.svc.cluster.local".parse().unwrap()),
+        protocol: Some(SessionProtocol::Http1),
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "http/1", 8080, "mysvc.myns.svc.cluster.local", 1);
+}
+
+#[test]
+fn records_metrics_http2_gateway() {
+    let header = TransportHeader {
+        port: 8081,
+        name: Some("mysvc.myns.svc.cluster.local".parse().unwrap()),
+        protocol: Some(SessionProtocol::Http2),
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "http/2", 8081, "mysvc.myns.svc.cluster.local", 1);
+}
+
+#[test]
+fn records_metrics_opaq_gateway() {
+    let header = TransportHeader {
+        port: 8082,
+        name: Some("mysvc.myns.svc.cluster.local".parse().unwrap()),
+        protocol: None,
+    };
+    let registry = run_metric_test(header);
+    assert_counted!(&registry, "", 8082, "mysvc.myns.svc.cluster.local", 1);
+}

linkerd/app/inbound/src/http.rs

@@ -238,11 +238,14 @@ pub mod fuzz {
 
     impl svc::Param<policy::ServerLabel> for Target {
         fn param(&self) -> policy::ServerLabel {
-            policy::ServerLabel(Arc::new(policy::Meta::Resource {
-                group: "policy.linkerd.io".into(),
-                kind: "server".into(),
-                name: "testsrv".into(),
-            }))
+            policy::ServerLabel(
+                Arc::new(policy::Meta::Resource {
+                    group: "policy.linkerd.io".into(),
+                    kind: "server".into(),
+                    name: "testsrv".into(),
+                }),
+                1000,
+            )
         }
     }
 

linkerd/app/inbound/src/http/router.rs

@@ -83,6 +83,7 @@ impl<C> Inbound<C> {
     {
         self.map_stack(|config, rt, connect| {
             let allow_profile = config.allow_discovery.clone();
+            let unsafe_authority_labels = config.unsafe_authority_labels;
             let h1_params = config.proxy.connect.http1;
             let h2_params = config.proxy.connect.http2.clone();
 
@@ -122,7 +123,9 @@ impl<C> Inbound<C> {
                     rt.metrics
                         .proxy
                         .http_endpoint
-                        .to_layer::<classify::Response, _, _>(),
+                        .to_layer_via::<classify::Response, _, _, _>(
+                            endpoint_labels(unsafe_authority_labels),
+                        ),
                 )
                 .push_on_service(http_tracing::client(rt.span_sink.clone(), super::trace_labels()))
                 .push_on_service(http::BoxResponse::layer())
@@ -163,14 +166,14 @@ impl<C> Inbound<C> {
                     |(rx, logical): (Option<profiles::Receiver>, Logical)| -> Result<_, Infallible> {
                         if let Some(rx) = rx {
                             if let Some(addr) = rx.logical_addr() {
-                                return Ok(svc::Either::A(Profile {
+                                return Ok(svc::Either::Left(Profile {
                                     addr,
                                     logical,
                                     profiles: rx,
                                 }));
                             }
                         }
-                        Ok(svc::Either::B(logical))
+                        Ok(svc::Either::Right(logical))
                     },
                     http.clone().into_inner(),
                 )
@@ -189,7 +192,7 @@ impl<C> Inbound<C> {
                         // discovery (so that we skip the profile stack above).
                         let addr = match logical.logical.clone() {
                             Some(addr) => addr,
-                            None => return Ok(svc::Either::B((None, logical))),
+                            None => return Ok(svc::Either::Right((None, logical))),
                         };
                         if !allow_profile.matches(addr.name()) {
                             tracing::debug!(
@@ -197,9 +200,9 @@ impl<C> Inbound<C> {
                                 suffixes = %allow_profile,
                                 "Skipping discovery, address not in configured DNS suffixes",
                             );
-                            return Ok(svc::Either::B((None, logical)));
+                            return Ok(svc::Either::Right((None, logical)));
                         }
-                        Ok(svc::Either::A(logical))
+                        Ok(svc::Either::Left(logical))
                     },
                     router
                         .check_new_service::<(Option<profiles::Receiver>, Logical), http::Request<_>>()
@@ -387,12 +390,17 @@ impl Param<transport::labels::Key> for Logical {
     }
 }
 
-impl Param<metrics::EndpointLabels> for Logical {
-    fn param(&self) -> metrics::EndpointLabels {
+fn endpoint_labels(
+    unsafe_authority_labels: bool,
+) -> impl svc::ExtractParam<metrics::EndpointLabels, Logical> + Clone {
+    move |t: &Logical| -> metrics::EndpointLabels {
         metrics::InboundEndpointLabels {
-            tls: self.tls.clone(),
-            target_addr: self.addr.into(),
-            policy: self.permit.labels.clone(),
+            tls: t.tls.as_ref().map(|t| t.labels()),
+            authority: unsafe_authority_labels
+                .then(|| t.logical.as_ref().map(|d| d.as_http_authority()))
+                .flatten(),
+            target_addr: t.addr.into(),
+            policy: t.permit.labels.clone(),
         }
         .into()
     }

linkerd/app/inbound/src/http/tests.rs

@@ -11,8 +11,8 @@ use linkerd_app_core::{
     classify,
     errors::header::L5D_PROXY_ERROR,
     identity, io, metrics,
-    proxy::http::{self, Body as _, BoxBody},
-    svc::{self, http::TracingExecutor, NewService, Param},
+    proxy::http::{self, BoxBody},
+    svc::{self, http::TokioExecutor, NewService, Param},
     tls,
     transport::{ClientAddr, OrigDstAddr, Remote, ServerAddr},
     Error, NameAddr, ProxyRuntime,
@@ -33,7 +33,7 @@ fn build_server<I>(
 where
     I: io::AsyncRead + io::AsyncWrite + io::PeerAddr + Send + Unpin + 'static,
 {
-    Inbound::new(cfg, rt)
+    Inbound::new(cfg, rt, &mut Default::default())
         .with_stack(connect)
         .map_stack(|cfg, _, s| {
             s.push_map_target(|t| Param::<Remote<ServerAddr>>::param(&t))
@@ -47,8 +47,10 @@ where
 
 #[tokio::test(flavor = "current_thread")]
 async fn unmeshed_http1_hello_world() {
-    let server = hyper::server::conn::http1::Builder::new();
+    let mut server = hyper::server::conn::http1::Builder::new();
+    server.timer(hyper_util::rt::TokioTimer::new());
     let mut client = hyper::client::conn::http1::Builder::new();
+
     let _trace = trace_init();
 
     // Build a mock "connector" that returns the upstream "server" IO.
@@ -68,7 +70,7 @@ async fn unmeshed_http1_hello_world() {
     let req = Request::builder()
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
-        .body(hyper::Body::default())
+        .body(BoxBody::default())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -91,8 +93,10 @@ async fn unmeshed_http1_hello_world() {
 #[tokio::test(flavor = "current_thread")]
 async fn downgrade_origin_form() {
     // Reproduces https://github.com/linkerd/linkerd2/issues/5298
-    let server = hyper::server::conn::http1::Builder::new();
-    let client = hyper::client::conn::http2::Builder::new(TracingExecutor);
+    let mut server = hyper::server::conn::http1::Builder::new();
+    server.timer(hyper_util::rt::TokioTimer::new());
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
     let _trace = trace_init();
 
     // Build a mock "connector" that returns the upstream "server" IO.
@@ -112,7 +116,7 @@ async fn downgrade_origin_form() {
         let (client_io, server_io) = io::duplex(4096);
 
         let (client, conn) = client
-            .handshake(client_io)
+            .handshake(hyper_util::rt::TokioIo::new(client_io))
             .await
             .expect("Client must connect");
 
@@ -142,7 +146,7 @@ async fn downgrade_origin_form() {
         .uri("/")
         .header(http::header::HOST, "foo.svc.cluster.local")
         .header("l5d-orig-proto", "HTTP/1.1")
-        .body(hyper::Body::default())
+        .body(BoxBody::empty())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -164,8 +168,10 @@ async fn downgrade_origin_form() {
 
 #[tokio::test(flavor = "current_thread")]
 async fn downgrade_absolute_form() {
-    let client = hyper::client::conn::http2::Builder::new(TracingExecutor);
-    let server = hyper::server::conn::http1::Builder::new();
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
+    let mut server = hyper::server::conn::http1::Builder::new();
+    server.timer(hyper_util::rt::TokioTimer::new());
     let _trace = trace_init();
 
     // Build a mock "connector" that returns the upstream "server" IO.
@@ -186,7 +192,7 @@ async fn downgrade_absolute_form() {
         let (client_io, server_io) = io::duplex(4096);
 
         let (client, conn) = client
-            .handshake(client_io)
+            .handshake(hyper_util::rt::TokioIo::new(client_io))
             .await
             .expect("Client must connect");
 
@@ -216,7 +222,7 @@ async fn downgrade_absolute_form() {
         .uri("http://foo.svc.cluster.local:5550/")
         .header(http::header::HOST, "foo.svc.cluster.local")
         .header("l5d-orig-proto", "HTTP/1.1; absolute-form")
-        .body(hyper::Body::default())
+        .body(BoxBody::empty())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -260,7 +266,7 @@ async fn http1_bad_gateway_meshed_response_error_header() {
     let req = Request::builder()
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
-        .body(hyper::Body::default())
+        .body(BoxBody::default())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -272,7 +278,7 @@ async fn http1_bad_gateway_meshed_response_error_header() {
     // because we don't build a real HTTP endpoint stack, which adds error
     // context to this error, and the client rescue layer is below where the
     // logical error context is added.
-    check_error_header(rsp.headers(), "server is not listening");
+    check_error_header(rsp.headers(), "client error (Connect)");
 
     // Wait for all of the background tasks to complete, panicking if any returned an error.
     drop(client);
@@ -307,7 +313,7 @@ async fn http1_bad_gateway_unmeshed_response() {
     let req = Request::builder()
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
-        .body(hyper::Body::default())
+        .body(BoxBody::default())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -355,7 +361,7 @@ async fn http1_connect_timeout_meshed_response_error_header() {
     let req = Request::builder()
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
-        .body(hyper::Body::default())
+        .body(BoxBody::default())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -368,7 +374,7 @@ async fn http1_connect_timeout_meshed_response_error_header() {
     // because we don't build a real HTTP endpoint stack, which adds error
     // context to this error, and the client rescue layer is below where the
     // logical error context is added.
-    check_error_header(rsp.headers(), "connect timed out after 1s");
+    check_error_header(rsp.headers(), "client error (Connect)");
 
     // Wait for all of the background tasks to complete, panicking if any returned an error.
     drop(client);
@@ -405,7 +411,7 @@ async fn http1_connect_timeout_unmeshed_response_error_header() {
     let req = Request::builder()
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
-        .body(hyper::Body::default())
+        .body(BoxBody::empty())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -435,7 +441,8 @@ async fn h2_response_meshed_error_header() {
     let connect = support::connect().endpoint_fn_boxed(Target::addr(), connect_error());
 
     // Build a client using the connect that always errors.
-    let mut client = hyper::client::conn::http2::Builder::new(TracingExecutor);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
     let profiles = profile::resolver();
     let profile_tx =
         profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@@ -450,7 +457,7 @@ async fn h2_response_meshed_error_header() {
     let req = Request::builder()
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
-        .body(hyper::Body::default())
+        .body(BoxBody::empty())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -475,7 +482,8 @@ async fn h2_response_unmeshed_error_header() {
     let connect = support::connect().endpoint_fn_boxed(Target::addr(), connect_error());
 
     // Build a client using the connect that always errors.
-    let mut client = hyper::client::conn::http2::Builder::new(TracingExecutor);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
     let profiles = profile::resolver();
     let profile_tx =
         profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@@ -490,7 +498,7 @@ async fn h2_response_unmeshed_error_header() {
     let req = Request::builder()
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
-        .body(hyper::Body::default())
+        .body(BoxBody::default())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -517,7 +525,8 @@ async fn grpc_meshed_response_error_header() {
     let connect = support::connect().endpoint_fn_boxed(Target::addr(), connect_error());
 
     // Build a client using the connect that always errors.
-    let mut client = hyper::client::conn::http2::Builder::new(TracingExecutor);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
     let profiles = profile::resolver();
     let profile_tx =
         profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@@ -533,7 +542,7 @@ async fn grpc_meshed_response_error_header() {
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
         .header(http::header::CONTENT_TYPE, "application/grpc")
-        .body(hyper::Body::default())
+        .body(BoxBody::default())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -558,7 +567,8 @@ async fn grpc_unmeshed_response_error_header() {
     let connect = support::connect().endpoint_fn_boxed(Target::addr(), connect_error());
 
     // Build a client using the connect that always errors.
-    let mut client = hyper::client::conn::http2::Builder::new(TracingExecutor);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
     let profiles = profile::resolver();
     let profile_tx =
         profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@@ -574,7 +584,7 @@ async fn grpc_unmeshed_response_error_header() {
         .method(http::Method::GET)
         .uri("http://foo.svc.cluster.local:5550")
         .header(http::header::CONTENT_TYPE, "application/grpc")
-        .body(hyper::Body::default())
+        .body(BoxBody::default())
         .unwrap();
     let rsp = client
         .send_request(req)
@@ -599,7 +609,8 @@ async fn grpc_response_class() {
 
     // Build a mock connector serves a gRPC server that returns errors.
     let connect = {
-        let server = hyper::server::conn::http2::Builder::new(TracingExecutor);
+        let mut server = hyper::server::conn::http2::Builder::new(TokioExecutor::new());
+        server.timer(hyper_util::rt::TokioTimer::new());
         support::connect().endpoint_fn_boxed(
             Target::addr(),
             grpc_status_server(server, tonic::Code::Unknown),
@@ -607,7 +618,8 @@ async fn grpc_response_class() {
     };
 
     // Build a client using the connect that always errors.
-    let mut client = hyper::client::conn::http2::Builder::new(TracingExecutor);
+    let mut client = hyper::client::conn::http2::Builder::new(TokioExecutor::new());
+    client.timer(hyper_util::rt::TokioTimer::new());
     let profiles = profile::resolver();
     let profile_tx =
         profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
@@ -628,32 +640,43 @@ async fn grpc_response_class() {
         .method(http::Method::POST)
         .uri("http://foo.svc.cluster.local:5550")
         .header(http::header::CONTENT_TYPE, "application/grpc")
-        .body(hyper::Body::default())
+        .body(BoxBody::default())
         .unwrap();
 
-    let mut rsp = client
+    let rsp = client
         .send_request(req)
         .await
         .expect("HTTP client request failed");
     tracing::info!(?rsp);
     assert_eq!(rsp.status(), http::StatusCode::OK);
 
-    rsp.body_mut().data().await;
-    let trls = rsp.body_mut().trailers().await.unwrap().unwrap();
+    use http_body_util::BodyExt;
+    let mut body = rsp.into_body();
+    let trls = body
+        .frame()
+        .await
+        .unwrap()
+        .unwrap()
+        .into_trailers()
+        .expect("trailers frame");
     assert_eq!(trls.get("grpc-status").unwrap().to_str().unwrap(), "2");
 
     let response_total = metrics
         .get_response_total(
             &metrics::EndpointLabels::Inbound(metrics::InboundEndpointLabels {
-                tls: Target::meshed_h2().1,
+                tls: Target::meshed_h2().1.map(|t| t.labels()),
+                authority: None,
                 target_addr: "127.0.0.1:80".parse().unwrap(),
                 policy: metrics::RouteAuthzLabels {
                     route: metrics::RouteLabels {
-                        server: metrics::ServerLabel(Arc::new(policy::Meta::Resource {
-                            group: "policy.linkerd.io".into(),
-                            kind: "server".into(),
-                            name: "testsrv".into(),
-                        })),
+                        server: metrics::ServerLabel(
+                            Arc::new(policy::Meta::Resource {
+                                group: "policy.linkerd.io".into(),
+                                kind: "server".into(),
+                                name: "testsrv".into(),
+                            }),
+                            80,
+                        ),
                         route: policy::Meta::new_default("default"),
                     },
                     authz: Arc::new(policy::Meta::Resource {
@@ -672,6 +695,104 @@ async fn grpc_response_class() {
     drop(bg);
 }
 
+#[tokio::test(flavor = "current_thread")]
+async fn unsafe_authority_labels_true() {
+    let _trace = trace_init();
+
+    let mut cfg = default_config();
+    cfg.unsafe_authority_labels = true;
+    test_unsafe_authority_labels(cfg, Some("foo.svc.cluster.local:5550".parse().unwrap())).await;
+}
+
+#[tokio::test(flavor = "current_thread")]
+async fn unsafe_authority_labels_false() {
+    let _trace = trace_init();
+
+    let cfg = default_config();
+    test_unsafe_authority_labels(cfg, None).await;
+}
+
+async fn test_unsafe_authority_labels(
+    cfg: Config,
+    expected_authority: Option<http::uri::Authority>,
+) {
+    let connect = {
+        let mut server = hyper::server::conn::http1::Builder::new();
+        server.timer(hyper_util::rt::TokioTimer::new());
+        support::connect().endpoint_fn_boxed(Target::addr(), hello_server(server))
+    };
+
+    // Build a client using the connect that always errors.
+    let mut client = hyper::client::conn::http1::Builder::new();
+    let profiles = profile::resolver();
+    let profile_tx =
+        profiles.profile_tx(NameAddr::from_str_and_port("foo.svc.cluster.local", 5550).unwrap());
+    profile_tx.send(profile::Profile::default()).unwrap();
+
+    let (rt, _shutdown) = runtime();
+    let metrics = rt
+        .metrics
+        .clone()
+        .http_endpoint
+        .into_report(time::Duration::from_secs(3600));
+    let server = build_server(cfg, rt, profiles, connect).new_service(Target::meshed_http1());
+    let (mut client, bg) = http_util::connect_and_accept_http1(&mut client, server).await;
+
+    // Send a request and assert that it is OK with the expected header
+    // message.
+    let req = Request::builder()
+        .method(http::Method::POST)
+        .uri("http://foo.svc.cluster.local:5550")
+        .header(http::header::CONTENT_TYPE, "text/plain")
+        .body(BoxBody::default())
+        .unwrap();
+
+    let rsp = client
+        .send_request(req)
+        .await
+        .expect("HTTP client request failed");
+    tracing::info!(?rsp);
+    assert_eq!(rsp.status(), http::StatusCode::OK);
+
+    use http_body_util::BodyExt;
+    let mut body = rsp.into_body();
+    while let Some(Ok(_)) = body.frame().await {}
+
+    tracing::info!("{metrics:#?}");
+    let response_total = metrics
+        .get_response_total(
+            &metrics::EndpointLabels::Inbound(metrics::InboundEndpointLabels {
+                tls: Target::meshed_http1().1.as_ref().map(|t| t.labels()),
+                authority: expected_authority,
+                target_addr: "127.0.0.1:80".parse().unwrap(),
+                policy: metrics::RouteAuthzLabels {
+                    route: metrics::RouteLabels {
+                        server: metrics::ServerLabel(
+                            Arc::new(policy::Meta::Resource {
+                                group: "policy.linkerd.io".into(),
+                                kind: "server".into(),
+                                name: "testsrv".into(),
+                            }),
+                            80,
+                        ),
+                        route: policy::Meta::new_default("default"),
+                    },
+                    authz: Arc::new(policy::Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "serverauthorization".into(),
+                        name: "testsaz".into(),
+                    }),
+                },
+            }),
+            Some(http::StatusCode::OK),
+            &classify::Class::Http(Ok(http::StatusCode::OK)),
+        )
+        .expect("response_total not found");
+    assert_eq!(response_total, 1.0);
+
+    drop(bg);
+}
+
 #[tracing::instrument]
 fn hello_server(
     server: hyper::server::conn::http1::Builder,
@@ -681,13 +802,14 @@ fn hello_server(
         let _e = span.enter();
         tracing::info!("mock connecting");
         let (client_io, server_io) = support::io::duplex(4096);
-        let hello_svc = hyper::service::service_fn(|request: Request<hyper::Body>| async move {
-            tracing::info!(?request);
-            Ok::<_, io::Error>(Response::new(BoxBody::from_static("Hello world!")))
-        });
+        let hello_svc =
+            hyper::service::service_fn(|request: Request<hyper::body::Incoming>| async move {
+                tracing::info!(?request);
+                Ok::<_, io::Error>(Response::new(BoxBody::from_static("Hello world!")))
+            });
         tokio::spawn(
             server
-                .serve_connection(server_io, hello_svc)
+                .serve_connection(hyper_util::rt::TokioIo::new(server_io), hello_svc)
                 .in_current_span(),
         );
         Ok(io::BoxedIo::new(client_io))
@@ -696,7 +818,7 @@ fn hello_server(
 
 #[tracing::instrument]
 fn grpc_status_server(
-    server: hyper::server::conn::http2::Builder<TracingExecutor>,
+    server: hyper::server::conn::http2::Builder<TokioExecutor>,
     status: tonic::Code,
 ) -> impl Fn(Remote<ServerAddr>) -> io::Result<io::BoxedIo> {
     move |endpoint| {
@@ -707,26 +829,29 @@ fn grpc_status_server(
         tokio::spawn(
             server
                 .serve_connection(
-                    server_io,
-                    hyper::service::service_fn(move |request: Request<hyper::Body>| async move {
-                        tracing::info!(?request);
-                        let (mut tx, rx) = hyper::Body::channel();
-                        tokio::spawn(async move {
-                            let mut trls = ::http::HeaderMap::new();
-                            trls.insert(
-                                "grpc-status",
-                                (status as u32).to_string().parse().unwrap(),
-                            );
-                            tx.send_trailers(trls).await
-                        });
-                        Ok::<_, io::Error>(
-                            http::Response::builder()
-                                .version(::http::Version::HTTP_2)
-                                .header("content-type", "application/grpc")
-                                .body(rx)
-                                .unwrap(),
-                        )
-                    }),
+                    hyper_util::rt::TokioIo::new(server_io),
+                    hyper::service::service_fn(
+                        move |request: Request<hyper::body::Incoming>| async move {
+                            tracing::info!(?request);
+                            let (mut tx, rx) =
+                                http_body_util::channel::Channel::<bytes::Bytes, Error>::new(1024);
+                            tokio::spawn(async move {
+                                let mut trls = ::http::HeaderMap::new();
+                                trls.insert(
+                                    "grpc-status",
+                                    (status as u32).to_string().parse().unwrap(),
+                                );
+                                tx.send_trailers(trls).await
+                            });
+                            Ok::<_, io::Error>(
+                                http::Response::builder()
+                                    .version(::http::Version::HTTP_2)
+                                    .header("content-type", "application/grpc")
+                                    .body(rx)
+                                    .unwrap(),
+                            )
+                        },
+                    ),
                 )
                 .in_current_span(),
         );
@@ -736,12 +861,7 @@ fn grpc_status_server(
 
 #[tracing::instrument]
 fn connect_error() -> impl Fn(Remote<ServerAddr>) -> io::Result<io::BoxedIo> {
-    move |_| {
-        Err(io::Error::new(
-            io::ErrorKind::Other,
-            "server is not listening",
-        ))
-    }
+    move |_| Err(io::Error::other("server is not listening"))
 }
 
 #[tracing::instrument]
@@ -883,11 +1003,14 @@ impl svc::Param<policy::AllowPolicy> for Target {
 
 impl svc::Param<policy::ServerLabel> for Target {
     fn param(&self) -> policy::ServerLabel {
-        policy::ServerLabel(Arc::new(policy::Meta::Resource {
-            group: "policy.linkerd.io".into(),
-            kind: "server".into(),
-            name: "testsrv".into(),
-        }))
+        policy::ServerLabel(
+            Arc::new(policy::Meta::Resource {
+                group: "policy.linkerd.io".into(),
+                kind: "server".into(),
+                name: "testsrv".into(),
+            }),
+            80,
+        )
     }
 }
 

linkerd/app/inbound/src/lib.rs

@@ -20,12 +20,15 @@ pub mod test_util;
 
 #[cfg(fuzzing)]
 pub use self::http::fuzz as http_fuzz;
-pub use self::{metrics::InboundMetrics, policy::DefaultPolicy};
+pub use self::{
+    detect::MetricsFamilies as DetectMetrics, metrics::InboundMetrics, policy::DefaultPolicy,
+};
 use linkerd_app_core::{
     config::{ConnectConfig, ProxyConfig, QueueConfig},
     drain,
     http_tracing::SpanSink,
     identity, io,
+    metrics::prom,
     proxy::{tap, tcp},
     svc,
     transport::{self, Remote, ServerAddr},
@@ -52,6 +55,9 @@ pub struct Config {
 
     /// Configures how HTTP requests are buffered *for each inbound port*.
     pub http_request_queue: QueueConfig,
+
+    /// Enables unsafe authority labels.
+    pub unsafe_authority_labels: bool,
 }
 
 #[derive(Clone)]
@@ -107,10 +113,6 @@ impl<S> Inbound<S> {
         &self.runtime.identity
     }
 
-    pub fn proxy_metrics(&self) -> &metrics::Proxy {
-        &self.runtime.metrics.proxy
-    }
-
     /// A helper for gateways to instrument policy checks.
     pub fn authorize_http<N>(
         &self,
@@ -148,9 +150,9 @@ impl<S> Inbound<S> {
 }
 
 impl Inbound<()> {
-    pub fn new(config: Config, runtime: ProxyRuntime) -> Self {
+    pub fn new(config: Config, runtime: ProxyRuntime, prom: &mut prom::Registry) -> Self {
         let runtime = Runtime {
-            metrics: InboundMetrics::new(runtime.metrics),
+            metrics: InboundMetrics::new(runtime.metrics, prom),
             identity: runtime.identity,
             tap: runtime.tap,
             span_sink: runtime.span_sink,
@@ -166,7 +168,11 @@ impl Inbound<()> {
     #[cfg(any(test, feature = "test-util"))]
     pub fn for_test() -> (Self, drain::Signal) {
         let (rt, drain) = test_util::runtime();
-        let this = Self::new(test_util::default_config(), rt);
+        let this = Self::new(
+            test_util::default_config(),
+            rt,
+            &mut prom::Registry::default(),
+        );
         (this, drain)
     }
 

linkerd/app/inbound/src/metrics.rs

@@ -13,7 +13,7 @@ pub(crate) mod error;
 
 pub use linkerd_app_core::metrics::*;
 
-/// Holds outbound proxy metrics.
+/// Holds LEGACY inbound proxy metrics.
 #[derive(Clone, Debug)]
 pub struct InboundMetrics {
     pub http_authz: authz::HttpAuthzMetrics,
@@ -25,21 +25,32 @@ pub struct InboundMetrics {
     /// Holds metrics that are common to both inbound and outbound proxies. These metrics are
     /// reported separately
     pub proxy: Proxy,
+
+    pub detect: crate::detect::MetricsFamilies,
+    pub direct: crate::direct::MetricsFamilies,
 }
 
 impl InboundMetrics {
-    pub(crate) fn new(proxy: Proxy) -> Self {
+    pub(crate) fn new(proxy: Proxy, reg: &mut prom::Registry) -> Self {
+        let detect =
+            crate::detect::MetricsFamilies::register(reg.sub_registry_with_prefix("tcp_detect"));
+        let direct = crate::direct::MetricsFamilies::register(
+            reg.sub_registry_with_prefix("tcp_transport_header"),
+        );
+
         Self {
             http_authz: authz::HttpAuthzMetrics::default(),
             http_errors: error::HttpErrorMetrics::default(),
             tcp_authz: authz::TcpAuthzMetrics::default(),
             tcp_errors: error::TcpErrorMetrics::default(),
             proxy,
+            detect,
+            direct,
         }
     }
 }
 
-impl FmtMetrics for InboundMetrics {
+impl legacy::FmtMetrics for InboundMetrics {
     fn fmt_metrics(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         self.http_authz.fmt_metrics(f)?;
         self.http_errors.fmt_metrics(f)?;

linkerd/app/inbound/src/metrics/authz.rs

@@ -1,8 +1,9 @@
 use crate::policy::{AllowPolicy, HttpRoutePermit, Meta, ServerPermit};
 use linkerd_app_core::{
     metrics::{
-        metrics, Counter, FmtLabels, FmtMetrics, RouteAuthzLabels, RouteLabels, ServerAuthzLabels,
-        ServerLabel, TargetAddr, TlsAccept,
+        legacy::{Counter, FmtLabels, FmtMetrics},
+        metrics, RouteAuthzLabels, RouteLabels, ServerAuthzLabels, ServerLabel, TargetAddr,
+        TlsAccept,
     },
     tls,
     transport::OrigDstAddr,
@@ -67,7 +68,7 @@ pub struct HTTPLocalRateLimitLabels {
 #[derive(Debug, Hash, PartialEq, Eq)]
 struct Key<L> {
     target: TargetAddr,
-    tls: tls::ConditionalServerTls,
+    tls: tls::ConditionalServerTlsLabels,
     labels: L,
 }
 
@@ -80,7 +81,7 @@ type HttpLocalRateLimitKey = Key<HTTPLocalRateLimitLabels>;
 // === impl HttpAuthzMetrics ===
 
 impl HttpAuthzMetrics {
-    pub fn allow(&self, permit: &HttpRoutePermit, tls: tls::ConditionalServerTls) {
+    pub fn allow(&self, permit: &HttpRoutePermit, tls: tls::ConditionalServerTlsLabels) {
         self.0
             .allow
             .lock()
@@ -93,7 +94,7 @@ impl HttpAuthzMetrics {
         &self,
         labels: ServerLabel,
         dst: OrigDstAddr,
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
     ) {
         self.0
             .route_not_found
@@ -103,7 +104,12 @@ impl HttpAuthzMetrics {
             .incr();
     }
 
-    pub fn deny(&self, labels: RouteLabels, dst: OrigDstAddr, tls: tls::ConditionalServerTls) {
+    pub fn deny(
+        &self,
+        labels: RouteLabels,
+        dst: OrigDstAddr,
+        tls: tls::ConditionalServerTlsLabels,
+    ) {
         self.0
             .deny
             .lock()
@@ -116,7 +122,7 @@ impl HttpAuthzMetrics {
         &self,
         labels: HTTPLocalRateLimitLabels,
         dst: OrigDstAddr,
-        tls: tls::ConditionalServerTls,
+        tls: tls::ConditionalServerTlsLabels,
     ) {
         self.0
             .http_local_rate_limit
@@ -187,7 +193,7 @@ impl FmtMetrics for HttpAuthzMetrics {
 // === impl TcpAuthzMetrics ===
 
 impl TcpAuthzMetrics {
-    pub fn allow(&self, permit: &ServerPermit, tls: tls::ConditionalServerTls) {
+    pub fn allow(&self, permit: &ServerPermit, tls: tls::ConditionalServerTlsLabels) {
         self.0
             .allow
             .lock()
@@ -196,7 +202,7 @@ impl TcpAuthzMetrics {
             .incr();
     }
 
-    pub fn deny(&self, policy: &AllowPolicy, tls: tls::ConditionalServerTls) {
+    pub fn deny(&self, policy: &AllowPolicy, tls: tls::ConditionalServerTlsLabels) {
         self.0
             .deny
             .lock()
@@ -205,7 +211,7 @@ impl TcpAuthzMetrics {
             .incr();
     }
 
-    pub fn terminate(&self, policy: &AllowPolicy, tls: tls::ConditionalServerTls) {
+    pub fn terminate(&self, policy: &AllowPolicy, tls: tls::ConditionalServerTlsLabels) {
         self.0
             .terminate
             .lock()
@@ -246,18 +252,24 @@ impl FmtMetrics for TcpAuthzMetrics {
 
 impl FmtLabels for HTTPLocalRateLimitLabels {
     fn fmt_labels(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        self.server.fmt_labels(f)?;
-        if let Some(rl) = &self.rate_limit {
+        let Self {
+            server,
+            rate_limit,
+            scope,
+        } = self;
+
+        server.fmt_labels(f)?;
+        if let Some(rl) = rate_limit {
             write!(
                 f,
                 ",ratelimit_group=\"{}\",ratelimit_kind=\"{}\",ratelimit_name=\"{}\",ratelimit_scope=\"{}\"",
                 rl.group(),
                 rl.kind(),
                 rl.name(),
-                self.scope,
+                scope,
             )
         } else {
-            write!(f, ",ratelimit_scope=\"{}\"", self.scope)
+            write!(f, ",ratelimit_scope=\"{scope}\"")
         }
     }
 }
@@ -265,7 +277,7 @@ impl FmtLabels for HTTPLocalRateLimitLabels {
 // === impl Key ===
 
 impl<L> Key<L> {
-    fn new(labels: L, dst: OrigDstAddr, tls: tls::ConditionalServerTls) -> Self {
+    fn new(labels: L, dst: OrigDstAddr, tls: tls::ConditionalServerTlsLabels) -> Self {
         Self {
             tls,
             target: TargetAddr(dst.into()),
@@ -276,24 +288,30 @@ impl<L> Key<L> {
 
 impl<L: FmtLabels> FmtLabels for Key<L> {
     fn fmt_labels(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        (self.target, (&self.labels, TlsAccept(&self.tls))).fmt_labels(f)
+        let Self {
+            target,
+            tls,
+            labels,
+        } = self;
+
+        (target, (labels, TlsAccept(tls))).fmt_labels(f)
     }
 }
 
 impl ServerKey {
-    fn from_policy(policy: &AllowPolicy, tls: tls::ConditionalServerTls) -> Self {
+    fn from_policy(policy: &AllowPolicy, tls: tls::ConditionalServerTlsLabels) -> Self {
         Self::new(policy.server_label(), policy.dst_addr(), tls)
     }
 }
 
 impl RouteAuthzKey {
-    fn from_permit(permit: &HttpRoutePermit, tls: tls::ConditionalServerTls) -> Self {
+    fn from_permit(permit: &HttpRoutePermit, tls: tls::ConditionalServerTlsLabels) -> Self {
         Self::new(permit.labels.clone(), permit.dst, tls)
     }
 }
 
 impl ServerAuthzKey {
-    fn from_permit(permit: &ServerPermit, tls: tls::ConditionalServerTls) -> Self {
+    fn from_permit(permit: &ServerPermit, tls: tls::ConditionalServerTlsLabels) -> Self {
         Self::new(permit.labels.clone(), permit.dst, tls)
     }
 }

linkerd/app/inbound/src/metrics/error.rs

@@ -8,7 +8,7 @@ use crate::{
 };
 use linkerd_app_core::{
     errors::{FailFastError, LoadShedError},
-    metrics::FmtLabels,
+    metrics::legacy::FmtLabels,
     tls,
 };
 use std::fmt;

linkerd/app/inbound/src/metrics/error/http.rs

@@ -1,6 +1,9 @@
 use super::ErrorKind;
 use linkerd_app_core::{
-    metrics::{metrics, Counter, FmtMetrics, ServerLabel},
+    metrics::{
+        legacy::{Counter, FmtMetrics},
+        metrics, ServerLabel,
+    },
     svc::{self, stack::NewMonitor},
     transport::{labels::TargetAddr, OrigDstAddr},
     Error,

linkerd/app/inbound/src/metrics/error/tcp.rs

@@ -1,6 +1,9 @@
 use super::ErrorKind;
 use linkerd_app_core::{
-    metrics::{metrics, Counter, FmtMetrics},
+    metrics::{
+        legacy::{Counter, FmtMetrics},
+        metrics,
+    },
     svc::{self, stack::NewMonitor},
     transport::{labels::TargetAddr, OrigDstAddr},
     Error,

linkerd/app/inbound/src/policy.rs

@@ -133,7 +133,7 @@ impl AllowPolicy {
 
     #[inline]
     pub fn server_label(&self) -> ServerLabel {
-        ServerLabel(self.server.borrow().meta.clone())
+        ServerLabel(self.server.borrow().meta.clone(), self.dst.port())
     }
 
     pub fn ratelimit_label(&self, error: &RateLimitError) -> HTTPLocalRateLimitLabels {
@@ -220,7 +220,7 @@ impl ServerPermit {
             protocol: server.protocol.clone(),
             labels: ServerAuthzLabels {
                 authz: authz.meta.clone(),
-                server: ServerLabel(server.meta.clone()),
+                server: ServerLabel(server.meta.clone(), dst.port()),
             },
         }
     }

linkerd/app/inbound/src/policy/api.rs

@@ -33,9 +33,8 @@ static INVALID_POLICY: once_cell::sync::OnceCell<ServerPolicy> = once_cell::sync
 
 impl<S> Api<S>
 where
-    S: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error> + Clone,
-    S::ResponseBody:
-        http::Body<Data = tonic::codegen::Bytes, Error = Error> + Default + Send + 'static,
+    S: tonic::client::GrpcService<tonic::body::Body, Error = Error> + Clone,
+    S::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error> + Send + 'static,
 {
     pub(super) fn new(
         workload: Arc<str>,
@@ -58,10 +57,9 @@ where
 
 impl<S> Service<u16> for Api<S>
 where
-    S: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+    S: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
     S: Clone + Send + Sync + 'static,
-    S::ResponseBody:
-        http::Body<Data = tonic::codegen::Bytes, Error = Error> + Default + Send + 'static,
+    S::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error> + Send + 'static,
     S::Future: Send + 'static,
 {
     type Response =

linkerd/app/inbound/src/policy/config.rs

@@ -40,10 +40,10 @@ impl Config {
         limits: ReceiveLimits,
     ) -> impl GetPolicy + Clone + Send + Sync + 'static
     where
-        C: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+        C: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
         C: Clone + Unpin + Send + Sync + 'static,
         C::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error>,
-        C::ResponseBody: Default + Send + 'static,
+        C::ResponseBody: Send + 'static,
         C::Future: Send,
     {
         match self {

linkerd/app/inbound/src/policy/http.rs

@@ -248,8 +248,11 @@ impl<T, N> HttpPolicyService<T, N> {
                         );
                     }
                 }
-                self.metrics
-                    .deny(labels, self.connection.dst, self.connection.tls.clone());
+                self.metrics.deny(
+                    labels,
+                    self.connection.dst,
+                    self.connection.tls.as_ref().map(|t| t.labels()),
+                );
                 return Err(HttpRouteUnauthorized(()).into());
             }
         };
@@ -279,14 +282,19 @@ impl<T, N> HttpPolicyService<T, N> {
             }
         };
 
-        self.metrics.allow(&permit, self.connection.tls.clone());
+        self.metrics
+            .allow(&permit, self.connection.tls.as_ref().map(|t| t.labels()));
+
         Ok((permit, r#match, route))
     }
 
     fn mk_route_not_found(&self) -> Error {
         let labels = self.policy.server_label();
-        self.metrics
-            .route_not_found(labels, self.connection.dst, self.connection.tls.clone());
+        self.metrics.route_not_found(
+            labels,
+            self.connection.dst,
+            self.connection.tls.as_ref().map(|t| t.labels()),
+        );
         HttpRouteNotFound(()).into()
     }
 
@@ -306,7 +314,7 @@ impl<T, N> HttpPolicyService<T, N> {
                 self.metrics.ratelimit(
                     self.policy.ratelimit_label(&err),
                     self.connection.dst,
-                    self.connection.tls.clone(),
+                    self.connection.tls.as_ref().map(|t| t.labels()),
                 );
                 err.into()
             })

linkerd/app/inbound/src/policy/http/tests.rs

@@ -1,6 +1,7 @@
 use super::*;
 use crate::policy::{Authentication, Authorization, Meta, Protocol, ServerPolicy};
 use linkerd_app_core::{svc::Service, Infallible};
+use linkerd_http_box::BoxBody;
 use linkerd_proxy_server_policy::{LocalRateLimit, RateLimitError};
 
 macro_rules! conn {
@@ -40,7 +41,7 @@ macro_rules! new_svc {
             metrics: HttpAuthzMetrics::default(),
             inner: |(permit, _): (HttpRoutePermit, ())| {
                 let f = $rsp;
-                svc::mk(move |req: ::http::Request<hyper::Body>| {
+                svc::mk(move |req: ::http::Request<BoxBody>| {
                     futures::future::ready((f)(permit.clone(), req))
                 })
             },
@@ -56,9 +57,9 @@ macro_rules! new_svc {
         new_svc!(
             $proto,
             conn!(),
-            |permit: HttpRoutePermit, _req: ::http::Request<hyper::Body>| {
+            |permit: HttpRoutePermit, _req: ::http::Request<BoxBody>| {
                 let mut rsp = ::http::Response::builder()
-                    .body(hyper::Body::default())
+                    .body(BoxBody::default())
                     .unwrap();
                 rsp.extensions_mut().insert(permit.clone());
                 Ok::<_, Infallible>(rsp)
@@ -119,11 +120,7 @@ async fn http_route() {
 
     // Test that authorization policies allow requests:
     let rsp = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
         .await
         .expect("serves");
     let permit = rsp
@@ -137,7 +134,7 @@ async fn http_route() {
         .call(
             ::http::Request::builder()
                 .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await
@@ -149,7 +146,7 @@ async fn http_route() {
         .call(
             ::http::Request::builder()
                 .method(::http::Method::DELETE)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await
@@ -213,11 +210,7 @@ async fn http_route() {
     .expect("must send");
 
     assert!(svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap(),)
         .await
         .expect_err("fails")
         .is::<HttpRouteUnauthorized>());
@@ -226,7 +219,7 @@ async fn http_route() {
         .call(
             ::http::Request::builder()
                 .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await
@@ -237,7 +230,7 @@ async fn http_route() {
         .call(
             ::http::Request::builder()
                 .method(::http::Method::DELETE)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await
@@ -285,14 +278,14 @@ async fn http_filter_header() {
             },
         }],
     }]));
-    let inner = |permit: HttpRoutePermit, req: ::http::Request<hyper::Body>| -> Result<_> {
+    let inner = |permit: HttpRoutePermit, req: ::http::Request<BoxBody>| -> Result<_> {
         assert_eq!(req.headers().len(), 1);
         assert_eq!(
             req.headers().get("testkey"),
             Some(&"testval".parse().unwrap())
         );
         let mut rsp = ::http::Response::builder()
-            .body(hyper::Body::default())
+            .body(BoxBody::default())
             .unwrap();
         rsp.extensions_mut().insert(permit);
         Ok(rsp)
@@ -300,11 +293,7 @@ async fn http_filter_header() {
     let (mut svc, _tx) = new_svc!(proto, conn!(), inner);
 
     let rsp = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
         .await
         .expect("serves");
     let permit = rsp
@@ -354,16 +343,12 @@ async fn http_filter_inject_failure() {
         }],
     }]));
     let inner = |_: HttpRoutePermit,
-                 _: ::http::Request<hyper::Body>|
-     -> Result<::http::Response<hyper::Body>> { unreachable!() };
+                 _: ::http::Request<BoxBody>|
+     -> Result<::http::Response<BoxBody>> { unreachable!() };
     let (mut svc, _tx) = new_svc!(proto, conn!(), inner);
 
     let err = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
         .await
         .expect_err("fails");
     assert_eq!(
@@ -397,22 +382,14 @@ async fn rate_limit_allow() {
 
     // First request should be allowed
     let rsp = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
         .await
         .expect("serves");
     assert_eq!(rsp.status(), ::http::StatusCode::OK);
 
     // Second request should be allowed as well
     let rsp = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
         .await
         .expect("serves");
     assert_eq!(rsp.status(), ::http::StatusCode::OK);
@@ -440,22 +417,14 @@ async fn rate_limit_deny() {
 
     // First request should be allowed
     let rsp = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
         .await
         .expect("serves");
     assert_eq!(rsp.status(), ::http::StatusCode::OK);
 
     // Second request should be denied
     let rsp = svc
-        .call(
-            ::http::Request::builder()
-                .body(hyper::Body::default())
-                .unwrap(),
-        )
+        .call(::http::Request::builder().body(BoxBody::default()).unwrap())
         .await
         .expect_err("should deny");
     let err = rsp
@@ -526,7 +495,7 @@ async fn grpc_route() {
             ::http::Request::builder()
                 .uri("/foo.bar.bah/baz")
                 .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await
@@ -542,7 +511,7 @@ async fn grpc_route() {
             ::http::Request::builder()
                 .uri("/foo.bar.bah/qux")
                 .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await
@@ -554,7 +523,7 @@ async fn grpc_route() {
             ::http::Request::builder()
                 .uri("/boo.bar.bah/bah")
                 .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await
@@ -606,14 +575,14 @@ async fn grpc_filter_header() {
             },
         }],
     }]));
-    let inner = |permit: HttpRoutePermit, req: ::http::Request<hyper::Body>| -> Result<_> {
+    let inner = |permit: HttpRoutePermit, req: ::http::Request<BoxBody>| -> Result<_> {
         assert_eq!(req.headers().len(), 1);
         assert_eq!(
             req.headers().get("testkey"),
             Some(&"testval".parse().unwrap())
         );
         let mut rsp = ::http::Response::builder()
-            .body(hyper::Body::default())
+            .body(BoxBody::default())
             .unwrap();
         rsp.extensions_mut().insert(permit);
         Ok(rsp)
@@ -625,7 +594,7 @@ async fn grpc_filter_header() {
             ::http::Request::builder()
                 .uri("/foo.bar.bah/baz")
                 .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await
@@ -683,8 +652,8 @@ async fn grpc_filter_inject_failure() {
         }],
     }]));
     let inner = |_: HttpRoutePermit,
-                 _: ::http::Request<hyper::Body>|
-     -> Result<::http::Response<hyper::Body>> { unreachable!() };
+                 _: ::http::Request<BoxBody>|
+     -> Result<::http::Response<BoxBody>> { unreachable!() };
     let (mut svc, _tx) = new_svc!(proto, conn!(), inner);
 
     let err = svc
@@ -692,7 +661,7 @@ async fn grpc_filter_inject_failure() {
             ::http::Request::builder()
                 .uri("/foo.bar.bah/baz")
                 .method(::http::Method::POST)
-                .body(hyper::Body::default())
+                .body(BoxBody::default())
                 .unwrap(),
         )
         .await

linkerd/app/inbound/src/policy/store.rs

@@ -74,11 +74,10 @@ impl<S> Store<S> {
         opaque_ports: RangeInclusiveSet<u16>,
     ) -> Self
     where
-        S: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+        S: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
         S: Clone + Send + Sync + 'static,
         S::Future: Send,
-        S::ResponseBody:
-            http::Body<Data = tonic::codegen::Bytes, Error = Error> + Default + Send + 'static,
+        S::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error> + Send + 'static,
     {
         let opaque_default = Self::make_opaque(default.clone());
         // The initial set of policies never expire from the cache.
@@ -139,11 +138,10 @@ impl<S> Store<S> {
 
 impl<S> GetPolicy for Store<S>
 where
-    S: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+    S: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
     S: Clone + Send + Sync + 'static,
     S::Future: Send,
-    S::ResponseBody:
-        http::Body<Data = tonic::codegen::Bytes, Error = Error> + Default + Send + 'static,
+    S::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error> + Send + 'static,
 {
     fn get_policy(&self, dst: OrigDstAddr) -> AllowPolicy {
         // Lookup the policy for the target port in the cache. If it doesn't

linkerd/app/inbound/src/policy/tcp.rs

@@ -77,7 +77,8 @@ where
                 // This new services requires a ClientAddr, so it must necessarily be built for each
                 // connection. So we can just increment the counter here since the service can only
                 // be used at most once.
-                self.metrics.allow(&permit, tls.clone());
+                self.metrics
+                    .allow(&permit, tls.as_ref().map(|t| t.labels()));
 
                 let inner = self.inner.new_service((permit, target));
                 TcpPolicy::Authorized(Authorized {
@@ -97,7 +98,7 @@ where
                     ?tls, %client,
                     "Connection denied"
                 );
-                self.metrics.deny(&policy, tls);
+                self.metrics.deny(&policy, tls.as_ref().map(|t| t.labels()));
                 TcpPolicy::Unauthorized(deny)
             }
         }
@@ -167,7 +168,7 @@ where
                                 %client,
                                 "Connection terminated due to policy change",
                             );
-                            metrics.terminate(&policy, tls);
+                            metrics.terminate(&policy, tls.as_ref().map(|t| t.labels()));
                             return Err(denied.into());
                         }
                     }

linkerd/app/inbound/src/policy/tcp/tests.rs

@@ -43,11 +43,14 @@ async fn unauthenticated_allowed() {
                     kind: "serverauthorization".into(),
                     name: "unauth".into()
                 }),
-                server: ServerLabel(Arc::new(Meta::Resource {
-                    group: "policy.linkerd.io".into(),
-                    kind: "server".into(),
-                    name: "test".into()
-                }))
+                server: ServerLabel(
+                    Arc::new(Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "server".into(),
+                        name: "test".into()
+                    }),
+                    1000
+                )
             },
         }
     );
@@ -96,11 +99,14 @@ async fn authenticated_identity() {
                     kind: "serverauthorization".into(),
                     name: "tls-auth".into()
                 }),
-                server: ServerLabel(Arc::new(Meta::Resource {
-                    group: "policy.linkerd.io".into(),
-                    kind: "server".into(),
-                    name: "test".into()
-                }))
+                server: ServerLabel(
+                    Arc::new(Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "server".into(),
+                        name: "test".into()
+                    }),
+                    1000
+                )
             }
         }
     );
@@ -159,11 +165,14 @@ async fn authenticated_suffix() {
                     kind: "serverauthorization".into(),
                     name: "tls-auth".into()
                 }),
-                server: ServerLabel(Arc::new(Meta::Resource {
-                    group: "policy.linkerd.io".into(),
-                    kind: "server".into(),
-                    name: "test".into()
-                })),
+                server: ServerLabel(
+                    Arc::new(Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "server".into(),
+                        name: "test".into()
+                    }),
+                    1000
+                ),
             }
         }
     );
@@ -219,11 +228,14 @@ async fn tls_unauthenticated() {
                     kind: "serverauthorization".into(),
                     name: "tls-unauth".into()
                 }),
-                server: ServerLabel(Arc::new(Meta::Resource {
-                    group: "policy.linkerd.io".into(),
-                    kind: "server".into(),
-                    name: "test".into()
-                })),
+                server: ServerLabel(
+                    Arc::new(Meta::Resource {
+                        group: "policy.linkerd.io".into(),
+                        kind: "server".into(),
+                        name: "test".into()
+                    }),
+                    1000
+                ),
             }
         }
     );
@@ -251,7 +263,7 @@ fn orig_dst_addr() -> OrigDstAddr {
     OrigDstAddr(([192, 0, 2, 2], 1000).into())
 }
 
-impl tonic::client::GrpcService<tonic::body::BoxBody> for MockSvc {
+impl tonic::client::GrpcService<tonic::body::Body> for MockSvc {
     type ResponseBody = linkerd_app_core::control::RspBody;
     type Error = Error;
     type Future = futures::future::Pending<Result<http::Response<Self::ResponseBody>, Self::Error>>;
@@ -263,7 +275,7 @@ impl tonic::client::GrpcService<tonic::body::BoxBody> for MockSvc {
         unreachable!()
     }
 
-    fn call(&mut self, _req: http::Request<tonic::body::BoxBody>) -> Self::Future {
+    fn call(&mut self, _req: http::Request<tonic::body::Body>) -> Self::Future {
         unreachable!()
     }
 }

linkerd/app/inbound/src/server.rs

@@ -27,10 +27,10 @@ impl Inbound<()> {
         limits: ReceiveLimits,
     ) -> impl policy::GetPolicy + Clone + Send + Sync + 'static
     where
-        C: tonic::client::GrpcService<tonic::body::BoxBody, Error = Error>,
+        C: tonic::client::GrpcService<tonic::body::Body, Error = Error>,
         C: Clone + Unpin + Send + Sync + 'static,
         C::ResponseBody: http::Body<Data = tonic::codegen::Bytes, Error = Error>,
-        C::ResponseBody: Default + Send + 'static,
+        C::ResponseBody: Send + 'static,
         C::Future: Send,
     {
         self.config
@@ -55,6 +55,8 @@ impl Inbound<()> {
         I: Debug + Unpin + Send + Sync + 'static,
         P: profiles::GetProfile<Error = Error>,
     {
+        let detect_metrics = self.runtime.metrics.detect.clone();
+
         // Handles connections to ports that can't be determined to be HTTP.
         let forward = self
             .clone()
@@ -97,7 +99,7 @@ impl Inbound<()> {
         // Determines how to handle an inbound connection, dispatching it to the appropriate
         // stack.
         http.push_http_tcp_server()
-            .push_detect(forward)
+            .push_detect(detect_metrics, forward)
             .push_accept(addr.port(), policies, direct)
             .into_inner()
     }

linkerd/app/inbound/src/test_util.rs

@@ -3,9 +3,7 @@ pub use futures::prelude::*;
 use linkerd_app_core::{
     config,
     dns::Suffix,
-    drain, exp_backoff,
-    identity::rustls,
-    metrics,
+    drain, exp_backoff, identity, metrics,
     proxy::{
         http::{h1, h2},
         tap,
@@ -89,6 +87,7 @@ pub fn default_config() -> Config {
         },
         discovery_idle_timeout: Duration::from_secs(20),
         profile_skip_timeout: Duration::from_secs(1),
+        unsafe_authority_labels: false,
     }
 }
 
@@ -97,7 +96,7 @@ pub fn runtime() -> (ProxyRuntime, drain::Signal) {
     let (tap, _) = tap::new();
     let (metrics, _) = metrics::Metrics::new(std::time::Duration::from_secs(10));
     let runtime = ProxyRuntime {
-        identity: rustls::creds::default_for_test().1.into(),
+        identity: identity::creds::default_for_test().1,
         metrics: metrics.proxy,
         tap,
         span_sink: None,

linkerd/app/integration/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-integration"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Proxy integration tests
 
@@ -22,40 +22,51 @@ futures = { version = "0.3", default-features = false, features = ["executor"] }
 h2 = { workspace = true }
 http = { workspace = true }
 http-body = { workspace = true }
-hyper = { workspace = true, features = [
-    "backports",
-    "deprecated",
-    "http1",
-    "http2",
-    "stream",
-    "client",
-    "server",
-] }
+http-body-util = { workspace = true }
+hyper-util = { workspace = true, features = ["service"] }
 ipnet = "2"
 linkerd-app = { path = "..", features = ["allow-loopback"] }
 linkerd-app-core = { path = "../core" }
-linkerd-metrics = { path = "../../metrics", features = ["test_util"] }
-linkerd2-proxy-api = { workspace = true, features = [
-    "destination",
-    "arbitrary",
-] }
 linkerd-app-test = { path = "../test" }
+linkerd-meshtls = { path = "../../meshtls", features = ["test-util"] }
+linkerd-metrics = { path = "../../metrics", features = ["test_util"] }
+linkerd-rustls = { path = "../../rustls" }
 linkerd-tracing = { path = "../../tracing" }
 maplit = "1"
 parking_lot = "0.12"
 regex = "1"
-socket2 = "0.5"
-tokio = { version = "1", features = ["io-util", "net", "rt", "macros"] }
-tokio-stream = { version = "0.1", features = ["sync"] }
-tokio-rustls = { workspace = true }
 rustls-pemfile = "2.2"
-tower = { version = "0.4", default-features = false }
-tonic = { workspace = true, features = ["transport"], default-features = false }
-tracing = "0.1"
-tracing-subscriber = { version = "0.3", default-features = false, features = [
+socket2 = "0.6"
+tokio = { version = "1", features = ["io-util", "net", "rt", "macros"] }
+tokio-rustls = { workspace = true }
+tokio-stream = { version = "0.1", features = ["sync"] }
+tonic = { workspace = true, features = ["transport", "router"], default-features = false }
+tower = { workspace = true, default-features = false }
+tracing = { workspace = true }
+
+[dependencies.hyper]
+workspace = true
+features = [
+    "client",
+    "http1",
+    "http2",
+    "server",
+]
+
+[dependencies.linkerd2-proxy-api]
+workspace = true
+features = [
+    "arbitrary",
+    "destination",
+]
+
+[dependencies.tracing-subscriber]
+version = "0.3"
+default-features = false
+features = [
     "fmt",
     "std",
-] }
+]
 
 [dev-dependencies]
 flate2 = { version = "1", default-features = false, features = [
@@ -63,8 +74,5 @@ flate2 = { version = "1", default-features = false, features = [
 ] }
 # Log streaming isn't enabled by default globally, but we want to test it.
 linkerd-app-admin = { path = "../admin", features = ["log-streaming"] }
-# No code from this crate is actually used; only necessary to enable the Rustls
-# implementation.
-linkerd-meshtls = { path = "../../meshtls", features = ["rustls"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 serde_json = "1"

linkerd/app/integration/src/client.rs

@@ -1,15 +1,17 @@
 use super::*;
-use linkerd_app_core::proxy::http::TracingExecutor;
+use http::{Request, Response};
+use linkerd_app_core::{proxy::http::TokioExecutor, svc::http::BoxBody};
 use parking_lot::Mutex;
 use std::io;
 use tokio::{net::TcpStream, task::JoinHandle};
 use tokio_rustls::rustls::{self, ClientConfig};
 use tracing::info_span;
 
-type ClientError = hyper::Error;
-type Request = http::Request<hyper::Body>;
-type Response = http::Response<hyper::Body>;
-type Sender = mpsc::UnboundedSender<(Request, oneshot::Sender<Result<Response, ClientError>>)>;
+type ClientError = hyper_util::client::legacy::Error;
+type Sender = mpsc::UnboundedSender<(
+    Request<BoxBody>,
+    oneshot::Sender<Result<Response<hyper::body::Incoming>, ClientError>>,
+)>;
 
 #[derive(Clone)]
 pub struct TlsConfig {
@@ -74,9 +76,6 @@ pub fn http2_tls<T: Into<String>>(addr: SocketAddr, auth: T, tls: TlsConfig) ->
     Client::new(addr, auth.into(), Run::Http2, Some(tls))
 }
 
-pub fn tcp(addr: SocketAddr) -> tcp::TcpClient {
-    tcp::client(addr)
-}
 pub struct Client {
     addr: SocketAddr,
     run: Run,
@@ -132,11 +131,19 @@ impl Client {
     pub fn request(
         &self,
         builder: http::request::Builder,
-    ) -> impl Future<Output = Result<Response, ClientError>> + Send + Sync + 'static {
-        self.send_req(builder.body(Bytes::new().into()).unwrap())
+    ) -> impl Future<Output = Result<Response<hyper::body::Incoming>, ClientError>> + Send + 'static
+    {
+        let req = builder.body(BoxBody::empty()).unwrap();
+        self.send_req(req)
     }
 
-    pub async fn request_body(&self, req: Request) -> Response {
+    pub async fn request_body<B>(&self, req: Request<B>) -> Response<hyper::body::Incoming>
+    where
+        B: Body + Send + 'static,
+        B::Data: Send + 'static,
+        B::Error: Into<Error>,
+    {
+        let req = req.map(BoxBody::new);
         self.send_req(req).await.expect("response")
     }
 
@@ -152,11 +159,16 @@ impl Client {
         }
     }
 
-    #[tracing::instrument(skip(self))]
-    pub(crate) fn send_req(
+    #[tracing::instrument(skip(self, req))]
+    pub(crate) fn send_req<B>(
         &self,
-        mut req: Request,
-    ) -> impl Future<Output = Result<Response, ClientError>> + Send + Sync + 'static {
+        mut req: Request<B>,
+    ) -> impl Future<Output = Result<Response<hyper::body::Incoming>, ClientError>> + Send + 'static
+    where
+        B: Body + Send + 'static,
+        B::Data: Send + 'static,
+        B::Error: Into<Error>,
+    {
         if req.uri().scheme().is_none() {
             if self.tls.is_some() {
                 *req.uri_mut() = format!("https://{}{}", self.authority, req.uri().path())
@@ -170,7 +182,8 @@ impl Client {
         }
         tracing::debug!(headers = ?req.headers(), "request");
         let (tx, rx) = oneshot::channel();
-        let _ = self.tx.send((req.map(Into::into), tx));
+        let req = req.map(BoxBody::new);
+        let _ = self.tx.send((req, tx));
         async { rx.await.expect("request cancelled") }.in_current_span()
     }
 
@@ -220,13 +233,17 @@ enum Run {
     Http2,
 }
 
+pub type Running = Pin<Box<dyn Future<Output = ()> + Send + 'static>>;
+
 fn run(
     addr: SocketAddr,
     version: Run,
     tls: Option<TlsConfig>,
 ) -> (Sender, JoinHandle<()>, Running) {
-    let (tx, rx) =
-        mpsc::unbounded_channel::<(Request, oneshot::Sender<Result<Response, ClientError>>)>();
+    let (tx, rx) = mpsc::unbounded_channel::<(
+        Request<BoxBody>,
+        oneshot::Sender<Result<Response<hyper::body::Incoming>, ClientError>>,
+    )>();
 
     let test_name = thread_name();
     let absolute_uris = if let Run::Http1 { absolute_uris } = version {
@@ -235,7 +252,12 @@ fn run(
         false
     };
 
-    let (running_tx, running) = running();
+    let (running_tx, running) = {
+        let (tx, rx) = oneshot::channel();
+        let rx = Box::pin(rx.map(|_| ()));
+        (tx, rx)
+    };
+
     let conn = Conn {
         addr,
         absolute_uris,
@@ -250,10 +272,9 @@ fn run(
 
     let span = info_span!("test client", peer_addr = %addr, ?version, test = %test_name);
     let work = async move {
-        let client = hyper::Client::builder()
+        let client = hyper_util::client::legacy::Client::builder(TokioExecutor::new())
             .http2_only(http2_only)
-            .executor(TracingExecutor)
-            .build::<Conn, hyper::Body>(conn);
+            .build::<Conn, BoxBody>(conn);
         tracing::trace!("client task started");
         let mut rx = rx;
         let (drain_tx, drain) = drain::channel();
@@ -263,7 +284,6 @@ fn run(
         // instance would remain un-dropped.
         async move {
             while let Some((req, cb)) = rx.recv().await {
-                let req = req.map(hyper::Body::from);
                 tracing::trace!(?req);
                 let req = client.request(req);
                 tokio::spawn(
@@ -295,9 +315,11 @@ struct Conn {
 }
 
 impl tower::Service<hyper::Uri> for Conn {
-    type Response = RunningIo;
+    type Response = hyper_util::rt::TokioIo<RunningIo>;
     type Error = io::Error;
-    type Future = Pin<Box<dyn Future<Output = io::Result<RunningIo>> + Send + 'static>>;
+    type Future = Pin<
+        Box<dyn Future<Output = io::Result<hyper_util::rt::TokioIo<RunningIo>>> + Send + 'static>,
+    >;
 
     fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
         Poll::Ready(Ok(()))
@@ -327,19 +349,19 @@ impl tower::Service<hyper::Uri> for Conn {
             } else {
                 Box::pin(io) as Pin<Box<dyn Io + Send + 'static>>
             };
-            Ok(RunningIo {
+            Ok(hyper_util::rt::TokioIo::new(RunningIo {
                 io,
                 abs_form,
                 _running: Some(running),
-            })
+            }))
         })
     }
 }
 
-impl hyper::client::connect::Connection for RunningIo {
-    fn connected(&self) -> hyper::client::connect::Connected {
+impl hyper_util::client::legacy::connect::Connection for RunningIo {
+    fn connected(&self) -> hyper_util::client::legacy::connect::Connected {
         // Setting `proxy` to true will configure Hyper to use absolute-form
         // URIs on this connection.
-        hyper::client::connect::Connected::new().proxy(self.abs_form)
+        hyper_util::client::legacy::connect::Connected::new().proxy(self.abs_form)
     }
 }

linkerd/app/integration/src/controller.rs

@@ -2,7 +2,7 @@ use super::*;
 
 pub use linkerd2_proxy_api::destination as pb;
 use linkerd2_proxy_api::net;
-use linkerd_app_core::proxy::http::TracingExecutor;
+use linkerd_app_core::proxy::http::TokioExecutor;
 use parking_lot::Mutex;
 use std::collections::VecDeque;
 use std::net::IpAddr;
@@ -262,10 +262,7 @@ impl pb::destination_server::Destination for Controller {
                 }
 
                 tracing::warn!(?dst, ?updates, "request does not match");
-                let msg = format!(
-                    "expected get call for {:?} but got get call for {:?}",
-                    dst, req
-                );
+                let msg = format!("expected get call for {dst:?} but got get call for {req:?}");
                 calls.push_front(Dst::Call(dst, updates));
                 return Err(grpc::Status::new(grpc::Code::Unavailable, msg));
             }
@@ -343,7 +340,7 @@ pub(crate) async fn run<T, B>(
     delay: Option<Pin<Box<dyn Future<Output = ()> + Send>>>,
 ) -> Listening
 where
-    T: tower::Service<http::Request<hyper::body::Body>, Response = http::Response<B>>,
+    T: tower::Service<http::Request<hyper::body::Incoming>, Response = http::Response<B>>,
     T: Clone + Send + 'static,
     T::Error: Into<Box<dyn std::error::Error + Send + Sync>>,
     T::Future: Send,
@@ -372,11 +369,16 @@ where
                 let _ = listening_tx.send(());
             }
 
-            let http = hyper::server::conn::http2::Builder::new(TracingExecutor);
+            let mut http = hyper::server::conn::http2::Builder::new(TokioExecutor::new());
             loop {
                 let (sock, addr) = listener.accept().await?;
                 let span = tracing::debug_span!("conn", %addr).or_current();
-                let serve = http.serve_connection(sock, svc.clone());
+                let serve = http
+                    .timer(hyper_util::rt::TokioTimer::new())
+                    .serve_connection(
+                        hyper_util::rt::TokioIo::new(sock),
+                        hyper_util::service::TowerToHyperService::new(svc.clone()),
+                    );
                 let f = async move {
                     serve.await.map_err(|error| {
                         tracing::error!(

linkerd/app/integration/src/identity.rs

@@ -8,7 +8,8 @@ use std::{
 };
 
 use linkerd2_proxy_api::identity as pb;
-use tokio_rustls::rustls::{self, pki_types::CertificateDer, server::WebPkiClientVerifier};
+use linkerd_rustls::get_default_provider;
+use tokio_rustls::rustls::{self, server::WebPkiClientVerifier};
 use tonic as grpc;
 
 pub struct Identity {
@@ -34,10 +35,6 @@ type Certify = Box<
         > + Send,
 >;
 
-static TLS_VERSIONS: &[&rustls::SupportedProtocolVersion] = &[&rustls::version::TLS13];
-static TLS_SUPPORTED_CIPHERSUITES: &[rustls::SupportedCipherSuite] =
-    &[rustls::crypto::ring::cipher_suite::TLS13_CHACHA20_POLY1305_SHA256];
-
 struct Certificates {
     pub leaf: Vec<u8>,
     pub intermediates: Vec<Vec<u8>>,
@@ -54,13 +51,13 @@ impl Certificates {
         let leaf = certs
             .next()
             .expect("no leaf cert in pemfile")
-            .map_err(|_| io::Error::new(io::ErrorKind::Other, "rustls error reading certs"))?
+            .map_err(|_| io::Error::other("rustls error reading certs"))?
             .as_ref()
             .to_vec();
         let intermediates = certs
             .map(|cert| cert.map(|cert| cert.as_ref().to_vec()))
             .collect::<Result<Vec<_>, _>>()
-            .map_err(|_| io::Error::new(io::ErrorKind::Other, "rustls error reading certs"))?;
+            .map_err(|_| io::Error::other("rustls error reading certs"))?;
 
         Ok(Certificates {
             leaf,
@@ -104,19 +101,16 @@ impl Identity {
         use std::io::Cursor;
         let mut roots = rustls::RootCertStore::empty();
         let trust_anchors = rustls_pemfile::certs(&mut Cursor::new(trust_anchors))
-            .map(|bytes| bytes.map(CertificateDer::from))
             .collect::<Result<Vec<_>, _>>()
             .expect("error parsing pemfile");
         let (added, skipped) = roots.add_parsable_certificates(trust_anchors);
         assert_ne!(added, 0, "trust anchors must include at least one cert");
         assert_eq!(skipped, 0, "no certs in pemfile should be invalid");
 
-        let mut provider = rustls::crypto::ring::default_provider();
-        provider.cipher_suites = TLS_SUPPORTED_CIPHERSUITES.to_vec();
-        let provider = Arc::new(provider);
+        let provider = get_default_provider();
 
         let client_config = rustls::ClientConfig::builder_with_provider(provider.clone())
-            .with_protocol_versions(TLS_VERSIONS)
+            .with_safe_default_protocol_versions()
             .expect("client config must be valid")
             .with_root_certificates(roots.clone())
             .with_no_client_auth();
@@ -128,7 +122,7 @@ impl Identity {
                 .expect("server verifier must be valid");
 
         let server_config = rustls::ServerConfig::builder_with_provider(provider)
-            .with_protocol_versions(TLS_VERSIONS)
+            .with_safe_default_protocol_versions()
             .expect("server config must be valid")
             .with_client_cert_verifier(client_cert_verifier)
             .with_single_cert(certs.chain(), key)
@@ -219,7 +213,7 @@ impl Controller {
             let f = f.take().expect("called twice?");
             let fut = f(req)
                 .map_ok(grpc::Response::new)
-                .map_err(|e| grpc::Status::new(grpc::Code::Internal, format!("{}", e)));
+                .map_err(|e| grpc::Status::new(grpc::Code::Internal, format!("{e}")));
             Box::pin(fut)
         });
         self.expect_calls.lock().push_back(func);

linkerd/app/integration/src/lib.rs

@@ -3,6 +3,7 @@
 #![warn(rust_2018_idioms, clippy::disallowed_methods, clippy::disallowed_types)]
 #![forbid(unsafe_code)]
 #![recursion_limit = "256"]
+#![allow(clippy::result_large_err)]
 
 mod test_env;
 
@@ -28,7 +29,7 @@ pub use futures::{future, FutureExt, TryFuture, TryFutureExt};
 pub use http::{HeaderMap, Request, Response, StatusCode};
 pub use http_body::Body;
 pub use linkerd_app as app;
-pub use linkerd_app_core::{drain, Addr};
+pub use linkerd_app_core::{drain, Addr, Error};
 pub use linkerd_app_test::*;
 pub use linkerd_tracing::test::*;
 use socket2::Socket;
@@ -50,8 +51,6 @@ pub use tower::Service;
 pub const ENV_TEST_PATIENCE_MS: &str = "RUST_TEST_PATIENCE_MS";
 pub const DEFAULT_TEST_PATIENCE: Duration = Duration::from_millis(15);
 
-pub type Error = Box<dyn std::error::Error + Send + Sync + 'static>;
-
 /// Retry an assertion up to a specified number of times, waiting
 /// `RUST_TEST_PATIENCE_MS` between retries.
 ///
@@ -219,15 +218,6 @@ impl Shutdown {
 
 pub type ShutdownRx = Pin<Box<dyn Future<Output = ()> + Send>>;
 
-/// A channel used to signal when a Client's related connection is running or closed.
-pub fn running() -> (oneshot::Sender<()>, Running) {
-    let (tx, rx) = oneshot::channel();
-    let rx = Box::pin(rx.map(|_| ()));
-    (tx, rx)
-}
-
-pub type Running = Pin<Box<dyn Future<Output = ()> + Send + Sync + 'static>>;
-
 pub fn s(bytes: &[u8]) -> &str {
     ::std::str::from_utf8(bytes).unwrap()
 }
@@ -258,7 +248,7 @@ impl fmt::Display for HumanDuration {
         let secs = self.0.as_secs();
         let subsec_ms = self.0.subsec_nanos() as f64 / 1_000_000f64;
         if secs == 0 {
-            write!(fmt, "{}ms", subsec_ms)
+            write!(fmt, "{subsec_ms}ms")
         } else {
             write!(fmt, "{}s", secs as f64 + subsec_ms)
         }
@@ -267,7 +257,7 @@ impl fmt::Display for HumanDuration {
 
 pub async fn cancelable<E: Send + 'static>(
     drain: drain::Watch,
-    f: impl Future<Output = Result<(), E>> + Send + 'static,
+    f: impl Future<Output = Result<(), E>>,
 ) -> Result<(), E> {
     tokio::select! {
         res = f => res,

linkerd/app/integration/src/policy.rs

@@ -2,6 +2,7 @@ use super::*;
 pub use api::{inbound, outbound};
 use api::{inbound::inbound_server_policies_server, outbound::outbound_policies_server};
 use futures::stream;
+use http_body_util::combinators::UnsyncBoxBody;
 use linkerd2_proxy_api as api;
 use parking_lot::Mutex;
 use std::collections::VecDeque;
@@ -34,6 +35,9 @@ pub struct InboundSender(Tx<inbound::Server>);
 #[derive(Debug, Clone)]
 pub struct OutboundSender(Tx<outbound::OutboundPolicy>);
 
+#[derive(Clone)]
+struct RoutesSvc(grpc::service::Routes);
+
 type Tx<T> = mpsc::UnboundedSender<Result<T, grpc::Status>>;
 type Rx<T> = UnboundedReceiverStream<Result<T, grpc::Status>>;
 type WatchStream<T> = Pin<Box<dyn Stream<Item = Result<T, grpc::Status>> + Send + Sync + 'static>>;
@@ -298,7 +302,7 @@ impl Controller {
     }
 
     pub async fn run(self) -> controller::Listening {
-        let svc = grpc::transport::Server::builder()
+        let routes = grpc::service::Routes::default()
             .add_service(
                 inbound_server_policies_server::InboundServerPoliciesServer::new(Server(Arc::new(
                     self.inbound,
@@ -306,9 +310,9 @@ impl Controller {
             )
             .add_service(outbound_policies_server::OutboundPoliciesServer::new(
                 Server(Arc::new(self.outbound)),
-            ))
-            .into_service();
-        controller::run(svc, "support policy controller", None).await
+            ));
+
+        controller::run(RoutesSvc(routes), "support policy controller", None).await
     }
 }
 
@@ -509,6 +513,35 @@ impl<Req, Rsp> Inner<Req, Rsp> {
     }
 }
 
+// === impl RoutesSvc ===
+
+impl Service<Request<hyper::body::Incoming>> for RoutesSvc {
+    type Response =
+        <grpc::service::Routes as Service<Request<UnsyncBoxBody<Bytes, grpc::Status>>>>::Response;
+    type Error =
+        <grpc::service::Routes as Service<Request<UnsyncBoxBody<Bytes, grpc::Status>>>>::Error;
+    type Future =
+        <grpc::service::Routes as Service<Request<UnsyncBoxBody<Bytes, grpc::Status>>>>::Future;
+
+    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
+        let Self(routes) = self;
+        <grpc::service::Routes as Service<Request<UnsyncBoxBody<Bytes, grpc::Status>>>>::poll_ready(
+            routes, cx,
+        )
+    }
+
+    fn call(&mut self, req: Request<hyper::body::Incoming>) -> Self::Future {
+        use http_body_util::{combinators::UnsyncBoxBody, BodyExt};
+
+        let Self(routes) = self;
+        let req = req.map(|body| {
+            UnsyncBoxBody::new(body.map_err(|err| grpc::Status::from_error(Box::new(err))))
+        });
+
+        routes.call(req)
+    }
+}
+
 fn grpc_no_results() -> grpc::Status {
     grpc::Status::new(
         grpc::Code::NotFound,

linkerd/app/integration/src/proxy.rs

@@ -108,7 +108,7 @@ impl fmt::Debug for MockOrigDst {
         match self {
             Self::Addr(addr) => f
                 .debug_tuple("MockOrigDst::Addr")
-                .field(&format_args!("{}", addr))
+                .field(&format_args!("{addr}"))
                 .finish(),
             Self::Direct => f.debug_tuple("MockOrigDst::Direct").finish(),
             Self::None => f.debug_tuple("MockOrigDst::None").finish(),
@@ -416,9 +416,9 @@ async fn run(proxy: Proxy, mut env: TestEnv, random_ports: bool) -> Listening {
         use std::fmt::Write;
         let mut ports = inbound_default_ports.iter();
         if let Some(port) = ports.next() {
-            let mut var = format!("{}", port);
+            let mut var = format!("{port}");
             for port in ports {
-                write!(&mut var, ",{}", port).expect("writing to String should never fail");
+                write!(&mut var, ",{port}").expect("writing to String should never fail");
             }
             info!("{}={:?}", app::env::ENV_INBOUND_PORTS, var);
             env.put(app::env::ENV_INBOUND_PORTS, var);

linkerd/app/integration/src/server.rs

@@ -1,5 +1,7 @@
-use super::app_core::svc::http::TracingExecutor;
+use super::app_core::svc::http::TokioExecutor;
 use super::*;
+use http::{Request, Response};
+use linkerd_app_core::svc::http::BoxBody;
 use std::{
     io,
     sync::atomic::{AtomicUsize, Ordering},
@@ -12,23 +14,35 @@ pub fn new() -> Server {
 }
 
 pub fn http1() -> Server {
-    Server::http1()
+    Server {
+        routes: Default::default(),
+        version: Run::Http1,
+        tls: None,
+    }
 }
 
 pub fn http1_tls(tls: Arc<ServerConfig>) -> Server {
-    Server::http1_tls(tls)
+    Server {
+        routes: Default::default(),
+        version: Run::Http1,
+        tls: Some(tls),
+    }
 }
 
 pub fn http2() -> Server {
-    Server::http2()
+    Server {
+        routes: Default::default(),
+        version: Run::Http2,
+        tls: None,
+    }
 }
 
 pub fn http2_tls(tls: Arc<ServerConfig>) -> Server {
-    Server::http2_tls(tls)
-}
-
-pub fn tcp() -> tcp::TcpServer {
-    tcp::server()
+    Server {
+        routes: Default::default(),
+        version: Run::Http2,
+        tls: Some(tls),
+    }
 }
 
 pub struct Server {
@@ -45,9 +59,8 @@ pub struct Listening {
     pub(super) http_version: Option<Run>,
 }
 
-type Request = http::Request<hyper::Body>;
-type Response = http::Response<hyper::Body>;
-type RspFuture = Pin<Box<dyn Future<Output = Result<Response, BoxError>> + Send + Sync + 'static>>;
+type RspFuture<B = BoxBody> =
+    Pin<Box<dyn Future<Output = Result<Response<B>, Error>> + Send + 'static>>;
 
 impl Listening {
     pub fn connections(&self) -> usize {
@@ -92,29 +105,6 @@ impl Listening {
 }
 
 impl Server {
-    fn new(run: Run, tls: Option<Arc<ServerConfig>>) -> Self {
-        Server {
-            routes: HashMap::new(),
-            version: run,
-            tls,
-        }
-    }
-    fn http1() -> Self {
-        Server::new(Run::Http1, None)
-    }
-
-    fn http1_tls(tls: Arc<ServerConfig>) -> Self {
-        Server::new(Run::Http1, Some(tls))
-    }
-
-    fn http2() -> Self {
-        Server::new(Run::Http2, None)
-    }
-
-    fn http2_tls(tls: Arc<ServerConfig>) -> Self {
-        Server::new(Run::Http2, Some(tls))
-    }
-
     /// Return a string body as a 200 OK response, with the string as
     /// the response body.
     pub fn route(mut self, path: &str, resp: &str) -> Self {
@@ -126,11 +116,11 @@ impl Server {
     /// to send back.
     pub fn route_fn<F>(self, path: &str, cb: F) -> Self
     where
-        F: Fn(Request) -> Response + Send + Sync + 'static,
+        F: Fn(Request<BoxBody>) -> Response<BoxBody> + Send + Sync + 'static,
     {
         self.route_async(path, move |req| {
             let res = cb(req);
-            async move { Ok::<_, BoxError>(res) }
+            async move { Ok::<_, Error>(res) }
         })
     }
 
@@ -138,9 +128,9 @@ impl Server {
     /// a response to send back.
     pub fn route_async<F, U>(mut self, path: &str, cb: F) -> Self
     where
-        F: Fn(Request) -> U + Send + Sync + 'static,
-        U: TryFuture<Ok = Response> + Send + Sync + 'static,
-        U::Error: Into<BoxError> + Send + 'static,
+        F: Fn(Request<BoxBody>) -> U + Send + Sync + 'static,
+        U: TryFuture<Ok = Response<BoxBody>> + Send + 'static,
+        U::Error: Into<Error> + Send + 'static,
     {
         let func = move |req| Box::pin(cb(req).map_err(Into::into)) as RspFuture;
         self.routes.insert(path.into(), Route(Box::new(func)));
@@ -148,16 +138,17 @@ impl Server {
     }
 
     pub fn route_with_latency(self, path: &str, resp: &str, latency: Duration) -> Self {
-        let resp = Bytes::from(resp.to_string());
+        let body = resp.to_owned();
         self.route_async(path, move |_| {
-            let resp = resp.clone();
+            let body = body.clone();
             async move {
                 tokio::time::sleep(latency).await;
-                Ok::<_, BoxError>(
+                Ok::<_, Error>(
                     http::Response::builder()
-                        .status(200)
-                        .body(hyper::Body::from(resp.clone()))
-                        .unwrap(),
+                        .status(StatusCode::OK)
+                        .body(http_body_util::Full::new(Bytes::from(body.clone())))
+                        .unwrap()
+                        .map(BoxBody::new),
                 )
             }
         })
@@ -193,7 +184,7 @@ impl Server {
             drain.clone(),
             async move {
                 tracing::info!("support server running");
-                let mut new_svc = NewSvc(Arc::new(self.routes));
+                let svc = Svc(Arc::new(self.routes));
                 if let Some(delay) = delay {
                     let _ = listening_tx.take().unwrap().send(());
                     delay.await;
@@ -213,31 +204,40 @@ impl Server {
                         .instrument(span.clone())
                         .await?;
                     let srv_conn_count = srv_conn_count.clone();
-                    let svc = new_svc.call(());
+                    let svc = svc.clone();
                     let f = async move {
                         tracing::trace!("serving...");
-                        let svc = svc.await;
-                        tracing::trace!("service acquired");
                         srv_conn_count.fetch_add(1, Ordering::Release);
-                        let svc = svc.map_err(|e| {
-                            tracing::error!("support/server new_service error: {}", e)
-                        })?;
+                        use hyper_util::{rt::TokioIo, service::TowerToHyperService};
+                        let (sock, svc) = (TokioIo::new(sock), TowerToHyperService::new(svc));
                         let result = match self.version {
                             Run::Http1 => hyper::server::conn::http1::Builder::new()
+                                .timer(hyper_util::rt::TokioTimer::new())
                                 .serve_connection(sock, svc)
                                 .await
                                 .map_err(|e| tracing::error!("support/server error: {}", e)),
-                            Run::Http2 => hyper::server::conn::http2::Builder::new(TracingExecutor)
-                                .serve_connection(sock, svc)
-                                .await
-                                .map_err(|e| tracing::error!("support/server error: {}", e)),
+                            Run::Http2 => {
+                                hyper::server::conn::http2::Builder::new(TokioExecutor::new())
+                                    .timer(hyper_util::rt::TokioTimer::new())
+                                    .serve_connection(sock, svc)
+                                    .await
+                                    .map_err(|e| tracing::error!("support/server error: {}", e))
+                            }
                         };
                         tracing::trace!(?result, "serve done");
                         result
                     };
-                    tokio::spawn(
-                        cancelable(drain.clone(), f).instrument(span.clone().or_current()),
-                    );
+                    // let fut = Box::pin(cancelable(drain.clone(), f).instrument(span.clone().or_current()))
+                    let drain = drain.clone();
+                    tokio::spawn(async move {
+                        tokio::select! {
+                            res = f => res,
+                            _ = drain.signaled() => {
+                                tracing::debug!("canceled!");
+                                Ok(())
+                            }
+                        }
+                    });
                 }
             }
             .instrument(
@@ -266,17 +266,19 @@ pub(super) enum Run {
     Http2,
 }
 
-struct Route(Box<dyn Fn(Request) -> RspFuture + Send + Sync>);
+struct Route(Box<dyn Fn(Request<BoxBody>) -> RspFuture + Send + Sync>);
 
 impl Route {
     fn string(body: &str) -> Route {
-        let body = Bytes::from(body.to_string());
+        let body = http_body_util::Full::new(Bytes::from(body.to_string()));
         Route(Box::new(move |_| {
+            let body = body.clone();
             Box::pin(future::ok(
                 http::Response::builder()
-                    .status(200)
-                    .body(hyper::Body::from(body.clone()))
-                    .unwrap(),
+                    .status(StatusCode::OK)
+                    .body(body)
+                    .unwrap()
+                    .map(BoxBody::new),
             ))
         }))
     }
@@ -288,58 +290,53 @@ impl std::fmt::Debug for Route {
     }
 }
 
-type BoxError = Box<dyn std::error::Error + Send + Sync>;
-
-#[derive(Debug)]
+#[derive(Clone, Debug)]
 struct Svc(Arc<HashMap<String, Route>>);
 
 impl Svc {
-    fn route(&mut self, req: Request) -> RspFuture {
+    fn route<B>(
+        &mut self,
+        req: Request<B>,
+    ) -> impl Future<Output = Result<Response<BoxBody>, crate::app_core::Error>> + Send
+    where
+        B: Body + Send + Sync + 'static,
+        B::Data: Send + 'static,
+        B::Error: std::error::Error + Send + Sync + 'static,
+    {
         match self.0.get(req.uri().path()) {
             Some(Route(ref func)) => {
                 tracing::trace!(path = %req.uri().path(), "found route for path");
-                func(req)
+                func(req.map(BoxBody::new))
             }
             None => {
                 tracing::warn!("server 404: {:?}", req.uri().path());
-                let res = http::Response::builder()
-                    .status(404)
-                    .body(Default::default())
-                    .unwrap();
-                Box::pin(async move { Ok(res) })
+                Box::pin(futures::future::ok(
+                    http::Response::builder()
+                        .status(StatusCode::NOT_FOUND)
+                        .body(BoxBody::empty())
+                        .unwrap(),
+                ))
             }
         }
     }
 }
 
-impl tower::Service<Request> for Svc {
-    type Response = Response;
-    type Error = BoxError;
+impl<B> tower::Service<Request<B>> for Svc
+where
+    B: Body + Send + Sync + 'static,
+    B::Data: Send,
+    B::Error: std::error::Error + Send + Sync,
+{
+    type Response = Response<BoxBody>;
+    type Error = Error;
     type Future = RspFuture;
 
     fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
         Poll::Ready(Ok(()))
     }
 
-    fn call(&mut self, req: Request) -> Self::Future {
-        self.route(req)
-    }
-}
-
-#[derive(Debug)]
-struct NewSvc(Arc<HashMap<String, Route>>);
-
-impl Service<()> for NewSvc {
-    type Response = Svc;
-    type Error = ::std::io::Error;
-    type Future = future::Ready<Result<Svc, Self::Error>>;
-
-    fn poll_ready(&mut self, _: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
-        Poll::Ready(Ok(()))
-    }
-
-    fn call(&mut self, _: ()) -> Self::Future {
-        future::ok(Svc(Arc::clone(&self.0)))
+    fn call(&mut self, req: Request<B>) -> Self::Future {
+        Box::pin(self.route(req))
     }
 }
 
@@ -357,7 +354,6 @@ async fn accept_connection(
                 _running: None,
             })
         }
-
         None => Ok(RunningIo {
             io: Box::pin(io),
             abs_form: false,

linkerd/app/integration/src/tap.rs

@@ -2,6 +2,7 @@ use super::*;
 use futures::stream;
 use http_body::Body;
 use linkerd2_proxy_api::tap as pb;
+use linkerd_app_core::svc::http::BoxBody;
 
 pub fn client(addr: SocketAddr) -> Client {
     let api = pb::tap_client::TapClient::new(SyncSvc(client::http2(addr, "localhost")));
@@ -106,7 +107,6 @@ pub trait TapEventExt {
     //fn id(&self) -> (u32, u64);
     fn event(&self) -> &pb::tap_event::http::Event;
 
-    fn request_init_method(&self) -> String;
     fn request_init_authority(&self) -> &str;
     fn request_init_path(&self) -> &str;
 
@@ -134,41 +134,31 @@ impl TapEventExt for pb::TapEvent {
         }
     }
 
-    fn request_init_method(&self) -> String {
-        match self.event() {
-            pb::tap_event::http::Event::RequestInit(_ev) => {
-                //TODO: ugh
-                unimplemented!("method");
-            }
-            e => panic!("not RequestInit event: {:?}", e),
-        }
-    }
-
     fn request_init_authority(&self) -> &str {
         match self.event() {
             pb::tap_event::http::Event::RequestInit(ev) => &ev.authority,
-            e => panic!("not RequestInit event: {:?}", e),
+            e => panic!("not RequestInit event: {e:?}"),
         }
     }
 
     fn request_init_path(&self) -> &str {
         match self.event() {
             pb::tap_event::http::Event::RequestInit(ev) => &ev.path,
-            e => panic!("not RequestInit event: {:?}", e),
+            e => panic!("not RequestInit event: {e:?}"),
         }
     }
 
     fn response_init_status(&self) -> u16 {
         match self.event() {
             pb::tap_event::http::Event::ResponseInit(ev) => ev.http_status as u16,
-            e => panic!("not ResponseInit event: {:?}", e),
+            e => panic!("not ResponseInit event: {e:?}"),
         }
     }
 
     fn response_end_bytes(&self) -> u64 {
         match self.event() {
             pb::tap_event::http::Event::ResponseEnd(ev) => ev.response_bytes,
-            e => panic!("not ResponseEnd event: {:?}", e),
+            e => panic!("not ResponseEnd event: {e:?}"),
         }
     }
 
@@ -180,7 +170,7 @@ impl TapEventExt for pb::TapEvent {
                 }) => code,
                 _ => panic!("not Eos GrpcStatusCode: {:?}", ev.eos),
             },
-            ev => panic!("not ResponseEnd event: {:?}", ev),
+            ev => panic!("not ResponseEnd event: {ev:?}"),
         }
     }
 }
@@ -188,15 +178,14 @@ impl TapEventExt for pb::TapEvent {
 struct SyncSvc(client::Client);
 
 type ResponseFuture =
-    Pin<Box<dyn Future<Output = Result<http::Response<hyper::Body>, String>> + Send>>;
+    Pin<Box<dyn Future<Output = Result<http::Response<hyper::body::Incoming>, String>> + Send>>;
 
 impl<B> tower::Service<http::Request<B>> for SyncSvc
 where
-    B: Body + Send + 'static,
-    B::Data: Send + 'static,
-    B::Error: Send + 'static,
+    B: Body,
+    B::Error: std::fmt::Debug,
 {
-    type Response = http::Response<hyper::Body>;
+    type Response = http::Response<hyper::body::Incoming>;
     type Error = String;
     type Future = ResponseFuture;
 
@@ -205,20 +194,31 @@ where
     }
 
     fn call(&mut self, req: http::Request<B>) -> Self::Future {
-        // this is okay to do because the body should always be complete, we
-        // just can't prove it.
-        let req = futures::executor::block_on(async move {
-            let (parts, body) = req.into_parts();
-            let body = match body.collect().await.map(http_body::Collected::to_bytes) {
-                Ok(body) => body,
-                Err(_) => unreachable!("body should not fail"),
-            };
-            http::Request::from_parts(parts, body)
-        });
-        Box::pin(
-            self.0
-                .send_req(req.map(Into::into))
-                .map_err(|err| err.to_string()),
-        )
+        use http_body_util::Full;
+        let Self(client) = self;
+        let req = req.map(Self::collect_body).map(Full::new).map(BoxBody::new);
+        let fut = client.send_req(req).map_err(|err| err.to_string());
+        Box::pin(fut)
+    }
+}
+
+impl SyncSvc {
+    /// Collects the given [`Body`], returning a [`Bytes`].
+    ///
+    /// NB: This blocks the current thread until the provided body has been collected. This is
+    /// an acceptable practice in test code for the sake of simplicitly, because we will always
+    /// provide [`SyncSvc`] with bodies that are complete.
+    fn collect_body<B>(body: B) -> Bytes
+    where
+        B: Body,
+        B::Error: std::fmt::Debug,
+    {
+        futures::executor::block_on(async move {
+            use http_body_util::BodyExt;
+            body.collect()
+                .await
+                .expect("body should not fail")
+                .to_bytes()
+        })
     }
 }

linkerd/app/integration/src/tcp.rs

@@ -1,10 +1,11 @@
 use super::*;
-use std::collections::VecDeque;
-use std::io;
-use std::net::TcpListener as StdTcpListener;
-use std::sync::atomic::{AtomicUsize, Ordering};
-use tokio::net::TcpStream;
-use tokio::task::JoinHandle;
+use std::{
+    collections::VecDeque,
+    io,
+    net::TcpListener as StdTcpListener,
+    sync::atomic::{AtomicUsize, Ordering},
+};
+use tokio::{net::TcpStream, task::JoinHandle};
 
 type TcpConnSender = mpsc::UnboundedSender<(
     Option<Vec<u8>>,
@@ -148,10 +149,6 @@ impl TcpServer {
 }
 
 impl TcpConn {
-    pub fn target_addr(&self) -> SocketAddr {
-        self.addr
-    }
-
     pub async fn read(&self) -> Vec<u8> {
         self.try_read()
             .await

linkerd/app/integration/src/tests/discovery.rs

@@ -381,7 +381,7 @@ mod cross_version {
 }
 
 fn default_dst_name(port: u16) -> String {
-    format!("{}:{}", HOST, port)
+    format!("{HOST}:{port}")
 }
 
 fn send_default_dst(
@@ -484,7 +484,7 @@ mod http2 {
 
         let body = {
             let body = res.into_body();
-            let body = http_body::Body::collect(body)
+            let body = http_body_util::BodyExt::collect(body)
                 .await
                 .unwrap()
                 .to_bytes()

linkerd/app/integration/src/tests/identity.rs

@@ -24,7 +24,7 @@ async fn nonblocking_identity_detection() {
 
     let msg1 = "custom tcp hello\n";
     let msg2 = "custom tcp bye";
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         .accept(move |read| {
             assert_eq!(read, msg1.as_bytes());
             msg2
@@ -33,7 +33,7 @@ async fn nonblocking_identity_detection() {
         .await;
 
     let proxy = proxy.inbound(srv).run_with_test_env(env).await;
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);
 
     // Create an idle connection and then an active connection. Ensure that
     // protocol detection on the idle connection does not block communication on

linkerd/app/integration/src/tests/profile_dst_overrides.rs

@@ -1,5 +1,6 @@
 use crate::*;
 use linkerd2_proxy_api::destination as pb;
+use linkerd_app_core::svc::http::BoxBody;
 use std::sync::atomic::{AtomicUsize, Ordering};
 
 struct Service {
@@ -14,11 +15,17 @@ impl Service {
         let counter = response_counter.clone();
         let svc = server::http1()
             .route_fn("/load-profile", |_| {
-                Response::builder().status(201).body("".into()).unwrap()
+                Response::builder()
+                    .status(201)
+                    .body(BoxBody::empty())
+                    .unwrap()
             })
             .route_fn("/", move |_req| {
                 counter.fetch_add(1, Ordering::SeqCst);
-                Response::builder().status(200).body(name.into()).unwrap()
+                Response::builder()
+                    .status(200)
+                    .body(BoxBody::from_static(name))
+                    .unwrap()
             })
             .run()
             .await;
@@ -56,7 +63,7 @@ async fn wait_for_profile_stage(client: &client::Client, metrics: &client::Clien
     for _ in 0i32..10 {
         assert_eq!(client.get("/load-profile").await, "");
         let m = metrics.get("/metrics").await;
-        let stage_metric = format!("rt_load_profile=\"{}\"", stage);
+        let stage_metric = format!("rt_load_profile=\"{stage}\"");
         if m.contains(stage_metric.as_str()) {
             break;
         }

linkerd/app/integration/src/tests/profiles.rs

@@ -1,3 +1,5 @@
+use linkerd_app_core::svc::http::BoxBody;
+
 use crate::*;
 use std::sync::atomic::{AtomicUsize, Ordering};
 
@@ -71,7 +73,10 @@ impl TestBuilder {
             // This route is just called by the test setup, to trigger the proxy
             // to start fetching the ServiceProfile.
             .route_fn("/load-profile", |_| {
-                Response::builder().status(201).body("".into()).unwrap()
+                Response::builder()
+                    .status(201)
+                    .body(BoxBody::empty())
+                    .unwrap()
             });
 
         if self.default_routes {
@@ -83,12 +88,12 @@ impl TestBuilder {
         let port = srv.addr.port();
         let ctrl = controller::new();
 
-        let dst_tx = ctrl.destination_tx(format!("{}:{}", host, port));
+        let dst_tx = ctrl.destination_tx(format!("{host}:{port}"));
         dst_tx.send_addr(srv.addr);
 
         let ctrl = controller::new();
 
-        let dst_tx = ctrl.destination_tx(format!("{}:{}", host, port));
+        let dst_tx = ctrl.destination_tx(format!("{host}:{port}"));
         dst_tx.send_addr(srv.addr);
 
         let profile_tx = ctrl.profile_tx(srv.addr.to_string());
@@ -121,7 +126,7 @@ impl TestBuilder {
             ::std::thread::sleep(Duration::from_secs(1));
             Response::builder()
                 .status(200)
-                .body("slept".into())
+                .body(BoxBody::from_static("slept"))
                 .unwrap()
         })
         .route_async("/0.5", move |req| {
@@ -129,17 +134,20 @@ impl TestBuilder {
             async move {
                 // Read the entire body before responding, so that the
                 // client doesn't fail when writing it out.
-                let body = http_body::Body::collect(req.into_body())
+                let body = http_body_util::BodyExt::collect(req.into_body())
                     .await
-                    .map(http_body::Collected::to_bytes);
+                    .map(http_body_util::Collected::to_bytes);
                 let bytes = body.as_ref().map(Bytes::len);
                 tracing::debug!(?bytes, "recieved body");
                 Ok::<_, Error>(if fail {
-                    Response::builder().status(533).body("nope".into()).unwrap()
+                    Response::builder()
+                        .status(533)
+                        .body(BoxBody::from_static("nope"))
+                        .unwrap()
                 } else {
                     Response::builder()
                         .status(200)
-                        .body("retried".into())
+                        .body(BoxBody::from_static("retried"))
                         .unwrap()
                 })
             }
@@ -147,11 +155,14 @@ impl TestBuilder {
         .route_fn("/0.5/sleep", move |_req| {
             ::std::thread::sleep(Duration::from_secs(1));
             if counter2.fetch_add(1, Ordering::Relaxed) % 2 == 0 {
-                Response::builder().status(533).body("nope".into()).unwrap()
+                Response::builder()
+                    .status(533)
+                    .body(BoxBody::from_static("nope"))
+                    .unwrap()
             } else {
                 Response::builder()
                     .status(200)
-                    .body("retried".into())
+                    .body(BoxBody::from_static("retried"))
                     .unwrap()
             }
         })
@@ -159,12 +170,15 @@ impl TestBuilder {
             if counter3.fetch_add(1, Ordering::Relaxed) % 2 == 0 {
                 Response::builder()
                     .status(533)
-                    .body(vec![b'x'; 1024 * 100].into())
+                    .body(BoxBody::new(http_body_util::Full::new(Bytes::from(vec![
+                            b'x';
+                            1024 * 100
+                        ]))))
                     .unwrap()
             } else {
                 Response::builder()
                     .status(200)
-                    .body("retried".into())
+                    .body(BoxBody::from_static("retried"))
                     .unwrap()
             }
         })
@@ -185,6 +199,8 @@ impl TestBuilder {
 }
 
 mod cross_version {
+    use std::convert::Infallible;
+
     use super::*;
 
     pub(super) async fn retry_if_profile_allows(version: server::Server) {
@@ -248,7 +264,7 @@ mod cross_version {
         let req = client
             .request_builder("/0.5")
             .method(http::Method::POST)
-            .body("req has a body".into())
+            .body(BoxBody::from_static("req has a body"))
             .unwrap();
         let res = client.request_body(req).await;
         assert_eq!(res.status(), 200);
@@ -269,7 +285,7 @@ mod cross_version {
         let req = client
             .request_builder("/0.5")
             .method(http::Method::PUT)
-            .body("req has a body".into())
+            .body(BoxBody::from_static("req has a body"))
             .unwrap();
         let res = client.request_body(req).await;
         assert_eq!(res.status(), 200);
@@ -287,13 +303,14 @@ mod cross_version {
             .await;
 
         let client = test.client;
-        let (mut tx, body) = hyper::body::Body::channel();
+        let (mut tx, body) = http_body_util::channel::Channel::<Bytes, Infallible>::new(1024);
         let req = client
             .request_builder("/0.5")
             .method("POST")
             .body(body)
             .unwrap();
-        let res = tokio::spawn(async move { client.request_body(req).await });
+        let fut = client.send_req(req);
+        let res = tokio::spawn(fut);
         tx.send_data(Bytes::from_static(b"hello"))
             .await
             .expect("the whole body should be read");
@@ -301,7 +318,7 @@ mod cross_version {
             .await
             .expect("the whole body should be read");
         drop(tx);
-        let res = res.await.unwrap();
+        let res = res.await.unwrap().unwrap();
         assert_eq!(res.status(), 200);
     }
 
@@ -364,7 +381,9 @@ mod cross_version {
         let req = client
             .request_builder("/0.5")
             .method("POST")
-            .body(hyper::Body::from(&[1u8; 64 * 1024 + 1][..]))
+            .body(BoxBody::new(http_body_util::Full::new(Bytes::from(
+                &[1u8; 64 * 1024 + 1][..],
+            ))))
             .unwrap();
         let res = client.request_body(req).await;
         assert_eq!(res.status(), 533);
@@ -386,13 +405,14 @@ mod cross_version {
             .await;
 
         let client = test.client;
-        let (mut tx, body) = hyper::body::Body::channel();
+        let (mut tx, body) = http_body_util::channel::Channel::<Bytes, Infallible>::new(1024);
         let req = client
             .request_builder("/0.5")
             .method("POST")
             .body(body)
             .unwrap();
-        let res = tokio::spawn(async move { client.request_body(req).await });
+        let fut = client.send_req(req);
+        let res = tokio::spawn(fut);
         // send a 32k chunk
         tx.send_data(Bytes::from(&[1u8; 32 * 1024][..]))
             .await
@@ -406,7 +426,7 @@ mod cross_version {
             .await
             .expect("the whole body should be read");
         drop(tx);
-        let res = res.await.unwrap();
+        let res = res.await.unwrap().unwrap();
 
         assert_eq!(res.status(), 533);
     }
@@ -590,6 +610,8 @@ mod http2 {
 }
 
 mod grpc_retry {
+    use std::convert::Infallible;
+
     use super::*;
     use http::header::{HeaderName, HeaderValue};
     static GRPC_STATUS: HeaderName = HeaderName::from_static("grpc-status");
@@ -613,7 +635,7 @@ mod grpc_retry {
                 let rsp = Response::builder()
                     .header(GRPC_STATUS.clone(), header)
                     .status(200)
-                    .body(hyper::Body::empty())
+                    .body(BoxBody::empty())
                     .unwrap();
                 tracing::debug!(headers = ?rsp.headers());
                 rsp
@@ -661,9 +683,16 @@ mod grpc_retry {
                     let mut trailers = HeaderMap::with_capacity(1);
                     trailers.insert(GRPC_STATUS.clone(), status);
                     tracing::debug!(?trailers);
-                    let (mut tx, body) = hyper::body::Body::channel();
+                    let (mut tx, body) =
+                        http_body_util::channel::Channel::<Bytes, Error>::new(1024);
                     tx.send_trailers(trailers).await.unwrap();
-                    Ok::<_, Error>(Response::builder().status(200).body(body).unwrap())
+                    Ok::<_, Error>(
+                        Response::builder()
+                            .status(200)
+                            .body(body)
+                            .unwrap()
+                            .map(BoxBody::new),
+                    )
                 }
             }
         });
@@ -704,10 +733,17 @@ mod grpc_retry {
                     let mut trailers = HeaderMap::with_capacity(1);
                     trailers.insert(GRPC_STATUS.clone(), GRPC_STATUS_OK.clone());
                     tracing::debug!(?trailers);
-                    let (mut tx, body) = hyper::body::Body::channel();
+                    let (mut tx, body) =
+                        http_body_util::channel::Channel::<Bytes, Error>::new(1024);
                     tx.send_data("hello world".into()).await.unwrap();
                     tx.send_trailers(trailers).await.unwrap();
-                    Ok::<_, Error>(Response::builder().status(200).body(body).unwrap())
+                    Ok::<_, Error>(
+                        Response::builder()
+                            .status(200)
+                            .body(body)
+                            .unwrap()
+                            .map(BoxBody::new),
+                    )
                 }
             }
         });
@@ -752,13 +788,20 @@ mod grpc_retry {
                     let mut trailers = HeaderMap::with_capacity(1);
                     trailers.insert(GRPC_STATUS.clone(), GRPC_STATUS_OK.clone());
                     tracing::debug!(?trailers);
-                    let (mut tx, body) = hyper::body::Body::channel();
+                    let (mut tx, body) =
+                        http_body_util::channel::Channel::<Bytes, Infallible>::new(1024);
                     tokio::spawn(async move {
                         tx.send_data("hello".into()).await.unwrap();
                         tx.send_data("world".into()).await.unwrap();
                         tx.send_trailers(trailers).await.unwrap();
                     });
-                    Ok::<_, Error>(Response::builder().status(200).body(body).unwrap())
+                    Ok::<_, Error>(
+                        Response::builder()
+                            .status(200)
+                            .body(body)
+                            .unwrap()
+                            .map(BoxBody::new),
+                    )
                 }
             }
         });
@@ -790,21 +833,38 @@ mod grpc_retry {
         assert_eq!(retries.load(Ordering::Relaxed), 1);
     }
 
-    async fn data(body: &mut hyper::Body) -> Bytes {
+    async fn data<B>(body: &mut B) -> B::Data
+    where
+        B: http_body::Body + Unpin,
+        B::Data: std::fmt::Debug,
+        B::Error: std::fmt::Debug,
+    {
+        use http_body_util::BodyExt;
         let data = body
-            .data()
+            .frame()
             .await
-            .expect("body data frame must not be eaten")
-            .unwrap();
+            .expect("a result")
+            .expect("a frame")
+            .into_data()
+            .expect("a chunk of data");
         tracing::info!(?data);
         data
     }
-    async fn trailers(body: &mut hyper::Body) -> http::HeaderMap {
+
+    async fn trailers<B>(body: &mut B) -> http::HeaderMap
+    where
+        B: http_body::Body + Unpin,
+        B::Error: std::fmt::Debug,
+    {
+        use http_body_util::BodyExt;
         let trailers = body
-            .trailers()
+            .frame()
             .await
-            .expect("trailers future should not fail")
-            .expect("response should have trailers");
+            .expect("a result")
+            .expect("a frame")
+            .into_trailers()
+            .ok()
+            .expect("a trailers frame");
         tracing::info!(?trailers);
         trailers
     }

linkerd/app/integration/src/tests/shutdown.rs

@@ -1,3 +1,5 @@
+use linkerd_app_core::svc::http::BoxBody;
+
 use crate::*;
 
 #[tokio::test]
@@ -26,10 +28,13 @@ async fn h2_exercise_goaways_connections() {
 
     let (shdn, rx) = shutdown_signal();
 
-    let body = Bytes::from(vec![b'1'; RESPONSE_SIZE]);
+    let body = http_body_util::Full::new(Bytes::from(vec![b'1'; RESPONSE_SIZE]));
     let srv = server::http2()
         .route_fn("/", move |_req| {
-            Response::builder().body(body.clone().into()).unwrap()
+            Response::builder()
+                .body(body.clone())
+                .unwrap()
+                .map(BoxBody::new)
         })
         .run()
         .await;
@@ -50,8 +55,8 @@ async fn h2_exercise_goaways_connections() {
         .into_iter()
         .map(Response::into_body)
         .map(|body| {
-            http_body::Body::collect(body)
-                .map_ok(http_body::Collected::aggregate)
+            http_body_util::BodyExt::collect(body)
+                .map_ok(http_body_util::Collected::aggregate)
                 // Make sure the bodies weren't cut off
                 .map_ok(|buf| assert_eq!(buf.remaining(), RESPONSE_SIZE))
         })
@@ -72,7 +77,7 @@ async fn http1_closes_idle_connections() {
     let (shdn, rx) = shutdown_signal();
 
     const RESPONSE_SIZE: usize = 1024 * 16;
-    let body = Bytes::from(vec![b'1'; RESPONSE_SIZE]);
+    let body = http_body_util::Full::new(Bytes::from(vec![b'1'; RESPONSE_SIZE]));
 
     let shdn = Arc::new(Mutex::new(Some(shdn)));
     let srv = server::http1()
@@ -80,7 +85,10 @@ async fn http1_closes_idle_connections() {
             // Trigger a shutdown signal while the request is made
             // but a response isn't returned yet.
             shdn.lock().take().expect("only 1 request").signal();
-            Response::builder().body(body.clone().into()).unwrap()
+            Response::builder()
+                .body(body.clone())
+                .unwrap()
+                .map(BoxBody::new)
         })
         .run()
         .await;
@@ -101,7 +109,7 @@ async fn tcp_waits_for_proxies_to_close() {
     let msg1 = "custom tcp hello\n";
     let msg2 = "custom tcp bye";
 
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         // Trigger a shutdown while TCP stream is busy
         .accept_fut(move |mut sock| {
             async move {
@@ -117,7 +125,7 @@ async fn tcp_waits_for_proxies_to_close() {
         .await;
     let proxy = proxy::new().inbound(srv).shutdown_signal(rx).run().await;
 
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);
 
     let tcp_client = client.connect().await;
 

linkerd/app/integration/src/tests/tap.rs

@@ -254,7 +254,7 @@ async fn grpc_headers_end() {
     assert_eq!(res.status(), 200);
     assert_eq!(res.headers()["grpc-status"], "1");
     let body = res.into_body();
-    let bytes = http_body::Body::collect(body)
+    let bytes = http_body_util::BodyExt::collect(body)
         .await
         .unwrap()
         .to_bytes()

linkerd/app/integration/src/tests/telemetry.rs

@@ -119,7 +119,7 @@ impl TcpFixture {
     const BYE_MSG: &'static str = "custom tcp bye";
 
     async fn server() -> server::Listening {
-        server::tcp()
+        crate::tcp::server()
             .accept(move |read| {
                 assert_eq!(read, Self::HELLO_MSG.as_bytes());
                 TcpFixture::BYE_MSG
@@ -145,7 +145,7 @@ impl TcpFixture {
             .run()
             .await;
 
-        let client = client::tcp(proxy.inbound);
+        let client = crate::tcp::client(proxy.inbound);
         let metrics = client::http1(proxy.admin, "localhost");
 
         let src_labels = metrics::labels()
@@ -184,7 +184,7 @@ impl TcpFixture {
             .run()
             .await;
 
-        let client = client::tcp(proxy.outbound);
+        let client = crate::tcp::client(proxy.outbound);
         let metrics = client::http1(proxy.admin, "localhost");
 
         let src_labels = metrics::labels()
@@ -292,7 +292,7 @@ async fn metrics_endpoint_outbound_response_count() {
     test_http_count("response_total", Fixture::outbound()).await
 }
 
-async fn test_http_count(metric: &str, fixture: impl Future<Output = Fixture>) {
+async fn test_http_count(metric_name: &str, fixture: impl Future<Output = Fixture>) {
     let _trace = trace_init();
     let Fixture {
         client,
@@ -305,9 +305,13 @@ async fn test_http_count(metric: &str, fixture: impl Future<Output = Fixture>) {
         ..
     } = fixture.await;
 
-    let metric = labels.metric(metric);
+    let metric = labels.metric(metric_name);
 
-    assert!(metric.is_not_in(metrics.get("/metrics").await));
+    let scrape = metrics.get("/metrics").await;
+    assert!(
+        metric.is_not_in(scrape),
+        "{metric:?} should not be in /metrics"
+    );
 
     info!("client.get(/)");
     assert_eq!(client.get("/").await, "hello");
@@ -319,6 +323,7 @@ async fn test_http_count(metric: &str, fixture: impl Future<Output = Fixture>) {
 mod response_classification {
     use super::Fixture;
     use crate::*;
+    use linkerd_app_core::svc::http::BoxBody;
     use tracing::info;
 
     const REQ_STATUS_HEADER: &str = "x-test-status-requested";
@@ -353,7 +358,7 @@ mod response_classification {
                     // TODO: tests for grpc statuses
                     unreachable!("not called in test")
                 } else {
-                    Response::new("".into())
+                    Response::new(BoxBody::empty())
                 };
                 *rsp.status_mut() = status;
                 rsp
@@ -1304,7 +1309,7 @@ async fn metrics_compression() {
 
             let mut body = {
                 let body = resp.into_body();
-                http_body::Body::collect(body)
+                http_body_util::BodyExt::collect(body)
                     .await
                     .expect("response body concat")
                     .aggregate()
@@ -1313,9 +1318,9 @@ async fn metrics_compression() {
                 body.copy_to_bytes(body.remaining()),
             ));
             let mut scrape = String::new();
-            decoder.read_to_string(&mut scrape).unwrap_or_else(|_| {
-                panic!("decode gzip (requested Accept-Encoding: {})", encoding)
-            });
+            decoder
+                .read_to_string(&mut scrape)
+                .unwrap_or_else(|_| panic!("decode gzip (requested Accept-Encoding: {encoding})"));
             scrape
         }
     };

linkerd/app/integration/src/tests/telemetry/log_stream.rs

@@ -26,7 +26,7 @@ async fn is_valid_json() {
     assert!(!json.is_empty());
 
     for obj in json {
-        println!("{}\n", obj);
+        println!("{obj}\n");
     }
 }
 
@@ -53,7 +53,7 @@ async fn query_is_valid_json() {
     assert!(!json.is_empty());
 
     for obj in json {
-        println!("{}\n", obj);
+        println!("{obj}\n");
     }
 }
 
@@ -74,12 +74,9 @@ async fn valid_get_does_not_error() {
 
     let json = logs.await.unwrap();
     for obj in json {
-        println!("{}\n", obj);
+        println!("{obj}\n");
         if obj.get("error").is_some() {
-            panic!(
-                "expected the log stream to contain no error responses!\njson = {}",
-                obj
-            );
+            panic!("expected the log stream to contain no error responses!\njson = {obj}");
         }
     }
 }
@@ -101,12 +98,9 @@ async fn valid_query_does_not_error() {
 
     let json = logs.await.unwrap();
     for obj in json {
-        println!("{}\n", obj);
+        println!("{obj}\n");
         if obj.get("error").is_some() {
-            panic!(
-                "expected the log stream to contain no error responses!\njson = {}",
-                obj
-            );
+            panic!("expected the log stream to contain no error responses!\njson = {obj}");
         }
     }
 }
@@ -142,9 +136,7 @@ async fn multi_filter() {
                 level.and_then(|value| value.as_str()),
                 Some("DEBUG") | Some("INFO") | Some("WARN") | Some("ERROR")
             ),
-            "level must be DEBUG, INFO, WARN, or ERROR\n level: {:?}\n  json: {:#?}",
-            level,
-            obj
+            "level must be DEBUG, INFO, WARN, or ERROR\n level: {level:?}\n  json: {obj:#?}"
         );
     }
 
@@ -175,9 +167,9 @@ async fn get_log_stream(
     let req = client
         .request_body(
             client
-                .request_builder(&format!("{}?{}", PATH, filter))
+                .request_builder(&format!("{PATH}?{filter}"))
                 .method(http::Method::GET)
-                .body(hyper::Body::from(filter))
+                .body(http_body_util::Full::new(Bytes::from(filter)))
                 .unwrap(),
         )
         .await;
@@ -199,7 +191,7 @@ async fn query_log_stream(
             client
                 .request_builder(PATH)
                 .method("QUERY")
-                .body(hyper::Body::from(filter))
+                .body(http_body_util::Full::new(Bytes::from(filter)))
                 .unwrap(),
         )
         .await;
@@ -210,19 +202,28 @@ async fn query_log_stream(
 
 /// Spawns a task to collect all the logs in a streaming body and parse them as
 /// JSON.
-fn collect_logs(
-    mut body: hyper::Body,
-) -> (JoinHandle<Vec<serde_json::Value>>, oneshot::Sender<()>) {
+fn collect_logs<B>(mut body: B) -> (JoinHandle<Vec<serde_json::Value>>, oneshot::Sender<()>)
+where
+    B: Body<Data = Bytes> + Send + Unpin + 'static,
+    B::Error: std::error::Error,
+{
+    use http_body_util::BodyExt;
     let (done_tx, done_rx) = oneshot::channel();
     let result = tokio::spawn(async move {
         let mut result = Vec::new();
         let logs = &mut result;
         let fut = async move {
-            while let Some(res) = body.data().await {
+            while let Some(res) = body.frame().await {
                 let chunk = match res {
-                    Ok(chunk) => chunk,
+                    Ok(frame) => {
+                        if let Ok(data) = frame.into_data() {
+                            data
+                        } else {
+                            break;
+                        }
+                    }
                     Err(e) => {
-                        println!("body failed: {}", e);
+                        println!("body failed: {e}");
                         break;
                     }
                 };

linkerd/app/integration/src/tests/telemetry/tcp_errors.rs

@@ -80,10 +80,7 @@ impl Test {
                 .await
         };
 
-        env.put(
-            app::env::ENV_INBOUND_DETECT_TIMEOUT,
-            format!("{:?}", TIMEOUT),
-        );
+        env.put(app::env::ENV_INBOUND_DETECT_TIMEOUT, format!("{TIMEOUT:?}"));
 
         (self.set_env)(&mut env);
 
@@ -113,7 +110,7 @@ async fn inbound_timeout() {
     let _trace = trace_init();
 
     let (proxy, metrics) = Test::default().run().await;
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);
 
     let _tcp_client = client.connect().await;
 
@@ -127,26 +124,6 @@ async fn inbound_timeout() {
         .await;
 }
 
-/// Tests that the detect metric is labeled and incremented on I/O error.
-#[tokio::test]
-async fn inbound_io_err() {
-    let _trace = trace_init();
-
-    let (proxy, metrics) = Test::default().run().await;
-    let client = client::tcp(proxy.inbound);
-
-    let tcp_client = client.connect().await;
-
-    tcp_client.write(TcpFixture::HELLO_MSG).await;
-    drop(tcp_client);
-
-    metric(&proxy)
-        .label("error", "i/o")
-        .value(1u64)
-        .assert_in(&metrics)
-        .await;
-}
-
 /// Tests that the detect metric is not incremented when TLS is successfully
 /// detected.
 #[tokio::test]
@@ -167,7 +144,7 @@ async fn inbound_success() {
         "foo.ns1.svc.cluster.local",
         client_config.clone(),
     );
-    let no_tls_client = client::tcp(proxy.inbound);
+    let no_tls_client = crate::tcp::client(proxy.inbound);
 
     let metric = metric(&proxy)
         .label("error", "tls detection timeout")
@@ -192,44 +169,6 @@ async fn inbound_success() {
     metric.assert_in(&metrics).await;
 }
 
-/// Tests both of the above cases together.
-#[tokio::test]
-async fn inbound_multi() {
-    let _trace = trace_init();
-
-    let (proxy, metrics) = Test::default().run().await;
-    let client = client::tcp(proxy.inbound);
-
-    let metric = metric(&proxy);
-    let timeout_metric = metric.clone().label("error", "tls detection timeout");
-    let io_metric = metric.label("error", "i/o");
-
-    let tcp_client = client.connect().await;
-
-    tokio::time::sleep(TIMEOUT + Duration::from_millis(15)) // just in case
-        .await;
-
-    timeout_metric.clone().value(1u64).assert_in(&metrics).await;
-    drop(tcp_client);
-
-    let tcp_client = client.connect().await;
-
-    tcp_client.write(TcpFixture::HELLO_MSG).await;
-    drop(tcp_client);
-
-    io_metric.clone().value(1u64).assert_in(&metrics).await;
-    timeout_metric.clone().value(1u64).assert_in(&metrics).await;
-
-    let tcp_client = client.connect().await;
-
-    tokio::time::sleep(TIMEOUT + Duration::from_millis(15)) // just in case
-        .await;
-
-    io_metric.clone().value(1u64).assert_in(&metrics).await;
-    timeout_metric.clone().value(2u64).assert_in(&metrics).await;
-    drop(tcp_client);
-}
-
 /// Tests that TLS detect failure metrics are collected for the direct stack.
 #[tokio::test]
 async fn inbound_direct_multi() {
@@ -244,7 +183,7 @@ async fn inbound_direct_multi() {
     let proxy = proxy::new().inbound(srv).inbound_direct();
 
     let (proxy, metrics) = Test::new(proxy).run().await;
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);
 
     let metric = metrics::metric(METRIC).label("target_addr", proxy.inbound);
     let timeout_metric = metric.clone().label("error", "tls detection timeout");
@@ -291,7 +230,7 @@ async fn inbound_invalid_ip() {
         .run()
         .await;
 
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);
     let metric = metric(&proxy)
         .label("error", "unexpected")
         .label("target_addr", fake_ip);
@@ -354,7 +293,7 @@ async fn inbound_direct_success() {
         .await;
 
     let tls_client = client::http1(proxy2.outbound, auth);
-    let no_tls_client = client::tcp(proxy1.inbound);
+    let no_tls_client = crate::tcp::client(proxy1.inbound);
 
     let metric = metrics::metric(METRIC)
         .label("target_addr", proxy1.inbound)

linkerd/app/integration/src/tests/transparency.rs

@@ -1,5 +1,5 @@
 use crate::*;
-use linkerd_app_core::svc::http::TracingExecutor;
+use linkerd_app_core::svc::http::{BoxBody, TokioExecutor};
 use std::error::Error as _;
 use tokio::time::timeout;
 
@@ -53,7 +53,7 @@ async fn outbound_tcp() {
     let msg1 = "custom tcp hello\n";
     let msg2 = "custom tcp bye";
 
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         .accept(move |read| {
             assert_eq!(read, msg1.as_bytes());
             msg2
@@ -70,7 +70,7 @@ async fn outbound_tcp() {
         .run()
         .await;
 
-    let client = client::tcp(proxy.outbound);
+    let client = crate::tcp::client(proxy.outbound);
 
     let tcp_client = client.connect().await;
 
@@ -91,7 +91,7 @@ async fn outbound_tcp_external() {
     let msg1 = "custom tcp hello\n";
     let msg2 = "custom tcp bye";
 
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         .accept(move |read| {
             assert_eq!(read, msg1.as_bytes());
             msg2
@@ -109,7 +109,7 @@ async fn outbound_tcp_external() {
         .run()
         .await;
 
-    let client = client::tcp(proxy.outbound);
+    let client = crate::tcp::client(proxy.outbound);
 
     let tcp_client = client.connect().await;
 
@@ -130,7 +130,7 @@ async fn inbound_tcp() {
     let msg1 = "custom tcp hello\n";
     let msg2 = "custom tcp bye";
 
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         .accept(move |read| {
             assert_eq!(read, msg1.as_bytes());
             msg2
@@ -139,7 +139,7 @@ async fn inbound_tcp() {
         .await;
     let proxy = proxy::new().inbound(srv).run().await;
 
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);
 
     let tcp_client = client.connect().await;
 
@@ -201,7 +201,7 @@ async fn test_inbound_server_speaks_first(env: TestEnv) {
     let _trace = trace_init();
 
     let (tx, rx) = mpsc::channel(1);
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         .accept_fut(move |sock| serve_server_first(sock, tx))
         .run()
         .await;
@@ -231,7 +231,7 @@ async fn inbound_tcp_server_first_no_discovery() {
     let _trace = trace_init();
 
     let (tx, rx) = mpsc::channel(1);
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         .accept_fut(move |sock| serve_server_first(sock, tx))
         .run()
         .await;
@@ -303,7 +303,7 @@ async fn outbound_opaque_tcp_server_first() {
     let _trace = trace_init();
 
     let (tx, rx) = mpsc::channel(1);
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         .accept_fut(move |sock| serve_server_first(sock, tx))
         .run()
         .await;
@@ -360,7 +360,7 @@ async fn serve_server_first(mut sock: tokio::net::TcpStream, tx: mpsc::Sender<()
 
 async fn server_first_client(addr: SocketAddr, mut rx: mpsc::Receiver<()>) {
     const TIMEOUT: Duration = Duration::from_secs(5);
-    let client = client::tcp(addr);
+    let client = crate::tcp::client(addr);
 
     let tcp_client = client.connect().await;
 
@@ -383,7 +383,7 @@ async fn tcp_connections_close_if_client_closes() {
 
     let (tx, mut rx) = mpsc::channel::<()>(1);
 
-    let srv = server::tcp()
+    let srv = crate::tcp::server()
         .accept_fut(move |mut sock| {
             async move {
                 let _tx = tx;
@@ -402,7 +402,7 @@ async fn tcp_connections_close_if_client_closes() {
         .await;
     let proxy = proxy::new().inbound(srv).run().await;
 
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);
 
     let tcp_client = client.connect().await;
     tcp_client.write(msg1).await;
@@ -493,7 +493,7 @@ macro_rules! http1_tests {
                     assert_eq!(req.headers().get("host").unwrap(), host);
                     Response::builder()
                         .version(http::Version::HTTP_10)
-                        .body("".into())
+                        .body(linkerd_app_core::svc::http::BoxBody::empty())
                         .unwrap()
                 })
                 .run()
@@ -530,7 +530,7 @@ macro_rules! http1_tests {
                 .route_fn("/", move |req| {
                     assert_eq!(req.headers()["host"], host);
                     assert_eq!(req.uri().to_string(), format!("http://{}/", auth));
-                    Response::new("".into())
+                    Response::new(linkerd_app_core::svc::http::BoxBody::empty())
                 })
                 .run()
                 .await;
@@ -582,7 +582,7 @@ macro_rules! http1_tests {
             let chatproto_req = "[chatproto-c]{send}: hi all\n";
             let chatproto_res = "[chatproto-s]{recv}: welcome!\n";
 
-            let srv = server::tcp()
+            let srv = crate::tcp::server()
                 .accept_fut(move |mut sock| {
                     async move {
                         // Read upgrade_req...
@@ -608,7 +608,7 @@ macro_rules! http1_tests {
             let mk = $proxy;
             let proxy = mk(srv).await;
 
-            let client = client::tcp(proxy.inbound);
+            let client = crate::tcp::client(proxy.inbound);
 
             let tcp_client = client.connect().await;
 
@@ -731,7 +731,7 @@ macro_rules! http1_tests {
             let tunneled_req = b"{send}: hi all\n";
             let tunneled_res = b"{recv}: welcome!\n";
 
-            let srv = server::tcp()
+            let srv = crate::tcp::server()
                 .accept_fut(move |mut sock| {
                     async move {
                         // Read connect_req...
@@ -764,7 +764,7 @@ macro_rules! http1_tests {
             let mk = $proxy;
             let proxy = mk(srv).await;
 
-            let client = client::tcp(proxy.inbound);
+            let client = crate::tcp::client(proxy.inbound);
 
             let tcp_client = client.connect().await;
 
@@ -823,7 +823,7 @@ macro_rules! http1_tests {
             let tunneled_req = b"{send}: hi all\n";
             let tunneled_res = b"{recv}: welcome!\n";
 
-            let srv = server::tcp()
+            let srv = crate::tcp::server()
                 .accept_fut(move |mut sock| {
                     async move {
                         // Read connect_req...
@@ -856,7 +856,7 @@ macro_rules! http1_tests {
             let mk = $proxy;
             let proxy = mk(srv).await;
 
-            let client = client::tcp(proxy.inbound);
+            let client = crate::tcp::client(proxy.inbound);
 
             let tcp_client = client.connect().await;
 
@@ -887,7 +887,7 @@ macro_rules! http1_tests {
         async fn http11_connect_bad_requests() {
             let _trace = trace_init();
 
-            let srv = server::tcp()
+            let srv = crate::tcp::server()
                 .accept(move |_sock| -> Vec<u8> {
                     unreachable!("shouldn't get through the proxy");
                 })
@@ -898,7 +898,7 @@ macro_rules! http1_tests {
 
             // A TCP client is used since the HTTP client would stop these requests
             // from ever touching the network.
-            let client = client::tcp(proxy.inbound);
+            let client = crate::tcp::client(proxy.inbound);
 
             let bad_uris = vec!["/origin-form", "/", "http://test/bar", "http://test", "*"];
 
@@ -970,7 +970,7 @@ macro_rules! http1_tests {
             let req = client
                 .request_builder("/")
                 .method("POST")
-                .body("hello".into())
+                .body(linkerd_app_core::svc::http::BoxBody::from_static("hello"))
                 .unwrap();
 
             let resp = client.request_body(req).await;
@@ -993,7 +993,7 @@ macro_rules! http1_tests {
                     Ok::<_, std::io::Error>(
                         Response::builder()
                             .header("transfer-encoding", "chunked")
-                            .body("world".into())
+                            .body(linkerd_app_core::svc::http::BoxBody::from_static("world"))
                             .unwrap(),
                     )
                 })
@@ -1007,7 +1007,7 @@ macro_rules! http1_tests {
                 .request_builder("/")
                 .method("POST")
                 .header("transfer-encoding", "chunked")
-                .body("hello".into())
+                .body(linkerd_app_core::svc::http::BoxBody::from_static("hello"))
                 .unwrap();
 
             let resp = client.request_body(req).await;
@@ -1032,7 +1032,7 @@ macro_rules! http1_tests {
                     } else {
                         StatusCode::OK
                     };
-                    let mut res = Response::new("".into());
+                    let mut res = Response::new(linkerd_app_core::svc::http::BoxBody::empty());
                     *res.status_mut() = status;
                     res
                 })
@@ -1071,7 +1071,7 @@ macro_rules! http1_tests {
                     Response::builder()
                         .status(status)
                         .header("content-length", "0")
-                        .body("".into())
+                        .body(linkerd_app_core::svc::http::BoxBody::empty())
                         .unwrap()
                 })
                 .run()
@@ -1117,7 +1117,10 @@ macro_rules! http1_tests {
                         })
                         .unwrap_or(200);
 
-                    Response::builder().status(status).body("".into()).unwrap()
+                    Response::builder()
+                        .status(status)
+                        .body(linkerd_app_core::svc::http::BoxBody::empty())
+                        .unwrap()
                 })
                 .run()
                 .await;
@@ -1180,7 +1183,7 @@ macro_rules! http1_tests {
                     assert_eq!(req.method(), "HEAD");
                     Response::builder()
                         .header("content-length", "55")
-                        .body("".into())
+                        .body(linkerd_app_core::svc::http::BoxBody::empty())
                         .unwrap()
                 })
                 .run()
@@ -1210,7 +1213,7 @@ macro_rules! http1_tests {
             let _trace = trace_init();
 
             // test both http/1.0 and 1.1
-            let srv = server::tcp()
+            let srv = crate::tcp::server()
                 .accept(move |_read| {
                     "\
                      HTTP/1.0 200 OK\r\n\
@@ -1390,14 +1393,14 @@ async fn http10_without_host() {
             assert_eq!(req.uri().to_string(), "/");
             Response::builder()
                 .version(http::Version::HTTP_10)
-                .body("".into())
+                .body(BoxBody::empty())
                 .unwrap()
         })
         .run()
         .await;
     let proxy = proxy::new().inbound(srv).run().await;
 
-    let client = client::tcp(proxy.inbound);
+    let client = crate::tcp::client(proxy.inbound);
 
     let tcp_client = client.connect().await;
 
@@ -1587,7 +1590,7 @@ async fn http2_request_without_authority() {
     let srv = server::http2()
         .route_fn("/", |req| {
             assert_eq!(req.uri().authority(), None);
-            Response::new("".into())
+            Response::new(BoxBody::empty())
         })
         .run()
         .await;
@@ -1602,14 +1605,15 @@ async fn http2_request_without_authority() {
     let io = tokio::net::TcpStream::connect(&addr)
         .await
         .expect("connect error");
-    let (mut client, conn) = hyper::client::conn::http2::Builder::new(TracingExecutor)
-        .handshake(io)
+    let (mut client, conn) = hyper::client::conn::http2::Builder::new(TokioExecutor::new())
+        .timer(hyper_util::rt::TokioTimer::new())
+        .handshake(hyper_util::rt::TokioIo::new(io))
         .await
         .expect("handshake error");
 
     tokio::spawn(conn.map_err(|e| tracing::info!("conn error: {:?}", e)));
 
-    let req = Request::new(hyper::Body::empty());
+    let req = Request::new(BoxBody::empty());
     // these properties are specifically what we want, and set by default
     assert_eq!(req.uri(), "/");
     assert_eq!(req.version(), http::Version::HTTP_11);
@@ -1633,12 +1637,14 @@ async fn http2_rst_stream_is_propagated() {
     let proxy = proxy::new().inbound(srv).run().await;
     let client = client::http2(proxy.inbound, "transparency.example.com");
 
-    let err: hyper::Error = client
+    let err: hyper_util::client::legacy::Error = client
         .request(client.request_builder("/"))
         .await
         .expect_err("client request should error");
 
     let rst = err
+        .source()
+        .expect("error should have a source")
         .source()
         .expect("error should have a source")
         .downcast_ref::<h2::Error>()

linkerd/app/outbound/Cargo.toml

@@ -1,10 +1,10 @@
 [package]
 name = "linkerd-app-outbound"
-version = "0.1.0"
-authors = ["Linkerd Developers <cncf-linkerd-dev@lists.cncf.io>"]
-license = "Apache-2.0"
-edition = "2021"
-publish = false
+version = { workspace = true }
+authors = { workspace = true }
+license = { workspace = true }
+edition = { workspace = true }
+publish = { workspace = true }
 description = """
 Configures and runs the outbound proxy
 """
@@ -13,7 +13,7 @@ Configures and runs the outbound proxy
 default = []
 allow-loopback = []
 test-subscriber = []
-test-util = ["linkerd-app-test", "linkerd-meshtls-rustls/test-util"]
+test-util = ["linkerd-app-test", "linkerd-meshtls/test-util", "dep:http-body"]
 
 prometheus-client-rust-242 = [] # TODO
 
@@ -21,17 +21,18 @@ prometheus-client-rust-242 = [] # TODO
 ahash = "0.8"
 bytes = { workspace = true }
 http = { workspace = true }
+http-body = { workspace = true, optional = true }
 futures = { version = "0.3", default-features = false }
 linkerd2-proxy-api = { workspace = true, features = ["outbound"] }
 once_cell = "1"
 parking_lot = "0.12"
 pin-project = "1"
-prometheus-client = "0.22"
+prometheus-client = { workspace = true }
 thiserror = "2"
 tokio = { version = "1", features = ["sync"] }
 tonic = { workspace = true, default-features = false }
-tower = { version = "0.4", features = ["util"] }
-tracing = "0.1"
+tower = { workspace = true, features = ["util"] }
+tracing = { workspace = true }
 
 linkerd-app-core = { path = "../core" }
 linkerd-app-test = { path = "../test", optional = true }
@@ -41,7 +42,7 @@ linkerd-http-prom = { path = "../../http/prom" }
 linkerd-http-retry = { path = "../../http/retry" }
 linkerd-http-route = { path = "../../http/route" }
 linkerd-identity = { path = "../../identity" }
-linkerd-meshtls-rustls = { path = "../../meshtls/rustls", optional = true }
+linkerd-meshtls = { path = "../../meshtls", optional = true, default-features = false }
 linkerd-opaq-route = { path = "../../opaq-route" }
 linkerd-proxy-client-policy = { path = "../../proxy/client-policy", features = [
     "proto",
@@ -54,19 +55,22 @@ linkerd-tonic-watch = { path = "../../tonic-watch" }
 [dev-dependencies]
 futures-util = "0.3"
 http-body = { workspace = true }
-hyper = { workspace = true, features = ["backports", "deprecated", "http1", "http2"] }
+http-body-util = { workspace = true, features = ["channel"] }
+hyper = { workspace = true, features = ["http1", "http2"] }
+hyper-util = { workspace = true }
 tokio = { version = "1", features = ["macros", "sync", "time"] }
 tokio-rustls = { workspace = true }
 tokio-test = "0.4"
-tower-test = "0.4"
+tower-test = { workspace = true }
 
 linkerd-app-test = { path = "../test", features = ["client-policy"] }
+linkerd-http-box = { path = "../../http/box" }
 linkerd-http-prom = { path = "../../http/prom", features = ["test-util"] }
 linkerd-io = { path = "../../io", features = ["tokio-test"] }
-linkerd-meshtls = { path = "../../meshtls", features = ["rustls"] }
-linkerd-meshtls-rustls = { path = "../../meshtls/rustls", features = [
+linkerd-meshtls = { path = "../../meshtls", features = [
     "test-util",
 ] }
+linkerd-mock-http-body = { path = "../../mock/http-body" }
 linkerd-stack = { path = "../../stack", features = ["test-util"] }
 linkerd-tracing = { path = "../../tracing", features = ["ansi"] }
 

linkerd/app/outbound/src/discover.rs

@@ -134,7 +134,13 @@ impl<N> Outbound<N> {
                                 .unwrap_or_else(|| (orig_dst, Default::default()));
                             // TODO(ver) We should be able to figure out resource coordinates for
                             // the endpoint?
-                            synthesize_forward_policy(&META, detect_timeout, queue, addr, meta)
+                            synthesize_forward_policy(
+                                &META,
+                                detect_timeout,
+                                queue,
+                                addr,
+                                meta.into(),
+                            )
                         },
                     );
                     return Ok((Some(profile), policy));
@@ -189,7 +195,7 @@ pub fn synthesize_forward_policy(
     timeout: Duration,
     queue: policy::Queue,
     addr: SocketAddr,
-    metadata: policy::EndpointMetadata,
+    metadata: Arc<policy::EndpointMetadata>,
 ) -> ClientPolicy {
     policy_for_backend(
         meta,

linkerd/app/outbound/src/http/concrete.rs

@@ -32,7 +32,7 @@ pub use self::balance::BalancerMetrics;
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub enum Dispatch {
     Balance(NameAddr, EwmaConfig),
-    Forward(Remote<ServerAddr>, Metadata),
+    Forward(Remote<ServerAddr>, Arc<Metadata>),
     /// A backend dispatcher that explicitly fails all requests.
     Fail {
         message: Arc<str>,
@@ -49,7 +49,7 @@ pub struct DispatcherFailed(Arc<str>);
 pub struct Endpoint<T> {
     addr: Remote<ServerAddr>,
     is_local: bool,
-    metadata: Metadata,
+    metadata: Arc<Metadata>,
     parent: T,
     queue: QueueConfig,
     close_server_connection_on_remote_proxy_error: bool,
@@ -120,28 +120,30 @@ impl<N> Outbound<N> {
                     move |parent: T| -> Result<_, Infallible> {
                         Ok(match parent.param() {
                             Dispatch::Balance(addr, ewma) => {
-                                svc::Either::A(svc::Either::A(balance::Balance {
+                                svc::Either::Left(svc::Either::Left(balance::Balance {
                                     addr,
                                     ewma,
                                     parent,
                                     queue,
                                 }))
                             }
-                            Dispatch::Forward(addr, metadata) => svc::Either::A(svc::Either::B({
-                                let is_local = inbound_ips.contains(&addr.ip());
-                                let http2 = http2.override_from(metadata.http2_client_params());
-                                Endpoint {
-                                    is_local,
-                                    addr,
-                                    metadata,
-                                    parent,
-                                    queue,
-                                    close_server_connection_on_remote_proxy_error: true,
-                                    http1,
-                                    http2,
-                                }
-                            })),
-                            Dispatch::Fail { message } => svc::Either::B(message),
+                            Dispatch::Forward(addr, metadata) => {
+                                svc::Either::Left(svc::Either::Right({
+                                    let is_local = inbound_ips.contains(&addr.ip());
+                                    let http2 = http2.override_from(metadata.http2_client_params());
+                                    Endpoint {
+                                        is_local,
+                                        addr,
+                                        metadata,
+                                        parent,
+                                        queue,
+                                        close_server_connection_on_remote_proxy_error: true,
+                                        http1,
+                                        http2,
+                                    }
+                                }))
+                            }
+                            Dispatch::Fail { message } => svc::Either::Right(message),
                         })
                     },
                     svc::stack(fail).check_new_clone().into_inner(),
@@ -277,6 +279,13 @@ impl<T> svc::Param<tls::ConditionalClientTls> for Endpoint<T> {
     }
 }
 
+impl<T> svc::Param<tls::ConditionalClientTlsLabels> for Endpoint<T> {
+    fn param(&self) -> tls::ConditionalClientTlsLabels {
+        let tls: tls::ConditionalClientTls = self.param();
+        tls.as_ref().map(tls::ClientTls::labels)
+    }
+}
+
 impl<T> svc::Param<http::Variant> for Endpoint<T>
 where
     T: svc::Param<http::Variant>,

linkerd/app/outbound/src/http/concrete/balance.rs

@@ -121,7 +121,7 @@ where
                         let http2 = http2.override_from(metadata.http2_client_params());
                         Endpoint {
                             addr: Remote(ServerAddr(addr)),
-                            metadata,
+                            metadata: metadata.into(),
                             is_local,
                             parent: target.parent,
                             queue: http_queue,