linkerd
/
linkerd2
mirror of https://github.com/linkerd/linkerd2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove conduit references from proxy-init codebase (#1325) 

* Remove conduit references from proxy-init codebase
* Removing linkerd.io link from long description

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
This commit is contained in:
Kevin Lingerfelt 2018-07-17 10:29:30 -07:00 committed by GitHub
parent 1b38310019
commit 3357a06f09
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 46 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
proxy-init/cmd/root.go
View File

@ -34,10 +34,8 @@ func NewRootCmd() *cobra.Command {
cmd := &cobra.Command{ cmd := &cobra.Command{
Use: "proxy-init", Use: "proxy-init",
Short: "Adds a Kubernetes pod to the Conduit Service Mesh", Short: "proxy-init adds a Kubernetes pod to the Linkerd service mesh",
Long: `proxy-init Adds a Kubernetes pod to the Conduit Service Mesh. Long: "proxy-init adds a Kubernetes pod to the Linkerd service mesh.",
Find more information at https://conduit.io/.`,
RunE: func(cmd *cobra.Command, args []string) error { RunE: func(cmd *cobra.Command, args []string) error {
config, err := buildFirewallConfiguration(options) config, err := buildFirewallConfiguration(options)
if err != nil { if err != nil {

2
proxy-init/integration_test/iptables/Dockerfile-tester
View File

@ -4,4 +4,4 @@ ADD iptables/ /go
# Kubernetes Jobs will be retried until they return status 0, # Kubernetes Jobs will be retried until they return status 0,
# so we need to output the status for processing but make sure # so we need to output the status for processing but make sure
# that the container exits with 0 # that the container exits with 0
ENTRYPOINT cd /go && (go test -v ; echo "status:$?") ENTRYPOINT cd /go && (go test -v -integration-tests; echo "status:$?")

57
proxy-init/integration_test/iptables/http_test.go
View File

@ -1,6 +1,7 @@
package iptablestest package iptablestest
import ( import (
"flag"
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
@ -11,35 +12,44 @@ import (
) )
const ( const (
ignoredContainerPort = "7070" ignoredContainerPort = "7070"
proxyContainerPort = "8080" proxyContainerPort = "8080"
notTheProxyContainerPort = "9090" notTheProxyContainerPort = "9090"
integrationTestsEnvironmentVariable = "CONDUIT_INTEGRATION_TESTS_ENABLED"
) )
func TestMain(m *testing.M) {
runTests := flag.Bool("integration-tests", false, "must be provided to run the integration tests")
flag.Parse()
if !*runTests {
fmt.Fprintln(os.Stderr, "integration tests not enabled: enable with -integration-tests")
os.Exit(0)
}
os.Exit(m.Run())
}
func TestPodWithNoRules(t *testing.T) { func TestPodWithNoRules(t *testing.T) {
t.Parallel()
podWithNoRulesIp := os.Getenv("POD_WITH_NO_RULES_IP") podWithNoRulesIp := os.Getenv("POD_WITH_NO_RULES_IP")
svcName := "svc-pod-with-no-rules" svcName := "svc-pod-with-no-rules"
t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) { t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, podWithNoRulesIp, proxyContainerPort) expectSuccessfulGetRequestTo(t, podWithNoRulesIp, proxyContainerPort)
}) })
t.Run("fails to connect to pod directly through any port that isn't the container's exposed port", func(t *testing.T) { t.Run("fails to connect to pod directly through any port that isn't the container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8088") expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8088")
expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8888") expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8888")
expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8988") expectCannotConnectGetRequestTo(t, podWithNoRulesIp, "8988")
}) })
t.Run("succeeds connecting to pod via a service through container's exposed port", func(t *testing.T) { t.Run("succeeds connecting to pod via a service through container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, svcName, proxyContainerPort) expectSuccessfulGetRequestTo(t, svcName, proxyContainerPort)
}) })
t.Run("fails to connect to pod via a service through any port that isn't the container's exposed port", func(t *testing.T) { t.Run("fails to connect to pod via a service through any port that isn't the container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectCannotConnectGetRequestTo(t, svcName, "8088") expectCannotConnectGetRequestTo(t, svcName, "8088")
expectCannotConnectGetRequestTo(t, svcName, "8888") expectCannotConnectGetRequestTo(t, svcName, "8888")
expectCannotConnectGetRequestTo(t, svcName, "8988") expectCannotConnectGetRequestTo(t, svcName, "8988")
@ -47,16 +57,16 @@ func TestPodWithNoRules(t *testing.T) {
} }
func TestPodRedirectsAllPorts(t *testing.T) { func TestPodRedirectsAllPorts(t *testing.T) {
t.Parallel()
podRedirectsAllPortsIp := os.Getenv("POD_REDIRECTS_ALL_PORTS_IP") podRedirectsAllPortsIp := os.Getenv("POD_REDIRECTS_ALL_PORTS_IP")
svcName := "svc-pod-redirects-all-ports" svcName := "svc-pod-redirects-all-ports"
t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) { t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, proxyContainerPort) expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, proxyContainerPort)
}) })
t.Run("succeeds connecting to pod directly through any port that isn't the container's exposed port", func(t *testing.T) { t.Run("succeeds connecting to pod directly through any port that isn't the container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8088") expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8088")
expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8888") expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8888")
expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8988") expectSuccessfulGetRequestTo(t, podRedirectsAllPortsIp, "8988")
@ -64,12 +74,10 @@ func TestPodRedirectsAllPorts(t *testing.T) {
}) })
t.Run("succeeds connecting to pod via a service through container's exposed port", func(t *testing.T) { t.Run("succeeds connecting to pod via a service through container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, svcName, proxyContainerPort) expectSuccessfulGetRequestTo(t, svcName, proxyContainerPort)
}) })
t.Run("fails to connect to pod via a service through any port that isn't the container's exposed port", func(t *testing.T) { t.Run("fails to connect to pod via a service through any port that isn't the container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectCannotConnectGetRequestTo(t, svcName, "8088") expectCannotConnectGetRequestTo(t, svcName, "8088")
expectCannotConnectGetRequestTo(t, svcName, "8888") expectCannotConnectGetRequestTo(t, svcName, "8888")
expectCannotConnectGetRequestTo(t, svcName, "8988") expectCannotConnectGetRequestTo(t, svcName, "8988")
@ -77,21 +85,20 @@ func TestPodRedirectsAllPorts(t *testing.T) {
} }
func TestPodWithSomePortsRedirected(t *testing.T) { func TestPodWithSomePortsRedirected(t *testing.T) {
t.Parallel()
podRedirectsSomePortsIp := os.Getenv("POD_REDIRECTS_WHITELISTED_IP") podRedirectsSomePortsIp := os.Getenv("POD_REDIRECTS_WHITELISTED_IP")
t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) { t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, proxyContainerPort) expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, proxyContainerPort)
}) })
t.Run("succeeds connecting to pod directly through ports configured to redirect", func(t *testing.T) { t.Run("succeeds connecting to pod directly through ports configured to redirect", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, "9090") expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, "9090")
expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, "9099") expectSuccessfulGetRequestTo(t, podRedirectsSomePortsIp, "9099")
}) })
t.Run("fails to connect to pod via through any port that isn't configured to redirect", func(t *testing.T) { t.Run("fails to connect to pod via through any port that isn't configured to redirect", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8088") expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8088")
expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8888") expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8888")
expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8988") expectCannotConnectGetRequestTo(t, podRedirectsSomePortsIp, "8988")
@ -99,21 +106,20 @@ func TestPodWithSomePortsRedirected(t *testing.T) {
} }
func TestPodWithSomePortsIgnored(t *testing.T) { func TestPodWithSomePortsIgnored(t *testing.T) {
t.Parallel()
podIgnoredSomePortsIp := os.Getenv("POD_DOEST_REDIRECT_BLACKLISTED_IP") podIgnoredSomePortsIp := os.Getenv("POD_DOEST_REDIRECT_BLACKLISTED_IP")
t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) { t.Run("succeeds connecting to pod directly through container's exposed port", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, proxyContainerPort) expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, proxyContainerPort)
}) })
t.Run("succeeds connecting to pod directly through ports configured to redirect", func(t *testing.T) { t.Run("succeeds connecting to pod directly through ports configured to redirect", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, "9090") expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, "9090")
expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, "9099") expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, "9099")
}) })
t.Run("doesnt redirect when through port that is ignored", func(t *testing.T) { t.Run("doesnt redirect when through port that is ignored", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
response := expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, ignoredContainerPort) response := expectSuccessfulGetRequestTo(t, podIgnoredSomePortsIp, ignoredContainerPort)
if response == "proxy" { if response == "proxy" {
@ -127,6 +133,8 @@ func TestPodWithSomePortsIgnored(t *testing.T) {
} }
func TestPodMakesOutboundConnection(t *testing.T) { func TestPodMakesOutboundConnection(t *testing.T) {
t.Parallel()
podIgnoredSomePortsIp := os.Getenv("POD_DOEST_REDIRECT_BLACKLISTED_IP") podIgnoredSomePortsIp := os.Getenv("POD_DOEST_REDIRECT_BLACKLISTED_IP")
podWithNoRulesIp := os.Getenv("POD_WITH_NO_RULES_IP") podWithNoRulesIp := os.Getenv("POD_WITH_NO_RULES_IP")
podWithNoRulesName := "pod-with-no-rules" podWithNoRulesName := "pod-with-no-rules"
@ -135,7 +143,6 @@ func TestPodMakesOutboundConnection(t *testing.T) {
proxyPodIp := podIgnoredSomePortsIp proxyPodIp := podIgnoredSomePortsIp
t.Run("connecting to another pod from non-proxy container gets redirected to proxy", func(t *testing.T) { t.Run("connecting to another pod from non-proxy container gets redirected to proxy", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
portOfContainerToMAkeTheRequest := ignoredContainerPort portOfContainerToMAkeTheRequest := ignoredContainerPort
targetPodIp := podWithNoRulesIp targetPodIp := podWithNoRulesIp
targetPort := ignoredContainerPort targetPort := ignoredContainerPort
@ -149,7 +156,6 @@ func TestPodMakesOutboundConnection(t *testing.T) {
}) })
t.Run("connecting to another pod from proxy container does not get redirected to proxy", func(t *testing.T) { t.Run("connecting to another pod from proxy container does not get redirected to proxy", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
targetPodName := podWithNoRulesName targetPodName := podWithNoRulesName
targetPodIp := podWithNoRulesIp targetPodIp := podWithNoRulesIp
@ -162,8 +168,6 @@ func TestPodMakesOutboundConnection(t *testing.T) {
}) })
t.Run("connecting to loopback from non-proxy container does not get redirected to proxy", func(t *testing.T) { t.Run("connecting to loopback from non-proxy container does not get redirected to proxy", func(t *testing.T) {
checkIfIntegrationTestsAreEnabled(t)
response := makeCallFromContainerToAnother(t, proxyPodIp, ignoredContainerPort, "127.0.0.1", notTheProxyContainerPort) response := makeCallFromContainerToAnother(t, proxyPodIp, ignoredContainerPort, "127.0.0.1", notTheProxyContainerPort)
expectedDownstreamResponse := fmt.Sprintf("me:[%s:%s]downstream:[%s:%s]", proxyPodName, ignoredContainerPort, proxyPodName, notTheProxyContainerPort) expectedDownstreamResponse := fmt.Sprintf("me:[%s:%s]downstream:[%s:%s]", proxyPodName, ignoredContainerPort, proxyPodName, notTheProxyContainerPort)
@ -181,15 +185,6 @@ func makeCallFromContainerToAnother(t *testing.T, fromPodNamed string, fromConta
return expectSuccessfulGetRequestToUrl(t, targetUrl) return expectSuccessfulGetRequestToUrl(t, targetUrl)
} }
func checkIfIntegrationTestsAreEnabled(t *testing.T) {
if _, isSet := os.LookupEnv(integrationTestsEnvironmentVariable); !isSet {
fmt.Printf("=> Environment variable [%s] isn't set, skipping this test\n", integrationTestsEnvironmentVariable)
t.SkipNow()
} else {
t.Parallel()
}
}
func expectCannotConnectGetRequestTo(t *testing.T, host string, port string) { func expectCannotConnectGetRequestTo(t *testing.T, host string, port string) {
targetUrl := fmt.Sprintf("http://%s:%s/", host, port) targetUrl := fmt.Sprintf("http://%s:%s/", host, port)
fmt.Printf("Expecting failed GET to %s\n", targetUrl) fmt.Printf("Expecting failed GET to %s\n", targetUrl)

2
proxy-init/integration_test/run_tests.sh
View File

@ -82,8 +82,6 @@ spec:
- name: tester - name: tester
image: buoyantio/iptables-tester:v1 image: buoyantio/iptables-tester:v1
env: env:
- name: CONDUIT_INTEGRATION_TESTS_ENABLED
value: "1"
- name: POD_REDIRECTS_ALL_PORTS_IP - name: POD_REDIRECTS_ALL_PORTS_IP
value: ${POD_REDIRECTS_ALL_PORTS_IP} value: ${POD_REDIRECTS_ALL_PORTS_IP}
- name: POD_WITH_NO_RULES_IP - name: POD_WITH_NO_RULES_IP

34
proxy-init/iptables/iptables.go
View File

@ -68,48 +68,48 @@ func ConfigureFirewall(firewallConfiguration FirewallConfiguration) error {
//formatComment is used to format iptables comments in such way that it is possible to identify when the rules were added. //formatComment is used to format iptables comments in such way that it is possible to identify when the rules were added.
// This helps debug when iptables has some stale rules from previous runs, something that can happen frequently on minikube. // This helps debug when iptables has some stale rules from previous runs, something that can happen frequently on minikube.
func formatComment(text string) string { func formatComment(text string) string {
return fmt.Sprintf("conduit/%s/%s", text, ExecutionTraceId) return fmt.Sprintf("proxy-init/%s/%s", text, ExecutionTraceId)
} }
func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd { func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd {
ConduitOutputChainName := "CONDUIT_OUTPUT" outputChainName := "PROXY_INIT_OUTPUT"
executeCommand(firewallConfiguration, makeFlushChain(ConduitOutputChainName)) executeCommand(firewallConfiguration, makeFlushChain(outputChainName))
executeCommand(firewallConfiguration, makeDeleteChain(ConduitOutputChainName)) executeCommand(firewallConfiguration, makeDeleteChain(outputChainName))
commands = append(commands, makeCreateNewChain(ConduitOutputChainName, "redirect-common-chain")) commands = append(commands, makeCreateNewChain(outputChainName, "redirect-common-chain"))
// Ingore traffic from the proxy // Ingore traffic from the proxy
if firewallConfiguration.ProxyUid > 0 { if firewallConfiguration.ProxyUid > 0 {
log.Printf("Ignoring uid %d", firewallConfiguration.ProxyUid) log.Printf("Ignoring uid %d", firewallConfiguration.ProxyUid)
commands = append(commands, makeIgnoreUserId(ConduitOutputChainName, firewallConfiguration.ProxyUid, "ignore-proxy-user-id")) commands = append(commands, makeIgnoreUserId(outputChainName, firewallConfiguration.ProxyUid, "ignore-proxy-user-id"))
} else { } else {
log.Println("Not ignoring any uid") log.Println("Not ignoring any uid")
} }
// Ignore loopback // Ignore loopback
commands = append(commands, makeIgnoreLoopback(ConduitOutputChainName, "ignore-loopback")) commands = append(commands, makeIgnoreLoopback(outputChainName, "ignore-loopback"))
// Ignore ports // Ignore ports
commands = addRulesForIgnoredPorts(firewallConfiguration.OutboundPortsToIgnore, ConduitOutputChainName, commands) commands = addRulesForIgnoredPorts(firewallConfiguration.OutboundPortsToIgnore, outputChainName, commands)
log.Printf("Redirecting all OUTPUT to %d", firewallConfiguration.ProxyOutgoingPort) log.Printf("Redirecting all OUTPUT to %d", firewallConfiguration.ProxyOutgoingPort)
commands = append(commands, makeRedirectChainToPort(ConduitOutputChainName, firewallConfiguration.ProxyOutgoingPort, "redirect-all-outgoing-to-proxy-port")) commands = append(commands, makeRedirectChainToPort(outputChainName, firewallConfiguration.ProxyOutgoingPort, "redirect-all-outgoing-to-proxy-port"))
//Redirect all remaining outbound traffic to the proxy. //Redirect all remaining outbound traffic to the proxy.
commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesOutputChainName, ConduitOutputChainName, "install-conduit-output")) commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesOutputChainName, outputChainName, "install-proxy-init-output"))
return commands return commands
} }
func addIncomingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd { func addIncomingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd {
ConduitRedirectChainName := "CONDUIT_REDIRECT" redirectChainName := "PROXY_INIT_REDIRECT"
executeCommand(firewallConfiguration, makeFlushChain(ConduitRedirectChainName)) executeCommand(firewallConfiguration, makeFlushChain(redirectChainName))
executeCommand(firewallConfiguration, makeDeleteChain(ConduitRedirectChainName)) executeCommand(firewallConfiguration, makeDeleteChain(redirectChainName))
commands = append(commands, makeCreateNewChain(ConduitRedirectChainName, "redirect-common-chain")) commands = append(commands, makeCreateNewChain(redirectChainName, "redirect-common-chain"))
commands = addRulesForIgnoredPorts(firewallConfiguration.InboundPortsToIgnore, ConduitRedirectChainName, commands) commands = addRulesForIgnoredPorts(firewallConfiguration.InboundPortsToIgnore, redirectChainName, commands)
commands = addRulesForInboundPortRedirect(firewallConfiguration, ConduitRedirectChainName, commands) commands = addRulesForInboundPortRedirect(firewallConfiguration, redirectChainName, commands)
//Redirect all remaining inbound traffic to the proxy. //Redirect all remaining inbound traffic to the proxy.
commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesPreroutingChainName, ConduitRedirectChainName, "install-conduit-prerouting")) commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesPreroutingChainName, redirectChainName, "install-proxy-init-prerouting"))
return commands return commands
} }