From 7cc5e5c64685c0a5a8e06f0f40ed79f8e16bb1d2 Mon Sep 17 00:00:00 2001 
From: Oliver Gould Date: Tue, 2 Jun 2020 19:37:14 -0700 Subject: [PATCH] multicluster: Use the proxy as an HTTP gateway (#4528) This change modifies the linkerd-gateway component to use the inbound proxy, rather than nginx, for gateway. This allows us to detect loops and propagate identity through the gateway. This change also cleans up port naming to `mc-gateway` and `mc-probe` to resolve conflicts with Kubernetes validation. --- * proxy: v2.99.0 The proxy can now operate as gateway, routing requests from its inbound proxy to the outbound proxy, without passing the requests to a local application. This supports Linkerd's multicluster feature by adding a `Forwarded` header to propagate the original client identity and assist in loop detection. --- * Add loop detection to inbound & TCP forwarding (linkerd/linkerd2-proxy#527) * Test loop detection (linkerd/linkerd2-proxy#532) * fallback: Unwrap errors recursively (linkerd/linkerd2-proxy#534) * app: Split inbound/outbound constructors into components (linkerd/linkerd2-proxy#533) * Introduce a gateway between inbound and outbound (linkerd/linkerd2-proxy#540) * gateway: Add a Forwarded header (linkerd/linkerd2-proxy#544) * gateway: Return errors instead of responses (linkerd/linkerd2-proxy#547) * Fail requests that loop through the gateway (linkerd/linkerd2-proxy#545) * inject: Support config.linkerd.io/enable-gateway This change introduces a new annotation, config.linkerd.io/enable-gateway, that, when set, enables the proxy to act as a gateway, routing all traffic targeting the inbound listener through the outbound proxy. This also removes the nginx default listener and gateway port of 4180, instead using 4143 (the inbound port). * proxy: v2.100.0 This change modifies the inbound gateway caching so that requests may be routed to multiple leaves of a traffic split.
--- * inbound: Do not cache gateway services (linkerd/linkerd2-proxy#549)
---
 .proxy-version | 2 +-
 charts/linkerd2-multicluster/README.md | 2 +-
 .../templates/gateway.yaml | 25 +-
 charts/linkerd2-multicluster/values.yaml | 2 +-
 charts/partials/templates/_proxy.tpl | 11 +-
 .../cluster_watcher_test_util.go | 8 +-
 .../data/inject-sidecar-container-spec.yaml | 2 +-
 .../fake/data/pod-with-debug.patch.json | 275 +++++++++---------
 .../proxy-injector/fake/data/pod.patch.json | 262 +++++++++--------
 pkg/charts/linkerd2/values.go | 1 +
 pkg/inject/inject.go | 10 +
 pkg/k8s/labels.go | 8 +-
 test/inject/testdata/injected_params.golden | 2 +-
 13 files changed, 312 insertions(+), 298 deletions(-)
diff --git a/.proxy-version b/.proxy-version
index 59b976d01..5ea2ba0d8 100644
--- a/.proxy-version
+++ b/.proxy-version
@@ -1 +1 @@
-v2.98.0
+v2.100.0
diff --git a/charts/linkerd2-multicluster/README.md b/charts/linkerd2-multicluster/README.md
index f817df5b8..4770c764d 100644
--- a/charts/linkerd2-multicluster/README.md
+++ b/charts/linkerd2-multicluster/README.md
@@ -22,7 +22,7 @@ linkerd2-multicluster chart and their default values.
 |`gatewayName` | The name of the gateway that will be installed |`linkerd-gateway` |
 |`gatewayNginxImage` | The Nginx image |`nginx` |
 |`gatewayNginxImageVersion` | The version of the Nginx image |`1.17` |
-|`gatewayPort` | The port on which all the gateway will accept incoming traffic |`4180` |
+|`gatewayPort` | The port on which all the gateway will accept incoming traffic |`4143` |
 |`gatewayProbePath` | The path that will be used by remote clusters for determining whether the gateway is alive |`/health` |
 |`gatewayProbePort` | The port used for liveliness probing |`4181` |
 |`gatewayProbeSeconds` | The interval (in seconds) between liveness probes |`3` |
diff --git a/charts/linkerd2-multicluster/templates/gateway.yaml b/charts/linkerd2-multicluster/templates/gateway.yaml
index 7932f1116..14c894acb 100644
--- a/charts/linkerd2-multicluster/templates/gateway.yaml
+++ b/charts/linkerd2-multicluster/templates/gateway.yaml
@@ -11,12 +11,12 @@ data: nginx.conf: |- events { } - stream { - server { - listen {{.Values.gatewayPort}}; - proxy_pass 127.0.0.1:{{.Values.proxyOutboundPort}}; - } - } + stream { + server { + listen 4180; + proxy_pass 127.0.0.1:{{.Values.proxyOutboundPort}}; + } + } http { server { listen {{.Values.gatewayProbePort}};
@@ -56,7 +56,8 @@ spec:
 annotations:
 {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
 linkerd.io/inject: enabled
- config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gatewayProbePort}},{{.Values.gatewayPort}}"
+ config.linkerd.io/proxy-require-identity-inbound-ports: "{{.Values.gatewayProbePort}},{{.Values.gatewayPort}},4180"
+ config.linkerd.io/enable-gateway: "true"
 labels:
 app: {{.Values.gatewayName}}
 spec:
@@ -78,9 +79,9 @@ spec:
 initialDelaySeconds: 10
 image: {{.Values.gatewayNginxImage}}:{{.Values.gatewayNginxImageVersion}}
 ports:
- - name: linkerd-gateway
- containerPort: {{.Values.gatewayPort}}
- - name: linkerd-gateway-probe
+ - name: mc-relay
+ containerPort: 4180
+ - name: mc-probe
 containerPort: {{.Values.gatewayProbePort}}
 - name: local-probe
 containerPort: {{.Values.gatewayLocalProbePort}}
@@ -102,10 +103,10 @@ metadata:
 {{.Values.createdByAnnotation}}: {{default (printf "linkerd/helm %s" .Values.linkerdVersion) .Values.cliVersion}}
 spec:
 ports:
- - name: linkerd-gateway
+ - name: mc-gateway
 port: {{.Values.gatewayPort}}
 protocol: TCP
- - name: linkerd-gateway-probe
+ - name: mc-probe
 port: {{.Values.gatewayProbePort}}
 protocol: TCP
 selector:
diff --git a/charts/linkerd2-multicluster/values.yaml b/charts/linkerd2-multicluster/values.yaml
index 6fcfe6c1b..edf82a2f4 100644
--- a/charts/linkerd2-multicluster/values.yaml
+++ b/charts/linkerd2-multicluster/values.yaml
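Review bot: The second hunk hard-codes `4180` into `proxy-require-identity-inbound-ports` while the first and third hunks hard-code the same number into the nginx `listen` directive and the `mc-relay` containerPort, and at the same time `gatewayPort` (now 4143 in values.yaml) is no longer bound to any listener in this template, so the Service's `mc-gateway` port only works because it happens to equal the injected proxy's inbound port. Make that coupling explicit rather than implicit, e.g. a comment next to `gatewayPort` in values.yaml such as `# Must equal the injected proxy's inbound port: gateway traffic is served by the proxy itself, not by nginx.`, and lift the relay port into one chart value (say `gatewayRelayPort`) referenced from all three places. It is also not stated why the nginx stream relay survives now that the proxy is the gateway; from the hunk it still forwards raw TCP to `127.0.0.1:{{.Values.proxyOutboundPort}}`, so keeping it on the require-identity list looks necessary for as long as it exists, and a short comment above the `stream {` block saying whether it is a transitional path would save the next reader the question.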
@@ -8,7 +8,7 @@ gatewayLocalProbePort: 8888
 gatewayName: linkerd-gateway
 gatewayNginxImage: nginx
 gatewayNginxImageVersion: 1.17
-gatewayPort: 4180
+gatewayPort: 4143
 gatewayProbePath: /health
 gatewayProbePort: 4181
 gatewayProbeSeconds: 3
diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl
index 31fc83eb9..7203f1b82 100644
--- a/charts/partials/templates/_proxy.tpl
+++ b/charts/partials/templates/_proxy.tpl
@@ -18,12 +18,15 @@ env:
 value: 127.0.0.1:{{.Values.global.proxy.ports.outbound}}
 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
 value: 0.0.0.0:{{.Values.global.proxy.ports.inbound}}
+{{ if .Values.global.proxy.isGateway -}}
+- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES
+ value: {{printf "svc.%s." .Values.global.clusterDomain}}
+{{ end -}}
 - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
- {{- $internalProfileSuffix := printf "svc.%s." .Values.global.clusterDomain }}
- value: {{ternary "." $internalProfileSuffix .Values.global.proxy.enableExternalProfiles}}
+ value: {{printf "svc.%s." .Values.global.clusterDomain}}
 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
- {{- $internalProfileSuffix := printf "svc.%s." .Values.global.clusterDomain }}
- value: {{ternary "." $internalProfileSuffix .Values.global.proxy.enableExternalProfiles}}
+ {{- $internalDomain := printf "svc.%s." .Values.global.clusterDomain }}
+ value: {{ternary "." $internalDomain .Values.global.proxy.enableExternalProfiles}}
 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
 value: 10000ms
 - name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE
diff --git a/controller/cmd/service-mirror/cluster_watcher_test_util.go b/controller/cmd/service-mirror/cluster_watcher_test_util.go
index 84cc8a4b3..c2605163f 100644
--- a/controller/cmd/service-mirror/cluster_watcher_test_util.go
+++ b/controller/cmd/service-mirror/cluster_watcher_test_util.go
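Review bot: In the _proxy.tpl hunk `LINKERD2_PROXY_DESTINATION_GET_SUFFIXES` becomes unconditionally `svc.<clusterDomain>.`, dropping the `enableExternalProfiles` ternary that the sibling `LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES` entry keeps; the golden files later in this patch confirm the rendered value changes from `.` to `svc.cluster.local.`. Neither the commit message nor the template says why, and for installs with `enableExternalProfiles` it looks like destination lookups for names outside the cluster domain are no longer requested. If that is intended (for instance because the gateway needs this list to agree with the new `LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES`), a template comment above the entry would pin it: `{{- /* Destination lookups are restricted to in-cluster names regardless of enableExternalProfiles; external profiles are still governed by PROFILE_SUFFIXES below. */}}`. The same `printf "svc.%s." .Values.global.clusterDomain` is now spelled out three times in the hunk; defining `$internalDomain` once above the `{{ if` block and reusing it for the gateway suffix, the get suffix and the profile ternary would keep them from drifting apart.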
@@ -104,7 +104,7 @@ var createServiceWrongGatewaySpec = &testEnvironment{
 },
 },
 remoteResources: []string{
- gatewayAsYaml("existing-gateway", "existing-namespace", "222", "192.0.2.127", "linkerd-gateway-wrong", 888, "", 111, "/path", 666),
+ gatewayAsYaml("existing-gateway", "existing-namespace", "222", "192.0.2.127", "mc-wrong", 888, "", 111, "/path", 666),
 },
 }
 
@@ -130,7 +130,7 @@ var createServiceOkeGatewaySpec = &testEnvironment{
 },
 },
 remoteResources: []string{
- gatewayAsYaml("existing-gateway", "existing-namespace", "222", "192.0.2.127", "linkerd-gateway", 888, "gateway-identity", defaultProbePort, defaultProbePath, defaultProbePeriod),
+ gatewayAsYaml("existing-gateway", "existing-namespace", "222", "192.0.2.127", "mc-gateway", 888, "gateway-identity", defaultProbePort, defaultProbePath, defaultProbePeriod),
 },
 }
 
@@ -193,7 +193,7 @@ var updateServiceToNewGateway = &testEnvironment{
 },
 },
 remoteResources: []string{
- gatewayAsYaml("gateway-new", "gateway-ns", "currentGatewayResVersion", "0.0.0.0", "linkerd-gateway", 999, "", defaultProbePort, defaultProbePath, defaultProbePeriod),
+ gatewayAsYaml("gateway-new", "gateway-ns", "currentGatewayResVersion", "0.0.0.0", "mc-gateway", 999, "", defaultProbePort, defaultProbePath, defaultProbePeriod),
 },
 localResources: []string{
 mirroredServiceAsYaml("test-service-remote", "test-namespace", "gateway", "gateway-ns", "past", "pastGatewayResVersion", []corev1.ServicePort{
@@ -269,7 +269,7 @@ var updateServiceWithChangedPorts = &testEnvironment{
 },
 },
 remoteResources: []string{
- gatewayAsYaml("gateway", "gateway-ns", "currentGatewayResVersion", "192.0.2.127", "linkerd-gateway", 888, "", defaultProbePort, defaultProbePath, defaultProbePeriod),
+ gatewayAsYaml("gateway", "gateway-ns", "currentGatewayResVersion", "192.0.2.127", "mc-gateway", 888, "", defaultProbePort, defaultProbePath, defaultProbePeriod),
 },
 localResources: []string{
 mirroredServiceAsYaml("test-service-remote", "test-namespace", "gateway", "gateway-ns", "past", "pastGatewayResVersion", []corev1.ServicePort{
diff --git a/controller/proxy-injector/fake/data/inject-sidecar-container-spec.yaml b/controller/proxy-injector/fake/data/inject-sidecar-container-spec.yaml
index b136c844d..9ed7d5aaf 100644
--- a/controller/proxy-injector/fake/data/inject-sidecar-container-spec.yaml
+++ b/controller/proxy-injector/fake/data/inject-sidecar-container-spec.yaml
@@ -12,7 +12,7 @@ env:
 - name: LINKERD2_PROXY_INBOUND_LISTENER
 value: tcp://0.0.0.0:4143
 - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
- value: .
+ value: svc.cluster.local.
 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
 value: .
 - name: LINKERD2_PROXY_POD_NAMESPACE
diff --git a/controller/proxy-injector/fake/data/pod-with-debug.patch.json b/controller/proxy-injector/fake/data/pod-with-debug.patch.json
index 03f4133c9..bdf69f886 100644
--- a/controller/proxy-injector/fake/data/pod-with-debug.patch.json
+++ b/controller/proxy-injector/fake/data/pod-with-debug.patch.json
@@ -32,57 +32,55 @@ { "op": "add", "path": "/spec/initContainers/-", - "value": - { - "args": [ - "--incoming-proxy-port", - "4143", - "--outgoing-proxy-port", - "4140", - "--proxy-uid", - "2102", - "--inbound-ports-to-ignore", - "4190,4191" - ], - "image": "gcr.io/linkerd-io/proxy-init:v1.3.3", - "imagePullPolicy": "IfNotPresent", - "name": "linkerd-init", - "resources": { - "limits": { - "cpu": "100m", - "memory": "50Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } + "value": { + "args": [ + "--incoming-proxy-port", + "4143", + "--outgoing-proxy-port", + "4140", + "--proxy-uid", + "2102", + "--inbound-ports-to-ignore", + "4190,4191" + ], + "image": "gcr.io/linkerd-io/proxy-init:v1.3.3", + "imagePullPolicy": "IfNotPresent", + "name": "linkerd-init", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" }, - "securityContext": { - "allowPrivilegeEscalation": false, - "capabilities": { - "add": [ - "NET_ADMIN", - "NET_RAW" - ] - }, - "privileged": false, - "readOnlyRootFilesystem": true, - "runAsNonRoot": false, - "runAsUser": 0 + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ] }, - "terminationMessagePolicy": "FallbackToLogsOnError" - } + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePolicy": "FallbackToLogsOnError" + } }, { "op": "add", "path": "/spec/containers/-", - "value": - { - "image": "gcr.io/linkerd-io/debug:debug-image-version", - "imagePullPolicy": "IfNotPresent", - "name": "linkerd-debug", - "terminationMessagePolicy": "FallbackToLogsOnError" - } + "value": { + "image": "gcr.io/linkerd-io/debug:debug-image-version", + "imagePullPolicy": "IfNotPresent", + "name": "linkerd-debug", + "terminationMessagePolicy": "FallbackToLogsOnError" + } }, { "op": "add", 
@@ -92,104 +90,103 @@ { "op": "add", "path": "/spec/containers/-", - "value": - { - "env": [ - { - "name": "LINKERD2_PROXY_LOG", - "value": "warn,linkerd=info" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_SVC_ADDR", - "value": "linkerd-dst.linkerd.svc.cluster.local:8086" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_GET_NETWORKS", - "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" - }, - { - "name": "LINKERD2_PROXY_CONTROL_LISTEN_ADDR", - "value": "0.0.0.0:4190" - }, - { - "name": "LINKERD2_PROXY_ADMIN_LISTEN_ADDR", - "value": "0.0.0.0:4191" - }, - { - "name": "LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR", - "value": "127.0.0.1:4140" - }, - { - "name": "LINKERD2_PROXY_INBOUND_LISTEN_ADDR", - "value": "0.0.0.0:4143" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_GET_SUFFIXES", - "value": "." - }, - { - "name": "LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES", - "value": "." - }, - { - "name": "LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE", - "value": "10000ms" - }, - { - "name": "LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE", - "value": "10000ms" - }, - { - "name": "_pod_ns", - "valueFrom": { - "fieldRef": { - "fieldPath": "metadata.namespace" - } + "value": { + "env": [ + { + "name": "LINKERD2_PROXY_LOG", + "value": "warn,linkerd=info" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_SVC_ADDR", + "value": "linkerd-dst.linkerd.svc.cluster.local:8086" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_GET_NETWORKS", + "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + }, + { + "name": "LINKERD2_PROXY_CONTROL_LISTEN_ADDR", + "value": "0.0.0.0:4190" + }, + { + "name": "LINKERD2_PROXY_ADMIN_LISTEN_ADDR", + "value": "0.0.0.0:4191" + }, + { + "name": "LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR", + "value": "127.0.0.1:4140" + }, + { + "name": "LINKERD2_PROXY_INBOUND_LISTEN_ADDR", + "value": "0.0.0.0:4143" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_GET_SUFFIXES", + "value": "svc.cluster.local." + }, + { + "name": "LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES", + "value": "." 
+ }, + { + "name": "LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE", + "value": "10000ms" + }, + { + "name": "LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE", + "value": "10000ms" + }, + { + "name": "_pod_ns", + "valueFrom": { + "fieldRef": { + "fieldPath": "metadata.namespace" } - }, - { - "name": "LINKERD2_PROXY_DESTINATION_CONTEXT", - "value": "ns:$(_pod_ns)" - }, - { - "name": "LINKERD2_PROXY_IDENTITY_DISABLED", - "value": "disabled" } - ], - "image": "gcr.io/linkerd-io/proxy:dev-undefined", - "imagePullPolicy": "IfNotPresent", - "livenessProbe": { - "httpGet": { - "path": "/live", - "port": 4191 - }, - "initialDelaySeconds": 10 }, - "name": "linkerd-proxy", - "ports": [ - { - "containerPort": 4143, - "name": "linkerd-proxy" - }, - { - "containerPort": 4191, - "name": "linkerd-admin" - } - ], - "readinessProbe": { - "httpGet": { - "path": "/ready", - "port": 4191 - }, - "initialDelaySeconds": 2 + { + "name": "LINKERD2_PROXY_DESTINATION_CONTEXT", + "value": "ns:$(_pod_ns)" }, - "resources": null, - "securityContext": { - "allowPrivilegeEscalation": false, - "readOnlyRootFilesystem": true, - "runAsUser": 2102 + { + "name": "LINKERD2_PROXY_IDENTITY_DISABLED", + "value": "disabled" + } + ], + "image": "gcr.io/linkerd-io/proxy:dev-undefined", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "httpGet": { + "path": "/live", + "port": 4191 }, - "terminationMessagePolicy": "FallbackToLogsOnError" - } + "initialDelaySeconds": 10 + }, + "name": "linkerd-proxy", + "ports": [ + { + "containerPort": 4143, + "name": "linkerd-proxy" + }, + { + "containerPort": 4191, + "name": "linkerd-admin" + } + ], + "readinessProbe": { + "httpGet": { + "path": "/ready", + "port": 4191 + }, + "initialDelaySeconds": 2 + }, + "resources": null, + "securityContext": { + "allowPrivilegeEscalation": false, + "readOnlyRootFilesystem": true, + "runAsUser": 2102 + }, + "terminationMessagePolicy": "FallbackToLogsOnError" + } } ] 
diff --git a/controller/proxy-injector/fake/data/pod.patch.json b/controller/proxy-injector/fake/data/pod.patch.json index 03919b8b6..fcc725dfe 100644 --- a/controller/proxy-injector/fake/data/pod.patch.json +++ b/controller/proxy-injector/fake/data/pod.patch.json @@ -32,46 +32,45 @@ { "op": "add", "path": "/spec/initContainers/-", - "value": - { - "args": [ - "--incoming-proxy-port", - "4143", - "--outgoing-proxy-port", - "4140", - "--proxy-uid", - "2102", - "--inbound-ports-to-ignore", - "4190,4191" - ], - "image": "gcr.io/linkerd-io/proxy-init:v1.3.3", - "imagePullPolicy": "IfNotPresent", - "name": "linkerd-init", - "resources": { - "limits": { - "cpu": "100m", - "memory": "50Mi" - }, - "requests": { - "cpu": "10m", - "memory": "10Mi" - } + "value": { + "args": [ + "--incoming-proxy-port", + "4143", + "--outgoing-proxy-port", + "4140", + "--proxy-uid", + "2102", + "--inbound-ports-to-ignore", + "4190,4191" + ], + "image": "gcr.io/linkerd-io/proxy-init:v1.3.3", + "imagePullPolicy": "IfNotPresent", + "name": "linkerd-init", + "resources": { + "limits": { + "cpu": "100m", + "memory": "50Mi" }, - "securityContext": { - "allowPrivilegeEscalation": false, - "capabilities": { - "add": [ - "NET_ADMIN", - "NET_RAW" - ] - }, - "privileged": false, - "readOnlyRootFilesystem": true, - "runAsNonRoot": false, - "runAsUser": 0 + "requests": { + "cpu": "10m", + "memory": "10Mi" + } + }, + "securityContext": { + "allowPrivilegeEscalation": false, + "capabilities": { + "add": [ + "NET_ADMIN", + "NET_RAW" + ] }, - "terminationMessagePolicy": "FallbackToLogsOnError" - } + "privileged": false, + "readOnlyRootFilesystem": true, + "runAsNonRoot": false, + "runAsUser": 0 + }, + "terminationMessagePolicy": "FallbackToLogsOnError" + } }, { "op": "add", 
@@ -81,104 +80,103 @@ { "op": "add", "path": "/spec/containers/-", - "value": - { - "env": [ - { - "name": "LINKERD2_PROXY_LOG", - "value": "warn,linkerd=info" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_SVC_ADDR", - "value": "linkerd-dst.linkerd.svc.cluster.local:8086" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_GET_NETWORKS", - "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" - }, - { - "name": "LINKERD2_PROXY_CONTROL_LISTEN_ADDR", - "value": "0.0.0.0:4190" - }, - { - "name": "LINKERD2_PROXY_ADMIN_LISTEN_ADDR", - "value": "0.0.0.0:4191" - }, - { - "name": "LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR", - "value": "127.0.0.1:4140" - }, - { - "name": "LINKERD2_PROXY_INBOUND_LISTEN_ADDR", - "value": "0.0.0.0:4143" - }, - { - "name": "LINKERD2_PROXY_DESTINATION_GET_SUFFIXES", - "value": "." - }, - { - "name": "LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES", - "value": "." - }, - { - "name": "LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE", - "value": "10000ms" - }, - { - "name": "LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE", - "value": "10000ms" - }, - { - "name": "_pod_ns", - "valueFrom": { - "fieldRef": { - "fieldPath": "metadata.namespace" - } + "value": { + "env": [ + { + "name": "LINKERD2_PROXY_LOG", + "value": "warn,linkerd=info" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_SVC_ADDR", + "value": "linkerd-dst.linkerd.svc.cluster.local:8086" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_GET_NETWORKS", + "value": "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" + }, + { + "name": "LINKERD2_PROXY_CONTROL_LISTEN_ADDR", + "value": "0.0.0.0:4190" + }, + { + "name": "LINKERD2_PROXY_ADMIN_LISTEN_ADDR", + "value": "0.0.0.0:4191" + }, + { + "name": "LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR", + "value": "127.0.0.1:4140" + }, + { + "name": "LINKERD2_PROXY_INBOUND_LISTEN_ADDR", + "value": "0.0.0.0:4143" + }, + { + "name": "LINKERD2_PROXY_DESTINATION_GET_SUFFIXES", + "value": "svc.cluster.local." + }, + { + "name": "LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES", + "value": "." 
+ }, + { + "name": "LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE", + "value": "10000ms" + }, + { + "name": "LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE", + "value": "10000ms" + }, + { + "name": "_pod_ns", + "valueFrom": { + "fieldRef": { + "fieldPath": "metadata.namespace" } - }, - { - "name": "LINKERD2_PROXY_DESTINATION_CONTEXT", - "value": "ns:$(_pod_ns)" - }, - { - "name": "LINKERD2_PROXY_IDENTITY_DISABLED", - "value": "disabled" } - ], - "image": "gcr.io/linkerd-io/proxy:dev-undefined", - "imagePullPolicy": "IfNotPresent", - "livenessProbe": { - "httpGet": { - "path": "/live", - "port": 4191 - }, - "initialDelaySeconds": 10 }, - "name": "linkerd-proxy", - "ports": [ - { - "containerPort": 4143, - "name": "linkerd-proxy" - }, - { - "containerPort": 4191, - "name": "linkerd-admin" - } - ], - "readinessProbe": { - "httpGet": { - "path": "/ready", - "port": 4191 - }, - "initialDelaySeconds": 2 + { + "name": "LINKERD2_PROXY_DESTINATION_CONTEXT", + "value": "ns:$(_pod_ns)" }, - "resources": null, - "securityContext": { - "allowPrivilegeEscalation": false, - "readOnlyRootFilesystem": true, - "runAsUser": 2102 + { + "name": "LINKERD2_PROXY_IDENTITY_DISABLED", + "value": "disabled" + } + ], + "image": "gcr.io/linkerd-io/proxy:dev-undefined", + "imagePullPolicy": "IfNotPresent", + "livenessProbe": { + "httpGet": { + "path": "/live", + "port": 4191 }, - "terminationMessagePolicy": "FallbackToLogsOnError" - } + "initialDelaySeconds": 10 + }, + "name": "linkerd-proxy", + "ports": [ + { + "containerPort": 4143, + "name": "linkerd-proxy" + }, + { + "containerPort": 4191, + "name": "linkerd-admin" + } + ], + "readinessProbe": { + "httpGet": { + "path": "/ready", + "port": 4191 + }, + "initialDelaySeconds": 2 + }, + "resources": null, + "securityContext": { + "allowPrivilegeEscalation": false, + "readOnlyRootFilesystem": true, + "runAsUser": 2102 + }, + "terminationMessagePolicy": "FallbackToLogsOnError" + } } ] 
diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go
index 0b5471b09..0af09c6e3 100644
--- a/pkg/charts/linkerd2/values.go
+++ b/pkg/charts/linkerd2/values.go
@@ -112,6 +112,7 @@ type (
 Trace *Trace `json:"trace"`
 UID int64 `json:"uid"`
 WaitBeforeExitSeconds uint64 `json:"waitBeforeExitSeconds"`
+ IsGateway bool `json:"isGateway"`
 RequireIdentityOnInboundPorts string `json:"requireIdentityOnInboundPorts"`
 }
 
diff --git a/pkg/inject/inject.go b/pkg/inject/inject.go
index 85689d22f..5b92ca82f 100644
--- a/pkg/inject/inject.go
+++ b/pkg/inject/inject.go
@@ -498,6 +498,7 @@ func (conf *ResourceConfig) injectPodSpec(values *patch) {
 UID: conf.proxyUID(),
 Resources: conf.proxyResourceRequirements(),
 WaitBeforeExitSeconds: conf.proxyWaitBeforeExitSeconds(),
+ IsGateway: conf.isGateway(),
 RequireIdentityOnInboundPorts: conf.requireIdentityOnInboundPorts(),
 }
 
@@ -806,6 +807,15 @@ func (conf *ResourceConfig) requireIdentityOnInboundPorts() string {
 return conf.getOverride(k8s.ProxyRequireIdentityOnInboundPortsAnnotation)
 }
 
+func (conf *ResourceConfig) isGateway() bool {
+ if override := conf.getOverride(k8s.ProxyEnableGatewayAnnotation); override != "" {
+ value, err := strconv.ParseBool(override)
+ return err == nil && value
+ }
+
+ return false
+}
+
 func (conf *ResourceConfig) proxyWaitBeforeExitSeconds() uint64 {
 if override := conf.getOverride(k8s.ProxyWaitBeforeExitSecondsAnnotation); override != "" {
 waitBeforeExitSeconds, err := strconv.ParseUint(override, 10, 64)
diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go
index 2465074e6..31f03b125 100644
--- a/pkg/k8s/labels.go
+++ b/pkg/k8s/labels.go
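Review bot: `isGateway` in the second inject.go hunk silently treats an unparsable annotation value as false (`return err == nil && value`), so a value like `config.linkerd.io/enable-gateway: "yes"` turns gateway mode off with no trace, and for the multicluster gateway that means the pod comes up as an ordinary proxy while the chart believes it is a gateway. Separate the error from the value: `if err != nil { /* report the rejected value through the logger this file already uses */ return false }` followed by `return value`, mirroring whatever `proxyWaitBeforeExitSeconds` (whose body continues past the hunk) does with its `ParseUint` error so the two override parsers stay consistent. A one-line doc comment would also help the next reader, e.g. `// isGateway reports whether the enable-gateway annotation carries a value strconv.ParseBool accepts as true.`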
@@ -195,6 +195,10 @@ const (
 // to always require identity on inbound ports
 ProxyRequireIdentityOnInboundPortsAnnotation = ProxyConfigAnnotationsPrefix + "/proxy-require-identity-inbound-ports"
 
+ // ProxyEnableGatewayAnnotation can be used to configure the proxy
+ // to operate as a gateway, routing requests that target the inbound router.
+ ProxyEnableGatewayAnnotation = ProxyConfigAnnotationsPrefix + "/enable-gateway"
+
 // ProxyDisableIdentityAnnotation can be used to disable identity on the injected proxy.
 ProxyDisableIdentityAnnotation = ProxyConfigAnnotationsPrefix + "/disable-identity"
 
@@ -433,10 +437,10 @@ const (
 ConfigKeyName = "kubeconfig"
 
 // GatewayPortName is the name of the incoming port of the gateway
- GatewayPortName = "linkerd-gateway"
+ GatewayPortName = "mc-gateway"
 
 // ProbePortName is the name of the probe port of the gateway
- ProbePortName = "linkerd-gateway-probe"
+ ProbePortName = "mc-probe"
 
 // ServiceMirrorLabel is the value used in the controller component label
 ServiceMirrorLabel = "servicemirror"
diff --git a/test/inject/testdata/injected_params.golden b/test/inject/testdata/injected_params.golden
index 4986da1f0..1a65f894e 100644
--- a/test/inject/testdata/injected_params.golden
+++ b/test/inject/testdata/injected_params.golden
@@ -64,7 +64,7 @@ spec:
 - name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
 value: 0.0.0.0:678
 - name: LINKERD2_PROXY_DESTINATION_GET_SUFFIXES
- value: .
+ value: svc.cluster.local.
 - name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES
 value: .
 - name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE
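Review bot: The new doc comment on `ProxyEnableGatewayAnnotation` in the first labels.go hunk says what the annotation does but not which values it takes; only by reading `isGateway` in inject.go elsewhere in this patch does one learn that solely values `strconv.ParseBool` accepts are honoured and anything else counts as false. Suggested wording: `// ProxyEnableGatewayAnnotation configures the injected proxy to operate as a gateway, routing requests that target the inbound listener through the outbound proxy. Only values strconv.ParseBool accepts are recognised; any other value leaves gateway mode off.` The comment's `inbound router` also differs from the commit message's `inbound listener`, which is the term the proxy env already uses (`LINKERD2_PROXY_INBOUND_LISTEN_ADDR`), so picking one would avoid suggesting two different things.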