Commit Graph

13 Commits

Author SHA1 Message Date
Björn Wenzel 0ee18eb168
Allow Multicluster Service to be non LoadBalancer ServiceType (#5307)
Signed-off-by: Björn Wenzel <bjoern.wenzel@dbschenker.com>
2020-12-03 13:03:49 -05:00
Shai Katz 4ffb41ab44
Add MC Gateway Service Annotations (#5185)
Fixes #5182

That will allow setting the load balancer as internal.

Signed-off-by: Shai Katz <shai@soluto.com>
2020-11-12 11:19:19 -08:00
Markus f8e7295bdc
MC chart load balancer ip (#5048)
adding loadBalancerIP to linkerd2-multicluster chart

Sometimes you are in need to tell the gateway service to pick up / request a specific IP from the LB.
e.g. when you talk to another cluster that is having another firewall in front and not permitting access from random IPs.

Solution
Minor change in the chart for Multicluster.

Validation
Example in a GKE:
Register a static IP, note it. Then

helm install linkerd-mc linkerd2/linkerd2-multicluster --set loadBalancerIP="<IP>"

Your gateway service will come up with the IP you have given it.
If you don't set the parameter, then the LB will give out a random IP.

If you don't have a cluster, look at the yaml produced by helm template...
and look if the loadBalancerIP: <IP>  is there

```
`apiVersion: v1
kind: Service
.
.
.
  selector:
    app: linkerd-gateway
  type: LoadBalancer
  loadBalancerIP: 1.1.1.1`
```

Signed-off-by: Markus Bettsteller <markus@bettsteller.de>
2020-10-13 18:08:40 +03:00
Alex Leong 6ef9cab3d0
Fix up multicluster component labels (#4806)
Fixes #4511

Add the `linkerd.io/control-plane-component: gateway` label to the multicluster gateway.  Change the value of `linkerd.io/control-plane-component` from `linkerd-service-mirror` to `service-mirror` for the service mirror controller.

These changes are for consistency and should not result in any change in functionality.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-08-11 17:02:20 -07:00
cpretzer ebb9cfe492
adding tmp volume for restrictive pod secuity policies (#4566)
Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-06-08 13:58:47 -07:00
cpretzer b36544980d
Run linkerd-gateway as non-root (#4543)
Container-optimized OS on GKE runs with a set of read/write rules that prevent the linkerd-gateway from starting up.

These changes move the directories that nginx needs to write to /tmp and configures the error_log to write to stderr

Signed-off-by: Charles Pretzer charles@buoyant.io
2020-06-05 13:14:36 -07:00
Alejandro Pedraza 7d9525e316
Removed trailing spaces from entries in configmaps (#4544)
Fixes #4454

As explained
[here](https://github.com/kubernetes/kubernetes/issues/36222#issuecomment-553966166),
trailing spaces in configmap data makes it to look funky when retrieved
later on. This is currently affecting `linkerd-config-addons` and
`linkerd-gateway-config`:

```
$ k -n linkerd-multicluster get cm linkerd-gateway-config -oyaml
apiVersion: v1
data:
  nginx.conf: "events {\n}\nstream {                                                                                                                                                                                  \n
    \  server {                                                                                                                                                                                \n
    \      listen     4180;                                                                                                                                                 \n
    \      proxy_pass 127.0.0.1:4140;                                                                                                                                 \n
    \  }                                                                                                                                                                                       \n}
    \nhttp {\n  server {\n      listen     4181;\n      location /health {\n        access_log
    off;\n        return 200 \"healthy\\n\";\n      }\n  }\n  server {\n      listen
    \    8888;\n      location /health-local {\n        access_log off;\n        return
    200 \"healthy\\n\";\n      }\n  }    \n}"
kind: ConfigMap
```

AFAIK this is only cosmetic and doesn't affect functionality.
2020-06-04 09:06:37 -05:00
Tarun Pothulapati 33308e397f
Use templated value for Gateway cm name (#4534)
Fixes #4531 

This PR updates the `linkerd-gateway` cm's name to be templated. To allow multiple Gateway installations in the same cluster with different configmaps.

(Installing multiple gateways in the same cluster is possible only through Helm, as the CLI dosen't expose those commands currently.)

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-06-03 14:43:28 -04:00
Oliver Gould 7cc5e5c646
multicluster: Use the proxy as an HTTP gateway (#4528)
This change modifies the linkerd-gateway component to use the inbound
proxy, rather than nginx, for gateway. This allows us to detect loops and
propagate identity through the gateway.

This change also cleans up port naming to `mc-gateway` and `mc-probe`
to resolve conflicts with Kubernetes validation.

---

* proxy: v2.99.0

The proxy can now operate as gateway, routing requests from its inbound
proxy to the outbound proxy, without passing the requests to a local
application. This supports Linkerd's multicluster feature by adding a
`Forwarded` header to propagate the original client identity and assist
in loop detection.

---

* Add loop detection to inbound & TCP forwarding (linkerd/linkerd2-proxy#527)
* Test loop detection (linkerd/linkerd2-proxy#532)
* fallback: Unwrap errors recursively (linkerd/linkerd2-proxy#534)
* app: Split inbound/outbound constructors into components (linkerd/linkerd2-proxy#533)
* Introduce a gateway between inbound and outbound (linkerd/linkerd2-proxy#540)
* gateway: Add a Forwarded header (linkerd/linkerd2-proxy#544)
* gateway: Return errors instead of responses (linkerd/linkerd2-proxy#547)
* Fail requests that loop through the gateway (linkerd/linkerd2-proxy#545)

* inject: Support config.linkerd.io/enable-gateway

This change introduces a new annotation,
config.linkerd.io/enable-gateway, that, when set, enables the proxy to
act as a gateway, routing all traffic targetting the inbound listener
through the outbound proxy.

This also removes the nginx default listener and gateway port of 4180,
instead using 4143 (the inbound port).

* proxy: v2.100.0

This change modifies the inbound gateway caching so that requests may be
routed to multiple leaves of a traffic split.

---

* inbound: Do not cache gateway services (linkerd/linkerd2-proxy#549)
2020-06-02 19:37:14 -07:00
Alex Leong 91a067c924
Rename gateway ports (#4526)
* Rename gateway ports

Signed-off-by: Alex Leong <alex@buoyant.io>

* fmt

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-06-02 09:08:23 +03:00
Zahari Dichev 6c3922a7f1
Probe manager simplification (#4510)
There are a few notable things happening in this PR: 

- the probe manager has been decoupled from the cluster_watcher. Now its only responsibility is to watch for mirrored gateways beeing created and to probe them. This means that probes are initiated for all gateways no matter whether there are mirrored services being paired
- the number of paired services is derived from the existing services in the cluster rather than being published as a metric by the prober
- there are no events being exchanged between the cluster watcher and the probe manager

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-06-01 14:41:29 -07:00
Mayank Shah 2f710f48c0
multicluster: normalize nginx configmap naming (#4508)
For the Edge-20.5.6 release notes: Mention under the Helm section that the user might wanna manually remove the `nginx-configuration` configmap that is left over after this upgrade.

Signed-off-by: Mayank Shah <mayankshah1614@gmail.com>
2020-06-01 14:55:53 -05:00
Zahari Dichev 7b46682841
Add allow and link commands (#4466)
This change adds a `allow` and `link` commands, effectivelly enabling a cluster to have more than one set of credentials that allow it to be mirrored. 

Fx #4461

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>

Co-authored-by: Alex Leong <alex@buoyant.io>
2020-05-27 14:30:55 -07:00