Commit Graph

2411 Commits

Author SHA1 Message Date
Alejandro Pedraza 2f8d669890
Fixed multicluster Grafana chart (#5114)
The graphs were empty because they were relying on the metric label `dst_target_gateway` which is no longer relevant.
2020-10-21 10:06:37 -05:00
Alejandro Pedraza 5500bc60b9
Small fixes to linkerd2 chart README.md (#5100)
* Small fixes to linkerd2 chart README.md

Fixes #5092: a couple of entries should go under `global` and fixed a
typo.
2020-10-21 10:04:00 -05:00
Zahari Dichev 8c4c32eb38
Adjust helm readme (#5104)
Fixed some discrepancies between the Linkerd's chart README and the default values.

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-10-21 16:38:05 +03:00
Oliver Gould 84b1a826bd
Replace global.proxy.destinationGetNetworks with global.clusterNetworks (#5110)
There is no longer a proxy config `DESTINATION_GET_NETWORKS`. Instead of
reflecting this implementation in our values.yaml, this changes this
variable to the more general `clusterNetworks` to emphasize its
similarity to `clusterDomain` for the purposes of discovery.
2020-10-20 19:05:31 -07:00
Oliver Gould d0bce594ea
Remove defunct proxy config variables (#5109)
The proxy no longer honors DESTINATION_GET variables, as profile lookups
inform when endpoint resolution is performed.  Also, there is no longer
a router capacity limit.
2020-10-20 16:13:53 -07:00
Oliver Gould f0820bdfbf
inject: Use 'quote' function in proxy template (#5107)
As described in #5105, it's not currently possible to set the proxy log
level to `off`. The proxy injector's template does not quote the log
level value, and so the `off` value is handled as `false`. Thanks, YAML.

This change updates the proxy template to use helm's `quote` function
throughout, replacing manually quoted values and fixing the quoting for
the log level value.

We also remove the default logFormat value, as the default is specified
in values.yaml.
2020-10-20 15:36:10 -07:00
George Garces 64c1c394d1
Includes Advance Latam as an adopter (#5097)
Signed-off-by: Jorge Garces <jgarces21@gmail.com>
2020-10-20 14:19:38 -07:00
Simon Weald a8ec9c9e44
Allow tracing ServiceAccounts to use the PSP (#5072)
Currently the tracing deployments do not start on clusters where
restricted PodSecurityPolicies are enforced.

This PR adds the subchart's ServiceAccounts to the `linkerd-psp`
RoleBinding, thereby allowing the deployments to be satisfied.

Signed-off-by: Simon Weald <glitchcrab-github@simonweald.com>
2020-10-20 20:04:37 +05:30
Oliver Gould a6f5d72b63
proxy: v2.116.0 (#5102)
This release fixes a minor regression in outbound tap data, where the
source TCP address was omitted.

This release also improves logging:
- uptime formatting is fixed to only display microsecond granularity,
  which fixes formatting/alignment inconsistencies.
- The `off` log level is now special-cased to entirely disable the
  logging subsystem. This can substantially reduce memory usage.

---

* telemetry: Include git SHA in build_info (linkerd/linkerd2-proxy#716)
* outbound: Set source address in Tap metadata (linkerd/linkerd2-proxy#718)
* outbound: test profile search nets filtering (linkerd/linkerd2-proxy#714)
* app: Consolidate metrics types in `core::metrics` (linkerd/linkerd2-proxy#709)
* outbound: test load balancer adding/removing TCP endpoints (linkerd/linkerd2-proxy#717)
* Remove hardcoded list of ports to skip (linkerd/linkerd2-proxy#719)
* admin: Simplify metrics server (linkerd/linkerd2-proxy#720)
* Split tracing init & admin handlers into crate (linkerd/linkerd2-proxy#721)
* tracing: Fix time formatting to ensure alignment (linkerd/linkerd2-proxy#722)
* tracing: Support disabling tracing entirely (linkerd/linkerd2-proxy#723)
2020-10-20 07:25:32 -07:00
Oliver Gould c5d3b281be
Add 100.64.0.0/10 to the set of discoverable networks (#5099)
It appears that Amazon can use the `100.64.0.0/10` network, which is
technically private, for a cluster's Pod network.

Wikipedia describes the network as:

> Shared address space for communications between a service provider
> and its subscribers when using a carrier-grade NAT.

In order to avoid requiring additional configuration on EKS clusters, we
should permit discovery for this network by default.
2020-10-19 12:59:44 -07:00
Kevin Leimkuhler eff50936bf
Fix --all-namespaces flag handling (#5085)
## Motivations

Closes #5080

## Solution

When the `--all-namespaces` (`-A`) flag is set for the `linkerd edges` command,
ignore the `namespace` value set by default or `-n`.

This is similar to the behavior for `kubectl`. `kubectl get -A -n linkerd pods`
showing pods in all namespaces.

### Behavior changes

With linkerd and emojivoto installed, this results in:

Before:

```
❯ linkerd edges -A pods
No edges found.
```

After:

```
❯ linkerd edges -A pods
SRC                                   DST                                       SRC_NS      DST_NS      SECURED       
vote-bot-6cb9cb9569-wl6w5             web-5d69bcfdb7-mxf8f                      emojivoto   emojivoto   √  
web-5d69bcfdb7-mxf8f                  emoji-7dc976587b-rb9c5                    emojivoto   emojivoto   √  
web-5d69bcfdb7-mxf8f                  voting-bdf4f778c-pjkjg                    emojivoto   emojivoto   √  
linkerd-prometheus-68d6897d75-ghmgm   emoji-7dc976587b-rb9c5                    linkerd     emojivoto   √  
linkerd-prometheus-68d6897d75-ghmgm   vote-bot-6cb9cb9569-wl6w5                 linkerd     emojivoto   √  
linkerd-prometheus-68d6897d75-ghmgm   voting-bdf4f778c-pjkjg                    linkerd     emojivoto   √  
linkerd-prometheus-68d6897d75-ghmgm   web-5d69bcfdb7-mxf8f                      linkerd     emojivoto   √  
linkerd-controller-7d965cf78d-qw6xj   linkerd-prometheus-68d6897d75-ghmgm       linkerd     linkerd     √  
linkerd-prometheus-68d6897d75-ghmgm   linkerd-controller-7d965cf78d-qw6xj       linkerd     linkerd     √  
linkerd-prometheus-68d6897d75-ghmgm   linkerd-destination-74dbb9c46b-nkxgh      linkerd     linkerd     √  
linkerd-prometheus-68d6897d75-ghmgm   linkerd-grafana-5d9fb67dc6-sn2l8          linkerd     linkerd     √  
linkerd-prometheus-68d6897d75-ghmgm   linkerd-identity-c875b5d58-b756v          linkerd     linkerd     √  
linkerd-prometheus-68d6897d75-ghmgm   linkerd-proxy-injector-767b55988d-n9r6f   linkerd     linkerd     √  
linkerd-prometheus-68d6897d75-ghmgm   linkerd-sp-validator-6c8df84fb9-4w8kc     linkerd     linkerd     √  
linkerd-prometheus-68d6897d75-ghmgm   linkerd-tap-777fbf7656-p87dm              linkerd     linkerd     √  
linkerd-prometheus-68d6897d75-ghmgm   linkerd-web-546c9444b5-68xpx              linkerd     linkerd     √
```

`linkerd edges -A -n linkerd pods` results in all edges as well (the result
above).

The behavior of `linkerd edges pods` does not change and shows edges in the
`default` namespace.

```
❯ linkerd edges pods
No edges found.
```

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-10-16 16:49:10 -04:00
Oliver Gould 4f16a234aa
Add a default set of ports to bypass the proxy (#5093)
The proxy has a default, hardcoded set of ports on which it doesn't do
protocol detection (25, 587, 3306 -- all of which are server-first
protocols). In a recent change, this default set was removed from
the outbound proxy, since there was no way to configure it to anything
other than the default set. I had thought that there was a default set
applied to proxy-init, but this appears to not be the case.

This change adds these ports to the default Helm values to restore the
prior behavior.

I have also elected to include 443 in this set, as it is generally our
recommendation to avoid proxying HTTPS traffic, since the proxy provides
very little value on these connections today.

Additionally, the memcached port 11211 is skipped by default, as clients
do not issue any sort of preamble that is immediately detectable.

These defaults may change in the future, but seem like good choices for
the 2.9 release.
2020-10-16 11:53:41 -07:00
Alex Leong 9701f1944e
Stop rendering addon config (#5078)
The linkerd-addon-config is no longer used and can be safely removed.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-16 11:07:51 -07:00
Oliver Gould 60a742ab56
tests: Consolidate TestHelper.LinkerdRun error handling (#5057)
Most invocations of `TestHelper.LinkerdRun` don't actually need the stderr
output except to encode it in the error message. This changes this helper
to return an error that includes the full invoked command and error message.

Invocations that need direct access to stderr must call `TestHelper.PipeToLinkerdRun`
2020-10-15 14:57:03 -07:00
Alex Leong 827646a3e1
Revert "Trigger ARM int tests for edge releases as well" (#5087)
This reverts commit 85cbcb4a85.

We disable the ARM integration tests for now until we have more confidence in them.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-15 09:28:48 -07:00
Oliver Gould 222c11400b
tests: Set proxy log to linkerd=debug (#5081)
The proxy log level `linkerd2_proxy=debug` only enables logging from a
few proxy modules. We should instead use the more general
`linkerd=debug`.
2020-10-14 15:31:03 -07:00
Alex Leong 9553fbcd75
Skip SMI metrics integration test on arm (#5086)
The SMI metrics image does not yet support arm.  Thus we must skip the SMI metrics integration test when using arm.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-14 14:10:33 -07:00
Alex Leong fbc405d5b4
Fix incorrect usage of --skip-kind-create flag (#5084)
The release workflow uses the `-skip-kind-create` flag when the flag is actually called `-skip-cluster-create`.  This causes the workflow to fail.

We correct the flag name.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-14 11:30:27 -07:00
Alex Leong eccc6d1214
edge-20.10.3 (#5079)
This edge release is a release candidate for stable-2.9.0.  It overhauls the
discovery and routing logic implemented by the proxy, simplifies the way that
Linkerd stores configuration, and adds new Helm values to configure additional
labels, annotations, and namespace selectors for webhooks.

* Added podLabels and podAnnotations Helm values to allow adding additional
  labels or annotations to Linkerd control plane pods (thanks @tustvold!)
* Added namespaceSelector Helm value for configuring the namespace selector
  used by admission webhooks (thanks @tustvold!)
* Expanded the 'linkerd edges' command to show TCP connections
* Overhauled the discovery and routing logic implemented by the proxy:
  * The `l5d-dst-override` header is no longer honored
  * When the application attempts to connect to a pod IP, the proxy no
    longer load balances these requests among all pods in the service.
    The proxy will now honor session-stickiness as selected by an
    application-level load balancer
  * `TrafficSplits` are only applied when a client targets a service's IP
  * The proxy no longer performs DNS "canonicalization" to translate
    relative host header names to a fully-qualified form
* Simplified the way that Linkerd stores its configuration.  Configuration is
  now stored as Helm values in the linkerd-config ConfigMap
* Renamed the --addon-config flag to --config to clarify this flag can be used
  to set any Helm value

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-14 09:59:59 -07:00
Zahari Dichev de8855c096
More comprehensive injection integration test (#5049)
The purpose of this test is to validate that the auto injector configures the proxy and the additional containers according to the specified config.

This is done by providing a helper that can generate the desired annotations and later inspect an injected pod in order to determine that every bit of configuration has been accounted for. This test is to provide further assurance that #5036 did not introduce any regressions.

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-10-14 19:31:56 +03:00
Oliver Gould 8efec3e696
test: Relax regex for Endpoint Slices update error (#5083)
We've encountered errors like the following in CI:

```
Error updating Endpoint Slices for Service linkerd/linkerd-proxy-injector: Error updating linkerd-proxy-injector-27vgh EndpointSlice for Service linkerd/linkerd-proxy-injector: endpointslices.discovery.k8s.io "linkerd-proxy-injector-27vgh" not found
```

There is a regex to prevent similar errors from failing a test, but it
is too restrictive. This change relaxes the regex to ignore all errors
of this kind ("updating Endpoint Slices for Service").
2020-10-14 09:16:30 -07:00
Alejandro Pedraza 865e140be9
Trigger ARM int tests for edge releases as well (#5073)
Used to be triggered only for stable releases, but now that 2.9 stable
approaches let's turn it on for the upcoming RCs.
2020-10-14 10:54:07 -05:00
Oliver Gould 5e7e7e6477
proxy: v2.115.0 (#5076)
This release fixes several recent regressions:

1. The proxy could incorrectly emit inbound requests with absolute-form
   URIs.
2. Inbound tap metadata did not include source addresses or identities.
3. Gateway requests included the incorrect port in the
   `l5d-dst-canonical` header.
4. Gateway requests never included a `Host` header.

Furthermore, support for the
`LINKERD2_PROXY_OUTBOUND_PORTS_DISABLE_PROTOCOL_DETECTION` environment
variable has been removed in anticipation of control plane changes that
will provide this configuration via service profiles. This configuration
is never set by the proxy injector, so this change does not pose any
issues with regard to compatibility.

---

* metrics: Coerce targets to metric labels by-reference (linkerd/linkerd2-proxy#706)
* outbound: Unify TCP & HTTP target types (linkerd/linkerd2-proxy#707)
* inbound: Fix source tap annotations (linkerd/linkerd2-proxy#712)
* trace-context: Simplify implementation with async (linkerd/linkerd2-proxy#710)
* outbound: Use profile to inform protocol detection (linkerd/linkerd2-proxy#708)
* inbound: Fix URI normalization for orig-proto requests (linkerd/linkerd2-proxy#713)
* outbound: more TCP tests, test cleanup (linkerd/linkerd2-proxy#711)
* gateway: Ensure proper outbound metadata (linkerd/linkerd2-proxy#715)
2020-10-14 08:11:17 -07:00
Alex Leong 500c1cc2d7
Expose namespaceSelector for admission webhooks in helm chart (#5074)
Closes (#5026)

Signed-off-by: Alex Leong <alex@buoyant.io>
Co-authored-by: Raphael Taylor-Davies <r.taylordavies@googlemail.com>
2020-10-13 16:08:56 -07:00
Alex Leong f0493a085d
Fix addon-overwrite test (#5077)
The TestUpgradeOverwriteRemoveAddonKeys was not actually verifying that the fields which should be removed were actually removed.  Thus it failed to catch an error with the test itself where the `addon-overwrite` flag was spelled incorrectly and not properly registered.  

We update the test to verify that the field is removed and fix the test by correcting the spelling of the flag and properly registering it.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-13 15:03:52 -07:00
Alex Leong 5d10176d9b
Rename --addon-config flag to --config (#5075)
The `--addon-config` flag allows users to supply a yaml config file which will override the Values used to install or upgrade Linkerd.  While this is useful for supplying config for addons, it can be used to configure any part of the Values struct.  Thus, we rename the flag to `--config`.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-13 14:07:18 -07:00
Tarun Pothulapati 2a5e7dba62
Handle grafana add-on config repair (#5059)
* Handle grafana add-on config repair

Fixes #5014

In Grafana Add-On, Default fields i.e `grafana.image.name`, `grafana.name`
have been removed from `linkerd-config-addons` after `2.8.1`. Only
overridden values are stored in `linkerd-config-addons` as of now.
Hence, `grafana.image.name` has to be removed from
`linkerd-config-addons` unless they are overridden so that updates
to it can take place especially the move from `gcr` to `ghcr`.

This also removes `grafana.name` field if they are set to default, as
it's removed.

This problem will not occur again even if we update default values, as
default values are not stored in `linkerd-config-addons` anymore for all
add-ons.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-10-13 13:12:49 -07:00
Alex Leong 0f4be79830
Remove install, global, and proxy fields from config entirely (#5067)
Remove the now unused `global`, `install`, and `proxy` fields from the `linkerd-config` configmap.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-13 09:12:32 -07:00
Markus f8e7295bdc
MC chart load balancer ip (#5048)
adding loadBalancerIP to linkerd2-multicluster chart

Sometimes you are in need to tell the gateway service to pick up / request a specific IP from the LB.
e.g. when you talk to another cluster that is having another firewall in front and not permitting access from random IPs.

Solution
Minor change in the chart for Multicluster.

Validation
Example in a GKE:
Register a static IP, note it. Then

helm install linkerd-mc linkerd2/linkerd2-multicluster --set loadBalancerIP="<IP>"

Your gateway service will come up with the IP you have given it.
If you don't set the parameter, then the LB will give out a random IP.

If you don't have a cluster, look at the yaml produced by helm template...
and look if the loadBalancerIP: <IP>  is there

```
apiVersion: v1
kind: Service
.
.
.
  selector:
    app: linkerd-gateway
  type: LoadBalancer
  loadBalancerIP: 1.1.1.1
```

Signed-off-by: Markus Bettsteller <markus@bettsteller.de>
2020-10-13 18:08:40 +03:00
Alex Leong 41c1fc65b0
Upgrade using config overrides (#5005)
This is a major refactor of the install/upgrade code which removes the config protobuf and replaces it with a config overrides secret which stores overrides to the values struct.  Further background on this change can be found here: https://github.com/linkerd/linkerd2/discussions/4966

Note: as-is this PR breaks injection.  There is work to move injection onto a Values-based config which must land before this can be merged.

A summary of the high level changes:

* the install, global, and proxy fields of linkerd-config ConfigMap are no longer populated
* the CLI install flow now follows these simple steps:
  * load default Values from the chart
  * update the Values based on the provided CLI flags
  * render the chart with these values
  * also render a Secret/linkerd-config-overrides which describes the values which have been changed from their defaults
* the CLI upgrade flow now follows these simple steps:
  * load the default Values from the chart
  * if Secret/linkerd-config-overrides exists, apply the overrides onto the values
  * otherwise load the legacy ConfigMap/linkerd-config and use it to update the values
  * further update the values based on the provided CLI flags
  * render the chart and the Secret/linkerd-config-overrides as above
* Helm install and upgrade is unchanged

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-12 14:23:14 -07:00
Oliver Gould 4d7da72192
proxy: v2.114.0 (#5062)
This release overhauls the discovery and routing logic implemented by
the proxy: instead of looking at HTTP request metadata for service
discovery, the outbound proxy now exclusively uses each connection's
target IP:PORT. This eager resolution eliminates per-request cache
binding; and supports using TrafficSplit with non-HTTP services.

This has a few side effects:

- The `l5d-dst-override` header is no longer honored.
- When the application attempts to connect to a pod IP, the proxy no
  longer load balances these requests among all pods in the service.
  The proxy will now honor session-stickiness as selected by an
  application-level load balancer.
- `TrafficSplits` are only applied when a client targets a service's IP.
- The proxy no longer performs DNS "canonicalization" to translate
  relative host header names to a fully-qualified form.

---

* Unify RequestFilter and Admit middlewares (linkerd/linkerd2-proxy#692)
* Only allow name-based profile discovery for inbound requests (linkerd/linkerd2-proxy#695)
* outbound: initial tests for TCP mTLS (with fewer moving parts) (linkerd/linkerd2-proxy#693)
* Stop honoring DESTINATION_GET_* configuration (linkerd/linkerd2-proxy#696)
* stack: add SwitchReady service (linkerd/linkerd2-proxy#694)
* telemetry: Remove trailing comma in build_info labels (linkerd/linkerd2-proxy#699)
* Update Rust to 1.47.0 (linkerd/linkerd2-proxy#701)
* cache: Delete benchmarks (linkerd/linkerd2-proxy#705)
* outbound: Discover profiles for each unique TCP target (linkerd/linkerd2-proxy#704)
2020-10-12 12:01:51 -07:00
Zahari Dichev 60d8f34095
avoid waiting when creating calico cluster with kind (#5064)
Currently the --wait flag times out when creating a calico cluster. The result is that we end up waiting for 5 minutes to simply emit a warning and continue. Instead we can check the readiness of some k8s components to ensure our cluster is up and running and avoid the delay.

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-10-12 18:26:00 +03:00
Alejandro Pedraza 777b06ac55
Expand 'linkerd edges' to work with TCP connections (#5040)
* Expand 'linkerd edges' to work with TCP connections

Fixes #4999

Before:
```
$ bin/linkerd edges po -owide
SRC                                   DST                                    SRC_NS    DST_NS    CLIENT_ID   SERVER_ID   SECURED
linkerd-prometheus-764ddd4f88-t6c2j   rabbitmq-controller-5c6cf7cc6d-8lxp2   linkerd   default                           √
linkerd-prometheus-764ddd4f88-t6c2j   temp                                   linkerd   default                           √

```

After:
```
$ bin/linkerd edges po -owide
SRC                                   DST                                    SRC_NS    DST_NS    CLIENT_ID         SERVER_ID         SECURED
temp                                  rabbitmq-controller-5c6cf7cc6d-5fpsc   default   default   default.default   default.default   √
linkerd-prometheus-66fb97b7fc-vpnxf   rabbitmq-controller-5c6cf7cc6d-5fpsc   linkerd   default                                       √
linkerd-prometheus-66fb97b7fc-vpnxf   temp                                   linkerd   default                                       √
```

With the latest proxy upgrade to v2.113.0 (#5037), the `tcp_open_total` metric now contains the `client_id` label so that we can replace the http-only metric `response_total` with this one to determine edges for TCP-only connections.

This change basically performs the same query as before, but two times, one for `response_total` and another for `tcp_open_total`. For each resulting entry, the latter is kept if `client_id` is present, otherwise the former is used (if present at all). That way things keep on working for older proxies.

Disclaimers:
- This doesn't fix #3706: if two sources connect to the same destination there's no way to tell them apart from the metrics perspective and their edges can get mangled. To fix that, the proxy would have to expose `src_resource` labels in the `tcp_open_total` total inbound metric.
- Note connections coming from prometheus are still unidentified. The reason is those hit the proxy's admin server (instead of the main container) which doesn't expose metrics.
2020-10-12 09:14:39 -05:00
Alejandro Pedraza 3af25fa886
Fix how env vars are set in CI (#5054)
Replaced `set-env` directives with environment files, as explained
[here](https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/)

This gets rid of warnings of the sort:
```
The `set-env` command is deprecated and will be disabled soon. Please
upgrade to using Environment Files. For more information see:
https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
```
2020-10-09 19:24:41 -07:00
Chris Campbell 8be08994f0
Add HP to ADOPTERS.md (#5061)
Signed-off-by: Chris Campbell <chrs.cmpbl@gmail.com>
2020-10-09 18:42:18 -07:00
Alex Leong 530d8beccc
Add podLabels and podAnnotations to Values struct (#5056)
PR https://github.com/linkerd/linkerd2/pull/5027 added `podLabels` and `podAnnotations` to `values.yaml` to allow setting labels and annotations on pods in the Helm template.  However, these fields were not added to the `Values` struct in `Values.go`.  This means that these fields were not serialized out to the `linkerd-config` or to the `linkerd-config-overrides`.  Furthermore, in PR #5005 which moves to using the `Values` struct more authoritatively, the `podLabels` and `podAnnotations` fields would not take effect at all.

Add these fields to the `Values` struct and update all test fixtures accordingly.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-09 09:27:28 -07:00
Oliver Gould 5f694513bd
bin/tests: Improve argument parsing (#5060)
The `bin/tests` script takes command-line arguments, but it requires
that all arguments are specified before the linkerd binary path; and it
silently ignores flags that follow the linkerd binary. Furthermore,
unexpected flags may be incorrectly parsed as the linkerd binary path.

This changes argument parsing to be more flexible about ordering; and it
prints the full usage error when unexpected flags are encountered.
2020-10-09 07:27:22 -07:00
Raphael Taylor-Davies 2a97d76121
Expose podLabels and podAnnotations in helm chart (#5027)
This adds the `podAnnotations` and `podLabels` values in `values.yml` for adding custom annotations/labels to all the control plane pods.

Closes (#5025)

Signed-off-by: Raphael Taylor-Davies <r.taylordavies@googlemail.com>
2020-10-08 16:46:53 -05:00
Alejandro Pedraza 11a5d1d427
Fix Heartbeat mem and cpu stats (#5042)
Since k8s 1.16 cadvisor uses the `container` label instead of
`container_name` in the prometheus metrics it exposes.
The heartbeat queries were using the latter, so they were broken
for k8s versions since 1.16.

Note that the `p99-handle-us` value is still missing because the
`request_handle_us` metric is always zero.
2020-10-08 16:31:16 -05:00
Zahari Dichev ffa7157907
Add warnings for failed secret mounts to expect warnings in it (#5053)
Seems that Helm is cleaning orphaned resources. Pods that depend on them seem to be not upgraded on time, causing some warnings to be emitted and the CI process to fail

Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
2020-10-08 15:06:03 -05:00
Zahari Dichev c1bc91dc9c
edge-20.10.2 (#5050)
## edge-20.10.2

This edge release adds more improvements for mTLS for all TCP traffic.
It also includes significant internal improvements to the way Linkerd
configuration is stored within the cluster.

* Changed TCP metrics exported by the proxy to ensure that peer
  identities are encoded via the `client_id` and `server_id` labels.
* Removed the dependency of control plane components on `linkerd-config`
* Updated the data structure `proxy-injector` uses to derive the configuration
  used when injecting workloads
2020-10-08 20:18:07 +03:00
Tarun Pothulapati 1e7bb1217d
Update Injection to use new linkerd-config.values (#5036)
This PR Updates the Injection Logic (both CLI and proxy-injector)
to use `Values` struct instead of protobuf Config, part of our move
in removing the protobuf.

This does not touch any of the flags, install related code.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>

Co-authored-by: Alex Leong <alex@buoyant.io>
2020-10-07 09:54:34 -07:00
Tarun Pothulapati 5e774aaf05
Remove dependency of linkerd-config for control plane components (#4915)
* Remove dependency of linkerd-config for most control plane components

This PR removes the dependency of `linkerd-config` into control
plane components by making all that information passed through CLI
flags. As most of these components require a couple of flags, passing
them as flags could be more helpful, as updations to the flags trigger a
rollout unlike a configMap update.

This does not update the proxy-injector as it needs a lot more data
and mounting `linkerd-config` is better.
2020-10-06 22:19:18 +05:30
Alex Leong 34a35c612d
Add flag library (#5038)
One of the challenges with using the Cobra flag library is that it is difficult to differentiate between a flag that has been set explicitly to its default value and one that has been unset (and thus remains at its default value).  In particular, when processing CLI flags for the purposes of install and upgrade, this distinction is important because we want to persist the effects of flags which have been set.

Flag is an interface which describes a command line flag that affects the Helm Values used to render Helm charts.  This interface allows us to iterate over flags which have been set and apply their effects to the Values.  To see how this library is to be used, see https://github.com/linkerd/linkerd2/pull/5005

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-05 14:57:40 -07:00
Oliver Gould 127791c362
proxy: v2.113.0 (#5037)
This release includes changes to TCP metrics to ensure that peer
identities are encoded via the `client_id` and `server_id` labels.

---

* outbound: Explicitly ignore the source address for tap (linkerd/linkerd2-proxy#680)
* Update proxy-api and tonic (linkerd/linkerd2-proxy#682)
* http: Lazily build http/tcp stacks (linkerd/linkerd2-proxy#681)
* outbound: Remove required identity from HttpLogical (linkerd/linkerd2-proxy#683)
* profiles: Expose the fully_qualified_name (linkerd/linkerd2-proxy#684)
* request-filter: Support altering the request type (linkerd/linkerd2-proxy#685)
* tracing: Set contexts in new_service/make_service (linkerd/linkerd2-proxy#686)
* discover: Allow resolution streams to terminate (linkerd/linkerd2-proxy#689)
* metrics: add peer identities to all TLS metric labels (linkerd/linkerd2-proxy#687)
* outbound: Return a default endpoint on reject (linkerd/linkerd2-proxy#690)
* Skip endpoint resolution when profile lookup is rejected (linkerd/linkerd2-proxy#691)
2020-10-02 14:42:26 -07:00
Alejandro Pedraza e1772ae183
Fixed releases.yaml by pulling images directly from ghcr.io (#5035)
Previously, `releases.yaml` was trying to load images into the kind
clusters but that failed because those images were already in `ghcr.io`
and not in the local docker cache, but that failure was masked.
Unmasking that failure revealed some flaws that this change addresses:

- In `bin/_test_helpers` (used by `bin/tests`), modified the `images`
arg to accept `docker(default)|archive|skip`, for determining how to
load the images into the cluster (if loading them at all)
- In `bin/image-load`, changed arg `images` to `archive` which is more
descriptive.
- Have `kind_integration.yml` call `bin/tests --images archive`.
- Have `release.yml` call `bin/tests --images skip`.
2020-10-02 08:05:17 -05:00
Alejandro Pedraza 2b7bc7362a
Edge-20.10.1 changes (#5033)
* Edge-20.10.1 changes

## edge-20.10.1

This edge release includes a couple of external contributions towards
improved cert-manager support and Grafana charts fixes, among other
enhancements.

* Changed the type of the injector and tap API secrets to `kubernetes.io/tls`,
  so they can be provisioned by cert-manager (thanks @cypherfox!)
* Fixed the "Kubernetes cluster monitoring" Grafana dashboard that had a few
  charts with incomplete data (thanks @aimbot31!)
* Fixed the `service-mirror` multicluster component so that it retries
  connections to the target cluster's Kubernetes API when it's not reachable,
  instead of blocking
* Increased the proxy's default timeout for DNS resolution to 500ms, as there
  were reports that 100ms was too restrictive

Co-authored-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-10-01 15:35:34 -05:00
Tarun Pothulapati faf77798f0
Update check to use new linkerd-config.values (#5023)
This branch updates the check functionality to read
the new `linkerd-config.values` which contains the full
Values struct showing the current state of the Linkerd
installation. (being added in #5020)

This is done by adding a new `FetchCurrentConfiguration`
which first tries to get the latest, if not falls back
to the older `linkerd-config` protobuf format.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-10-01 11:19:25 -07:00
Kevin Leimkuhler 6b7a39c9fa
Set FQN in profile resolutions (#5019)
## Motivation

Closes #5016

Depends on linkerd/linkerd2-proxy-api#44

## Solution

A `profileTranslator` exists for each service and now has a new
`fullyQualifiedName` field.

This field is used to set the `FullyQualifiedName` field of
`DestinationProfile`s each time an update is sent.

In the case that no service profile exists for a service, a default
`DestinationProfile` is created and we can use the field to set the correct
name.

In the case that a service profile does exist for a service, we still use this
field to set the name to keep it consistent.

### Example

Install linkerd on a cluster and run the destination server:

```
go run controller/cmd/main.go destination -kubeconfig ~/.kube/config
```

Get the IP of a service. Here, we'll get the ip for `linkerd-identity`:

```
> kubectl get -n linkerd svc/linkerd-identity
NAME               TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
linkerd-identity   ClusterIP   10.43.161.68   <none>        8080/TCP   4h25m
```

Get the profile of `linkerd-identity` from service name or IP and note the
`FullyQualifiedName` field:

```
> go run controller/script/destination-client/main.go -method getProfile -path 10.43.161.68:8080
INFO[0000] fully_qualified_name:"linkerd-identity.linkerd.svc.cluster.local" ..
```

```
> go run controller/script/destination-client/main.go -method getProfile -path linkerd-identity.linkerd.svc.cluster.local
INFO[0000] fully_qualified_name:"linkerd-identity.linkerd.svc.cluster.local" ..
```

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-10-01 11:06:00 -04:00
Alex Leong 6452fbbdfa
Add values to linkerd-config (#5020)
Fixes #5008 

We add a `values` file to the `ConfigMap/linkerd-config` resource.  This file holds the full Values which were used to render the chart except that private data such as the identity issuer key are redacted.  This file is currently unused but will eventually be used by CLI commands such as `check` and `inject` which need to load Linkerd's configuration (as described in #5009).

This is one step in a larger effort to eventually get rid of the other files in `ConfigMap/linkerd-config`.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-09-30 11:37:25 -07:00