Commit Graph

212 Commits

Author SHA1 Message Date
Kevin Lingerfelt 4450a7536d
Add --wait flag for CLI check and dashboard commands (#1503)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-22 12:56:42 -07:00
Kevin Lingerfelt 49f6c4c770
Refactor healthcheck init and observe setup (#1502)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-22 12:30:45 -07:00
Kevin Lingerfelt 53cd3b50d5
Add --pre flag for linkerd check command (#1497)
* Add --pre flag for linkerd check command
* Small adjustments to check help text

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-20 17:09:43 -07:00
Kevin Lingerfelt e97be1f5da
Move all healthcheck-related code to pkg/healthcheck (#1492)
* Move all healthcheck-related code to pkg/healthcheck
* Fix failed check formatting
* Better version check wording

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-20 16:50:22 -07:00
Eliza Weisman b8434d60d4
Add resource metadata to Tap CLI output (#1437)
Closes #1170.

This branch adds a `-o wide` (or `--output wide`) flag to the Tap CLI.
Passing this flag adds `src_res` and `dst_res` elements to the Tap
output, as described in #1170. These use the metadata labels in the tap
event to describe what Kubernetes resource the source and destination
peers belong to, based on what resource type is being tapped, and fall
back to pods if either peer is not a member of the specified resource
type.

In addition, when the resource type is not `namespace`, `src_ns` and
`dst_ns` elements are added, which show what namespaces the the source
and destination peers are in. For peers which are not in the Kubernetes
cluster, none of these labels are displayed.

The source metadata added in #1434 is used to populate the `src_res` and
`src_ns` fields.

Also, this branch includes some refactoring to how tap output is
formatted.

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
2018-08-20 14:25:26 -07:00
Kevin Lingerfelt 7c07ba0d53
Upgrade to dep 0.5.0, go 1.10.3 (#1479)
* Upgrade to dep 0.5.0, go 1.10.3
* Remove existing dep binary if it's the wrong version
* Add version in filename of dep binary to prevent version conflicts

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-17 16:04:50 -07:00
Alex Leong 094a375015
[RFC] linkerd top (#1435)
This an initial implementation of the `linkerd top` command.  This command launches an ncurses style tabular view of current requests (using data from tap).  Most of the command line arguments are the same as tap and allow selecting the resource to inspect and filtering which requests to view.  

Fixes #1283 

Signed-off-by: Alex Leong <alex@buoyant.io>
2018-08-15 18:10:23 -07:00
Kevin Lingerfelt 00a0572098
Better CLI error messages when control plane is unavailable (#1428)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-09 15:40:41 -07:00
Eliza Weisman 9d8f58cb16
Add additional validation for stat command-line arguments (#1415)
Closes #776.

This branch adds the following validation to the `linkerd stat` command:

* The `--to` and `--from` flags are now mutually exclusive
* The `--to-namespace` and `--from-namespace` commands are also mutually
  exclusive.
* The `namespace` resource type conflicts with the `--namespace`, 
  `--to-namespace`, and `--from-namespace` flags.

Examples:

```
$ bin/go-run cli/main.go stat deploy --to deploy/foo --from deploy/bar
Error: --to and --from flags are mutually exclusive
Usage:
  linkerd stat [flags] (RESOURCE)
  ...
```

```
$ bin/go-run cli/main.go stat deploy --to-namespace foo --from-namespace bar
Error: --to-namespace and --from-namespace flags are mutually exclusive
Usage:
  linkerd stat [flags] (RESOURCE)
  ...
```

```
$ bin/go-run cli/main.go stat namespace foo --namespace bar
Error: --namespace flag is incompatible with namespace resource type
Usage:
  linkerd stat [flags] (RESOURCE)
  ...
```

```
$ bin/go-run cli/main.go stat ns --to-namespace bar
Error: --to-namespace flag is incompatible with namespace resource type
Usage:
  linkerd stat [flags] (RESOURCE)
  ...
```

```
$ bin/go-run cli/main.go stat namespace --from-namespace bar
Error: --from-namespace flag is incompatible with namespace resource type
Usage:
  linkerd stat [flags] (RESOURCE)
  ...
```

```
$ bin/go-run cli/main.go stat ns/foo --from-namespace bar
Error: --from-namespace flag is incompatible with namespace resource type
Usage:
  linkerd stat [flags] (RESOURCE)
  ...
```

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
2018-08-08 15:35:47 -07:00
Kevin Lingerfelt 82940990e9
Rename mailing lists, remove all remaining conduit references (#1416)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-07 17:00:55 -07:00
Kevin Lingerfelt 4845b4ec04
Restore linkerd.io/control-plane* labels (#1411)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-07 13:53:29 -07:00
Kevin Lingerfelt e0a01c5dd8
Remove node scrape target, kubernetes grafana dashboard (#1410)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-07 13:41:38 -07:00
Kevin Lingerfelt bd19e8aaff
Update prometheus to only scrape proxies in the same mesh (#1402)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-06 12:05:55 -07:00
Kevin Lingerfelt f70ad7de11
Use stable version for linkerd2-proxy-api dep (#1400)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-08-03 11:59:42 -07:00
Sean McArthur c035193313
add H2 protocol to destination addrs if managed by linkerd (#1380)
Signed-off-by: Sean McArthur <sean@buoyant.io>
2018-08-03 10:14:30 -07:00
Eliza Weisman 01cc30d102
Increase outbound router capacity for Prometheus pod's proxy (#1358)
Currently, when a cluster has over 100 pods injected with the Linkerd2
proxy, Prometheus metrics are not collected correctly. This is because
Prometheus appears to be making more concurrent requests than its'
proxy's outbound router cache can handle See issue #1322 for further 
details.

This branch introduces a workaround for this issue, by increasing the
outbound router cache capacity to 10000 routes for the Prometheus pod's
proxy only. The router capacity limit of 100 active routes is primarily
due to the limitation of the number of active Destination service 
lookups, so increasing the capacity for the Prometheus pod specifically
is probably okay, as the scrape requests are made to IP addresses 
directly and therefore will not cause service discovery lookups. 

This change was originally implemented and tested in @siggy's PR #1228.
I've rebased his branch onto the current `master`, and updated the code
to reflect the project name change.

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Co-authored-by: Andrew Seigner <siggy@buoyant.io>
2018-08-02 16:44:11 -07:00
Ivan Sim eb04217a12 Update inject cmd to read from folder (#1377)
This change is a simplified implementation of the Builder.Path() and
Visitor().ExpandPathsToFileVisitors() functions used by kubectl to parse files
and directories. The filepath.Walk() function is used to recursively traverse
directories. Every .yaml or .json resource file in the directory is read
into its own io.Reader. All the readers are then passed to the YAMLDecoder in the
InjectYAML() function.

Fixes #1376

Signed-off-by: ihcsim <ihcsim@gmail.com>
2018-08-01 17:12:00 -07:00
Kevin Lingerfelt 8fe9e53f67
Remove remaining conduit references in codebase (#1381)
* Remove remaining conduit references in codebase
* Shorten emojivoto config url

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-31 11:19:34 -07:00
Kevin Lingerfelt c362d5e114
Update k8s.io dependencies to 1.11.1 (#1369)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-27 15:23:03 -07:00
Kevin Lingerfelt 51848230a0
Send glog logs to stderr by default (#1367)
* Send glog logs to stderr by default
* Factor out more shared flag parsing code

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-25 12:59:24 -07:00
Risha Mars ec3c861743
Enable Tap from the Web UI (#1356)
Adds a tap endpoint in the web api that communicates with the dashboard 
via websockets.
I've moved a bunch of code from the cli tap.go into utils so that the code 
can be shared between web and CLI. I think we should consider making the 
display more suited to web, but in the short term, reusing the CLI's 
rendering of tap events works.

Adds a Tap page in the Web UI that you can use to make tap requests. 
The form currently only allows you to enter a resource and namespace, 
other filters coming in a follow-up branch.
2018-07-24 14:23:42 -04:00
Kevin Lingerfelt 4b9700933a
Update prometheus labels to match k8s resource names (#1355)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-23 15:45:05 -07:00
Brian Smith a98bfb1ca7
Rename `ca-bundle-distributor` to `ca`. (#1340)
`ca-bundle-distributor` described the original role of the program but
`ca` ("Certificate Authority") better describes its current role.

Signed-off-by: Brian Smith <brian@briansmith.org>
2018-07-17 14:10:40 -10:00
Brian Smith 1b38310019
Remove executable bit from non-executable files. (#1335)
These files were created with the executable bit set accidentally due
to the way my network file system setup was configured.

Signed-off-by: Brian Smith <brian@briansmith.org>
2018-07-16 13:55:52 -10:00
Brian Smith 0fcfd2bffb
Stop using `installsuffix` when building Go code. (#1327)
* Stop using `installsuffix` when building Go code.

See https://plus.google.com/117192131596509381660/posts/eNnNePihYnK.
`-installsuffix cgo` isn't necessary as of Go 1.10 (where build caching
changed substantially) and it probably wasn't necessary earlier.

Signed-off-by: Brian Smith <brian@briansmith.org>
2018-07-16 13:48:50 -10:00
Franziska von der Goltz c7ac072acc
update grafana dashboards: conduit to linkerd (#1320)
* update grafana dashboards to remove conduit reference and replace with linkerd instances
* update test install fixtures to reflect changes

Fixes: #1315

Signed-off-by: Franziska von der Goltz <franziska@vdgoltz.eu>
2018-07-16 13:05:01 -07:00
Kevin Lingerfelt e5cce1abaf
Rename CLI from conduit to linkerd (#1312)
* Rename CLI binary
* Update integration tests for new binary name
* Rename --conduit-namespace flag, change default ns
* Rename occurrences of conduit in rest of CLI
* Rename inject and install components
* Remove conduit occurrences in docker files
* Additional miscellaneous cleanup
* Move protobuf definitions to linkerd2 package
* Rename conduit.io labels to use linkerd.io
* Rename conduit-managed segment to linkerd-managed
* Fix conduit references in web project

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-12 17:14:07 -07:00
Andrew Seigner e18fa48135
Name ClusterRole objects to be namespace-specific (#1295)
The control-plane's `ClusterRole` and `ClusterRoleBinding` objects are
global. Because their names did not vary across multiple control-plane
deployments, it prevented multiple control-planes from coexisting (when
RBAC is enabled).

Modify the `ClusterRole` and `ClusterRoleBinding` objects to include the
control-plane's namespace in their names. Also modify the integration
test to first install two control-planes, and then perform its full
suite of tests, to prevent regression.

Fixes #1292.

Signed-off-by: Andrew Seigner <siggy@buoyant.io>
2018-07-10 16:21:20 -07:00
Oliver Gould 941cad4a9c
Migrate build infrastructure to linkerd2 (#1298)
This PR begins to migrate Conduit to Linkerd2:
* The proxy has been completely removed from this repo, and is now located at
  github.com/linkerd/linkerd2-proxy.
* A `Dockerfile-proxy` has been added to fetch the most-recently published proxy
  binary from build.l5d.io.
* Proxy-specific protobuf bindings have been moved to
  github.com/linkerd/linkerd2-proxy-api.
* All docker images now use the gcr.io/linkerd-io registry.
* `inject` now uses `LINKERD2_PROXY_` environment variables
* Go paths have been updated to reflect the new (future) repo location.
2018-07-09 15:38:38 -07:00
Kevin Lingerfelt fd1aecfa63
Unhide --tls flag in conduit CLI (#1278)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-05 15:49:19 -07:00
Kevin Lingerfelt 693acdbf26
Update ListPods endpoint to return all pod owner types (#1275)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-05 15:14:16 -07:00
Kevin Lingerfelt f0ba8f3ee8
Fix owner types in TLS identity strings (#1257)
* Fix owner types in TLS identity strings
* Update documentation on TLSIdentity struct

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-03 14:20:24 -07:00
Risha Mars 83b982b25a
Change CLI and web TLS indicators from Secured to TLS (#1247)
Previously, we had "Secured" columns in the web and CLI for the percentage of traffic 
that is TLSed. Change this to "TLS"
2018-07-03 10:51:38 -07:00
Brian Smith 252a8d39d3
Generate an ephemeral CA at startup that distributes TLS credentials (#1245)
Create a ephemeral, in-memory TLS certificate authority and integrate it into the certificate distributor.

Remove the re-creation of deleted ConfigMaps; this will be added back later in #1248.

Signed-off-by: Brian Smith brian@briansmith.org
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-07-02 18:09:31 -10:00
Oliver Gould 20276b106e
tap: Support `tls` labeling (#1244)
The proxy's metrics are instrumented with a `tls` label that describes
the state of TLS for each connection and associated messges.

This same level of detail is useful to get in `tap` output as well.

This change updates Tap in the following ways:
* `TapEvent` protobuf updated:
  * Added `source_meta` field including source labels
  * `proxy_direction` enum indicates which proxy server was used.
* The proxy adds a `tls` label to both source and destination meta indicating the state of each peer's connection
* The CLI uses the `proxy_direction` field to determine which `tls` label should be rendered.
2018-07-02 17:19:20 -07:00
Kevin Lingerfelt a685dba873
Use parent name instead of pod name in identity string (#1236)
* Use parent name instead of pod name in identity string
* Update protobuf comment

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-06-29 14:28:13 -07:00
Brian Smith f989c56127
Proxy: Skip TLS for control plane loopback connections. (#1229)
If the controller address has a loopback host then don't use TLS to connect
to it. TLS isn't needed for security in that case. In mormal configurations
the proxy isn't terminating TLS for loopback connections anyway.

Signed-off-by: Brian Smith <brian@briansmith.org>
2018-06-28 17:24:09 -10:00
Risha Mars 5ed7fc563c
Add controller component pod uptimes to the ServiceMesh page (#1205)
- Return pod uptimes from the GetPods endpoint
- Adds filtering by namespace to api.GetPods
- Adds a --namespace filter to conduit get pods
- Adds pod uptimes to the controller component toolitps on the ServiceMesh page
- Moves the ServiceMesh page back to using /api/pods
2018-06-28 15:42:00 -07:00
Risha Mars 68586fe697
Add the ability to query stats by authority (#1181)
Adds the ability to query by a new non-kubernetes resource type, "authorities",
in the StatSummary api.

This includes an extensive refactor of stat_summary.go to deal with non-kubernetes 
resource types.

- Add documentation to Resource in the public api so we can use it for authority
- Handle non-k8s resource requests in the StatSummary endpoint
- Rewrite stat summary fetching and parsing to handle non-k8s resources
- keys stat summary metric handling by Resource instead of a generated string
- Adds authority to the CLI
- Adds /authorities to the Web UI
- Adds some more stat integration and unit tests
2018-06-28 14:31:44 -07:00
Kevin Lingerfelt ef9c890505 Fix issue with injected resource name, add test (#1226)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-06-28 10:23:38 -10:00
Oliver Gould 9f274526d6
cli: tap: Use safe accessors (#1224)
The `tap` command is prone to panic due to use of `nil` values.
This is  because we don't use the safe `Get*()` field accessors
provided by protobuf.

This change fixes several unsafe field access paths.

Fixes #47
2018-06-28 11:10:56 -07:00
Thomas Rampelberg fafce1b8b3
Add important comment back (#1219) 2018-06-28 08:18:52 -07:00
Brian Smith cca8e7077d
Add TLS support to `conduit inject`. (#1220)
* Add TLS support to `conduit inject`.

Add the settings needed to enable TLs when `--tls=optional` is passed on the
commend line. Later the requirement to add `--tls` will be removed.

Signed-off-by: Brian Smith <brian@briansmith.org>
2018-06-27 16:04:07 -10:00
Thomas Rampelberg 97868f654f
Add Pod to injectable types (#1213)
* Add Pod to injectable types

* Remove the pod label for pods
2018-06-27 14:37:05 -07:00
Kevin Lingerfelt 1f1968ad4d
Add --registry flag support for inject command (#1188)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-06-22 12:52:42 -07:00
Kevin Lingerfelt 5cf8ab00df
Switch to multi-value --tls flag, add to inject (#1182)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-06-21 15:52:14 -07:00
Kevin Lingerfelt af85d1714f
Add probes and log termination policy for distributor (#1178)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-06-21 14:02:41 -07:00
Kevin Lingerfelt 12f869e7fc
Add CA certificate bundle distributor to conduit install (#675)
* Add CA certificate bundle distributor to conduit install
* Update ca-distributor to use shared informers
* Only install CA distributor when --enable-tls flag is set
* Only copy CA bundle into namespaces where inject pods have the same controller
* Update API config to only watch pods and configmaps
* Address review feedback

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-06-21 13:12:21 -07:00
Kevin Lingerfelt e80356de34
Upgrade prometheus to v2.3.1 (#1174)
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-06-21 11:02:21 -07:00
Kevin Lingerfelt 682b0274b5
Add controller admin servers and readiness probes (#1168)
* Add controller admin servers and readiness probes
* Tweak readiness probes to be more sane
* Refactor based on review feedback

Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
2018-06-20 17:32:44 -07:00