* Simplify port-forwarding code
Simplifies the establishment of a port-forwarding by moving the common
logic into `PortForward.Init()`
Stemmed from this
[comment](https://github.com/linkerd/linkerd2/pull/2937#discussion_r295078800)
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
## edge-19.6.3
* CLI
  * Updated `linkerd check` to validate the caller can create
    `PodSecurityPolicy` resources
* Controller
  * Default the mutating and validating webhook configurations `sideEffects`
    property to `None` to indicate that the webhooks have no side effects on
    other resources (thanks @Pothulapati!)
* Proxy
  * Added the `NET_RAW` capability to the proxy-init container to be compatible
    with `PodSecurityPolicy`s that use `drop: all`
  * Fixed the proxy rejecting HTTP2 requests that don't have an `:authority`
  * Improved idle service eviction to reduce resource consumption for clients
    that send requests to many services
* Web UI
  * Removed the "Debug" page from the Linkerd dashboard while the functionality
    of that page is being redesigned
  * Added an Edges table to the resource detail view that shows the source,
    destination name, and identity for proxied connections
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
* Fixed the proxy rejecting HTTP2 requests that don't have an `:authority`
* Improved idle service eviction to reduce resource consumption for clients
that send requests to many services
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
* Have `GetOwnerKindAndName` be able to skip the cache
Refactored `GetOwnerKindAndName` so it can optionally skip the
shared informer cache and instead hit the k8s API directly.
Useful for the proxy injector, when the pod's replicaset just got
created and might not be ready in the cache yet.
Fixes #2738
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
Adds an Edges table to the resource detail view that shows the source,
destination name and identity for proxied connections to and from the resource
shown.
Problem:
For logrus logging, when a TTY is detected, the default format is elapsed timestamp.
This caused unreadable timestamps when running the go processes locally.
Solution:
Have logrus print full timestamps instead of the time elapsed since starting
in the controller go processes when running them
* Set logrus timestamps on public-api and web startup
* Move log level setting to flags.go
`linkerd check` validates whether PSP's exist, and if the caller has the
`NET_ADMIN` capability. This check was previously failing if `NET_ADMIN`
was not found, even in the case where the PSP admission controller was
not running. Related, `linkerd install` now includes a PSP, so
`linkerd check` should also validate that the caller can create PSP's.
Modify the `NET_ADMIN` check to warn, but not fail, if PSP's are found
but the caller does not have `NET_ADMIN`. Update the warning message to
mention that this is only a problem if the PSP admission controller is
running (and will only be a problem during injection, since #2920
handles control plane installation by adding its own PSP).
Also introduce a check to validate the caller can create PSP's.
Fixes #2884, #2849
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
This PR allows components to import specific FontAwesome icons using the
@fortawesome/react-fontawesome library. This cuts down on package size and the
number of files loaded.
Fixes #2927
Also moved `TestInstallSP` after `TestCheckPostInstall` so we're sure
the validating webhook is ready before installing a service profile.
Signed-off-by: Alejandro Pedraza Borrero <alejandro@buoyant.io>
## edge-19.6.2
* CLI
  * Added the `--linkerd-cni-enabled` flag to the `install` subcommands so that
    `NET_ADMIN` capability is omitted from the CNI-enabled control plane's PSP
* Controller
  * Default to least-privilege security context values for the proxy container
    so that auto-inject does not fail on restricted PSPs (thanks @codeman9!)
  * Defined least privilege default security context values for the proxy
    container so that auto-injection does not fail on (thanks @codeman9!)
  * Default the webhook failure policy to `Fail` in order to account for
    unexpected errors during auto-inject; this ensures uninjected applications
    are not deployed
  * Introduced control plane's PSP and RBAC resources into Helm templates;
    these policies are only in effect if the PSP admission controller is
    enabled
  * Fixed MWC namespace value so that when installing multiple control planes,
    there is a unique configuration for each one
  * Removed `UPDATE` operation from proxy-injector webhook because pod
    mutations are disallowed during update operations
* Proxy
  * The `l5d-override-dst` header is now used for inbound service profile
    discovery
  * Include errors in `response_total` metrics
  * Changed the load balancer to require that Kubernetes services are resolved
    via the control plane
* Web UI
  * Fixed dashboard behavior that caused incorrect table sorting
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
When installing multiple control planes, the mutatingwebhookconfiguration of the first control plane gets overwritten by any subsequent control plane install. This is caused by the fixed name given to the mutatingwebhookconfiguration manifest at install time.
This commit adds in the namespace to the manifest so that there is a unique configuration for each control plane.
Fixes #2887
* Add control plane and CNI PSP and RBAC resources
* Add the '--linkerd-cni-enabled' flag to the multi-stage install subcommands
This flag ensures that the NET_ADMIN capability is omitted from the control
plane's PSP during 'install config' and the proxy-init containers aren't
injected during 'install control-plane'.
Signed-off-by: Ivan Sim <ivan@buoyant.io>
I noticed that the tables weren't maintaining sort order.
This branch fixes sorting by using lodash orderBy.
Before: Look at the tables, for example in the Service Mesh page, the meshed
resource table, or in Top Routes. Note that both these tables have a default
sort order, but do not appear sorted.
After: These tables should be sorted by their default order.
* If HA, set the webhooks failure policy to 'Fail'
I'm adding to the linkerd namespace a new label
`linkerd.io/is-control-plane: true` that is used in the webhook configs'
selector to skip the proxy injector for this namespace. This avoids
running into the timing issues described in #2852.
Fixes #2852
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
The patch provided by @ihcsim applies correct values for the securityContext during injection, namely: `allowPrivilegeEscalation = false`, `readOnlyRootFilesystem = true`, and the capabilities are copied from the primary container. Additionally, the proxy-init container securityContext has been updated with appropriate values.
Signed-off-by: Cody Vandermyn <cody.vandermyn@nordstrom.com>
Add support for querying TrafficSplit resources through the common API layer. This is done by depending on the TrafficSplit client bindings from smi-sdk-go.
Signed-off-by: Alex Leong <alex@buoyant.io>
Updates and pins package version numbers in `package.json` to reflect the actual
versions in `yarn.lock`. Pins `react-iframe` to `1.7.16` and `jest` to `23.6.0`
- in both cases, there are later versions but they include breaking changes.
Modifies `webpack.config.js` to work with the updated `css-loader` library.
Fixes #2908.
## edge-19.6.1
* CLI
  * Fixed an issue where, when Linkerd is installed with `--ha`, running
    `linkerd upgrade` without `--ha` will disable the high availability
    control plane
  * Added a `--init-image-version` flag to `linkerd inject` to override the
    injected proxy-init container version
* Controller
  * Added multiple replicas for the `proxy-injector` and `sp-validator`
    controllers when run in high availability mode (thanks to @Pothulapati!)
* Proxy
  * Fixed a memory leak that can occur if an HTTP/2 request with a payload
    ends before the entire payload is sent to the destination
* Internal
  * Moved the proxy-init container to a separate `linkerd/proxy-init` Git
    repository
* Fix HA during upgrade
If we have a Linkerd installation with HA, and then we do `linkerd
upgrade` without specifying `--ha`, the replicas will get set back to 1,
yet the resource requests will keep their HA values.
Desired behavior: `linkerd install --ha` adds the `ha` value into the
linkerd-config, so it should be used during upgrade even if `--ha` is
not passed to `linkerd upgrade`.
Note we still can do `linkerd upgrade --ha=false` to disable HA.
This is a prerequisite to address #2852
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
## stable-2.3.2
This stable release fixes a memory leak in the proxy.
To install this release, run: `curl https://run.linkerd.io/install | sh`
**Full release notes**:
* Proxy
  * Fixed a memory leak that can occur if an HTTP/2 request with a payload
    ends before the entire payload is sent to the destination
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
commit 790a86aa9db463af479647bb91b8b55280d74d4
Author: Sean McArthur <sean@buoyant.io>
Date: Tue Jun 4 20:28:05 2019 -0700
Update h2 to v0.1.23 (#264)
- Fixes leaked DATA frames if never polled.
Signed-off-by: Sean McArthur <sean@buoyant.io>
This is a major refactor of the destination service. The goals of this refactor are to simplify the code for improved maintainability. In particular:
* Remove the "resolver" interfaces. These were a holdover from when our decision tree was more complex about how to handle different kinds of authorities. The current implementation only accepts fully qualified kubernetes service names and thus this was an unnecessary level of indirection.
* Moved the endpoints and profile watchers into their own package for a more clear separation of concerns. These watchers deal only in Kubernetes primitives and are agnostic to how they are used. This allows a cleaner layering when we use them from our gRPC service.
* Renamed the "listener" types to "translator" to make it more clear that the function of these structs is to translate kubernetes updates from the watcher to gRPC messages.
Signed-off-by: Alex Leong <alex@buoyant.io>
Split proxy-init into separate repo
Fixes #2563
The new repo is https://github.com/linkerd/linkerd2-proxy-init, and I
tagged the latest there `v1.0.0`.
Here, I've removed the `/proxy-init` dir and pinned the injected
proxy-init version to `v1.0.0` in the injector code and tests.
`/cni-plugin` depends on proxy-init, so I updated the import paths
there, and could verify CNI is still working (there is some flakiness
but unrelated to this PR).
For consistency, I added a `--init-image-version` flag to `linkerd
inject` along with its corresponding override config annotation.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
* Added labels to webhook configurations in charts/
* Multiple replicas of proxy-injector and sp-validator in HA
* Use ControllerComponent template variable for webhookconfigurations
Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
## edge-19.5.4
* CLI
  * Added a JSON option to the `linkerd edges` command so that output is
    scripting friendly and can be parsed easily (thanks @alenkacz!)
* Controller
  * **New** Control plane installations now generate a self-signed certificate
    and private key pair for each webhook, to prepare for future work to make
    the proxy injector and service profile validator HA
  * Added a debug container annotation, allowing the `--enable-debug-sidecar`
    flag to work when auto-injecting Linkerd proxies
* Proxy
  * Changed the proxy's routing behavior so that, when the control plane does
    not resolve a destination, the proxy forwards the request with minimal
    additional routing logic
  * Fixed a bug in the proxy's HPACK codec that could cause requests with very
    large header values to hang indefinitely
* Web UI
  * Removed the Authorities table and sidebar link from the dashboard to prepare
    for a new, improved dashboard view communicating authority data
* Internal
  * Modified the integration test for `linkerd upgrade` to test upgrading from
    the latest stable release instead of the latest edge, to reflect the typical
    use case
This stable release adds a number of proxy stability improvements.
To install this release, run: `curl https://run.linkerd.io/install | sh`
**Special thanks to**: @zaharidichev and @11Takanori!
**Full release notes**:
* Proxy
  * Changed the proxy's routing behavior so that, when the control plane
    does not resolve a destination, the proxy forwards the request with minimal
    additional routing logic
  * Fixed a bug in the proxy's HPACK codec that could cause requests with
    very large header values to hang indefinitely
  * Replaced the fixed reconnect backoff with an exponential one (thanks,
    @zaharidichev!)
  * Fixed an issue where requests could be held indefinitely by the load balancer
  * Added a dispatch timeout that limits the amount of time a request can be
    buffered in the proxy
  * Removed the limit on the number of concurrently active service discovery
    queries to the destination service
  * Fixed an epoll notification issue that could cause excessive CPU usage
  * Added the ability to disable tap by setting an env var (thanks,
    @zaharidichev!)
* Update webpack-dev-server to "^3.2.0" in package.json with generated yarn.lock file
Signed-off-by: cpretzer <charles@buoyant.io>
* #2817 enable shorthands for lodash
Signed-off-by: cpretzer <charles@buoyant.io>
* Pin webpack-dev-server to version 3.3.1
Signed-off-by: Charles Pretzer <charles@buoyant.io>
* Subject:
Remove unnecessary linting configs and rules for lodash
Problem:
Work related to supporting newer versions of node allows for the removal of lodash linting
Solution:
Remove lodash lint rules
Remove eslint-plugin-lodash from package.json
Remove lodash from plugins section of .eslintrc
Validation:
Ran all build commands (setup, dev, and run) with node versions 12 and 10
Fixes #2817 #2809
Signed-off-by: Charles Pretzer <charles@buoyant.io>
* Signed-off-by: Charles Pretzer <charles@buoyant.io>
Update yarn.lock after merge with master
Fixes#2103. Hides the Authorities table in the Overview and Namespace views on
the dashboard, and removes the link to Authorities in the Resources sidebar.
This change makes way for a future dashboard view incorporating traffic split
data and communicating Authority data in a more understandable way.
When `linkerd edges` returns JSON, the data will now be sorted alphabetically by
SRC name, meaning edges will be returned in a consistent order. Logic in the CLI
`edges.go` has also been simplified. These changes should result in the Travis
CI builds passing consistently.
This commit refactors the changes introduced by #2842 where the debug
container spec is created in the 'cli' and 'pkg' packages. This change
follows the existing pattern of annotating the YAML in the CLI code,
and injecting the sidecar spec in the shared library.
Signed-off-by: Ivan Sim <ivan@buoyant.io>