Commit Graph

2572 Commits

Author SHA1 Message Date
Alejandro Pedraza 4687dc52aa
Refactor webhook framework to allow webhooks define their flags (#5256)
* Refactor webhook framework to allow webhook define their flags

Pulled out of `launcher.go` the flag parsing logic and moved it into the `Main` methods of the webhooks (under `controller/cmd/proxy.injector/main.go` and `controller/cmd/sp-validator/main.go`), so that individual webhooks themselves can define the flags they want to use.

Also no longer require that webhooks have cluster-wide access.

Finally, renamed the type `webhook.handlerFunc` to `webhook.Handler` so it can be exported. This will be used in the upcoming jaeger webhook.
2020-11-23 10:40:30 -05:00
cpretzer 60f7aa324a
Fix some grammar and typos (#5261)
Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-11-23 09:23:32 -05:00
Kevin Leimkuhler 9a520ec2ca
Add notes for edge-20.11.4 (#5268)
## edge-20.11.4

* Fixed an issue in the destination service where endpoints always included a
  protocol hint, regardless of the controller label being present or not

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-11-20 16:56:45 -05:00
Kevin Leimkuhler 92f9387997
Check correct label value when setting protocol hint (#5267)
This fixes an issue where the protocol hint is always set on endpoint responses.
We now check the right value which determines if the pod has the required label.

A test for this has been added to #5266.

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-11-20 13:32:50 -08:00
Devdutt Shenoi 8ab6177c1f
Simplified boolean expression (#5251)
Simplified boolean expressions in routes command

Signed-off-by: Devdutt Shenoi <devdutt@outlook.in>
2020-11-20 09:37:06 -05:00
Takumi Sue 53afc7dbc4
Fix an odd indent (and test data) (#5262)
Signed-off-by: Takumi Sue <u630868b@alumni.osaka-u.ac.jp>
2020-11-20 09:34:40 -05:00
cpretzer c0a64946fb
edge-20.11.3 changes (#5255)
* edge-20.11.3 changes

Signed-off-by: Charles Pretzer <charles@buoyant.io>

* linting

Signed-off-by: Charles Pretzer <charles@buoyant.io>
2020-11-19 12:08:25 -08:00
ksummersill 8f8c6e7508
Update ADOPTERS.md (#5254)
Updated the Adopters to include Appddiction Studio.
2020-11-19 11:55:02 -08:00
Oliver Gould 375ffd782f
proxy: v2.121.0 (#5253)
This release changes error handling to teardown the server-side
connection when an unexpected error is encountered.

Additionally, the outbound TCP routing stack can now skip redundant
service discovery lookups when profile responses include endpoint
information.

Finally, the cache implementation has been updated to reduce latency by
removing unnecessary buffers.

---

* h2: enable HTTP/2 keepalive PING frames (linkerd/linkerd2-proxy#737)
* actions: Add timeouts to GitHub actions (linkerd/linkerd2-proxy#738)
* outbound: Skip endpoint resolution on profile hint (linkerd/linkerd2-proxy#736)
* Add a FromStr for dns::Name (linkerd/linkerd2-proxy#746)
* outbound: Avoid redundant TCP endpoint resolution (linkerd/linkerd2-proxy#742)
* cache: Make the cache cloneable with RwLock (linkerd/linkerd2-proxy#743)
* http: Teardown serverside connections on error (linkerd/linkerd2-proxy#747)
2020-11-18 16:55:53 -08:00
Tarun Pothulapati b389054d53
cli: Don't check for SAN in root and intermediate certs (#5237)
As discussed in #5228, it is not correct for root and intermediate
certs to have SAN. This PR updates the check to not verify the
intermediate issuer cert with the identity dns name (which checks with
SAN and not CN as the `verify` func is used to verify leaf certs and
not root and intermediate certs). This PR also avoids setting a SAN
field when generating certs in the `install` command.

Fixes #5228
2020-11-18 15:30:39 -08:00
Tarun Pothulapati 42f3be4319
cli: Fix custom namespace installation (#5241)
The `--linkerd-namespace` flag was not honored by the `install`
command. This change updates the install templating to use the
value of this flag.
2020-11-18 15:27:53 -08:00
Kevin Leimkuhler e65f216d52
Add endpoint to GetProfile response (#5227)
Context: #5209

This updates the destination service to set the `Endpoint` field in `GetProfile`
responses.

The `Endpoint` field is only set if the IP maps to a Pod--not a Service.

Additionally in this scenario, the default Service Profile is used as the base
profile so no other significant fields are set.

### Examples

```
# GetProfile for an IP that maps to a Service
❯ go run controller/script/destination-client/main.go -method getProfile -path 10.43.222.0:9090
INFO[0000] fully_qualified_name:"linkerd-prometheus.linkerd.svc.cluster.local"  retry_budget:{retry_ratio:0.2  min_retries_per_second:10  ttl:{seconds:10}}  dst_overrides:{authority:"linkerd-prometheus.linkerd.svc.cluster.local.:9090"  weight:10000}
```

Before:

```
# GetProfile for an IP that maps to a Pod
❯ go run controller/script/destination-client/main.go -method getProfile -path 10.42.0.20
INFO[0000] retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}}
```


After:

```
# GetProfile for an IP that maps to a Pod
❯ go run controller/script/destination-client/main.go -method getProfile -path 10.42.0.20
INFO[0000] retry_budget:{retry_ratio:0.2  min_retries_per_second:10  ttl:{seconds:10}}  endpoint:{addr:{ip:{ipv4:170524692}}  weight:10000  metric_labels:{key:"control_plane_ns"  value:"linkerd"}  metric_labels:{key:"deployment"  value:"fast-1"}  metric_labels:{key:"pod"  value:"fast-1-5cc87f64bc-9hx7h"}  metric_labels:{key:"pod_template_hash"  value:"5cc87f64bc"}  metric_labels:{key:"serviceaccount"  value:"default"}  tls_identity:{dns_like_identity:{name:"default.default.serviceaccount.identity.linkerd.cluster.local"}}  protocol_hint:{h2:{}}}
```

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-11-18 15:41:25 -05:00
Alejandro Pedraza deca7ede08
Consolidate integration tests under k3d (#5245)
* Consolidate integration tests under k3d

Fixes #5007

Simplified integration tests by moving all to k3d. Previously things were running in Kind, except for the multicluster tests, which implied some extra complexity in the supporting scripts.

Removed the KinD config files under `test/integration/configs`, as config is now passed as flags into the `k3d` command.

Also renamed `kind_integration.yml` to `integration_tests.yml`

Test skipping logic under ARM was also simplified.
2020-11-18 14:33:16 -05:00
Agnivesh Adhikari 865aeeabe2
Updated debian image tags (#5249)
Signed-off-by: Agnivesh Adhikari <agnivesh.adhikari@gmail.com>
2020-11-18 10:51:15 -05:00
Alex Leong 2e5087b9f6
Update install-pr to use image-load script (#5226)
The `bin/kind-load` script no longer exists and has been renamed to `bin/image-load`.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-11-13 14:38:20 -08:00
Alejandro Pedraza 948aa23b2a
Remove logs comparisons in integration tests (#5223)
The rare cases where these tests were useful don't make up for the burden of
maintaining them, having different k8s versions change the messages and
having unexpected warnings come up that didn't affect the final
convergence of the system.

With this we also revert the indirection added back in #4538 that
fetched unmatched warnings after a test had failed.
2020-11-13 16:00:16 -05:00
Alejandro Pedraza 5a707323e6
Update proxy-init to v1.3.7 (#5221)
This upgrades both the proxy-init image itself, and the go dependency on
proxy-init as a library, which fixes CNI in k3s and any host using
binaries coming from BusyBox, where `nsenter` has an
issue parsing arguments (see rancher/k3s#1434).
2020-11-13 15:59:14 -05:00
Ty cc0edffce8
Updating ADOPTERS.md to include M1 Finance (#5225)
Adopters did not include M1 Finance.

Add M1 Finance to ADOPTERS.md

Once Merged, Check https://github.com/linkerd/linkerd2/blob/main/ADOPTERS.md

Fixes #N/A

Signed-off-by: Ty Schreiner <t.schreiner@m1finance.com>
2020-11-12 16:10:35 -08:00
Alex Leong 1a91f6b0df
Increase ARM integration test timeout (#5222)
The ARM integration tests take a very long time to run for some reason.  For example, in the stable-2.9.0 release, they took 
38 minutes.  Thus, this test needs a longer timeout.

Increase the ARM integration test timeout from 30 minutes to 60 minutes.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-11-12 13:57:28 -08:00
Alex Leong b07347c3a6
edge-20.11.2 (#5220)
This edge release reduces memory consumption of Linkerd proxies which maintain
many idle connections (such as Prometheus).  It also removes some obsolete
commands from the CLI and allows setting custom annotations on multicluster
gateways.

* Reduced the default idle connection timeout to 5s for outbound clients and
  20s for inbound clients to reduce the proxy's memory footprint, especially on
  Prometheus instances
* Added support for setting annotations on the multicluster gateway in Helm
  which allows setting the load balancer as internal (thanks @shaikatz!)
* Removed the `get` and `logs` command from the CLI

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-11-12 12:29:29 -08:00
Tarun Pothulapati 1fe70dc16d
cli: remove logs subcommand and tests (#5203)
Fixes #5191

The logs command adds an external dependency that we forked to work but
does not fit within linkerd's core set of responsibilities. Hence, this
is being removed.

For capabilities like this, the Kubernetes plugin ecosystem has better
and well maintained tools that can be used.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-11-12 11:23:36 -08:00
Tarun Pothulapati e4c354985c
cli: Remove get cmd and relevant tests (#5202)
Fixes #5190

`linkerd get` is not used currently and works only for pods. This can be
removed instead as per the issue. This branch removes the command and
also the associated unit and integration tests.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-11-12 11:19:46 -08:00
Shai Katz 4ffb41ab44
Add MC Gateway Service Annotations (#5185)
Fixes #5182

That will allow setting the load balancer as internal.

Signed-off-by: Shai Katz <shai@soluto.com>
2020-11-12 11:19:19 -08:00
Oliver Gould 440a201997
actions: Limit job runtime to <= 30 minutes (#5216)
The default job timeout is 6 hours! This allows runaway builds to
consume our actions resources unnecessarily.

This change limits integration test jobs to 30 minutes. Static checks
are limited to 10 minutes.
2020-11-12 08:30:02 -08:00
Alejandro Pedraza 7a0c64a9e2
Update BUILD.md with multiarch stuff and some extras (#5199)
* Update BUILD.md with multiarch stuff and some extras

Adds to `BUILD.md` a new section `Publishing images` explaining the
workflow for testing custom builds.

Also updates and gives more precision to the section `Building CLI for
development`.

Finally, a new `Multi-architecture builds` section is added.

This PR also removes `SUPPORTED_ARCHS` from `bin/docker-build-cli` that
is no longer used.

Note I'm leaving some references to Minikube. I might change that in a
separate PR to point to k3d if we manage to migrate the KinD stuff to
k3d.
2020-11-12 09:36:54 -05:00
bohrasd 4e2c86acc4
Update ADOPTERS.md (#5187)
2020-11-10 15:05:14 -08:00
Cole Packingham 218e3ea0b5
Subject (#5207)
Adds "The Zebra" to adopters list

Signed-off-by: Cole <cpackingham@thezebra.com>
2020-11-10 15:04:43 -08:00
Oliver Gould 7010138d72
proxy: v2.119.0 (#5200)
This release modifies the default idle timeout to 5s for outbound
clients and 20s for inbound clients. This prevents idle clients from
consuming memory at the cost of performing more discovery resolutions
for periodic but infrequent traffic. This is intended to reduce the
proxy's memory footprint, especially on Prometheus instances.

The proxy's *ring* and rustls dependencies have also been updated.

---

* Update *ring* and rustls dependencies (linkerd/linkerd2-proxy#735)
* http: Configure client connection pools (linkerd/linkerd2-proxy#734)
2020-11-10 09:29:38 -08:00
Alejandro Pedraza 2ff70d4c7d
Changes for `stable-2.9.0` (#5174)
* Changes for `stable-2.9.0`

Only user-facing items were mentioned. There were previous edge release
notes contained a summary of a change, I preferred using that summary
instead of the more technical bullet point. Given the large list of
items, I separated into sections for easier digestion. Also, I didn't
repeat the TCP mTLS stuff (nor ARM support) below in the bullet points
as it was already well described in the summary.

## stable-2.9.0

This release extends Linkerd's zero-config mutual TLS (mTLS) support to all TCP
connections, allowing Linkerd to transparently encrypt and authenticate all TCP
connections in the cluster the moment it's installed. It also adds ARM support,
introduces a new multi-core proxy runtime for higher throughput, adds support
for Kubernetes service topologies, and lots, lots more, as described below:

* Proxy
  * Performed internal improvements for lower latencies under high concurrency
  * Reduced performance impact of logging, especially when the `debug` or
    `trace` log levels are disabled
  * Improved error handling for DNS errors encountered when discovering control
    plane addresses, which can be common during installation, before all
    components have been started, allowing linkerd to continue to operate
    normally in HA during node outages

* Control Plane
  * Added support for [topology-aware service
    routing](https://kubernetes.io/docs/concepts/services-networking/service-topology/)
    to the Destination controller; when providing service discovery updates to
    proxies the Destination controller will now filter endpoints based on the
    service's topology preferences
  * Added support for the new Kubernetes
    [EndpointSlice](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/)
    resource to the Destination controller; Linkerd can be installed with
    `--enable-endpoint-slices` flag to use this resource rather than the
    Endpoints API in clusters where this new API is supported

* Dashboard
  * Added new Spanish translations (please help us translate into your
    language!)
  * Added new section for exposing multicluster gateway metrics

* CLI
  * Renamed the `--addon-config` flag to `--config` to clarify this flag can be
    used
  * Added fish shell completions to the `linkerd` command to set any Helm value

* Multicluster
  * Replaced the single `service-mirror` controller, with separate controllers
    that will be installed per target cluster through `linkerd multicluster
    link`
  * Changed the mechanism for mirroring services: instead of relying on
    annotations on the target services, now the source cluster should specify
    which services from the target cluster should be exported by using a label
    selector
  * Added support for creating multiple service accounts when installing
    multicluster with Helm to allow more granular revocation
  * Added a multicluster `unlink` command for removing multicluster links

* Prometheus
  * Moved Linkerd's bundled Prometheus into an add-on (enabled by default); this
    makes the Linkerd Prometheus more configurable, gives it a separate upgrade
    lifecycle from the rest of the control plane, and will allow users to
    disable the bundled Prometheus instance
  * The long-awaited Bring-Your-Own-Prometheus case has been finally addressed:
    added `global.prometheusUrl` to the Helm config to have linkerd use an
    external Prometheus instance instead of the one provided by default
  * Added an option to persist data to a volume instead of memory, so that
    historical metrics are available when prometheus is restarted
  * The helm chart can now configure persistent storage and limits

* Other
  * Added a new `linkerd.io/inject: ingress` annotation and accompanying
    `--ingress` flag to the `inject` command, to configure the proxy to support
    service profiles and enable per-route metrics and traffic splits for HTTP
    ingress controllers
  * Changed the type of the injector and tap API secrets to `kubernetes.io/tls`
    so they can be provisioned by cert-manager
  * Changed default docker image repository to `ghcr.io` from `gcr.io`; **Users
    who pull the images into private repositories should take note of this
    change**
  * Introduced support for authenticated docker registries
  * Simplified the way that Linkerd stores its configuration; configuration is
    now stored as Helm values in the `linkerd-config` ConfigMap
  * Added support for Helm configuration of per-component proxy resources
    requests

This release includes changes from a massive list of contributors. A special
thank-you to everyone who helped make this release possible: --long
list, see file --

* Fixed some bad copypasta

* Apply suggestions from code review

Co-authored-by: Kevin Leimkuhler <kevin@kleimkuhler.com>

Co-authored-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-11-06 12:54:06 -05:00
Kevin Leimkuhler dc6e2114c9
Add changes for edge-20.11.1 (#5167)
This edge supersedes edge-20.10.6 as a release candidate for stable-2.9.0.

* Fixed issue where the `check` command would error when there is no Prometheus
  configured
* Fixed recent regression that caused multicluster on EKS to not work properly
* Changed the `check` command to warn instead of error when webhook certificates
  are near expiry
* Added the `--ingress` flag to the `inject` command which adds the recently
  introduced `linkerd.io/inject: ingress` annotation
* Fixed issue with upgrades where external certs would be fetched and stored
  even though this does not happen on fresh installs with externally created
  certs
* Fixed issue with upgrades where the issuer cert expiration was being reset
* Removed the `--registry` flag from the `multicluster install` command
* Removed default CPU limits for the proxy and control plane components in HA
  mode

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
2020-11-03 13:21:16 -05:00
Tarun Pothulapati d9a6e217f9
nit: return crtExpiry even for External Certs (#5173)
This change updates `FetchExternalIssuerData` to be more like
`FetchIssuerData` and return expiry correctly.

This field is currently not used anywhere and is just done for
consistency purposes.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-11-03 13:15:53 -05:00
Oliver Gould 4d85b6cd65
inject: Set LINKERD2_PROXY_CORES from the cpu limit (#5170)
Per #5165, Kubernetes does not necessarily limit the proxy's access to
cores via `cgroups` when a CPU limit is set. As of #5168, the proxy now
supports a `LINKERD2_PROXY_CORES` environment configuration that
augments CPU detection from the host operating system.

This change modifies the proxy injector to ensure that this environment
is configured from the `Values.proxy.cores` Helm value, the
`config.linkerd.io/proxy-cpu-limit` annotation, and the `--proxy-cpu-limit`
install flag.
2020-11-03 10:02:31 -08:00
Oliver Gould d6cb0c56cb
ha: Remove CPU limits for control plane components (#5171)
As discussed in #5167 & #5169, Kubernetes CPU limits are not necessarily
discoverable from within the pod. This means that the control plane
processes may allocate far more threads than can actually be used by the
process given its process limits.

This change removes the default CPU limits for all control plane
components. CPU limits may still be set via Helm configuration.
2020-11-03 09:18:36 -08:00
Oliver Gould 04e15c8544
ha: Do not set a default CPU limit (#5169)
Now that the proxy can use more than one core, this behavior should be
enabled by default, even in HA mode.

This change modifies the default HA helm values to unset the cpu limit
for proxy containers.
2020-11-03 07:53:36 -08:00
Oliver Gould 8540cd617d
proxy: v2.118.0 (#5168)
This release adds support for the LINKERD2_PROXY_CORES environment
variable. When set, the value may limit the proxy's runtime resources
so that it does not allocate a thread per core available from the host
operating system.

---

* inbound: use MakeSwitch for loopback (linkerd/linkerd2-proxy#729)
* buffer: Remove readiness watch (linkerd/linkerd2-proxy#731)
* Allow specifying the number of available cores via the env (linkerd/linkerd2-proxy#733)
2020-11-02 16:36:52 -08:00
Alejandro Pedraza 92fac9a962
Remove `--registry` flag from `linkerd mc install` (#5164)
After the 2.9 multicluster refactoring, `linkerd mc install`'s only
workload installed is the nginx gateway, whose docker image is
configured through the flags `--gateway-nginx-image` and
`--gateway-nginx-image-version`. Thus there's no longer need of the
`--registry` flag, which is used OTOH by `linkerd mc link` which deploys the service mirror.
2020-11-02 17:23:32 -05:00
Tarun Pothulapati 2d117be80f
upgrade: do not use external certs with upgrades (#5166)
Currently, for legacy upgrades we are fetching even external certs and
using it for upgrades which contradicts the condition at
https://github.com/linkerd/linkerd2/blob/master/cli/cmd/options.go#L550
used with install and thus causing errors.

Instead we don't retrieve them with upgrades and hence they don't get
stored into the config and secrets which seems correct as we do not want
to store certs in the config and use them with upgrades when they are
created externally.

This touches only the upgrade path i.e `fetchIssuers` and would not
affect the retrieval of external certs for checks, etc.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-11-02 17:06:44 -05:00
Tarun Pothulapati 14b8b8c792
upgrade: set identity.issuer.crtExpiry correctly with legacy upgrades (#5161)
With legacy upgrades, we can parse the cert and store the expiry
correctly instead of storing it as the default value which could be a
problem when we use that field. Currently, we do not use this field and
hence it did not cause any problems.

Install on the latest edges, this field is correctly set and works
as expected. Thus, upgrades also have the right value.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-11-03 00:19:18 +05:30
Tarun Pothulapati 262d5e041c
charts: Do not store .component in linkerd-config (#5144)
* charts: Do not store .component in linkerd-config

This removes the `.component` fields from `Values.go` and also prevents them from being emitted into `linkerd-config` by attaching them into a temporary variable during injection.

This also simplifies inbound and outbound Skip ports helm logic and adds quotes to them.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-11-02 20:41:37 +05:30
Tarun Pothulapati a30b5e49a6
cli: add `--ingress` flag to inject cmd (#5154)
* cli: add `--ingress` flag to inject cmd

This PR adds a new inject flag called `--ingress` which when enabled
adds a new annotation i.e `linkerd.io/inject: ingress`.

This annotation is not applied in the `--manual` case and the env
variable is directly set.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-11-02 14:47:16 +05:30
Alex Leong da194f5dc3
Warn when webhook certificates near expiry (#5155)
Fixes #5149 

Before:

```
linkerd-webhooks-and-apisvc-tls
-------------------------------
× tap API server has valid cert
    certificate will expire on 2020-10-28T20:22:32Z
    see https://linkerd.io/checks/#l5d-tap-cert-valid for hints
```

After:

```
linkerd-webhooks-and-apisvc-tls
-------------------------------
√ tap API server has valid cert
‼ tap API server cert is valid for at least 60 days
    certificate will expire on 2020-10-28T20:22:32Z
    see https://linkerd.io/checks/#l5d-webhook-cert-not-expiring-soon for hints
√ proxy-injector webhook has valid cert
‼ proxy-injector cert is valid for at least 60 days
    certificate will expire on 2020-10-29T18:17:03Z
    see https://linkerd.io/checks/#l5d-webhook-cert-not-expiring-soon for hints
√ sp-validator webhook has valid cert
‼ sp-validator cert is valid for at least 60 days
    certificate will expire on 2020-10-28T20:21:34Z
    see https://linkerd.io/checks/#l5d-webhook-cert-not-expiring-soon for hints
```

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-30 11:48:51 -07:00
Alejandro Pedraza ee085f7ae8
Fix multicluster for EKS (#5159)
`linkerd mc link` wasn't properly setting the `gatewayAddresses` field
when such address had a `Hostname` field instead of `Ip`, like is the
case in EKS services of type LoadBalancer.
2020-10-29 16:38:41 -05:00
Tarun Pothulapati 4c106e9c08
cli: make check return SkipError when there is no prometheus configured (#5150)
Fixes #5143

The availability of prometheus is useful for some calls in public-api
that the check uses. This change updates the ListPods in public-api
to still return the pods even when prometheus is not configured.

For a test that exclusively checks for prometheus metrics, we have a gate
which checks if a prometheus is configured and skips it otherwise.

Signed-off-by: Tarun Pothulapati tarunpothulapati@outlook.com
2020-10-29 19:57:11 +05:30
Tarun Pothulapati 3a16baa141
Use errors.Is instead of checking underlying err messages (#5140)
* Use errors.Is instead of checking underlying err messages

Fixes #5132

This PR replaces the usage of `strings.hasSuffix` with `errors.Is`
wherever error messages are being checked, so that the code is not
affected by changes in the underlying message. Also adds a string
const for http2 response body closed error

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-10-28 21:33:17 +05:30
Tarun Pothulapati dd42da343f
docs: Update external prom and grafana readme (#5142)
* docs: Update external prom and grafana readme

Update `Values.yaml` to make it more clear about reverse proxy
configuration with external grafana instances.

Also, adds `global.prometheusUrl` and `global.grafanaUrl` into charts
`README`

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-10-28 07:30:40 +05:30
Tarun Pothulapati 80794876e0
Restrict controlPlaneTracing field only to control plane components (#5117)
* Restrict controlPlaneTracing field only to control plane components

Previously, `global.controlPlaneTracing` was not available during
injection and thus not affecting it.

This commit creates a new method which checks if controlPlaneTracing is
enabled and sets to the defaults if it is. This is done on the
duplicates thus preventing it from not being propagated into
`linkerd-config`

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-10-28 07:24:56 +05:30
Eliza Weisman 8c6a2c576c
update changelog for edge-20.10.6 (#5145)
This edge supersedes edge-20.10.5 as a release candidate for
stable-2.9.0. It adds a new `linkerd.io/inject: ingress` annotation to
support service profiles and enable per-route metrics and traffic splits
for HTTP ingress controllers

* Added a new `linkerd.io/inject: ingress` annotation to configure the
  proxy to support service profiles and enable per-route metrics and
  traffic splits for HTTP ingress controllers
* Reduced performance impact of logging in the proxy, especially when
  the `debug` or `trace` log levels are disabled
* Fixed spurious warnings logged by the `linkerd profile` CLI command

Signed-off-by: Eliza Weisman <eliza@buoyant.io>
2020-10-27 11:06:15 -07:00
Tarun Pothulapati 39e7f84773
cli: fix and update timeout warnings in profile cmd (#5122)
Fixes #5121

* cli: skip emitting warnings in Profile


Whenever the tapDuration gets completed, there is a warning occurred
which we do not emit. This looks like it has been changed in the latest
versions of the dependency.

* Use context.withDeadline instead of client.timeout

The usage of `client.Timeout` is not working correctly causing `W1022
17:20:12.372780   19049 transport.go:260] Unable to cancel request for
   promhttp.RoundTripperFunc` to be emitted by the Kubernetes Client.

This is fixed by using context.WithDeadline and passing that into the
http Request.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>
2020-10-27 22:08:21 +05:30
Alex Leong b7c5bd07ae
Add 'linkerd.io/inject: ingress' mode (#5130)
Fixes #5118

This PR adds a new supported value for the `linkerd.io/inject` annotation.  In addition to `enabled` and `disabled`, this annotation may now be set to `ingress`.  This functions identically to `enabled` but it also causes the `LINKERD2_PROXY_INGRESS_MODE="true"` environment variable to be set on the proxy.  This causes the proxy to operate in ingress mode as described in #5118 

With this set, ingresses are able to properly load service profiles based on the l5d-dst-override header.

Signed-off-by: Alex Leong <alex@buoyant.io>
2020-10-26 14:32:19 -07:00
Oliver Gould 1f9433209f
proxy: v2.117.0 (#5137)
This release adds an 'ingress mode' to support per-request routing for
HTTP ingresses.

Additionally, the performance impact of logging should be reduced,
especially when the proxy log level is not set to `debug` or `trace`.

---

* router: Use NewService instead of MakeService (linkerd/linkerd2-proxy#724)
* outbound: Split TCP stack into dedicated modules (linkerd/linkerd2-proxy#725)
* trace: update `tracing-subscriber` to 0.2.14 (linkerd/linkerd2-proxy#726)
* outbound: Extract HTTP and server modules (linkerd/linkerd2-proxy#727)
* outbound: Introduce 'ingress mode' (linkerd/linkerd2-proxy#728)
* Reduce tracing spans to the debug level (linkerd/linkerd2-proxy#730)
2020-10-26 12:09:08 -07:00