# Problem
When a route does not specify a timeout, the proxy-api defaults to the default
timeout and logs an error:
```
time="2019-02-13T16:29:12Z" level=error msg="failed to parse duration for route POST /io.linkerd.proxy.destination.Destination/GetProfile: time: invalid duration"
```
# Solution
We now check if a route timeout is blank. If it is not set, it is set to
`DefaultRouteTimeout`. If it is set, we try to parse it into a `Duration`.
A request was made to improve logging to include the service profile and
namespace as well.
# Validation
With valid service profiles installed, edit the `.yaml` to include an invalid
`timeout`:
```
...
name: GET /
timeout: foo
```
We should now see the following errors:
```
proxy-api time="2019-02-13T22:27:32Z" level=error msg="failed to parse duration for route 'GET /' in service profile 'webapp.default.svc.cluster.local' in namespace 'default': time: invalid duration foo"
```
This error does not show up when `timeout` is blank.
Fixes#2276
Signed-off-by: Kevin Leimkuhler <kevinl@buoyant.io>
golangci-lint disables some checks for golint, including checks for
well-formed comments on all exported symbols
This change disables the golangci-lint's `exclude-use-default` setting,
to run golint with default settings.
Also introduce a `.golangci.yml` file to centralize config.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
The way these tests compare the hard-coded base64-encoded JSON
patches with those generated by the proxy injector, is extremely
brittle. Changing any of the proxy configuration causes these tests
to break, even though the proxy injector itself isn't affected.
Also, the AdmissionRequest and AdmissionResponse types are "boundary
objects" that are largely irrelevant to our code.
Fixes#2201
Signed-off-by: Ivan Sim <ivan@buoyant.io>
`Dockerfile-proxy` executes several commands following
`bin/fetch-proxy`, but the subsequent commands were separated by
semicolon, so the overall RUN command would succeed regardless of what
`bin/fetch-proxy` returned. This meant that if `bin/docker-build-proxy`
was run on a proxy SHA prior to it being available, it would fail the
build, but cache the unsuccessful `fetch-proxy` command, and continue to
fail after the proxy becomes available.
This change concatenates `fetch-proxy` and subsequent commands using
ampersands, failing the build if `fetch-proxy` fails.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
Add a `-cover` param to the Go tests in ci, along with instructions in
`TEST.md` for manually evaluating test coverage.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
`golangci-lint` performs numerous checks on Go code, including golint,
ineffassign, govet, and gofmt.
This change modifies `bin/lint` to use `golangci-lint`, and replaces
usage of golint and govet.
Also perform a one-time gofmt cleanup:
- `gofmt -s -w controller/`
- `gofmt -s -w pkg/`
Part of #217
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
Fixes#2255.
When Kubernetes periodically pinged booksapp to perform a health check, the
lack of namespace violated the `TapLink` component's propTypes requirement.
This triggered a warning in the browser console when on the web UI Top view.
Working with @rmars, I removed the namespace requirement from propTypes and
moved the check for an empty namespace to the top of the component to avoid an
unnecessary queryString construction.
edge-19.2.1 included a breaking change related to the namespace where
`ServiceProfile`s are defined.
This change updates the release notes for that release to indicate the
breaking change.
Relates to linkerd/website#156
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
Fixes#2232
The Linkerd logo on the top left of the web UI is now wrapped in a
`react-router-dom` Link component so that clicking it redirects to `/overview`.
commit 59d00f69653730353ec246b8cb2eb39d80a54d3e
Author: Oliver Gould <ver@buoyant.io>
Date: Mon Feb 11 10:51:37 2019 -0800
Log canonicalization warnings on only the first error (#189)
When a canonicalization task fails to resolve a name, our logging is not
particularly clear about the current state of the stack. Specifically,
it's difficult to know whether the stack has resolved the name
successfully before.
With this change, canonicalization failures are logged (at warning, not
error) only when the task has not previously resolved a name.
Subsequent errors are now logged at the debug level (instead of
warning).
The existing hint URLs printing by `linkerd check` pointed to locations
that would change if the linkerd.io website was reorganized.
linkerd/website#148 introduces an alias for hint URLs at
https://linkerd.io/checks/. This is the corresponding change to update
`linkerd check` output.
Depends on linkerd/website#148, relates to linkerd/website#146.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
Fixes#2220
The service profile validation which is part of `linkerd check` only validates service profiles in the Linkerd namespace. Due to a recent change, service profiles now can exist in any namespace.
Update the logic so that service profiles in all namespaces are validated.
Additionally:
* Relax validation of service profile names to support external names
Signed-off-by: Alex Leong <alex@buoyant.io>
@rmars and I set out to replace all instances of lodash filter with native
filter in order to prevent the additional import. However, there was only one
use of _filter that could be easily replaced, since our other uses depend on
lodash's ability to handle empty variables, and the ability to filter both
objects and arrays (JS's native filter is only for arrays). Switching to native
filter in those cases would have required us to manually check the value of the
variable, set it to an empty array and/or convert it from an object to an array.
Signed-off-by: Carol Scott <carol@buoyant.io>
Running `linkerd routes` for some resource was returning, besides the data for the resource, additional rows for each `ExternalName` service in the namespace.
Fixes#2216
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
Fixes#2077
When looking up service profiles, Linkerd always looks for the service profile objects in the Linkerd control namespace. This is limiting because service owners who wish to create service profiles may not have write access to the Linkerd control namespace.
Instead, we have the control plane look for the service profile in both the client namespace (as read from the proxy's `proxy_id` field from the GetProfiles request and from the service's namespace. If a service profile exists in both namespaces, the client namespace takes priority. In this way, clients may override the behavior dictated by the service.
Signed-off-by: Alex Leong <alex@buoyant.io>
The `linkerd check` command was doing limited validation on
ServiceProfiles.
Make ServiceProfile validation more complete, specifically validate:
- types of all fields
- presence of required fields
- presence of unknown fields
- recursive fields
Also move all validation code into a new `Validate` function in the
profiles package.
Validation of field types and required fields is handled via
`yaml.UnmarshalStrict` in the `Validate` function. This motivated
migrating from github.com/ghodss/yaml to a fork, sigs.k8s.io/yaml.
Fixes#2190
The Proxy API service lacked introspection of its internal state.
Introduce a new gRPC Discovery API, implemented by two servers:
1) Proxy API Server: returns a snapshot of discovery state
2) Public API Server: pass-through to the Proxy API Server
Also wire up a new `linkerd endpoints` command.
Fixes#2165
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
The controller logs innocuous messages when control plane proxies aren't ready to route requests during startup from each control plane component. i.e. tap, public-api and proxy-api. Setting the log level in the control plane to `INFO` would not hide these log messages and would still show up on control plane startup.
This PR modifies `klogs` initial flag set to route innocuous logs to `/dev/null` if the controller log level is set to INFO. If set to debug, we output all loglines to stderr.
Fixes#2171#2168
Signed-off-by: Dennis Adjei-Baah <dennis@buoyant.io>
* Remove destination address from endpoint metric labels
(linkerd/linkerd2#187)
* Set proxy_id in calls to Get and GetProfile (linkerd/linkerd2#183)
* Add l5d-client-id on inbound requests if meshed TLS (linkerd/linkerd2#184)
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Adds the ability to generate a service profile by running a tap for a configurable
amount of time, and using the route results from the routes seen during the tap.
e.g. `linkerd profile web --tap deploy/web -n emojivoto --tap-duration 2s`
Consolidate timeouts for `linkerd check`
- Moved the creation of contexts from inside the methods targeted by the
checks into a single place in the runCheck() and runCheckRPC() methods
where the context is built using a hard-coded timeout of 30 seconds.
- k8s' client-go doesn't allow passing along contexts, but it let's us
setting the Timeout manually.
- Reworded the description for the --wait option.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
# Problem
In order to switch Linkerd template rendering to use `.yaml` files, static
assets must be bundled in the Go binary for use by `linkerd install`.
# Solution
The solution should not affect the local development process of building and
testing.
[vfsgen](https://github.com/shurcooL/vfsgen) generates Go code that statically
implements the provided `http.FileSystem`. Paired with `go generate` and Go
[build tags](https://golang.org/pkg/go/build/), we can continue to use the
template files on disk when developing with no change required.
In `!prod` Go builds, the `cli/static/templates.go` file provides a
`http.FileSystem` to the local templates. In `prod` Go builds, `go generate
./cli` generates `cli/static/generated_templates.gogen.go` that statically
provides the template files.
When built with `-tags prod`, the executable will be built with the staticlly
generated file instead of the local files.
# Validation
The binaries were compiled locally with `bin/docker-build`. The binaries were
then tested with `bin/test-run (pwd)/target/cli/darwin/linkerd`. All tests
passed.
No change was required to successfully run `bin/go-run cli install`. No change
was required to run `bin/linkerd install`.
Fixes#2153
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
In linkerd/linkerd2-proxy#186, the proxy supports configuration of TCP
keepalive values.
This change sets `LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE` and
`LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE` to 10s when injecting the
proxy, so that remote connections are configured with a keepalive.
This configuration is NOT yet exposed through the CLI. This may be done
in a followup, if necessary.
Fixes#1949
Since 37ae423, deployments have been prefixed with linkerd-; however
the inject logic was not changed to take this into consideration when
constructing the controller's identity.
This means that the proxy's client to the control plane has been unable to
establish TLS'd communcation to the proxy-api. Previously, the proxy would
silently fall back to plaintext, but in master this behavior recently changed to
be stricter, so this bug will prevent the proxy from connecting to proxy-api
in any way.
* Add pod spec annotation to disable injection in CLI and auto-injector
* Remove support for linkerd.io/auto-inject label entirely
* Update based on review feedback
* Fix issue with finding the namespace of deployments applied to the default ns
Signed-off-by: Kevin Lingerfelt <kl@buoyant.io>
Kevin Leimkuhler
Andrew Seigner
Ivan Sim
Alejandro Pedraza
William Morgan
Kevin Lingerfelt
Carol A. Scott
Oliver Gould
Alex Leong
Dennis Adjei-Baah
Cody Vandermyn
Risha Mars
Ye Ben