The openAPIV3Schema validation in the ServiceProfiles CRD is very limited in what it can validate and is obviated by more sophisticated validation done by the validating admission controller. Therefore, we would like to remove the openAPIV3Schema validation to reduce the size and complexity of the CRD object.
To do so, we must also bump the version of the ServiceProfile custom resource from v1alpha1 to v1alpha2. This ensures that when the controller is upgraded, it will attempt to watch the v1alpha2 resource. If it cannot (because, for example, the controller pod started before the ServiceProfile CRD was updated and therefore the v1alpha2 version does not exist) then it will go into a crash loop backoff until it can. This essentially means that the controller will wait for the CRD to be upgraded to include v1alpha2 before it will start.
Bumping the version is necessary because if we did not, it would be possible for the controller to start before the CRD is updated (removing the validation). In this case, when the CRD is edited, the controller will lose its list watch on ServiceProfiles and will stop getting updates.
Signed-off-by: Alex Leong <alex@buoyant.io>
To give better visibility into the inner workings of the kubernetes watchers in the destination service, we add some prometheus metrics.
Signed-off-by: Alex Leong <alex@buoyant.io>
This change implements the DstOverrides feature of the destination profile API (aka traffic splitting).
We add a TrafficSplitWatcher to the destination service which watches for TrafficSplit resources and notifies subscribers about TrafficSplits for services that they are subscribed to. A new TrafficSplitAdaptor then merges the TrafficSplit logic into the DstOverrides field of the destination profile.
Signed-off-by: Alex Leong <alex@buoyant.io>
This PR improves the UI for the Edges table in the dashboard, including changing column names, adding a "Secured" icon and showing an empty Edges table in the case of no returned edges.
Adds an Edges table to the resource detail view that shows the source,
destination name and identity for proxied connections to and from the resource
shown.
This PR allows components to import specific FontAwesome icons using the
@fortawesome/react-fontawesome library. This cuts down on package size and the
number of files loaded.
I noticed that the tables weren't maintaining sort order.
This branch fixes sorting by using lodash orderBy.
Before: Look at the tables, for example in the Service Mesh page, the meshed
resource table, or in Top Routes. Note that both these tables have a default
sort order, but do not appear sorted.
After: These tables should be sorted by their default order.
Add support for querying TrafficSplit resources through the common API layer. This is done by depending on the TrafficSplit client bindings from smi-sdk-go.
Signed-off-by: Alex Leong <alex@buoyant.io>
Updates and pins package version numbers in `package.json` to reflect the actual
versions in `yarn.lock`. Pins `react-iframe` to `1.7.16` and `jest` to `23.6.0`
- in both cases, there are later versions but they include breaking changes.
Modifies `webpack.config.js` to work with the updated `css-loader` library.
Fixes #2908.
This is a major refactor of the destination service. The goals of this refactor are to simplify the code for improved maintainability. In particular:
* Remove the "resolver" interfaces. These were a holdover from when our decision tree was more complex about how to handle different kinds of authorities. The current implementation only accepts fully qualified kubernetes service names and thus this was an unnecessary level of indirection.
* Moved the endpoints and profile watchers into their own package for a more clear separation of concerns. These watchers deal only in Kubernetes primitives and are agnostic to how they are used. This allows a cleaner layering when we use them from our gRPC service.
* Renamed the "listener" types to "translator" to make it more clear that the function of these structs is to translate kubernetes updates from the watcher to gRPC messages.
Signed-off-by: Alex Leong <alex@buoyant.io>
Split proxy-init into separate repo
Fixes #2563
The new repo is https://github.com/linkerd/linkerd2-proxy-init, and I
tagged the latest there `v1.0.0`.
Here, I've removed the `/proxy-init` dir and pinned the injected
proxy-init version to `v1.0.0` in the injector code and tests.
`/cni-plugin` depends on proxy-init, so I updated the import paths
there, and could verify CNI is still working (there is some flakiness
but unrelated to this PR).
For consistency, I added a `--init-image-version` flag to `linkerd
inject` along with its corresponding override config annotation.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
* Update webpack-dev-server to "^3.2.0" in package.json with generated yarn.lock file
Signed-off-by: cpretzer <charles@buoyant.io>
* #2817 enable shorthands for lodash
Signed-off-by: cpretzer <charles@buoyant.io>
* Pin webpack-dev-server to version 3.3.1
Signed-off-by: Charles Pretzer <charles@buoyant.io>
* Subject:
Remove unnecessary linting configs and rules for lodash
Problem:
Work related to supporting newer versions of node allows for the removal of lodash linting
Solution:
Remove lodash lint rules
Remove eslint-plugin-lodash from package.json
Remove lodash from plugins section of .eslintrc
Validation:
Ran all build commands (setup, dev, and run) with node versions 12 and 10
Fixes #2817 #2809
Signed-off-by: Charles Pretzer <charles@buoyant.io>
* Signed-off-by: Charles Pretzer <charles@buoyant.io>
Update yarn.lock after merge with master
Fixes #2103. Hides the Authorities table in the Overview and Namespace views on
the dashboard, and removes the link to Authorities in the Resources sidebar.
This change makes way for a future dashboard view incorporating traffic split
data and communicating Authority data in a more understandable way.
CustomResourceDefinition parsing and retrieval is not available via
client-go's `kubernetes.Interface`, but rather via a separate
`k8s.io/apiextensions-apiserver` package.
Introduce support for CustomResourceDefinition object parsing and
retrieval. This change facilitates retrieval of CRDs from the k8s API
server, and also provides CRD resources as mock objects.
Also introduce a `NewFakeAPI` constructor, deprecating
`NewFakeClientSets`. Callers need no longer be concerned with discrete
clientsets (for k8s resources vs. CRDs vs. (eventually)
ServiceProfiles), and can instead use the unified `KubernetesAPI`.
Part of #2337, in service to multi-stage check.
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
Makes the Font Awesome CSS stylesheet available offline. Users loading the dashboard with no/limited internet will see both the Font Awesome and Material-UI sidebar icons consistently. Before, only the Material-UI icons were available offline.
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
In some non-tty environments, the `linkerd check` spinner can render
unexpected control characters.
Disable the spinner when run without a tty.
Fixes #2700
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
Makes the "overview" view of the Linkerd dashboard functional on mobile devices, with responsive tables and a minimized sidebar.
Also lines up the sidebar icons and makes them a uniform size on both desktop and mobile views.
This is a first step towards a fully-responsive dashboard.
The UUID implementation we use to generate install IDs is technically
not random enough for secure uses, which ours is not. To prevent
security scanners like SNYK from flagging this false-positive, let's
just switch to the other UUID implementation (already in our
dependencies).
Add validation webhook for service profiles
Fixes #2075
Todo in a follow-up PR: remove the SP check from the CLI check.
Signed-off-by: Alejandro Pedraza <alejandro@buoyant.io>
Problem:
In #2532 I removed the Tap/Top tables if there was no http traffic, but the
check I used depended on a stats object being present in the processed metrics
(spoiler: it isn't present in the processed metrics).
Solution:
Use a better check for no traffic.
The new check checks for both no requests (so nil request rate) and
also no latency (in the case that the service is http but receiving no traffic).
Fixes #2641
Adds local and cloud integration testing for the dashboard using WebdriverIO and
SauceLabs. Includes documentation on how to set up and run the Sauce Connect
proxy locally. Adds a `bin/web integration` script that takes `local` or `cloud`
arguments to run the tests.
Note: for web development, the web server launched by `bin/web run` and `bin/web
dev` is now 7777, not 8084, because the Sauce Connect proxy can only tunnel to
certain ports.
Fixes #2490
The following PR adds validation to the New Service Profile popup form in the linkerd dashboard for the service and namespace user input.
* Add validation to the Service Profile form (#2490)
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
* Change RegExp to handle all cases
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
* Fix link and error msg issue
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
* Refactor code
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
* Revert to onBlur and remove warning on field clear
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
* Refactor code to make it more readable
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
* Reset state to initialstate on form close
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
When installing Linkerd, a user may override default settings, or may
explicitly configure defaults. Consider install options like `--ha
--controller-replicas=4` -- the `--ha` flag sets a new default value for
the controller-replicas, and then we override it.
When we later upgrade this cluster, how can we know how to configure the
cluster?
We could store EnableHA and ControllerReplicas configurations in the
config, but what if, in a later upgrade, the default value changes? How
can we know whether the user specified an override or just used the
default?
To solve this, we add an `Install` message into a new config.
This message includes (at least) the CLI flags used to invoke
install.
upgrade does not specify defaults for install/proxy-options fields and,
instead, uses the persisted install flags to populate default values,
before applying overrides from the upgrade invocation.
This change breaks the protobuf compatibility by altering the
`installation_uuid` field introduced in 9c442f6885.
Because this change was not yet released (even in an edge release), we
feel that it is safe to break.
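The resolution order described in the commit message above, as an added example (not Linkerd's own code): release defaults first, then the flags recorded at install, then the flags of the current invocation. The `Flag` type, the `resolve` function and the replica defaults (1, 3, 5) are assumptions made for illustration; only the `--ha` and `--controller-replicas` flag names come from the message.

```go
package main

import (
	"flag"
	"fmt"
)

// Flag is one recorded CLI flag (hypothetical stand-in for the persisted Install message).
type Flag struct{ Name, Value string }

type options struct {
	ha       bool
	replicas int
}

// resolve applies, in order: this release's defaults, the flags recorded at
// install time, then the flags of the current invocation. It returns the
// effective options and the full set of explicitly set flags to persist.
func resolve(defReplicas, haReplicas int, recorded []Flag, args []string) (options, []Flag, error) {
	fs := flag.NewFlagSet("linkerd", flag.ContinueOnError)
	ha := fs.Bool("ha", false, "")
	replicas := fs.Int("controller-replicas", defReplicas, "")
	for _, f := range recorded { // replay what the user typed at install
		if err := fs.Set(f.Name, f.Value); err != nil {
			return options{}, nil, err
		}
	}
	if err := fs.Parse(args); err != nil { // this invocation overrides
		return options{}, nil, err
	}
	explicit := map[string]bool{}
	var persist []Flag
	fs.Visit(func(f *flag.Flag) { // Visit only sees flags that were set
		explicit[f.Name] = true
		persist = append(persist, Flag{f.Name, f.Value.String()})
	})
	if *ha && !explicit["controller-replicas"] {
		*replicas = haReplicas // --ha only moves the default, never an override
	}
	return options{*ha, *replicas}, persist, nil
}

func main() {
	// Constructed scenario: HA default is 3 at install time, 5 in the upgraded release.
	_, saved, _ := resolve(1, 3, nil, []string{"--ha"})
	up, _, _ := resolve(1, 5, saved, nil)
	fmt.Println(saved, up.replicas) // the upgrade follows the new HA default
}
```

Because only explicitly set flags are persisted, an install that passed `--controller-replicas=4` keeps 4 across upgrades, while an install that passed only `--ha` picks up whatever the upgraded release defines as the HA default.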
Fixes https://github.com/linkerd/linkerd2/issues/2574
When a resource only has TCP traffic and no HTTP traffic, the dashboard looks
weird in a bunch of places.
This branch:
- updates the main resource card in the Octopus graph to show TCP stats if no HTTP
stats are available
- cleans up the resource detail page to show fewer blank
tables if the resource only has TCP traffic.
This change introduces a new Identity service implementation for the
`io.linkerd.proxy.identity.Identity` gRPC service.
The `pkg/identity` contains a core, abstract implementation of the service
(generic over both the CA and (Kubernetes) Validator interfaces).
`controller/identity` includes a concrete implementation that uses the
Kubernetes TokenReview API to validate serviceaccount tokens when
issuing certificates.
This change does **NOT** alter installation or runtime to include the
identity service. This will be included in a follow-up.
The proxy's TLS implementation has changed to use a new _Identity_ controller.
In preparation for this, the `--tls=optional` CLI flag has been removed
from install and inject; and the `ca` controller has been deleted. Metrics
and UI treatments for TLS have **not** been removed, as they will continue to
be valuable for the new Identity system.
With the removal of the old identity scheme, the Destination service's proxy
ID field is now set with an opaque string (e.g. `ns:emojivoto`) to enable
locality awareness.
Fixes #2420.
Sorts the data returned from a Top Routes query before rendering the tables in the web UI. Previously we rendered the data tables without sorting, leading to inadvertent flipping of table order if the API returned data in a different order.
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
Fixes #2347
Previously, running a Top query for a namespace and resource that did not return
data would permanently disable the 'start query' button even if a user chose a
new namespace/resource combination. This allows the user to perform a new query
after their previous query does not return data.
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
* Add TCP stats to the Linkerd Pod Grafana dashboard (#2329)
* Minimize tcp stats and link it to dashboard tcp tables
* Add rows to fix minimization issues
Signed-off-by: Gaurav Kumar <gaurav.kumar9825@gmail.com>
Closes #2327.
This PR creates a "Community" menu item on the dashboard sidebar that, when clicked, displays an iFrame of a page on linkerd.io. A yellow badge appears on the menu item if there has been an update since the user last clicked the "Community" menu item. This is calculated by comparing a date in the user's localStorage to a JSON feed at linkerd.io.
linkerd/linkerd2#1721 introduced a `--single-namespace` install flag,
enabling the control-plane to function within a single namespace. With
the introduction of ServiceProfiles, and upcoming identity changes, this
single namespace mode of operation is becoming less viable.
This change removes the `--single-namespace` install flag, and all
underlying support. The control-plane must have cluster-wide access to
operate.
A few related changes:
- Remove `--single-namespace` from `linkerd check`, this motivates
combining some check categories, as we can always assume cluster-wide
requirements.
- Simplify the `k8s.ResourceAuthz` API, as callers no longer need to
make a decision based on cluster-wide vs. namespace-wide access.
Components either have access, or they error out.
- Modify the web dashboard to always assume ServiceProfiles are enabled.
Reverts #1721
Part of #2337
Signed-off-by: Andrew Seigner <siggy@buoyant.io>
Some time ago, I fixed sorting on these tables so that the default route ([default])
was sorted to the bottom. The name was changed to [DEFAULT] causing that sort
to no longer put the default route at the bottom. Update to correct case.