linkerd2

Commit Graph

Author	SHA1	Message	Date
Tarun Pothulapati	5c1a375a51	destination: pass opaque-ports through cmd flag (#5829 ) * destination: pass opaque-ports through cmd flag Fixes #5817 Currently, Default opaque ports are stored at two places i.e `Values.yaml` and also at `opaqueports/defaults.go`. As these ports are used only in destination, We can instead pass these values as a cmd flag for destination component from Values.yaml and remove defaultPorts in `defaults.go`. This means that users if they override `Values.yaml`'s opauePorts field, That change is propogated both for injection and also discovery like expected. Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>	2021-03-01 16:00:20 +05:30
Kevin Leimkuhler	51a965e228	Return default opaque ports in the destination service (#5814 ) This changes the destination service to always use a default set of opaque ports for pods and services. This is so that after Linkerd is installed onto a cluster, users can benefit from common opaque ports without having to annotate the workloads that serve the applications. After #5810 merges, the proxy containers will be have the default opaque ports `25,443,587,3306,5432,11211`. This value on the proxy container does not affect traffic though; it only configures the proxy. In order for clients and servers to detect opaque protocols and determine opaque transports, the pods and services need to have these annotations. The ports `25,443,587,3306,5432,11211` are now handled opaquely when a pod or service does not have the opaque ports annotation. If the annotation is present with a different value, this is used instead of the default. If the annotation is present but is an empty string, there are no opaque ports for the workload. Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>	2021-02-24 14:55:31 -05:00
Kevin Leimkuhler	ff93d2d317	Mirror opaque port annotations on services (#5770 ) This change introduces an opaque ports annotation watcher that will send destination profile updates when a service has its opaque ports annotation change. The user facing change introduced by this is that the opaque ports annotation is now required on services when using the multicluster extension. This is because the service mirror will create mirrored services in the source cluster, and destination lookups in the source cluster need to discover that the workloads in the target cluster are opaque protocols. ### Why Closes #5650 ### How The destination server now has a new opaque ports annotation watcher. When a client subscribes to updates for a service name or cluster IP, the `GetProfile` method creates a profile translator stack that passes updates through resource adaptors such as: traffic split adaptor, service profile adaptor, and now opaque ports adaptor. When the annotation on a service changes, the update is passed through to the client where the `opaque_protocol` field will either be set to true or false. A few scenarios to consider are: - If the annotation is removed from the service, the client should receive an update with no opaque ports set. - If the service is deleted, the stream stays open so the client should receive an update with no opaque ports set. - If the service has the annotation added, the client should receive that update. ### Testing Unit test have been added to the watcher as well as the destination server. An integration test has been added that tests the opaque port annotation on a service. For manual testing, using the destination server scripts is easiest: ``` # install Linkerd # start the destination server $ go run controller/cmd/main.go destination -kubeconfig ~/.kube/config # Create a service or namespace with the annotation and inject it # get the destination profile for that service and observe the opaque protocol field $ go run controller/script/destination-client/main.go -method getProfile -path test-svc.default.svc.cluster.local:8080 INFO[0000] fully_qualified_name:"terminus-svc.default.svc.cluster.local" opaque_protocol:true retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}} dst_overrides:{authority:"terminus-svc.default.svc.cluster.local.:8080" weight:10000} INFO[0000] INFO[0000] fully_qualified_name:"terminus-svc.default.svc.cluster.local" opaque_protocol:true retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}} dst_overrides:{authority:"terminus-svc.default.svc.cluster.local.:8080" weight:10000} INFO[0000] ``` Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>	2021-02-23 13:36:17 -05:00

Author

SHA1

Message

Date

Tarun Pothulapati

5c1a375a51

destination: pass opaque-ports through cmd flag (#5829 )

* destination: pass opaque-ports through cmd flag

Fixes #5817

Currently, Default opaque ports are stored at two places i.e
`Values.yaml` and also at `opaqueports/defaults.go`. As these
ports are used only in destination, We can instead pass these
values as a cmd flag for destination component from Values.yaml
and remove defaultPorts in `defaults.go`.

This means that users if they override `Values.yaml`'s opauePorts
field, That change is propogated both for injection and also
discovery like expected.

Signed-off-by: Tarun Pothulapati <tarunpothulapati@outlook.com>

2021-03-01 16:00:20 +05:30

Kevin Leimkuhler

51a965e228

Return default opaque ports in the destination service (#5814 )

This changes the destination service to always use a default set of opaque ports
for pods and services. This is so that after Linkerd is installed onto a
cluster, users can benefit from common opaque ports without having to annotate
the workloads that serve the applications.

After #5810 merges, the proxy containers will be have the default opaque ports
`25,443,587,3306,5432,11211`. This value on the proxy container does not affect
traffic though; it only configures the proxy.

In order for clients and servers to detect opaque protocols and determine opaque
transports, the pods and services need to have these annotations.

The ports `25,443,587,3306,5432,11211` are now handled opaquely when a pod or
service does not have the opaque ports annotation. If the annotation is present
with a different value, this is used instead of the default. If the annotation
is present but is an empty string, there are no opaque ports for the workload.

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>

2021-02-24 14:55:31 -05:00

Kevin Leimkuhler

ff93d2d317

Mirror opaque port annotations on services (#5770 )

This change introduces an opaque ports annotation watcher that will send
destination profile updates when a service has its opaque ports annotation
change.

The user facing change introduced by this is that the opaque ports annotation is
now required on services when using the multicluster extension. This is because
the service mirror will create mirrored services in the source cluster, and
destination lookups in the source cluster need to discover that the workloads in
the target cluster are opaque protocols.

### Why

Closes #5650

### How

The destination server now has a new opaque ports annotation watcher. When a
client subscribes to updates for a service name or cluster IP, the `GetProfile`
method creates a profile translator stack that passes updates through resource
adaptors such as: traffic split adaptor, service profile adaptor, and now opaque
ports adaptor.

When the annotation on a service changes, the update is passed through to the
client where the `opaque_protocol` field will either be set to true or false.

A few scenarios to consider are:

  - If the annotation is removed from the service, the client should receive
    an update with no opaque ports set.
  - If the service is deleted, the stream stays open so the client should
    receive an update with no opaque ports set.
  - If the service has the annotation added, the client should receive that
    update.

### Testing

Unit test have been added to the watcher as well as the destination server.

An integration test has been added that tests the opaque port annotation on a
service.

For manual testing, using the destination server scripts is easiest:

```
# install Linkerd

# start the destination server
$ go run controller/cmd/main.go destination -kubeconfig ~/.kube/config

# Create a service or namespace with the annotation and inject it

# get the destination profile for that service and observe the opaque protocol field
$ go run controller/script/destination-client/main.go -method getProfile -path test-svc.default.svc.cluster.local:8080
INFO[0000] fully_qualified_name:"terminus-svc.default.svc.cluster.local" opaque_protocol:true retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}} dst_overrides:{authority:"terminus-svc.default.svc.cluster.local.:8080" weight:10000} 
INFO[0000]                                              
INFO[0000] fully_qualified_name:"terminus-svc.default.svc.cluster.local" opaque_protocol:true retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}} dst_overrides:{authority:"terminus-svc.default.svc.cluster.local.:8080" weight:10000} 
INFO[0000]
```

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>

2021-02-23 13:36:17 -05:00

3 Commits