* proxy: v2.246.0
Release notes: https://github.com/linkerd/linkerd2-proxy/releases/tag/release/v2.246.0
Signed-off-by: l5d-bot <l5d-bot@users.noreply.github.com>
* pin max k3s to known working version in integration tests
Signed-off-by: Alex Leong <alex@buoyant.io>
---------
Signed-off-by: l5d-bot <l5d-bot@users.noreply.github.com>
Signed-off-by: Alex Leong <alex@buoyant.io>
Co-authored-by: l5d-bot <l5d-bot@users.noreply.github.com>
Co-authored-by: Alex Leong <alex@buoyant.io>
When stream limits cause a graceful stream end, we should not log a
warning.
---
* pool: Fix tracing context on pool task (linkerd/linkerd2-proxy#2592)
* control: Avoid logging warnings on reconnect (linkerd/linkerd2-proxy#2593)
Signed-off-by: Oliver Gould <ver@buoyant.io>
When connecting to a control plane API, the API server can return an
HTTP response long before it returns the first stream response. To bound
this time, we now enforce timeouts so that failures may result in attempting
to use an alternate controller instance.
All controller response streams now use a generic gRPC middleware with
initial, idle, and lifetime timeouts. When an initial timeout is
encountered, a DeadlineExceeded grpc status is synthesized. When the
other timeouts are encountered, the stream terminates gracefully.
These timeouts are configurable by the proxy injector. Timeouts are not
enabled without configuration:
* LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT
* LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT
* LINKERD2_PROXY_CONTROL_STREAM_LIFETIME
Each of these parameters is optional.
---
* build(deps): bump semver from 1.0.17 to 1.0.20 (linkerd/linkerd2-proxy#2576)
* build(deps): bump memchr from 2.5.0 to 2.6.4 (linkerd/linkerd2-proxy#2577)
* build(deps): bump arbitrary from 1.2.3 to 1.3.2 (linkerd/linkerd2-proxy#2578)
* build(deps): bump data-encoding from 2.3.3 to 2.5.0 (linkerd/linkerd2-proxy#2579)
* build(deps): bump tj-actions/changed-files from 40.2.3 to 41.0.1 (linkerd/linkerd2-proxy#2586)
* build(deps): bump ahash from 0.8.5 to 0.8.6 (linkerd/linkerd2-proxy#2582)
* build(deps): bump jemallocator from 0.5.0 to 0.5.4 (linkerd/linkerd2-proxy#2581)
* build(deps): bump anyhow from 1.0.69 to 1.0.76 (linkerd/linkerd2-proxy#2583)
* build(deps): bump symbolic-common from 12.6.0 to 12.8.0 (linkerd/linkerd2-proxy#2584)
* build(deps): bump gimli from 0.28.0 to 0.28.1 (linkerd/linkerd2-proxy#2588)
* build(deps): bump foreign-types-macros from 0.2.2 to 0.2.3 (linkerd/linkerd2-proxy#2590)
* build(deps): bump symbolic-demangle from 12.6.0 to 12.8.0 (linkerd/linkerd2-proxy#2591)
* control: Enforce timeouts on response stream (linkerd/linkerd2-proxy#2587)
Signed-off-by: Oliver Gould <ver@buoyant.io>
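The stream-limit behaviour described in this commit message, replayed on a virtual clock, as an added example that is not the proxy's middleware. `Limits`, `End` and `replay` are hypothetical names, and the model assumes `initial` bounds the wait for the first message, `idle` bounds later gaps, and `lifetime` runs from stream start.

```rust
use std::time::Duration;

/// The three optional limits; `None` means that limit is not enforced.
#[derive(Clone, Copy, Default)]
pub struct Limits {
    pub initial: Option<Duration>,
    pub idle: Option<Duration>,
    pub lifetime: Option<Duration>,
}

#[derive(Debug, PartialEq)]
pub enum End {
    DeadlineExceeded,       // no first message in time: an error status
    Graceful(&'static str), // idle or lifetime limit: clean end of stream
    ServerClosed,           // the server ended the stream first
}

/// Replays a stream: `arrivals` are sorted message times from stream start,
/// `closed_at` is when the server ends it. Returns (messages delivered, cause).
pub fn replay(l: Limits, arrivals: &[Duration], closed_at: Duration) -> (usize, End) {
    // Assumed model (hypothetical, not the proxy's code): which limit, if any,
    // has fired at or before time `at`? The earliest deadline wins.
    let fired = |delivered: usize, last: Duration, at: Duration| {
        let gap = if delivered == 0 {
            l.initial.map(|d| (d, End::DeadlineExceeded))
        } else {
            l.idle.map(|d| (last + d, End::Graceful("idle")))
        };
        let life = l.lifetime.map(|d| (d, End::Graceful("lifetime")));
        gap.into_iter().chain(life)
            .filter(|(deadline, _)| *deadline <= at)
            .min_by_key(|(deadline, _)| *deadline)
            .map(|(_, end)| end)
    };
    let (mut delivered, mut last) = (0, Duration::ZERO);
    for &at in arrivals.iter().take_while(|&&at| at < closed_at) {
        if let Some(end) = fired(delivered, last, at) {
            return (delivered, end);
        }
        delivered += 1;
        last = at;
    }
    (delivered, fired(delivered, last, closed_at).unwrap_or(End::ServerClosed))
}

fn main() {
    let l = Limits { initial: Some(Duration::from_secs(3)), ..Limits::default() };
    println!("{:?}", replay(l, &[], Duration::from_secs(10)));
}
```

With all three limits unset, `replay` never ends the stream itself, matching the note that timeouts are not enabled without configuration.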
This change culminates recent work to restructure the balancer to use a
PoolQueue so that balancer changes may occur independently of request
processing. This replaces independent discovery buffering so that the
balancer task is responsible for polling discovery streams without
independent buffering. Requests are buffered and processed as soon as
the pool has available backends. Fail-fast circuit breaking is enforced
on the balancer's queue so that requests can't get stuck in a queue
indefinitely.
In general, the new balancer is instrumented directly with metrics, and
the relevant metric name prefix and labelset is provided by the stack.
In addition to detailed queue metrics including request (in-queue)
latency histograms, there are also failfast states, discovery update counts,
and balancer endpoint pool sizes.
---
* outbound: Move queues into the concrete stack (linkerd/linkerd2-proxy#2539)
* metrics: Remove unused features (linkerd/linkerd2-proxy#2542)
* Add the PoolQueue middleware (linkerd/linkerd2-proxy#2540)
* ci: Fixup codecov config (linkerd/linkerd2-proxy#2545)
* ci: Cancel prior runs (linkerd/linkerd2-proxy#2546)
* ci: Skip ARM builds during non-release CI (linkerd/linkerd2-proxy#2547)
* deps: Update tokio, tonic, and prost (linkerd/linkerd2-proxy#2544)
* build(deps): bump tj-actions/changed-files from 40.2.0 to 40.2.1 (linkerd/linkerd2-proxy#2549)
* metrics: Use prometheus-client for proxy_build_info (linkerd/linkerd2-proxy#2551)
* balance: Add a p2c Pool implementation (linkerd/linkerd2-proxy#2541)
* metrics: Export process metrics using prometheus-client (linkerd/linkerd2-proxy#2552)
* linkerd_identity: split `linkerd_identity::Id` into DNS and URI variants (linkerd/linkerd2-proxy#2538)
* outbound: Move HTTP balancer into its own module (linkerd/linkerd2-proxy#2554)
* app: Setup prom registry for use in balancers (linkerd/linkerd2-proxy#2555)
* vscode: Move workspace settings to devcontainer (linkerd/linkerd2-proxy#2557)
* build(deps): bump tj-actions/changed-files from 40.2.1 to 40.2.2 (linkerd/linkerd2-proxy#2556)
* balance: Instrument metrics in pool balancer (linkerd/linkerd2-proxy#2558)
* Enable PoolQueue balancer (linkerd/linkerd2-proxy#2559)
Signed-off-by: Oliver Gould <ver@buoyant.io>
This release includes several bugfixes. Notably, inbound proxies would
not properly reflect grpc-status in metrics by default.
Furthermore, proxies now log warnings when they receive unexpected
error responses from the control plane.
---
* chore: change `rust-toolchain` file to toml format (linkerd/linkerd2-proxy#2487)
* gate: Detect disconnected inner services in readiness (linkerd/linkerd2-proxy#2491)
* Bump ahash to v0.8.5 (linkerd/linkerd2-proxy#2498)
* gate: Fix readiness deadlock (linkerd/linkerd2-proxy#2493)
* Log a warning when the controller clients receive an error (linkerd/linkerd2-proxy#2499)
* inbound: Fix gRPC response classification (linkerd/linkerd2-proxy#2496)
Signed-off-by: Oliver Gould <ver@buoyant.io>
328826caa updated the balancer's discovery channel to prevent backing up
into the discovery stream by dropping the discovery stream. This results
in balancers becoming permanently stale (should they ever be used
again).
This change modifies the discovery stream so that these errors are fatal
for the balancer. These errors are recorded distinctly by the error counters.
To fix this, we replace the `DiscoverNew` module with a
`discover::NewServices` module that wraps the buffering layer. The
buffer now only holds target metadata, and services are only built as
the entry is dequeued from the channel.
This has the (positive) side-effect that the proxy's stack_create_total
metric will not be incremented before the balancer actually uses an
endpoint stack. Previously, this metric would be incremented for all
queued endpoint updates.
We also now log at INFO the address of all additions and removals from a
balancer. This should dramatically improve diagnostics in stale endpoint
situations.
---
* build(deps): bump DavidAnson/markdownlint-cli2-action (linkerd/linkerd2-proxy#2460)
* build(deps): bump tj-actions/changed-files from 36.2.1 to 39.0.2 (linkerd/linkerd2-proxy#2468)
* build(deps): bump EmbarkStudios/cargo-deny-action from 1.5.0 to 1.5.4 (linkerd/linkerd2-proxy#2448)
* meshtls: log errors parsing client certs (linkerd/linkerd2-proxy#2467)
* build(deps): bump actions/checkout from 3.5.0 to 4.1.0 (linkerd/linkerd2-proxy#2474)
* build(deps): bump tj-actions/changed-files from 39.0.2 to 39.2.0 (linkerd/linkerd2-proxy#2475)
* build(deps): bump EmbarkStudios/cargo-deny-action from 1.5.4 to 1.5.5 (linkerd/linkerd2-proxy#2478)
* build(deps): bump DavidAnson/markdownlint-cli2-action (linkerd/linkerd2-proxy#2476)
* build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 (linkerd/linkerd2-proxy#2479)
* Render grpc_status metric label as number (linkerd/linkerd2-proxy#2480)
* balance: Log and fail stuck discovery streams. (linkerd/linkerd2-proxy#2484)
* build(deps): update `rustix` to v0.36.16/v0.37.7 (linkerd/linkerd2-proxy#2488)
* balance: Fail the discovery stream on queue backup (linkerd/linkerd2-proxy#2486)
Signed-off-by: Oliver Gould <ver@buoyant.io>
Currently, the proxy [depends on an outdated version of `rustls`][1],
v0.20.8. The `rustls` dependency is via our dependency on `tokio-rustls`
v0.23.4; we don't have a direct `rustls` dependency, in order to ensure
that the version of `rustls` is always the same version as used by
`tokio-rustls`. `rustls` also has a dependency on `webpki`, and v0.20.x
of `rustls` uses the original `webpki` crate, rather than the
`rustls-webpki` crate. So, unfortunately, because we have a transitive
dep on `webpki` via `rustls`, PR linkerd/linkerd2-proxy#2465 did not
remove _all_ `webpki` deps from our dependency tree, only the direct
dependency.
This branch updates to `rustls` v0.21.x, which depends on
`rustls-webpki` rather than `webpki`, removing the `webpki` dependency.
This is accomplished by updating `tokio-rustls` to v0.24.x, implicitly
updating the transitive `rustls` dep. In order to update to the
semver-incompatible version of `rustls`, it was necessary to modify our
code in order to track some breaking API changes. I've also added a
`cargo-deny` ban for `webpki` to our `deny.toml`, to ensure that we
always use the actively-maintained `rustls-webpki` crate rather than
`webpki` classic.
Since peer certificate validation is performed through `rustls` rather
than through the direct `rustls-webpki` dependency, this should
hopefully resolve issues with issuer certs that contain name constraints
--- these were not fixed by linkerd/linkerd2-proxy#2465, because the
failure with certs containing name constraints occurred inside of the
*`webpki` version depended on by `rustls`*, rather than inside of the
proxy's direct dep. See [this comment][2] for details.
In addition, it was necessary to update `rustls-webpki` to v0.101.6,
since v0.101.5 was yanked due to an accidental API breaking change.
[1]:
8afc72258b/Cargo.lock (L2450-L2460C2)
[2]:
https://github.com/linkerd/linkerd2/issues/9299#issuecomment-1730094953
---
* meshtls: use published `rustls-webpki` v0.101.5 (linkerd/linkerd2-proxy#2470)
* Replace `procinfo` with `procfs` (linkerd/linkerd2-proxy#2433)
* meshtls: update to `rustls` v0.21.7 (linkerd/linkerd2-proxy#2472)
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
This commit changes the `linkerd-meshtls-rustls` crate to use the
upstream `rustls-webpki` crate, maintained by Rustls, rather than our
fork of `briansmith/webpki` from GitHub. Since `rustls-webpki` includes
the change which was the initial motivation for the `linkerd/webpki`
fork (rustls/webpki#42), we can now depend on upstream.
Currently, we must take a Git dependency on `rustls-webpki`, since a
release including a fix for an issue (rustls/webpki#167) which prevents
`rustls-webpki` from parsing our test certificates has not yet been
published. Once v0.101.5 of `rustls-webpki` is published (see PR
rustls/webpki#170), we can remove the Git dep. For now, I've updated
`cargo-deny` to allow the Git dependency.
---
* use `rustls-webpki` instead of `linkerd/webpki` (linkerd/linkerd2-proxy#2465)
Signed-off-by: Eliza Weisman <eliza@buoyant.io>
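A lock-file check for the two conditions the `meshtls` commit messages above rely on `cargo-deny` to enforce: a banned `webpki` crate anywhere in the dependency tree, and a crate resolved from Git rather than a registry. This is an added example, not the project's code or `cargo-deny`'s implementation; `Pkg`, `parse_lock`, `audit` and the sample lock text are hypothetical.

```rust
/// One `[[package]]` entry from a Cargo.lock file.
#[derive(Debug, Default)]
pub struct Pkg { pub name: String, pub version: String, pub source: String }

/// Minimal line-based reader for the `[[package]]` tables of a Cargo.lock.
pub fn parse_lock(lock: &str) -> Vec<Pkg> {
    let (mut pkgs, mut in_pkg) = (Vec::<Pkg>::new(), false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_pkg = line == "[[package]]"; // skip [metadata] and other tables
            if in_pkg { pkgs.push(Pkg::default()); }
        } else if let (true, Some((key, val))) = (in_pkg, line.split_once(" = ")) {
            let (val, cur) = (val.trim_matches('"').to_string(), pkgs.last_mut().unwrap());
            match key {
                "name" => cur.name = val,
                "version" => cur.version = val,
                "source" => cur.source = val,
                _ => {} // dependencies, checksum
            }
        }
    }
    pkgs
}

/// Flags banned crate names (exact match, so `rustls-webpki` is not `webpki`)
/// and crates resolved from Git that are not on the allow-list.
pub fn audit(pkgs: &[Pkg], banned: &[&str], allowed_git: &[&str]) -> Vec<String> {
    let mut findings = Vec::new();
    for p in pkgs {
        if banned.contains(&p.name.as_str()) {
            findings.push(format!("banned: {} {}", p.name, p.version));
        }
        if p.source.starts_with("git+") && !allowed_git.contains(&p.name.as_str()) {
            findings.push(format!("git source: {}", p.name));
        }
    }
    findings
}

// Constructed lock-file excerpt; versions and the Git URL are placeholders.
pub const SAMPLE: &str = r#"
[[package]]
name = "rustls-webpki"
version = "0.0.0"
source = "git+https://example.invalid/webpki?rev=0000000"
[[package]]
name = "webpki"
version = "0.0.0"
"#;
fn main() { println!("{:#?}", audit(&parse_lock(SAMPLE), &["webpki"], &[])); }
```

Because the check runs over the resolved lock file, it catches a banned crate that arrives transitively, as `webpki` did via `rustls` here.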