outbound: discover client policies from the OutboundPolicy API#2265
Merged
outbound: discover client policies from the OutboundPolicy API#2265
OutboundPolicy API#2265Conversation
And, pull the discovery allowlist out into a wrapper around `GetProfile`. This way, a discovery service performing profile discovery, policy discovery, or both can be passed into `push_discover`, depending on the stack.
This reverts commit 04f4dcf.
6602162 to
0e1cbc8
Compare
; Conflicts: ; linkerd/app/inbound/src/policy/config.rs ; linkerd/app/inbound/src/policy/store.rs ; linkerd/app/inbound/src/server.rs ; linkerd/app/inbound/src/test_util.rs ; linkerd/app/src/env.rs
Contributor
Author
|
pushed test docker image |
olix0r
reviewed
Mar 11, 2023
olix0r
previously approved these changes
Mar 11, 2023
* Split out synthetic policies for readability * wi * fix discovery integration tests * fixup integration * golf * clarity * Differentiate forward metadata * Update linkerd/app/outbound/src/discover.rs --------- Co-authored-by: Eliza Weisman <eliza@buoyant.io>
olix0r
reviewed
Mar 11, 2023
olix0r
reviewed
Mar 11, 2023
| let profiles = support::profile::resolver().profile(addr, profiles::Profile::default()); | ||
| svc::mk(move |OrigDstAddr(addr)| { | ||
| // TODO(eliza): policy! | ||
| profiles.clone().oneshot(profiles::LookupAddr(addr.into())) |
Member
There was a problem hiding this comment.
does this test care about profiles or policies at all, really? What are we testing?
Contributor
Author
There was a problem hiding this comment.
i don't think this test actually cares besides that it needs something it can construct an inner stack from. if we remove theFrom<(Option<profile::Receiver>, T)> impl for Discovery<T> (making both a policy rx mandatory), we will need to return both a policy and profile rx here as well.
i believe this test is testing the behavior of the push_discover stack, so we can't just remove that entirely.
olix0r
reviewed
Mar 11, 2023
olix0r
reviewed
Mar 11, 2023
Co-authored-by: Oliver Gould <ver@buoyant.io>
olix0r
reviewed
Mar 11, 2023
olix0r
reviewed
Mar 11, 2023
olix0r
reviewed
Mar 11, 2023
Make clearer assertions about supported routing states.
olix0r
added a commit
to linkerd/linkerd2
that referenced
this pull request
Mar 11, 2023
To support Gateway API-style routes in the outbound proxy, we need to begin discovering this route configuration from the control plane (via the new `OutboundPolicies` API). This change updates the proxy as follows: 1. Policy controller configuration is now required for the proxy. Previously, the policy API was optionally configured for the inbound proxy. 2. The sidecar and ingress proxies are updated to use client policies. Service profile configurations continue to be used when they include HTTP routes and/or traffic split. Otherwise, a client policy is used to route traffic. Outbound policies are currently discovered for *all* outbound IP addresses. Over time, the policy controller will assume responsibility to make *all* routing decisions. It does not yet serve responses for all cases, however, so some fallback behavior exists to use endpoint metadata from profile discovery, if it exists. The multi-cluster gateway configuration does not yet use policies for outbound routing. Furthermore, the proxy reports an IP logical address for policy routes (instead of a named address, as is done with profiles). There are no new metrics or labels introduced in this PR. Metrics changes will be made in follow-up changes. --- * outbound: Decouple backend caching from request distribution (linkerd/linkerd2-proxy#2284) * build(deps): bump socket2 from 0.4.7 to 0.4.9 (linkerd/linkerd2-proxy#2290) * README: comment just-cargo and make it more clear (linkerd/linkerd2-proxy#2292) * build(deps): bump prettyplease from 0.1.23 to 0.1.24 (linkerd/linkerd2-proxy#2293) * build(deps): bump tokio from 1.25.0 to 1.26.0 (linkerd/linkerd2-proxy#2286) * build(deps): bump petgraph from 0.6.2 to 0.6.3 (linkerd/linkerd2-proxy#2285) * client-policy: add protobuf conversion (linkerd/linkerd2-proxy#2289) * integration: add test policy controller (linkerd/linkerd2-proxy#2288) * outbound: change `push_discover` to take a `Service` (linkerd/linkerd2-proxy#2291) * build(deps): bump rustix from 0.36.7 to 0.36.9 (linkerd/linkerd2-proxy#2295) * build(deps): bump serde_json from 1.0.93 to 1.0.94 (linkerd/linkerd2-proxy#2296) * build(deps): bump async-trait from 0.1.64 to 0.1.66 (linkerd/linkerd2-proxy#2297) * build(deps): bump thiserror from 1.0.38 to 1.0.39 (linkerd/linkerd2-proxy#2298) * build(deps): bump mio from 0.8.5 to 0.8.6 (linkerd/linkerd2-proxy#2299) * separate policy client config from `inbound::Config` (linkerd/linkerd2-proxy#2307) * outbound: Require ClientPolicy discovery (linkerd/linkerd2-proxy#2265) Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r
added a commit
to linkerd/linkerd2
that referenced
this pull request
Mar 13, 2023
To support Gateway API-style routes in the outbound proxy, we need to begin discovering this route configuration from the control plane (via the new `OutboundPolicies` API). This change updates the proxy as follows: 1. Policy controller configuration is now required for the proxy. Previously, the policy API was optionally configured for the inbound proxy. 2. The sidecar and ingress proxies are updated to use client policies. Service profile configurations continue to be used when they include HTTP routes and/or traffic split. Otherwise, a client policy is used to route traffic. Outbound policies are currently discovered for *all* outbound IP addresses. Over time, the policy controller will assume responsibility to make *all* routing decisions. It does not yet serve responses for all cases, however, so some fallback behavior exists to use endpoint metadata from profile discovery, if it exists. The multi-cluster gateway configuration does not yet use policies for outbound routing. Furthermore, the proxy reports an IP logical address for policy routes (instead of a named address, as is done with profiles). There are no new metrics or labels introduced in this PR. Metrics changes will be made in follow-up changes. --- * outbound: Decouple backend caching from request distribution (linkerd/linkerd2-proxy#2284) * build(deps): bump socket2 from 0.4.7 to 0.4.9 (linkerd/linkerd2-proxy#2290) * README: comment just-cargo and make it more clear (linkerd/linkerd2-proxy#2292) * build(deps): bump prettyplease from 0.1.23 to 0.1.24 (linkerd/linkerd2-proxy#2293) * build(deps): bump tokio from 1.25.0 to 1.26.0 (linkerd/linkerd2-proxy#2286) * build(deps): bump petgraph from 0.6.2 to 0.6.3 (linkerd/linkerd2-proxy#2285) * client-policy: add protobuf conversion (linkerd/linkerd2-proxy#2289) * integration: add test policy controller (linkerd/linkerd2-proxy#2288) * outbound: change `push_discover` to take a `Service` (linkerd/linkerd2-proxy#2291) * build(deps): bump rustix from 0.36.7 to 0.36.9 (linkerd/linkerd2-proxy#2295) * build(deps): bump serde_json from 1.0.93 to 1.0.94 (linkerd/linkerd2-proxy#2296) * build(deps): bump async-trait from 0.1.64 to 0.1.66 (linkerd/linkerd2-proxy#2297) * build(deps): bump thiserror from 1.0.38 to 1.0.39 (linkerd/linkerd2-proxy#2298) * build(deps): bump mio from 0.8.5 to 0.8.6 (linkerd/linkerd2-proxy#2299) * separate policy client config from `inbound::Config` (linkerd/linkerd2-proxy#2307) * outbound: Require ClientPolicy discovery (linkerd/linkerd2-proxy#2265) * just: Fix docker tag formatting (linkerd/linkerd2-proxy#2312) * outbound: Report concrete authorities for policies (linkerd/linkerd2-proxy#2313) Signed-off-by: Oliver Gould <ver@buoyant.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This branch changes the outbound proxy to resolve client policies using
the
OutboundPolicyproxy-api service (added inlinkerd/linkerd2-proxy-api#165). The proxy will preferentially use an
OutboundPolicyresolution over aServiceProfileresolution in thecase that both are resolved and the
OutboundPolicyis not a defaultpolicy. If the
OutboundPolicyis a default policy, it is used onlywhen no
ServiceProfileis resolved. The ingress-mode proxy alsoperforms
OutboundPolicyresolutions.This branch also adds an implementation of the
OutboundPolicyserviceto the mock policy controller in
linkerd-app-integration, and someintegration tests for client policies (including header-based routing).
Some notes:
identifier environment variables are now mandatory, since the proxy
will always attempt to resolve outbound client policies.
OutboundPolicywill reportthe original destination address as their
LogicalAddr, rather thanan authority. In the future, we will change the way metrics, tap, and
error labels work to obviate the need for
LogicalAddrs, and usestructured metadata here instead.
TargetAddrtype, which is the targetaddress for both
ServiceProfileandOutboundPolicyresolutions,has to live in the
linkerd-client-policycrate. But unfortunately,it cannot be defined in
linkerd-app-outbound, as the direct stack inlinkerd-app-inboundmust also implementParam<TargetAddr>.follow-up PR for that ready shortly.