Merged
Conversation
Currently, `linkerd-app-outbound`'s stack tests construct a discovery service for `push_discover` which only discovers service profiles, and does not resolve client policies. This works fine currently, as `Discovery` can be constructed with only a profile receiver, as the client policy receiver is optional. However, when we add client policy discovery to the gateway, we will be able to make the policy receiver no longer optional, as a client policy will always be discovered. In that case, these tests will no longer compile. Therefore, this branch adds an implementation of a mock client policy resolver in `linkerd-test`, and updates these stack tests to actually use it. This was factored out of the change that actually adds policy discovery to the gateway, and is a prerequisite for that change.
olix0r
reviewed
Mar 14, 2023
linkerd/app/test/src/resolver.rs
Outdated
Comment on lines
+35
to
+36
| #[cfg(feature = "client-policy")] | ||
| pub type ClientPolicies = Resolver<Addr, watch::Receiver<client_policy::ClientPolicy>>; |
Member
There was a problem hiding this comment.
Is it worth sticking this stuff into a new file/submodule? We can minimize cfg blocks to the top level module
Contributor
Author
There was a problem hiding this comment.
yeah, i also thought about this, didn't do it because there were just a couple impl blocks, but then it rapidly grew in size...
olix0r
approved these changes
Mar 14, 2023
hawkw
added a commit
that referenced
this pull request
Mar 14, 2023
Depends on #2314. Currently, the gateway stack does not resolve client policies, and only uses service profiles for client-side policy discovery. This branch updates the gateway proxy to also perform client policy discovery, similarly to the outbound proxy. Because all outbound stacks, including the one constructed by the gateway, will now discover client policies, the client policy `Receiver` in the `Discovery` type, which is currently an `Option`, can now be made non-optional. This simplifies some code a little bit and removes some `expect`s.
hawkw
added a commit
to linkerd/linkerd2
that referenced
this pull request
Mar 15, 2023
This proxy release changes the multicluster gateway to discover Gateway API routes via the `OutboundPolicy` API. This builds on the similar changes to the outbound proxy in v2.192. --- * gateway: discover client policies from the policy controller (linkerd/linkerd2-proxy#2315) * build(deps): bump windows_x86_64_msvc from 0.42.1 to 0.42.2 (linkerd/linkerd2-proxy#2319) * build(deps): bump proc-macro2 from 1.0.51 to 1.0.52 (linkerd/linkerd2-proxy#2320) * outbound: Apply filters to outbound requests (linkerd/linkerd2-proxy#2260) * test: add mock client policy resolver (linkerd/linkerd2-proxy#2314) * build(deps): bump tj-actions/changed-files from 35.6.4 to 35.7.0 (linkerd/linkerd2-proxy#2318) * build(deps): bump axum from 0.6.10 to 0.6.11 (linkerd/linkerd2-proxy#2321) * build(deps): bump ryu from 1.0.12 to 1.0.13 (linkerd/linkerd2-proxy#2322) * build(deps): bump windows_x86_64_gnullvm from 0.42.1 to 0.42.2 (linkerd/linkerd2-proxy#2323) * outbound: Eagerly cancel synthesized profile task (linkerd/linkerd2-proxy#2317) * outbound: Simplify discovery debug logging (linkerd/linkerd2-proxy#2316) * build(deps): bump tj-actions/changed-files from 35.6.1 to 35.6.4 (linkerd/linkerd2-proxy#2309)
olix0r
added a commit
to linkerd/linkerd2
that referenced
this pull request
Mar 21, 2023
* proxy: v2.193.0 This proxy release changes the multicluster gateway to discover Gateway API routes via the `OutboundPolicy` API. This builds on the similar changes to the outbound proxy in v2.192. --- * gateway: discover client policies from the policy controller (linkerd/linkerd2-proxy#2315) * build(deps): bump windows_x86_64_msvc from 0.42.1 to 0.42.2 (linkerd/linkerd2-proxy#2319) * build(deps): bump proc-macro2 from 1.0.51 to 1.0.52 (linkerd/linkerd2-proxy#2320) * outbound: Apply filters to outbound requests (linkerd/linkerd2-proxy#2260) * test: add mock client policy resolver (linkerd/linkerd2-proxy#2314) * build(deps): bump tj-actions/changed-files from 35.6.4 to 35.7.0 (linkerd/linkerd2-proxy#2318) * build(deps): bump axum from 0.6.10 to 0.6.11 (linkerd/linkerd2-proxy#2321) * build(deps): bump ryu from 1.0.12 to 1.0.13 (linkerd/linkerd2-proxy#2322) * build(deps): bump windows_x86_64_gnullvm from 0.42.1 to 0.42.2 (linkerd/linkerd2-proxy#2323) * outbound: Eagerly cancel synthesized profile task (linkerd/linkerd2-proxy#2317) * outbound: Simplify discovery debug logging (linkerd/linkerd2-proxy#2316) * build(deps): bump tj-actions/changed-files from 35.6.1 to 35.6.4 (linkerd/linkerd2-proxy#2309) * proxy: v2.193.1 * outbound: fix `Balance::Dispatch` "authority" labels (linkerd/linkerd2-proxy#2332) * outbound: refactor `discover::resolver` into a method (linkerd/linkerd2-proxy#2331) * proxy: v2.193.2 Both outbound and gateway proxies now resolve client policies from the OutboundPolicies API. When the outbound proxy attempts to discover a policy and the policy controller returns NotFound, it synthesizes a default policy from the discovered ServiceProfile. However, when the gateway proxy receives a NotFound, it will currently fail the connection, based on the assumption that only valid cluster DNS names are gatewayed (and not arbitrary IPs that might be forwards). Unfortunately, this is not quite true. Gateway proxies may attempt to discover cluster DNS names that are Pod DNS names, rather than Service DNS names, and the policy controller will return NotFound for those names. This branch therefore changes the gateway proxy to also synthesize default ClientPolicies based on the ServiceProfile when receiving a NotFound status. Some of the code for synthesizing a client policy from a ServiceProfile that's currently used in the outbound proxy was factored out so that it could be reused here. --- * gateway: move discovery resolver into its own file (linkerd/linkerd2-proxy#2343) * outbound: Fix incorrect l5d-proxy-connection logs (linkerd/linkerd2-proxy#2344) * gateway: synthesize ClientPolicies when the controller returns `NotFound` (linkerd/linkerd2-proxy#2333) Signed-off-by: Oliver Gould <ver@buoyant.io> --------- Signed-off-by: Oliver Gould <ver@buoyant.io> Co-authored-by: Oliver Gould <ver@buoyant.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Currently,
linkerd-app-outbound's stack tests construct a discovery service forpush_discoverwhich only discovers service profiles, and does not resolve client policies. This works fine currently, asDiscoverycan be constructed with only a profile receiver, as the client policy receiver is optional.However, when we add client policy discovery to the gateway, we will be able to make the policy receiver no longer optional, as a client policy will always be discovered. In that case, these tests will no longer compile. Therefore, this branch adds an implementation of a mock client policy resolver in
linkerd-test, and updates these stack tests to actually use it.This was factored out of the change that actually adds policy discovery to the gateway, and is a prerequisite for that change.