
gateway: synthesize ClientPolicies when the controller returns NotFound#2333

Merged
olix0r merged 8 commits into main from eliza/synthesize-gateway-policies on Mar 21, 2023

Conversation


@hawkw hawkw commented Mar 15, 2023

Depends on #2343

Both outbound and gateway proxies now resolve client policies from the
OutboundPolicies API. When the outbound proxy attempts to discover a
policy and the policy controller returns NotFound, it synthesizes a
default policy from the discovered ServiceProfile. However, when the
gateway proxy receives a NotFound, it will currently fail the
connection, based on the assumption that only valid cluster DNS names
are gatewayed (and not arbitrary IPs that might be forwards).
Unfortunately, this is not quite true. Gateway proxies may attempt to
discover cluster DNS names that are Pod DNS names, rather than Service
DNS names, and the policy controller will return NotFound for those
names.

This branch therefore changes the gateway proxy to also synthesize
default ClientPolicies based on the ServiceProfile when receiving a
NotFound status. Some of the code for synthesizing a client policy
from a ServiceProfile that's currently used in the outbound proxy was
factored out so that it could be reused here.
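The fallback the description above asks for, as an added illustration that is not linkerd2-proxy code: one shared `synthesize_from_profile` helper, a `resolve` function that treats `NotFound` (and only `NotFound`) as "synthesize a default from the ServiceProfile", and the old gateway behaviour kept beside it for comparison. All type names, fields and the sample Pod DNS name are assumptions constructed for this example.

```rust
// Added illustration (not linkerd2-proxy code). Every type and function
// name here is an assumption; the real proxy's types are richer.
use std::collections::HashMap;

/// What the policy controller can answer for a discovery lookup.
#[derive(Debug, Clone, PartialEq)]
pub enum ControllerResponse {
    Found(ClientPolicy),
    NotFound,
    /// Any other failure (transport error, permission denied, ...).
    Error(String),
}

/// Minimal stand-in for a discovered ServiceProfile (constructed shape).
#[derive(Debug, Clone, PartialEq)]
pub struct ServiceProfile {
    pub fully_qualified_name: String,
    /// Per-route timeouts keyed by route name (toy field).
    pub route_timeouts_ms: HashMap<String, u64>,
}

/// Minimal stand-in for a ClientPolicy (constructed shape).
#[derive(Debug, Clone, PartialEq)]
pub struct ClientPolicy {
    pub target: String,
    pub route_timeouts_ms: HashMap<String, u64>,
    /// True when the policy was built locally instead of by the controller,
    /// so logs and metrics can tell the two apart.
    pub synthesized: bool,
}

/// Shared helper: build a default ClientPolicy from a ServiceProfile.
/// Factored out so the outbound and gateway paths use identical defaults.
pub fn synthesize_from_profile(profile: &ServiceProfile) -> ClientPolicy {
    ClientPolicy {
        target: profile.fully_qualified_name.clone(),
        route_timeouts_ms: profile.route_timeouts_ms.clone(),
        synthesized: true,
    }
}

/// Outcome of one resolution attempt.
#[derive(Debug, PartialEq)]
pub enum Resolution {
    Policy(ClientPolicy),
    /// The connection must be failed; carries the reason.
    Fail(String),
}

/// Resolve a client policy for `profile` given the controller's answer.
/// Only NotFound falls back to synthesis; any other error still fails the
/// connection, so an unreachable or broken controller is not papered over
/// with silently synthesized defaults.
pub fn resolve(profile: &ServiceProfile, response: ControllerResponse) -> Resolution {
    match response {
        ControllerResponse::Found(policy) => Resolution::Policy(policy),
        ControllerResponse::NotFound => Resolution::Policy(synthesize_from_profile(profile)),
        ControllerResponse::Error(e) => Resolution::Fail(format!(
            "policy discovery for {} failed: {e}",
            profile.fully_qualified_name
        )),
    }
}

/// The gateway's behaviour before this change: NotFound is fatal.
pub fn resolve_gateway_before(profile: &ServiceProfile, response: ControllerResponse) -> Resolution {
    match response {
        ControllerResponse::Found(policy) => Resolution::Policy(policy),
        ControllerResponse::NotFound => Resolution::Fail(format!(
            "no policy for {}",
            profile.fully_qualified_name
        )),
        ControllerResponse::Error(e) => Resolution::Fail(e),
    }
}

fn main() {
    // Constructed sample: a StatefulSet Pod DNS name rather than a Service
    // name, for which the controller has no policy and answers NotFound.
    let profile = ServiceProfile {
        fully_qualified_name: "web-0.web.default.svc.cluster.local".into(),
        route_timeouts_ms: HashMap::from([("default".to_string(), 3_000)]),
    };
    println!("before: {:?}", resolve_gateway_before(&profile, ControllerResponse::NotFound));
    println!("after:  {:?}", resolve(&profile, ControllerResponse::NotFound));
}
```

The `synthesized` flag is the one design choice worth copying: when a proxy falls back to defaults, the fallback should be visible in its diagnostics rather than indistinguishable from a controller-issued policy.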

@hawkw hawkw marked this pull request as ready for review March 15, 2023 22:08
@hawkw hawkw requested a review from a team as a code owner March 15, 2023 22:08
@hawkw hawkw requested a review from olix0r March 16, 2023 17:54
hawkw added a commit that referenced this pull request Mar 17, 2023
This branch moves the `Gateway::discover` method from
`gateway/src/server.rs` into its own file. This is to prepare for future
changes that will add more discovery-related logic to the gateway proxy,
which made sense to put in its own module (see #2333 for details). In
addition, I renamed the `Gateway::discover` method to
`Gateway::resolver`, for consistency with the similar method on
`Outbound`.

No functional changes.
@hawkw hawkw force-pushed the eliza/synthesize-gateway-policies branch from f1eba76 to 7c756d8 on March 17, 2023 16:58
@hawkw hawkw changed the base branch from main to eliza/move-gateway-discover March 17, 2023 16:58
Base automatically changed from eliza/move-gateway-discover to main March 17, 2023 17:14
@hawkw hawkw force-pushed the eliza/synthesize-gateway-policies branch from 7c756d8 to 8944489 on March 17, 2023 17:16
@hawkw hawkw requested a review from olix0r March 17, 2023 17:30
@olix0r olix0r merged commit 103a480 into main Mar 21, 2023
@olix0r olix0r deleted the eliza/synthesize-gateway-policies branch March 21, 2023 14:38
olix0r added a commit to linkerd/linkerd2 that referenced this pull request Mar 21, 2023
Both outbound and gateway proxies now resolve client policies from the
OutboundPolicies API. When the outbound proxy attempts to discover a
policy and the policy controller returns NotFound, it synthesizes a
default policy from the discovered ServiceProfile. However, when the
gateway proxy receives a NotFound, it will currently fail the
connection, based on the assumption that only valid cluster DNS names
are gatewayed (and not arbitrary IPs that might be forwards).
Unfortunately, this is not quite true. Gateway proxies may attempt to
discover cluster DNS names that are Pod DNS names, rather than Service
DNS names, and the policy controller will return NotFound for those
names.

This branch therefore changes the gateway proxy to also synthesize
default ClientPolicies based on the ServiceProfile when receiving a
NotFound status. Some of the code for synthesizing a client policy
from a ServiceProfile that's currently used in the outbound proxy was
factored out so that it could be reused here.

---

* gateway: move discovery resolver into its own file (linkerd/linkerd2-proxy#2343)
* outbound: Fix incorrect l5d-proxy-connection logs (linkerd/linkerd2-proxy#2344)
* gateway: synthesize ClientPolicies when the controller returns `NotFound` (linkerd/linkerd2-proxy#2333)

Signed-off-by: Oliver Gould <ver@buoyant.io>
olix0r added a commit to linkerd/linkerd2 that referenced this pull request Mar 21, 2023
* proxy: v2.193.0

This proxy release changes the multicluster gateway to discover Gateway
API routes via the `OutboundPolicy` API. This builds on the similar
changes to the outbound proxy in v2.192.

---

* gateway: discover client policies from the policy controller (linkerd/linkerd2-proxy#2315)
* build(deps): bump windows_x86_64_msvc from 0.42.1 to 0.42.2 (linkerd/linkerd2-proxy#2319)
* build(deps): bump proc-macro2 from 1.0.51 to 1.0.52 (linkerd/linkerd2-proxy#2320)
* outbound: Apply filters to outbound requests (linkerd/linkerd2-proxy#2260)
* test: add mock client policy resolver (linkerd/linkerd2-proxy#2314)
* build(deps): bump tj-actions/changed-files from 35.6.4 to 35.7.0 (linkerd/linkerd2-proxy#2318)
* build(deps): bump axum from 0.6.10 to 0.6.11 (linkerd/linkerd2-proxy#2321)
* build(deps): bump ryu from 1.0.12 to 1.0.13 (linkerd/linkerd2-proxy#2322)
* build(deps): bump windows_x86_64_gnullvm from 0.42.1 to 0.42.2 (linkerd/linkerd2-proxy#2323)
* outbound: Eagerly cancel synthesized profile task (linkerd/linkerd2-proxy#2317)
* outbound: Simplify discovery debug logging (linkerd/linkerd2-proxy#2316)
* build(deps): bump tj-actions/changed-files from 35.6.1 to 35.6.4 (linkerd/linkerd2-proxy#2309)

* proxy: v2.193.1

* outbound: fix `Balance::Dispatch` "authority" labels (linkerd/linkerd2-proxy#2332)
* outbound: refactor `discover::resolver` into a method (linkerd/linkerd2-proxy#2331)

* proxy: v2.193.2

Both outbound and gateway proxies now resolve client policies from the
OutboundPolicies API. When the outbound proxy attempts to discover a
policy and the policy controller returns NotFound, it synthesizes a
default policy from the discovered ServiceProfile. However, when the
gateway proxy receives a NotFound, it will currently fail the
connection, based on the assumption that only valid cluster DNS names
are gatewayed (and not arbitrary IPs that might be forwards).
Unfortunately, this is not quite true. Gateway proxies may attempt to
discover cluster DNS names that are Pod DNS names, rather than Service
DNS names, and the policy controller will return NotFound for those
names.

This branch therefore changes the gateway proxy to also synthesize
default ClientPolicies based on the ServiceProfile when receiving a
NotFound status. Some of the code for synthesizing a client policy
from a ServiceProfile that's currently used in the outbound proxy was
factored out so that it could be reused here.

---

* gateway: move discovery resolver into its own file (linkerd/linkerd2-proxy#2343)
* outbound: Fix incorrect l5d-proxy-connection logs (linkerd/linkerd2-proxy#2344)
* gateway: synthesize ClientPolicies when the controller returns `NotFound` (linkerd/linkerd2-proxy#2333)

Signed-off-by: Oliver Gould <ver@buoyant.io>

---------

Signed-off-by: Oliver Gould <ver@buoyant.io>
Co-authored-by: Oliver Gould <ver@buoyant.io>