Require identity on tap requests

[kleimkuhler]

Motivation

With linkerd/linkerd2#3155 merging, proxy containers will now always have the LINKERD2_PROXY_TAP_SVC_NAME variable in their environment. This variable can now be reliably used to check that the client names of incoming tap requests match this value.

If the values do not match, we will always return the gRPC Unauthenticated status code. If the values do match, we will accept the connection.

If there is no client identity, we will similarly return the gRPC Unauthenticated status code.

Closes linkerd/linkerd2#3157
Closes linkerd/linkerd2#3163

Signed-off by: Kevin Leimkuhler kleimkuhler@icloud.com

[adleong]

If the environment variable is not provided, this will return Unauthenticated on every request? Wouldn't it be better to simply error out at startup time if the variable is missing?

Or, rather, how does this interact with the setting to disable the tap server? I'd expect this behavior:

Tap disabled + No tap svc name => Don't listen on the tap port
Tap disabled + tap svc name => Don't listen on the tap port
Tap enabled + No tap svc name => config error on startup
Tap enabled + tap svc name => listen on tap port and require client name to match

[kleimkuhler]

@adleong @hawkw Tap has now been tied to identity in the proxy config. This prevents a user from accidentally setting up a proxy environment where there is an error in expecting tap to work if identity has been explicitly disabled.

The behavior now ensures that if identity has been disabled, tap must also be explicitly disabled. If identity is enabled, then tap can either be enabled or disabled.

Once the above configuration has been verified, if tap is disabled then the tap service name is set to None. If tap is enabled, then LINKERD2_PROXY_TAP_SVC_NAME must be set.

[adleong]

What do you think about changing the type of Config.control_listener from Option<Listener> to Option<(Listener, identity::Name)> and getting rid of the config.tap_svc_name field? This structurally enforces that a tap server MUST have a name.

This lets us consolidate parse_control_listener and parse_tap_svc_name into one function and brings all the tap config error handling into one place.

It also simplifies serve_tap since we can be guaranteed that there will be tap_svc_name.

[kleimkuhler]

@adleong serve_tap now assumes that LINKERD2_PROXY_TAP_SVC_NAME is set in the environment if it is spawning the tap server!

[kleimkuhler]

I kept this as a tuple because we destructure it right away here. I could be convinced to add a similar TapSettings type in tap.rs, but after trying that out it seemed like a lot of boilerplate for not much of an abstraction.

[hawkw]

@kleimkuhler FWIW, it looks like we also access a field of the tuple here, which is a little unclear out of context (though not a big deal).

[kleimkuhler]

Yep I should have pointed that out too. For the clarity we gain in that access though, it still seemed a little unnecessary to add a new struct for it.

[hawkw]

I noticed some potential test improvements + some other nits that are not really blocking.

[hawkw]

Nit/TIOLI: If this is tap-specific, and contains more than just a listener configuration, what do you think of renaming the field to tap_settings or something?

[kleimkuhler]

Yep sounds good!

[kleimkuhler]

@hawkw A naming change like this touches a few places in main.rs that were not before. I may default to a separate PR to keep the diff down. I feel like we usually default to this so I'm going to as well in this case.

[kleimkuhler]

Especially since @adleong has already approved. I don't want to introduce additional changes that were not there before

[hawkw]

@kleimkuhler FWIW, it looks like we also access a field of the tuple here, which is a little unclear out of context (though not a big deal).

[adleong]

⭐ 🗜

[kleimkuhler]

I opened linkerd/linkerd2#3197 to track renaming control_listener and possible LINKERD2_PROXY_CONTROL_LISTEN_ADDR