Enable identity by default for all benchmarks#2
Merged
olix0r merged 5 commits intoolix0r:mainfrom Aug 18, 2020
Merged
Conversation
This was referenced Aug 10, 2020
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
95389b4 to
74948a3
Compare
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
olix0r
reviewed
Aug 17, 2020
kleimkuhler
added a commit
to linkerd/linkerd2-proxy
that referenced
this pull request
Aug 17, 2020
## Motivation The proxy identity-initializing wrapper is responsible for generating a CSR and key for the proxy upon startup. These files (located in `end-entity/`) are used by the proxy for establishing identity. When mocking identity, we'd like to be able to provide a pre-generated CSR and key so that we can expect certain certificates in the Signed certificate request. Therefore, when building a proxy to be used with mock identity there should be a way to remove this wrapper so that the identity files are not overwritten. ## Solution Introduce a new `SKIP_IDENTITY_WRAPPER` build-arg that when set, removes the proxy identity-initializing script that is run at starup. The use of it below will build a proxy with the `mock-orig-dst` feature and skip identity generation. ``` :; docker buildx build . --build-arg PROXY_FEATURES=mock-orig-dst --build-arg SKIP_IDENTITY_WRAPPER=1 --load --tag=kevinlbuoyant/l2-proxy:proxy-identity-v1 ``` I have confirmed this works with the changes in olix0r/l2-proxy-harness#2. Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Identity can now be enabled in bechmarks using the CSR, key, and signed
certificate generated by
gen-certs.sh.By default, this creates the
foo.ns1.serviceaccount.identity.linkerd.cluster.localidentity and it's filesare located in
identity/.This must be run with with a proxy built from the changes introduced by
linkerd/linkerd2-proxy#624. You can use
kevinlbuoyant/l2-proxy:proxy-identity-v1until that merges inmain.With identity being enabled by default, running the high concurrency tests is
done with:
Identity can be disabled by setting the
PROXY_IDENTITY_DISABLEDenv variable:If you make changes to the identity created by
gen-certs.sh, you can specifythe identity that the single proxy for use with the
PROXY_IDENTITY_LOCAL_NAMEenv variable.
Signed-off-by: Kevin Leimkuhler kevin@kleimkuhler.com