Introduce the Identity controller implementation#2521
Conversation
olix0r
changed the title
olix0r
force-pushed
the
ver/identity-service
branch
from
22c79bd to
b4b3bbf
Compare
olix0r
force-pushed
the
ver/identity-service
branch
from
b4b3bbf to
00225b5
Compare
This change introduces a new Identity service implementation for the `io.linkerd.proxy.identity.Identity` gRPC service. The `pkg/identity` contains a core, abstract implentation of the service (generic over both the CA and (Kubernetes) Validator interfaces). `controller/identity` inclues a concrete implementation that uses the Kubernetes TokenReview API to validate serviceaccount tokens when issuing certificates. This change does **NOT** alter installation or runtime to include the identity service. This will be included in a follow-up.
olix0r
force-pushed
the
ver/identity-service
branch
from
00225b5 to
771e7a3
Compare
klingerf
left a comment
klingerf
left a comment
There was a problem hiding this comment.
Nice, seems like a good approach. I just had a bunch of misc feedback. It would also be good see some tests in the controller/identity package, but doesn't have to happen as part of this PR.
| // Register registers an identity service implementation in the provided gRPC | ||
| // server. | ||
| func Register(g *grpc.Server, s *Service) { | ||
| pb.RegisterIdentityServer(g, s) |
There was a problem hiding this comment.
This doesn't compile for me. Our pattern in most of our other gRPC servers is to include a NewServer initialization func that handles registration and returns *grpc.Server and net.Listener. For instance:
linkerd2/controller/tap/server.go
Lines 430 to 452 in 81f645d
Can we do something like that here?
There was a problem hiding this comment.
This pkg module is intentionally kubernetes-agnostic; and it exposes this helper so that the caller doesn't need to import the protobuf library just for this one call.
It would be a shame to make this module pull in a kubernetes dependency just for this builder. But perhaps the controller module should export a constructor like this?
There was a problem hiding this comment.
The point about kubernetes isn't exactly relevant I guess.. but the larger point is that the pkg/ module is just a "library" and doesn't have any grpc.Server/net.Listener dependencies -- it only deals in the interfaces. I think the controller/identity package should be responsible for this, if we care to split out of the main...
There was a problem hiding this comment.
Ah, sorry, I didn't even realize that this file was in pkg. I'd expect a file that implements a controller gRPC interface to be in controller, not pkg. How would you feel about moving this file to controller/identity? It would also be ok to leave it in pkg, if controller/identity provided a NewServer func like I suggested. But that said, it feels weird to have something that satisfies the IdentityServer interface defined outside of the controller directory.
Btw I totally agree that none of the pkg/... packages should depend on the controller/... packages, with the exception of controller/gen/... (which we should move out of the controller directory anyway). It looks like we abide by that for the most part, with a few lapses:
pkg/healthcheck/healthcheck.go: "github.com/linkerd/linkerd2/controller/api/public"
pkg/profiles/tap.go: "github.com/linkerd/linkerd2/controller/api/util"
There was a problem hiding this comment.
My thought process is the following: pkg/identity implements the grpc interface in terms of two other interfaces: Validator, and Issuer. The controller, which handles configuration and runtime logic, builds a validator and Issuer. I structured this specifically this way because I know of another user that wants to implement another identity service. Providing a clear library interface for implementing this seemed preferable to bundling the logical service and the concrete server.
There was a problem hiding this comment.
Ok, that all makes sense. Since this implementation deviates from the implementation of the rest of our gRPC services in the project, it's adding complexity to the codebase. We can certainly justify the complexity, as it exists to satisfy some external use case, but I wanted to at least note it.
|
@klingerf I've addressed most of your feedback. I can't reproduce the compilation errors you're seeing, so I have not fixed those. And I would prefer to keep |
klingerf
left a comment
klingerf
left a comment
There was a problem hiding this comment.
⭐️ Thanks for making those updates, and sorry for the compilation comments -- my vendored deps had gotten into a weird state. After reinstalling them, everything builds as expected. I had one more comment about project organization, but would be fine addressing that in a separate branch. 🚢
| // Register registers an identity service implementation in the provided gRPC | ||
| // server. | ||
| func Register(g *grpc.Server, s *Service) { | ||
| pb.RegisterIdentityServer(g, s) |
There was a problem hiding this comment.
Ah, sorry, I didn't even realize that this file was in pkg. I'd expect a file that implements a controller gRPC interface to be in controller, not pkg. How would you feel about moving this file to controller/identity? It would also be ok to leave it in pkg, if controller/identity provided a NewServer func like I suggested. But that said, it feels weird to have something that satisfies the IdentityServer interface defined outside of the controller directory.
Btw I totally agree that none of the pkg/... packages should depend on the controller/... packages, with the exception of controller/gen/... (which we should move out of the controller directory anyway). It looks like we abide by that for the most part, with a few lapses:
pkg/healthcheck/healthcheck.go: "github.com/linkerd/linkerd2/controller/api/public"
pkg/profiles/tap.go: "github.com/linkerd/linkerd2/controller/api/util"
klingerf
left a comment
klingerf
left a comment
There was a problem hiding this comment.
⭐️ Thanks for the additional info. Just had a few follow-up comments, but looks good to me.
| // Register registers an identity service implementation in the provided gRPC | ||
| // server. | ||
| func Register(g *grpc.Server, s *Service) { | ||
| pb.RegisterIdentityServer(g, s) |
There was a problem hiding this comment.
Ok, that all makes sense. Since this implementation deviates from the implementation of the rest of our gRPC services in the project, it's adding complexity to the codebase. We can certainly justify the complexity, as it exists to satisfy some external use case, but I wanted to at least note it.
#2521 introduces an "Identity" controller, but there is no way to include it in linkerd installation. This change alters the `install` flow as follows: - An Identity service is _always_ installed; - Issuer credentials may be specified via the CLI; - If no Issuer credentials are provided, they are generated each time `install` is called. - It's possible to override the credential generation logic, especially for tests; - Proxies are NOT configured to use the identity service.
alpeb
left a comment
alpeb
left a comment
There was a problem hiding this comment.
It all looked great to me 👍 I just added some nits below.
klingerf
left a comment
klingerf
left a comment
There was a problem hiding this comment.
⭐️ Latest updates look great -- thanks for making those changes.
alpeb
left a comment
alpeb
left a comment
There was a problem hiding this comment.
Just one typo, and good to go IMO 
#2521 introduces an "Identity" controller, but there is no way to include it in linkerd installation. This change alters the `install` flow as follows: - An Identity service is _always_ installed; - Issuer credentials may be specified via the CLI; - If no Issuer credentials are provided, they are generated each time `install` is called. - Proxies are NOT configured to use the identity service. - It's possible to override the credential generation logic---especially for tests---via install options that can be configured via the CLI.
#2521 introduces an "Identity" controller, but there is no way to include it in linkerd installation. This change alters the `install` flow as follows: - An Identity service is _always_ installed; - Issuer credentials may be specified via the CLI; - If no Issuer credentials are provided, they are generated each time `install` is called. - Proxies are NOT configured to use the identity service. - It's possible to override the credential generation logic---especially for tests---via install options that can be configured via the CLI.
## stable-2.14.5 This stable release fixes a proxy regression where bursts of TCP connections could result in EOF errors, due to an incorrect queue capacity. In addition, it includes fixes for the control plane, dependency upgrades, and support for image digests in Linkerd manifests. * Added a controlPlaneVersion override to the `linkerd-control-plane`` Helm chart to support including SHA256 image digests in Linkerd manifests (thanks @cromulentbanana!) ([#11406]; fixes [#11312]) * Added a `checksum/config `annotation to the destination and proxy injector deployment manifests, to force restarting those workloads whenever their webhook secrets change during upgrade (thanks @iAnomaly!) ([#11440]; fixes [#6940]) * Updated the Policy controller's OpenSSL dependency to v3, as OpenSSL 1.1.1 is EOL ([#11625]) * proxy: Increased `DEFAULT_OUTBOUND_TCP_QUEUE_CAPACITY` to prevent EOF errors during bursts of TCP connections (proxy PR [#2521][proxy-2521]) [#11406]: #11406 [#11312]: #11312 [#11440]: #11440 [#6940]: #6940 [#11625]: #11625 [proxy-2521]: linkerd/linkerd2-proxy#2521
## stable-2.14.5 This stable release fixes a proxy regression where bursts of TCP connections could result in EOF errors, due to an incorrect queue capacity. In addition, it includes fixes for the control plane, dependency upgrades, and support for image digests in Linkerd manifests. * Added a controlPlaneVersion override to the `linkerd-control-plane`` Helm chart to support including SHA256 image digests in Linkerd manifests (thanks @cromulentbanana!) ([#11406]; fixes [#11312]) * Added a `checksum/config `annotation to the destination and proxy injector deployment manifests, to force restarting those workloads whenever their webhook secrets change during upgrade (thanks @iAnomaly!) ([#11440]; fixes [#6940]) * Updated the Policy controller's OpenSSL dependency to v3, as OpenSSL 1.1.1 is EOL ([#11625]) * proxy: Increased `DEFAULT_OUTBOUND_TCP_QUEUE_CAPACITY` to prevent EOF errors during bursts of TCP connections (proxy PR [#2521][proxy-2521]) [#11406]: #11406 [#11312]: #11312 [#11440]: #11440 [#6940]: #6940 [#11625]: #11625 [proxy-2521]: linkerd/linkerd2-proxy#2521
## stable-2.14.5 This stable release fixes a proxy regression where bursts of TCP connections could result in EOF errors, due to an incorrect queue capacity. In addition, it includes fixes for the control plane, dependency upgrades, and support for image digests in Linkerd manifests. * Added a controlPlaneVersion override to the `linkerd-control-plane`` Helm chart to support including SHA256 image digests in Linkerd manifests (thanks @cromulentbanana!) ([#11406]; fixes [#11312]) * Added a `checksum/config `annotation to the destination and proxy injector deployment manifests, to force restarting those workloads whenever their webhook secrets change during upgrade (thanks @iAnomaly!) ([#11440]; fixes [#6940]) * Updated the Policy controller's OpenSSL dependency to v3, as OpenSSL 1.1.1 is EOL ([#11625]) * proxy: Increased `DEFAULT_OUTBOUND_TCP_QUEUE_CAPACITY` to prevent EOF errors during bursts of TCP connections (proxy PR [#2521][proxy-2521]) [#11406]: #11406 [#11312]: #11312 [#11440]: #11440 [#6940]: #6940 [#11625]: #11625 [proxy-2521]: linkerd/linkerd2-proxy#2521
3 participants
This change introduces a new Identity service implementation for the
ioo.linkerd.proxy.identity.IdentitygRPC service.The
pkg/identitycontains a core, abstract implentation of the service(generic over both the CA and (Kubernetes) Validator interfaces).
controller/identityinclues a concrete implementation that uses theKubernetes TokenReview API to validate serviceaccount tokens when
issuing certificates.
This change does NOT alter installation or runtime to include the
identity service. This will be included in a follow-up.