multicluster: Use the proxy as an HTTP gateway #4528

Merged
olix0r merged 13 commits into master from ver/proxy-gateway
Jun 3, 2020

@olix0r olix0r commented Jun 1, 2020

This change introduces a new annotation,
config.linkerd.io/enable-gateway, that, when set, enables the proxy to
act as a gateway, routing all traffic targeting the inbound listener
through the outbound proxy.

This also removes the nginx default listener and gateway port of 4180,
instead using 4143 (the inbound port).

This includes an update to the proxy version v2.99.0.

The proxy can now operate as gateway, routing requests from its inbound
proxy to the outbound proxy, without passing the requests to a local
application. This supports Linkerd's multicluster feature by adding a
Forwarded header to propagate the original client identity and assist
in loop detection.


olix0r added 5 commits June 1, 2020 22:31
The proxy can now operate as gateway, routing requests from its inbound
proxy to the outbound proxy, without passing the requests to a local
application. This supports Linkerd's multicluster feature by adding a
`Forwarded` header to propagate the original client identity and assist
in loop detection.

---

* Add loop detection to inbound & TCP forwarding (linkerd/linkerd2-proxy#527)
* Test loop detection (linkerd/linkerd2-proxy#532)
* fallback: Unwrap errors recursively (linkerd/linkerd2-proxy#534)
* app: Split inbound/outbound constructors into components (linkerd/linkerd2-proxy#533)
* Introduce a gateway between inbound and outbound (linkerd/linkerd2-proxy#540)
* gateway: Add a Forwarded header (linkerd/linkerd2-proxy#544)
* gateway: Return errors instead of responses (linkerd/linkerd2-proxy#547)
* Fail requests that loop through the gateway (linkerd/linkerd2-proxy#545)
@zaharidichev

I verified that this works with the k3d script

@olix0r olix0r marked this pull request as ready for review June 2, 2020 15:23
@olix0r olix0r changed the title Ver/proxy gateway multicluster: Use the proxy as an HTTP gateway Jun 2, 2020
@olix0r olix0r requested a review from a team June 2, 2020 15:24
alpeb commented Jun 2, 2020

Note that the merge brought the "linkerd-gateway-probe": must be no more than 15 characters problem

@olix0r olix0r requested a review from kleimkuhler as a code owner June 2, 2020 17:28
zaharidichev commented Jun 2, 2020

For anyone who wants to test this, I have verified it works with this branch olix0r/l2-k3d-multi#2

@zaharidichev zaharidichev left a comment

LGTM

- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR
value: 0.0.0.0:{{.Values.global.proxy.ports.inbound}}
{{ if .Values.global.proxy.isGateway -}}
- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES
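
Review bot: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES appears under the `{{ if .Values.global.proxy.isGateway -}}` conditional with no comment on what it controls, while the inbound listener just above binds 0.0.0.0. Add a template comment stating that names matching these suffixes are forwarded to the outbound proxy instead of a local application, and keep the suffix list as narrow as the deployment allows. The value line and the closing `{{ end }}` are not visible in this excerpt, so neither can be checked here.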
Member

What are the semantics of this variable? When set, any requests to the inbound listener that match this suffix will be routed directly to the outbound proxy?

Member Author

Correct. (After DNS resolution)
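
An added sketch, not code from this PR or from linkerd2-proxy, of the two behaviours discussed in the description and in this review thread: suffix-based routing of inbound requests to the outbound side, and loop detection through the `Forwarded` header. The `Decision` type, the function names, the identity strings and the `by=`/`for=`/`host=` layout (RFC 7239 parameter syntax) are all assumptions made for illustration.

```rust
// Added illustration, not linkerd2-proxy code: all names and header values are assumptions.
#[derive(Debug, PartialEq)]
enum Decision {
    Local,           // name is not a gateway target: serve the local application
    Gateway(String), // forward through outbound with this Forwarded value
    Loop,            // this gateway already handled the request: fail it
}

/// `by=` values from every element of a Forwarded header (RFC 7239 syntax).
/// Simplification: quoted values containing ',' or ';' are not supported.
fn forwarded_by(header: &str) -> Vec<String> {
    header
        .split(|c| c == ',' || c == ';')
        .filter_map(|pair| pair.trim().split_once('='))
        .filter(|(k, _)| k.trim().eq_ignore_ascii_case("by"))
        .map(|(_, v)| v.trim().trim_matches('"').to_ascii_lowercase())
        .collect()
}

/// Suffix match on DNS label boundaries, so "evilcluster.local" != "cluster.local".
fn matches_suffix(name: &str, suffixes: &[&str]) -> bool {
    let name = name.trim_end_matches('.').to_ascii_lowercase();
    suffixes.iter().any(|s| {
        let s = s.trim_matches('.').to_ascii_lowercase();
        !s.is_empty() && (name == s || name.ends_with(&format!(".{}", s)))
    })
}

/// `resolved` is the name after DNS resolution; `client` and `local` are identities.
fn decide(resolved: &str, fwd: Option<&str>, client: &str, local: &str, suffixes: &[&str]) -> Decision {
    if !matches_suffix(resolved, suffixes) {
        return Decision::Local;
    }
    if fwd.map_or(false, |h| forwarded_by(h).contains(&local.to_ascii_lowercase())) {
        return Decision::Loop;
    }
    let elem = format!("by={};for={};host={}", local, client, resolved);
    Decision::Gateway(fwd.map_or(elem.clone(), |prev| format!("{}, {}", prev, elem)))
}

fn main() {
    let sfx = ["svc.cluster.local"]; // constructed sample values below
    let hop = decide("web.ns.svc.cluster.local", None, "client.east", "gw.west", &sfx);
    println!("{:?}", hop);
    if let Decision::Gateway(h) = hop {
        println!("{:?}", decide("web.ns.svc.cluster.local", Some(h.as_str()), "gw.west", "gw.west", &sfx));
    }
}
```

Matching on label boundaries keeps a look-alike name from being treated as a gateway target, and checking every `by=` entry catches a loop that passes through another gateway before returning.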

alpeb commented Jun 2, 2020

For some reason I can't get this to work with the l2-k3d-multi setup...

$ curl -v http://localhost:8080/api/list
*   Trying ::1:8080...
* TCP_NODELAY set
* Connected to localhost (::1) port 8080 (#0)
> GET /api/list HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/json; charset=UTF-8
< Date: Tue, 02 Jun 2020 20:29:45 GMT
< Content-Length: 109
< 
{"error":"rpc error: code = Unknown desc = OK: HTTP status code 200; transport: missing content-type field"}

This change modifies the inbound gateway caching so that requests may be
routed to multiple leaves of a traffic split.

---

* inbound: Do not cache gateway services (linkerd/linkerd2-proxy#549)
olix0r commented Jun 3, 2020

OK. I've tested this with https://github.com/olix0r/l2-k3d-multi and it works as I'd expect with regard to loop detection and traffic split updating.

@olix0r olix0r merged commit 7cc5e5c into master Jun 3, 2020
@olix0r olix0r deleted the ver/proxy-gateway branch June 3, 2020 02:37