populate policy cache with defaults configured by env vars #2076
Currently, the proxy-injector may set the following environment variables to configure the policies that the proxy should use for specific inbound ports:
- LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION
- LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY
- LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS

However, when the proxy is configured with a policy service address, these environment variables are never used, even when they are set. Instead, the proxy will always look up those ports with the policy controller, which will then tell it to do...what the environment variable would have already told it to do (because the env vars are generated based on the same annotations that would tell the policy controller what policy to send). This means we do unnecessary policy resolutions for those ports.
This branch updates the proxy so that these environment variables are always honored, even when a policy controller is configured. This way, the unnecessary lookups are avoided. Critically, we should note that we will never do a policy lookup for a port that is configured by one of these environment variables.
If a port is present in both LINKERD2_PROXY_INBOUND_PORTS (the list of ports for which we proactively start policy controller watches) and one of the policy env vars, we will still look that port up with the policy controller, rather than using the env var configuration. A warning is logged in this case.
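The precedence rules described in this PR, written out as an added, self-contained Rust example (not linkerd2-proxy's own code or types): the three policy env vars populate a cache of default policies, a port found in that cache is never looked up with the policy controller, and a port that is also listed in LINKERD2_PROXY_INBOUND_PORTS is still looked up, with a warning. The environment is passed in as a constructed map rather than read from the real process environment, and the tie-break when one port appears in several policy env vars (first match in the order DISABLE_PROTOCOL_DETECTION, REQUIRE_IDENTITY, REQUIRE_TLS) is an assumption the PR does not state.

```rust
use std::collections::{BTreeSet, HashMap};

/// Policies the proxy can apply from configuration alone.
/// Illustrative types only; not linkerd2-proxy's own.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DefaultPolicy {
    DisableProtocolDetection,
    RequireIdentity,
    RequireTls,
}

/// How the proxy decides to obtain an inbound port's policy.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Resolution {
    /// Served from the cache populated from the env vars; no controller lookup.
    Cached(DefaultPolicy),
    /// Resolved with the policy controller. `conflict` is true when the port
    /// was also configured by a policy env var (the lookup still wins).
    Lookup { conflict: bool },
}

/// Parse a comma-separated port list such as "8080,9090". An unset or empty
/// variable yields an empty set; entries that are not valid ports are skipped.
pub fn parse_ports(value: Option<&String>) -> BTreeSet<u16> {
    value
        .map(|v| {
            v.split(',')
                .filter_map(|p| p.trim().parse::<u16>().ok())
                .collect::<BTreeSet<u16>>()
        })
        .unwrap_or_default()
}

pub struct InboundPolicyConfig {
    /// LINKERD2_PROXY_INBOUND_PORTS: ports with proactive controller watches.
    watched: BTreeSet<u16>,
    /// Port -> default policy taken from the policy env vars (the cache).
    defaults: HashMap<u16, DefaultPolicy>,
}

impl InboundPolicyConfig {
    /// Build the config from an environment map.
    /// Assumption (not stated in the PR): if a port appears in more than one
    /// policy env var, the first variable in `sources` order wins.
    pub fn from_env(env: &HashMap<String, String>) -> Self {
        let watched = parse_ports(env.get("LINKERD2_PROXY_INBOUND_PORTS"));
        let sources = [
            ("LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION", DefaultPolicy::DisableProtocolDetection),
            ("LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY", DefaultPolicy::RequireIdentity),
            ("LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS", DefaultPolicy::RequireTls),
        ];
        let mut defaults = HashMap::new();
        for &(var, policy) in sources.iter() {
            for port in parse_ports(env.get(var)) {
                defaults.entry(port).or_insert(policy);
            }
        }
        Self { watched, defaults }
    }

    /// Ports present both in LINKERD2_PROXY_INBOUND_PORTS and in a policy env
    /// var. These are still looked up with the controller, and each is warned about.
    pub fn conflicts(&self) -> Vec<u16> {
        self.watched.iter().copied().filter(|p| self.defaults.contains_key(p)).collect()
    }

    /// Decide whether `port` is served from the cache or looked up.
    pub fn resolve(&self, port: u16) -> Resolution {
        if self.watched.contains(&port) {
            let conflict = self.defaults.contains_key(&port);
            if conflict {
                eprintln!(
                    "warn: port {} is configured by a policy env var but is also in \
                     LINKERD2_PROXY_INBOUND_PORTS; resolving it with the policy controller",
                    port
                );
            }
            return Resolution::Lookup { conflict };
        }
        match self.defaults.get(&port) {
            Some(&policy) => Resolution::Cached(policy), // no lookup for env-configured ports
            None => Resolution::Lookup { conflict: false },
        }
    }
}

fn main() {
    // Constructed sample environment (not read from the real process env).
    let mut env = HashMap::new();
    env.insert("LINKERD2_PROXY_INBOUND_PORTS".to_string(), "8080,4191".to_string());
    env.insert("LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION".to_string(), "4191,5000".to_string());
    env.insert("LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY".to_string(), "9090".to_string());
    let cfg = InboundPolicyConfig::from_env(&env);
    for port in [8080u16, 4191, 5000, 9090, 1234].iter() {
        println!("port {} -> {:?}", port, cfg.resolve(*port));
    }
    println!("conflicting ports: {:?}", cfg.conflicts());
}
```

In the sample environment, 5000 and 9090 are served from the cache without any controller round trip, 4191 triggers the warning and is still looked up because it is also a watched port, and 8080 and 1234 are ordinary lookups.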