outbound: initial tests for TCP mTLS (with fewer moving parts)#693
Merged
Signed-off-by: Eliza Weisman <[email protected]>
This reverts commit 787a117. Turns out we actually no longer need any of that!

Signed-off-by: Eliza Weisman <[email protected]>
olix0r added a commit to linkerd/linkerd2 that referenced this pull request on Oct 10, 2020:

This release overhauls the discovery and routing logic implemented by the proxy: instead of looking at HTTP request metadata for service discovery, the outbound proxy now exclusively uses each connection's target IP:PORT. This eager resolution eliminates per-request cache binding and supports using TrafficSplit with non-HTTP services. This has a few side effects:

- The `l5d-dst-override` header is no longer honored.
- When the application attempts to connect to a pod IP, the proxy no longer load balances these requests among all pods in the service. The proxy will now honor session-stickiness as selected by an application-level load balancer.
- `TrafficSplits` are only applied when a client targets a service's IP.
- The proxy no longer performs DNS "canonicalization" to translate relative host header names to a fully-qualified form.

---

* Unify RequestFilter and Admit middlewares (linkerd/linkerd2-proxy#692)
* Only allow name-based profile discovery for inbound requests (linkerd/linkerd2-proxy#695)
* outbound: initial tests for TCP mTLS (with fewer moving parts) (linkerd/linkerd2-proxy#693)
* Stop honoring DESTINATION_GET_* configuration (linkerd/linkerd2-proxy#696)
* stack: add SwitchReady service (linkerd/linkerd2-proxy#694)
* telemetry: Remove trailing comma in build_info labels (linkerd/linkerd2-proxy#699)
* Update Rust to 1.47.0 (linkerd/linkerd2-proxy#701)
olix0r added a commit to linkerd/linkerd2 that referenced this pull request on Oct 12, 2020:

This release overhauls the discovery and routing logic implemented by the proxy: instead of looking at HTTP request metadata for service discovery, the outbound proxy now exclusively uses each connection's target IP:PORT. This eager resolution eliminates per-request cache binding and supports using TrafficSplit with non-HTTP services. This has a few side effects:

- The `l5d-dst-override` header is no longer honored.
- When the application attempts to connect to a pod IP, the proxy no longer load balances these requests among all pods in the service. The proxy will now honor session-stickiness as selected by an application-level load balancer.
- `TrafficSplits` are only applied when a client targets a service's IP.
- The proxy no longer performs DNS "canonicalization" to translate relative host header names to a fully-qualified form.

---

* Unify RequestFilter and Admit middlewares (linkerd/linkerd2-proxy#692)
* Only allow name-based profile discovery for inbound requests (linkerd/linkerd2-proxy#695)
* outbound: initial tests for TCP mTLS (with fewer moving parts) (linkerd/linkerd2-proxy#693)
* Stop honoring DESTINATION_GET_* configuration (linkerd/linkerd2-proxy#696)
* stack: add SwitchReady service (linkerd/linkerd2-proxy#694)
* telemetry: Remove trailing comma in build_info labels (linkerd/linkerd2-proxy#699)
* Update Rust to 1.47.0 (linkerd/linkerd2-proxy#701)
* cache: Delete benchmarks (linkerd/linkerd2-proxy#705)
* outbound: Discover profiles for each unique TCP target (linkerd/linkerd2-proxy#704)
This branch introduces a second pass at unit tests for TCP mTLS in the
outbound proxy, without the complexity of actually performing handshakes
on mock IOs (as proposed in #658). The new tests just rely on assertions
that the connect stack receives the expected peer identity metadata. We
can test that the handshake is performed correctly in separate tests for
just the TLS client layer, while avoiding the complexity necessary to
use mock IOs in the existing connect stack. This also means we don't
have to actually load and parse all the test key material we use in the
integration tests.
If this approach seems better, I'll open further PRs to add more tests
in this style.
Closes #658
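The testing approach the PR describes, as an added illustration that is not linkerd2-proxy code: a recording test double stands in for the connect stack, so a test asserts on the peer identity metadata the stack is handed instead of running a TLS handshake over mock IO. The `Endpoint`, `PeerIdentity`, `NoIdentity` and `RecordingConnect` names, the selection rules and the sample identity string are all assumptions made for this example.

```rust
// Added example (not linkerd2-proxy code): assert on the identity metadata
// the connect layer receives, with no sockets and no TLS handshake.
use std::cell::RefCell;
use std::net::SocketAddr;

/// Reasons for not attaching a peer identity (hypothetical names).
#[derive(Debug, Clone, PartialEq)]
pub enum NoIdentity {
    NotProvidedByServiceDiscovery,
    LocalIdentityDisabled,
    Loopback,
}

/// What the connect stack is told about the expected server identity.
#[derive(Debug, Clone, PartialEq)]
pub enum PeerIdentity {
    Some(String),
    None(NoIdentity),
}

/// Simplified endpoint metadata as returned by service discovery (assumed shape).
pub struct Endpoint {
    pub addr: SocketAddr,
    pub identity: Option<String>,
}

/// Decide which identity the connect stack should require for an endpoint.
/// Loopback and a disabled local identity both mean "no mTLS expected".
pub fn select_peer_identity(ep: &Endpoint, local_identity_enabled: bool) -> PeerIdentity {
    if ep.addr.ip().is_loopback() {
        return PeerIdentity::None(NoIdentity::Loopback);
    }
    if !local_identity_enabled {
        return PeerIdentity::None(NoIdentity::LocalIdentityDisabled);
    }
    match &ep.identity {
        Some(id) => PeerIdentity::Some(id.clone()),
        None => PeerIdentity::None(NoIdentity::NotProvidedByServiceDiscovery),
    }
}

/// Test double for the connect stack: records each (addr, identity) it is
/// handed instead of connecting, so tests need no key material at all.
#[derive(Default)]
pub struct RecordingConnect {
    pub seen: RefCell<Vec<(SocketAddr, PeerIdentity)>>,
}

impl RecordingConnect {
    pub fn connect(&self, ep: &Endpoint, local_identity_enabled: bool) -> PeerIdentity {
        let id = select_peer_identity(ep, local_identity_enabled);
        self.seen.borrow_mut().push((ep.addr, id.clone()));
        id
    }
}
```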