Only allow name-based profile discovery for inbound requests#695
Merged
Only allow name-based profile discovery for inbound requests#695
Conversation
The proxy uses a single profile client for both inbound and outbound resolutions. We now want to perform profile discovery for all outbound traffic; but this is overkill for inbound traffic. We should only do profile lookup for traffic that includes a valid service name and not, for instance, healtchecks and prometheus scrapes. This changes inbound to only do resolution for valid names, skipping traffic that is not targetting a valid service name. In order to do this, the following has changed: - An `AddrMatch` utility is introduced to `core` so that this logic need not be propagated. - `app::dst` now simply builds a profile client without filtering or recovery. - The profile client is no longer responsible for synthesizing a default profile on timeout -- this will be extracted into the stack in a followup. - The `profiles::discovery::layer` utility now applies filtering and discovery, so that the inbound and outbound proxies may supply their own filters.
hawkw
approved these changes
Oct 6, 2020
Contributor
hawkw
left a comment
There was a problem hiding this comment.
this all looks good to me, i like how the filtering logic was factored out.
Comment on lines
+27
to
+28
| Addr::Name(ref name) => self.0.matches(name.name()), | ||
| Addr::Socket(sa) => self.1.matches(sa.ip()), |
Contributor
There was a problem hiding this comment.
nit/TIOLI: this might read nicer if we named the two fields of AddrMatch, but that's not a huge deal...
Comment on lines
+250
to
+251
| // TODO: Profile resolution should be time-bounded so that slowness | ||
| // cannot cause inbound requests to fail. |
Contributor
There was a problem hiding this comment.
shall we merge #694 first and use that here, or should we do that as a follow-up? probably fine either way?
Member
Author
There was a problem hiding this comment.
i think it's fine either way. we'll need both in before the next release, but ordering doesn't really matter.
| const DEFAULT_DESTINATION_GET_SUFFIXES: &str = "svc.cluster.local."; | ||
| const DEFAULT_DESTINATION_PROFILE_SUFFIXES: &str = "svc.cluster.local."; | ||
| const DEFAULT_DESTINATION_PROFILE_INITIAL_TIMEOUT: Duration = Duration::from_millis(500); | ||
| //const DEFAULT_DESTINATION_PROFILE_INITIAL_TIMEOUT: Duration = Duration::from_millis(500); |
Contributor
There was a problem hiding this comment.
i'm assuming that we want to add this back once we start bounding the time it takes to become ready?
typo Co-authored-by: Eliza Weisman <[email protected]>
olix0r
added a commit
to linkerd/linkerd2
that referenced
this pull request
Oct 10, 2020
This release overhauls the discovery and routing logic implemented by the proxy: instead of looking at HTTP request metadata for service discovery, the outbound proxy now exclusively use each connection's target IP:PORT. This eager resolution eliminates per-request cache binding; and supports using TrafficSplit with non-HTTP services. This has a few side effects: - The `l5d-dst-override` header is no longer honored. - When the application attempts to connect to a pod IP, the proxy no longer load balances these requests among all pods in the service. The proxy will now honor session-stickiness as selected by an application-level load balancer. - `TrafficSplits` are only applied when a client targets a service's IP. - The proxy no longer performs DNS "canonicalization" to translate relative host header names to a fully-qualified form. --- * Unify RequestFilter and Admit middlewares (linkerd/linkerd2-proxy#692) * Only allow name-based profile discovery for inbound requests (linkerd/linkerd2-proxy#695) * outbound: initial tests for TCP mTLS (with fewer moving parts) (linkerd/linkerd2-proxy#693) * Stop honoring DESTINATION_GET_* configuration (linkerd/linkerd2-proxy#696) * stack: add SwitchReady service (linkerd/linkerd2-proxy#694) * telemetry: Remove trailing comma in build_info labels (linkerd/linkerd2-proxy#699) * Update Rust to 1.47.0 (linkerd/linkerd2-proxy#701)
olix0r
added a commit
to linkerd/linkerd2
that referenced
this pull request
Oct 12, 2020
This release overhauls the discovery and routing logic implemented by the proxy: instead of looking at HTTP request metadata for service discovery, the outbound proxy now exclusively use each connection's target IP:PORT. This eager resolution eliminates per-request cache binding; and supports using TrafficSplit with non-HTTP services. This has a few side effects: - The `l5d-dst-override` header is no longer honored. - When the application attempts to connect to a pod IP, the proxy no longer load balances these requests among all pods in the service. The proxy will now honor session-stickiness as selected by an application-level load balancer. - `TrafficSplits` are only applied when a client targets a service's IP. - The proxy no longer performs DNS "canonicalization" to translate relative host header names to a fully-qualified form. --- * Unify RequestFilter and Admit middlewares (linkerd/linkerd2-proxy#692) * Only allow name-based profile discovery for inbound requests (linkerd/linkerd2-proxy#695) * outbound: initial tests for TCP mTLS (with fewer moving parts) (linkerd/linkerd2-proxy#693) * Stop honoring DESTINATION_GET_* configuration (linkerd/linkerd2-proxy#696) * stack: add SwitchReady service (linkerd/linkerd2-proxy#694) * telemetry: Remove trailing comma in build_info labels (linkerd/linkerd2-proxy#699) * Update Rust to 1.47.0 (linkerd/linkerd2-proxy#701) * cache: Delete benchmarks (linkerd/linkerd2-proxy#705) * outbound: Discover profiles for each unique TCP target (linkerd/linkerd2-proxy#704)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The proxy uses a single profile client for both inbound and outbound
resolutions. We now want to perform profile discovery for all outbound
traffic; but this is overkill for inbound traffic. We should only do
profile lookup for traffic that includes a valid service name and not,
for instance, healtchecks and prometheus scrapes.
This changes inbound to only do resolution for valid names, skipping
traffic that is not targetting a valid service name.
In order to do this, the following has changed:
AddrMatchutility is introduced tocoreso that this logic neednot be propagated.
app::dstnow simply builds a profile client without filtering orrecovery.
default profile on timeout -- this will be extracted into the stack in
a followup.
profiles::discovery::layerutility now applies filtering anddiscovery, so that the inbound and outbound proxies may supply their own
filters.
error codes now