profiles: perform profile resolution for IP addresses (#626)
linkerd/linkerd2#3916 added support for resolving service profiles for IP addresses to the Destination service. This branch updates the proxy's profiles client to look up profiles for IP addresses, rather than always rejecting addresses that are IPs rather than DNS names. Similarly to the Destination service-discovery client, a new `LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS` environment variable is used to configure a list of subnets to match which IPs the proxy will look up profiles for. By default, this is empty. Since the logic for filtering requests to a service based on IPs and DNS prefixes is now identical between the profile and destination clients, I factored it out into a new layer that's used for both. Fixes linkerd/linkerd2#4877 Signed-off-by: Eliza Weisman <eliza@buoyant.io>
Showing
12 changed files
with
228 additions
and
174 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
use ipnet::{Contains, IpNet}; | ||
use linkerd2_app_core::{dns::Suffix, request_filter, Addr, DiscoveryRejected, Error}; | ||
use std::marker::PhantomData; | ||
use std::net::IpAddr; | ||
use std::sync::Arc; | ||
|
||
pub struct PermitConfiguredDsts<E = DiscoveryRejected> { | ||
name_suffixes: Arc<Vec<Suffix>>, | ||
networks: Arc<Vec<IpNet>>, | ||
_error: PhantomData<fn(E)>, | ||
} | ||
|
||
// === impl PermitConfiguredDsts === | ||
|
||
impl PermitConfiguredDsts { | ||
pub fn new( | ||
name_suffixes: impl IntoIterator<Item = Suffix>, | ||
nets: impl IntoIterator<Item = IpNet>, | ||
) -> Self { | ||
Self { | ||
name_suffixes: Arc::new(name_suffixes.into_iter().collect()), | ||
networks: Arc::new(nets.into_iter().collect()), | ||
_error: PhantomData, | ||
} | ||
} | ||
|
||
/// Configures the returned error type when the target is outside of the | ||
/// configured set of destinations. | ||
pub fn with_error<E>(self) -> PermitConfiguredDsts<E> | ||
where | ||
E: Into<Error> + From<Addr>, | ||
{ | ||
PermitConfiguredDsts { | ||
name_suffixes: self.name_suffixes, | ||
networks: self.networks, | ||
_error: PhantomData, | ||
} | ||
} | ||
} | ||
|
||
impl<E> Clone for PermitConfiguredDsts<E> { | ||
fn clone(&self) -> Self { | ||
Self { | ||
name_suffixes: self.name_suffixes.clone(), | ||
networks: self.networks.clone(), | ||
_error: PhantomData, | ||
} | ||
} | ||
} | ||
|
||
impl<T, E> request_filter::RequestFilter<T> for PermitConfiguredDsts<E> | ||
where | ||
E: Into<Error> + From<Addr>, | ||
T: AsRef<Addr>, | ||
{ | ||
type Error = E; | ||
|
||
fn filter(&self, t: T) -> Result<T, Self::Error> { | ||
let addr = t.as_ref(); | ||
let permitted = match addr { | ||
Addr::Name(ref name) => self | ||
.name_suffixes | ||
.iter() | ||
.any(|suffix| suffix.contains(name.name())), | ||
Addr::Socket(sa) => self.networks.iter().any(|net| match (net, sa.ip()) { | ||
(IpNet::V4(net), IpAddr::V4(addr)) => net.contains(&addr), | ||
(IpNet::V6(net), IpAddr::V6(addr)) => net.contains(&addr), | ||
_ => false, | ||
}), | ||
}; | ||
|
||
if permitted { | ||
Ok(t) | ||
} else { | ||
Err(E::from(addr.clone())) | ||
} | ||
} | ||
} |
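Review bot: The `_ => false` arm in `filter` is the correct fail-closed choice for mismatched address families, but it also means an IPv4-mapped IPv6 socket address (`::ffff:a.b.c.d`) will never match an IPv4 entry in `LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS`, and nothing in the hunk records that this is intended; a comment such as `// Address families must match exactly: IPv4-mapped IPv6 addresses are not unwrapped, so they are rejected unless a v6 network covers them.` would stop a later reader from loosening it. Relatedly, `PermitConfiguredDsts` has no doc comment, and the security-relevant property that an empty `name_suffixes` or `networks` list denies every destination of that kind (which is what makes the empty default of the new env var safe) is only implied by `any`; I'd add a `///` on the struct stating that it is an allow-list filter and that an empty list rejects all names/IPs respectively. Name matching is delegated to `Suffix::contains`, which is not visible here — presumably it matches on label boundaries, so it is worth confirming that a configured `example.com` cannot be satisfied by `notexample.com`.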