Add support for profile lookups by IP address #4727
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
kleimkuhler
changed the title
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
zaharidichev
approved these changes
Jul 8, 2020
controller/api/destination/server.go
Outdated
| log.Warnf("Failed to subscribe to profile %s: %s", path, err) | ||
| return err | ||
| } | ||
| defer s.profiles.Unsubscribe(nil, primary) |
There was a problem hiding this comment.
I think the error that Unsubsribe can sometimes return will be muted when calling it via defer. Maybe better to leave the function without a return value and just log on error.
There was a problem hiding this comment.
Yes you are correct here that errors that occur in Unsubscribe will fail silently.
I tested this by inserting return fmt.Errorf("this is an error") in Unsubscribe, and then subscribed to and quit a profile stream.
I expected to see this error in the server, but nothing occurred.
This occurs in the other places that we unsubscribe in this file, so I lean towards making this change separately.
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
…le-ip Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
Remove additional changes from a previous simplification Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
olix0r
reviewed
Jul 9, 2020
| if err != nil { | ||
| log.Debugf("Invalid service %s", dest.GetPath()) | ||
| return status.Errorf(codes.InvalidArgument, "invalid service: %s", err) | ||
| return nil |
There was a problem hiding this comment.
So, Thinking a bit more. I do think we're going to have to watch for updates. Just because a service isn't in our index doesn't mean it's not about to show up there. That doesn't have to be a hard blocker -- we can merge this and be incremental. But I think we should support the service being known by the app before it is known by the controller...
This is also jogging some ideas for things we may want to do in a followup re: supporting returning all profiles for a pod:ip target.
Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>
adleong
approved these changes
Jul 9, 2020
#4743 is the follow-up issue for this |
han-so1omon
pushed a commit
to han-so1omon/linkerd2
that referenced
this pull request
Jul 15, 2020
## Motivation Closes linkerd#3916 This adds the ability to get profiles for services by IP address. ### Change in behavior When the destination server receives a `GetProfile` request with an IP address, it now tries to map that IP address to a service. If the IP address maps to an existing service, then the destination server returns the profile stream subscribes for updates to the _service_--this is the existing behavior. If the IP changes to a new service, the stream will still send updates for the first service the IP address corresponded to since that is what it is subscribed to. If the IP address does not map to an existing service, then the destination server returns the profile stream but does not subscribe for updates. The stream will receive one update, the default profile. ### Solution This change uses the `IPWatcher` within the destination server to check for what services an IP address correspond to. By adding a new method `GetSvc` to `IPWatcher`, the server now calls this method if `GetProfile` receives a request with an IP address. ## Testing Install linkerd on a cluster and get the cluster IP of any service: ```bash ❯ kubectl get -n linkerd svc/linkerd-tap -o wide NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR linkerd-tap ClusterIP 10.104.57.90 <none> 8088/TCP,443/TCP 16h linkerd.io/control-plane-component=tap ``` Run the destination server: ```bash ❯ go run controller/cmd/main.go destination -kubeconfig ~/.kube/config ``` Get the profile for the tap service by IP address: ```bash ❯ go run controller/script/destination-client/main.go -method getProfile -path 10.104.57.90:8088 INFO[0000] retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}} INFO[0000] ``` Get the profile for an IP address that does not correspond to a service: ```bash ❯ go run controller/script/destination-client/main.go -method getProfile -path 10.256.0.1:8088 INFO[0000] retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}} INFO[0000] ``` You can add and remove settings for the service profile for tap and get updates. Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com> Signed-off-by: Eric Solomon <errcsool@engineer.com>
olix0r
added a commit
that referenced
this pull request
Sep 10, 2020
The proxy performs endpoint discovery for unnamed services, but not service profiles. The destination controller and proxy have been updated to support lookups for unnamed services in #4727 and linkerd/linkerd2-proxy#626, respectively. This change modifies the injection template so that the `proxy.destinationGetNetworks` configuration enables profile discovery for all networks on which endpoint discovery is permitted.
olix0r
added a commit
that referenced
this pull request
Sep 10, 2020
…#4960) The proxy performs endpoint discovery for unnamed services, but not service profiles. The destination controller and proxy have been updated to support lookups for unnamed services in #4727 and linkerd/linkerd2-proxy#626, respectively. This change modifies the injection template so that the `proxy.destinationGetNetworks` configuration enables profile discovery for all networks on which endpoint discovery is permitted.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Closes #3916
This adds the ability to get profiles for services by IP address.
Change in behavior
When the destination server receives a
GetProfilerequest with an IP address,it now tries to map that IP address to a service.
If the IP address maps to an existing service, then the destination server
returns the profile stream subscribes for updates to the service--this is the
existing behavior. If the IP changes to a new service, the stream will still
send updates for the first service the IP address corresponded to since that is
what it is subscribed to.
If the IP address does not map to an existing service, then the destination
server returns the profile stream but does not subscribe for updates. The stream
will receive one update, the default profile.
Solution
This change uses the
IPWatcherwithin the destination server to check for whatservices an IP address correspond to. By adding a new method
GetSvctoIPWatcher, the server now calls this method ifGetProfilereceives a requestwith an IP address.
Testing
Install linkerd on a cluster and get the cluster IP of any service:
Run the destination server:
❯ go run controller/cmd/main.go destination -kubeconfig ~/.kube/configGet the profile for the tap service by IP address:
❯ go run controller/script/destination-client/main.go -method getProfile -path 10.104.57.90:8088 INFO[0000] retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}} INFO[0000]Get the profile for an IP address that does not correspond to a service:
❯ go run controller/script/destination-client/main.go -method getProfile -path 10.256.0.1:8088 INFO[0000] retry_budget:{retry_ratio:0.2 min_retries_per_second:10 ttl:{seconds:10}} INFO[0000]You can add and remove settings for the service profile for tap and get updates.
Signed-off-by: Kevin Leimkuhler kevin@kleimkuhler.com