Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gateway: Add a Forwarded header #544

Merged
merged 1 commit into from
Jun 1, 2020
Merged

gateway: Add a Forwarded header #544

merged 1 commit into from
Jun 1, 2020

Conversation

olix0r
Copy link
Member

@olix0r olix0r commented May 30, 2020

When the gateway forwards requests, it now adds a Forwarded header
including the source identity, the local identity, and the destination
authority.


I've tested this manually. I'll follow up with tests as we port this to tokio-0.2 (where the test infra is much friendlier).

Also, the gateway, in general, seems to incur a pretty heavy compile-time hit... we'll have to revisit that post-release as well.

Verified

This commit was signed with the committer’s verified signature.
olix0r Oliver Gould
When the gateway forwards requests, it now adds a `Forwarded` header
including the source identity, the local identity, and the destination
authority.
@olix0r olix0r requested a review from a team May 30, 2020 19:07
Copy link
Contributor

@kleimkuhler kleimkuhler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Contributor

@hawkw hawkw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm! it would be nice to figure out the compile time impact, but we can do that separately.

// canonical name as well as an IP that can be used as the outbound
// original dst.
resolve
.call(orig_dst.name().clone())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we stick a trace span on this for the original destinaton name, or is that added somewhere else in the stack?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, we get that on the stack ;)

.instrument(|name: &dns::Name| info_span!("refine", %name))

@olix0r olix0r merged commit 8c98760 into master Jun 1, 2020
@olix0r olix0r deleted the ver/gateway-forwarded branch June 1, 2020 16:48
olix0r added a commit to linkerd/linkerd2 that referenced this pull request Jun 1, 2020

Verified

This commit was signed with the committer’s verified signature.
olix0r Oliver Gould
The proxy can now operate as gateway, routing requests from its inbound
proxy to the outbound proxy, without passing the requests to a local
application. This supports Linkerd's multicluster feature by adding a
`Forwarded` header to propagate the original client identity and assist
in loop detection.

---

* Add loop detection to inbound & TCP forwarding (linkerd/linkerd2-proxy#527)
* Test loop detection (linkerd/linkerd2-proxy#532)
* fallback: Unwrap errors recursively (linkerd/linkerd2-proxy#534)
* app: Split inbound/outbound constructors into components (linkerd/linkerd2-proxy#533)
* Introduce a gateway between inbound and outbound (linkerd/linkerd2-proxy#540)
* gateway: Add a Forwarded header (linkerd/linkerd2-proxy#544)
* gateway: Return errors instead of responses (linkerd/linkerd2-proxy#547)
* Fail requests that loop through the gateway (linkerd/linkerd2-proxy#545)
olix0r added a commit to linkerd/linkerd2 that referenced this pull request Jun 3, 2020

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
This change modifies the linkerd-gateway component to use the inbound
proxy, rather than nginx, for gateway. This allows us to detect loops and
propagate identity through the gateway.

This change also cleans up port naming to `mc-gateway` and `mc-probe`
to resolve conflicts with Kubernetes validation.

---

* proxy: v2.99.0

The proxy can now operate as gateway, routing requests from its inbound
proxy to the outbound proxy, without passing the requests to a local
application. This supports Linkerd's multicluster feature by adding a
`Forwarded` header to propagate the original client identity and assist
in loop detection.

---

* Add loop detection to inbound & TCP forwarding (linkerd/linkerd2-proxy#527)
* Test loop detection (linkerd/linkerd2-proxy#532)
* fallback: Unwrap errors recursively (linkerd/linkerd2-proxy#534)
* app: Split inbound/outbound constructors into components (linkerd/linkerd2-proxy#533)
* Introduce a gateway between inbound and outbound (linkerd/linkerd2-proxy#540)
* gateway: Add a Forwarded header (linkerd/linkerd2-proxy#544)
* gateway: Return errors instead of responses (linkerd/linkerd2-proxy#547)
* Fail requests that loop through the gateway (linkerd/linkerd2-proxy#545)

* inject: Support config.linkerd.io/enable-gateway

This change introduces a new annotation,
config.linkerd.io/enable-gateway, that, when set, enables the proxy to
act as a gateway, routing all traffic targetting the inbound listener
through the outbound proxy.

This also removes the nginx default listener and gateway port of 4180,
instead using 4143 (the inbound port).

* proxy: v2.100.0

This change modifies the inbound gateway caching so that requests may be
routed to multiple leaves of a traffic split.

---

* inbound: Do not cache gateway services (linkerd/linkerd2-proxy#549)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants