outbound: Introduce 'ingress mode' #728
Conversation
| }, | ||
| } = config.clone(); | ||
|
|
||
| let http = svc::stack(http) |
There was a problem hiding this comment.
I haven't looked closely yet but it feels like there's probably some common code between the ingress-mode and normal mode http stacks that we might want to share. nbd if not, but adding more places that future changes will have to update always worries me a little bit...
There was a problem hiding this comment.
I agree, but deduping things is easier said than done. If you can get it working, I'll merge it ;)
There was a problem hiding this comment.
i'm not sure if it makes sense here or not, but i can take a look.
When the LINKERD2_PROXY_INGRESS_MODE environment variable is set to `true`, the outbound proxy alters its discovery behavior as follows: * All outbound traffic is assumed to be HTTP traffic or unmeshed opaque TCP traffic. Discovery, routing, balancing, and mTLS is only applied for outbound THTTP traffic. * The `l5d-dst-override` request header is used to specify the target authority. * If the header is not present, the original dst address is used. * Service profiles, traffic split, and balancing are only applied when the header is present or when the original dst addr refers to a service address (and not a pod address).
There was a problem hiding this comment.
this seems good to me!
i'd like to figure out if we could factor out some of the repeated code between the ingress and non-ingress stacks but it's definitely not a blocker, and we can come back and clean it up later. other than that, just some minor style nits you can feel free to ignore.
it would also be good to have some tests for the ingress mode behavior, as well, but that can also land in a follow-up.
| pub fn from_logical(reason: tls::ReasonForNoPeerName) -> impl (Fn(Logical<P>) -> Self) + Clone { | ||
| move |logical| Self { |
| // In "ingress mode", we assume we are always routing HTTP requests and do | ||
| // not perform per-target-address discovery. Non-HTTP connections are | ||
| // forwarded without discovery/routing/mTLS. | ||
| pub ingress_mode: bool, |
There was a problem hiding this comment.
very nitpicky: shouldn't this go on the outbound config, or do we intend to change inbound behavior based on ingress mode as well? what would we do differently on inbound? my guess is most/all inbound traffic to an ingress is just gonna be metrics scrapes, readiness probes, and similar...
There was a problem hiding this comment.
Yeah, this was put here intentionally because we may opt to change inbound behavior in the future; and, more importantly, nothing in the outbound crate needs to be aware of this flag currently.
| fn recognize(&self, req: &http::Request<B>) -> Self::Key { | ||
| Target { | ||
| accept: self.0, | ||
| dst: http_request_l5d_override_dst_addr(req).unwrap_or_else(|_| self.0.orig_dst.into()), |
There was a problem hiding this comment.
nit/TIOLI: it might be worth having a debug event indicating whether or not we saw the override header, or something, since this is kinda load-bearing?
There was a problem hiding this comment.
It should be pretty obvious based on the resulting target, which is ends up in span metadata
This release adds an 'ingress mode' to support per-request routing for HTTP ingresses. Additionally, the performance impact of logging should be reduced when the proxy log level is not set to `debug` or `trace`. --- * router: Use NewService instead of MakeService (linkerd/linkerd2-proxy#724) * outbound: Split TCP stack into dedicated modules (linkerd/linkerd2-proxy#725) * trace: update `tracing-subscriber` to 0.2.14 (linkerd/linkerd2-proxy#726) * outbound: Extract HTTP and server modules (linkerd/linkerd2-proxy#727) * outbound: Introduce 'ingress mode' (linkerd/linkerd2-proxy#728) * Reduce tracing spans to the debug level (linkerd/linkerd2-proxy#730)
This release adds an 'ingress mode' to support per-request routing for HTTP ingresses. Additionally, the performance impact of logging should be reduced, especially when the proxy log level is not set to `debug` or `trace`. --- * router: Use NewService instead of MakeService (linkerd/linkerd2-proxy#724) * outbound: Split TCP stack into dedicated modules (linkerd/linkerd2-proxy#725) * trace: update `tracing-subscriber` to 0.2.14 (linkerd/linkerd2-proxy#726) * outbound: Extract HTTP and server modules (linkerd/linkerd2-proxy#727) * outbound: Introduce 'ingress mode' (linkerd/linkerd2-proxy#728) * Reduce tracing spans to the debug level (linkerd/linkerd2-proxy#730)
When the
LINKERD2_PROXY_INGRESS_MODEenvironment variable is set totrue, the outbound proxy alters its discovery behavior as follows:TCP traffic. Discovery, routing, balancing, and mTLS is only applied
for outbound THTTP traffic.
l5d-dst-overriderequest header is used to specify the targetauthority.
the header is present or when the original dst addr refers to a service
address (and not a pod address).