Merge branch 'main' into alpeb/helm-versioning

linkerd · Dec 10, 2021 · dc6d78b · dc6d78b
2 parents 0f2db9f + e54061b
commit dc6d78b
Show file tree

Hide file tree

Showing 28 changed files with 824 additions and 513 deletions.
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
@@ -51,7 +51,7 @@ jobs:
     # absolute path is used here.
     # https://github.com/actions/upload-artifact/issues/8
     - name: Upload artifact
-      uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
+      uses: actions/upload-artifact@da838ae9595ac94171fa2d4de5a2f117b3e7ac32
       with:
         name: image-archives
         path: /home/runner/archives
@@ -88,7 +88,7 @@ jobs:
       run: |
         echo "TAG=$(CI_FORCE_CLEAN=1 bin/root-tag)" >> $GITHUB_ENV
     - name: Download image archives
-      uses: actions/download-artifact@3be87be14a055c47b01d3bd88f8fe02320a9bb60
+      uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869
       with:
         name: image-archives
         path: image-archives

diff --git a/.github/workflows/policy_controller.yml b/.github/workflows/policy_controller.yml
@@ -42,7 +42,7 @@ jobs:
     continue-on-error: ${{ matrix.checks == 'advisories' }}
     steps:
     - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
-    - uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d
+    - uses: EmbarkStudios/cargo-deny-action@f2d2f98857d524436b31aa639bac5edc10863b08
       with:
         command: check bans licenses sources
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -59,7 +59,7 @@ jobs:
     # https://github.com/actions/upload-artifact/issues/8
     - name: Upload artifact
       if: matrix.component == 'cli-bin'
-      uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
+      uses: actions/upload-artifact@da838ae9595ac94171fa2d4de5a2f117b3e7ac32
       with:
         name: image-archives
         path: /home/runner/archives
@@ -145,7 +145,7 @@ jobs:
       with:
         go-version: '1.17'
     - name: Download image archives
-      uses: actions/download-artifact@3be87be14a055c47b01d3bd88f8fe02320a9bb60
+      uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869
       with:
         name: image-archives
         path: image-archives
@@ -258,7 +258,7 @@ jobs:
         args: pack bin/win/linkerd.nuspec
     - name: Chocolatey - upload package
       if: startsWith(github.ref, 'refs/tags/stable')
-      uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
+      uses: actions/upload-artifact@da838ae9595ac94171fa2d4de5a2f117b3e7ac32
       with:
         name: choco
         path: ./linkerd.*.nupkg
@@ -282,7 +282,7 @@ jobs:
         extract_release_notes NOTES.md
     - name: Download choco package
       if: startsWith(github.ref, 'refs/tags/stable')
-      uses: actions/download-artifact@3be87be14a055c47b01d3bd88f8fe02320a9bb60
+      uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869
       with:
         name: choco
         path: choco

diff --git a/ADOPTERS.md b/ADOPTERS.md
@@ -60,6 +60,7 @@
 - [Purdue University Global](https://www.purdueglobal.edu/)
 - [reDock](https://www.redock.com/)
 - [ReliMail](https://relimail.com/)
+- [S&P Global Platts](https://www.spglobal.com/platts/en)
 - [Salt Security](https://salt.security/)
 - [SCA](https://sca.com.au)
 - [Search365](https://search365.ai/)
@@ -70,6 +71,7 @@
 - [Tradeshift](https://tradeshift.com/)
 - [Transit](https://transit.app)
 - [Vernacular.ai](https://vernacular.ai/)
+- [Web Summit](https://websummit.com)
 - [xCloud](https://www.xbox.com/en-US/xbox-game-streaming/project-xcloud)
 - [YouMail](https://www.youmail.com)
 - [Zimpler](https://www.zimpler.com/)

diff --git a/bin/image-load b/bin/image-load
@@ -149,5 +149,5 @@ fi
 
 if [ -n "$k3d" ]; then
   printf 'Importing %s...\n' "${images[@]}"
-  "$bin" "${image_sub_cmd[@]}" "${images[@]}"
+  "$bin" "${image_sub_cmd[@]}" "${images[@]}" -m tools-node
 fi
diff --git a/charts/partials/templates/_proxy-init.tpl b/charts/partials/templates/_proxy-init.tpl
@@ -47,7 +47,11 @@ securityContext:
     {{- end }}
     {{- end }}
   {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.runAsRoot }}
+  {{- if .Values.proxyInit.closeWaitTimeoutSecs }}
   privileged: true
+  {{- else }}
+  privileged: false
+  {{- end }}
   runAsNonRoot: false
   runAsUser: 0
   {{- else }}

diff --git a/controller/api/destination/endpoint_profile_translator.go b/controller/api/destination/endpoint_profile_translator.go
@@ -0,0 +1,63 @@
+package destination
+
+import (
+	pb "github.com/linkerd/linkerd2-proxy-api/go/destination"
+	"github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+)
+
+type endpointProfileTranslator struct {
+	pod      *v1.Pod
+	port     uint32
+	endpoint *pb.WeightedAddr
+	stream   pb.Destination_GetProfileServer
+	log      *logrus.Entry
+}
+
+// newEndpointProfileTranslator translates protocol updates to
+// DestinationProfiles for endpoints. When a Server on the cluster is updated
+// it is possible that it selects an endpoint that is being watched, if that
+// is the case then an update will be sent to the client if the Server has
+// changed the endpoint's supported protocol—mainly being opaque or not.
+func newEndpointProfileTranslator(pod *v1.Pod, port uint32, endpoint *pb.WeightedAddr, stream pb.Destination_GetProfileServer, log *logrus.Entry) *endpointProfileTranslator {
+	return &endpointProfileTranslator{
+		pod:      pod,
+		port:     port,
+		endpoint: endpoint,
+		stream:   stream,
+		log:      log,
+	}
+}
+
+func (ept *endpointProfileTranslator) UpdateProtocol(opaqueProtocol bool) {
+	// The protocol for an endpoint should only be updated if there is a pod,
+	// endpoint, and the endpoint has a protocol hint. If there is an endpoint
+	// but it does not have a protocol hint, that means we could not determine
+	// if it has a peer proxy so a opaque traffic would not be supported.
+	if ept.pod != nil && ept.endpoint != nil && ept.endpoint.ProtocolHint != nil {
+		if !opaqueProtocol {
+			ept.endpoint.ProtocolHint.OpaqueTransport = nil
+		} else if ept.endpoint.ProtocolHint.OpaqueTransport == nil {
+			port, err := getInboundPort(&ept.pod.Spec)
+			if err != nil {
+				ept.log.Error(err)
+			} else {
+				ept.endpoint.ProtocolHint.OpaqueTransport = &pb.ProtocolHint_OpaqueTransport{
+					InboundPort: port,
+				}
+			}
+		}
+
+	}
+	profile := ept.createDefaultProfile(opaqueProtocol)
+	ept.log.Debugf("sending protocol update: %+v", profile)
+	ept.stream.Send(profile)
+}
+
+func (ept *endpointProfileTranslator) createDefaultProfile(opaqueProtocol bool) *pb.DestinationProfile {
+	return &pb.DestinationProfile{
+		RetryBudget:    defaultRetryBudget(),
+		Endpoint:       ept.endpoint,
+		OpaqueProtocol: opaqueProtocol,
+	}
+}
diff --git a/controller/api/destination/endpoint_translator.go b/controller/api/destination/endpoint_translator.go
@@ -220,11 +220,11 @@ func (et *endpointTranslator) sendClientAdd(set watcher.AddressSet) {
 			err         error
 		)
 		if address.Pod != nil {
-			opaquePorts, err = getPodOpaquePorts(address.Pod, et.defaultOpaquePorts)
+			opaquePorts, err = getAnnotatedOpaquePorts(address.Pod, et.defaultOpaquePorts)
 			if err != nil {
 				et.log.Errorf("failed to get opaque ports for pod %s/%s: %s", address.Pod.Namespace, address.Pod.Name, err)
 			}
-			wa, err = toWeightedAddr(address, opaquePorts, et.enableH2Upgrade, et.identityTrustDomain, et.controllerNS, et.log)
+			wa, err = createWeightedAddr(address, opaquePorts, et.enableH2Upgrade, et.identityTrustDomain, et.controllerNS, et.log)
 		} else {
 			var authOverride *pb.AuthorityOverride
 			if address.AuthorityOverride != "" {
@@ -314,7 +314,7 @@ func toAddr(address watcher.Address) (*net.TcpAddress, error) {
 	}, nil
 }
 
-func toWeightedAddr(address watcher.Address, opaquePorts map[uint32]struct{}, enableH2Upgrade bool, identityTrustDomain string, controllerNS string, log *logging.Entry) (*pb.WeightedAddr, error) {
+func createWeightedAddr(address watcher.Address, opaquePorts map[uint32]struct{}, enableH2Upgrade bool, identityTrustDomain string, controllerNS string, log *logging.Entry) (*pb.WeightedAddr, error) {
 	// When converting an address to a weighted addr, it should be backed by a Pod.
 	if address.Pod == nil {
 		return nil, fmt.Errorf("endpoint not backed by Pod: %s:%d", address.IP, address.Port)

diff --git a/controller/api/destination/profile_translator.go b/controller/api/destination/profile_translator.go
@@ -22,16 +22,14 @@ type profileTranslator struct {
 	log                *logging.Entry
 	fullyQualifiedName string
 	port               uint32
-	endpoint           *pb.WeightedAddr
 }
 
-func newProfileTranslator(stream pb.Destination_GetProfileServer, log *logging.Entry, fqn string, port uint32, endpoint *pb.WeightedAddr) *profileTranslator {
+func newProfileTranslator(stream pb.Destination_GetProfileServer, log *logging.Entry, fqn string, port uint32) *profileTranslator {
 	return &profileTranslator{
 		stream:             stream,
 		log:                log.WithField("component", "profile-translator"),
 		fullyQualifiedName: fqn,
 		port:               port,
-		endpoint:           endpoint,
 	}
 }
 
@@ -40,7 +38,7 @@ func (pt *profileTranslator) Update(profile *sp.ServiceProfile) {
 		pt.stream.Send(pt.defaultServiceProfile())
 		return
 	}
-	destinationProfile, err := pt.toServiceProfile(profile)
+	destinationProfile, err := pt.createDestinationProfile(profile)
 	if err != nil {
 		pt.log.Error(err)
 		return
@@ -54,7 +52,6 @@ func (pt *profileTranslator) defaultServiceProfile() *pb.DestinationProfile {
 		Routes:             []*pb.Route{},
 		RetryBudget:        defaultRetryBudget(),
 		FullyQualifiedName: pt.fullyQualifiedName,
-		Endpoint:           pt.endpoint,
 	}
 }
 
@@ -78,9 +75,9 @@ func toDuration(d time.Duration) *duration.Duration {
 	}
 }
 
-// toServiceProfile returns a Proxy API DestinationProfile, given a
+// createDestinationProfile returns a Proxy API DestinationProfile, given a
 // ServiceProfile.
-func (pt *profileTranslator) toServiceProfile(profile *sp.ServiceProfile) (*pb.DestinationProfile, error) {
+func (pt *profileTranslator) createDestinationProfile(profile *sp.ServiceProfile) (*pb.DestinationProfile, error) {
 	routes := make([]*pb.Route, 0)
 	for _, route := range profile.Spec.Routes {
 		pbRoute, err := toRoute(profile, route)
@@ -108,7 +105,6 @@ func (pt *profileTranslator) toServiceProfile(profile *sp.ServiceProfile) (*pb.D
 		RetryBudget:        budget,
 		DstOverrides:       toDstOverrides(profile.Spec.DstOverrides, pt.port),
 		FullyQualifiedName: pt.fullyQualifiedName,
-		Endpoint:           pt.endpoint,
 		OpaqueProtocol:     opaqueProtocol,
 	}, nil
 }
@@ -256,7 +252,7 @@ func toResponseMatch(rspMatch *sp.ResponseMatch) (*pb.ResponseMatch, error) {
 	}
 
 	if len(matches) == 0 {
-		return nil, errors.New("A response match must have a field set")
+		return nil, errors.New("a response match must have a field set")
 	}
 	if len(matches) == 1 {
 		return matches[0], nil
@@ -350,7 +346,7 @@ func toRequestMatch(reqMatch *sp.RequestMatch) (*pb.RequestMatch, error) {
 	}
 
 	if len(matches) == 0 {
-		return nil, errors.New("A request match must have a field set")
+		return nil, errors.New("a request match must have a field set")
 	}
 	if len(matches) == 1 {
 		return matches[0], nil