Add destination-get-networks option #4608
Conversation
zaharidichev
force-pushed
the
zd/make-dst-get-nets-configurable
branch
from
bda5f0d to
703f293
Compare
| @@ -226,6 +227,7 @@ type proxyConfigOptions struct { | |||
| debugImageVersion string | |||
| dockerRegistry string | |||
| imagePullPolicy string | |||
| destinationGetNetworks []string | |||
There was a problem hiding this comment.
I think for now we should omit this from the CLI flags, leaving it only as an annotation or helm setting.
There was a problem hiding this comment.
Okey, we can do that. Would that mean that we do not want it in the config map or this is not related. @alpeb WDYT ?
There was a problem hiding this comment.
I think it would be preferable to omit it, but I think it's ultimately an implementation detail.
|
Ok @olix0r I have removed that flag from the CLI but by the looks of it it makes sense to leave that setting in the config map. This allows us to leave the Helm flag as well as override what the default is via an annotation. Moreover if we leave it out of the cli for now, this allows us to easily expose it whenever we want. Let me know if all that works. |
There was a problem hiding this comment.
Injection works as expected, and modifications are reflected in the env based on annotation.
But when I mark this annotation of the deployment as empty string, I don't see the env variable being removed/empty for the newly created pod. Is that the expected outcome? In that case, How should I specify that I don't want any destination lookups for ips, as no annotation fallback to the default value. 🤔
|
@Pothulapati Yes I guess this is the byproduct of trating empty strings the same way we treat the NON presence of a value. Go's type system is all sorts of great..... |
|
@zaharidichev The empty string case works well for me now. But when I do - env:
- name: LINKERD2_PROXY_LOG
value: warn,linkerd=info
- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR
value: linkerd-dst.linkerd.svc.cluster.local:8086
- name: LINKERD2_PROXY_DESTINATION_GET_NETWORKS
- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
value: 0.0.0.0:4190How about having a if condition to only set if not empty in the helm yaml templating to make it more cleaner? 🤔 like we do for other env's |
|
@Pothulapati I think that makes sense yes |
There was a problem hiding this comment.
Looks and works fine for me, barring @Pothulapati's empty string case 👍
|
@Pothulapati I addressed your feedback :) |
There was a problem hiding this comment.
I think this PR is missing a change in _config.tpl which actually sets the value of the get networks into the configmap.
It would also be helpful to have a more detailed PR description which describes the mechanics of how this works. Especially the fact that there is no install or inject flag for this and the value in the configmap can only be set via a helm install. It would also be helpful to describe the ways ways in which a user can interact with this. As far as I can tell there are two:
- setting the
destinationGetNetworksfields in values.yaml during a Helm install allows users to change the default destinationGetNetworks on all injected pods - setting the annotation on an injected workload will also allow you to change the destinationGetNetworks and overrides the value configured by values.yaml
If I understand correctly there is no change in behavior for the linkerd install or linkerd inject commands (except in the case of --manual injection).
cli/cmd/inject.go
Outdated
| @@ -437,6 +437,12 @@ func (options *proxyConfigOptions) overrideConfigs(configs *cfg.All, overrideAnn | |||
| overrideAnnotations[k8s.ProxyRequireIdentityOnInboundPortsAnnotation] = strings.Join(options.requireIdentityOnInboundPorts, ",") | |||
| } | |||
|
|
|||
| if len(options.destinationGetNetworks) > 0 { | |||
There was a problem hiding this comment.
since there is no inject flag for this, this code is unreachable, right?
| @@ -778,6 +779,7 @@ func (options *installOptions) buildValuesWithoutIdentity(configs *pb.All) (*l5d | |||
| installValues.SMIMetrics.Enabled = options.smiMetricsEnabled | |||
|
|
|||
| installValues.Global.Proxy = &l5dcharts.Proxy{ | |||
| DestinationGetNetworks: strings.Join(options.destinationGetNetworks, ","), | |||
There was a problem hiding this comment.
this is basically just here for consistency, right? In practice this will always be the default value.
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
zaharidichev
force-pushed
the
zd/make-dst-get-nets-configurable
branch
from
20194aa to
f93299a
Compare
|
@adleong I tweaked the PR description |
Signed-off-by: Zahari Dichev <zaharidichev@gmail.com>
There was a problem hiding this comment.
Looks good, thanks for updating, @zaharidichev.
Something that I discussed with @olix0r yesterday that I just want to write down here is that I think we want to potentially decouple this change from the problem of preventing loops. In other words, I think this change is good on its own: it's nice to have a mechanism to configure the destination get networks. But I'm not sure it's the right solution to the looping ingress problem.
The problem with removing the node network from the destination get network list is that we'll lose identity and http metrics for calls from the ingress to the default backend. We'll also lose identity and http metrics for all calls to any nodeport services. We'll need to do some followup work to investigate what our options are for preventing loops.
|
@adleong Yes that makes absolute sense. |
In #4585 we are observing an issue where a loop is encountered when using nginx ingress. The problem is that the outbound proxy does a dst lookup on the IP address which happens to be the very same address the ingress is listening on.
In order to avoid situations like that this PR introduces a way to modify the set of networks for which the proxy shall do IP based discovery. The change introduces a helm flag
.Values.global.proxy.destinationGetNetworksthat can be used to modify this value. There are two ways a user can affect the this setting:destinationGetNetworksfield in values during a Helm install, which changes the default on all injected podsconfig.linkerd.io/proxy-destination-get-networksfor injected workloads to override this valueNote that this setting cannot be tweaked through the
installorinjectcommandFix: #4585