Split linkerd-tls from linkerd-proxy-transport (#837)

The `linkerd-proxy-transport` crate has too many concerns. This change
splits out the tls module into a dedicated crate, decoupled from the
transport types.

Additionally, the transport crate no longer re-exports the `linkerd-io`
crate.

The linkerd-proxy-transport crate has a lingering dependency on
linkerd-tls for metric labels. This will be addressed in a followup
change.

This change sets up additional simplification of the TLS infrastructure
to support ALPN.

Author: olix0r

Cargo.lock

@@ -683,6 +683,7 @@ dependencies = [
  "linkerd-http-classify",
  "linkerd-http-metrics",
  "linkerd-identity",
+ "linkerd-io",
  "linkerd-metrics",
  "linkerd-opencensus",
  "linkerd-proxy-api-resolve",
@@ -702,6 +703,7 @@ dependencies = [
  "linkerd-stack-metrics",
  "linkerd-stack-tracing",
  "linkerd-timeout",
+ "linkerd-tls",
  "linkerd-trace-context",
  "linkerd-tracing",
  "linkerd-transport-header",
@@ -1175,7 +1177,7 @@ dependencies = [
  "linkerd-error",
  "linkerd-identity",
  "linkerd-metrics",
- "linkerd-proxy-transport",
+ "linkerd-tls",
  "linkerd2-proxy-api",
  "pin-project 1.0.2",
  "tokio",
@@ -1207,9 +1209,11 @@ dependencies = [
  "linkerd-conditional",
  "linkerd-error",
  "linkerd-identity",
+ "linkerd-io",
  "linkerd-proxy-http",
  "linkerd-proxy-transport",
  "linkerd-stack",
+ "linkerd-tls",
  "linkerd2-proxy-api",
  "pin-project 1.0.2",
  "prost-types",
@@ -1243,28 +1247,18 @@ dependencies = [
  "async-trait",
  "bytes",
  "futures",
- "indexmap",
  "libc",
- "linkerd-conditional",
- "linkerd-dns-name",
  "linkerd-errno",
  "linkerd-error",
- "linkerd-identity",
  "linkerd-io",
  "linkerd-metrics",
  "linkerd-stack",
+ "linkerd-tls",
  "pin-project 1.0.2",
- "rustls",
  "socket2",
  "tokio",
- "tokio-rustls",
- "tokio-util",
  "tower",
  "tracing",
- "tracing-futures",
- "tracing-subscriber",
- "untrusted",
- "webpki",
 ]
 
 [[package]]
@@ -1379,6 +1373,31 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "linkerd-tls"
+version = "0.1.0"
+dependencies = [
+ "async-trait",
+ "bytes",
+ "futures",
+ "linkerd-conditional",
+ "linkerd-dns-name",
+ "linkerd-error",
+ "linkerd-identity",
+ "linkerd-io",
+ "linkerd-proxy-transport",
+ "linkerd-stack",
+ "rustls",
+ "tokio",
+ "tokio-rustls",
+ "tower",
+ "tracing",
+ "tracing-futures",
+ "tracing-subscriber",
+ "untrusted",
+ "webpki",
+]
+
 [[package]]
 name = "linkerd-trace-context"
 version = "0.1.0"

Cargo.toml

@@ -49,6 +49,7 @@ members = [
     "linkerd/stack/metrics",
     "linkerd/stack/tracing",
     "linkerd/timeout",
+    "linkerd/tls",
     "linkerd/tracing",
     "linkerd2-proxy",
     "opencensus-proto",

linkerd/app/core/Cargo.toml

@@ -39,6 +39,7 @@ linkerd-exp-backoff = { path = "../../exp-backoff" }
 linkerd-http-classify = { path = "../../http-classify" }
 linkerd-http-metrics = { path = "../../http-metrics" }
 linkerd-identity = { path = "../../identity" }
+linkerd-io = { path = "../../io" }
 linkerd-metrics = { path = "../../metrics" }
 linkerd-transport-header = { path = "../../transport-header" }
 linkerd-opencensus = { path = "../../opencensus" }
@@ -61,6 +62,7 @@ linkerd-service-profiles = { path = "../../service-profiles" }
 linkerd-stack = { path = "../../stack" }
 linkerd-stack-metrics = { path = "../../stack/metrics" }
 linkerd-stack-tracing = { path = "../../stack/tracing" }
+linkerd-tls = { path = "../../tls" }
 linkerd-trace-context = { path = "../../trace-context" }
 regex = "1.0.0"
 tokio = { version = "1", features = ["macros", "sync", "parking_lot"]}

linkerd/app/core/src/admin/mod.rs

@@ -4,9 +4,10 @@
 //! * `/ready` -- returns 200 when the proxy is ready to participate in meshed traffic.
 
 use crate::{
+    io,
     proxy::http::{ClientHandle, SetClientHandle},
-    svc, trace,
-    transport::{io, tls},
+    svc, tls, trace,
+    transport::listen::Addrs,
 };
 use futures::future;
 use http::StatusCode;
@@ -15,6 +16,7 @@ use linkerd_error::{Error, Never};
 use linkerd_metrics::{self as metrics, FmtMetrics};
 use std::{
     future::Future,
+    net::SocketAddr,
     pin::Pin,
     task::{Context, Poll},
 };
@@ -33,10 +35,16 @@ pub struct Admin<M> {
 }
 
 #[derive(Clone)]
-pub struct Accept<M>(Admin<M>, hyper::server::conn::Http);
+pub struct Accept<M> {
+    service: Admin<M>,
+    server: hyper::server::conn::Http,
+}
 
 #[derive(Clone)]
-pub struct Serve<M>(tls::accept::Meta, Accept<M>);
+pub struct Serve<M> {
+    client_addr: SocketAddr,
+    inner: Accept<M>,
+}
 
 pub type ResponseFuture =
     Pin<Box<dyn Future<Output = Result<Response<Body>, Never>> + Send + 'static>>;
@@ -57,7 +65,10 @@ impl<M> Admin<M> {
     }
 
     pub fn into_accept(self) -> Accept<M> {
-        Accept(self, hyper::server::conn::Http::new())
+        Accept {
+            service: self,
+            server: hyper::server::conn::Http::new(),
+        }
     }
 
     fn ready_rsp(&self) -> Response<Body> {
@@ -199,11 +210,14 @@ impl<M: FmtMetrics> tower::Service<http::Request<Body>> for Admin<M> {
     }
 }
 
-impl<M: Clone> svc::NewService<tls::accept::Meta> for Accept<M> {
+impl<M: Clone> svc::NewService<tls::accept::Meta<Addrs>> for Accept<M> {
     type Service = Serve<M>;
 
-    fn new_service(&mut self, meta: tls::accept::Meta) -> Self::Service {
-        Serve(meta, self.clone())
+    fn new_service(&mut self, (_, addrs): tls::accept::Meta<Addrs>) -> Self::Service {
+        Serve {
+            client_addr: addrs.peer(),
+            inner: self.clone(),
+        }
     }
 }
 
@@ -221,13 +235,11 @@ where
     }
 
     fn call(&mut self, io: I) -> Self::Future {
-        let Self(ref meta, Accept(ref svc, ref server)) = self;
-
         // Since the `/proxy-log-level` controls access based on the
         // client's IP address, we wrap the service with a new service
         // that adds the remote IP as a request extension.
-        let (svc, closed) = SetClientHandle::new(meta.addrs.peer(), svc.clone());
-        let mut conn = server.serve_connection(io, svc);
+        let (svc, closed) = SetClientHandle::new(self.client_addr, self.inner.service.clone());
+        let mut conn = self.inner.server.serve_connection(io, svc);
 
         Box::pin(async move {
             tokio::select! {

linkerd/app/core/src/control.rs

@@ -3,7 +3,8 @@ use crate::{
     proxy::http,
     reconnect,
     svc::{self, NewService},
-    transport::{tls, ConnectTcp},
+    tls,
+    transport::ConnectTcp,
     Addr, Error,
 };
 use std::fmt;
@@ -197,8 +198,7 @@ mod balance {
 
 /// Creates a client suitable for gRPC.
 mod client {
-    use crate::transport::tls;
-    use crate::{proxy::http, svc};
+    use crate::{proxy::http, svc, tls};
     use linkerd_proxy_http::h2::Settings as H2Settings;
     use std::{
         net::SocketAddr,

linkerd/app/core/src/lib.rs

@@ -18,11 +18,13 @@ pub use linkerd_error::{Error, Never, Recover};
 pub use linkerd_exp_backoff as exp_backoff;
 pub use linkerd_http_metrics as http_metrics;
 pub use linkerd_identity as identity;
+pub use linkerd_io as io;
 pub use linkerd_opencensus as opencensus;
 pub use linkerd_reconnect as reconnect;
 pub use linkerd_service_profiles as profiles;
 pub use linkerd_stack_metrics as stack_metrics;
 pub use linkerd_stack_tracing as stack_tracing;
+pub use linkerd_tls as tls;
 pub use linkerd_trace_context::TraceContext;
 pub use linkerd_tracing as trace;
 pub use linkerd_transport_header as transport_header;

linkerd/app/core/src/retry.rs

@@ -3,7 +3,6 @@ use super::dst::Route;
 // use super::handle_time;
 use super::http_metrics::retries::Handle;
 use super::metrics::HttpRouteRetry;
-use super::transport::tls;
 use crate::profiles;
 use futures::future;
 use hyper::body::HttpBody;
@@ -128,10 +127,6 @@ impl<B: Default + HttpBody> CloneRequest<http::Request<B>> for () {
         *clone.headers_mut() = req.headers().clone();
         *clone.version_mut() = req.version();
 
-        if let Some(ext) = req.extensions().get::<tls::accept::Meta>() {
-            clone.extensions_mut().insert(ext.clone());
-        }
-
         // // Count retries toward the request's total handle time.
         // if let Some(ext) = req.extensions().get::<handle_time::Tracker>() {
         //     clone.extensions_mut().insert(ext.clone());

linkerd/app/core/src/transport/labels.rs

@@ -1,7 +1,7 @@
-use super::tls;
 pub use crate::metrics::{Direction, EndpointLabels, TlsId};
 use linkerd_conditional::Conditional;
 use linkerd_metrics::FmtLabels;
+use linkerd_tls as tls;
 use std::fmt;
 
 /// Describes a class of transport.

linkerd/app/gateway/src/lib.rs

@@ -15,8 +15,7 @@ mod test {
         profiles,
         proxy::{http, identity},
         svc::NewService,
-        transport::tls,
-        Error, NameAddr, NameMatch, Never,
+        tls, Error, NameAddr, NameMatch, Never,
     };
     use linkerd_app_inbound::endpoint as inbound;
     use linkerd_app_test as support;

linkerd/app/gateway/src/make.rs

@@ -1,5 +1,5 @@
 use super::gateway::Gateway;
-use linkerd_app_core::{identity, profiles, svc, transport::tls, NameAddr};
+use linkerd_app_core::{identity, profiles, svc, tls, NameAddr};
 use linkerd_app_inbound::endpoint as inbound;
 use linkerd_app_outbound as outbound;
 use tracing::debug;