inbound: Expose permit labels on HTTP metrics (#1216)

This change follows #1215, which exposes policy
labels on inbound TCP server metrics, by adding these same labels to
HTTP metrics.

The HTTP router target types are updated to take a `Permit` which
includes server and authz labels so that the inbound HTTP metrics can
include these labels. This will enable `linkerd viz stat` to work on
these resources. This change shouldn't impact metrics cardinality, since
client IDs are already exposed in metrics labeling.

Author: olix0r

linkerd/app/admin/src/stack.rs

@@ -181,6 +181,7 @@ impl Param<metrics::EndpointLabels> for Http {
             tls: self.tcp.tls.clone(),
             authority: None,
             target_addr: self.tcp.addr.into(),
+            policy: Default::default(),
         }
         .into()
     }

linkerd/app/core/src/metrics/mod.rs

@@ -14,6 +14,7 @@ use crate::{
 use linkerd_addr::Addr;
 use linkerd_metrics::FmtLabels;
 pub use linkerd_metrics::*;
+use linkerd_server_policy as policy;
 use std::{
     fmt::{self, Write},
     net::SocketAddr,
@@ -67,6 +68,13 @@ pub struct InboundEndpointLabels {
     pub tls: tls::ConditionalServerTls,
     pub authority: Option<http::uri::Authority>,
     pub target_addr: SocketAddr,
+    pub policy: PolicyLabels,
+}
+
+#[derive(Clone, Debug, Default, Eq, PartialEq, Hash)]
+pub struct PolicyLabels {
+    pub server: policy::Labels,
+    pub authz: policy::Labels,
 }
 
 #[derive(Clone, Debug, PartialEq, Eq, Hash)]
@@ -285,6 +293,13 @@ impl FmtLabels for InboundEndpointLabels {
 
         (TargetAddr(self.target_addr), TlsAccept::from(&self.tls)).fmt_labels(f)?;
 
+        for (k, v) in self.policy.server.iter() {
+            write!(f, ",srv_{}=\"{}\"", k, v)?;
+        }
+        for (k, v) in self.policy.authz.iter() {
+            write!(f, ",saz_{}=\"{}\"", k, v)?;
+        }
+
         Ok(())
     }
 }

linkerd/app/core/src/transport/labels.rs

@@ -1,4 +1,4 @@
-pub use crate::metrics::{Direction, OutboundEndpointLabels};
+pub use crate::metrics::{Direction, OutboundEndpointLabels, PolicyLabels};
 use linkerd_conditional::Conditional;
 use linkerd_metrics::FmtLabels;
 use linkerd_server_policy as policy;
@@ -34,12 +34,6 @@ pub(crate) struct TlsConnect<'t>(&'t tls::ConditionalClientTls);
 #[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)]
 pub(crate) struct TargetAddr(pub(crate) SocketAddr);
 
-#[derive(Clone, Debug, Eq, PartialEq, Hash)]
-pub(crate) struct PolicyLabels {
-    server: policy::Labels,
-    authz: policy::Labels,
-}
-
 // === impl Key ===
 
 impl Key {

linkerd/app/inbound/src/detect.rs

@@ -299,6 +299,12 @@ impl svc::Param<Option<identity::Name>> for Http {
     }
 }
 
+impl svc::Param<Permit> for Http {
+    fn param(&self) -> Permit {
+        self.tls.permit.clone()
+    }
+}
+
 // === TlsParams ===
 
 impl<T> svc::ExtractParam<tls::server::Timeout, T> for TlsParams {

linkerd/app/inbound/src/http/mod.rs

@@ -14,6 +14,7 @@ fn trace_labels() -> std::collections::HashMap<String, String> {
 pub mod fuzz {
     use crate::{
         http::router::Http,
+        policy,
         test_util::{
             support::{connect::Connect, http_util, profile, resolver},
             *,
@@ -200,9 +201,14 @@ pub mod fuzz {
         }
     }
 
-    impl svc::Param<tls::ConditionalServerTls> for Target {
-        fn param(&self) -> tls::ConditionalServerTls {
-            tls::ConditionalServerTls::None(tls::NoServerTls::NoClientHello)
+    impl svc::Param<policy::Permit> for Target {
+        fn param(&self) -> policy::Permit {
+            policy::Permit {
+                protocol: policy::Protocol::Http1,
+                tls: tls::ConditionalServerTls::None(tls::NoServerTls::NoClientHello),
+                server_labels: Default::default(),
+                authz_labels: Default::default(),
+            }
         }
     }
 

linkerd/app/inbound/src/http/router.rs

@@ -1,4 +1,4 @@
-use crate::{stack_labels, Inbound};
+use crate::{policy, stack_labels, Inbound};
 use linkerd_app_core::{
     classify, dst, http_tracing, io, metrics,
     profiles::{self, DiscoveryRejected},
@@ -16,14 +16,14 @@ use tracing::{debug, debug_span};
 pub struct Http {
     port: u16,
     settings: http::client::Settings,
-    tls: tls::ConditionalServerTls,
+    permit: policy::Permit,
 }
 
 /// Builds `Logical` targets for each HTTP request.
 #[derive(Clone, Debug)]
 struct LogicalPerRequest {
     addr: Remote<ServerAddr>,
-    tls: tls::ConditionalServerTls,
+    permit: policy::Permit,
 }
 
 /// Describes a logical request target.
@@ -33,7 +33,7 @@ struct Logical {
     logical: Option<NameAddr>,
     addr: Remote<ServerAddr>,
     http: http::Version,
-    tls: tls::ConditionalServerTls,
+    permit: policy::Permit,
 }
 
 /// Describes a resolved profile for a logical service.
@@ -47,7 +47,7 @@ struct Profile {
 // === impl Inbound ===
 
 impl<C> Inbound<C> {
-    pub fn push_http_router<T, P>(
+    pub(crate) fn push_http_router<T, P>(
         self,
         profiles: P,
     ) -> Inbound<
@@ -65,7 +65,7 @@ impl<C> Inbound<C> {
         T: Param<http::Version>
             + Param<Remote<ServerAddr>>
             + Param<Remote<ClientAddr>>
-            + Param<tls::ConditionalServerTls>,
+            + Param<policy::Permit>,
         T: Clone + Send + 'static,
         P: profiles::GetProfile<profiles::LookupAddr> + Clone + Send + Sync + 'static,
         P::Future: Send,
@@ -219,10 +219,10 @@ impl<C> Inbound<C> {
                 .push(svc::BoxNewService::layer())
                 .push(svc::NewRouter::layer(|t: T| LogicalPerRequest {
                     addr: t.param(),
-                    tls: t.param(),
+                    permit: t.param(),
                 }))
                 // Used by tap.
-                .push_http_insert_target::<tls::ConditionalServerTls>()
+                .push_http_insert_target::<policy::Permit>()
                 .push_http_insert_target::<Remote<ClientAddr>>()
                 .push(svc::BoxNewService::layer())
         })
@@ -259,7 +259,7 @@ impl<A> svc::stack::RecognizeRoute<http::Request<A>> for LogicalPerRequest {
         Ok(Logical {
             logical,
             addr: self.addr,
-            tls: self.tls.clone(),
+            permit: self.permit.clone(),
             // Use the request's HTTP version (i.e. as modified by orig-proto downgrading).
             http: req
                 .version()
@@ -300,9 +300,13 @@ impl Param<transport::labels::Key> for Logical {
 impl Param<metrics::EndpointLabels> for Logical {
     fn param(&self) -> metrics::EndpointLabels {
         metrics::InboundEndpointLabels {
-            tls: self.tls.clone(),
+            tls: self.permit.tls.clone(),
             authority: self.logical.as_ref().map(|d| d.as_http_authority()),
             target_addr: self.addr.into(),
+            policy: metrics::PolicyLabels {
+                server: self.permit.server_labels.clone(),
+                authz: self.permit.authz_labels.clone(),
+            },
         }
         .into()
     }
@@ -325,8 +329,8 @@ impl tap::Inspect for Logical {
 
     fn src_tls<B>(&self, req: &http::Request<B>) -> tls::ConditionalServerTls {
         req.extensions()
-            .get::<tls::ConditionalServerTls>()
-            .cloned()
+            .get::<policy::Permit>()
+            .map(|p| p.tls.clone())
             .unwrap_or_else(|| tls::ConditionalServerTls::None(tls::NoServerTls::Disabled))
     }
 
@@ -372,7 +376,7 @@ impl From<Logical> for Http {
         Self {
             port: l.addr.as_ref().port(),
             settings: l.http.into(),
-            tls: l.tls,
+            permit: l.permit,
         }
     }
 }

linkerd/app/inbound/src/http/tests.rs

@@ -1,4 +1,5 @@
 use crate::{
+    policy,
     test_util::{
         support::{connect::Connect, http_util, profile, resolver},
         *,
@@ -403,9 +404,14 @@ impl svc::Param<http::Version> for Target {
     }
 }
 
-impl svc::Param<tls::ConditionalServerTls> for Target {
-    fn param(&self) -> tls::ConditionalServerTls {
-        tls::ConditionalServerTls::None(tls::NoServerTls::NoClientHello)
+impl svc::Param<policy::Permit> for Target {
+    fn param(&self) -> policy::Permit {
+        policy::Permit {
+            protocol: policy::Protocol::Http1,
+            tls: tls::ConditionalServerTls::None(tls::NoServerTls::Disabled),
+            server_labels: Default::default(),
+            authz_labels: Default::default(),
+        }
     }
 }
 

linkerd/app/inbound/src/policy/mod.rs

@@ -34,7 +34,7 @@ pub(crate) struct AllowPolicy {
     server: Arc<ServerPolicy>,
 }
 
-#[derive(Clone, Debug, PartialEq, Eq)]
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub(crate) struct Permit {
     pub protocol: Protocol,
     pub tls: tls::ConditionalServerTls,

linkerd/server-policy/src/lib.rs

@@ -20,7 +20,7 @@ pub struct ServerPolicy {
 #[derive(Clone, Debug, Default, PartialEq, Eq, Hash)]
 pub struct Labels(Arc<BTreeMap<String, String>>);
 
-#[derive(Copy, Clone, Debug, PartialEq, Eq)]
+#[derive(Copy, Clone, Debug, PartialEq, Eq, Hash)]
 pub enum Protocol {
     Detect { timeout: time::Duration },
     Http1,