outbound: Discover profiles for each unique TCP target (#704)

The proxy has classically discovered profiles & endpoints by looking at
each HTTP request's headers. This change removes all per-request
discovery. Instead, resolution is now done for each unique outbound TCP
target (regardless of whether the connection serves HTTP or not). This
eager resolution eliminates per-request cache binding; and supports
using `TrafficSplit` with non-HTTP services.

This has a few side effects:

- The `l5d-dst-override` header is no longer honored.
- When the application attempts to connect to a pod IP, the proxy no
  longer load balances these requests among all pods in the service.
  The proxy will now honor session-stickiness as selected by an
  application-level load balancer (see linkerd/linkerd2#4956).
- TrafficSplits are only applied when a client targets a service's IP.
- The proxy no longer performs DNS "canonicalization" to translate
  relative host header names to a fully-qualified form.

Co-authored-by: Eliza Weisman <[email protected]>

Author: olix0r

Cargo.lock

@@ -771,13 +771,11 @@ dependencies = [
  "linkerd2-metrics",
  "linkerd2-opencensus",
  "linkerd2-proxy-api",
- "quickcheck",
  "regex 1.3.9",
  "ring",
  "rustls",
  "tokio",
  "tokio-connect",
- "tokio-current-thread",
  "tokio-io",
  "tokio-rustls",
  "tonic",
@@ -840,7 +838,6 @@ dependencies = [
  "pin-project",
  "procinfo",
  "prost-types",
- "quickcheck",
  "rand 0.7.2",
  "regex 1.3.9",
  "serde_json",
@@ -882,7 +879,6 @@ dependencies = [
  "http 0.2.1",
  "indexmap",
  "linkerd2-app-core",
- "quickcheck",
  "tokio",
  "tower",
  "tracing",
@@ -904,7 +900,6 @@ dependencies = [
  "linkerd2-app-test",
  "linkerd2-metrics",
  "linkerd2-proxy-api",
- "quickcheck",
  "regex 0.1.80",
  "ring",
  "rustls",
@@ -933,7 +928,6 @@ dependencies = [
  "linkerd2-identity",
  "linkerd2-retry",
  "pin-project",
- "quickcheck",
  "tokio",
  "tower",
  "tracing",
@@ -1018,12 +1012,9 @@ dependencies = [
  "futures 0.3.5",
  "linkerd2-dns-name",
  "linkerd2-error",
- "linkerd2-stack",
  "pin-project",
  "tokio",
- "tower",
  "tracing",
- "tracing-futures",
  "trust-dns-resolver",
 ]
 
@@ -1094,7 +1085,6 @@ name = "linkerd2-exp-backoff"
 version = "0.1.0"
 dependencies = [
  "futures 0.3.5",
- "linkerd2-error",
  "pin-project",
  "quickcheck",
  "rand 0.7.2",
@@ -1166,7 +1156,6 @@ dependencies = [
  "pin-project",
  "tokio",
  "tokio-rustls",
- "tokio-test",
 ]
 
 [[package]]
@@ -1191,7 +1180,6 @@ dependencies = [
  "http-body",
  "linkerd2-error",
  "linkerd2-metrics",
- "linkerd2-stack",
  "opencensus-proto",
  "pin-project",
  "tokio",
@@ -1254,9 +1242,7 @@ dependencies = [
  "futures 0.3.5",
  "linkerd2-error",
  "pin-project",
- "tokio",
  "tower",
- "tracing-futures",
 ]
 
 [[package]]
@@ -1271,9 +1257,7 @@ dependencies = [
  "linkerd2-stack",
  "pin-project",
  "tokio",
- "tokio-test",
  "tower",
- "tower-test",
  "tracing",
  "tracing-futures",
 ]
@@ -1288,7 +1272,6 @@ dependencies = [
  "linkerd2-error",
  "linkerd2-proxy-core",
  "tokio",
- "tokio-test",
  "tower",
  "tracing",
  "tracing-futures",
@@ -1307,15 +1290,12 @@ dependencies = [
  "hyper",
  "hyper-balance",
  "indexmap",
- "linkerd2-addr",
- "linkerd2-dns",
  "linkerd2-drain",
  "linkerd2-duplex",
  "linkerd2-error",
  "linkerd2-http-box",
  "linkerd2-identity",
  "linkerd2-io",
- "linkerd2-proxy-transport",
  "linkerd2-stack",
  "linkerd2-timeout",
  "pin-project",
@@ -1348,11 +1328,9 @@ name = "linkerd2-proxy-resolve"
 version = "0.1.0"
 dependencies = [
  "futures 0.3.5",
- "indexmap",
  "linkerd2-error",
  "linkerd2-proxy-core",
  "pin-project",
- "tokio",
  "tower",
  "tracing",
 ]
@@ -1371,13 +1349,11 @@ dependencies = [
  "linkerd2-error",
  "linkerd2-identity",
  "linkerd2-proxy-api",
- "linkerd2-proxy-core",
  "linkerd2-proxy-http",
  "linkerd2-proxy-transport",
  "linkerd2-stack",
  "pin-project",
  "prost-types",
- "quickcheck",
  "rand 0.7.2",
  "tokio",
  "tonic",
@@ -1405,7 +1381,6 @@ name = "linkerd2-proxy-transport"
 version = "0.1.0"
 dependencies = [
  "async-stream",
- "async-trait",
  "bytes 0.5.4",
  "futures 0.3.5",
  "indexmap",
@@ -1417,7 +1392,6 @@ dependencies = [
  "linkerd2-identity",
  "linkerd2-io",
  "linkerd2-metrics",
- "linkerd2-proxy-core",
  "linkerd2-stack",
  "pin-project",
  "ring",
@@ -2567,16 +2541,6 @@ dependencies = [
  "tokio-io",
 ]
 
-[[package]]
-name = "tokio-current-thread"
-version = "0.1.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d16217cad7f1b840c5a97dfb3c43b0c871fef423a6e8d2118c604e843662a443"
-dependencies = [
- "futures 0.1.26",
- "tokio-executor",
-]
-
 [[package]]
 name = "tokio-executor"
 version = "0.1.10"

linkerd/addr/src/lib.rs

@@ -129,6 +129,12 @@ impl From<NameAddr> for Addr {
     }
 }
 
+impl From<(Name, u16)> for Addr {
+    fn from((n, p): (Name, u16)) -> Self {
+        Addr::Name((n, p).into())
+    }
+}
+
 impl AsRef<Self> for Addr {
     fn as_ref(&self) -> &Self {
         self
@@ -137,11 +143,13 @@ impl AsRef<Self> for Addr {
 
 // === impl NameAddr ===
 
-impl NameAddr {
-    pub fn new(name: Name, port: u16) -> Self {
+impl From<(Name, u16)> for NameAddr {
+    fn from((name, port): (Name, u16)) -> Self {
         NameAddr { name, port }
     }
+}
 
+impl NameAddr {
     pub fn from_str(hostport: &str) -> Result<Self, Error> {
         let mut parts = hostport.rsplitn(2, ':');
         let port = parts

linkerd/app/Cargo.toml

@@ -39,11 +39,9 @@ http = "0.2"
 hyper = "0.13.7"
 linkerd2-metrics = { path = "../metrics", features = ["test_util"] }
 linkerd2-proxy-api = { git = "https://github.com/linkerd/linkerd2-proxy-api", tag = "v0.1.14", features = ["arbitrary"] }
-quickcheck = { version = "0.9", default-features = false }
 ring = "0.16"
 rustls = "0.17"
 tokio-connect = { git = "https://github.com/carllerche/tokio-connect" }
 tokio-io = "0.1.6"
-tokio-current-thread = "0.1.4"
 tokio-rustls = "0.13"
 webpki = "0.21"

linkerd/app/core/Cargo.toml

@@ -100,4 +100,3 @@ procinfo = "0.4.2"
 [dev-dependencies]
 linkerd2-proxy-api = { git = "https://github.com/linkerd/linkerd2-proxy-api", tag = "v0.1.14", features = ["arbitrary"] }
 prost-types = "0.6.0"
-quickcheck = { version = "0.9", default-features = false }

linkerd/app/core/src/addr_match.rs

@@ -3,16 +3,16 @@ use linkerd2_addr::Addr;
 use linkerd2_dns::{Name, Suffix};
 use std::{net::IpAddr, sync::Arc};
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Default)]
 pub struct AddrMatch {
     names: NameMatch,
     nets: IpMatch,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Default)]
 pub struct NameMatch(Arc<Vec<Suffix>>);
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Default)]
 pub struct IpMatch(Arc<Vec<IpNet>>);
 
 // === impl NameMatch ===

linkerd/app/gateway/src/config.rs

@@ -1,51 +1,76 @@
 use super::make::MakeGateway;
-use indexmap::IndexSet;
-use linkerd2_app_core::proxy::http;
-use linkerd2_app_core::{dns, transport::tls, Error};
+use linkerd2_app_core::{
+    discovery_rejected, profiles, proxy::http, svc, transport::tls, Error, NameAddr, NameMatch,
+};
 use linkerd2_app_inbound::endpoint as inbound;
 use linkerd2_app_outbound::endpoint as outbound;
-use std::net::IpAddr;
+use std::net::SocketAddr;
 
 #[derive(Clone, Debug, Default)]
 pub struct Config {
-    pub suffixes: IndexSet<dns::Suffix>,
+    pub allow_discovery: NameMatch,
 }
 
+#[derive(Clone, Debug)]
+struct Allow(NameMatch);
+
 impl Config {
-    pub fn build<R, O, S>(
+    pub fn build<O, P, S>(
         self,
-        resolve: R,
         outbound: O,
+        profiles: P,
+        default_addr: SocketAddr,
         local_id: tls::PeerIdentity,
-    ) -> impl Clone
-           + Send
-           + tower::Service<
+    ) -> impl svc::NewService<
         inbound::Target,
-        Error = impl Into<Error>,
-        Future = impl Send + 'static,
-        Response = impl Send
-                       + tower::Service<
+        Service = impl tower::Service<
             http::Request<http::boxed::Payload>,
             Response = http::Response<http::boxed::Payload>,
             Error = impl Into<Error>,
             Future = impl Send,
-        > + 'static,
-    >
+        > + Send
+                      + 'static,
+    > + Clone
+           + Send
     where
-        R: tower::Service<dns::Name, Response = (dns::Name, IpAddr)> + Send + Clone,
-        R::Error: Into<Error> + 'static,
-        R::Future: Send + 'static,
-        O: tower::Service<outbound::HttpLogical, Response = S> + Send + Clone + 'static,
-        O::Error: Into<Error> + Send + 'static,
-        O::Future: Send + 'static,
-        S: Send
-            + tower::Service<
+        P: profiles::GetProfile<NameAddr> + Clone + Send + 'static,
+        P::Future: Send + 'static,
+        P::Error: Send,
+        O: svc::NewService<outbound::HttpLogical, Service = S> + Clone + Send + 'static,
+        S: tower::Service<
                 http::Request<http::boxed::Payload>,
                 Response = http::Response<http::boxed::Payload>,
-            > + 'static,
-        S::Error: Into<Error> + Send + 'static,
-        S::Future: Send,
+            > + Send
+            + 'static,
+        S::Error: Into<Error>,
+        S::Future: Send + 'static,
     {
-        MakeGateway::new(resolve, outbound, local_id, self.suffixes.clone())
+        svc::stack(MakeGateway::new(outbound, default_addr, local_id))
+            .check_new_service::<super::make::Target, http::Request<http::boxed::Payload>>()
+            .push(profiles::discover::layer(
+                profiles,
+                Allow(self.allow_discovery),
+            ))
+            .check_new_service::<inbound::Target, http::Request<http::boxed::Payload>>()
+            .into_inner()
+    }
+}
+
+impl svc::stack::FilterRequest<inbound::Target> for Allow {
+    type Request = NameAddr;
+
+    fn filter(&self, target: inbound::Target) -> Result<NameAddr, Error> {
+        // Skip discovery when the client does not have an identity.
+        if target.tls_client_id.is_some() {
+            // Discovery needs to have resolved a service name.
+            if let Some(addr) = target.dst.into_name_addr() {
+                // The service name needs to exist in the configured set of suffixes.
+                if self.0.matches(addr.name()) {
+                    return Ok(addr);
+                }
+            }
+        }
+
+        Err(discovery_rejected().into())
     }
 }

linkerd/app/gateway/src/gateway.rs

@@ -20,13 +20,13 @@ pub(crate) enum Gateway<O> {
 impl<O> Gateway<O> {
     pub fn new(
         outbound: O,
+        dst: NameAddr,
         source_identity: identity::Name,
-        dst_name: NameAddr,
         local_identity: identity::Name,
     ) -> Self {
         let fwd = format!(
             "by={};for={};host={};proto=https",
-            local_identity, source_identity, dst_name
+            local_identity, source_identity, dst
         );
         Gateway::Outbound {
             outbound,