Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

linkerd mc link|gateways small improvements #11265

Merged
merged 1 commit into from
Sep 5, 2023
Merged

linkerd mc link|gateways small improvements #11265

merged 1 commit into from
Sep 5, 2023

Conversation

alpeb
Copy link
Member

@alpeb alpeb commented Aug 17, 2023

When issuing linkerd mc gateways with no links, the command waited till it timed out (30s by default) before showing an empty table. This change refactors the concurrency code in getGatewayMetrics() to avoid that.

Also the linkerd mc link -h help text for the --gateway flag was showing a dupe default value:

If false, allows a link to be created against a cluster that does not have a gateway service (default true) (default true)

@alpeb
linkerd mc link|gateways small improvements
34af86c 
When issuing `linkerd mc gateways` with no links, the command waited
till it timed out (30s by default) before showing an empty table. This
change refactors the concurrency code in `getGatewayMetrics()` to avoid
that.

Also the `linkerd mc link -h` help text for the `--gateway` flag was
showing a dupe default value:

```
If false, allows a link to be created against a cluster that does not have a gateway service (default true) (default true)
```
@alpeb alpeb requested a review from a team as a code owner August 17, 2023 19:00
@alpeb alpeb merged commit 9b8d6e9 into main Sep 5, 2023
35 checks passed
@alpeb alpeb deleted the alpeb/mc-gateways-timeout branch September 5, 2023 13:57
mateiidavid added a commit that referenced this pull request Sep 7, 2023
@mateiidavid
edge-23.9.1
e02cd89 
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this change fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([11265])
* Improved help messaging for `linkerd multicluster link` ([11265])
* Changed hostPort lookup behaviour in the destination service; previously,
  endpoint lookups for pods bound on a hostPort would return the Pod IP which
  would result in loss of connectivity on pod restart, hostIPs are now always
  returned when a pod uses a hostPort ([11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([10231])

[11309]: #11309
[11296]: #11296
[11328]: #11328
[11301]: #11301
[11265]: #11265
[11149]: #11149
[10231]: #10231

Signed-off-by: Matei David <[email protected]>
@mateiidavid mateiidavid mentioned this pull request Sep 7, 2023
Merged
mateiidavid added a commit that referenced this pull request Sep 11, 2023
@mateiidavid @hawkw
edge-23.9.1 (#11350)
a9f845c 
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([#11265])
* Improved help messaging for `linkerd multicluster link` ([#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([#10231])

[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

---------

Signed-off-by: Matei David <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
@alpeb @adamshawvipps
linkerd mc link|gateways small improvements (linkerd#11265)
670e746 
When issuing `linkerd mc gateways` with no links, the command waited
till it timed out (30s by default) before showing an empty table. This
change refactors the concurrency code in `getGatewayMetrics()` to avoid
that.

Also the `linkerd mc link -h` help text for the `--gateway` flag was
showing a dupe default value:

```
If false, allows a link to be created against a cluster that does not have a gateway service (default true) (default true)
```
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
@mateiidavid @hawkw @adamshawvipps
edge-23.9.1 (linkerd#11350)
602b878 
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([linkerd#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([linkerd#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([linkerd#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([linkerd#11265])
* Improved help messaging for `linkerd multicluster link` ([linkerd#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([linkerd#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([linkerd#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([linkerd#10231])

[linkerd#11309]: linkerd#11309
[linkerd#11296]: linkerd#11296
[linkerd#11328]: linkerd#11328
[linkerd#11301]: linkerd#11301
[linkerd#11265]: linkerd#11265
[linkerd#11149]: linkerd#11149
[linkerd#10231]: linkerd#10231

---------

Signed-off-by: Matei David <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
@alpeb @adamshawvipps
linkerd mc link|gateways small improvements (linkerd#11265)
583ec79 
When issuing `linkerd mc gateways` with no links, the command waited
till it timed out (30s by default) before showing an empty table. This
change refactors the concurrency code in `getGatewayMetrics()` to avoid
that.

Also the `linkerd mc link -h` help text for the `--gateway` flag was
showing a dupe default value:

```
If false, allows a link to be created against a cluster that does not have a gateway service (default true) (default true)
```

Signed-off-by: Adam Shaw <[email protected]>
adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023
@mateiidavid @hawkw @adamshawvipps
edge-23.9.1 (linkerd#11350)
bf3e2ce 
This edge release introduces a fix for service discovery on endpoints that use
hostPorts. Previously, the destination service would return the pod IP for the
discovery request which could break connectivity on pod restart. To fix this,
direct pod communication for a pod bound on a hostPort will always return the
hostIP. In addition, this release fixes a security vulnerability (CVE-2023-2603)
detected in the CNI plugin and proxy-init images, and includes a number of other
fixes and small improvements.

* Addressed security vulnerability CVE-2023-2603 in proxy-init and CNI plugin
  ([linkerd#11296])
* Introduced resource requests/limits for the policy controller resource in the
  control plane helm chart ([linkerd#11301])
* Fixed an issue where an empty `remoteDiscoverySelector` field in a
  multicluster link would cause all services to be mirrored ([linkerd#11309])
* Removed time out from `linkerd multicluster gateways` command; when no
  metrics exist the command will return instantly ([linkerd#11265])
* Improved help messaging for `linkerd multicluster link` ([linkerd#11265])
* Changed how hostPort lookups are handled in the destination service.
  Previously, when doing service discovery for an endpoint bound on a hostPort,
  the destination service would return the corresponding pod IP. On pod
  restart, this could lead to loss of connectivity on the client's side. The
  destination service now always returns host IPs for service discovery on an
  endpoint that uses hostPorts ([linkerd#11328])
* Updated HTTPRoute webhook rule to validate all apiVersions of the resource
  (thanks @mikutas!) ([linkerd#11149])
* Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
  inject` (thanks @mikutas!) ([linkerd#10231])

[linkerd#11309]: linkerd#11309
[linkerd#11296]: linkerd#11296
[linkerd#11328]: linkerd#11328
[linkerd#11301]: linkerd#11301
[linkerd#11265]: linkerd#11265
[linkerd#11149]: linkerd#11149
[linkerd#10231]: linkerd#10231

---------

Signed-off-by: Matei David <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
Signed-off-by: Adam Shaw <[email protected]>
mateiidavid added a commit that referenced this pull request Sep 21, 2023
@mateiidavid
stable-2.14.1
6339cbc 
This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release addresses two security vulnerabilities,
[CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous
other fixes and enhancements.

* CLI
  * Fixed `linkerd check --proxy` incorrectly checking the proxy version of
    pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
  * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
    inject` (thanks @mikutas!) ([#10231])

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin ([#11296])

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts ([#11328])
  * Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) ([#11149])

* Helm
  * Removed unnecessary `linkerd.io/helm-release-version` annotation from the
    `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
    [#10778])
  * Introduced resource requests/limits for the policy controller resource in
    the control plane helm chart ([#11301])

* Multicluster
  * Fixed an issue where an empty `remoteDiscoverySelector` field in a
    multicluster link would cause all services to be mirrored ([#11309])
  * Removed time out from `linkerd multicluster gateways` command; when no
    metrics exist the command will return instantly ([#11265])
  * Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
    ([#11361])

[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

Signed-off-by: Matei David <[email protected]>
@mateiidavid mateiidavid mentioned this pull request Sep 21, 2023
Merged
mateiidavid added a commit that referenced this pull request Sep 25, 2023
@mateiidavid @hawkw
stable-2.14.1 (#11405)
f496587 
* stable-2.14.1

This stable release introduces a fix for service discovery on endpoints that
use hostPorts. Previously, the destination service would return the pod IP
associated with the endpoint which could break connectivity on pod restarts.
Discovery responses have been changed to instead return the host IP. This
release also fixes an issue in the multicluster extension where an empty
`remoteDiscoverySelector` field in the `Link` resource would cause all services
to be exported. Finally, this release addresses two security vulnerabilities,
[CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous
other fixes and enhancements.

* CLI
  * Fixed `linkerd check --proxy` incorrectly checking the proxy version of
    pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280])
  * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd
    inject` (thanks @mikutas!) ([#10231])

* CNI
  * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI
    plugin ([#11296])

* Control Plane
  * Changed how hostPort lookups are handled in the destination service.
    Previously, when doing service discovery for an endpoint bound on a
    hostPort, the destination service would return the corresponding pod IP. On
    pod restart, this could lead to loss of connectivity on the client's side.
    The destination service now always returns host IPs for service discovery
    on an endpoint that uses hostPorts ([#11328])
  * Updated HTTPRoute webhook rule to validate all apiVersions of the resource
    (thanks @mikutas!) ([#11149])

* Helm
  * Removed unnecessary `linkerd.io/helm-release-version` annotation from the
    `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes
    [#10778])
  * Introduced resource requests/limits for the policy controller resource in
    the control plane helm chart ([#11301])

* Multicluster
  * Fixed an issue where an empty `remoteDiscoverySelector` field in a
    multicluster link would cause all services to be mirrored ([#11309])
  * Removed time out from `linkerd multicluster gateways` command; when no
    metrics exist the command will return instantly ([#11265])
  * Improved help messaging for `linkerd multicluster link` ([#11265])

* Proxy
  * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy
    ([#11361])

[CVE-2023-2603]: GHSA-wp54-pwvg-rqq5
[RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html
[#11295]: #11295
[#11280]: #11280
[#11361]: #11361
[#11329]: #11329
[#10778]: #10778
[#11309]: #11309
[#11296]: #11296
[#11328]: #11328
[#11301]: #11301
[#11265]: #11265
[#11149]: #11149
[#10231]: #10231

Signed-off-by: Matei David <[email protected]>
Signed-off-by: Eliza Weisman <[email protected]>
Co-authored-by: Eliza Weisman <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mateiidavid mateiidavid mateiidavid approved these changes

@adleong adleong adleong approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alpeb @adleong @mateiidavid