From 1e6a019b31e6e228164fd56edf773cec543a08bb Mon Sep 17 00:00:00 2001 From: Matei David Date: Thu, 2 Nov 2023 14:03:50 +0000 Subject: [PATCH] Introduce configurable values for protocol detection (#11536) This change allows users to configure protocol detection timeout values (outbound and inbound). Certain environments may find that protocol detection inhibits debugging and makes it harder to reason about a client's behaviour. In such cases (and not only) it may be desirable to change the default protocol detection timeout to a higher value than the default 10s. Through this change, users may configure their timeout values either with install-time settings or through annotations; this follows our usual proxy configuration model. The proxy uses different timeout values for the inbound and outbound stacks (even though they use the same default value) and this change respects that by adding two separate fields.
Signed-off-by: Matei David --- charts/linkerd-control-plane/README.md | 2 + charts/linkerd-control-plane/values.yaml | 6 ++ charts/partials/templates/_proxy.tpl | 8 ++ cli/cmd/doc.go | 8 ++ ...install_controlplane_tracing_output.golden | 2 + cli/cmd/testdata/install_custom_domain.golden | 2 + .../testdata/install_custom_registry.golden | 2 + cli/cmd/testdata/install_default.golden | 2 + ...stall_default_override_dst_get_nets.golden | 2 + cli/cmd/testdata/install_default_token.golden | 2 + cli/cmd/testdata/install_ha_output.golden | 2 + .../install_ha_with_overrides_output.golden | 2 + .../install_heartbeat_disabled_output.golden | 2 + .../install_helm_control_plane_output.golden | 2 + ...nstall_helm_control_plane_output_ha.golden | 2 + .../install_helm_output_ha_labels.golden | 2 + ...l_helm_output_ha_namespace_selector.golden | 2 + .../testdata/install_no_init_container.golden | 2 + cli/cmd/testdata/install_output.golden | 2 + cli/cmd/testdata/install_proxy_ignores.golden | 2 + cli/cmd/testdata/install_values_file.golden | 2 + pkg/charts/linkerd2/values.go | 48 ++++++----- pkg/charts/linkerd2/values_test.go | 20 +++-- pkg/inject/inject.go | 20 +++++ pkg/inject/inject_test.go | 86 +++++++++++-------- pkg/k8s/labels.go | 10 +++ 26 files changed, 174 insertions(+), 68 deletions(-) diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index d3586ed46cb43..46b8447b292f9 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md 
@@ -229,6 +229,8 @@ Kubernetes: `>=1.21.0-0` | proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready | | proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. | | proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" | +| proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value | +| proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value | | proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services | | proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy | | proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image | diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index 659a179bb2791..0fb82cc2f3819 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml 
@@ -115,6 +115,12 @@ proxy: # -- Maximum time allowed before an unused inbound discovery result # is evicted from the cache inboundDiscoveryCacheUnusedTimeout: "90s" + # -- When set to true, disables the protocol detection timeout on the + # outbound side of the proxy by setting it to a very high value + disableOutboundProtocolDetectTimeout: false + # -- When set to true, disables the protocol detection timeout on the inbound + # side of the proxy by setting it to a very high value + disableInboundProtocolDetectTimeout: false image: # -- Docker image for the proxy name: cr.l5d.io/linkerd/proxy diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index c70c149005459..30257b536cab2 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -57,6 +57,14 @@ env: - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} {{ end -}} +{{ if .Values.proxy.DisableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.DisableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:{{.Values.proxy.ports.control}} - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR diff --git a/cli/cmd/doc.go b/cli/cmd/doc.go index 592a9e620c707..20867238085ea 100644 --- a/cli/cmd/doc.go +++ b/cli/cmd/doc.go 
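Review bot: The two new conditionals in `_proxy.tpl` read `.Values.proxy.DisableOutboundProtocolDetectTimeout` and `.Values.proxy.DisableInboundProtocolDetectTimeout` with a capital `D`, while `values.yaml` and the JSON tags in `values.go` spell the keys `disableOutboundProtocolDetectTimeout` and `disableInboundProtocolDetectTimeout`. Helm value keys are case-sensitive, so as written the lookup should never find a value and neither `LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT` nor `LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT` would be rendered even when the setting is true; the guards should be `{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}}` and `{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}}`. Every golden file touched by this patch renders with both flags false, so a golden case with one flag enabled would have caught the mismatch. Separately, `"365d"` effectively removes the bound on how long a silent connection can sit in detection, which on the inbound side presumably lets idle peers hold proxy resources; the `values.yaml` comment could say so, e.g. `# Intended for debugging; connections that never send data are no longer timed out during detection`.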
@@ -252,6 +252,14 @@ func generateAnnotationsDocs() []annotationDoc { Name: k8s.ProxyInboundDiscoveryCacheUnusedTimeout, Description: "Maximum time allowed before an unused inbound discovery result is evicted from the cache. Defaults to `90s`", }, + { + Name: k8s.ProxyDisableOutboundProtocolDetectTimeout, + Description: "When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value", + }, + { + Name: k8s.ProxyDisableInboundProtocolDetectTimeout, + Description: "When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value", + }, { Name: k8s.ProxyWaitBeforeExitSecondsAnnotation, Description: "The proxy sidecar will stay alive for at least the given period after receiving SIGTERM signal from Kubernetes but no longer than pod's `terminationGracePeriodSeconds`. Defaults to `0`", diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index eb91581431e2f..ebcd0b21dac44 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index 932d47dd1886e..0306f1a465e7a 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy 
diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index d00e1765dda60..cb07eb109bfa0 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: my.custom.registry/linkerd-io/proxy diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 932d47dd1886e..0306f1a465e7a 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 7bb1e47358b42..a355cf87ffa1c 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index d178d3c74466a..332d1a68874f5 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden 
@@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index c29b95442eb44..21162d710c681 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -648,6 +648,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 624b167c810e2..f1dcae1f530f1 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -648,6 +648,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index 9a13ca6c21091..d0ced48d3849f 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -552,6 +552,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy 
diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index 8cead0b7bf167..9ac6c65276378 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -598,6 +598,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index b3b1672d81eb8..66f3ef2a3962a 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -625,6 +625,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 6a5fdc1a6a386..f976a0a4e19b6 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -629,6 +629,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index f593efacec404..f6d39a2a3d938 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden 
+++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -620,6 +620,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 5f4380817f32c..fcea6e8714f69 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index f35f19ca9a576..9d14e1d1a4174 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -601,6 +601,8 @@ data: await: true capabilities: null defaultInboundPolicy: default-allow-policy + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: ProxyImageName diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index 9f07dfed6ddf9..81dee954ee422 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index 3a1fefc410c5b..6451a20bfd251 100644 
--- a/cli/cmd/testdata/install_values_file.golden +++ b/cli/cmd/testdata/install_values_file.golden @@ -621,6 +621,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index a219ce29e88f0..791318a45a61b 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go 
@@ -94,29 +94,31 @@ type ( Proxy struct { Capabilities *Capabilities `json:"capabilities"` // This should match .Resources.CPU.Limit, but must be a whole number - Cores int64 `json:"cores,omitempty"` - EnableExternalProfiles bool `json:"enableExternalProfiles"` - Image *Image `json:"image"` - LogLevel string `json:"logLevel"` - LogFormat string `json:"logFormat"` - SAMountPath *VolumeMountPath `json:"saMountPath"` - Ports *Ports `json:"ports"` - Resources *Resources `json:"resources"` - UID int64 `json:"uid"` - WaitBeforeExitSeconds uint64 `json:"waitBeforeExitSeconds"` - IsGateway bool `json:"isGateway"` - IsIngress bool `json:"isIngress"` - RequireIdentityOnInboundPorts string `json:"requireIdentityOnInboundPorts"` - OutboundConnectTimeout string `json:"outboundConnectTimeout"` - InboundConnectTimeout string `json:"inboundConnectTimeout"` - OutboundDiscoveryCacheUnusedTimeout string `json:"outboundDiscoveryCacheUnusedTimeout"` - InboundDiscoveryCacheUnusedTimeout string `json:"inboundDiscoveryCacheUnusedTimeout"` - PodInboundPorts string `json:"podInboundPorts"` - OpaquePorts string `json:"opaquePorts"` - Await bool `json:"await"` - DefaultInboundPolicy string `json:"defaultInboundPolicy"` - AccessLog string `json:"accessLog"` - ShutdownGracePeriod string `json:"shutdownGracePeriod"` + Cores int64 `json:"cores,omitempty"` + EnableExternalProfiles bool `json:"enableExternalProfiles"` + Image *Image `json:"image"` + LogLevel string `json:"logLevel"` + LogFormat string `json:"logFormat"` + SAMountPath *VolumeMountPath `json:"saMountPath"` + Ports *Ports `json:"ports"` + Resources *Resources `json:"resources"` + UID int64 `json:"uid"` + WaitBeforeExitSeconds uint64 `json:"waitBeforeExitSeconds"` + IsGateway bool `json:"isGateway"` + IsIngress bool `json:"isIngress"` + RequireIdentityOnInboundPorts string `json:"requireIdentityOnInboundPorts"` + OutboundConnectTimeout string `json:"outboundConnectTimeout"` + InboundConnectTimeout string `json:"inboundConnectTimeout"` 
+ OutboundDiscoveryCacheUnusedTimeout string `json:"outboundDiscoveryCacheUnusedTimeout"` + InboundDiscoveryCacheUnusedTimeout string `json:"inboundDiscoveryCacheUnusedTimeout"` + DisableOutboundProtocolDetectTimeout bool `json:"disableOutboundProtocolDetectTimeout"` + DisableInboundProtocolDetectTimeout bool `json:"disableInboundProtocolDetectTimeout"` + PodInboundPorts string `json:"podInboundPorts"` + OpaquePorts string `json:"opaquePorts"` + Await bool `json:"await"` + DefaultInboundPolicy string `json:"defaultInboundPolicy"` + AccessLog string `json:"accessLog"` + ShutdownGracePeriod string `json:"shutdownGracePeriod"` } // ProxyInit contains the fields to set the proxy-init container diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go index c033ebc6205fe..91c6b3c6fb020 100644 --- a/pkg/charts/linkerd2/values_test.go +++ b/pkg/charts/linkerd2/values_test.go @@ -123,15 +123,17 @@ func TestNewValues(t *testing.T) { Request: "", }, }, - UID: 2102, - WaitBeforeExitSeconds: 0, - OutboundConnectTimeout: "1000ms", - InboundConnectTimeout: "100ms", - OpaquePorts: "25,587,3306,4444,5432,6379,9300,11211", - Await: true, - DefaultInboundPolicy: "all-unauthenticated", - OutboundDiscoveryCacheUnusedTimeout: "5s", - InboundDiscoveryCacheUnusedTimeout: "90s", + UID: 2102, + WaitBeforeExitSeconds: 0, + OutboundConnectTimeout: "1000ms", + InboundConnectTimeout: "100ms", + OpaquePorts: "25,587,3306,4444,5432,6379,9300,11211", + Await: true, + DefaultInboundPolicy: "all-unauthenticated", + OutboundDiscoveryCacheUnusedTimeout: "5s", + InboundDiscoveryCacheUnusedTimeout: "90s", + DisableOutboundProtocolDetectTimeout: false, + DisableInboundProtocolDetectTimeout: false, }, ProxyInit: &ProxyInit{ IptablesMode: "legacy", diff --git a/pkg/inject/inject.go b/pkg/inject/inject.go index edf7f54616904..31bc0ef2dd12c 100644 --- a/pkg/inject/inject.go +++ b/pkg/inject/inject.go 
@@ -75,6 +75,8 @@ var ( k8s.ProxyShutdownGracePeriodAnnotation, k8s.ProxyOutboundDiscoveryCacheUnusedTimeout, k8s.ProxyInboundDiscoveryCacheUnusedTimeout, + k8s.ProxyDisableOutboundProtocolDetectTimeout, + k8s.ProxyDisableInboundProtocolDetectTimeout, } // ProxyAlphaConfigAnnotations is the list of all alpha configuration // (config.alpha prefix) that can be applied to a pod or namespace. @@ -954,6 +956,24 @@ func (conf *ResourceConfig) applyAnnotationOverrides(values *l5dcharts.Values) { } } + if override, ok := annotations[k8s.ProxyDisableOutboundProtocolDetectTimeout]; ok { + value, err := strconv.ParseBool(override) + if err == nil { + values.Proxy.DisableOutboundProtocolDetectTimeout = value + } else { + log.Warnf("unrecognised value used on pod annotation %s: %s", k8s.ProxyDisableOutboundProtocolDetectTimeout, err.Error()) + } + } + + if override, ok := annotations[k8s.ProxyDisableInboundProtocolDetectTimeout]; ok { + value, err := strconv.ParseBool(override) + if err == nil { + values.Proxy.DisableInboundProtocolDetectTimeout = value + } else { + log.Warnf("unrecognised value used on pod annotation %s: %s", k8s.ProxyDisableInboundProtocolDetectTimeout, err.Error()) + } + } + if override, ok := annotations[k8s.ProxyShutdownGracePeriodAnnotation]; ok { duration, err := time.ParseDuration(override) if err != nil { diff --git a/pkg/inject/inject_test.go b/pkg/inject/inject_test.go index 3f8599c07ff79..41177b8f53b98 100644 --- a/pkg/inject/inject_test.go +++ b/pkg/inject/inject_test.go @@ -72,6 +72,8 @@ func TestGetOverriddenValues(t *testing.T) { k8s.ProxyShutdownGracePeriodAnnotation: "30s", k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50000ms", k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "900s", + k8s.ProxyDisableOutboundProtocolDetectTimeout: "true", + k8s.ProxyDisableInboundProtocolDetectTimeout: "true", }, }, Spec: corev1.PodSpec{}, 
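Review bot: The warning in both new `applyAnnotationOverrides` branches says "pod annotation", but the tests in this patch set these keys through `nsAnnotations`, so the message can point an operator at the wrong object. Wording it as `log.Warnf("unrecognised value used on annotation %s: %s", k8s.ProxyDisableOutboundProtocolDetectTimeout, err.Error())` (and the same for the inbound branch) avoids that. It would also help to add a short comment above each branch stating that an unparsable value leaves the chart default in place, since the only signal is this log line. The function body starts and ends outside the hunk, so this is judged from the added lines only.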
@@ -122,6 +124,8 @@ func TestGetOverriddenValues(t *testing.T) {
 values.Proxy.ShutdownGracePeriod = "30000ms"
 values.Proxy.OutboundDiscoveryCacheUnusedTimeout = "50s"
 values.Proxy.InboundDiscoveryCacheUnusedTimeout = "900s"
+ values.Proxy.DisableOutboundProtocolDetectTimeout = true
+ values.Proxy.DisableInboundProtocolDetectTimeout = true
 return values
 },
 },
@@ -140,34 +144,36 @@ func TestGetOverriddenValues(t *testing.T) { }, {id: "use namespace overrides", nsAnnotations: map[string]string{ - k8s.ProxyImageAnnotation: "cr.l5d.io/linkerd/proxy", - k8s.ProxyImagePullPolicyAnnotation: pullPolicy, - k8s.ProxyInitImageAnnotation: "cr.l5d.io/linkerd/proxy-init", - k8s.ProxyControlPortAnnotation: "4000", - k8s.ProxyInboundPortAnnotation: "5000", - k8s.ProxyAdminPortAnnotation: "5001", - k8s.ProxyOutboundPortAnnotation: "5002", - k8s.ProxyPodInboundPortsAnnotation: "1234,5678", - k8s.ProxyIgnoreInboundPortsAnnotation: "4222,6222", - k8s.ProxyIgnoreOutboundPortsAnnotation: "8079,8080", - k8s.ProxyCPURequestAnnotation: "0.15", - k8s.ProxyMemoryRequestAnnotation: "120", - k8s.ProxyCPULimitAnnotation: "1.5", - k8s.ProxyMemoryLimitAnnotation: "256", - k8s.ProxyUIDAnnotation: "8500", - k8s.ProxyLogLevelAnnotation: "debug,linkerd=debug", - k8s.ProxyLogFormatAnnotation: "json", - k8s.ProxyEnableExternalProfilesAnnotation: "false", - k8s.ProxyVersionOverrideAnnotation: proxyVersionOverride, - k8s.ProxyWaitBeforeExitSecondsAnnotation: "123", - k8s.ProxyOutboundConnectTimeout: "6000ms", - k8s.ProxyInboundConnectTimeout: "600ms", - k8s.ProxyOpaquePortsAnnotation: "4320-4325,3306", - k8s.ProxyAwait: "enabled", - k8s.ProxyAccessLogAnnotation: "apache", - k8s.ProxyInjectAnnotation: "ingress", - k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50s", - k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6000ms", + k8s.ProxyImageAnnotation: "cr.l5d.io/linkerd/proxy", + k8s.ProxyImagePullPolicyAnnotation: pullPolicy, + k8s.ProxyInitImageAnnotation: "cr.l5d.io/linkerd/proxy-init", + k8s.ProxyControlPortAnnotation: "4000", + k8s.ProxyInboundPortAnnotation: "5000", + k8s.ProxyAdminPortAnnotation: "5001", + k8s.ProxyOutboundPortAnnotation: "5002", + k8s.ProxyPodInboundPortsAnnotation: "1234,5678", + k8s.ProxyIgnoreInboundPortsAnnotation: "4222,6222", + k8s.ProxyIgnoreOutboundPortsAnnotation: "8079,8080", + k8s.ProxyCPURequestAnnotation: "0.15", + 
k8s.ProxyMemoryRequestAnnotation: "120", + k8s.ProxyCPULimitAnnotation: "1.5", + k8s.ProxyMemoryLimitAnnotation: "256", + k8s.ProxyUIDAnnotation: "8500", + k8s.ProxyLogLevelAnnotation: "debug,linkerd=debug", + k8s.ProxyLogFormatAnnotation: "json", + k8s.ProxyEnableExternalProfilesAnnotation: "false", + k8s.ProxyVersionOverrideAnnotation: proxyVersionOverride, + k8s.ProxyWaitBeforeExitSecondsAnnotation: "123", + k8s.ProxyOutboundConnectTimeout: "6000ms", + k8s.ProxyInboundConnectTimeout: "600ms", + k8s.ProxyOpaquePortsAnnotation: "4320-4325,3306", + k8s.ProxyAwait: "enabled", + k8s.ProxyAccessLogAnnotation: "apache", + k8s.ProxyInjectAnnotation: "ingress", + k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50s", + k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6000ms", + k8s.ProxyDisableOutboundProtocolDetectTimeout: "true", + k8s.ProxyDisableInboundProtocolDetectTimeout: "false", }, spec: appsv1.DeploymentSpec{ Template: corev1.PodTemplateSpec{ @@ -213,15 +219,19 @@ func TestGetOverriddenValues(t *testing.T) { values.Proxy.IsIngress = true values.Proxy.OutboundDiscoveryCacheUnusedTimeout = "50s" values.Proxy.InboundDiscoveryCacheUnusedTimeout = "6s" + values.Proxy.DisableOutboundProtocolDetectTimeout = true + values.Proxy.DisableInboundProtocolDetectTimeout = false return values }, }, {id: "use invalid duration for proxy timeouts", nsAnnotations: map[string]string{ - k8s.ProxyOutboundConnectTimeout: "6000", - k8s.ProxyInboundConnectTimeout: "600", - k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50", - k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "5000", + k8s.ProxyOutboundConnectTimeout: "6000", + k8s.ProxyInboundConnectTimeout: "600", + k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50", + k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "5000", + k8s.ProxyDisableOutboundProtocolDetectTimeout: "9000", + k8s.ProxyDisableInboundProtocolDetectTimeout: "9", }, spec: appsv1.DeploymentSpec{ Template: corev1.PodTemplateSpec{ 
@@ -237,10 +247,12 @@ func TestGetOverriddenValues(t *testing.T) { {id: "use valid duration for proxy timeouts", nsAnnotations: map[string]string{ // Validate we're converting time values into ms for the proxy to parse correctly. - k8s.ProxyOutboundConnectTimeout: "6s5ms", - k8s.ProxyInboundConnectTimeout: "2s5ms", - k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "6s5000ms", - k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6s5000ms", + k8s.ProxyOutboundConnectTimeout: "6s5ms", + k8s.ProxyInboundConnectTimeout: "2s5ms", + k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "6s5000ms", + k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6s5000ms", + k8s.ProxyDisableOutboundProtocolDetectTimeout: "false", + k8s.ProxyDisableInboundProtocolDetectTimeout: "true", }, spec: appsv1.DeploymentSpec{ Template: corev1.PodTemplateSpec{ @@ -254,6 +266,8 @@ func TestGetOverriddenValues(t *testing.T) { values.Proxy.InboundConnectTimeout = "2005ms" values.Proxy.OutboundDiscoveryCacheUnusedTimeout = "11s" values.Proxy.InboundDiscoveryCacheUnusedTimeout = "11s" + values.Proxy.DisableOutboundProtocolDetectTimeout = false + values.Proxy.DisableInboundProtocolDetectTimeout = true return values }, }, diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go index 64c62b0132460..512894145ace3 100644 --- a/pkg/k8s/labels.go +++ b/pkg/k8s/labels.go 
@@ -238,6 +238,16 @@ const ( // that will evict unused inbound discovery results ProxyInboundDiscoveryCacheUnusedTimeout = ProxyConfigAnnotationsPrefix + "/proxy-inbound-discovery-cache-unused-timeout" + // ProxyDisableOutboundProtocolDetectTimeout can be used to disable protocol + // detection timeouts for outbound connections by setting them to a very + // high value. + ProxyDisableOutboundProtocolDetectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-outbound-protocol-detect-timeout" + + // ProxyDisableInboundProtocolDetectTimeout can be used to disable protocol + // detection timeouts for inbound connections by setting them to a very + // high value. + ProxyDisableInboundProtocolDetectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-inbound-protocol-detect-timeout" + // ProxyEnableGatewayAnnotation can be used to configure the proxy // to operate as a gateway, routing requests that target the inbound router. ProxyEnableGatewayAnnotation = ProxyConfigAnnotationsPrefix + "/enable-gateway"
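Review bot: The annotation keys `/proxy-outbound-protocol-detect-timeout` and `/proxy-inbound-protocol-detect-timeout` read like duration settings, yet the injector parses them with `strconv.ParseBool` and the Go constants are named `ProxyDisable…`. Someone who sets `30s` here, as the commit description's "configure their timeout values" suggests, would get only a warning in the injector log and keep the default timeout. Before this ships, consider keys that carry the flag semantics, e.g. `ProxyConfigAnnotationsPrefix + "/proxy-disable-outbound-protocol-detect-timeout"` and its inbound counterpart. Failing that, the doc comments should at least state `// The value must be a boolean ("true"/"false"), not a duration.` The surrounding `const (` block continues outside the hunk.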