From ef8116050db05e4f2174affc38b46df5d6540089 Mon Sep 17 00:00:00 2001 From: Matei David Date: Thu, 2 Nov 2023 14:03:50 +0000 Subject: [PATCH] Introduce configurable values for protocol detection (#11536) This change allows users to configure protocol detection timeout values (outbound and inbound). Certain environments may find that protocol detection inhibits debugging and makes it harder to reason about a client's behaviour. In such cases (and not only) it may be desirable to change the default protocol detection timeout to a higher value than the default 10s. Through this change, users may configure their timeout values either with install-time settings or through annotations; this follows our usual proxy configuration model. The proxy uses different timeout values for the inbound and outbound stacks (even though they use the same default value) and this change respects that by adding two separate fields.
Signed-off-by: Matei David --- charts/linkerd-control-plane/README.md | 2 + charts/linkerd-control-plane/values.yaml | 6 ++ charts/partials/templates/_proxy.tpl | 8 ++ cli/cmd/doc.go | 8 ++ ...install_controlplane_tracing_output.golden | 2 + cli/cmd/testdata/install_custom_domain.golden | 2 + .../testdata/install_custom_registry.golden | 2 + cli/cmd/testdata/install_default.golden | 2 + ...stall_default_override_dst_get_nets.golden | 2 + cli/cmd/testdata/install_default_token.golden | 2 + cli/cmd/testdata/install_ha_output.golden | 2 + .../install_ha_with_overrides_output.golden | 2 + .../install_heartbeat_disabled_output.golden | 2 + .../install_helm_control_plane_output.golden | 2 + ...nstall_helm_control_plane_output_ha.golden | 2 + .../install_helm_output_ha_labels.golden | 2 + ...l_helm_output_ha_namespace_selector.golden | 2 + .../testdata/install_no_init_container.golden | 2 + cli/cmd/testdata/install_output.golden | 2 + cli/cmd/testdata/install_proxy_ignores.golden | 2 + cli/cmd/testdata/install_values_file.golden | 2 + pkg/charts/linkerd2/values.go | 48 ++++++----- pkg/charts/linkerd2/values_test.go | 20 +++-- pkg/inject/inject.go | 20 +++++ pkg/inject/inject_test.go | 86 +++++++++++-------- pkg/k8s/labels.go | 10 +++ 26 files changed, 174 insertions(+), 68 deletions(-) diff --git a/charts/linkerd-control-plane/README.md b/charts/linkerd-control-plane/README.md index ca27549e34c40..394a16b2a2e3b 100644 --- a/charts/linkerd-control-plane/README.md +++ b/charts/linkerd-control-plane/README.md 
@@ -226,6 +226,8 @@ Kubernetes: `>=1.21.0-0` | proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready | | proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. | | proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny" | +| proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value | +| proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value | | proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services | | proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy | | proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container Docker image | diff --git a/charts/linkerd-control-plane/values.yaml b/charts/linkerd-control-plane/values.yaml index ee54757be5421..22e45c72fcb09 100644 --- a/charts/linkerd-control-plane/values.yaml +++ b/charts/linkerd-control-plane/values.yaml 
@@ -115,6 +115,12 @@ proxy: # -- Maximum time allowed before an unused inbound discovery result # is evicted from the cache inboundDiscoveryCacheUnusedTimeout: "90s" + # -- When set to true, disables the protocol detection timeout on the + # outbound side of the proxy by setting it to a very high value + disableOutboundProtocolDetectTimeout: false + # -- When set to true, disables the protocol detection timeout on the inbound + # side of the proxy by setting it to a very high value + disableInboundProtocolDetectTimeout: false image: # -- Docker image for the proxy name: cr.l5d.io/linkerd/proxy diff --git a/charts/partials/templates/_proxy.tpl b/charts/partials/templates/_proxy.tpl index 1f644894b9308..12aff10a9b1ac 100644 --- a/charts/partials/templates/_proxy.tpl +++ b/charts/partials/templates/_proxy.tpl @@ -57,6 +57,14 @@ env: - name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} {{ end -}} +{{ if .Values.proxy.DisableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.DisableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR value: 0.0.0.0:{{.Values.proxy.ports.control}} - name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR diff --git a/cli/cmd/doc.go b/cli/cmd/doc.go index 592a9e620c707..20867238085ea 100644 --- a/cli/cmd/doc.go +++ b/cli/cmd/doc.go 
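Review bot: The two comments added to values.yaml describe the effect as "a very high value" without naming the value or what it means for connections. The template in this same patch renders `365d`, so with a flag enabled a connection that never sends its first bytes is presumably held in protocol detection rather than falling back after the default 10s mentioned in the commit message; on the inbound side that is state a remote peer can keep open. I would say so in the comment, for example `# -- When true, sets the inbound protocol detection timeout to 365d; connections that send no data stay in detection, so enable only while debugging`, with the matching wording on the outbound key.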
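Review bot: Both conditionals added to `_proxy.tpl` read `.Values.proxy.DisableOutboundProtocolDetectTimeout` and `.Values.proxy.DisableInboundProtocolDetectTimeout` with a capital `D`, while the keys added to values.yaml and the JSON tags added in values.go are `disableOutboundProtocolDetectTimeout` and `disableInboundProtocolDetectTimeout`. Key lookup on the values map is case-sensitive, so as written these branches look like they never fire and neither `LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT` nor `LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT` is rendered even when the flag or annotation is true. The conditions should be `{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}}` and `{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}}`. The golden files touched in this patch only show the `false` default, so a golden rendered with one flag enabled would be needed to catch this.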
@@ -252,6 +252,14 @@ func generateAnnotationsDocs() []annotationDoc { Name: k8s.ProxyInboundDiscoveryCacheUnusedTimeout, Description: "Maximum time allowed before an unused inbound discovery result is evicted from the cache. Defaults to `90s`", }, + { + Name: k8s.ProxyDisableOutboundProtocolDetectTimeout, + Description: "When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value", + }, + { + Name: k8s.ProxyDisableInboundProtocolDetectTimeout, + Description: "When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value", + }, { Name: k8s.ProxyWaitBeforeExitSecondsAnnotation, Description: "The proxy sidecar will stay alive for at least the given period after receiving SIGTERM signal from Kubernetes but no longer than pod's `terminationGracePeriodSeconds`. Defaults to `0`", diff --git a/cli/cmd/testdata/install_controlplane_tracing_output.golden b/cli/cmd/testdata/install_controlplane_tracing_output.golden index c1b45513f35b6..e69b8b86e57b8 100644 --- a/cli/cmd/testdata/install_controlplane_tracing_output.golden +++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden @@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_custom_domain.golden b/cli/cmd/testdata/install_custom_domain.golden index 25f44246e8308..3cc34ae918fa0 100644 --- a/cli/cmd/testdata/install_custom_domain.golden +++ b/cli/cmd/testdata/install_custom_domain.golden @@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy 
diff --git a/cli/cmd/testdata/install_custom_registry.golden b/cli/cmd/testdata/install_custom_registry.golden index 0bae6565accfd..d484db327ef5e 100644 --- a/cli/cmd/testdata/install_custom_registry.golden +++ b/cli/cmd/testdata/install_custom_registry.golden @@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: my.custom.registry/linkerd-io/proxy diff --git a/cli/cmd/testdata/install_default.golden b/cli/cmd/testdata/install_default.golden index 25f44246e8308..3cc34ae918fa0 100644 --- a/cli/cmd/testdata/install_default.golden +++ b/cli/cmd/testdata/install_default.golden @@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_default_override_dst_get_nets.golden b/cli/cmd/testdata/install_default_override_dst_get_nets.golden index 13424ec771fa6..cdc1871d51c27 100644 --- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden +++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden @@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_default_token.golden b/cli/cmd/testdata/install_default_token.golden index 3cec6f269700d..ad8cc19469500 100644 --- a/cli/cmd/testdata/install_default_token.golden +++ b/cli/cmd/testdata/install_default_token.golden 
@@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_ha_output.golden b/cli/cmd/testdata/install_ha_output.golden index 69ff8e81a44aa..994f6cd962e0d 100644 --- a/cli/cmd/testdata/install_ha_output.golden +++ b/cli/cmd/testdata/install_ha_output.golden @@ -643,6 +643,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_ha_with_overrides_output.golden b/cli/cmd/testdata/install_ha_with_overrides_output.golden index 10a344b2847ab..e7f7c49a5b537 100644 --- a/cli/cmd/testdata/install_ha_with_overrides_output.golden +++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden @@ -643,6 +643,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_heartbeat_disabled_output.golden b/cli/cmd/testdata/install_heartbeat_disabled_output.golden index 769754dc0c3ee..66681bbb42c15 100644 --- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden +++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden @@ -547,6 +547,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy 
diff --git a/cli/cmd/testdata/install_helm_control_plane_output.golden b/cli/cmd/testdata/install_helm_control_plane_output.golden index b440c9741803a..72f09cc1ca7fa 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output.golden @@ -593,6 +593,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden index 2cd6a3cc30a35..e9da71ef18c8d 100644 --- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden +++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden @@ -620,6 +620,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_helm_output_ha_labels.golden b/cli/cmd/testdata/install_helm_output_ha_labels.golden index 9acc79073a3e9..65effe6d64c37 100644 --- a/cli/cmd/testdata/install_helm_output_ha_labels.golden +++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden @@ -624,6 +624,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden index e65be022cb6de..fc44316726c7c 100644 --- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden 
+++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden @@ -615,6 +615,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_no_init_container.golden b/cli/cmd/testdata/install_no_init_container.golden index 7d3c8d811e4b9..32d33d64161d7 100644 --- a/cli/cmd/testdata/install_no_init_container.golden +++ b/cli/cmd/testdata/install_no_init_container.golden @@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_output.golden b/cli/cmd/testdata/install_output.golden index b14675bee51ae..66cd3aaa4ae3e 100644 --- a/cli/cmd/testdata/install_output.golden +++ b/cli/cmd/testdata/install_output.golden @@ -596,6 +596,8 @@ data: await: true capabilities: null defaultInboundPolicy: default-allow-policy + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: ProxyImageName diff --git a/cli/cmd/testdata/install_proxy_ignores.golden b/cli/cmd/testdata/install_proxy_ignores.golden index e486aa5b3b43b..4490e3e62d2e1 100644 --- a/cli/cmd/testdata/install_proxy_ignores.golden +++ b/cli/cmd/testdata/install_proxy_ignores.golden @@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/cli/cmd/testdata/install_values_file.golden b/cli/cmd/testdata/install_values_file.golden index 0717eb8e646d4..6e021021ac30f 100644 
--- a/cli/cmd/testdata/install_values_file.golden +++ b/cli/cmd/testdata/install_values_file.golden @@ -616,6 +616,8 @@ data: await: true capabilities: null defaultInboundPolicy: all-unauthenticated + disableInboundProtocolDetectTimeout: false + disableOutboundProtocolDetectTimeout: false enableExternalProfiles: false image: name: cr.l5d.io/linkerd/proxy diff --git a/pkg/charts/linkerd2/values.go b/pkg/charts/linkerd2/values.go index a219ce29e88f0..791318a45a61b 100644 --- a/pkg/charts/linkerd2/values.go +++ b/pkg/charts/linkerd2/values.go 
@@ -94,29 +94,31 @@ type ( Proxy struct { Capabilities *Capabilities `json:"capabilities"` // This should match .Resources.CPU.Limit, but must be a whole number - Cores int64 `json:"cores,omitempty"` - EnableExternalProfiles bool `json:"enableExternalProfiles"` - Image *Image `json:"image"` - LogLevel string `json:"logLevel"` - LogFormat string `json:"logFormat"` - SAMountPath *VolumeMountPath `json:"saMountPath"` - Ports *Ports `json:"ports"` - Resources *Resources `json:"resources"` - UID int64 `json:"uid"` - WaitBeforeExitSeconds uint64 `json:"waitBeforeExitSeconds"` - IsGateway bool `json:"isGateway"` - IsIngress bool `json:"isIngress"` - RequireIdentityOnInboundPorts string `json:"requireIdentityOnInboundPorts"` - OutboundConnectTimeout string `json:"outboundConnectTimeout"` - InboundConnectTimeout string `json:"inboundConnectTimeout"` - OutboundDiscoveryCacheUnusedTimeout string `json:"outboundDiscoveryCacheUnusedTimeout"` - InboundDiscoveryCacheUnusedTimeout string `json:"inboundDiscoveryCacheUnusedTimeout"` - PodInboundPorts string `json:"podInboundPorts"` - OpaquePorts string `json:"opaquePorts"` - Await bool `json:"await"` - DefaultInboundPolicy string `json:"defaultInboundPolicy"` - AccessLog string `json:"accessLog"` - ShutdownGracePeriod string `json:"shutdownGracePeriod"` + Cores int64 `json:"cores,omitempty"` + EnableExternalProfiles bool `json:"enableExternalProfiles"` + Image *Image `json:"image"` + LogLevel string `json:"logLevel"` + LogFormat string `json:"logFormat"` + SAMountPath *VolumeMountPath `json:"saMountPath"` + Ports *Ports `json:"ports"` + Resources *Resources `json:"resources"` + UID int64 `json:"uid"` + WaitBeforeExitSeconds uint64 `json:"waitBeforeExitSeconds"` + IsGateway bool `json:"isGateway"` + IsIngress bool `json:"isIngress"` + RequireIdentityOnInboundPorts string `json:"requireIdentityOnInboundPorts"` + OutboundConnectTimeout string `json:"outboundConnectTimeout"` + InboundConnectTimeout string `json:"inboundConnectTimeout"` 
+ OutboundDiscoveryCacheUnusedTimeout string `json:"outboundDiscoveryCacheUnusedTimeout"` + InboundDiscoveryCacheUnusedTimeout string `json:"inboundDiscoveryCacheUnusedTimeout"` + DisableOutboundProtocolDetectTimeout bool `json:"disableOutboundProtocolDetectTimeout"` + DisableInboundProtocolDetectTimeout bool `json:"disableInboundProtocolDetectTimeout"` + PodInboundPorts string `json:"podInboundPorts"` + OpaquePorts string `json:"opaquePorts"` + Await bool `json:"await"` + DefaultInboundPolicy string `json:"defaultInboundPolicy"` + AccessLog string `json:"accessLog"` + ShutdownGracePeriod string `json:"shutdownGracePeriod"` } // ProxyInit contains the fields to set the proxy-init container diff --git a/pkg/charts/linkerd2/values_test.go b/pkg/charts/linkerd2/values_test.go index 10d05f37dbce4..eb16ac515bce2 100644 --- a/pkg/charts/linkerd2/values_test.go +++ b/pkg/charts/linkerd2/values_test.go @@ -123,15 +123,17 @@ func TestNewValues(t *testing.T) { Request: "", }, }, - UID: 2102, - WaitBeforeExitSeconds: 0, - OutboundConnectTimeout: "1000ms", - InboundConnectTimeout: "100ms", - OpaquePorts: "25,587,3306,4444,5432,6379,9300,11211", - Await: true, - DefaultInboundPolicy: "all-unauthenticated", - OutboundDiscoveryCacheUnusedTimeout: "5s", - InboundDiscoveryCacheUnusedTimeout: "90s", + UID: 2102, + WaitBeforeExitSeconds: 0, + OutboundConnectTimeout: "1000ms", + InboundConnectTimeout: "100ms", + OpaquePorts: "25,587,3306,4444,5432,6379,9300,11211", + Await: true, + DefaultInboundPolicy: "all-unauthenticated", + OutboundDiscoveryCacheUnusedTimeout: "5s", + InboundDiscoveryCacheUnusedTimeout: "90s", + DisableOutboundProtocolDetectTimeout: false, + DisableInboundProtocolDetectTimeout: false, }, ProxyInit: &ProxyInit{ IptablesMode: "legacy", diff --git a/pkg/inject/inject.go b/pkg/inject/inject.go index edf7f54616904..31bc0ef2dd12c 100644 --- a/pkg/inject/inject.go +++ b/pkg/inject/inject.go 
@@ -75,6 +75,8 @@ var ( k8s.ProxyShutdownGracePeriodAnnotation, k8s.ProxyOutboundDiscoveryCacheUnusedTimeout, k8s.ProxyInboundDiscoveryCacheUnusedTimeout, + k8s.ProxyDisableOutboundProtocolDetectTimeout, + k8s.ProxyDisableInboundProtocolDetectTimeout, } // ProxyAlphaConfigAnnotations is the list of all alpha configuration // (config.alpha prefix) that can be applied to a pod or namespace. @@ -954,6 +956,24 @@ func (conf *ResourceConfig) applyAnnotationOverrides(values *l5dcharts.Values) { } } + if override, ok := annotations[k8s.ProxyDisableOutboundProtocolDetectTimeout]; ok { + value, err := strconv.ParseBool(override) + if err == nil { + values.Proxy.DisableOutboundProtocolDetectTimeout = value + } else { + log.Warnf("unrecognised value used on pod annotation %s: %s", k8s.ProxyDisableOutboundProtocolDetectTimeout, err.Error()) + } + } + + if override, ok := annotations[k8s.ProxyDisableInboundProtocolDetectTimeout]; ok { + value, err := strconv.ParseBool(override) + if err == nil { + values.Proxy.DisableInboundProtocolDetectTimeout = value + } else { + log.Warnf("unrecognised value used on pod annotation %s: %s", k8s.ProxyDisableInboundProtocolDetectTimeout, err.Error()) + } + } + if override, ok := annotations[k8s.ProxyShutdownGracePeriodAnnotation]; ok { duration, err := time.ParseDuration(override) if err != nil { diff --git a/pkg/inject/inject_test.go b/pkg/inject/inject_test.go index 3f8599c07ff79..41177b8f53b98 100644 --- a/pkg/inject/inject_test.go +++ b/pkg/inject/inject_test.go @@ -72,6 +72,8 @@ func TestGetOverriddenValues(t *testing.T) { k8s.ProxyShutdownGracePeriodAnnotation: "30s", k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50000ms", k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "900s", + k8s.ProxyDisableOutboundProtocolDetectTimeout: "true", + k8s.ProxyDisableInboundProtocolDetectTimeout: "true", }, }, Spec: corev1.PodSpec{}, 
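Review bot: The warning added in both new blocks of `applyAnnotationOverrides` says "pod annotation", yet the test cases in this patch pass the same keys through `nsAnnotations` and expect them to take effect, so the message can point an operator at the wrong object. I would drop the word, `log.Warnf("unrecognised value used on annotation %s: %s", k8s.ProxyDisableOutboundProtocolDetectTimeout, err.Error())`, and likewise in the inbound block. The two blocks differ only in the annotation key and the target field, so a small helper taking the key and a `*bool` would keep them from drifting apart. The function starts and continues outside the hunk, so the surrounding messages may already use the same wording.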
@@ -122,6 +124,8 @@ func TestGetOverriddenValues(t *testing.T) {
 values.Proxy.ShutdownGracePeriod = "30000ms"
 values.Proxy.OutboundDiscoveryCacheUnusedTimeout = "50s"
 values.Proxy.InboundDiscoveryCacheUnusedTimeout = "900s"
+ values.Proxy.DisableOutboundProtocolDetectTimeout = true
+ values.Proxy.DisableInboundProtocolDetectTimeout = true
 return values
 },
 },
@@ -140,34 +144,36 @@ func TestGetOverriddenValues(t *testing.T) { }, {id: "use namespace overrides", nsAnnotations: map[string]string{ - k8s.ProxyImageAnnotation: "cr.l5d.io/linkerd/proxy", - k8s.ProxyImagePullPolicyAnnotation: pullPolicy, - k8s.ProxyInitImageAnnotation: "cr.l5d.io/linkerd/proxy-init", - k8s.ProxyControlPortAnnotation: "4000", - k8s.ProxyInboundPortAnnotation: "5000", - k8s.ProxyAdminPortAnnotation: "5001", - k8s.ProxyOutboundPortAnnotation: "5002", - k8s.ProxyPodInboundPortsAnnotation: "1234,5678", - k8s.ProxyIgnoreInboundPortsAnnotation: "4222,6222", - k8s.ProxyIgnoreOutboundPortsAnnotation: "8079,8080", - k8s.ProxyCPURequestAnnotation: "0.15", - k8s.ProxyMemoryRequestAnnotation: "120", - k8s.ProxyCPULimitAnnotation: "1.5", - k8s.ProxyMemoryLimitAnnotation: "256", - k8s.ProxyUIDAnnotation: "8500", - k8s.ProxyLogLevelAnnotation: "debug,linkerd=debug", - k8s.ProxyLogFormatAnnotation: "json", - k8s.ProxyEnableExternalProfilesAnnotation: "false", - k8s.ProxyVersionOverrideAnnotation: proxyVersionOverride, - k8s.ProxyWaitBeforeExitSecondsAnnotation: "123", - k8s.ProxyOutboundConnectTimeout: "6000ms", - k8s.ProxyInboundConnectTimeout: "600ms", - k8s.ProxyOpaquePortsAnnotation: "4320-4325,3306", - k8s.ProxyAwait: "enabled", - k8s.ProxyAccessLogAnnotation: "apache", - k8s.ProxyInjectAnnotation: "ingress", - k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50s", - k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6000ms", + k8s.ProxyImageAnnotation: "cr.l5d.io/linkerd/proxy", + k8s.ProxyImagePullPolicyAnnotation: pullPolicy, + k8s.ProxyInitImageAnnotation: "cr.l5d.io/linkerd/proxy-init", + k8s.ProxyControlPortAnnotation: "4000", + k8s.ProxyInboundPortAnnotation: "5000", + k8s.ProxyAdminPortAnnotation: "5001", + k8s.ProxyOutboundPortAnnotation: "5002", + k8s.ProxyPodInboundPortsAnnotation: "1234,5678", + k8s.ProxyIgnoreInboundPortsAnnotation: "4222,6222", + k8s.ProxyIgnoreOutboundPortsAnnotation: "8079,8080", + k8s.ProxyCPURequestAnnotation: "0.15", + 
k8s.ProxyMemoryRequestAnnotation: "120", + k8s.ProxyCPULimitAnnotation: "1.5", + k8s.ProxyMemoryLimitAnnotation: "256", + k8s.ProxyUIDAnnotation: "8500", + k8s.ProxyLogLevelAnnotation: "debug,linkerd=debug", + k8s.ProxyLogFormatAnnotation: "json", + k8s.ProxyEnableExternalProfilesAnnotation: "false", + k8s.ProxyVersionOverrideAnnotation: proxyVersionOverride, + k8s.ProxyWaitBeforeExitSecondsAnnotation: "123", + k8s.ProxyOutboundConnectTimeout: "6000ms", + k8s.ProxyInboundConnectTimeout: "600ms", + k8s.ProxyOpaquePortsAnnotation: "4320-4325,3306", + k8s.ProxyAwait: "enabled", + k8s.ProxyAccessLogAnnotation: "apache", + k8s.ProxyInjectAnnotation: "ingress", + k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50s", + k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6000ms", + k8s.ProxyDisableOutboundProtocolDetectTimeout: "true", + k8s.ProxyDisableInboundProtocolDetectTimeout: "false", }, spec: appsv1.DeploymentSpec{ Template: corev1.PodTemplateSpec{ @@ -213,15 +219,19 @@ func TestGetOverriddenValues(t *testing.T) { values.Proxy.IsIngress = true values.Proxy.OutboundDiscoveryCacheUnusedTimeout = "50s" values.Proxy.InboundDiscoveryCacheUnusedTimeout = "6s" + values.Proxy.DisableOutboundProtocolDetectTimeout = true + values.Proxy.DisableInboundProtocolDetectTimeout = false return values }, }, {id: "use invalid duration for proxy timeouts", nsAnnotations: map[string]string{ - k8s.ProxyOutboundConnectTimeout: "6000", - k8s.ProxyInboundConnectTimeout: "600", - k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50", - k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "5000", + k8s.ProxyOutboundConnectTimeout: "6000", + k8s.ProxyInboundConnectTimeout: "600", + k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "50", + k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "5000", + k8s.ProxyDisableOutboundProtocolDetectTimeout: "9000", + k8s.ProxyDisableInboundProtocolDetectTimeout: "9", }, spec: appsv1.DeploymentSpec{ Template: corev1.PodTemplateSpec{ 
@@ -237,10 +247,12 @@ func TestGetOverriddenValues(t *testing.T) { {id: "use valid duration for proxy timeouts", nsAnnotations: map[string]string{ // Validate we're converting time values into ms for the proxy to parse correctly. - k8s.ProxyOutboundConnectTimeout: "6s5ms", - k8s.ProxyInboundConnectTimeout: "2s5ms", - k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "6s5000ms", - k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6s5000ms", + k8s.ProxyOutboundConnectTimeout: "6s5ms", + k8s.ProxyInboundConnectTimeout: "2s5ms", + k8s.ProxyOutboundDiscoveryCacheUnusedTimeout: "6s5000ms", + k8s.ProxyInboundDiscoveryCacheUnusedTimeout: "6s5000ms", + k8s.ProxyDisableOutboundProtocolDetectTimeout: "false", + k8s.ProxyDisableInboundProtocolDetectTimeout: "true", }, spec: appsv1.DeploymentSpec{ Template: corev1.PodTemplateSpec{ @@ -254,6 +266,8 @@ func TestGetOverriddenValues(t *testing.T) { values.Proxy.InboundConnectTimeout = "2005ms" values.Proxy.OutboundDiscoveryCacheUnusedTimeout = "11s" values.Proxy.InboundDiscoveryCacheUnusedTimeout = "11s" + values.Proxy.DisableOutboundProtocolDetectTimeout = false + values.Proxy.DisableInboundProtocolDetectTimeout = true return values }, }, diff --git a/pkg/k8s/labels.go b/pkg/k8s/labels.go index 64c62b0132460..512894145ace3 100644 --- a/pkg/k8s/labels.go +++ b/pkg/k8s/labels.go 
@@ -238,6 +238,16 @@ const ( // that will evict unused inbound discovery results ProxyInboundDiscoveryCacheUnusedTimeout = ProxyConfigAnnotationsPrefix + "/proxy-inbound-discovery-cache-unused-timeout" + // ProxyDisableOutboundProtocolDetectTimeout can be used to disable protocol + // detection timeouts for outbound connections by setting them to a very + // high value. + ProxyDisableOutboundProtocolDetectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-outbound-protocol-detect-timeout" + + // ProxyDisableInboundProtocolDetectTimeout can be used to disable protocol + // detection timeouts for inbound connections by setting them to a very + // high value. + ProxyDisableInboundProtocolDetectTimeout = ProxyConfigAnnotationsPrefix + "/proxy-inbound-protocol-detect-timeout" + // ProxyEnableGatewayAnnotation can be used to configure the proxy // to operate as a gateway, routing requests that target the inbound router. ProxyEnableGatewayAnnotation = ProxyConfigAnnotationsPrefix + "/enable-gateway"
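Review bot: The annotation keys behind the two new constants, `/proxy-outbound-protocol-detect-timeout` and `/proxy-inbound-protocol-detect-timeout`, leave out the word "disable" although the constants and chart values are named `Disable…` and the parser added in inject.go accepts only booleans. A user will reasonably read the key as taking a duration (the commit message itself speaks of configuring timeout values), and per the inject.go hunk such a value is only logged as a warning and not applied. Either rename the keys, e.g. `ProxyConfigAnnotationsPrefix + "/proxy-disable-outbound-protocol-detect-timeout"`, or state in the doc comments that the value must be `true` or `false`. The const block starts and ends outside the hunk.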