Linkerd 2.10 (Step by Step)—Ingress Traffic

Linkerd 2.10 (Step by Step)—Ingress Traffic

[[406692]]

The Linkerd 2.10 Chinese manual is being continuously revised and updated:

  • https://linkerd.hacker-linner.com

As of Linkerd version 2.9, there are two ways to run a Linkerd proxy with your Ingress Controller.

Default Mode

When an ingress controller injects the linkerd.io/inject: enabled annotation, the Linkerd proxy will obey the load balancing decisions made by the ingress controller, rather than applying its own EWMA load balancing. This also means that the Linkerd proxy will not use Service Profiles for this traffic, and thus will not expose per-route metrics or do traffic splitting.

If your Ingress controller injects no additional Ingress-specific configuration, the Linkerd proxy will run in default mode.

Proxy Ingress Mode

If you need Linkerd features like Service Profiles, Traffic Splits, etc., additional configuration is required to enable the Ingress controller's Linkerd proxy to run in ingress mode. This causes Linkerd to route requests based on their :authority, Host, or l5d-dst-override headers instead of the original destination, which allows Linkerd to do its own load balancing and use Service Profiles to expose per-route metrics and enable traffic splitting.

You can enable the proxy of the Ingress controller deployment to run in ingress mode by adding the following annotation linkerd.io/inject: ingress to the Pod Spec of the Ingress Controller.

The same can be done by using the --ingress flag in the injection command. 

  1.  kubectl get deployment <ingress-controller> -n <ingress-namespace> -o yaml | linkerd inject --ingress - | kubectl apply -f -  

This can be verified by checking that the Ingress controller's pod has the relevant annotation set.

  1.  kubectl describe pod/<ingress-pod> | grep "linkerd.io/inject: ingress"  

For ingress, most controllers do not rewrite incoming headers (example.com) to internal service names (example.default.svc.cluster.local) by default. In this case, when Linkerd receives an outgoing request, it thinks the request is destined for example.com instead of example.default.svc.cluster.local. This can create a very frustrating infinite loop!

Fortunately, many ingress controllers allow you to modify the Host header or add custom headers to outgoing requests. Here are some descriptions of common ingress controllers:

  • Nginx
  • Traefik
  • GCE
  • Ambassador
  • Gloo
  • Contour
  • Kong

If your ingress controller is terminating HTTPS, Linkerd will only provide TCP statistics for incoming requests, since all traffic the proxy sees is encrypted. It will provide full statistics for outgoing requests from the controller to the backend services, since that's plaintext from the controller to Linkerd.

If requests experience 2-3 seconds of latency after being injected into your ingress controller, this may be because the type: LoadBalancer service is hiding the client source IP. You can resolve this issue by setting externalTrafficPolicy: Local in the ingress service definition.

While the Kubernetes Ingress API definition allows the backend's servicePort to be a string value, Linkerd can only use numeric servicePort values. If a string value is encountered, Linkerd will default to using port 80.

Nginx

Here we take emojivoto as an example

An example ingress definition is:

  1.  apiVersion: extensions/v1beta1
  2.  kind: Ingress
  3.  metadata:
  4.  name : web-ingress
  5.  namespace: emojivoto
  6.  annotations:
  7.     kubernetes.io/ingress.class: "nginx"  
  8.     nginx.ingress.kubernetes.io/configuration-snippet: |
  9.       proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster. local :$service_port;
  10.       grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster. local :$service_port; 
  11.  
  12.  spec:
  13.  rules:
  14.  - host: example.com
  15.  http:
  16.  paths:
  17.  - backend:
  18.           serviceName: web-svc
  19.  servicePort: 80

The important annotations here are:

  1.  nginx.ingress.kubernetes.io/configuration-snippet: |
  2.     proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster. local :$service_port;
  3.     grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster. local :$service_port;

If you are using auth-url, you will also need to add the following snippet.

  1.  nginx.ingress.kubernetes.io/auth-snippet: |
  2.    proxy_set_header l5d-dst-override authn- name .authn-namespace.svc.cluster. local :authn-port;
  3.    grpc_set_header l5d-dst-override authn- name .authn-namespace.svc.cluster. local :authn-port;

This example combines two directives that NGINX uses to proxy HTTP and gRPC traffic. In practice, depending on the protocol used by the service, only the proxy_set_header or grpc_set_header directive needs to be set, but NGINX will ignore any directives that are not required.

This example ingress definition uses a single ingress for an application with multiple endpoints that use different ports.

  1.  apiVersion: extensions/v1beta1
  2.  kind: Ingress
  3.  metadata:
  4.  name : web-ingress
  5.  namespace: emojivoto
  6.  annotations:
  7.     kubernetes.io/ingress.class: "nginx"  
  8.     nginx.ingress.kubernetes.io/configuration-snippet: |
  9.       proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster. local :$service_port;
  10.       grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster. local :$service_port;
  11.  spec:
  12.  rules:
  13.  - host: example.com
  14.  http:
  15.  paths:
  16.  - path: /
  17.  backend:
  18.           serviceName: web-svc
  19.  servicePort: 80
  20.       - path: /another-endpoint
  21.  backend:
  22.           serviceName: another-svc
  23.  servicePort: 8080

Nginx will add a l5d-dst-override header to instruct Linkerd what service the request is destined for. You need to include both the Kubernetes service FQDN (web-svc.emojivoto.svc.cluster.local) and the target servicePort.

To test this, you need to get the external IP address of the controller. If you installed nginx-ingress via helm, you can get that IP address by running:

  1.  kubectl get svc --all-namespaces \  
  2.   -l app=nginx-ingress,component=controller \
  3.   -o=custom-columns=EXTERNAL-IP:.status.loadBalancer.ingress[0].ip

You can then use this IP via curl:

  1.  curl -H "Host: example.com" http://external-ip

If you are using the default backend, you will need to create an ingress definition for that backend to ensure the l5d-dst-override header is set. For example:

  1.  apiVersion: extensions/v1beta1
  2.  kind: Ingress
  3.  metadata:
  4.  name : default -ingress
  5.  namespace: backends
  6.  annotations:
  7.     kubernetes.io/ingress.class: "nginx"  
  8.     nginx.ingress.kubernetes.io/configuration-snippet: |
  9.       proxy_set_header l5d-dst-override $service_name.$namespace.svc.cluster. local :$service_port;
  10.       grpc_set_header l5d-dst-override $service_name.$namespace.svc.cluster. local :$service_port;
  11.  spec:
  12.  backend:
  13.     serviceName: default -backend
  14.  servicePort: 80

Traefik

Here we take emojivoto as an example. See getting started to review how to install it.

The simplest way to use Traefik as a Linkerd ingress is to configure the Kubernetes Ingress resource using ingress.kubernetes.io/custom-request-headers as follows:

  1.  apiVersion: extensions/v1beta1
  2.  kind: Ingress
  3.  metadata:
  4.  name : web-ingress
  5.  namespace: emojivoto
  6.  annotations:
  7.     kubernetes.io/ingress.class: "traefik"  
  8.     ingress.kubernetes.io/custom-request-headers: l5d-dst-override:web-svc.emojivoto.svc.cluster. local :80
  9.  spec:
  10.  rules:
  11.  - host: example.com
  12.  http:
  13.  paths:
  14.  - backend:
  15.           serviceName: web-svc
  16.  servicePort: 80

The important annotations here are:

  1.  ingress.kubernetes.io/custom-request-headers: l5d-dst-override:web-svc.emojivoto.svc.cluster. local :80

Traefik will add a l5d-dst-override header to instruct Linkerd what service the request is destined for. You need to include both the Kubernetes service FQDN (web-svc.emojivoto.svc.cluster.local) and the target servicePort. For more information, see the Traefik website.

To test this, you need to get the external IP address of the controller. If you installed Traefik via helm, you can get that IP address by running:

  1.  kubectl get svc --all-namespaces \  
  2.  -l app=traefik \
  3.   -o= 'custom-columns=EXTERNAL-IP:.status.loadBalancer.ingress[0].ip'  

You can then use this IP via curl:

  1.  curl -H "Host: example.com" http://external-ip

This solution won't work if you're using Traefik's service weights, since Linkerd will always send requests to the service name in l5d-dst-override. A workaround is to use traefik.frontend.passHostHeader: "false" instead. Note that if you're using TLS, the connection between Traefik and the backend service will not be encrypted. There is an open issue tracking a solution to this issue.

Traefik 2.x

Traefik 2.x added support for path-based request routing through a Custom Resource Definition (CRD) called IngressRoute.

If you choose to use IngressRoute instead of the default Kubernetes Ingress resource, you will also need to use Traefik's Middleware Custom Resource Definition to add the l5d-dst-override header.

The following YAML produces the same results for the emojivoto application using the Traefik CRD as described above.

  1.  apiVersion: traefik.containo.us/v1alpha1
  2.  kind: Middleware
  3.  metadata:
  4.  name : l5d-header-middleware
  5.  namespace: traefik
  6.  spec:
  7.  headers:
  8.  customRequestHeaders:
  9.       l5d-dst-override: "web-svc.emojivoto.svc.cluster.local:80"  
  10.  ---  
  11.  apiVersion: traefik.containo.us/v1alpha1
  12.  kind: IngressRoute
  13.  metadata:
  14.  annotations:
  15.     kubernetes.io/ingress.class: traefik
  16.  creationTimestamp: null  
  17.  name : emojivoto-web-ingress-route
  18.  namespace: emojivoto
  19.  spec:
  20.  entryPoints: []
  21.  routes:
  22.  - kind: Rule  
  23.  match: PathPrefix(`/`)
  24.  priority: 0
  25.  middlewares:
  26.     - name : l5d-header-middleware
  27.  services:
  28.  - kind: Service
  29.  name : web-svc
  30.  port: 80

GCE

This example is similar to Traefik and also uses emojivoto as an example. See getting started to review how to install it.

In addition to the custom headers found in the Traefik example, it also shows how to use a Google Cloud Static External IP Address and TLS with a Google-managed certificate.

An example ingress definition is:

  1.  apiVersion: extensions/v1beta1
  2.  kind: Ingress
  3.  metadata:
  4.  name : web-ingress
  5.  namespace: emojivoto
  6.  annotations:
  7.     kubernetes.io/ingress.class: "gce"  
  8.     ingress.kubernetes.io/custom-request-headers: "l5d-dst-override: web-svc.emojivoto.svc.cluster.local:80"  
  9.     ingress.gcp.kubernetes.io/pre-shared-cert: "managed-cert-name"  
  10.     kubernetes.io/ingress. global - static -ip- name : "static-ip-name"  
  11.  spec:
  12.  rules:
  13.  - host: example.com
  14.  http:
  15.  paths:
  16.  - backend:
  17.           serviceName: web-svc
  18.  servicePort: 80

To use this example definition, replace managed-cert-name and static-ip-name with the short names defined in your project (nb use the name of the IP address, not the address itself).

The managed certificate will take approximately 30-60 minutes to provision, but the status of the ingress should be healthy within a few minutes. After the managed certificate is provisioned, the ingress should be visible to the Internet.

Ambassador

Here we take emojivoto as an example. See getting started to review how to install it.

Ambassador does not use Ingress resources, but relies on Services. An example service definition is:

  1.  apiVersion: v1
  2.  kind: Service
  3.  metadata:
  4.  name : web-ambassador
  5.  namespace: emojivoto
  6.  annotations:
  7.     getambassador.io/config: |
  8.  ---  
  9.       apiVersion: ambassador/v1
  10.  kind: Mapping
  11.  name : web-ambassador-mapping
  12.       service: http://web-svc.emojivoto.svc.cluster. local :80
  13.  host: example.com
  14.  prefix: /
  15.       add_linkerd_headers: true  
  16.  spec:
  17.  selector:
  18.  app: web-svc
  19.  ports:
  20.  - name : http
  21.  port: 80
  22.  targetPort: http

The important annotations here are:

  1.  add_linkerd_headers: true  

Ambassador will add an l5d-dst-override header to indicate to Linkerd what service the request is for. This will contain the Kubernetes service FQDN (web-svc.emojivoto.svc.cluster.local) and the destination servicePort.

To make it global, add add_linkerd_headers to your Module config.

To test this, you need to get the external IP address of the controller. If you installed Ambassador via helm, you can get that IP address by running:

  1.  kubectl get svc --all-namespaces \  
  2.   -l "app.kubernetes.io/name=ambassador" \
  3.   -o= 'custom-columns=EXTERNAL-IP:.status.loadBalancer.ingress[0].ip'  

If you have installed the management interface, this will return two IPs, one of which is . Just ignore that and use the actual IP address.

You can then use this IP via curl:

  1.  curl -H "Host: example.com" http://external-ip

You can also find a more detailed guide on using Linkerd with Emissary Ingress (aka Ambassador) from the folks at Buoyant here.

Gloo

Here we take books as an example, check Demo: Books to learn how to run it.

If you installed Gloo using the Gateway method (gloo install gateway), then you will need a VirtualService to route traffic to your Books application.

To use Gloo with Linkerd, you can choose one of two options.

Automatic

Starting with Gloo v0.13.20, Gloo has native integration with Linkerd, so the required Linkerd headers are automatically added.

Assuming you installed gloo to the default location, you can enable native integration by running:

  1.  kubectl patch settings -n gloo-system default \
  2.   -p '{"spec":{"linkerd":true}}'   --type=merge  

Gloo now automatically adds the l5d-dst-override header to each kubernetes upstream.

Now we just need to add a route to the upstream books app:

  1.  glooctl add route --path-prefix=/ --dest-name booksapp-webapp-7000  

Manual

As mentioned at the beginning of this document, you need to instruct Gloo to add a header to allow Linkerd to identify where to send traffic.

  1.  apiVersion: gateway.solo.io/v1
  2.  kind: VirtualService
  3.  metadata:
  4.  name : books
  5.  namespace: gloo-system
  6.  spec:
  7.  virtualHost:
  8.  domains:
  9.  - '*'  
  10.  name : gloo-system.books
  11.  routes:
  12.  - matcher:
  13.  prefix: /
  14.  routeAction:
  15.  single:
  16.  upstream:
  17.  name : booksapp-webapp-7000
  18.             namespace: gloo-system
  19.  routePlugins:
  20.  transformations:
  21.           requestTransformation:
  22.             transformationTemplate:
  23.  headers:
  24.                 l5d-dst-override:
  25.                   text: webapp.booksapp.svc.cluster. local :7000
  26.                 passthrough: {}

The important annotations here are:

  1.  routePlugins:
  2.  transformations:
  3.  requestTransformation:
  4.        transformationTemplate:
  5.  headers:
  6.  l5d-dst-override:
  7.              text: webapp.booksapp.svc.cluster. local :7000
  8.  passthrough: {}

Using the built-in content transformation engine in Gloo, you can instruct it to add the required l5d-dst-override header, which in the example above points to the FDQN and port of the service: webapp.booksapp.svc.cluster.local:7000

Test

To easily test this, you can get the URL of the Gloo proxy by running:

  1.  glooctl proxy URL

This will return something like:

  1.  $ glooctl proxy url
  2.  http://192.168.99.132:30969

For the example VirtualService above, which listens on any domain and path, accessing the proxy URL (http://192.168.99.132:30969) in a browser should open the Books application.

Contour

Contour does not support automatic setting of the l5d-dst-override header. The following example uses Contour getting started to demonstrate how to manually set the required header:

First, inject Linkerd into your Contour installation:

  1.  linkerd inject https://projectcontour.io/quickstart/contour.yaml | kubectl apply -f -

Envoy does not automatically mount the service account token. To fix this, you need to set automountServiceAccountToken: true. You can choose to create a dedicated service account to avoid using the default.

  1.  # create a service account (optional)
  2.  kubectl apply -f - << EOF
  3.  apiVersion: v1
  4.  kind: ServiceAccount
  5.  metadata:
  6.  name : envoy
  7.  namespace: projectcontour
  8.  EOF 
  9.  
  10.  # add service account to envoy (optional)
  11.  kubectl patch daemonset envoy -n projectcontour --type json -p='[{"op": "add", "path": "/spec/template/spec/serviceAccount", "value": "envoy"}]'   
  12.  
  13.  # auto mount the service account token (required)
  14.  kubectl patch daemonset envoy -n projectcontour --type json -p='[{"op": "replace", "path": "/spec/template/spec/automountServiceAccountToken", "value": true}]'  

Verify that your Contour and Envoy installations have a running Linkerd sidecar.

Next we will deploy a demo service:

  1.  linkerd inject https://projectcontour.io/examples/kuard.yaml | kubectl apply -f -

To route external traffic to your service, you need to provide an HTTPProxy:

  1.  apiVersion: projectcontour.io/v1
  2.  kind: HTTPProxy
  3.  metadata:
  4.  name : kuard
  5.  namespace: default  
  6.  spec:
  7.  routes:
  8.  - requestHeadersPolicy:
  9.  set :
  10.       - name : l5d-dst-override
  11.         value: kuard. default .svc.cluster. local :80
  12.  services:
  13.  - name : kuard
  14.  namespace: default  
  15.  port: 80
  16.  virtualhost:
  17.  fqdn: 127.0.0.1.xip.io

Note that the l5d-dst-override header is explicitly set to the destination service.

Finally, you can test your working service mesh:

  1.  kubectl port- forward svc/envoy -n projectcontour 3200:80
  2.  http://127.0.0.1.xip.io:3200

If you use Contour with flagger, the l5d-dst-override request header will be set automatically.

Kong

Kong does not automatically support the header l5d-dst-override. This document will use the following elements:

  • Kong
  • Emojivoto

Before installing the Emojivoto demo application, install Linkerd and Kong on your cluster. Remember to use the --ingress flag (or annotation) mentioned above when injecting the Kong deployment!

We also need to declare these objects:

  • KongPlugin, CRD provided by Kong
  • Ingress
  1.  apiVersion: configuration.konghq.com/v1
  2.  kind: KongPlugin
  3.  metadata:
  4.  name : set -l5d-header
  5.  namespace: emojivoto
  6.  plugin: request-transformer
  7.  config:
  8.  add :
  9.  headers:
  10.     - l5d-dst-override:$(headers.host) .svc.cluster.local  
  11.  ---  
  12.  apiVersion: extensions/v1beta1
  13.  kind: Ingress
  14.  metadata:
  15.  name : web-ingress
  16.  namespace: emojivoto
  17.  annotations:
  18.     kubernetes.io/ingress.class: "kong"  
  19.     konghq.com/plugins: set -l5d-header
  20.  spec:
  21.  rules:
  22.  - http:
  23.  paths:
  24.  - path: /api/vote
  25.  backend:
  26.               serviceName: web-svc
  27.               servicePort: http
  28.  - path: /api/list
  29.  backend:
  30.               serviceName: web-svc
  31.               servicePort: http

We explicitly set l5d-dst-override in KongPlugin. Using templates as values, we can use the host header from the request and set the l5d-dst-override value based on that.

Finally, let's install Emojivoto so that its deploy/vote-bot targets the ingress and contains a host header for the web-svc.emojivoto service.

Before applying the injected Emojivoto application, make the following changes to the vote-bot deployment:

  1.  env:
  2.  # Target the Kong ingress instead   of the Emojivoto web service
  3.  - name : WEB_HOST
  4.  value: kong-proxy.kong:80
  5.  # Override the host header on requests so that it can be used to   set the l5d-dst-override header
  6.  - name : HOST_OVERRIDE
  7.  value: web-svc.emojivoto

【Editor's recommendation】

  1. Remote desktop developed by Chinese programmers is popular! Available for Mac, only 9MB, supports self-built repeaters
  2. 3 minutes to help you understand Kafka thoroughly
  3. How big is the bandwidth of Tik Tok's server to accommodate hundreds of millions of people watching at the same time?
  4. Github is hot! Can this so-called postmodern editor surpass Vim?
  5. The seven most dangerous attack techniques in 2021

<<:  my country's network infrastructure already fully supports IPv6

>>:  Linkerd 2.10 (Step by Step)—Install Multi-Cluster Components

Recommend

China Unicom SMS has a large-scale failure: mobile phones cannot receive verification codes. Official: Emergency processing is in progress

On February 10, the last working day, China Unico...

Ruijie attends the Smart Airport Construction and Development Summit! Giving airports smart wings

From April 17 to 19, the 4th "National Civil...

Nginx log analysis: writing shell scripts for comprehensive log statistics

Nginx is a high-performance HTTP and reverse prox...

The Best Open Source Network Monitoring Tools of 2017

The demand for open source software continues to ...

The development of 5G should be based on facts and not just pursue book data

At present, the three major telecom operators hav...

WiFi, Bluetooth, NFC, three major technologies covered in one article!

Wi-Fi, Bluetooth, NFC, I believe everyone is fami...

Hosteons: New 1Gbps bandwidth KVM host starting at $21/year, AMD Ryzen CPU+NVMe high-performance host starting at $24/year

In December last year, we shared the news that Ho...

Massive Data officially releases AtlasDB, an enterprise-level private cloud database

[51CTO.com original article] On July 28, Beijing ...

edgeNAT newly launched South Korea SK direct connection VPS with 20% discount on monthly payment and 30% discount on annual payment, 2G memory package starts at 48 yuan/month

edgeNAT has newly launched the Korean three-netwo...

5G cannot enhance industry?

There are already more than 1,100 “5G+Industrial ...

How to make 5G a reality and what are the current challenges facing 5G?

5G will significantly increase data transmission ...

Interviewer: What are the common HTTP request headers?

[[401820]] This article is reprinted from the WeC...

Let us say goodbye to TCP together!

PS: This article does not involve knowledge about...

Innovation empowers and builds the foundation for the future-"2021 China IPv6 Innovation and Development Conference" was held in Beijing

In order to implement the deployment requirements...

UUUVPS: 60 yuan/month-1GB/30GB/4M/Hong Kong CN2 line

UUUVPS is now holding a three-year anniversary ev...