I want to run linkerd2-proxy on a bare-metal server,
something like this:
```
    bare-metal server                     kubernetes node
 _____________________________        ____________________________
|                             |      |                            |
|  nginx -> linkerd2-proxy    | ---> |  linkerd2-proxy -> app     |
|_____________________________|      |____________________________|
```
All control-plane components are in the kubernetes cluster as usual.
List of what I do:
- create entrypoint to identity and destination pods by calico floatingIP
- create ServiceAccount for bare-metal server (front-servers) in kubernetes
- grab token from this SA and place it on front server
- configure all LINKERD2_* variables in .env file on front server (IDENTITY_SVC_ADDR, DESTINATION_SVC_ADDR, IDENTITY_TRUST_ANCHORS, IDENTITY_TOKEN_FILE etc)
- start linkerd2-proxy via the linkerd2-proxy-run wrapper, which generates certs from identity with linkerd2-proxy-identity
- configure iptables on front server for access from tap and prometheus to ports 4190 and 4191
- configure prometheus to scrape metrics from linkerd2-proxy on front servers
- configure header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port in nginx
And proxying works as designed. mTLS, dst service, all good.
```
response_latency_ms_bucket{
  authority="nginx-my-api.vkp.svc.cluster.local",
  direction="outbound",
  dst_control_plane_ns="pfm-admins",
  dst_deployment="nginx-my-api",
  dst_namespace="vkp",
  dst_pod="nginx-my-api-7d4dcfb9b8-ftr5x",
  dst_pod_template_hash="7d4dcfb9b8",
  dst_service="nginx-my-api",
  dst_serviceaccount="nginx-my-api",
  tls="true",
  server_id="nginx-my-api.vkp.serviceaccount.identity.pfm-admins.cluster.local",
  status_code="200",
  le="3000"
}
```
But in linkerd-web I see this proxy as unmeshed.
In Prometheus I set all labels as on the linkerd-proxy job.
What else needs to be done to make linkerd2-proxy on the front server meshed?
In kubernetes we don't use vxlan or ipip tunnels; all pod IPs are announced by bird in the 10/8 network, so front servers have direct access to pod IPs.
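As an added illustration of the nginx step in the list above (example config, not from the original post or the linkerd project): an nginx server block on the front server that forwards requests to the local linkerd2-proxy outbound listener and sets `l5d-dst-override`. The outbound listen address 127.0.0.1:4140, the hostname and the target service/port are assumptions.

```nginx
# Added example: nginx on the bare-metal front server handing requests to
# the local linkerd2-proxy. Assumptions: the proxy's outbound listener is
# 127.0.0.1:4140 (LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR) and the in-cluster
# target is nginx-my-api in namespace vkp on port 80 (placeholder values).
upstream linkerd_outbound {
    server 127.0.0.1:4140;
    keepalive 16;   # reuse connections to the local proxy
}

server {
    listen 80;
    server_name my-api.example.com;   # placeholder hostname

    location / {
        # Tell linkerd2-proxy which cluster service this request is for, so it
        # resolves endpoints via the destination service and applies mTLS.
        proxy_set_header l5d-dst-override nginx-my-api.vkp.svc.cluster.local:80;
        # Keep the authority consistent with the override (shows up as the
        # "authority" label in the proxy's metrics).
        proxy_set_header Host nginx-my-api.vkp.svc.cluster.local;
        proxy_http_version 1.1;
        proxy_set_header Connection "";   # needed for keepalive upstreams
        proxy_pass http://linkerd_outbound;
    }
}
```

Because nginx targets the proxy directly, no outbound iptables redirect is needed on the front server; the iptables rules from the list only need to admit tap and Prometheus to ports 4190 and 4191.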