Linkerd2-proxy unmeshed

sbvitok · September 4, 2020, 11:04am

I want to run linkerd2-proxy on bare-metal server.
something like this:

bare-metal server                                          kubernetes node 
_____________________________                      ____________________________
|                           |                      |                           |
|   nginx -> linkerd2-proxy |    ---->             |  linkerd2-proxy -> app    |
|___________________________|                      |___________________________|

all control-palne components in kubernetes cluster as usual

List what I do

create entrypoint to identity and destination pods by calico floatingIP
create ServiceAccount for bare-metal server (front-servers) in kubernetes
grab token from this SA and place it on front server
configure all LINKERD2_* variables in .env file on front server (IDENTITY_SVC_ADDR, DESTINATION_SVC_ADDR, IDENTITY_TRUST_ANCHORS, IDENTITY_TOKEN_FILE etc)
start linkerd2-proxy by linkerd2-proxy-run wrapper what generate certs from identity by linkerd2-proxy-identity
configure iptables on front server for access from tap and prometheus to ports 4190 and 4191
configure prometheus to scrap metrics from linkerd2-proxy on front servers
configure header l5d-dst-override $service_name.$namespace.svc.cluster.local:$service_port in nginx

And proxying works as design. mtls, dst service all good.

response_latency_ms_bucket{
authority="nginx-my-api.vkp.svc.cluster.local",
direction="outbound",
dst_control_plane_ns="pfm-admins",
dst_deployment="nginx-my-api",
dst_namespace="vkp",
dst_pod="nginx-my-api-7d4dcfb9b8-ftr5x",
dst_pod_template_hash="7d4dcfb9b8",
dst_service="nginx-my-api",
dst_serviceaccount="nginx-my-api",
tls="true",
server_id="nginx-my-api.vkp.serviceaccount.identity.pfm-admins.cluster.local",
status_code="200",
le="3000"
}

But in linkerd-web i see this proxy as unmeshed
Screenshot_2020-09-04 Linkerd

in prometheus I set all labels as on linkerd-proxy job

what else needs to be done to make linkerd2-proxy on front server meshed?

In kubernetes we don’t use xvlan or ipip tunels, all pods ip is announced by bird in 10/8 network so front servers have direct access to pods ip

sbvitok · September 4, 2020, 11:58am

In dashbord I can see my front servers as a pod

sbvitok · September 4, 2020, 12:27pm

found in linkerd2-proxy on front server:
outbound: linkerd2_proxy_transport::listen::sys::linux: failed to read SO_ORIGINAL_DST: Os { code: 92, kind: Other, message: "Protocol not available"

sbvitok · September 4, 2020, 3:06pm

identity works:

But linkerd2-proxy on front servrer still unmeshed

sbvitok · September 7, 2020, 3:04pm

I create virtual-kubelet node with my custom provider, when create StatefulSet for each bare metal node with node ip and now all works!

# kubectl get pods -o wide
NAME           READY   STATUS    RESTARTS   AGE     IP           NODE              NOMINATED NODE   READINESS GATES
vkp-front1-0   2/2     Running   0          3m42s   10.11.57.0   virtual-kubelet   <none>           <none>
vkp-front2-0   2/2     Running   0          2m26s   10.11.57.1   virtual-kubelet   <none>           <none>
vkp-front3-0   2/2     Running   0          110s    10.11.57.2   virtual-kubelet   <none>           <none>
vkp-front4-0   2/2     Running   0          12s     10.11.57.3   virtual-kubelet   <none>           <none>

cpretzer · September 7, 2020, 4:49pm

@sbvitok this is a really interesting application of the Linkerd proxy. Since the proxy is designed to run in the same cluster as the control plane, it’s not too surprising that you’ve had to set up infrastructure like this to get it to work.

Pretty amazing hacking there ! Thanks for sharing your process.

Can you share the wrapper script that you created and any additional virtual kubelet and custom provider configurations?

sbvitok · September 8, 2020, 12:39pm

# cat /usr/bin/linkerd2-proxy-run 
#!/usr/bin/env bash
set -eu
set -a
cd /etc/linkerd2-proxy
source config.env
set +a
set +eu
rm -f $LINKERD2_PROXY_IDENTITY_DIR/* 2>/dev/null
set -eu
/usr/lib/linkerd/linkerd2-proxy-identity -dir "$LINKERD2_PROXY_IDENTITY_DIR" -name "$LINKERD2_PROXY_IDENTITY_LOCAL_NAME"

exec /usr/lib/linkerd/linkerd2-proxy

cpretzer · September 9, 2020, 5:46am

Thanks @sbvitok ! I hope someone will find this useful if they have the same use-case as you.

hakeemsyd · October 22, 2020, 3:10am

@sbvitok I am trying to accomplish similar. I am trying to run linkerd2-proxy on my machine but unable to get it to talk to linkerd-identity service running inside k8s cluster.

Can you clarify what you mean by running 1) running linkerd2-proxy-run wrapper? Where is it located? 2) How do you setup a Service Account for bare metal.

Thanks & appreciate help here.

cpretzer · October 22, 2020, 4:05am

@hakeemsyd, this looks like the linkerd-run-wrapper script.

My guess is that there is more info in the config.env file that enables this to run by setting the environment variables.

I think that the identity part that might be missing is the linkerd-proxy-identity executable here

sbvitok:

# cat /usr/bin/linkerd2-proxy-run 
#!/usr/bin/env bash
set -eu
set -a
cd /etc/linkerd2-proxy
source config.env
set +a
set +eu
rm -f $LINKERD2_PROXY_IDENTITY_DIR/* 2>/dev/null
set -eu
/usr/lib/linkerd/linkerd2-proxy-identity -dir "$LINKERD2_PROXY_IDENTITY_DIR" -name "$LINKERD2_PROXY_IDENTITY_LOCAL_NAME"

exec /usr/lib/linkerd/linkerd2-proxy