SSL Propagation With Linkerd


#1

I’m attempting to hit an external endpoint that runs on https from a pod in Kubernetes running on the Linkerd Mesh.

My Http-outgoing dtab looks as follows:
```yaml
dtab: |
  /ph => /$/io.buoyant.rinet ; # /ph/80/google.com -> /$/io.buoyant.rinet/80/google.com
  /svc => /ph/80 ; # /svc/google.com -> /ph/80/google.com
  /svc => /$/io.buoyant.porthostPfx/ph ; # /svc/google.com:80 -> /ph/80/google.com
  /k8s => /#/io.l5d.k8s.http/default/8080 ; # /k8s/default/http/foo -> /#/io.l5d.k8s.http/default/http/foo
  /portNsSvc => /#/portNsSvcToK8s ; # /portNsSvc/http/default/foo -> /k8s/default/http/foo
  /host => /portNsSvc/http/default ;
  /host => /portNsSvc/http ; # /host/default/foo -> /portNsSvc/http/default/foo
  /svc => /$/io.buoyant.http.domainToPathPfx/host ; # /svc/foo.default -> /host/default/foo
  /svc => /$/io.buoyant.hostportPfx/host ;
```

I have the namers described here: https://buoyant.io/2017/06/20/a-service-mesh-for-kubernetes-part-xi-egress/.

I also have the following client configs as a part of the http-outgoing:
```yaml
configs:
{{ if eq .Values.CloudType "digital" }}
- prefix: "/#/io.l5d.k8s.http/dev/8080"
{{ else }}
- prefix: "/#/io.l5d.k8s.http/default/8080"
{{ end }}
  failureAccrual:
    kind: io.l5d.successRate
    successRate: 0.9
    requests: 1000
    backoff:
      kind: jittered
      minMs: 5000
      maxMs: 300000
# Use HTTPS if sending to port 443
- prefix: "/$/io.buoyant.rinet/443/{service}"
  tls:
    commonName: "{service}"
  failureAccrual:
    kind: io.l5d.successRate
    successRate: 0.9
    requests: 1000
    backoff:
      kind: jittered
      minMs: 5000
      maxMs: 300000
```

Any ideas what might be going wrong?
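To see which requests the `/$/io.buoyant.rinet/443/{service}` client config actually covers, here is an added, simplified Python model of the egress part of the dtab above (not linkerd's own code; the porthostPfx and rinet namers are approximated, and `google.com` / `api.example.org` are constructed sample hosts). It shows that only a Host header naming port 443 binds to the 443 prefix and gets TLS; a bare hostname falls through to `/ph/80` and leaves the mesh in plaintext.

```python
import re

# Constructed model of the egress entries from the posted dtab: prefix => rewrite,
# later entries take precedence and earlier ones are fallbacks (linkerd semantics).
DTAB = [
    ("/ph",  "/$/io.buoyant.rinet"),
    ("/svc", "/ph/80"),
    ("/svc", "/$/io.buoyant.porthostPfx/ph"),
]

# Client config from the post; its prefix is matched against the fully bound
# name, and "{service}" captures one path segment for the TLS commonName.
CLIENT_CONFIGS = [
    {"prefix": "/$/io.buoyant.rinet/443/{service}", "tls": {"commonName": "{service}"}},
]

def _porthost_pfx(path):
    """/$/io.buoyant.porthostPfx/<pfx>/<host>:<port>/... -> /<pfx>/<port>/<host>/..."""
    parts = path.split("/")
    pfx, hostport, rest = parts[3], parts[4], parts[5:]
    if ":" not in hostport:
        return None  # namer cannot resolve: caller falls back to the previous dtab entry
    host, port = hostport.rsplit(":", 1)
    return "/".join(["", pfx, port, host] + rest)

def bind(path):
    """Return the bound name for a path, or None if no dtab entry resolves it."""
    if path.startswith("/$/io.buoyant.porthostPfx/"):
        rewritten = _porthost_pfx(path)
        return bind(rewritten) if rewritten else None
    if path.startswith("/$/io.buoyant.rinet/"):
        return path  # terminal namer: linkerd would now resolve the host via DNS
    for prefix, dest in reversed(DTAB):  # later entries are tried first
        if path == prefix or path.startswith(prefix + "/"):
            bound = bind(dest + path[len(prefix):])
            if bound:
                return bound
    return None

def tls_for(bound):
    """commonName TLS will validate against, or None if the client stays plaintext."""
    for cfg in CLIENT_CONFIGS:
        head, _, tail = cfg["prefix"].partition("{service}")
        pattern = "^" + re.escape(head) + r"(?P<service>[^/]+)" + re.escape(tail) + "$"
        m = re.match(pattern, bound)
        if m:
            return cfg["tls"]["commonName"].replace("{service}", m.group("service"))
    return None

def egress(host_header):
    """Map an HTTP Host header to (bound name, TLS commonName or None)."""
    bound = bind("/svc/" + host_header)
    return bound, (tls_for(bound) if bound else None)
```

Run `egress("google.com:443")` and `egress("google.com")` side by side: the first binds to the 443 prefix with commonName `google.com`, the second binds to port 80 with no TLS, which is the easiest way to tell whether a request from the pod is actually leaving encrypted.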


#2

Hi @abhiInCalif. Nothing immediately jumps out. Would you mind trying a few things to help us debug the issue:

  1. Deploy a setup following exactly what’s documented in https://buoyant.io/2017/06/20/a-service-mesh-for-kubernetes-part-xi-egress/, that way we can determine if it’s something specific to your environment, or something in the modifications you have made from the blog post.
  2. Update this ticket with more complete and formatted kubernetes and linkerd configs. Ideally complete files, and use triple backticks, for example:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: l5d-config
data:
  config.yaml: |-
    admin:
      ip: 0.0.0.0
      port: 9990
    namers:
    - kind: io.l5d.k8s # This namer has the daemonset transformer "built-in"
      prefix: /io.l5d.k8s.ds # We reference this in the outgoing router's dtab
      transformers:
      - kind: io.l5d.k8s.daemonset
        namespace: default
        port: incoming
        service: l5d
    - kind: io.l5d.k8s # The "basic" k8s namer.  We reference this in the incoming router's dtab
    telemetry:
    - kind: io.l5d.prometheus
    - kind: io.l5d.recentRequests
      sampleRate: 0.25
    usage:
      orgId: linkerd-examples-daemonset-egress
    routers:
    - protocol: http
      label: outgoing
      dtab: |
        /ph        => /$/io.buoyant.rinet ; # Lookup the name in DNS
        /srv       => /ph/80 ; # Use port 80 if unspecified
        /srv       => /$/io.buoyant.porthostPfx/ph ; # Attempt to extract the port from the hostname
        /srv       => /#/io.l5d.k8s.ds/default/http ; # Lookup the name in Kubernetes, use the linkerd daemonset pod
        /svc       => /srv ;
        /svc/world => /srv/world-v1 ;
      servers:
      - port: 4140
        ip: 0.0.0.0
      service:
        responseClassifier:
          kind: io.l5d.http.retryableRead5XX
      client:
        kind: io.l5d.static
        configs:
        - prefix: "/$/io.buoyant.rinet/443/{service}"
          tls:
            commonName: "{service}"
...
```