handle egress network changes

Signed-off-by: Zahari Dichev <[email protected]>
linkerd · Oct 23, 2024 · 4144b19 · 4144b19
1 parent 130050d
commit 4144b19
Show file tree

Hide file tree

Showing 17 changed files with 708 additions and 332 deletions.
diff --git a/policy-controller/core/src/outbound.rs b/policy-controller/core/src/outbound.rs
@@ -6,11 +6,14 @@ use ahash::AHashMap as HashMap;
 use anyhow::Result;
 use chrono::{offset::Utc, DateTime};
 use futures::prelude::*;
-use std::{
-    net::{IpAddr, SocketAddr},
-    num::NonZeroU16,
-    pin::Pin,
-    time,
+use std::{net::IpAddr, num::NonZeroU16, pin::Pin, time};
+
+mod policy;
+mod target;
+
+pub use self::{
+    policy::{OutboundPolicy, OutboundPolicyKind, ParentMeta, ResourceOutboundPolicy},
+    target::{Kind, OutboundDiscoverTarget, ResourceTarget},
 };
 
 pub trait Route {
@@ -20,14 +23,15 @@ pub trait Route {
 /// Models outbound policy discovery.
 #[async_trait::async_trait]
 pub trait DiscoverOutboundPolicy<T> {
-    async fn get_outbound_policy(&self, target: T) -> Result<Option<OutboundPolicy>>;
+    async fn get_outbound_policy(&self, target: T) -> Result<Option<OutboundPolicyKind>>;
 
     async fn watch_outbound_policy(&self, target: T) -> Result<Option<OutboundPolicyStream>>;
 
     fn lookup_ip(&self, addr: IpAddr, port: NonZeroU16, source_namespace: String) -> Option<T>;
 }
 
-pub type OutboundPolicyStream = Pin<Box<dyn Stream<Item = OutboundPolicy> + Send + Sync + 'static>>;
+pub type OutboundPolicyStream =
+    Pin<Box<dyn Stream<Item = OutboundPolicyKind> + Send + Sync + 'static>>;
 
 pub type HttpRoute = OutboundRoute<HttpRouteMatch, HttpRetryCondition>;
 pub type GrpcRoute = OutboundRoute<GrpcRouteMatch, GrpcRetryCondition>;
@@ -40,41 +44,6 @@ pub enum TrafficPolicy {
     Deny,
 }
 
-#[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
-pub enum Kind {
-    EgressNetwork {
-        original_dst: SocketAddr,
-        traffic_policy: TrafficPolicy,
-    },
-    Service,
-}
-
-#[derive(Clone, Debug)]
-pub struct OutboundDiscoverTarget {
-    pub name: String,
-    pub namespace: String,
-    pub port: NonZeroU16,
-    pub source_namespace: String,
-    pub kind: Kind,
-}
-
-#[derive(Clone, Debug, PartialEq)]
-pub struct OutboundPolicy {
-    pub http_routes: RouteSet<HttpRoute>,
-    pub grpc_routes: RouteSet<GrpcRoute>,
-    pub tls_routes: RouteSet<TlsRoute>,
-    pub tcp_routes: RouteSet<TcpRoute>,
-    pub service_authority: String,
-    pub name: String,
-    pub namespace: String,
-    pub port: NonZeroU16,
-    pub opaque: bool,
-    pub accrual: Option<FailureAccrual>,
-    pub http_retry: Option<RouteRetry<HttpRetryCondition>>,
-    pub grpc_retry: Option<RouteRetry<GrpcRetryCondition>>,
-    pub timeouts: RouteTimeouts,
-}
-
 #[derive(Clone, Debug, PartialEq, Eq)]
 pub struct OutboundRoute<M, R> {
     pub hostnames: Vec<HostMatch>,

diff --git a/policy-controller/core/src/outbound/policy.rs b/policy-controller/core/src/outbound/policy.rs
@@ -0,0 +1,67 @@
+use super::{
+    FailureAccrual, GrpcRetryCondition, GrpcRoute, HttpRetryCondition, HttpRoute, RouteRetry,
+    RouteSet, RouteTimeouts, TcpRoute, TlsRoute, TrafficPolicy,
+};
+
+use std::{net::SocketAddr, num::NonZeroU16};
+
+/// OutboundPolicyKind describes a resolved outbound policy that is
+/// either attributed to a resource or is a fallback one.
+#[allow(clippy::large_enum_variant)]
+#[derive(Clone, Debug, PartialEq)]
+pub enum OutboundPolicyKind {
+    Fallback(SocketAddr),
+    Resource(ResourceOutboundPolicy),
+}
+
+/// ResourceOutboundPolicy expresses the known resource types
+/// that can be parents for outbound policy. They each come with
+/// specific metadata that is used when putting together the final
+/// policy response.
+#[derive(Clone, Debug, PartialEq)]
+pub enum ResourceOutboundPolicy {
+    Service {
+        authority: String,
+        policy: OutboundPolicy,
+    },
+    Egress {
+        traffic_policy: TrafficPolicy,
+        original_dst: SocketAddr,
+        policy: OutboundPolicy,
+    },
+}
+
+// ParentMeta carries information resource-specific
+// information about the parent to which outbound policy
+// is associated.
+#[derive(Clone, Debug, Hash, PartialEq, Eq)]
+pub enum ParentMeta {
+    Service { authority: String },
+    EgressNetwork(TrafficPolicy),
+}
+
+#[derive(Clone, Debug, PartialEq)]
+pub struct OutboundPolicy {
+    pub parent_meta: ParentMeta,
+    pub http_routes: RouteSet<HttpRoute>,
+    pub grpc_routes: RouteSet<GrpcRoute>,
+    pub tls_routes: RouteSet<TlsRoute>,
+    pub tcp_routes: RouteSet<TcpRoute>,
+    pub name: String,
+    pub namespace: String,
+    pub port: NonZeroU16,
+    pub opaque: bool,
+    pub accrual: Option<FailureAccrual>,
+    pub http_retry: Option<RouteRetry<HttpRetryCondition>>,
+    pub grpc_retry: Option<RouteRetry<GrpcRetryCondition>>,
+    pub timeouts: RouteTimeouts,
+}
+
+impl ResourceOutboundPolicy {
+    pub fn policy(&self) -> &OutboundPolicy {
+        match self {
+            Self::Egress { policy, .. } => policy,
+            Self::Service { policy, .. } => policy,
+        }
+    }
+}
diff --git a/policy-controller/core/src/outbound/target.rs b/policy-controller/core/src/outbound/target.rs
@@ -0,0 +1,26 @@
+use std::{net::SocketAddr, num::NonZeroU16};
+
+/// OutboundDiscoverTarget allows us to express the fact that
+/// a policy resolution can be fulfilled by either a resource
+/// we know about (a specific EgressNetwork or a Service) or
+/// by our fallback mechanism.
+#[derive(Clone, Debug)]
+pub enum OutboundDiscoverTarget {
+    Resource(ResourceTarget),
+    Fallback(SocketAddr),
+}
+
+#[derive(Clone, Debug)]
+pub struct ResourceTarget {
+    pub name: String,
+    pub namespace: String,
+    pub port: NonZeroU16,
+    pub source_namespace: String,
+    pub kind: Kind,
+}
+
+#[derive(Debug, Copy, Clone, Hash, PartialEq, Eq)]
+pub enum Kind {
+    EgressNetwork(SocketAddr),
+    Service,
+}