Skip to content

Introduce a dedicated direct::LocalHttp target type #1417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
olix0r merged 4 commits into from
Dec 20, 2021
Merged

Introduce a dedicated direct::LocalHttp target type #1417

olix0r merged 4 commits into from
Dec 20, 2021

Conversation

@olix0r
Copy link
Member

@olix0r olix0r commented Dec 20, 2021

No description provided.

@olix0r olix0r requested a review from a team December 20, 2021 18:27
@olix0r olix0r mentioned this pull request Dec 20, 2021
Merged
mateiidavid
mateiidavid approved these changes Dec 20, 2021
View reviewed changes
Copy link
Member

@mateiidavid mateiidavid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes for a much nicer read now :) It also seems to put me at ease with the policy questions I had. The only thing that I'm really unsure of (and that I put in a comment) is whether through the old approach we'd end up checking the policy twice: once here, and once through the http stack.

linkerd/app/inbound/src/direct.rs
negotiated_protocol: client.alpn,
},
);
let permit = policy
Copy link
Member

@mateiidavid mateiidavid Dec 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah nice, so when we go direct w/o a protocol we can just check the policy here. This is something I was wondering about in my approach; if we check the policy in the direct stack, it'll be checked once again in the http stack?

Copy link
Member Author

@olix0r olix0r Dec 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah, in this case we only check the authorization for the tcp stack -- this is why the LocalTcp type takes a permit: to prove that it has been authorized.

the http stack will do its own authorization checks on requests.

linkerd/app/inbound/src/direct.rs
protocol: SessionProtocol,
}

type Local = svc::Either<LocalTcp, LocalHttp>;
Copy link
Member

@mateiidavid mateiidavid Dec 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is neat! So this basically allows us to just return the inner predicate on L129 and have the switch layer in one line? That's really cool.

@olix0r olix0r merged commit 8a5ed77 into matei/opaque-n-http-traffic Dec 20, 2021
@olix0r olix0r deleted the ver/matei/opaque-n-http-traffic branch December 20, 2021 20:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mateiidavid mateiidavid mateiidavid approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@olix0r @mateiidavid