/
k8s_resolver.go
171 lines (147 loc) · 4.85 KB
/
k8s_resolver.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
package destination
import (
"errors"
"fmt"
"reflect"
"regexp"
"strings"
"github.com/linkerd/linkerd2/controller/k8s"
log "github.com/sirupsen/logrus"
)
var dnsCharactersRegexp = regexp.MustCompile("^[a-zA-Z0-9_-]{0,63}$")
var containsAlphaRegexp = regexp.MustCompile("[a-zA-Z]")
// implements the streamingDestinationResolver interface
type k8sResolver struct {
k8sDNSZoneLabels []string
endpointsWatcher *endpointsWatcher
}
func newK8sResolver(k8sDNSZoneLabels []string, k8sAPI *k8s.API) *k8sResolver {
return &k8sResolver{
k8sDNSZoneLabels: k8sDNSZoneLabels,
endpointsWatcher: newEndpointsWatcher(k8sAPI),
}
}
type serviceId struct {
namespace string
name string
}
func (s serviceId) String() string {
return fmt.Sprintf("%s.%s", s.name, s.namespace)
}
func (k *k8sResolver) canResolve(host string, port int) (bool, error) {
id, err := k.localKubernetesServiceIdFromDNSName(host)
if err != nil {
return false, err
}
return id != nil, nil
}
func (k *k8sResolver) streamResolution(host string, port int, listener updateListener) error {
id, err := k.localKubernetesServiceIdFromDNSName(host)
if err != nil {
log.Error(err)
return err
}
if id == nil {
err = fmt.Errorf("cannot resolve service that isn't a local Kubernetes service: %s", host)
log.Error(err)
return err
}
listener.SetServiceId(id)
return k.resolveKubernetesService(id, port, listener)
}
func (k *k8sResolver) stop() {
k.endpointsWatcher.stop()
}
func (k *k8sResolver) resolveKubernetesService(id *serviceId, port int, listener updateListener) error {
k.endpointsWatcher.subscribe(id, uint32(port), listener)
select {
case <-listener.ClientClose():
return k.endpointsWatcher.unsubscribe(id, uint32(port), listener)
case <-listener.ServerClose():
return nil
}
}
// localKubernetesServiceIdFromDNSName returns the name of the service in
// "namespace-name/service-name" form if `host` is a DNS name in a form used
// for local Kubernetes services. It returns nil if `host` isn't in such a
// form.
func (k *k8sResolver) localKubernetesServiceIdFromDNSName(host string) (*serviceId, error) {
hostLabels, err := splitDNSName(host)
if err != nil {
return nil, err
}
// Verify that `host` ends with ".svc.$zone", ".svc.cluster.local," or ".svc".
matched := false
if len(k.k8sDNSZoneLabels) > 0 {
hostLabels, matched = maybeStripSuffixLabels(hostLabels, k.k8sDNSZoneLabels)
}
// Accept "cluster.local" as an alias for "$zone". The Kubernetes DNS
// specification
// (https://github.com/kubernetes/dns/blob/master/docs/specification.md)
// doesn't require Kubernetes to do this, but some hosting providers like
// GKE do it, and so we need to support it for transparency.
if !matched {
hostLabels, matched = maybeStripSuffixLabels(hostLabels, []string{"cluster", "local"})
}
// TODO:
// ```
// if !matched {
// return nil, nil
// }
// ```
//
// This is technically wrong since the protocol definition for the
// Destination service indicates that `host` is a FQDN and so we should
// never append a ".$zone" suffix to it, but we need to do this as a
// workaround until the proxies are configured to know "$zone."
hostLabels, matched = maybeStripSuffixLabels(hostLabels, []string{"svc"})
if !matched {
return nil, nil
}
// Extract the service name and namespace. TODO: Federated services have
// *three* components before "svc"; see
// https://github.com/linkerd/linkerd2/issues/156.
if len(hostLabels) != 2 {
return nil, fmt.Errorf("not a service: %s", host)
}
return &serviceId{
namespace: hostLabels[1],
name: hostLabels[0],
}, nil
}
func splitDNSName(dnsName string) ([]string, error) {
// If the name is fully qualified, strip off the final dot.
if strings.HasSuffix(dnsName, ".") {
dnsName = dnsName[:len(dnsName)-1]
}
labels := strings.Split(dnsName, ".")
// Rejects any empty labels, which is especially important to do for
// the beginning and the end because we do matching based on labels'
// relative positions. For example, we need to reject ".example.com"
// instead of splitting it into ["", "example", "com"].
for _, l := range labels {
if l == "" {
return []string{}, errors.New("Empty label in DNS name: " + dnsName)
}
if !dnsCharactersRegexp.MatchString(l) {
return []string{}, errors.New("DNS name is too long or contains invalid characters: " + dnsName)
}
if strings.HasPrefix(l, "-") || strings.HasSuffix(l, "-") {
return []string{}, errors.New("DNS name cannot start or end with a dash: " + dnsName)
}
if !containsAlphaRegexp.MatchString(l) {
return []string{}, errors.New("DNS name cannot only contain digits and hyphens: " + dnsName)
}
}
return labels, nil
}
func maybeStripSuffixLabels(input []string, suffix []string) ([]string, bool) {
n := len(input) - len(suffix)
if n < 0 {
return input, false
}
if !reflect.DeepEqual(input[n:], suffix) {
return input, false
}
return input[:n], true
}