Kevin Leimkuhler

Add mock identity service (#10)

Motivation

The mock destination server has been particularly useful in benchmarking changes to linkerd2-proxy. This is because a single proxy can run without needing the linkerd2 control plane running; it sends all destination requests to the server and uses the responses to send requests to the correct destinations.

A current limitation is that identity must be disabled on the proxy as seen here. This is because, similar to the destination service, the identity service is also run as part of the control plane; without that there is no way to get identity for a specific service.

Solution

Run an identity service that returns pre-signed certificates for specific identity names.

A new LINKERD2_MOCK_DST_IDENTITIES_DIR environment variable can be set which points to a directory that contains subdirectories–each corresponding to an identity that should be served by the identity service.

When the identity service is created, it looks at each subdirectory which should contain at least a crt.pem. (It’s likely that it will also contain a csr.der and key.p8 which will be used by the proxy’s ENV_IDENTITY_DIR.)

Taking the subdirectory name as the identity name, it will serve the certificates in crt.pem for that directory name.

For example, for the foo-ns1-ca1 identity, I have a directory with the following:

:; ls /path/to/identities/
ca-config.json ca1-key.pem ca1.pem foo-ns1-ca1/

:; ls /path/to/identities/foo-ns1-ca1/
crt.pem  csr.der  key.p8

When a request is made for the foo-ns1-ca1 identity, the certificates in crt.pem are returned.

Generating files

These all contain valid values and were generated similar to the proxy’s test harness gen-certs.sh script.

I lean towards including this script as part of the l2-proxy-harness project where these certificates, CSRs, and keys will actually be used.

Testing

This was tested with a gRPC client that sends a CertifyRequest for the foo-ns1-ca1 identity to the identity server running locally on :8080.

Gist here

Signed-off-by: Kevin Leimkuhler kevin@kleimkuhler.com

5 years ago · 16 commits

linkerd2-mock-dst

This repository contains a mock implementation of Linkerd 2’s Destination service, intended for proxy testing and benchmarking.

Unlike the real Destination service, which serves service discovery requests from proxies based on information in the Kubernetes API, the mock implementation currently serves a fixed set of destinations and endpoints. In the future, it will also support simulating changes in cluster state for testing purposes.

The mock Destination service may be run in a standalone process as a command-line application. It can also be used as a Rust library to embed a mock Destination service in Rust tests.

Usage

linkerd2-mock-dst 0.1.0
A mock Linkerd 2 Destination server.

USAGE:
    linkerd2-mock-dst [OPTIONS] <DSTS>

FLAGS:
    -h, --help       
            Prints help information

    -V, --version    
            Prints version information


OPTIONS:
    -a, --addr <addr>    
            The address that the mock destination service will listen on [default: 0.0.0.0:8086]


ARGS:
    <DSTS>    
            A list of mock destinations to serve.
            
            This is parsed as a list of `DESTINATION=ENDPOINTS` pairs, where `DESTINATION` is a scheme, DNS name, and
            port, and `ENDPOINTS` is a comma-separated list of socket addresses. Each pair is separated by semicolons.
            [env: LINKERD2_MOCK_DSTS=]

Examples

Mock destinations for the foo.ns.svc.cluster.local service:

:; RUST_LOG=linkerd2_mock_dst=info \
   LINKERD2_MOCK_DSTS='http://foo.ns.svc.cluster.local:8080=127.0.0.1:1234,127.0.0.1:1235;http://bar.ns.svc.cluster.local:8081=127.0.0.1:4321' \
   cargo run

Mock identity for the foo-ns1-ca1 identity name:

:; ls /path/to/identities
foo-ns1-ca1/

:; ls /path/to/identities/foo-ns1-ca1/
crt.pem csr.der key.p8

:; RUST_LOG=linkerd2_mock_dst=info \
   LINKERD2_MOCK_DST_IDENTITIES_DIR='/path/to/identities/' \
   cargo run
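A pre-flight check for the identities directory layout described above, as an added example that is not code from this repository. The function names `check_identities` and `count_pem_blocks` are hypothetical, the rejection of private-key blocks inside crt.pem is an extra sanity check this example assumes is wanted, and the PEM body in `main` is a constructed placeholder rather than a real certificate.

```rust
use std::collections::BTreeMap;
use std::{fs, io, path::Path};

/// Count complete PEM blocks carrying `label`, e.g. "CERTIFICATE".
fn count_pem_blocks(pem: &str, label: &str) -> usize {
    let (begin, end) = (format!("-----BEGIN {}-----", label), format!("-----END {}-----", label));
    let (mut open, mut n) = (false, 0);
    for line in pem.lines().map(str::trim) {
        if line == begin {
            open = true;
        } else if line == end && open {
            open = false;
            n += 1;
        }
    }
    n
}

/// Map each subdirectory name (the identity name) to the number of certificates
/// in its crt.pem. Top-level files such as ca1.pem or ca-config.json are skipped.
pub fn check_identities(dir: &Path) -> io::Result<BTreeMap<String, usize>> {
    let mut out = BTreeMap::new();
    for entry in fs::read_dir(dir)? {
        let entry = entry?;
        if !entry.file_type()?.is_dir() { continue; } // symlinks are not followed
        let name = entry.file_name().to_string_lossy().into_owned();
        let pem = fs::read_to_string(entry.path().join("crt.pem"))
            .map_err(|e| io::Error::new(e.kind(), format!("{}: crt.pem: {}", name, e)))?;
        let certs = count_pem_blocks(&pem, "CERTIFICATE");
        if certs == 0 || pem.contains("PRIVATE KEY-----") {
            let msg = format!("{}: crt.pem must hold certificates and no key material", name);
            return Err(io::Error::new(io::ErrorKind::InvalidData, msg));
        }
        out.insert(name, certs);
    }
    Ok(out)
}

fn main() -> io::Result<()> {
    // Constructed sample layout mirroring the listing above; placeholder PEM body.
    let root = std::env::temp_dir().join("mock-identities-example");
    fs::create_dir_all(root.join("foo-ns1-ca1"))?;
    fs::write(root.join("ca1.pem"), "ignored: not a subdirectory")?;
    let pem = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
    fs::write(root.join("foo-ns1-ca1/crt.pem"), pem)?;
    println!("{:?}", check_identities(&root)?);
    Ok(())
}
```

Running this against the directory before pointing `LINKERD2_MOCK_DST_IDENTITIES_DIR` at it shows which identity names would be picked up and catches a subdirectory whose crt.pem is missing or holds key material.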