Move tap from core into Viz extension (#5651)

Closes #5545.

This change moves all tap and tap-injector code into the viz directory. 

The tap and tap-injector components now also use a new tap image—separating
these components from the controller image that they are currently part of. This
means the controller image has removed all its build dependencies related to
tap.

Finally, the tap Protobuf has been separated from the metrics-api and moved into
it's own `.proto` file and gen directory. This introduces a clear split between
metrics-api and tap Protobuf.

There is no change in behavior for the `viz tap` command.

### Reviewing

#### Docker images

All the bin directory scripts should be updated to build and load the tap image.
All the CI workflows should be updated to build and push the tap image.

#### Controller and pkg directories

This is primarily deletions. Most of the deleted code in this directory is now
in the tap directory of the Viz extension.

#### viz/tap

This is the location that all the tap related code now lives in. New files are
mostly moved from the controller and pkg directories. Imports have all been
updated to point at the right locations and Protobuf.

The Protobuf here is taken from metrics-api and contains all tap-related
Protobuf.

Signed-off-by: Kevin Leimkuhler <kevin@kleimkuhler.com>

.github/workflows/integration_tests.yml

@@ -16,7 +16,7 @@ jobs:
     strategy:
       matrix:
         # Keep in sync with release.yaml matrix build
-        target: [proxy, controller, metrics-api, web, cni-plugin, debug, cli-bin, grafana, jaeger-webhook]
+        target: [proxy, controller, metrics-api, web, cni-plugin, debug, cli-bin, grafana, jaeger-webhook, tap]
     name: Docker build (${{ matrix.target }})
     timeout-minutes: 30
     steps:

.github/workflows/release.yml

@@ -12,7 +12,7 @@ jobs:
     strategy:
       matrix:
         # Keep in sync with integration_tests.yaml matrix build
-        target: [proxy, controller, metrics-api, web, cni-plugin, debug, cli-bin, grafana, jaeger-webhook]
+        target: [proxy, controller, metrics-api, web, cni-plugin, debug, cli-bin, grafana, jaeger-webhook, tap]
     name: Docker build (${{ matrix.target }})
     timeout-minutes: 30
     steps:

bin/docker-build

@@ -22,4 +22,4 @@ fi
 "$bindir"/docker-build-grafana
 "$bindir"/docker-build-jaeger-webhook
 "$bindir"/docker-build-metrics-api
-
+"$bindir"/docker-build-tap

bin/docker-build-tap

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+set -eu
+
+if [ $# -ne 0 ]; then
+    echo "no arguments allowed for ${0##*/}, given: $*" >&2
+    exit 64
+fi
+
+bindir=$( cd "${BASH_SOURCE[0]%/*}" && pwd )
+rootdir=$( cd "$bindir"/.. && pwd )
+
+# shellcheck source=_docker.sh
+. "$bindir"/_docker.sh
+# shellcheck source=_tag.sh
+. "$bindir"/_tag.sh
+
+dockerfile=$rootdir/viz/tap/Dockerfile
+tag=$(head_root_tag)
+docker_build tap "$tag" "$dockerfile"

bin/docker-push

@@ -14,6 +14,6 @@ bindir=$( cd "${BASH_SOURCE[0]%/*}" && pwd )
 # shellcheck source=_docker.sh
 . "$bindir"/_docker.sh
 
-for img in cli-bin cni-plugin controller metrics-api debug grafana proxy web ; do
+for img in cli-bin cni-plugin controller metrics-api debug grafana proxy web jaeger-webhook tap; do
     docker_push $img "$tag"
 done

bin/image-load

@@ -10,7 +10,7 @@ while :
 do
   case $1 in
     -h|--help)
-      echo "Load into KinD/k3d the images for Linkerd's proxy, controller, metrics-api, web, grafana, cli-bin, debug and cni-plugin."
+      echo "Load into KinD/k3d the images for Linkerd's proxy, controller, metrics-api, web, grafana, cli-bin, tap, debug and cni-plugin."
       echo ""
       echo "Usage:"
       echo "    bin/image-load [--kind] [--k3d] [--archive]"
@@ -79,7 +79,7 @@ fi
 "$bin" version
 
 rm -f load_fail
-for img in proxy controller web metrics-api grafana cli-bin debug cni-plugin jaeger-webhook; do
+for img in proxy controller web metrics-api grafana cli-bin debug cni-plugin jaeger-webhook tap; do
   printf 'Importing %s...\n' $img
   if [ $archive ]; then
     param="image-archives/$img.tar"

bin/protoc-go.sh

@@ -6,15 +6,16 @@ bindir=$( cd "${0%/*}" && pwd )
 
 go install -mod=readonly github.com/golang/protobuf/protoc-gen-go
 
-rm -rf controller/gen/common controller/gen/public controller/gen/config viz/metrics-api/gen
-mkdir -p controller/gen/common/net controller/gen/public viz/metrics-api/gen/viz
+rm -rf controller/gen/common controller/gen/public controller/gen/config viz/metrics-api/gen viz/tap/gen
+mkdir -p controller/gen/common/net controller/gen/public viz/metrics-api/gen/viz viz/tap/gen/tap
 
 "$bindir"/protoc -I proto --go_out=plugins=grpc,paths=source_relative:controller/gen proto/common/net.proto
 "$bindir"/protoc -I proto --go_out=plugins=grpc,paths=source_relative:controller/gen proto/public.proto
 "$bindir"/protoc -I proto --go_out=plugins=grpc,paths=source_relative:controller/gen proto/config/config.proto
 "$bindir"/protoc -I proto -I viz/metrics-api/proto --go_out=plugins=grpc,paths=source_relative:viz/metrics-api/gen viz/metrics-api/proto/viz.proto
+"$bindir"/protoc -I proto -I viz/tap/proto -I viz/metrics-api/proto --go_out=plugins=grpc,paths=source_relative:viz/tap/gen viz/tap/proto/viz_tap.proto
 
 mv controller/gen/common/net.pb.go   controller/gen/common/net/
 mv controller/gen/public.pb.go controller/gen/public/
 mv viz/metrics-api/gen/viz.pb.go viz/metrics-api/gen/viz/viz.pb.go
-
+mv viz/tap/gen/viz_tap.pb.go viz/tap/gen/tap/viz_tap.pb.go

charts/linkerd2/README.md

@@ -124,7 +124,7 @@ Kubernetes: `>=1.13.0-0`
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| controllerImage | string | `"ghcr.io/linkerd/controller"` | Docker image for the controller, tap and identity components |
+| controllerImage | string | `"ghcr.io/linkerd/controller"` | Docker image for the controller and identity components |
 | controllerReplicas | int | `1` | Number of replicas for each control plane pod |
 | controllerUID | int | `2103` | User ID for the control plane components |
 | debugContainer.image.name | string | `"ghcr.io/linkerd/debug"` | Docker image for the debug container |

charts/linkerd2/values.yaml

@@ -174,7 +174,7 @@ omitWebhookSideEffects: false
 webhookFailurePolicy: Ignore
 
 
-# controllerImage -- Docker image for the controller, tap and identity
+# controllerImage -- Docker image for the controller and identity
 # components
 controllerImage: ghcr.io/linkerd/controller
 # -- Number of replicas for each control plane pod

controller/Dockerfile

@@ -13,10 +13,9 @@ RUN ./bin/install-deps $TARGETARCH
 FROM go-deps as golang
 WORKDIR /linkerd-build
 COPY controller/gen controller/gen
-# TODO: remove when tap code gets moved to /viz
+# TODO: remove when BuildResource is refactored
+# /~https://github.com/linkerd/linkerd2/issues/5589
 COPY viz/metrics-api/gen/viz viz/metrics-api/gen/viz
-# TODO: remove when tap code gets moved to /viz
-COPY viz/pkg/labels viz/pkg/labels
 COPY pkg pkg
 COPY controller controller
 COPY charts/patch charts/patch

controller/api/util/api_utils.go

@@ -1,12 +1,9 @@
 package util
 
 import (
-	"encoding/binary"
 	"errors"
-	"fmt"
 	"strings"
 
-	netPb "github.com/linkerd/linkerd2/controller/gen/common/net"
 	"github.com/linkerd/linkerd2/pkg/k8s"
 	pb "github.com/linkerd/linkerd2/viz/metrics-api/gen/viz"
 	"google.golang.org/grpc/codes"
@@ -19,56 +16,6 @@ import (
   Shared utilities for interacting with the controller public api
 */
 
-var (
-	// ValidTargets specifies resource types allowed as a target:
-	// target resource on an inbound query
-	// target resource on an outbound 'to' query
-	// destination resource on an outbound 'from' query
-	ValidTargets = []string{
-		k8s.Authority,
-		k8s.CronJob,
-		k8s.DaemonSet,
-		k8s.Deployment,
-		k8s.Job,
-		k8s.Namespace,
-		k8s.Pod,
-		k8s.ReplicaSet,
-		k8s.ReplicationController,
-		k8s.StatefulSet,
-	}
-
-	// ValidTapDestinations specifies resource types allowed as a tap destination:
-	// destination resource on an outbound 'to' query
-	ValidTapDestinations = []string{
-		k8s.CronJob,
-		k8s.DaemonSet,
-		k8s.Deployment,
-		k8s.Job,
-		k8s.Namespace,
-		k8s.Pod,
-		k8s.ReplicaSet,
-		k8s.ReplicationController,
-		k8s.Service,
-		k8s.StatefulSet,
-	}
-)
-
-// TapRequestParams contains parameters that are used to build a
-// TapByResourceRequest.
-type TapRequestParams struct {
-	Resource      string
-	Namespace     string
-	ToResource    string
-	ToNamespace   string
-	MaxRps        float32
-	Scheme        string
-	Method        string
-	Authority     string
-	Path          string
-	Extract       bool
-	LabelSelector string
-}
-
 // GRPCError generates a gRPC error code, as defined in
 // google.golang.org/grpc/status.
 // If the error is nil or already a gRPC error, return the error.
@@ -198,143 +145,3 @@ func buildResource(namespace string, resType string, name string) (*pb.Resource,
 		Name:      name,
 	}, nil
 }
-
-// BuildTapByResourceRequest builds a Public API TapByResourceRequest from a
-// TapRequestParams.
-func BuildTapByResourceRequest(params TapRequestParams) (*pb.TapByResourceRequest, error) {
-	target, err := BuildResource(params.Namespace, params.Resource)
-	if err != nil {
-		return nil, fmt.Errorf("target resource invalid: %s", err)
-	}
-	if !contains(ValidTargets, target.Type) {
-		return nil, fmt.Errorf("unsupported resource type [%s]", target.Type)
-	}
-
-	matches := []*pb.TapByResourceRequest_Match{}
-
-	if params.ToResource != "" {
-		destination, err := BuildResource(params.ToNamespace, params.ToResource)
-		if err != nil {
-			return nil, fmt.Errorf("destination resource invalid: %s", err)
-		}
-		if !contains(ValidTapDestinations, destination.Type) {
-			return nil, fmt.Errorf("unsupported resource type [%s]", destination.Type)
-		}
-
-		match := pb.TapByResourceRequest_Match{
-			Match: &pb.TapByResourceRequest_Match_Destinations{
-				Destinations: &pb.ResourceSelection{
-					Resource: destination,
-				},
-			},
-		}
-		matches = append(matches, &match)
-	}
-
-	if params.Scheme != "" {
-		match := buildMatchHTTP(&pb.TapByResourceRequest_Match_Http{
-			Match: &pb.TapByResourceRequest_Match_Http_Scheme{Scheme: params.Scheme},
-		})
-		matches = append(matches, &match)
-	}
-	if params.Method != "" {
-		match := buildMatchHTTP(&pb.TapByResourceRequest_Match_Http{
-			Match: &pb.TapByResourceRequest_Match_Http_Method{Method: params.Method},
-		})
-		matches = append(matches, &match)
-	}
-	if params.Authority != "" {
-		match := buildMatchHTTP(&pb.TapByResourceRequest_Match_Http{
-			Match: &pb.TapByResourceRequest_Match_Http_Authority{Authority: params.Authority},
-		})
-		matches = append(matches, &match)
-	}
-	if params.Path != "" {
-		match := buildMatchHTTP(&pb.TapByResourceRequest_Match_Http{
-			Match: &pb.TapByResourceRequest_Match_Http_Path{Path: params.Path},
-		})
-		matches = append(matches, &match)
-	}
-
-	extract := &pb.TapByResourceRequest_Extract{}
-	if params.Extract {
-		extract = buildExtractHTTP(&pb.TapByResourceRequest_Extract_Http{
-			Extract: &pb.TapByResourceRequest_Extract_Http_Headers_{
-				Headers: &pb.TapByResourceRequest_Extract_Http_Headers{},
-			},
-		})
-	}
-
-	return &pb.TapByResourceRequest{
-		Target: &pb.ResourceSelection{
-			Resource:      target,
-			LabelSelector: params.LabelSelector,
-		},
-		MaxRps: params.MaxRps,
-		Match: &pb.TapByResourceRequest_Match{
-			Match: &pb.TapByResourceRequest_Match_All{
-				All: &pb.TapByResourceRequest_Match_Seq{
-					Matches: matches,
-				},
-			},
-		},
-		Extract: extract,
-	}, nil
-}
-
-func buildMatchHTTP(match *pb.TapByResourceRequest_Match_Http) pb.TapByResourceRequest_Match {
-	return pb.TapByResourceRequest_Match{
-		Match: &pb.TapByResourceRequest_Match_Http_{
-			Http: match,
-		},
-	}
-}
-
-func buildExtractHTTP(extract *pb.TapByResourceRequest_Extract_Http) *pb.TapByResourceRequest_Extract {
-	return &pb.TapByResourceRequest_Extract{
-		Extract: &pb.TapByResourceRequest_Extract_Http_{
-			Http: extract,
-		},
-	}
-}
-
-func contains(list []string, s string) bool {
-	for _, elem := range list {
-		if s == elem {
-			return true
-		}
-	}
-	return false
-}
-
-// CreateTapEvent generates tap events for use in tests
-func CreateTapEvent(eventHTTP *pb.TapEvent_Http, dstMeta map[string]string, proxyDirection pb.TapEvent_ProxyDirection) *pb.TapEvent {
-	event := &pb.TapEvent{
-		ProxyDirection: proxyDirection,
-		Source: &netPb.TcpAddress{
-			Ip: &netPb.IPAddress{
-				Ip: &netPb.IPAddress_Ipv4{
-					Ipv4: uint32(1),
-				},
-			},
-		},
-		Destination: &netPb.TcpAddress{
-			Ip: &netPb.IPAddress{
-				Ip: &netPb.IPAddress_Ipv6{
-					Ipv6: &netPb.IPv6{
-						// All nodes address: https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
-						First: binary.BigEndian.Uint64([]byte{0xff, 0x01, 0, 0, 0, 0, 0, 0}),
-						Last:  binary.BigEndian.Uint64([]byte{0, 0, 0, 0, 0, 0, 0, 0x01}),
-					},
-				},
-			},
-		},
-		Event: &pb.TapEvent_Http_{
-			Http: eventHTTP,
-		},
-		DestinationMeta: &pb.TapEvent_EndpointMeta{
-			Labels: dstMeta,
-		},
-	}
-	return event
-}

controller/cmd/main.go

@@ -10,8 +10,6 @@ import (
 	proxyinjector "github.com/linkerd/linkerd2/controller/cmd/proxy-injector"
 	publicapi "github.com/linkerd/linkerd2/controller/cmd/public-api"
 	spvalidator "github.com/linkerd/linkerd2/controller/cmd/sp-validator"
-	"github.com/linkerd/linkerd2/controller/cmd/tap"
-	tapinjector "github.com/linkerd/linkerd2/controller/cmd/tap-injector"
 	servicemirror "github.com/linkerd/linkerd2/multicluster/cmd/service-mirror"
 )
 
@@ -34,10 +32,6 @@ func main() {
 		publicapi.Main(os.Args[2:])
 	case "sp-validator":
 		spvalidator.Main(os.Args[2:])
-	case "tap":
-		tap.Main(os.Args[2:])
-	case "tap-injector":
-		tapinjector.Main(os.Args[2:])
 	case "service-mirror":
 		servicemirror.Main(os.Args[2:])
 	default:

controller/proxy-injector/webhook_test.go

@@ -37,7 +37,6 @@ func confNsDisabled() *inject.ResourceConfig {
 func TestGetPatch(t *testing.T) {
 
 	values.GetGlobal().Proxy.DisableIdentity = true
-	values.GetGlobal().Proxy.DisableTap = true
 
 	factory := fake.NewFactory(filepath.Join("fake", "data"))
 	nsEnabled, err := factory.Namespace("namespace-inject-enabled.yaml")