inbound: Include server labels in tap responses (#1239)

This change modifies the inbound tapping behavior so that server &
authorization labels are included in tap metadata for HTTP requests.

Author: olix0r

linkerd/app/core/src/metrics/mod.rs

@@ -280,6 +280,12 @@ impl FmtLabels for InboundEndpointLabels {
     }
 }
 
+impl fmt::Display for ServerLabel {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        self.0.fmt(f)
+    }
+}
+
 impl FmtLabels for ServerLabel {
     fn fmt_labels(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         write!(f, "srv_name=\"{}\"", self.0)

linkerd/app/inbound/src/http/router.rs

@@ -26,6 +26,7 @@ struct LogicalPerRequest {
     server: Remote<ServerAddr>,
     tls: tls::ConditionalServerTls,
     permit: policy::Permit,
+    labels: tap::Labels,
 }
 
 /// Describes a logical request target.
@@ -37,6 +38,7 @@ struct Logical {
     http: http::Version,
     tls: tls::ConditionalServerTls,
     permit: policy::Permit,
+    labels: tap::Labels,
 }
 
 /// Describes a resolved profile for a logical service.
@@ -222,12 +224,7 @@ impl<C> Inbound<C> {
                 // dispatches the request. NewRouter moves the NewService into the service type, so
                 // minimize it's type footprint with a Box.
                 .push(svc::BoxNewService::layer())
-                .push(svc::NewRouter::layer(|(permit, t): (_, T)| LogicalPerRequest {
-                    client: t.param(),
-                    server: t.param(),
-                    tls: t.param(),
-                    permit,
-                }))
+                .push(svc::NewRouter::layer(LogicalPerRequest::from))
                 .push(policy::NewAuthorizeHttp::layer(rt.metrics.http_authz.clone()))
                 // Used by tap.
                 .push_http_insert_target::<tls::ConditionalServerTls>()
@@ -239,6 +236,31 @@ impl<C> Inbound<C> {
 
 // === impl LogicalPerRequest ===
 
+impl<T> From<(policy::Permit, T)> for LogicalPerRequest
+where
+    T: Param<Remote<ServerAddr>>,
+    T: Param<Remote<ClientAddr>>,
+    T: Param<tls::ConditionalServerTls>,
+{
+    fn from((permit, t): (policy::Permit, T)) -> Self {
+        let labels = vec![
+            ("srv_name".to_string(), permit.labels.server.to_string()),
+            ("saz_name".to_string(), permit.labels.authz.to_string()),
+        ];
+
+        Self {
+            client: t.param(),
+            server: t.param(),
+            tls: t.param(),
+            permit,
+            labels: labels
+                .into_iter()
+                .collect::<std::collections::BTreeMap<_, _>>()
+                .into(),
+        }
+    }
+}
+
 impl<A> svc::stack::RecognizeRoute<http::Request<A>> for LogicalPerRequest {
     type Key = Logical;
 
@@ -274,6 +296,7 @@ impl<A> svc::stack::RecognizeRoute<http::Request<A>> for LogicalPerRequest {
                 .version()
                 .try_into()
                 .expect("HTTP version must be valid"),
+            labels: self.labels.clone(),
         })
     }
 }
@@ -344,16 +367,15 @@ impl tap::Inspect for Logical {
         Some(self.addr.into())
     }
 
-    fn dst_labels<B>(&self, _: &http::Request<B>) -> Option<&tap::Labels> {
-        // TODO include policy labels here.
-        None
+    fn dst_labels<B>(&self, _: &http::Request<B>) -> Option<tap::Labels> {
+        Some(self.labels.clone())
     }
 
     fn dst_tls<B>(&self, _: &http::Request<B>) -> tls::ConditionalClientTls {
         tls::ConditionalClientTls::None(tls::NoClientTls::Loopback)
     }
 
-    fn route_labels<B>(&self, req: &http::Request<B>) -> Option<std::sync::Arc<tap::Labels>> {
+    fn route_labels<B>(&self, req: &http::Request<B>) -> Option<tap::Labels> {
         req.extensions()
             .get::<dst::Route>()
             .map(|r| r.route.labels().clone())

linkerd/app/outbound/src/http/mod.rs

@@ -17,7 +17,7 @@ use linkerd_app_core::{
     transport_header::SessionProtocol,
     Addr, Conditional, CANONICAL_DST_HEADER,
 };
-use std::{net::SocketAddr, str::FromStr, sync::Arc};
+use std::{net::SocketAddr, str::FromStr};
 
 pub type Accept = crate::Accept<Version>;
 pub type Logical = crate::logical::Logical<Version>;
@@ -174,15 +174,15 @@ impl tap::Inspect for Endpoint {
         Some(self.addr.into())
     }
 
-    fn dst_labels<B>(&self, _: &Request<B>) -> Option<&tap::Labels> {
+    fn dst_labels<B>(&self, _: &Request<B>) -> Option<tap::Labels> {
         Some(self.metadata.labels())
     }
 
     fn dst_tls<B>(&self, _: &Request<B>) -> tls::ConditionalClientTls {
         self.tls.clone()
     }
 
-    fn route_labels<B>(&self, req: &Request<B>) -> Option<Arc<tap::Labels>> {
+    fn route_labels<B>(&self, req: &Request<B>) -> Option<tap::Labels> {
         req.extensions()
             .get::<dst::Route>()
             .map(|r| r.route.labels().clone())

linkerd/proxy/api-resolve/src/metadata.rs

@@ -3,7 +3,7 @@ use linkerd_tls::client::ServerId;
 use std::collections::BTreeMap;
 
 /// Endpoint labels are lexographically ordered by key.
-pub type Labels = BTreeMap<String, String>;
+pub type Labels = std::sync::Arc<BTreeMap<String, String>>;
 
 /// Metadata describing an endpoint.
 #[derive(Clone, Debug, Eq, PartialEq)]
@@ -56,7 +56,7 @@ impl Metadata {
         authority_override: Option<Authority>,
     ) -> Self {
         Self {
-            labels: labels.into_iter().collect(),
+            labels: labels.into_iter().collect::<BTreeMap<_, _>>().into(),
             protocol_hint,
             opaque_transport_port,
             identity,
@@ -65,8 +65,8 @@ impl Metadata {
     }
 
     /// Returns the endpoint's labels from the destination service, if it has them.
-    pub fn labels(&self) -> &Labels {
-        &self.labels
+    pub fn labels(&self) -> Labels {
+        self.labels.clone()
     }
 
     pub fn protocol_hint(&self) -> ProtocolHint {

linkerd/proxy/tap/src/grpc/match_.rs

@@ -1,9 +1,10 @@
-use crate::{Inspect, Labels};
+use crate::Inspect;
 use ipnet::{Ipv4Net, Ipv6Net};
 use linkerd2_proxy_api::net::ip_address;
 use linkerd2_proxy_api::tap::observe_request;
 use std::{
     boxed::Box,
+    collections::BTreeMap,
     convert::{TryFrom, TryInto},
     net,
     str::FromStr,
@@ -90,7 +91,7 @@ impl Match {
                 .unwrap_or(false),
             Match::DestinationLabel(ref lbl) => inspect
                 .dst_labels(req)
-                .map(|l| lbl.matches(l))
+                .map(|l| lbl.matches(&*l))
                 .unwrap_or(false),
             Match::RouteLabel(ref lbl) => inspect
                 .route_labels(req)
@@ -138,7 +139,7 @@ impl TryFrom<observe_request::r#match::Match> for Match {
 // ===== impl LabelMatch ======
 
 impl LabelMatch {
-    fn matches(&self, labels: &Labels) -> bool {
+    fn matches(&self, labels: &BTreeMap<String, String>) -> bool {
         labels.get(&self.key) == Some(&self.value)
     }
 }

linkerd/proxy/tap/src/lib.rs

@@ -25,7 +25,7 @@ pub fn new() -> (Registry, grpc::Server) {
 }
 
 /// Endpoint labels are lexicographically ordered by key.
-pub type Labels = std::collections::BTreeMap<String, String>;
+pub type Labels = Arc<std::collections::BTreeMap<String, String>>;
 
 /// Inspects a request for a `Stack`.
 ///
@@ -37,11 +37,11 @@ pub trait Inspect {
 
     fn dst_addr<B>(&self, req: &http::Request<B>) -> Option<net::SocketAddr>;
 
-    fn dst_labels<B>(&self, req: &http::Request<B>) -> Option<&Labels>;
+    fn dst_labels<B>(&self, req: &http::Request<B>) -> Option<Labels>;
 
     fn dst_tls<B>(&self, req: &http::Request<B>) -> tls::ConditionalClientTls;
 
-    fn route_labels<B>(&self, req: &http::Request<B>) -> Option<Arc<Labels>>;
+    fn route_labels<B>(&self, req: &http::Request<B>) -> Option<Labels>;
 
     fn is_outbound<B>(&self, req: &http::Request<B>) -> bool;