proxy: v2.175.0 (#8142)

This release alters the policy-related labels that the proxy sets on inbound traffic:

* The `srv_kind` label is set with a value of "default" or "server",
  depending on whether the `srv_name` label correponds to a default
  policy or a `Server` resource. `srv_name` no longer includes a
  "default:" prefix for default policies.
* The `saz_name` label is removed, replaced by `authz_kind` and
  `authz_name` labels. Similarly, the `authz_kind` label is either
  `default` or `serverauthorization`, and the `authz_name` label never
  includes a "default:" prefix.

---

* build(deps): bump tj-actions/changed-files from 17.3 to 18 (linkerd/linkerd2-proxy#1539)
* build(deps): bump async-stream from 0.3.2 to 0.3.3 (linkerd/linkerd2-proxy#1540)
* build(deps): bump syn from 1.0.86 to 1.0.87 (linkerd/linkerd2-proxy#1541)
* build(deps): bump mio from 0.8.0 to 0.8.1 (linkerd/linkerd2-proxy#1542)
* build(deps): bump syn from 1.0.87 to 1.0.88 (linkerd/linkerd2-proxy#1545)
* build(deps): bump libc from 0.2.119 to 0.2.120 (linkerd/linkerd2-proxy#1544)
* build(deps): bump tj-actions/changed-files from 18 to 18.1 (linkerd/linkerd2-proxy#1543)
* build(deps): bump tj-actions/changed-files from 18.1 to 18.2 (linkerd/linkerd2-proxy#1546)
* build(deps): bump mio from 0.8.1 to 0.8.2 (linkerd/linkerd2-proxy#1550)
* build(deps): bump quote from 1.0.15 to 1.0.16 (linkerd/linkerd2-proxy#1549)
* build(deps): bump syn from 1.0.88 to 1.0.89 (linkerd/linkerd2-proxy#1548)
* build(deps): bump tj-actions/changed-files from 18.2 to 18.3 (linkerd/linkerd2-proxy#1547)
* build(deps): bump which from 4.2.4 to 4.2.5 (linkerd/linkerd2-proxy#1554)
* build(deps): bump tokio-rustls from 0.23.2 to 0.23.3 (linkerd/linkerd2-proxy#1553)
* build(deps): bump tj-actions/changed-files from 18.3 to 18.4 (linkerd/linkerd2-proxy#1551)
* build(deps): bump log from 0.4.14 to 0.4.15 (linkerd/linkerd2-proxy#1555)
* build(deps): bump foreign-types-shared from 0.3.0 to 0.3.1 (linkerd/linkerd2-proxy#1557)
* build(deps): bump foreign-types-macros from 0.2.1 to 0.2.2 (linkerd/linkerd2-proxy#1556)
* build(deps): bump hyper from 0.14.17 to 0.14.18 (linkerd/linkerd2-proxy#1559)
* build(deps): bump log from 0.4.15 to 0.4.16 (linkerd/linkerd2-proxy#1558)
* inbound: Support multiple authorization types (linkerd/linkerd2-proxy#1560)

Signed-off-by: Oliver Gould <ver@buoyant.io>
Signed-off-by: Kevin Leimkuhler <kleimkuhler@icloud.com>
Co-authored-by: Kevin Leimkuhler <kleimkuhler@icloud.com>

.proxy-version

@@ -1 +1 @@
-v2.174.0
+v2.175.0

test/integration/deep/opaqueports/opaque_ports_test.go

@@ -22,7 +22,7 @@ var (
 	opaqueUnmeshedSvcPod = "opaque-unmeshed-svc"
 	opaqueUnmeshedSvcSC  = "slow-cooker-opaque-unmeshed-svc"
 	tcpMetricRE          = regexp.MustCompile(
-		`tcp_open_total\{direction="inbound",peer="src",target_addr="[0-9\.]+:[0-9]+",target_ip="[0-9\.]+",target_port="[0-9]+",tls="true",client_id="default\.linkerd-opaque-ports-test\.serviceaccount\.identity\.linkerd\.cluster\.local",srv_name="default:all-unauthenticated".*} [0-9]+`,
+		`tcp_open_total\{direction="inbound",peer="src",target_addr="[0-9\.]+:[0-9]+",target_ip="[0-9\.]+",target_port="[0-9]+",tls="true",client_id="default\.linkerd-opaque-ports-test\.serviceaccount\.identity\.linkerd\.cluster\.local",srv_kind="default",srv_name="all-unauthenticated"} [0-9]+`,
 	)
 	tcpMetricOutUnmeshedRE = regexp.MustCompile(
 		`tcp_open_total\{direction="outbound",peer="dst",authority="[a-zA-Z\-]+\.[a-zA-Z\-]+\.svc\.cluster\.local:[0-9]+",target_addr="[0-9\.]+:[0-9]+",target_ip="[0-9\.]+",target_port="[0-9]+",tls="no_identity",no_tls_reason="not_provided_by_service_discovery",.*\} [0-9]+`,

test/integration/viz/policy/policy_test.go

@@ -2,7 +2,6 @@ package policy
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"os"
 	"strconv"
@@ -147,13 +146,7 @@ func TestPolicy(t *testing.T) {
 					return nil
 				})
 				if err != nil {
-					// FIXME this test is flakey, and we may not get a success rate reported. If we
-					// hit that flakiness, just skip the test for now.
-					var ne noSuccess
-					if errors.As(err, &ne) {
-						t.Skipf("XXX Skipping flakey test: %s", err)
-					}
-					testutil.AnnotatedFatal(t, fmt.Sprintf("timed-out checking stats (%s)", timeout), err)
+					testutil.AnnotatedFatal(t, fmt.Sprintf("timed-out checking policy stats (%s)", timeout), err)
 				}
 			})
 		}

viz/metrics-api/policy.go

@@ -164,17 +164,27 @@ func buildServerRequestLabels(req *pb.StatSummaryRequest) (labels model.LabelSet
 			namespaceLabel: model.LabelValue(req.GetSelector().GetResource().GetNamespace()),
 		})
 	}
-	var resourceLabel model.LabelName
+	var resourceGrouping model.LabelName
 	if req.GetSelector().GetResource().GetType() == k8s.Server {
-		resourceLabel = serverLabel
+		resourceGrouping = serverNameLabel
+		labels = labels.Merge(model.LabelSet{
+			serverKindLabel: model.LabelValue("server"),
+		})
+		if req.GetSelector().GetResource().GetName() != "" {
+			labels = labels.Merge(model.LabelSet{
+				serverNameLabel: model.LabelValue(req.GetSelector().GetResource().GetName()),
+			})
+		}
 	} else if req.GetSelector().GetResource().GetType() == k8s.ServerAuthorization {
-		resourceLabel = serverAuthorizationLabel
-	}
-
-	if req.GetSelector().GetResource().GetName() != "" {
+		resourceGrouping = authorizationNameLabel
 		labels = labels.Merge(model.LabelSet{
-			resourceLabel: model.LabelValue(req.GetSelector().GetResource().GetName()),
+			authorizationKindLabel: model.LabelValue("serverauthorization"),
 		})
+		if req.GetSelector().GetResource().GetName() != "" {
+			labels = labels.Merge(model.LabelSet{
+				authorizationNameLabel: model.LabelValue(req.GetSelector().GetResource().GetName()),
+			})
+		}
 	}
 
 	switch out := req.Outbound.(type) {
@@ -189,7 +199,7 @@ func buildServerRequestLabels(req *pb.StatSummaryRequest) (labels model.LabelSet
 		// no extra labels needed
 	}
 
-	groupBy := model.LabelNames{namespaceLabel, resourceLabel}
+	groupBy := model.LabelNames{namespaceLabel, resourceGrouping}
 
 	return labels, groupBy
 }

viz/metrics-api/prometheus.go

@@ -36,14 +36,16 @@ const (
 	promLatencyP95      = promType("0.95")
 	promLatencyP99      = promType("0.99")
 
-	namespaceLabel           = model.LabelName("namespace")
-	dstNamespaceLabel        = model.LabelName("dst_namespace")
-	gatewayNameLabel         = model.LabelName("gateway_name")
-	gatewayNamespaceLabel    = model.LabelName("gateway_namespace")
-	remoteClusterNameLabel   = model.LabelName("target_cluster_name")
-	authorityLabel           = model.LabelName("authority")
-	serverLabel              = model.LabelName("srv_name")
-	serverAuthorizationLabel = model.LabelName("saz_name")
+	namespaceLabel         = model.LabelName("namespace")
+	dstNamespaceLabel      = model.LabelName("dst_namespace")
+	gatewayNameLabel       = model.LabelName("gateway_name")
+	gatewayNamespaceLabel  = model.LabelName("gateway_namespace")
+	remoteClusterNameLabel = model.LabelName("target_cluster_name")
+	authorityLabel         = model.LabelName("authority")
+	serverKindLabel        = model.LabelName("srv_kind")
+	serverNameLabel        = model.LabelName("srv_name")
+	authorizationKindLabel = model.LabelName("authz_kind")
+	authorizationNameLabel = model.LabelName("authz_name")
 )
 
 var (
@@ -117,9 +119,11 @@ func promQueryLabels(resource *pb.Resource) model.LabelSet {
 	if resource != nil {
 		if resource.Name != "" {
 			if resource.GetType() == k8s.Server {
-				set[serverLabel] = model.LabelValue(resource.GetName())
+				set[serverKindLabel] = model.LabelValue("server")
+				set[serverNameLabel] = model.LabelValue(resource.GetName())
 			} else if resource.GetType() == k8s.ServerAuthorization {
-				set[serverAuthorizationLabel] = model.LabelValue(resource.GetName())
+				set[authorizationKindLabel] = model.LabelValue("serverauthorization")
+				set[authorizationNameLabel] = model.LabelValue(resource.GetName())
 			} else if resource.GetType() != k8s.Service {
 				set[promResourceType(resource)] = model.LabelValue(resource.Name)
 			}