Oliver Gould
Oliver Gould
@Vamsi0473 we'll do another proxy-init release as we prepare for the upcoming stable-2.12 release, or you're welcome to build your own image from https://github.com/linkerd/linkerd2-proxy-init/blob/main/Dockerfile if it's urgent. We generally don't...
Fixed by https://github.com/linkerd/linkerd2/pull/9179
The destination controller is already configured with a set of cluster-wide default opaque ports. This default _should_ apply for all outbound connections (regardless of whether they are in-cluster or not)....
Ah, OK. So the destination controller does this as we'd hope, but proxies are configured by default to avoid resolving configuration for IP addresses outside of the `clusterNetworks` configuration (which...
> When I was looking through the proxy's source the other day, I interpreted [this section](https://github.com/linkerd/linkerd2-proxy/blob/f1df316ec45a725d5ed8022cb75207a36195247d/linkerd/app/outbound/src/tcp/opaque_transport.rs#L68-L76) as skipping opaque transport if mTLS is not in use. Have I misunderstood? This...
I've put up a [change](https://github.com/linkerd/linkerd2-proxy/pull/1614) to add some more debug logging to help us narrow this down. You can try it by running your workload with pod annotations: ```yaml config.linkerd.io/proxy-image:...
@JacobHenner OK, I think I've tracked down the issue and should have a fix in `config.linkerd.io/proxy-version: opaque.ddf0ce28` -- i'm getting tests together and will try to include this in the...
@JacobHenner Great. I'll leave this open for now, though it may stale out. I think this will slot into already-(loosely-)planned egress policy/configuration work, sketched in for 2.13.
@cawoodm Sorry we didn't get back to this sooner. We'd probably want to figure out how to get an integration test setup to exercise this configuration. We currently use `k3d`...
You'll need to create authorizations that permit unauthenticated connections on the ports that require connections from kubelet. Unfortunately, we don't have any mechanism to discover the source IPs for kubelet...