Merge branch 'main' into zd/split-tls-detection

.github/workflows/coverage.yml

@@ -25,7 +25,7 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - id: changed
-        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
         with:
           files: |
             .codecov.yml

.github/workflows/fuzzers.yml

@@ -32,7 +32,7 @@ jobs:
       - run: apt update && apt install -y jo
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - run: git config --global --add safe.directory "$PWD" # actions/runner#2033
-      - uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
+      - uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
         id: changed-files
       - name: list changed crates
         id: list-changed

.github/workflows/markdown.yml

@@ -15,6 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
-      - uses: DavidAnson/markdownlint-cli2-action@b4c9feab76d8025d1e83c653fa3990936df0e6c8
+      - uses: DavidAnson/markdownlint-cli2-action@db43aef879112c3119a410d69f66701e0d530809
         with:
             globs: "**/*.md"

.github/workflows/pr.yml

@@ -18,20 +18,20 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - id: build
-        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
         with:
           files: |
             .github/workflows/pr.yml
             justfile
             Dockerfile
       - id: actions
-        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
         with:
           files: |
             .github/workflows/**
             .devcontainer/*
       - id: cargo
-        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
         with:
           files_ignore: "Cargo.toml"
           files: |
@@ -40,7 +40,7 @@ jobs:
         if: steps.cargo.outputs.any_changed == 'true'
         run: ./.github/list-crates.sh ${{ steps.cargo.outputs.all_changed_files }}
       - id: rust
-        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
         with:
           files: |
             **/*.rs

.github/workflows/release.yml

@@ -84,7 +84,7 @@ jobs:
         if: github.event_name == 'pull_request'
       - id: changed
         if: github.event_name == 'pull_request'
-        uses: tj-actions/changed-files@e9772d140489982e0e3704fea5ee93d536f1e275
+        uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c
         with:
           files: |
             .github/workflows/release.yml

Cargo.lock

@@ -53,9 +53,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.86"
+version = "1.0.89"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da"
+checksum = "86fdf8605db99b54d3cd748a44c6d04df638eb5dafb219b135d0149bd0db01f6"
 
 [[package]]
 name = "arbitrary"
@@ -296,15 +296,15 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
 [[package]]
 name = "bytes"
-version = "1.7.1"
+version = "1.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8318a53db07bb3f8dca91a600466bdb3f2eaadeedfdbcf02e1accbad9271ba50"
+checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3"
 
 [[package]]
 name = "cc"
-version = "1.1.18"
+version = "1.1.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b62ac837cdb5cb22e10a256099b4fc502b1dfe560cb282963a974d7abd80e476"
+checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0"
 dependencies = [
  "jobserver",
  "libc",
@@ -1865,6 +1865,7 @@ dependencies = [
  "linkerd-http-route",
  "linkerd-proxy-api-resolve",
  "linkerd-proxy-core",
+ "linkerd-tls-route",
  "linkerd2-proxy-api",
  "maplit",
  "once_cell",
@@ -2214,6 +2215,18 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "linkerd-tls-route"
+version = "0.1.0"
+dependencies = [
+ "linkerd-dns",
+ "linkerd-tls",
+ "rand",
+ "regex",
+ "thiserror",
+ "tracing",
+]
+
 [[package]]
 name = "linkerd-tls-test-util"
 version = "0.1.0"
@@ -2412,9 +2425,9 @@ checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
 
 [[package]]
 name = "memmap2"
-version = "0.9.4"
+version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fe751422e4a8caa417e13c3ea66452215d7d63e19e604f4980461212f3ae1322"
+checksum = "fd3f7eed9d3848f8b98834af67102b720745c4ec028fcd0aa0239277e7de374f"
 dependencies = [
  "libc",
 ]
@@ -2562,9 +2575,9 @@ dependencies = [
 
 [[package]]
 name = "once_cell"
-version = "1.19.0"
+version = "1.20.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
+checksum = "33ea5043e58958ee56f3e15a90aee535795cd7dfd319846288d93c5b57d85cbe"
 
 [[package]]
 name = "opencensus-proto"
@@ -3000,9 +3013,9 @@ dependencies = [
 
 [[package]]
 name = "rustix"
-version = "0.38.36"
+version = "0.38.37"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f55e80d50763938498dd5ebb18647174e0c76dc38c5505294bb224624f30f36"
+checksum = "8acb788b847c24f28525660c4d7758620a7210875711f79e7f663cc152726811"
 dependencies = [
  "bitflags 2.4.2",
  "errno",
@@ -3205,9 +3218,9 @@ checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3"
 
 [[package]]
 name = "symbolic-common"
-version = "12.11.0"
+version = "12.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c1db5ac243c7d7f8439eb3b8f0357888b37cf3732957e91383b0ad61756374e"
+checksum = "9fdf97c441f18a4f92425b896a4ec7a27e03631a0b1047ec4e34e9916a9a167e"
 dependencies = [
  "debugid",
  "memmap2",
@@ -3217,9 +3230,9 @@ dependencies = [
 
 [[package]]
 name = "symbolic-demangle"
-version = "12.11.0"
+version = "12.11.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ea26e430c27d4a8a5dea4c4b81440606c7c1a415bd611451ef6af8c81416afc3"
+checksum = "bc8ece6b129e97e53d1fbb3f61d33a6a9e5369b11d01228c068094d6d134eaea"
 dependencies = [
  "cpp_demangle",
  "rustc-demangle",
@@ -3652,15 +3665,15 @@ checksum = "08f95100a766bf4f8f28f90d77e0a5461bbdb219042e7679bebe79004fed8d75"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.12"
+version = "1.0.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
+checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe"
 
 [[package]]
 name = "unicode-normalization"
-version = "0.1.23"
+version = "0.1.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a56d1686db2308d901306f92a263857ef59ea39678a5458e7cb17f01415101f5"
+checksum = "5033c97c4262335cded6d6fc3e5c18ab755e1a3dc96376350f3d8e9f009ad956"
 dependencies = [
  "tinyvec",
 ]

Cargo.toml

@@ -71,6 +71,7 @@ members = [
     "linkerd/tonic-stream",
     "linkerd/tonic-watch",
     "linkerd/tls",
+    "linkerd/tls/route",
     "linkerd/tls/test-util",
     "linkerd/tracing",
     "linkerd/transport-header",

linkerd/app/core/src/config.rs

@@ -2,14 +2,15 @@ pub use crate::exp_backoff::ExponentialBackoff;
 use crate::{
     proxy::http::{self, h1, h2},
     svc::{queue, CloneParam, ExtractParam, Param},
-    transport::{DualListenAddr, Keepalive, ListenAddr},
+    transport::{DualListenAddr, Keepalive, ListenAddr, UserTimeout},
 };
 use std::time::Duration;
 
 #[derive(Clone, Debug)]
 pub struct ServerConfig {
     pub addr: DualListenAddr,
     pub keepalive: Keepalive,
+    pub user_timeout: UserTimeout,
     pub http2: h2::ServerParams,
 }
 
@@ -18,6 +19,7 @@ pub struct ConnectConfig {
     pub backoff: ExponentialBackoff,
     pub timeout: Duration,
     pub keepalive: Keepalive,
+    pub user_timeout: UserTimeout,
     pub http1: h1::PoolSettings,
     pub http2: h2::ClientParams,
 }
@@ -84,3 +86,9 @@ impl Param<Keepalive> for ServerConfig {
         self.keepalive
     }
 }
+
+impl Param<UserTimeout> for ServerConfig {
+    fn param(&self) -> UserTimeout {
+        self.user_timeout
+    }
+}

linkerd/app/core/src/control.rs

@@ -124,13 +124,16 @@ impl Config {
             }
         };
 
-        let client = svc::stack(ConnectTcp::new(self.connect.keepalive))
-            .push(tls::Client::layer(identity))
-            .push_connect_timeout(self.connect.timeout)
-            .push_map_target(|(_version, target)| target)
-            .push(self::client::layer(self.connect.http2))
-            .push_on_service(svc::MapErr::layer_boxed())
-            .into_new_service();
+        let client = svc::stack(ConnectTcp::new(
+            self.connect.keepalive,
+            self.connect.user_timeout,
+        ))
+        .push(tls::Client::layer(identity))
+        .push_connect_timeout(self.connect.timeout)
+        .push_map_target(|(_version, target)| target)
+        .push(self::client::layer(self.connect.http2))
+        .push_on_service(svc::MapErr::layer_boxed())
+        .into_new_service();
 
         let endpoint = client
             // Ensure that connection is driven independently of the load

linkerd/app/inbound/src/lib.rs

@@ -201,6 +201,7 @@ impl Inbound<()> {
             // forwarding and HTTP proxying).
             let ConnectConfig {
                 ref keepalive,
+                ref user_timeout,
                 ref timeout,
                 ..
             } = config.proxy.connect;
@@ -209,7 +210,7 @@ impl Inbound<()> {
             #[error("inbound connection must not target port {0}")]
             struct Loop(u16);
 
-            svc::stack(transport::ConnectTcp::new(*keepalive))
+            svc::stack(transport::ConnectTcp::new(*keepalive, *user_timeout))
                 // Limits the time we wait for a connection to be established.
                 .push_connect_timeout(*timeout)
                 // Prevent connections that would target the inbound proxy port from looping.

linkerd/app/inbound/src/test_util.rs

@@ -10,7 +10,7 @@ use linkerd_app_core::{
         http::{h1, h2},
         tap,
     },
-    transport::{DualListenAddr, Keepalive},
+    transport::{DualListenAddr, Keepalive, UserTimeout},
     ProxyRuntime,
 };
 pub use linkerd_app_test as support;
@@ -59,10 +59,12 @@ pub fn default_config() -> Config {
             server: config::ServerConfig {
                 addr: DualListenAddr(([0, 0, 0, 0], 0).into(), None),
                 keepalive: Keepalive(None),
+                user_timeout: UserTimeout(None),
                 http2: h2::ServerParams::default(),
             },
             connect: config::ConnectConfig {
                 keepalive: Keepalive(None),
+                user_timeout: UserTimeout(None),
                 timeout: Duration::from_secs(1),
                 backoff: exp_backoff::ExponentialBackoff::try_new(
                     Duration::from_millis(100),

linkerd/app/integration/src/proxy.rs

@@ -1,7 +1,9 @@
 use super::*;
 use linkerd_app_core::{
     svc::Param,
-    transport::{listen, orig_dst, Keepalive, ListenAddr, Local, OrigDstAddr, ServerAddr},
+    transport::{
+        listen, orig_dst, Keepalive, ListenAddr, Local, OrigDstAddr, ServerAddr, UserTimeout,
+    },
     Result,
 };
 use std::{collections::HashSet, thread};
@@ -68,7 +70,7 @@ struct MockDualOrigDst {
 
 impl<T> listen::Bind<T> for MockOrigDst
 where
-    T: Param<Keepalive> + Param<ListenAddr>,
+    T: Param<Keepalive> + Param<UserTimeout> + Param<ListenAddr>,
 {
     type Addrs = orig_dst::Addrs;
     type BoundAddrs = Local<ServerAddr>;
@@ -118,7 +120,7 @@ impl fmt::Debug for MockOrigDst {
 
 impl<T> listen::Bind<T> for MockDualOrigDst
 where
-    T: Param<Keepalive> + Param<ListenAddr>,
+    T: Param<Keepalive> + Param<UserTimeout> + Param<ListenAddr>,
 {
     type Addrs = orig_dst::Addrs;
     type BoundAddrs = (Local<ServerAddr>, Option<Local<ServerAddr>>);

linkerd/app/outbound/src/tcp/connect.rs

@@ -21,7 +21,10 @@ pub struct PreventLoopback<S>(S);
 
 impl Outbound<()> {
     pub fn to_tcp_connect(&self) -> Outbound<PreventLoopback<ConnectTcp>> {
-        let connect = PreventLoopback(ConnectTcp::new(self.config.proxy.connect.keepalive));
+        let connect = PreventLoopback(ConnectTcp::new(
+            self.config.proxy.connect.keepalive,
+            self.config.proxy.connect.user_timeout,
+        ));
         self.clone().with_stack(connect)
     }
 }

linkerd/app/outbound/src/test_util.rs

@@ -7,7 +7,7 @@ use linkerd_app_core::{
         http::{h1, h2},
         tap,
     },
-    transport::{DualListenAddr, Keepalive},
+    transport::{DualListenAddr, Keepalive, UserTimeout},
     IpMatch, IpNet, ProxyRuntime,
 };
 pub use linkerd_app_test as support;
@@ -26,10 +26,12 @@ pub(crate) fn default_config() -> Config {
             server: config::ServerConfig {
                 addr: DualListenAddr(([0, 0, 0, 0], 0).into(), None),
                 keepalive: Keepalive(None),
+                user_timeout: UserTimeout(None),
                 http2: h2::ServerParams::default(),
             },
             connect: config::ConnectConfig {
                 keepalive: Keepalive(None),
+                user_timeout: UserTimeout(None),
                 timeout: Duration::from_secs(1),
                 backoff: exp_backoff::ExponentialBackoff::try_new(
                     Duration::from_millis(100),